With default LiveUpdate content revision settings configured within the Symantec Endpoint Protection Manager, clients are downloading full definition updates instead of delta updates


Article ID: 177759


Products

Endpoint Protection

Issue/Introduction

Clients download full content updates when the default LiveUpdate configuration is used in Symantec Endpoint Protection Manager (SEPM).

Symptoms

The clients are downloading full content updates instead of delta updates from SEPM.


The size of full content is around 100 MB* and the clients (which have not reported to SEPM for more than a certain number of days) are downloading 100 MB* of content from SEPM.

Cause

This is working as designed. There are two criteria for the clients to download full content:

  • The client definitions are corrupted and cannot be recovered locally.
  • The definition revision on the client at the time of check-in is not present in SEPM.

By default, SEPM keeps only three revisions if 500 or fewer clients were chosen during the SEPM installation, 10 revisions if 500 to 1,000 clients were chosen, or 30 revisions if more than 1,000 clients were chosen. LiveUpdate for the SEPM runs every four hours. On average, Symantec releases Symantec Endpoint Protection (SEP) Certified Definitions three times a day, so three revisions is essentially a day's worth of definitions. For example, if a client checks in after two days and the SEPM is configured to maintain only three revisions, the client's definition set is older than any revision stored in the SEPM. A delta content package therefore cannot be built, and the full definitions package (full.zip) is sent to the client instead.

Resolution

Open the SEPM console.

  1. Go to Admin > Server > Properties of Local site in SEPM > LiveUpdate.
  2. Increase the "Number of content revisions to keep" to a higher number that suits your requirements.


Note: Increasing this setting directly affects the SEPM's hard drive space, as more content revisions will be stored in [Root]:\Program Files\Symantec\Symantec Endpoint Protection Manager\Inetpub\content. It also increases the space used to store content revisions in the database.
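A planning sketch for choosing that number, added here as an example and not Symantec's code: it models SEPM as holding only the newest N sequentially numbered revisions, at the article's average of three releases per day, and applies the two criteria from the Cause section. The host names, sequence numbers and function names are constructed for illustration.

```python
"""Model of SEPM revision retention (added example; a simplification, not SEPM logic)."""
from math import ceil

RELEASES_PER_DAY = 3    # article: average certified definition releases per day
FULL_PACKAGE_MB = 100   # article: reference size of full content (2011 value)

def package_for(client_seq, latest_seq, keep, corrupted=False):
    """Return 'none', 'delta' or 'full' for one client check-in.

    Assumption: revisions are numbered sequentially and SEPM holds only the
    newest `keep` of them, i.e. latest_seq - keep + 1 .. latest_seq.
    """
    if corrupted:
        return "full"                      # criterion 1: local definitions unrecoverable
    if client_seq == latest_seq:
        return "none"                      # already current
    oldest_kept = latest_seq - keep + 1
    if client_seq >= oldest_kept:
        return "delta"                     # client's revision is still on SEPM
    return "full"                          # criterion 2: revision no longer on SEPM

def min_revisions_to_keep(max_offline_days, releases_per_day=RELEASES_PER_DAY):
    """Smallest setting that still holds a client's revision after the given absence."""
    return ceil(max_offline_days * releases_per_day) + 1

def plan(fleet, keep, latest_seq=100):
    """Classify every client and total the full-package traffic in MB."""
    result = {}
    for host, (days_offline, corrupted) in fleet.items():
        client_seq = latest_seq - ceil(days_offline * RELEASES_PER_DAY)
        result[host] = package_for(client_seq, latest_seq, keep, corrupted)
    full_mb = FULL_PACKAGE_MB * sum(1 for p in result.values() if p == "full")
    return result, full_mb

# Constructed sample fleet: host -> (days since last check-in, definitions corrupted?)
FLEET = {
    "ws-01": (0, False),
    "ws-02": (1, False),
    "laptop-03": (2, False),
    "laptop-04": (7, False),
    "kiosk-05": (0, True),
}

if __name__ == "__main__":
    for keep in (3, 10, 30):               # the three installation defaults
        packages, full_mb = plan(FLEET, keep)
        print(f"keep={keep:>2}: {packages} -> {full_mb} MB of full packages")
    print("setting needed to cover a 7-day absence:", min_revisions_to_keep(7))
```

A client with corrupted definitions receives the full package at any setting, so raising the value only reduces full downloads caused by stale revisions.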

 

* Reference value for the beginning of the year 2011. Because new threats and variants regularly appear "in the wild", the size of virus definitions tends to increase with time.