Endpoint Protection


SEP Client - Content Revisions Question

  • 1.  SEP Client - Content Revisions Question

    Posted Aug 09, 2010 01:03 PM
    I have a number of clients that cannot afford to allocate a lot of disk space. Therefore we are attempting to edit the installer to not cache the install (done) and to set content revisions to 2 (We want to make it the same as SAV10).

    Anyways I found the following information for setting content revisions on the client.

    Question 1 - The information below indicates that the changes don't take effect until the next content update from the manager. What if we don't use the manager for updates? All our clients use LUA on different servers.

    Question 2 - Can this setting be centrally controlled through the SEPM policy?

    Question 3 - What if I don't have the DWORD "CachedEntriesEx"? It appears if the DWORD is missing the value of 5 is used as default. Is there a way to set this value in the installation package? Maybe SEPPREP?

    How to decrease the number of Content Cache definitions stored on the Symantec Endpoint Protection Clients.

    HKEY_LOCAL_MACHINE\Software\Symantec\Symantec Endpoint Protection\Content\{moniker}
    Each moniker should have a "CacheEntries" (DWORD) entry in the registry. This value determines the number of cache entries for that particular moniker.

    If the value does not exist a default value of 5 is used.

     Open the registry

    • Go to the following Moniker {C60DC234-65F9-4674-94AE-62158EFCA433} Key.

      HKEY_LOCAL_MACHINE\Software\Symantec\Symantec Endpoint Protection\Content\{C60DC234-65F9-4674-94AE-62158EFCA433}
      • Locate the CacheEntries and double click on the key
      • Change the CacheEntries key to the desired value (default is 5).

    Note: The changes will not take effect until the next content update from the manager.

    You can control the number of content revisions that the Symantec Endpoint Protection client stores for each content type. Each content type can be configured individually.

    Start > Run > regedit > navigate to HKEY_LOCAL_MACHINE\SOFTWARE\SYMANTEC\Symantec Endpoint Protection\Content\ > Open folder with the intended content moniker name > & then depending on version do the following:

    1. In Symantec Endpoint Protection 11.0 and MR1, adjust the "CachedEntries" DWORD value to the # of cache content revisions to keep.
       
    2. In Symantec Endpoint Protection MR2 and newer, adjust the "CachedEntriesEx" DWORD value to the # of cache content revisions to keep.
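
The registry values described in the post above can be inventoried without changing them. The following PowerShell is an added example, not part of the original post or of Symantec's documentation; the function name `Get-SepContentRevisionSetting` is hypothetical, and the key path, value names and default of 5 are taken from the post.

```powershell
# Read-only inventory of the per-moniker content revision values named in the post.
# Key path, value names and the default of 5 come from the post; nothing is written.
$ContentKey  = 'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\Content'
$ValueNames  = 'CacheEntries', 'CachedEntries', 'CachedEntriesEx'
$DefaultKept = 5   # per the post: used when the value does not exist

function Get-SepContentRevisionSetting {   # hypothetical helper name
    param([string]$Path = $ContentKey)

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Content key not found: $Path"
        return
    }

    # Each subkey of Content is one content moniker, e.g. {C60DC234-...}.
    foreach ($moniker in Get-ChildItem -LiteralPath $Path) {
        $props = Get-ItemProperty -LiteralPath $moniker.PSPath
        $row = [ordered]@{ Moniker = $moniker.PSChildName }
        $anySet = $false

        foreach ($name in $ValueNames) {
            # A key with no values yields $null, so guard before the lookup.
            $prop = if ($props) { $props.PSObject.Properties[$name] } else { $null }
            if ($prop) {
                $row[$name] = [int]$prop.Value
                $anySet = $true
            } else {
                $row[$name] = $null
            }
        }

        # No value present: report the documented default instead of a blank.
        $row['Note'] = if ($anySet) { 'explicit value' } else { "absent, default $DefaultKept" }
        [pscustomobject]$row
    }
}

Get-SepContentRevisionSetting | Sort-Object Moniker | Format-Table -AutoSize
```

Run it on a managed client before and after a policy check-in to see whether a manually set value persists, which is the question the replies below debate.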


  • 2.  RE: SEP Client - Content Revisions Question

    Posted Aug 09, 2010 01:36 PM


  • 3.  RE: SEP Client - Content Revisions Question

    Posted Aug 09, 2010 02:06 PM
    Question 1 - The information below indicates that the changes don't take effect until the next content update from the manager. What if we don't use the manager for updates? All our clients use LUA on different servers.

    The configuration you are seeing in registry is coming from the liveupdate policies. These policies can only be obtained from SEPM, not LUA.



    Question 2 - Can this setting be centrally controlled through the SEPM policy?

    I do not think this can be configured via LU policies.

    Question 3 - What if I don't have the DWORD "CachedEntriesEx"? It appears if the DWORD is missing the value of 5 is used as default. Is there a way to set this value in the installation package? Maybe SEPPREP?

    This setting is in the policies. So, if you configure this manually, then the next time the client gets the policies from SEPM, it will revert back to the original settings.


    Regards,
    Aniket



  • 4.  RE: SEP Client - Content Revisions Question

    Posted Aug 09, 2010 03:04 PM

    If I understand this correctly you cannot control the content revisions unless the SEPM server is used for updates. Setting this policy manually will reset it the next time SEP gets an update from LUA.

    If this is true, wouldn't it also reset when Symantec LU servers are used?



  • 5.  RE: SEP Client - Content Revisions Question

    Posted Aug 09, 2010 03:25 PM
    If these clients are unmanaged and get their updates from LUA, then manual policy changes in the registry should not get overwritten.
    It only gets overwritten when the client contacts SEPM and compares its policies.


  • 6.  RE: SEP Client - Content Revisions Question

    Posted Aug 09, 2010 03:30 PM
    These are all managed clients


  • 7.  RE: SEP Client - Content Revisions Question

    Posted Aug 09, 2010 03:46 PM
    If it's managed clients, then no matter where they take their content updates from, their policy updates will always be from SEPM, so no registry tweak will work.


  • 8.  RE: SEP Client - Content Revisions Question

    Posted Aug 09, 2010 03:48 PM
    Sounds like I need to submit an idea


  • 9.  RE: SEP Client - Content Revisions Question

    Posted Aug 11, 2010 10:00 AM
    I have one more question. I thought SEP was supposed to keep 3 revisions of AV definitions on the system but when I spot checked a few systems I only see one set of AV defs. If I remember correctly SAV kept 2.


  • 10.  RE: SEP Client - Content Revisions Question

    Posted Aug 11, 2010 10:07 AM
    What's even more interesting is that these clients used to have 3 or more definition revisions because I created a post asking about the size of disk space being taken up.

    The difference is that was with MR5 and we were using SEPM server for updates. Since then we have moved our test PCs to RU6 and RU6a and started using internal LUA server for definition updates. Could the LUA make this difference?

    By the way definfo.dat shows only one date of defs as well. I know SAV used to have two dates listed.


  • 11.  RE: SEP Client - Content Revisions Question

    Posted Aug 11, 2010 10:40 AM
    I think I'll start a different post regarding the definition revision issue. I did a few quick tests and additional spot checks and found the following:

    Systems that previously used SEPM for updates and were then moved to internal LUA servers have 2 or 3 definition revisions. The older definition revisions vary among the clients, some are months old but the system does have current defs.

    Systems that were installed recently with the configuration to only use the LUA server only have the current revision of defs. Now I'm testing to see what happens if I point these clients back to SEPM.


  • 12.  RE: SEP Client - Content Revisions Question

    Posted Aug 11, 2010 01:00 PM
    SAV keeps 3 revisions.
    So does SEP, and we cannot control the content revisions in SEP client.


  • 13.  RE: SEP Client - Content Revisions Question

    Posted Aug 12, 2010 10:05 AM
    I've confirmed that using LUA 1.x for updates stops creating the 3 revisions of SEP definitions on the client. Is this a known issue?