The clients download full content updates with default LiveUpdate configuration in Symantec Endpoint Protection Manager (SEPM)
Symptoms
The clients are downloading full content updates instead of delta updates from SEPM.
The size of full content is around 100 MB* and the clients (which have not reported to SEPM for more than a certain number of days) are downloading 100 MB* of content from SEPM.
This is working as designed. There are two criteria for the clients to download full content:
By default, SEPM is configured to keep only three revisions if 500 or less clients were chosen during the SEPM installation, 10 revisions if 500 to 1,000 clients were chosen during the SEPM installation, or 30 revisions if more than 1,000 clients were chosen during the SEPM installation, and LiveUpdate for the SEPM will run every four hours. On average, Symantec releases Symantec Endpoint Protection (SEP) Certified Definitions three times a day. Essentially, three revisions is a day's worth of definitions. For example, if a client checks in after two days with the SEPM configured to maintain only three revisions, then the client's definition set will be older than any revision stored in the SEPM. Therefore, a delta content package cannot be built, and the full definitions package (full.zip) will be sent to the client instead.
Open SEPM Console.
Note: Increasing the above setting will directly effect the SEPM's hard drive space, as more content revisions will be stored in [Root]:\Program Files\Symantec\Symantec Endpoint Protection Manager\Inetpub\content. It will also increase the space used to store content revisions in the Database.
* Reference value for the beginning of the year 2011. Because of new threats and variants being regularly appearing "in the wild", the size of virus definitions tends to increase with time.