Many https://stats.qalabs.symantec.com (or https://stats.norton.com) queries result in HTTP 503 errors.
TCP_MISS/503 0 CONNECT stats.qalabs.symantec.com:443 - DIRECT/192.168.2.220
Symantec Endpoint Protection (Windows)
Symantec Endpoint Protection (Mac)
If the stats URLs are proxied or redirected so that they produce something other than an empty or "not found" response, then SEP will keep retrying them.
For example, if one edits the hosts file and redirects the URLs to a Google IP:
184.108.40.206 stats.qalabs.symantec.com stats.norton.com
then packet logging will be flooded with 220.127.116.11 requests after installing Symantec Endpoint Protection 12.1 RU6 MP6 and having run LiveUpdate.
As soon as the host entry is removed, or redirected to a non-existent IP, Symantec Endpoint Protection gets an expected response from the stats URL and does not attempt to connect to it again.
This issue will be addressed in a next release of Symantec Endpoint Protection.
Until then, you may work around this issue by excluding the stats URLs from proxying or blocking them, without any adverse effect on Symantec Endpoint Protection.
This article, to which you are welcome to subscribe, will be updated with further details as new information will become available.