Endpoint Protection

  • 1.  Akamai killing my bandwidth

    Posted May 21, 2010 05:11 PM
    Hello Team.
    I was not pushing anything to a site today, when suddenly I got a call that the line was saturated.
    Note: The SEPM server is configured to download updates from the local file server, and only after hours.
    This happened during the day, with 3 connections at once. We do not configure auto-updates of any other software, so it looks like the obvious culprit is SEP.
    These were the 3 instances happening at once.


    Incoming 198.173.160.TCP http isdc 191.73M 16.88K
    Incoming 198.173.160.192  TCP http netopia-vo2 188.31M 16.49K
    Incoming 198.173.160.192  TCP http slm-api 183.17M 16.21K

    I am worried that these spikes will happen again.
    Does anyone know what they are and why the file sizes are so huge?

    Thank you,
     


  • 2.  RE: Akamai killing my bandwidth
    Best Answer

    Posted May 21, 2010 05:20 PM
    All of Symantec's virus definition servers are Akamaized, so if clients are connecting to Akamai, it means they are connecting to the internet to download virus definitions.

    Double-check your LiveUpdate Policy and check what is specified under "Use Liveupdate Server".


  • 3.  RE: Akamai killing my bandwidth

    Posted May 21, 2010 05:21 PM

    Akamai is tied to LiveUpdate.

    Virus def packages are about 70-80 MB in size, depending on a few different factors.
    The most common updates are for the AntiVirus defs, which come in both 32-bit and 64-bit.
    There are a handful of other defs that the SEPM also downloads that are generally smaller in size and get updated less frequently.

    You might want to configure LiveUpdate (on the SEPM) to only check for updates once a day during off hours (default is to check every 4 hours).

    SEPM Console > Admin > Servers > Local Site > Site Properties > LiveUpdate


  • 4.  RE: Akamai killing my bandwidth

    Posted May 22, 2010 02:31 PM
    A few things to think about, and reiterating what the others have said...

    1.  You have your live update policies applied to clients wrong.  Clients are pulling directly from Symantec and not the SEPM, more than likely.
    2.  You need to keep more revisions of the live update defs on the management server; this is under the SERVER properties in the SEPM.  10 is a good number.  But every 4 hours is fine IMO.
    3.  If you have slow WAN links between sites, you need to learn about GUPs, and again, keep at least 10 revisions of defs on your GUPs.


    If you're able to track the incoming, can you track the destination traffic?