ESET update KB5344 flooded our servers.. Need fix!

Discussion in 'ESET NOD32 Antivirus' started by barrettdavis, Aug 5, 2010.

Thread Status:
Not open for further replies.
  1. barrettdavis

    barrettdavis Registered Member

    Joined:
    Aug 5, 2010
    Posts:
    2
    Hello everyone!

    Around 11am today, our 10 MB circuit network began getting super clogged with the KB5344 update. I was wondering if anyone else ran into these issues?

    - We have around 200 users .. how can we configure our system to have randomized periods for when users download their updates? (Do not say after work hours, we are international.)

    -- Also, our polling cycle for updates checks every 2 minutes (obviously problematic).. suggestion to fix?

    Any suggestions will be appreciated
     
  2. no_idea

    no_idea Registered Member

    Joined:
    Apr 1, 2009
    Posts:
    83
    Do you have remote administration servers deployed? - They really take the brunt off your network.

    ahem - 2 minutes is kind of a DDOS against ESET.

    afaik ESET currently releases around 2 to 6 signature updates a day, so a 2 minute interval looks kind of overzealous to me.

    Try to establish (linked?) remote administration servers throughout your company and heighten the update check interval to something like 15 minutes or even higher.

    As only the remote administration servers will periodically be accessing the Internet much of the load will vanish from your network.
     
  3. barrettdavis

    barrettdavis Registered Member

    Joined:
    Aug 5, 2010
    Posts:
    2
    I will adjust the polling cycle. I was just trying to get feedback on what others have for their companies.

    -- We also use remote administration console btw (very helpful).
     
  4. webyourbusiness

    webyourbusiness Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    2,640
    Location:
    Throughout the USA and Canada
    The most frequent I have ever set up a client was every 15 minutes - with a LAN-based system that's fine - 2 minutes is REALLY over the top - most clients I leave the 60 minute intervals, going to 30 minutes in the event that a customer is worried about threat - 15 minutes is the "super paranoid" setting I use... ;)

    I would ONLY use more frequent checks with a local mirror - and that would be local to ALL users - i.e., with multiple locations, a mirror in each location.
     
  5. SmackyTheFrog

    SmackyTheFrog Registered Member

    Joined:
    Nov 5, 2007
    Posts:
    767
    Location:
    Lansing, Michigan
    Wait, are you talking about update checks or client reporting? Those are two completely different things and the update scheduler only lets you do it once per hour at the most.
     
  6. webyourbusiness

    webyourbusiness Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    2,640
    Location:
    Throughout the USA and Canada

    sorry, I did not notice you were talking about polling the RA server - that's still excessive.

    How to change the update frequency of workstations:

    http://kb.eset.com/esetkb/index?page=content&id=SOLN2117

    It's a scheduled task - you can change that every couple of minutes if you like - it would be REALLY silly to do so in my opinion (I am glad you did not make that change to every 2 minutes - phew...)
     
  7. webyourbusiness

    webyourbusiness Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    2,640
    Location:
    Throughout the USA and Canada
    Nope - the OP has his UPDATES running every 2 minutes it seems to me...

    So I think I was right - he has 2 minute update checks - REALLY excessive in my opinion... I am sure ESET doesn't get all warm and fuzzy about their RA/Mirror checking in that often...
     
  8. Brambb

    Brambb Registered Member

    Joined:
    Sep 25, 2006
    Posts:
    411
    Location:
    The Netherlands
    Update checks are hard-coded; it will only update every hour at minimum (it can only be set longer). If you set it lower it does say it checks but actually doesn't update at all.

    See this topic. I believe there is a post of Marcos saying it's hard-coded, but I can't find that one.
     
  9. webyourbusiness

    webyourbusiness Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    2,640
    Location:
    Throughout the USA and Canada
    I believe the information provided by Marcos may be out of date.... but it does seem there is a lower limit of 10 minutes now...

    I changed my update checks to every 5 minutes - changed my update server to be a web server that has a parked domain on - then ssh'd to the machine and ran a tail -f on the web log...

    Next - at 14:37:23 - I clicked the "Update now" button...

    at 14:40:38 - ESET antivirus did a failed update check...
    at 14:50:38 - ESET antivirus did a failed update check again...

    I put my settings back to normal... so even though I had a 5 minute interval set up, ESET did two checks on its own - at 10 minute intervals.

    ESET antivirus WILL check for updates more frequently than once every 60 minutes.

    Here are the logfile entries:

    Code:
    my.ip.add.ress - - [06/Aug/2010:14:37:23 -0600] "GET /update.ver HTTP/1.1" 404 3671 "-" "ESS Update (Windows; U; 32bit; VDB 7611; BPC 4.2.58.3; OS: 6.1.7600 SP 0.0 NT; CH 1.1; LNG 1033; x64c; UPD http://myparkeddomain.com:80/; APP eav; BEO 1; CPU 30540; ASP 0.10)"
    my.ip.add.ress - - [06/Aug/2010:14:40:38 -0600] "GET /update.ver HTTP/1.1" 404 3671 "-" "ESS Update (Windows; U; 32bit; VDB 7611; BPC 4.2.58.3; OS: 6.1.7600 SP 0.0 NT; CH 1.1; LNG 1033; x64c; UPD http://myparkeddomain.com:80/; APP eav; BEO 1; CPU 30540; ASP 0.10)"
    my.ip.add.ress - - [06/Aug/2010:14:50:38 -0600] "GET /update.ver HTTP/1.1" 404 3671 "-" "ESS Update (Windows; U; 32bit; VDB 7611; BPC 4.2.58.3; OS: 6.1.7600 SP 0.0 NT; CH 1.1; LNG 1033; x64c; UPD http://myparkeddomain.com:80/; APP eav; BEO 1; CPU 30540; ASP 0.10)"
    
    
    I changed my IP and the name of the parked domain - but those were raw httpd logfiles - one manual check, followed by two 'auto' checks - somehow EXACTLY 10 minutes apart... ;)
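
The interval measurement from the post above, as an added example that is not part of the original post: it parses the three web-server log entries (rebuilt inline as constructed sample data, forum markup removed) and computes the gaps between consecutive `update.ver` requests per client. The function names and the user-agent filter are assumptions of this example, not ESET tooling.

```python
import re
from datetime import datetime

# Constructed sample: the three access-log entries quoted in the post,
# with the forum's [url] markup removed from the user-agent string.
UA = ('ESS Update (Windows; U; 32bit; VDB 7611; BPC 4.2.58.3; '
      'OS: 6.1.7600 SP 0.0 NT; CH 1.1; LNG 1033; x64c; '
      'UPD http://myparkeddomain.com:80/; APP eav; BEO 1; CPU 30540; ASP 0.10)')
SAMPLE_LOG = "\n".join(
    f'my.ip.add.ress - - [06/Aug/2010:{t} -0600] "GET /update.ver HTTP/1.1" 404 3671 "-" "{UA}"'
    for t in ("14:37:23", "14:40:38", "14:50:38"))

# Apache combined log format:
# host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$')

def update_checks(log_text):
    """Return (host, timestamp, status, vdb) for each update.ver request."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        # Assumption: update clients request /update.ver and have "Update"
        # in the user agent, as in the entries shown in the post.
        if not m or "/update.ver" not in m["req"] or "Update" not in m["agent"]:
            continue  # skip malformed lines and unrelated traffic
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        vdb = re.search(r"\bVDB (\d+)", m["agent"])
        hits.append((m["host"], ts, int(m["status"]),
                     int(vdb.group(1)) if vdb else None))
    return hits

def check_intervals(log_text):
    """Map each client host to the gaps (seconds) between consecutive checks."""
    by_host = {}
    for host, ts, _status, _vdb in update_checks(log_text):
        by_host.setdefault(host, []).append(ts)
    return {h: [int((b - a).total_seconds())
                for a, b in zip(sorted(t), sorted(t)[1:])]
            for h, t in by_host.items()}

if __name__ == "__main__":
    for host, gaps in check_intervals(SAMPLE_LOG).items():
        print(host, gaps)
```

Run against a mirror's real access log, the same gap list shows per client whether a configured interval is actually being honoured.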
     
  10. webyourbusiness

    webyourbusiness Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    2,640
    Location:
    Throughout the USA and Canada
    I should add - that this does not prove that there is no 60 minute frequency cap on ESET checking for updates when the servers selected are "choose automatically" - only that there appears to be a much lower cap tolerance for when you are using your own update servers - which seems fair - if a company wants to have their workstations check in every 15 minutes - that's really their business - right o_O
     
  11. Brambb

    Brambb Registered Member

    Joined:
    Sep 25, 2006
    Posts:
    411
    Location:
    The Netherlands
    It may be right that the cap is removed when using your own update servers, or the new cap is 10 minutes overall; I never tested this myself.
     