This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

¿How to configure more time for SEC updates?

 Hi,

¿How can i configure the time SEC control panel decide a endpoint is updated or not?

I mean. Now it's 10:00h and last endpoint update was at 9:26. SEC says that endpoint is not up to date. How can i increase that value to 12-24h?

Thanks in advance.

 



This thread was automatically locked due to age.
Parents
  • Hello mariano pop,

    first of all, some explanation what the value means. You might notice that the time is the same for all entries - quite unlikely that the endpoints have all updated at the same time.
    The value does not represent an endpoint's last update time but the time the next package became available. Well, that's not of much help so: Package means a specific combination of software and threat detection data. When SUM downloads new detection data or software it records the package's contents along with the timestamp when it has been deployed. When an endpoint updates it sends the according information from its installation to the management server which uses this information to determine whether the endpoint has the latest package installed or not. If you right-click View computer details you'll find for the out-of-date endpoints a Time next package became available value. If this value exists it (actually an adjusted value, more below) is displayed as Not since (No desde). Note that this is always the value for the next package (i.e. the oldest the endpoint has not yet installed), not the latest. Time installed package became available is actually a little bit confusing as it refers to the time of the base detection data (right now 4.53) update.
    When new data is available endpoints are supposed to update according to the policy - by default within 10 minutes. Again by default the management server allows 60 minutes before it reports endpoints as out-of-date. If you compare the Not since to the Time next package became available you'll notice the former is one hour off. In your case it means the endpoints have not updated since at least 8:26:58. The might have failed to send a status message for whatever reason, the might actually have an update interval longer than one (rather two in your case) hour. Thus you should consider increasing the latency only if your updating policy has an interval considerably longer than the default 10 minutes.

    The Dashboard Out-of-date computers count considers only connected computers. As protection data is updated several times a day the Not since indicates endpoints with potential (updating) problems. If a connected endpoint hasn't updated in the last hour it's not very likely that it will do so if you give it 12 or 24.

    Christian

  • Thanks for your answer. It's very descriptive.

     

    My updating policy is setup to 1440 minutes (24h).  Should i consider decrease that value?

    Why would i want a connection every 10 minutes to server from every endpoint?

    How many times a day Sophos can release new updates/virus definitions?

     

     

     

     

  • Hello mariano pop,

    How many times a day
    several times, e.g. 5 yesterday. Having the latest data or not makes a difference if there's a new campaign.  

    1440 minutes
    in the light of the above you should decrease it - how often does SUM check for updates (the maximum is 1440 and it's far from ideal)?

    a connection every 10 minutes
    isn't very expensive. And it's just a comparison of a few catalogs. Why wouldn't you want the latest data as soon as it becomes available? Threats don't consider your updating schedule [:)]

    Christian 

  • Hi QC,

     

    I changed some values and now i have this configuration, with this advertisments. (see picture below)

    I still think this is not working as expected, because it should say it's not up to date after ... ¿24h? // ¿1h? as you explained before?

    But with 15minutes difference, it already says that is not up-to-date.

    There is something out of my control.

     

  • Hello mariano pop,

    I'll give a detailed answer tomorrow, have to add some comments to your picture.
    Meanwhile: How many computers in total? 25 are out of date here - always the same, how long does it take until they are up to date?

    Christian 

  • In total there are 40 computers, but not all active at the same time. There are almost always around 30-35 active at the same time.

    This time it took around 45minutes to get up-to-date all and no error shown at this point.

    Thank you for your patience.

  • Hello mariano pop.

    some comments on your screenshot:

    Protección desdo Sophos in the Dashboard configuration (a) refers to SUM updating from Sophos. If it can't download updates or fails to deploy or apply them for 24 hours you'll get a warning in the Actualización pane. Note that (b) displays the last update which is not necessarily a package update.

    The No desde ... 15:10:44 (c) indicates that SUM performed the last update of the package that applies to these endpoints on 14:10:44 (it's earlier than the Última actualizaión in Actualización but this is ok). The endpoints have not yet reported that they have installed the latest package. This is not quite right, with the interval set to 20 minutes (d) in the policy (are all using the Predeterminada, I think (f) says Igual que la política?) the endpoints should check for updates three times within one hour. You didn't show Alertas y errores - are there any?
    Please double-click a computer (opens Ver detalles del ordenador) and check Hora del último mensaje. As the current time (e) is 15:25 the computers should have made 3 to 4 update attempts since the package was available and either reported success or an error.

