How to Troubleshoot High Bandwidth usage issues in Symantec Endpoint Protection 14.2 and newer


Article ID: 235297


Updated On:


Endpoint Protection


You discover that your network bandwidth usage is greater than normal and suspect it is related to content and definition updates between Symantec Endpoint Protection (SEP) clients and the Symantec Endpoint Protection Manager (SEPM).


Collect data from both the SEPM server and a sample of the clients that are currently generating the network traffic in your environment.

Overview of log collection process:

- Configure the SEPM to increase the log level detail
- Gather debug logs and Symdiag output from sample affected clients
- If using Group Update Providers (GUPs), gather debug logs from the GUP client
- Collect the data from the SEPM after allowing the clients to reproduce the issue
- Disable debug logging on the SEPM and collect the data
- Generate and export useful reports from the SEPM that illustrate recent activity and client-server interaction

Set the SEPM to log additional detail.
On the SEPM, perform the following actions to enable SECARS and SECREG debugging (NOTE: If the SEP client is installed on the manager, disable Tamper Protection):
Enabling SECARS and SECREG debugging for Endpoint Protection Manager

Collecting information from client side
Perform these instructions on a sample set of the clients currently causing network issues.

If the client machines are also configured to use a GUP, gather the following from the GUP(s) they are configured to use.

Collecting information from the SEPM once the clients have finished reproducing the issue:

On the SEPM, run the Symdiag tool to gather the logs.
After that, disable SECARS and SECREG debugging.

It will also be useful to generate the Server Activity, Client-Server Activity and Client Activity reports from the SEPM to provide a high-level overview of recent actions.

At this point you should be able to zip up all of the collected information (logs, diagnostics and reports) together for submission to Symantec Technical Support for review.

Applies To

- Sudden decrease in performance in network segments
- Slower link segments completely saturated (for example, WAN)
- Abnormal network usage increase