After I upgrade my SEPM(s), critical notifications are received showing "Critical: NETWORK LOAD ALERT: Too many requests for virus and spyware full definitions"


Article ID: 162437


Products

Endpoint Protection

Issue/Introduction

After you upgrade your Symantec Endpoint Protection Manager (SEPM), you start receiving a large number of "Critical: NETWORK LOAD ALERT: Too many requests for virus and spyware full definitions" alerts from the SEPM via email.

Environment

Symantec Endpoint Protection Manager - 14.x and higher

Cause

Symantec Endpoint Protection Manager has the "Critical: NETWORK LOAD ALERT: Too many requests for virus and spyware full definitions" alert set by default. This alert is designed to notify administrators of possible impending bandwidth problems, as clients request and download full definition updates.

The default threshold for this alert is 25 requests for full definition sets, for any definition types, within 10 minutes.

Resolution

Definition sets that are small, or which are not updated frequently, may tend to be distributed in full definition sets, rather than as delta sets.

Because all requests for full definition sets are tracked, regardless of the type of content requested, clients that are requesting multiple types of content updates may cause the counter to artificially inflate to the point of sending an alert.

It is possible for just a few client computers to trigger an alert, if they request multiple content types.

Review the information in the alert to see which content types are being downloaded and the size of those downloads.

Note: The latest SEPM builds exclude smaller content types from the alert.

If you see a number of these alerts, you may need to adjust the threshold for the notification to a level that is appropriate for the number of client computers that you have deployed.

To adjust the notification threshold:

  1. Log in to your SEPM and, in the left pane, click Monitors.
  2. In the right pane, on the Notifications tab, click Notification conditions.
  3. In the resulting list of notification conditions, click Network Load: Requests for Full Definitions, and then click Edit.
  4. In the Edit Notification Condition dialog box, next to Notification condition, adjust the number in the requests for full definitions text box to a more suitable threshold for your environment.
  5. Click OK.

Your SEPM will now send alerts only when the new threshold is reached.

Additional Information

When the clients' applied LiveUpdate Settings policy has the Content Download Management setting "Download delta content from a LiveUpdate server when available" enabled, clients will still query the SEPM for the content metadata information. This may trigger the Network Load Alert, even though the clients actually download smaller content from LiveUpdate or an Internal LiveUpdate Administrator server instead. You can verify this by checking the download source in the Client System logs via the SEPM UI:

  1. Go to Monitors, Logs
  2. Select Log type: System, and Log content: Client Activity
  3. Click Additional Settings
  4. Set the Event source to "cve" (without quotes)
  5. Increase the Limit of entries per page and/or Time range, as needed
  6. Check the Description of the events for the downloaded content's Remote file path

Note: Any file path ending in .dax is delta content, which does not contribute to the alert. Files ending in .zip are full definition content.
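
The check in the steps above can be scripted over exported log rows. This is an added example, not part of the original article or of Symantec's tooling; the row layout (time, client, Description) and the sample rows are constructed assumptions. It classifies each Remote file path as delta (.dax) or full (.zip) and reports the peak number of full downloads in any 10-minute window, for comparison with the default threshold of 25.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

DEFAULT_THRESHOLD = 25             # article: 25 full-definition requests ...
WINDOW = timedelta(minutes=10)     # ... within 10 minutes
PATH_RE = re.compile(r"(\S+\.(?:dax|zip))\b", re.IGNORECASE)

# Constructed sample rows (time, client, Description); layout and paths are assumptions.
SAMPLE = [
    ("2024-01-10 09:00:05", "PC-01", "Remote file path: /content/defs-a/full.zip"),
    ("2024-01-10 09:00:40", "PC-01", "Remote file path: /content/defs-b/full.zip"),
    ("2024-01-10 09:01:10", "PC-01", "Remote file path: /content/defs-c/full.zip"),
    ("2024-01-10 09:02:00", "PC-02", "Remote file path: /content/defs-a/delta.dax"),
    ("2024-01-10 09:03:00", "PC-03", "Remote file path: /content/defs-a/full.zip"),
    ("2024-01-10 09:30:00", "PC-01", "Remote file path: /content/defs-a/full.zip"),
    ("2024-01-10 09:31:00", "PC-02", "Content update check completed"),
]

def classify(description):
    """Return 'delta' for a .dax path, 'full' for a .zip path, else None."""
    m = PATH_RE.search(description)
    if m is None:
        return None
    return "delta" if m.group(1).lower().endswith(".dax") else "full"

def summarize(rows, window=WINDOW):
    """Count downloads by kind, full downloads per client, and the peak
    number of full downloads that fall inside any single window."""
    kinds, per_client, full_times = Counter(), Counter(), []
    for ts, client, desc in rows:
        kind = classify(desc)
        if kind is None:
            continue                      # event without a content path
        kinds[kind] += 1
        if kind == "full":
            per_client[client] += 1
            full_times.append(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"))
    full_times.sort()
    peak = start = 0
    for end, t in enumerate(full_times):
        while t - full_times[start] > window:
            start += 1                    # slide the window's left edge
        peak = max(peak, end - start + 1)
    return kinds, per_client, peak

if __name__ == "__main__":
    kinds, per_client, peak = summarize(SAMPLE)
    print(dict(kinds), dict(per_client))
    print(f"peak full downloads per 10 min: {peak} (default threshold {DEFAULT_THRESHOLD})")
```

The SEPM counts the requests it receives, so treat the peak as a sizing aid for choosing a threshold rather than a reproduction of the alert counter. The per-client tally shows when a few computers requesting several content types account for most of the full downloads.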