Beginning with Symantec Endpoint Protection 12.1 RU4 for Macintosh (SEP for Mac 12.1.4), LiveUpdate for Macintosh has been updated to version 6.0.

New features, differences, and improvements in LiveUpdate 6.x for Macintosh:

• Completely rededisigned. No java dependencies (does not use Java).
• No more symsched command-line, no more integration with the OS X cron table.
• Supports newer Mac OS X (10.7 and above)
• Extensibility in Microdefs-style updating
• Improved Proxy Support, dependencies, and pre-conditions
• Performance improvements
• LU (LiveUpdate) can run without a user logged in (TECH155154)
• Fixed a LUEngine folder permission
• Network availability check
• Does not clear LU Log when LU gets updated
• Ability to communicate to user when a reboot or logout is required
• Liveupdate.conf is no longer editable on a managed client -- use the SEPM policy for updating from an internal LiveUpdate Administrator 2.x (LUA 2.x) server

Architecture -- High Level -- Two Main Parts: GLUE and Regular Usage Daemon

GLUE (General LU Engine)

At the highest level, GLUE performs a single cycle of LiveUpdate updating.  This includes running the cycle multiple times due to forced updates.  GLUE is told what task to perform, gathers pertinent data installed on the user’s machine, makes network requests to determine what’s available, queries the user on whether or not to update some things, makes network requests to download update packages, performs updating, and performs post-processing.  GLUE attempts to be generic about what it updates and how it updates.  Product-specific functionality is called at specific points using product plug-ins.

Regular Usage Daemon

The LiveUpdate daemon is used as the primary means of LiveUpdate after the product has been installed.  The daemon is launched using launchd manually or by schedule. The daemon runs as root.  The daemon calls GLUE continuously using the commands it is given until all updates have been applied.  Once all updates for a command are applied, the next command is run.  If there are no more commands pending and a specific period of idleness passes, LiveUpdate quits.

Troubleshooting

Generally, setup a packet trace and sylink debugging, reproduce unsuccessful/successful LiveUpdate sessions, disable debugging and gather data. References: Mac OS X: How to capture a packet trace and Debugging Sylink communications with Symantec Endpoint Protection for Macintosh

Logs and error codes -- these logs are gathered in the GatherSymantecInfo diagnostic tool used in sylink debugging:

/Library/Application Support/Symantec/LiveUpdate/liveupdate.log
/Library/Application Support/Symantec/SMC/sepplugin.log
/Library/Application Support/Symantec/SMC/smc_debug.log

Look for text "error" <error no>
Error Codes:  

If LiveUpdate seems to be running indefinitely for some reason:
Look for "LiveUpdateDaemon" or "LUTool" process and kill
Example:

sh-3.2# ps -ax | grep "LiveUpdateDaemon"
34435 ??         0:00.10 /Library/Application Support/Symantec/LiveUpdate/LiveUpdateDaemon.bundle/Contents/MacOS/LiveUpdateDaemon
sh-3.2# kill -9 34435

No error? ... but Definitions are not updated:
Check if AV/IPS definition updates are turned off in SEPM and LU content policy 

Installed Files

/Applications/Symantec Solutions/LiveUpdate.app

/Library/Application Support/Symantec/LiveUpdate

LiveUpdateDaemon.bundle
LUMacGFS
LUMicroDefs2.dylib
LUMicroDefs25.dylib
LUTool - see How to run Macintosh LiveUpdate 6.x from the Command Line
NewRegistry: contains registry plist files
ActiveRegistry: contains active registry plist files for each component registered with LiveUpdate
PlugIns: contains plug-ins

/Library/Application Support/Symantec/SymQuickMenu/LiveUpdateQM.plugIn
/Library/LaunchDaemons

com.symantec.liveupdate.daemon.ondemand.plist
com.symantec.liveupdate.daemon.plist

/private/etc/liveupdate.conf

Applies To

Macintosh OS X

SEP 12.1 RU4 or newer