Symantec Endpoint Protection: The Heartbeat Process

This guide provides information on the process performed when the Symantec Endpoint Protection (SEP) client checks in with the Symantec Endpoint Protection Manager (SEPM).

Intended audience: Information Technology personnel responsible for supporting the SEP environment.

SEP – Symantec Endpoint Protection
SEPM – Symantec Endpoint Protection Manager
GUP – Group Update Provider
LU – LiveUpdate

Heartbeat size information referenced from http://service1.symantec.com/SUPPORT/ent-security.nsf/383ed085ad1ed2c6882571500069b34d/18873ad6514d93b2882576cc0065df54/$FILE/SEP%20Sizing%20and%20Scalability%20Best%20Practices_%20v2.1_Final.pdf.

1. The SEP client reads sylink.xml to determine the first available SEPM according to priority.
2. The SEP client connects to the SEPM.
   a. If a session cannot be established within 30,000 milliseconds, the check-in process terminates until the next heartbeat interval.
3. The SEP client performs an HTTP GET of index.dat from the SEPM and compares it against the client copy for any deltas.
   a. Content differences are checked against the LiveUpdate policy for the current location.
4. The SEP client performs an HTTP GET request to obtain the URLs from which to download files.
   a. The URLs correspond to the SEPM or the GUP, depending on the LiveUpdate policy.
   b. If the SEPM is specified, content downloads over TCP 8014 (recommended web site port).
   c. If a GUP is specified, content downloads over TCP 2967.
5. The SEP client uploads log files to the SEPM.
6. The SEP client uploads LAN sensors and learned application logs to the SEPM.
7. The SEP client disconnects from the SEPM.
   a. When the communication mode is set to Pull, the SEP client checks in again at the next heartbeat interval.
   b. When the communication mode is set to Push, the SEP client does not fully disconnect, which allows any policy changes made in the SEPM to take effect immediately on the SEP client.
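
A connectivity check that follows steps 1, 2 and 4 above, added here as an example and not taken from Symantec or from the original article: it probes a priority-ordered server list with the 30,000 ms limit and maps the LiveUpdate source to its port. The tuple layout, the host names and the rule that a lower number means higher priority are assumptions; on a client the list comes from sylink.xml.

```python
import socket

SEPM_PORT = 8014             # SEPM web site port named in step 4b
GUP_PORT = 2967              # GUP port named in step 4c
CONNECT_TIMEOUT_MS = 30_000  # session limit from step 2a


def probe(host, port, timeout_ms=CONNECT_TIMEOUT_MS):
    """Try one TCP connection and return (ok, reason)."""
    try:
        with socket.create_connection((host, port), timeout=timeout_ms / 1000):
            return True, "connected"
    except socket.timeout:
        return False, "timeout"    # typical of a filtered port or dead host
    except ConnectionRefusedError:
        return False, "refused"    # host is up, nothing listening on the port
    except OSError as exc:
        return False, f"error: {exc.strerror or exc}"


def first_available(servers, timeout_ms=CONNECT_TIMEOUT_MS):
    """Walk servers in priority order, as in steps 1 and 2.

    servers: iterable of (priority, host, port); lower number is tried
    first (assumption). Returns (chosen, attempts). chosen is None when
    every probe fails, the case where the check-in process terminates
    until the next heartbeat interval.
    """
    attempts = []
    for priority, host, port in sorted(servers, key=lambda s: s[0]):
        ok, reason = probe(host, port, timeout_ms)
        attempts.append((priority, host, port, reason))
        if ok:
            return (host, port), attempts
    return None, attempts


def content_port(liveupdate_source):
    """Port content should download over for the policy source (step 4)."""
    return {"SEPM": SEPM_PORT, "GUP": GUP_PORT}[liveupdate_source.upper()]


if __name__ == "__main__":
    # Constructed server list; the .invalid names never resolve.
    demo = [(1, "sepm1.example.invalid", SEPM_PORT),
            (2, "sepm2.example.invalid", SEPM_PORT)]
    chosen, attempts = first_available(demo, timeout_ms=3000)
    for attempt in attempts:
        print(attempt)
    print("selected:", chosen)
```

The per-server reason separates a refused connection from a timeout, which is the first thing to establish when a client stops checking in.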

When there are no new client-side logs to upload to the management server, or policy or content to download from the server, the size of the Symantec Endpoint Protection client heartbeat is between 3 KB and 5 KB. When all client protection technologies are enabled and the maximum level of client logging is enabled (with the exception of packet-level firewall logging, which is not recommended in production environments), the size of a typical heartbeat is between 200 KB and 300 KB.
1 Comment

Very helpful for any Symantec Administrator - well written.

"Yes" vote above.
