Endpoint Protection


How to tell whether Clients are receiving AV definitions from GUPs


  • 1.  How to tell whether Clients are receiving AV definitions from GUPs

    Posted Apr 05, 2012 09:44 AM

    Hello,

    We are in the process of configuring our clients to get AV definitions from GUPs.

    I thought the only way to determine whether a client is receiving AV definitions from a GUP is in the SEP client logs. See attached.

    Is there ANOTHER way to tell if clients are downloading and applying definitions from the GUP?



  • 2.  RE: How to tell whether Clients are receiving AV definitions from GUPs

    Posted Apr 05, 2012 09:59 AM

    From RU7 you can use the client activity log.

    Also, Sylink logs will give you this information.

    How to enable Sylink debugging for the Symantec Endpoint Protection 11.x and 12.1 client in the Windows Registry

    http://www.symantec.com/business/support/index?page=content&id=TECH104758

    Hope this helps.



  • 3.  RE: How to tell whether Clients are receiving AV definitions from GUPs

    Broadcom Employee
    Posted Apr 05, 2012 10:05 AM

    If the LU policy setting is not to bypass the GUP, then you can conclude that the machine is getting the updates from the GUP, unless LiveUpdate is enabled on the client.



  • 4.  RE: How to tell whether Clients are receiving AV definitions from GUPs

    Broadcom Employee
    Posted Apr 05, 2012 10:15 AM

    Hi RSASKA,

    Check this article

    How to confirm if Clients are receiving LiveUpdate content from Group Update Providers (GUPs)

    http://www.symantec.com/business/support/index?page=content&id=TECH97190&locale=en_US

    Also, check this tool:

    https://www-secure.symantec.com/connect/downloads/sep-content-distribution-monitor



  • 5.  RE: How to tell whether Clients are receiving AV definitions from GUPs

    Trusted Advisor
    Posted Apr 05, 2012 10:17 AM

    Hello,

    When we collect sylink.log and debug.log from the client machine, we can find out whether the client is receiving updates from the SEPM or from a GUP.

    Example:

    http://www.symantec.com/docs/TECH169750

    And here is an example of a Sylink log from a client requesting an update from a GUP:


      <luthreadproc></luthreadproc><LUThreadProc>Starting LU download.
    03/24 14:29:04 [2232] <LUThreadProc>Got a valid context from GetCurrentServerEx
    03/24 14:29:04 [2232] <LUThreadProc>Setting the session timeout on LUSession to 2 min.
    03/24 14:29:04 [2232] <mfn_MakeGetLUFileIISUrl:>Requested Content Path is:
    /content/{C60DC234-65F9-4674-94AE-62158EFCA433}/80324005/delta80323019.dax
    03/24 14:29:04 [2232] <GetLUFileRequest:>IIS URL: /content/{C60DC234-65F9-4674-94AE-62158EFCA433}/80324005/delta80323019.dax
    03/24 14:29:04 [2232]
    <GetLUFileRequest:>http://192.168.2.5:2967/content/{C60DC234-65F9-4674-94AE-62158EFCA433}/80324005/delta80323019.dax
    03/24 14:29:04 [2232] <GetLUFileRequest:>NEW download: C:\Program Files\Symantec\Symantec Endpoint Protection\LiveUpdate\LUF5.tmp
    03/24 14:29:04 [2232] <UpdateLUFileList:>Updating existing Download File List with : {C60DC234-65F9-4674-94AE-62158EFCA433}80324005
    03/24 14:29:04 [2232] <UpdateLUFileList:>Updating existing Download File List Temp file name from:  to C:\Program Files\Symantec\Symantec Endpoint Protection\LiveUpdate\LUF5.tmp
    03/24 14:29:04 [2232] 14:29:4=>Sending HTTP REQUEST to download LU file
    03/24 14:29:05 [2232] 14:29:5=>HTTP REQUEST sent
    03/24 14:29:05 [2232] <GetLUFileRequest:>IIS return=200
    03/24 14:29:05 [2232] <mfn_DoGetLUFile200>Downloading LU file from server. Moniker: {C60DC234-65F9-4674-94AE-62158EFCA433}Server File Path:/content/{C60DC234-65F9-4674-94AE-62158EFCA433}/80324005/delta80323019.daxLocal Path:C:\Program
    Files\Symantec\Symantec Endpoint Protection\LiveUpdate\LUF5.tmp
    03/24 14:29:05 [2232] <mfn_DoGetLUFile200>Content Length => 35403
    03/24 14:29:05 [2232] <UpdateLUFileList:>Updating existing Download File List with : {C60DC234-65F9-4674-94AE-62158EFCA433}80324005
    03/24 14:29:05 [2232] <UpdateLUFileList:>Updating existing Download File List Temp file name from: C:\Program Files\Symantec\Symantec Endpoint Protection\LiveUpdate\LUF5.tmp to C:\Program Files\Symantec\Symantec Endpoint Protection\LiveUpdate\LUF5.tmp
    03/24 14:29:05 [2232] <mfn_DoGetLUFile200>LU Content Downloaded.  Moniker: {C60DC234-65F9-4674-94AE-62158EFCA433} Target     Seq:80324005 Full version:0 Delta Base Seq:80323019
    03/24 14:29:05 [2232] <PostEvent>going to post event=EVENT_LU_DOWNLOAD_COMPLETED
    03/24 14:29:25 [2224] <CSyLink::mfn_DownloadNow()>
    03/24 14:29:25 [2224] </CSyLink::mfn_DownloadNow()>
    03/24 14:29:30 [2232] <PostEvent>done post event=EVENT_LU_DOWNLOAD_COMPLETED, return=0

    Reference: http://www.symantec.com/docs/TECH104539

    Hope that helps!!


  • 6.  RE: How to tell whether Clients are receiving AV definitions from GUPs

    Posted Apr 05, 2012 10:23 AM

    An indirect way for SEP 11 is to use the IIS logs. Don't forget to check if logging of the SEP content folder is enabled.
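The IIS-log approach described in the reply above works on the SEPM side: every client that downloads a definition file from the SEPM itself shows up in the IIS W3C log as a GET under /content/, so a client that never appears there is being served elsewhere (by a GUP) or is not updating at all. The script below is an added example, not code from the thread or from Symantec; it parses a constructed IIS W3C log excerpt (the field layout is the standard IIS one, the IPs and sequence numbers are made up) and reports which client IPs pulled content directly from the SEPM and which known clients never did.

```python
import re
from collections import Counter

# Constructed IIS W3C log excerpt (not a real SEPM log). The field order is the
# default IIS W3C layout; SEP definition files are served from /content/ on the SEPM.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2012-04-05 09:44:01 10.0.0.5 GET /content/{C60DC234-65F9-4674-94AE-62158EFCA433}/80324005/delta80323019.dax - 8014 - 10.0.1.17 - 200 0 0
2012-04-05 09:44:03 10.0.0.5 GET /secars/secars.dll action=12 8014 - 10.0.1.17 - 200 0 0
2012-04-05 09:45:10 10.0.0.5 GET /content/{C60DC234-65F9-4674-94AE-62158EFCA433}/80324005/delta80323019.dax - 8014 - 10.0.1.42 - 200 0 0
2012-04-05 09:45:12 10.0.0.5 GET /content/{C60DC234-65F9-4674-94AE-62158EFCA433}/80324005/delta80323019.dax - 8014 - 10.0.1.42 - 404 0 2
2012-04-05 09:46:00 10.0.0.5 GET /content/{C60DC234-65F9-4674-94AE-62158EFCA433}/80324005/delta80323019.dax - 8014 - 10.0.1.17 - 200 0 0
"""


def parse_w3c(text):
    """Turn an IIS W3C log into a list of dicts keyed by the names in the #Fields: header."""
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # header names, in column order
            continue
        if not line.strip() or line.startswith("#"):
            continue                           # other directives and blank lines
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue                           # cannot map this row to the header; skip it
        rows.append(dict(zip(fields, values)))
    return rows


def content_pulls_from_sepm(text):
    """Count successful /content/ downloads per client IP.

    Every client listed here fetched definitions from the SEPM directly,
    i.e. it did NOT get that content from a GUP.
    """
    counts = Counter()
    for row in parse_w3c(text):
        if row["cs-uri-stem"].startswith("/content/") and row["sc-status"] == "200":
            counts[row["c-ip"]] += 1
    return counts


def clients_absent_from_sepm(known_clients, counts):
    """Clients from your inventory that never hit /content/ on the SEPM.

    This is the indirect part: absence means either a GUP served them or they
    are not updating at all, so confirm with the client-side Sylink log.
    """
    return sorted(set(known_clients) - set(counts))


if __name__ == "__main__":
    pulls = content_pulls_from_sepm(SAMPLE_IIS_LOG)
    for ip, n in pulls.most_common():
        print(f"{ip} pulled {n} definition file(s) directly from the SEPM")
    # Hypothetical inventory of client IPs for the site (constructed).
    print("never seen on SEPM:", clients_absent_from_sepm(["10.0.1.17", "10.0.1.42", "10.0.1.99"], pulls))
```

Point it at the real log folder (the SEPM's IIS site log, with logging of the content folder enabled as the reply notes) and compare the result against the client list from the SEPM console; a client that keeps appearing here after GUPs were rolled out is bypassing them.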



  • 7.  RE: How to tell whether Clients are receiving AV definitions from GUPs

    Posted Apr 05, 2012 01:22 PM

    @ Pete: I set up the LU policy for clients to retrieve defs from GUPs, and have confirmed from their System Logs that they are in fact receiving the updates from the GUP.

    @ Mithun: I ran Sylink Monitoring and instead of this:

    <GetLUFileRequest:>http://192.168.2.5:2967/content/{C60DC234-65F9-4674-94AE-62158EFCA433}/80324005/delta80323019.dax
    03/24 14:29:04 [2232] <GetLUFileRequest:>NEW download: C:\Program Files\Symantec\Symantec Endpoint Protection\LiveUpdate\LUF5.tmp

    I get this:

    04/04 02:15:38 [5928] Request> http://[IP ADDRESS]:2967/content/{D3769926-05B7-4ad1-9DCF-23051EEE78E3}/120403001/xdelta120401001.dax
    04/04 02:15:38 [5928] Unable to query return content length for SendRequest, 122

    Yet, I am being told that the client is downloading AV from the GUP, even though it does not mention this in the System logs.

    Kindly explain where in the logs (uploaded) it indicates that the client is retrieving AV from GUPs.

    ::::EDIT::::


    I mean, I see the following in the logs:

    04/04 02:15:38 [5928] Request> http://[IP ADDRESS]:2967/content/{D3769926-05B7-4ad1-9DCF-23051EEE78E3}/120403001/xdelta120401001.dax
    04/04 02:15:38 [5928] Unable to query return content length for SendRequest, 122
    04/04 02:15:38 [5928] </CHttpConnector::SendRequest()>
    04/04 02:15:38 [5928] <CHttpFileDownload::read()>
    04/04 02:15:38 [5928] </CHttpFileDownload::read()>
    04/04 02:15:38 [5928] </CHttpFileDownload::Do()>
    04/04 02:15:38 [5928] <LUDownloader::GetContentToFile> completed.
    04/04 02:15:38 [5928] <CHttpFileDownload::~CHttpFileDownload()>
    04/04 02:15:38 [5928] </CHttpFileDownload::~CHttpFileDownload()>
    04/04 02:15:38 [5928] <UpdateLUFileList:>Updating existing Download File List with : {D3769926-05B7-4ad1-9DCF-23051EEE78E3}120403001
    04/04 02:15:38 [5928] <ProcessLUDownloadedFile>LU Content Downloaded.  Moniker: {D3769926-05B7-4ad1-9DCF-23051EEE78E3} Target Seq:120403001 Full version:0 Delta Base Seq:120401001
    04/04 02:15:38 [5928] <PostEvent>going to post event=EVENT_LU_DOWNLOAD_COMPLETED

    But I cannot understand HOW it is retrieving the AV from the GUP rather than from the SEPM.

    The reason we implemented GUPs is to reduce network traffic to our SEPM.

    Thanks!!!

    Attachment: Sylink_3.txt (822 KB)
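The two Sylink excerpts in this thread (the older `<GetLUFileRequest:>http://...` style in reply 5 and the `Request> http://...` style in the post above) both carry the one fact that answers the question: the host and port the content URL was fetched from. A client is getting definitions from a GUP when that host is one of the GUPs in the LiveUpdate policy, and the download actually finished when a matching `LU Content Downloaded ... Target Seq:` line follows. The script below is an added example, not code from the thread or from Symantec; it parses a constructed Sylink excerpt mixing both line styles, classifies each download by its source, and checks that each request has a completion line. The GUP address list and all IPs are assumptions; port 2967 is SEP's default GUP port.

```python
import re
from collections import Counter

# Constructed Sylink excerpt (not a real capture). It mixes the older
# "<GetLUFileRequest:>" entry style and the RU7-style "Request>" entry style
# seen in this thread, plus the "LU Content Downloaded" completion lines.
SAMPLE_SYLINK = """\
03/24 14:29:04 [2232] <GetLUFileRequest:>http://192.168.2.5:2967/content/{C60DC234-65F9-4674-94AE-62158EFCA433}/80324005/delta80323019.dax
03/24 14:29:05 [2232] <GetLUFileRequest:>IIS return=200
03/24 14:29:05 [2232] <mfn_DoGetLUFile200>LU Content Downloaded.  Moniker: {C60DC234-65F9-4674-94AE-62158EFCA433} Target Seq:80324005 Full version:0 Delta Base Seq:80323019
04/04 02:15:38 [5928] Request> http://10.0.0.20:2967/content/{D3769926-05B7-4ad1-9DCF-23051EEE78E3}/120403001/xdelta120401001.dax
04/04 02:15:38 [5928] Unable to query return content length for SendRequest, 122
04/04 02:15:38 [5928] <ProcessLUDownloadedFile>LU Content Downloaded.  Moniker: {D3769926-05B7-4ad1-9DCF-23051EEE78E3} Target Seq:120403001 Full version:0 Delta Base Seq:120401001
04/04 02:16:02 [5928] Request> http://10.0.0.5:8014/content/{D3769926-05B7-4ad1-9DCF-23051EEE78E3}/120403002/xdelta120403001.dax
"""

# Assumed GUP addresses for this site (hypothetical); in practice take them from
# the LiveUpdate policy's GUP list. 2967 is the default GUP listening port.
GUP_HOSTS = {"192.168.2.5:2967", "10.0.0.20:2967"}

# A content download request, in either line style: timestamp, thread id, then a
# URL of the form http://host:port/content/{moniker}/<sequence>/<file>
REQUEST_RE = re.compile(
    r"(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[(?P<tid>\d+)\] .*?"
    r"https?://(?P<host>[^/\s]+)/content/(?P<moniker>\{[0-9A-Fa-f-]+\})/(?P<seq>\d+)/"
)
# The completion line written once the file has been fetched and accepted.
DOWNLOADED_RE = re.compile(
    r"LU Content Downloaded\.\s+Moniker:\s*(?P<moniker>\{[0-9A-Fa-f-]+\})\s*Target\s+Seq:(?P<seq>\d+)"
)


def parse_sylink(text, gup_hosts):
    """Return one record per content request: where it went and whether it completed."""
    completed = set()
    for line in text.splitlines():
        m = DOWNLOADED_RE.search(line)
        if m:
            completed.add((m.group("moniker").upper(), m.group("seq")))

    records = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        key = (m.group("moniker").upper(), m.group("seq"))
        records.append({
            "time": m.group("ts"),
            "host": m.group("host"),
            "moniker": key[0],
            "seq": key[1],
            "source": "GUP" if m.group("host") in gup_hosts else "SEPM/other",
            "completed": key in completed,   # matching "LU Content Downloaded" seen
        })
    return records


def summarize(records):
    """Count downloads by (source, completed) so a glance shows who is serving this client."""
    return Counter((r["source"], r["completed"]) for r in records)


if __name__ == "__main__":
    recs = parse_sylink(SAMPLE_SYLINK, GUP_HOSTS)
    for r in recs:
        status = "completed" if r["completed"] else "NOT completed"
        print(f'{r["time"]}  seq {r["seq"]}  from {r["host"]:<18} {r["source"]:<10} {status}')
    print(summarize(recs))
```

Note that the "Unable to query return content length for SendRequest, 122" line in the post above is not itself a failure indicator for this purpose; the same thread id goes on to log `LU Content Downloaded` for that moniker and sequence, which is what the script keys on. Run it across the collected Sylink logs of a few clients after the GUP rollout: every `SEPM/other` entry is a client (or a moment) where the GUP was bypassed.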


  • 8.  RE: How to tell whether Clients are receiving AV definitions from GUPs
    Best Answer

    Trusted Advisor
    Posted Apr 06, 2012 04:41 AM

    Hello,

    Do you have a Replication set?

    Check the Solution provided in the Thread below:

    https://www-secure.symantec.com/connect/forums/gup-group-update-priver-running-crazy-has-anyone-seen-something

    and check this Article:

    http://www.symantec.com/docs/TECH96419

    A very similar issue.

    Hope that helps!!



  • 9.  RE: How to tell whether Clients are receiving AV definitions from GUPs

    Posted Apr 06, 2012 04:55 AM

    You can use NetFlow software.

    NetFlow Analyzer is a bandwidth monitoring and network forensics tool which provides in-depth visibility into network traffic and its patterns.

    A trial version can be found here:

    http://www.manageengine.com/products/netflow/netflow-monitoring.html



  • 10.  RE: How to tell whether Clients are receiving AV definitions from GUPs

    Posted Apr 06, 2012 08:47 AM

    @ Mithun and Ashish - will research your suggestions on Monday - Thank you!



  • 11.  RE: How to tell whether Clients are receiving AV definitions from GUPs

    Posted Apr 06, 2012 08:54 AM


  • 12.  RE: How to tell whether Clients are receiving AV definitions from GUPs

    Posted Apr 10, 2012 04:01 PM

    OK, it turns out that if the SEP client is lower than RU6 MP2, then it bounces from SEPM to SEPM and there is no way to confirm whether the SEP client is receiving AV defs from the GUP or the SEPM.

    Now we are deploying RU7 MP1, and these same SEP clients now show (in System logs) that they are getting AV defs from GUPs. And no bouncing from SEPM to SEPM!!!