    40 computers isn't much, there shouldn't be communication issues which might cause the message to be delayed. Apparently they do update after some time but from what you say it takes much longer than expected. Are they updating via UNC (\\server\SophosUpdate\)?  

    Christian

Reply
  • Hello mariano pop.

    some comments on your screenshot:

    Protección desdo Sophos in the Dashboard configuration (a) refers to SUM updating from Sophos. If it can't download updates or fails to deploy or apply them for 24 hours you'll get a warning in the Actualización pane. Note that (b) displays the last update which is not necessarily a package update.

    The No desde ... 15:10:44 (c) indicates that SUM performed the last update of the package that applies to these endpoints on 14:10:44 (it's earlier than the Última actualizaión in Actualización but this is ok). The endpoints have not yet reported that they have installed the latest package. This is not quite right, with the interval set to 20 minutes (d) in the policy (are all using the Predeterminada, I think (f) says Igual que la política?) the endpoints should check for updates three times within one hour. You didn't show Alertas y errores - are there any?
    Please double-click a computer (opens Ver detalles del ordenador) and check Hora del último mensaje. As the current time (e) is 15:25 the computers should have made 3 to 4 update attempts since the package was available and either reported success or an error.

    40 computers isn't much, there shouldn't be communication issues which might cause the message to be delayed. Apparently they do update after some time but from what you say it takes much longer than expected. Are they updating via UNC (\\server\SophosUpdate\)?  

    Christian

Children
  • I will answer in blue.

     

    QC said:

    Hello mariano pop.

    some comments on your screenshot:

    Protección desdo Sophos in the Dashboard configuration (a) refers to SUM updating from Sophos. If it can't download updates or fails to deploy or apply them for 24 hours you'll get a warning in the Actualización pane. Note that (b) displays the last update which is not necessarily a package update.

    The No desde ... 15:10:44 (c) indicates that SUM performed the last update of the package that applies to these endpoints on 14:10:44 (it's earlier than the Última actualizaión in Actualización but this is ok).  At this point, the time is 15:10:44, but i understood what you mean. The endpoints have not yet reported that they have installed the latest package. This is not quite right, with the interval set to 20 minutes (d) in the policy (are all using the Predeterminada,(some of them have different policy) I think (f) says Igual que la política? Right now i only have 3endpoint "not up-to-date", but are offline, and their status is Esperando politicas. The other are all saying Igual que la politica. the endpoints should check for updates three times within one hour. You didn't show Alertas y errores - are there any? There was only 1 error from 1endpoint that couldn't update.
    Please double-click a computer (opens Ver detalles del ordenador) and check Hora del último mensaje. As the current time (e) is 15:25 the computers should have made 3 to 4 update attempts since the package was available and either reported success or an error. 

    40 computers isn't much, there shouldn't be communication issues which might cause the message to be delayed. Apparently they do update after some time but from what you say it takes much longer than expected. Are they updating via UNC (\\server\SophosUpdate\)? Yes. The updating is via \\server\SophosUpdate\

    Christian

     
    I think there was a small amount of time since i changed configuration to (20min update) till i saw all "up-to-date errors". Right now it's everyting updated and no errors shown.
     
    Thank you very much for your explanation, it  was very usefull.
     
     
     
  • Hello mariano pop,

    At this point, the time is 15:10:44, but i understood what you mean
    I see I've omitted some detail so just to make sure you understand: The package is updated at 14:10:44, the server gives the endpoints (by default) on hour to update and if they haven't it will display No desde ... 15(14+1):10:44. If you'd change the Latency registry value to 10 minutes it'd say 14:20:44.

    Christian

  • QC said:

    Hello mariano pop,

    At this point, the time is 15:10:44, but i understood what you mean
    I see I've omitted some detail so just to make sure you understand: The package is updated at 14:10:44, the server gives the endpoints (by default) on hour to update and if they haven't it will display No desde ... 15(14+1):10:44. If you'd change the Latency registry value to 10 minutes it'd say 14:20:44.

    Christian

     

     
    All clear now. So answearing my first question, changing that time(default 1h) it wouldn't say endpoint is not up-to-date right?
     
    I don't need to do it any more with actual configuration, but where can it be changed that value?
  • Hello mariano pop,

    the link to the knowledgebase article is in my first post.
    Changing the value and consequently what's displayed does not change the fact that an endpoint has not yet updated. In other words: Whether an endpoint has the latest protection data is not a discretionary decision.

    Christian