We are using Symantec Endpoint Protection for our main antivirus and we are noticing that updates to the client computers use a lot of bandwidth. After looking through the settings I see that clients will check/download updates every 4 hours.
We do not have a large pipe for bandwidth and we are looking to reduce the amount of data being pushed over it during the day. So I was wondering how people manage their AV updates.
One thing I would like to try is to run the updates during off-business hours (2-3am every morning), but a lot of users shut their computers down when they leave. Do other companies have their users keep them on or do they use some software to turn them on for updates and then off again after the updates?
Also how do you handle end users that take their laptops home with them?
probe (Probe), post 2
We use ESET here with the same update schedule & i don’t see any bandwidth hogging when the updates run. Are there any controls that you can tweak to control the bandwidth used? How much bandwidth do you have to play with?
We have monitoring software that we just implemented that watches the bandwidth going over our network and the update appears to be about 409Mb in size. I do not see any controls in Symantec to adjust for the bandwidth, but we have an MPLS pipe that is 4.5Mb/s throughput.
wayneallen (Wayne4611), post 4
I also use ESET, but their (and I assume most other AV’s) command server software lets you configure the server to pull down the latest definitions and have the clients pull the definitions from the server instead of directly from the internet, kind of like WSUS does for Windows updates. This saves tons of bandwidth as you no longer have lots of PCs hitting the internet all at once to get AV definition updates. We’ve got laptops set to try hitting the server first to get update, but if the server is unavailable then they fall back to using the normal internet updates.
erik (ErikN), post 5
Can you set your central AV server to do the downloading so that the clients only update on the network and not to the internet?
They are already set to only update from the central server. The issue is these updates are coming over the MPLS pipe which is pretty small (4.5Mb/s). I was mostly curious if people use something like WOL for computers during off-business hours to update them?
erik (ErikN), post 7
Is there a setting to randomize the download time around the schedule so that they don’t all hit at once? I must be spoiled since I have a 500Mb fiber connecting our two buildings.
wayneallen (Wayne4611), post 8
If your AV server is at another location and only available over the MPLS pipe, then it sounds like you may need to set up a secondary AV server at this location so the clients have a local server to update from. That way you only have one computer (the AV server) hitting the internet (or your primary AV server) over the MPLS pipe instead of all the clients. Like I said, I have ESET and not Symantec, but you should be able to set the secondary server as a “slave” of sorts to the primary server so you can still administer everything from the primary server.
I’m not using it myself, and I’m not 100% certain about this, so take this with a grain of salt, but I think ESET can be set to use a client as a “server” for other clients to get updates from. You may look to see if this is an option with Symantec so you can just use an always-on client if setting up a secondary AV server isn’t an option.
Hi Erik…
I’m checking with our key security folks for you to find out what we can do here. Stay tuned.
@chetan-symantec @jereme-symantec
Hey Matt,
Thanks for tagging me and bringing me in.
Justin,
One potential solution for this is what is called a “Group Update Provider”. This is a machine at the remote location that can store content updates for the clients at that location. It does not provide the full functionality of a second SEP Manager, but it can provide the content updates to limit the bandwidth concerns that you are having. You can control when the content is sent to the Group Update Provider, and you can force that group of clients to receive their updates from that Group Update Provider.
I’ve linked a technote below on the setup process for Group Update Providers:
http://www.symantec.com/business/support/index?page=content&id=HOWTO55184&actp=search&viewlocale=en_US&searchid=1314848512952
Thanks for that information. I will look into this and see if this is a viable option for us.
My Kaspersky updates every hour. I have about 600 machines inside and 200 outside. Inside machines are pulling from the management server, so the traffic is only internal. Outside ones have a choice between the management server and Kaspersky central.
Can’t wait to move to Webroot; never have to worry about updates again.
Totally agree with Jereme, just wanted to add a few more points:
If a GUP is configured, SEPM will point clients to the GUP, and downloads from the GUP will take place as per the heartbeat interval and selected mode (push mode or pull mode). Even if a GUP is not configured, it works in the same fashion.
There are two types of communication modes:
Push mode:
The client establishes a constant HTTP connection to the server. Whenever a change occurs with the server status, it notifies the client immediately.
Pull mode:
The client connects to the server periodically, depending on the frequency of the heartbeat setting. The client checks the status of the server when it connects.
Because of the constant connection, push mode requires a large network bandwidth. Most of the time you can set up clients in pull mode.
What is the difference between Push and Pull modes when downloading policies and content from the management server? → Clients that use Push mode download policies and content as soon as they become available. In push mode an open connection is kept so that the manager can contact the client immediately when data is available. Clients that use Pull mode download policies and content based on the heartbeat interval setting, which is set to 5 minutes by default. Because of the greater network bandwidth that is used with push mode, it is recommended more for small and medium-sized networks.
Configuring push mode or pull mode to update client policies and content
http://www.symantec.com/business/support/index?page=content&id=HOWTO26845
Practically, it’s not possible to schedule a specific time to take updates from the GUP/SEPM even though it’s configured in pull mode. A workaround can be to configure SEPM to download updates during non-production hours; as soon as SEPM gets updated it will update clients depending upon the heartbeat interval. In that case, if all the clients are on the same LAN segment, I would recommend keeping it in push mode.
If clients are on the WAN link, I would recommend configuring pull mode with a 30-minute heartbeat interval.
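To put numbers on the advice above (pull mode with a longer heartbeat on the WAN, and a GUP so only one machine pulls across the MPLS link) and on Erik’s earlier question about randomising download times, here is a small traffic model. It is an added example written for this thread, not code from Symantec or from any poster, and its assumptions are simplifications of SEP’s actual behaviour: each client polls once per heartbeat interval and starts its download at the first poll after new content is released, every download moves the full package (the 409 MB figure and the 4.5 Mb/s link come from the thread), and without a GUP every client pulls the package across the WAN. The client count, heartbeat and release time in the `__main__` section are constructed values.

```python
"""Constructed model of pull-mode AV content distribution over a small WAN link.

Assumptions (ours, not Symantec documentation):
  * a client polls the manager/GUP every heartbeat_s seconds and fetches new
    content at its first poll at or after the release time;
  * every fetch transfers the whole content package;
  * without a GUP each client crosses the WAN; with a GUP only the GUP does;
  * concurrent downloads are counted, not throttled (a real link would slow
    them down, which only makes the synchronised case worse).
"""
import math
import random
from typing import List

CONTENT_MB = 409.0   # package size reported in the thread (megabytes, assumed MB)
WAN_MBPS = 4.5       # MPLS link capacity from the thread (megabits per second)


def transfer_seconds(size_mb: float, link_mbps: float) -> float:
    """Seconds to move size_mb over an otherwise idle link of link_mbps."""
    return size_mb * 8.0 / link_mbps


def pull_fetch_times(heartbeat_s: float, release_s: float,
                     phases: List[float]) -> List[float]:
    """Time at which each pull-mode client first sees new content.

    phases[i] is the offset of client i's first poll (0 <= phase < heartbeat_s);
    polls repeat every heartbeat_s. Returns the sorted fetch start times.
    """
    times = []
    for phase in phases:
        # number of whole heartbeats client i must wait after its phase
        k = max(0, math.ceil((release_s - phase) / heartbeat_s))
        times.append(phase + k * heartbeat_s)
    return sorted(times)


def random_phases(n_clients: int, heartbeat_s: float, seed: int = 0) -> List[float]:
    """Heartbeat phases for clients whose timers are not synchronised."""
    rng = random.Random(seed)
    return [rng.uniform(0, heartbeat_s) for _ in range(n_clients)]


def peak_concurrency(start_times: List[float], duration_s: float) -> int:
    """Largest number of downloads in flight at once (sweep-line count)."""
    events = []
    for t in start_times:
        events.append((t, 1))                 # download starts
        events.append((t + duration_s, -1))   # download ends
    events.sort()  # at equal times the -1 sorts first, so touching intervals do not overlap
    current = peak = 0
    for _, delta in events:
        current += delta
        peak = max(peak, current)
    return peak


def wan_load_mb(n_clients: int, content_mb: float = CONTENT_MB,
                with_gup: bool = False) -> float:
    """Megabytes crossing the WAN for one content release."""
    return content_mb if with_gup else n_clients * content_mb


def link_busy_hours(wan_mb: float, link_mbps: float = WAN_MBPS) -> float:
    """Hours the WAN link is fully occupied just shipping that many megabytes."""
    return transfer_seconds(wan_mb, link_mbps) / 3600.0


if __name__ == "__main__":
    n, heartbeat = 50, 30 * 60   # constructed: 50 remote clients, 30-minute heartbeat
    release = 2 * 3600           # constructed: SEPM finishes its own download at 02:00
    one_download = transfer_seconds(CONTENT_MB, WAN_MBPS)

    synced = pull_fetch_times(heartbeat, release, [0.0] * n)
    spread = pull_fetch_times(heartbeat, release, random_phases(n, heartbeat))
    print(f"one {CONTENT_MB:.0f} MB download alone on the link: {one_download / 60:.1f} min")
    print("synchronised heartbeats: peak concurrent downloads =",
          peak_concurrency(synced, one_download))
    print("randomised heartbeats:   peak concurrent downloads =",
          peak_concurrency(spread, one_download))
    for gup in (False, True):
        mb = wan_load_mb(n, with_gup=gup)
        print(f"with_gup={gup}: {mb:.0f} MB over the WAN, "
              f"{link_busy_hours(mb):.1f} h of saturated link")
```

The two things worth reading off the output are that spreading heartbeat phases across the interval caps how many clients download at once (the randomisation Erik asked about does happen naturally when timers are not synchronised), and that the WAN load without a GUP scales with the client count, so for a remote site the GUP is the change that actually shrinks the traffic rather than just reshaping it.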
12.1.5 offers a bandwidth control feature. It’s an apache mod which can be enabled and configured to adjust the amount of bandwidth the clients use.
http://www.symantec.com/docs/TECH201290