Jump to content

MEE Alternate locations for updates when Management Server still available

Recommended Posts

We have a large, geographically separated network where access to the internet is only available from the central office. There is approx 200 client PCs involved, of which 140 are on a local segment of network in the main office, and the remaining 60 are split across 15 satellite branch offices. Due to the cost of data and bandwidth, we have symmetrical 512kbps satellite links to connect the branch offices - there are enormous oceanic expanses between each of the islands and terrestrial links are simply not available.

We have an MB Management Server running in the main office which is currently serving every client PC throughout the entire business. This works, however it causes a lot of link congestion when updates become available and have to be transported over minimal bandwidth links a multitude of times.

So we have two solutions available:
1) We can saturate the links by effectively copying the same updates over the links for each PC requesting an update from the Management Server (up to 10 PCs in some locations). This is inefficient and causes other services such as VoIP and Terminal Services quality to drop dramatically. We have tested limiting bandwidth only to be met with time-out issues that in turn, require re-downloading the updates and further degrading the link quality.

2) Setup a Management Server on each of the remote locations which is the most feasible idea for what has been made available in the Management Policies by MEE. This then breaks the whole concept of central management (the purpose we bought the enterprise version of the product for) in that our administrators have to log into 15x different servers to administer the product - a labour cost that is highly inefficient due to the time taken to access, administer and collect reports on already slow links.

What we would like to see is a tiered model not unlike that of AVG Central Administration, which we also have in place and running very efficiently. The AVG Admin Server can centrally manage all of the clients across the entire enterprise, yet allows clients in remote branches to download their updates from an AVG proxy service on each island branch. This cuts the traffic of updates down to a single download on each link only, whilst maintaining total product control and reporting from a single server.

Ideally, if there is a way to set up a policy to only download from an alternate source and never download from the management server, even when it is available, we would be able to achieve the same solution using our DFS synchronizations to move only single copies of the update files to the remote branches. Is there any possible way to do this?


Link to post
Share on other sites


First, you are running into a problem that currently exists on the Management Server.  Clients requesting updates from the Management Server get the full database and not the incremental updates.  That represents a significant difference in data usage.  Going directly to the Internet allows them to get incremental updates as you likely intend.  Please send me a private message (click on my avatar to do that), so that we can have a focused discussion on the subject.  I may not get to it until Thursday, but I'll get to it.

Link to post
Share on other sites

Hello guys, the setting you are wanting for decreasing bandwidth usage is the incremental update setting, which is 3kb-5kb in size versus 15mb-25mb from the mgmt console for every client. This will also shift the traffic to be on the remote sites local area out to the internet. We have put in place SSL MITM attack mitigation for this update type, you do not need to worry about the security of clients reaching out on their own.

incremental update.JPG


If you wish to use the alternate source and custom path option, which I recommend avoiding due to the level of involvement you'll need to invest everyday in order to manage it, I've written out a post about how to accomplish it. It is located here - 


Link to post
Share on other sites

17 hours ago, JonasNimmo said:

we would be able to achieve the same solution using our DFS synchronizations to move only single copies of the update files to the remote branches. Is there any possible way to do this?


This is not really feasible for Malwarebytes Anti-Malware as the program itself must process the update, you cannot just drop a new set of signature update files in the directories. See my link in the previous post for "Reply to Policy Module ftp as endpoint update" for how the alternate file location updates are completed.

Link to post
Share on other sites

Hey All,


Sorry for the delay on reply. Gonzo came back to me in private message and explained the incremental difference between the management updates vs online updates. As per his suggestions, we have directed all update traffic from the islands to use our internal proxy with an mbam user for authentication. So far so good. The link usage has dropped as advised.

Mark this as solved. Thanks for the advice Gonzo and Djacobson.

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.