Admins who have chosen to implement LiveUpdate Administrator 2.x (LUA 2.x) on their network are often surprised at how much bandwidth and space this internal LiveUpdate server consumes. There can be a lot of confusion over what is normal, and questions about whether the product is purging old content correctly or whether something is wrong. This article describes some common situations and offers advice and answers.
First off: not every network needs LUA 2.x to keep its Symantec products up-to-date. LUA is a fantastic tool when used correctly on capable hardware, but in many situations there are other solutions which are recommended. In an environment where Symantec Endpoint Protection is the only Symantec product, and the endpoints and Symantec Endpoint Protection Managers (SEPMs) do have Internet access, it's usually best to allow the SEPMs to download and distribute all the necessary contents by themselves. Some additional details (and situations when LUA 2.x is actually required) are described in the following article:
When is it Recommended to Use LiveUpdate Administrator 2.x with Symantec Endpoint Protection?
Article URL http://www.symantec.com/docs/TECH154896
Also, definitely read this article:
Best Practices for LiveUpdate Administrator (LUA) 2.x
Article URL http://www.symantec.com/docs/TECH93409
What Gets Stored, Where? Why?
Why are there "duplicate" copies of the same files seen on the drive where LUA is installed? This is by design. There are typically 3 separate places that LUA will use for content.
- “TempDownload” which is where updates are saved until they have been successfully retrieved from the Internet and moved to the permanent storage location (“Manage Updates”). This location can be set in the LUA server’s preferences. It does not need to be on the same default C drive. It is normal for this folder to be empty after the materials have been downloaded successfully and transferred to their “permanent” location.
(One technical note: despite its name, this folder is used as temporary space during both Download and Distribution tasks, not just downloads. If a download task and separate distribution task are running at the same time, TempDownload will temporarily grow quite large.)
- The “Manage Updates” folder: this is the location where the LUA program keeps its “permanent” copies of materials. Usually, on a Windows 2003 server, that is "C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate Administrator\Downloads." In releases prior to LUA 2.3.2, this location cannot be moved after LUA is installed. The copies kept here are used to distribute the materials to all the Distribution Centers (DC’s) as needed.
- The “Distribution Center.” This is where Symantec products come to collect what they need. The default DC is called “clu-prod” and it is on the same C drive. A LUA server can have up to 100 DC’s all throughout the network.
- Add one more if the optional "clu-test" Testing Distribution Center is used.
Some additional info can be found in the following article, and the articles linked from it:
Is it Possible to Configure LiveUpdate Administrator 2.x Download Directory Locations?
Article URL http://www.symantec.com/docs/TECH138380
Today's AntiVirus signature files are very large in order to protect against the millions of known threats. So, these updates that LUA stores can consume quite a bit of space. The figures in the following article date from 2010, but provide a rough estimation:
How much hard disk space is consumed by LiveUpdate Administrator 2.x for content updates?
Article URL http://www.symantec.com/docs/TECH90823
If space is growing short on the drive where LUA is installed, here are a couple of recommended actions:
- Many customers who are running out of space have added a new disk or virtual disk and used that for TempDownloads. This reduces the burden that LUA places on the C drive.
- Another solution: there’s no requirement to use this default clu-prod. One definite way to reduce the amount of space needed on the C drive would be to establish a DC on a different server that has ample space, then configure the various Symantec products to retrieve their updates from there. Details of how to do this can be found in the Connect Forum article and video on LiveUpdate Administrator: How to configure a remote Distribution Center
- Don't use one overloaded LUA server to download all the products that the entire organization needs. If server capabilities are very limited, dedicate one LUA for SEP updates, another LUA server for Scan Engine and so forth.
- Also: determine if LUA is actually configured to download what the organization needs, and no more. Read on...
What is Taking Up So Much Space?
LUA 2.x can locally mirror everything that is on Internet-based LiveUpdate source servers. That is an enormous amount of materials. A common misconfiguration is just to "check" the entire product family when determining what LUA will download and distribute.
The good news is that LUA allows excellent granularity. If, for example, a company only uses the AntiVirus capabilities of SEP in their organization, LUA can be configured to download just the AV contents- saving many, many GB worth of materials that would never be used. Here is an illustration of what to check (and leave unchecked!) in an organization of 32-bit SEP clients which retrieve their AV defs directly from the LUA server:
The following resources can help admins to determine how best to configure their LUA:
LiveUpdate Administrator 2.x: What product selections are needed for specific versions of Symantec Endpoint Protection?
Article URL http://www.symantec.com/docs/TECH139618
LiveUpdate Administrator: Product Selection Guide
It requires experience to recognize the corresponding product and purpose of the files that LUA downloads and distributes. If, when examining the file system, there is ever a question about what a file is and does (and whether or not it is supposed to be present!), use LUA's "Manage Updates" page.
How To Determine the Corresponding Product for a LiveUpdate Administrator 2.x File
Article URL http://www.symantec.com/docs/TECH131177
Why is there one larger-than-normal download every month?
A set of current monthly definitions (sometimes called "hub," "full" or "error" definitions) is published once per month for AntiVirus products (SEP 11 and Symantec AntiVirus 10.1). Note that there are separate hub defs for Macintosh, 64-bit components, and 32-bit components. LiveUpdate cannot operate without them, so the LUA server always downloads these large full definitions once per month. (These "hub defs" are usually released on the Tuesday that is closest to the 15th of the month.)
Some examples of SEP Hub-to-Hub defs:
An example of SEP Full defs:
Some examples of SEP for Mac full defs:
Additional details on how LiveUpdate works to update AntiVirus clients (and the various types of files it uses) can be found in the following articles:
Symantec Endpoint Protection 11.x LiveUpdate "Micro Definition" Updates Explained
Article URL http://www.symantec.com/docs/TECH180196
LiveUpdate Administrator disk space usage is increasing in time even though purge is enabled and apparently working as expected.
Article URL http://www.symantec.com/docs/TECH186728
What does an unmanaged Symantec Endpoint Protection 11 client retrieve from LiveUpdate for its definitions
Article URL http://www.symantec.com/docs/TECH169751
Shouldn't LUA Purge Old Files?
In a word: yes, it does. Here is an extract from the User Guide which describes how purging and revision management are designed to work:
Configuring LiveUpdate Administrator preferences
You can also set schedules and rules for purging older updates, both in the Manage Updates folder and in Distribution Centers. When you download updates, they are copied to the Manage Updates location that you specified during installation. LiveUpdate Administrator distributes updates to your Distribution Centers, where they remain until you remove them. You can purge old updates from your Distribution Centers to free disk space. By default, updates in Distribution Centers are purged daily. However, you can change this setting to never purge updates automatically, or to purge them monthly or weekly.
All updates in the Manage Updates folder, except for the latest three revisions, are set to be purged daily by default. However, you can specify rules for the Manage Updates folder purge to determine which updates to delete, based upon the age of the revision or when the updates were initially downloaded. For example, you can purge updates older than 10 revisions back or purge the updates that were downloaded more than 10 days back.
Note: Even with a single content update revision, LiveUpdate Administrator can typically provide incremental content updates to connecting clients that have content outdated for up to 12 months.
Typically, Symantec recommends that you configure LiveUpdate Administrator to store no more than three update revisions. The primary reasons are to ensure that it is possible to rollback to a previous version of content in the unlikely event of corrupted content or a false positive, while also minimizing disk space usage.
A purge does not delete the latest revision even if it satisfies the purge rule. For example, a revision may be more than 10 days old, but it is not deleted if it is the latest revision.
Purging in LUA does not operate in a similar way to "keeping X number of content revisions" in a SEPM. Some files which can seem very old are retained by LUA. This is by design: LUA mirrors Internet contents, rather than creating deltas. As certain content updates rarely change, the initial files will be the most recent release available even though they date back several months. An example: SESM AntiVirus client update files.
- Tuesday, February 22, 2011 1:59 PM 15025400 1256246532 jtun_sesmantivirusclientwin32_1567to333_20090918437_51903.zip
- Tuesday, February 22, 2011 1:58 PM 12113593 1256246532 jtun_sesmantivirusclientwin32_19to333_20090918984_51174.zip
- Tuesday, February 22, 2011 1:58 PM 13136468 1256246532 jtun_sesmantivirusclientwin32_2224to333_20090918765_46396.zip
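The purge rules quoted above can be modelled in a few lines to show why a months-old file survives every purge. This is an added example, not LUA's own code: the `Revision` type, the `purge_candidates` function, the revision names and the dates are all constructed for illustration, and the reading of "N revisions back" as "keep the newest N" is an assumption.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Revision:
    name: str         # constructed label, not a real LUA file name
    downloaded: date  # when the download task fetched it

def purge_candidates(revisions, today, keep_revisions=None, max_age_days=None):
    """Names of revisions of one product that a purge would delete.

    Assumed model of the documented rules: a revision is purged when it is
    further back than `keep_revisions`, or was downloaded more than
    `max_age_days` ago, but the latest revision is always retained.
    """
    newest_first = sorted(revisions, key=lambda r: r.downloaded, reverse=True)
    purged = []
    for position, rev in enumerate(newest_first):
        if position == 0:
            continue  # the latest revision survives every rule
        beyond_count = keep_revisions is not None and position >= keep_revisions
        beyond_age = (max_age_days is not None
                      and (today - rev.downloaded).days > max_age_days)
        if beyond_count or beyond_age:
            purged.append(rev.name)
    return purged

# Constructed sample: one component updated daily, one that rarely changes.
TODAY = date(2011, 2, 22)
DAILY_DEFS = [Revision(f"defs-rev{n}", TODAY - timedelta(days=5 - n))
              for n in range(1, 6)]  # defs-rev5 was downloaded today
RARE_UPDATE = [Revision("client-update-rev1", date(2010, 9, 18))]

if __name__ == "__main__":
    for label, revs in (("daily defs", DAILY_DEFS), ("rare update", RARE_UPDATE)):
        print(label, "keep 3  ->", purge_candidates(revs, TODAY, keep_revisions=3))
        print(label, "10 days ->", purge_candidates(revs, TODAY, max_age_days=10))
```

The rarely changing component returns an empty purge list under both rules, which matches the retained files listed above.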
The "Manage Updates" page can display when a particular file or product last updated a component.
Also: examine the LUA Event Log for any errors regarding "Distribution Center Cleanup," "Purge Schedule" and "Delete Content." These errors can take place in the event of LUA database corruption, failure to delete files that were locked by other processes, etc.
Can Files Be Purged Manually?
Though Windows will allow it, it is NOT recommended to manually delete files that are in LUA's TempDownloads, Manage Updates and Distribution Center locations. Doing so will throw the LUA database out of alignment with what is present on the disk. In case this has been done, please read:
What to do if you have Manually Deleted Files from a LiveUpdate Administrator 2.x Distribution Center?
Article URL http://www.symantec.com/docs/TECH132036
An "emergency purge" option may be added to a future release of LUA. There is a Connect Forum "Idea" (proposed enhancement request) that can be supported by those who wish to voice their interest in such an option: "Purge Now" Button for LiveUpdate Administrator 2.x
The best current solution, if it is strongly believed that an existing DC contains files that it should not:
- Back up the LUA 2.x server's settings
- Back up the contents of the DC
- Delete the DC in LUA's Configure / Distribution Centers GUI
- Afterward, re-create the DC with the same location, name, etc
This will wipe out all of the current contents and replace them with only the current, known-good, valid materials from the LUA server's Manage Updates directory.
There are a number of proposed changes to the way that LUA handles its content. Admins may wish to cast a vote in support of the following enhancements to the way LUA manages updates and displays information about them:
Additional suggestions from LUA admins can be created in the Ideas. Please do contribute any suggestions for improvements you would like to see in a future release!
Many thanks for reading! Please do leave comments, below, if you find this article helpful or unhelpful.