FAQ: Core 1.5 definitions for Endpoint Protection 12.1


Article ID: 161910


Updated On:


Endpoint Protection


Starting early May 2015, Symantec Endpoint Protection (SEP) clients will be moving to a lighter, more efficient definition set called Core 1.5. This will lower the on-disk size of Symantec Endpoint Protection Client Virus and Spyware definitions and lower the overall memory usage of the client.


Frequently asked questions regarding the change to Core 1.5 content:

Q:  Why is Symantec making this change?
A:  The Core 1.5 content is highly optimized to improve overall disk usage and definition deltas.  The Core 1.5 definitions are approximately one third of the size of conventional full content that Symantec Endpoint Protection has been using. 

Q:  What does an administrator need to do to receive the Core 1.5 definitions?
A:  Nothing. The content will be distributed as part of the regular definition updates via LiveUpdate.

Q:  Will there be a size difference in the deltas during the transition?
A:  The deltas will have an increase in size during the transition from full content to Core 1.5 definitions.  During the initial rollout, this will result in approximately 1.5 MB deltas for each of the AntiVirus/AntiSpyware definition updates.  AntiVirus/AntiSpyware content is released on average three times per day Monday through Friday, and once daily on Saturday and Sunday.

Q:  What options do I have for mitigating the larger updates during the transition?
A:  Symantec Endpoint Protection includes a variety of ways to update the client content:

  • Configure the Symantec Endpoint Protection Manager to store enough content revisions that each client receives a delta (TECH92225)
  • Run LiveUpdate multiple times during the day to deploy smaller deltas (TECH178257, HOWTO80823)
  • Use Group Update Providers (GUPs) for low-bandwidth links (TECH93813, HOWTO80900)
  • LiveUpdate Administrator can also be used as an alternative update option (TECH93409)
  • RU5 and above Symantec Endpoint Protection Managers also include built-in bandwidth throttling capabilities (TECH201290)

Q:  How long will the transition take?
A:  The transition was completed on July 8th, 2016.

Q:  What kind of disk usage savings can be expected once the transition is complete?
A:  The on-disk footprint should be reduced by 66% after the migration.

Q:  Do Rapid Release definitions also use Core 1.5?
A:  Yes, from May 2016 the Rapid Release definitions used by SEP 12.1 have taken advantage of Core 1.5. The file name (symrapidreleasedefscore15-v5i32.exe) reflects this change. The smaller size will mean a more manageable file for customers and less bandwidth consumption during download.

Q: What are the efficacy considerations?
A: In order to maintain efficacy levels, Insight and SONAR are a recommended part of the AntiVirus protection stack for SEP 12.1. If these technologies are not in use, then the potential for a loss in efficacy exists.

Q: How does Core 1.5 definition content provide protection?
A: Core 1.5 uses a combination of on-disk definitions and cloud-based definitions. Protection against older, low-prevalence malware is now available in the cloud, while defense against more prevalent malware is located on-disk. Without access to the cloud via Download Insight, only the protection from on-disk definitions is available. For additional detail on Insight, please see: "How the Insight Lookup Process works".

Note: The bulk of this processing is done on LiveUpdate servers. If you run LiveUpdate Administrator, you can see a spike of 5-10 GB per SEP 12.1 release type (12.1, 12.1 RU2, 12.1 RU4, 12.1 RU5, 12.1 RU6), causing the download size to spike up to a total of 16-18 GB for some downloads. This occurred sporadically until the process was completed. The transition process was completed on July 8th, 2016. While the process was underway, it was advised to allocate 15-20 GB of disk space per SEP 12.1 catalog version, multiplied by the number of versions being retained by your server (the default is 3).