
Sophos Endpoint - Updating Policies

Good Morning All, 

We are using the Sophos Enterprise Console, V5.5.0. 

We have noticed that if we choose to update our machines on the hour this is having a performance impact on our SAN. 

Is there a way, without creating a number of updating policies, to stagger updates at an hourly rate? 

I am unable to see anything in the console that would suggest this.

Any feedback/help would be greatly appreciated.  

 

Many Thanks, 

Will Janes. 



  • Hi Will,

    If my understanding of this post is right, I believe you are looking for an option to schedule the communication between endpoints and server once every hour, which I am afraid is not an available feature with SEC (at least, not via UI). However, if this communication is causing load on your SAN, you can consider usage of Message Relays, which might help you delegate communication via a few more servers rather than one Enterprise Console taking over the job.

    Regards,

    Adithyan Thangaraj
    Community Support Engineer | Sophos Technical Support


  • Thanks for the update. Please can you look at putting this functionality in a later release as it would be useful to stagger updates. 

  • Hello Will Janes and Adithyan Thangaraj,

    I'm not sure that there isn't some confusion. A Message Relay won't help if updating is stressing the SAN.

    Are you talking about servers (virtual perhaps) that have their disks on the SAN?

    Christian

  • Hello Christian, 

    Yes, that is correct. When we have set updating to once an hour, we are seeing a latency spike on the hour in our SAN stats, and this is affecting performance.

    Do you know of a way to stagger updates, without having to create a number of update policies to check for updates at a random set of minutes?

    Thanks, 

    Will Janes. 

  • Hello Will Janes (sorry for the mistyped name in my previous post, corrected),

    this happens every hour?

    Before answering your question some remarks and numbers.
    Most updates are null updates - meaning the endpoint compares a few catalogs, finds out that there hasn't been a change, and skips further processing - as new detection items normally arrive three to five times a day. The larger detection data updates (that increment the data version like the recent 5.55 → 5.56) come monthly, software updates less frequently. AFAIK AutoUpdate verifies the cache (depending on the features installed some 1000 files totaling around 350MB or so) when there's an update (of whatever type) - mostly reads. Naturally the large updates also result in writes (first to the cache then to the program location).
    I'm mentioning this because if you have issues during the small updates due to contention I think that the larger updates might cause problems even if evenly distributed over an hour.

    Now update checks occur at fixed intervals (in your case one hour), the first one a few minutes after the AutoUpdate service is started. If all your machines start at the same time then updates will cluster. Furthermore, as with SEC you can only set intervals and not times, different policies won't really help.

    An extreme measure would be to turn off automatic updates and trigger updating with, say, a started task. Obvious drawback - you can't configure this centrally.

    Christian   

  • Hello Christian,

    Not a problem, happens all the time! 

    We have seen it, yes. The spike in latency on the hour. 

    We have two sites. At one site it's currently configured to shoot off updates once a day (needs to be changed). At the other site we have a number of policies in place to a set number of machines to update at a select interval of minutes, 60, 70, 80, 90 etc. We did this to avoid a hit every hour on the SAN.

    Could you go into a little bit more depth on how updates work and how we can resolve the problem we have at the moment without having to go down the route of turning off automatic updates? What would you recommend if we need to get hourly updates to our devices?

    Thanks in advance. 

    Will Janes. 

  • Hello Will Janes,

    how updates work
    I think I've more or less said all I know :).

    Every hour seems strange. As said, AutoUpdate compares its catalogs to the ones in the CID and should note a difference only every so often. I'm not aware of any significant I/O in the null cases. If it does find a difference (normally only for the SAVXP component) it verifies the files (re-)calculating the hashes and compares them to the cataloged values. The savxp cache is slightly less than 300MB, 700+ files. Wonder why this causes a noticeable latency - how many clients use the SAN?

    ... I'll think about alternatives.

    Christian

  • Hello, 

    Good information. Thank you. We have roughly 130+ VMs, most have some form of interaction with the SAN.  

    Thanks Christian. That would be a great help! 

  • Hello Will Janes,

    as said, the so-called null updates shouldn't cause any significant load. If I'm correct regarding AutoUpdate's execution an actual update results in some 300MB read from the cache, practically in one go.

    Unfortunately neither the endpoints' AutoUpdate nor SUM let you specify a point in time. Using several updating policies will provide some relief but eventually there will be collisions. In addition, as mentioned the AutoUpdate service's startup time determines the schedule.
    I see no way to ensure an "even distribution" of updating other than turning off automatic updates and triggering updates via the service.

    Christian
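
The scheduling behaviour discussed in this thread can be modelled to see where the load peaks fall. The following is an added example, not part of the original posts and not Sophos code: it simulates one week of update checks for 130 hosts under a single hourly policy, under the four interval policies mentioned above (60, 70, 80 and 90 minutes), and under externally triggered hourly updates where each host uses a fixed minute derived from a hash of its own name. The host names, the assumption that every AutoUpdate service starts at the same minute, and the hashed-offset scheme are assumptions made for the illustration.

```python
import hashlib
from collections import Counter

HOSTS = [f"vm-{i:03d}" for i in range(130)]  # constructed names; the thread mentions 130+ VMs
WEEK = 7 * 24 * 60                            # simulated minutes

def interval_schedule(hosts, intervals, start=0):
    """Fixed-interval checks; every service is assumed to start at minute `start`."""
    load = Counter()
    for n, _ in enumerate(hosts):
        step = intervals[n % len(intervals)]  # hosts split evenly across the policies
        for t in range(start + step, WEEK + 1, step):
            load[t] += 1
    return load

def hashed_schedule(hosts, period=60):
    """Hourly checks, each host at a fixed minute derived from its own name."""
    load = Counter()
    for host in hosts:
        digest = hashlib.sha256(host.encode()).digest()
        offset = int.from_bytes(digest[:4], "big") % period
        for t in range(period + offset, WEEK + 1, period):
            load[t] += 1
    return load

def peak(load):
    """Return (most hosts checking in one minute, first minute that happens)."""
    worst = max(load.values())
    return worst, min(t for t, n in load.items() if n == worst)

def summary():
    return {
        "hourly": peak(interval_schedule(HOSTS, [60])),
        "four_policies": peak(interval_schedule(HOSTS, [60, 70, 80, 90])),
        "hashed_offset": peak(hashed_schedule(HOSTS)),
    }

if __name__ == "__main__":
    for name, (hosts, minute) in summary().items():
        print(f"{name:14s} peak {hosts:3d} hosts, first at minute {minute}")
```

With a common start time the four interval policies realign at minute 5040 (the least common multiple of 60, 70, 80 and 90), so all 130 hosts check at once again after 3.5 days, while the hashed offset keeps the per-minute peak low without any central coordination.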