Control AntiVirus Definition Distribution

When new AntiVirus definitions or engine files become available, the Endpoint Security Server notifies all endpoints that updated files are available. Endpoints that are online then check in and download the new files.

It is possible, however, to stagger definitions distribution so that all endpoints don’t try to retrieve them simultaneously. There are a few reasons why you might want to do this:

  • Provide an opportunity for caching proxies to get the new files first (seed the proxies) so that other endpoints at that location will obtain the files from there instead of pulling them across the network. To achieve this, create a group with a couple of endpoints (that are always online) from each location where a proxy has been added.
  • Test new definitions with a test group prior to rolling the definitions out to the general population. Create a group containing the test endpoints (which could also include the “caching proxy” endpoints above) which will receive the definitions as soon as they are available on the server. Create another group for the general population to receive the definitions some time later. You could also create a third group for corporate critical servers which would receive the definitions after the general population.
  • Alleviate the impact on virtual infrastructures that are sensitive to increases in network latency during AntiVirus Definition distribution.

To apply different delays to these groups, use the “Delay AntiVirus definition distribution” setting in the Agent Policy sets. The default delay is 0. Change this value in the Global Agent Policy set to the delay you want for the general population (e.g. 4 hours). Create a zero-delay agent policy set (with the delay set to 0) and apply this policy set to the test group or cache proxy servers group. Create a critical server policy set with the delay set to a figure greater than that of the general population (e.g. 8 hours). The maximum delay value that can be applied is 72 hours.

Remember that endpoints remain unprotected from new known malware until they receive the latest AntiVirus definitions, so you should minimize any delay in getting definitions to the endpoints to ensure the best protection is available.

An additional option is available to achieve greater predictability for AntiVirus definition distribution and prevent definitions from being made available for distribution during business hours. On the Endpoint Security Server (see screenshot below), you can set the AntiVirus Subscription Service download time from GSS to Server. This allows the Administrator to control when AntiVirus definitions and engine files are downloaded to the Endpoint Security Server, which acts as the starting point for the subsequent delivery to endpoints.
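The following planning script is an added example, not part of the product or its documentation. It checks a staggered rollout (the policy-set delays and the server download time described above) before you enter the values in the console. It assumes each delay is counted from the server download time and that business hours are 08:00 to 18:00, Monday to Friday; the group names and sample dates are constructed.

```python
from datetime import datetime, timedelta

MAX_DELAY_HOURS = 72  # maximum delay the policy setting accepts, per the text above

# Constructed sample: server download scheduled for Monday 22:00.
EXAMPLE_DOWNLOAD = datetime(2024, 1, 8, 22, 0)
EXAMPLE_DELAYS = {"test-and-proxies": 0, "general": 4, "critical-servers": 8}
EXAMPLE_ORDER = ["test-and-proxies", "general", "critical-servers"]


def plan_rollout(server_download, delays, order, business=(8, 18)):
    """Return (schedule, problems) for a staggered definition rollout.

    server_download: datetime the server fetches new definitions
                     (assumed to be the start of every group's delay)
    delays:   {group name: delay in hours}, one entry per agent policy set
    order:    group names in the intended order of receipt, earliest first
    business: (start_hour, end_hour), end exclusive, Monday-Friday (assumption)
    """
    schedule, problems = {}, []
    for group, hours in delays.items():
        # The setting only accepts 0 to 72 hours.
        if not 0 <= hours <= MAX_DELAY_HOURS:
            problems.append(f"{group}: delay {hours}h outside 0-{MAX_DELAY_HOURS}h")
            continue
        available = server_download + timedelta(hours=hours)
        schedule[group] = available
        # Flag groups whose download window opens during business hours.
        if available.weekday() < 5 and business[0] <= available.hour < business[1]:
            problems.append(
                f"{group}: available {available:%a %H:%M}, inside business hours")
    # Each later tier must wait strictly longer than the tier before it,
    # otherwise the test group gives no head start.
    ranked = [g for g in order if g in schedule]
    for earlier, later in zip(ranked, ranked[1:]):
        if delays[later] <= delays[earlier]:
            problems.append(
                f"{later}: delay must exceed {earlier}'s ({delays[earlier]}h)")
    return schedule, problems


if __name__ == "__main__":
    schedule, problems = plan_rollout(EXAMPLE_DOWNLOAD, EXAMPLE_DELAYS, EXAMPLE_ORDER)
    for group, when in schedule.items():
        # The delay is also the time the group stays on old definitions.
        print(f"{group:18} {when:%a %H:%M}  (exposed {EXAMPLE_DELAYS[group]}h)")
    print("\n".join(problems) or "no problems found")
```
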