You would like to know what conditions would cause a client to download a full definition file (full.zip), rather than an incremental delta (.dax), from the Symantec Endpoint Protection Manager (SEPM) or a Group Update Provider (GUP).
The following scenarios will cause a client to download a full definition file.
A client will download a full definition any time its SEPM is not able to build a delta for the content it is requesting. As GUPs do not build their own deltas and can only mirror the content the SEPM has, the same principal applies for clients updating from GUPs. In order for the SEPM to be able to build a delta, the following conditions must be met:
If both conditions are met, then the SEPM will build a delta for the requested content.
In most cases, if a client is requesting a full.zip, it is because its definitions are farther out of date than the number of content revisions being kept on the SEPM. If a client is requesting a full.zip because of this condition, the product is working as designed.
0-byte .dax files are present on the SEPM:
In some older builds of Symantec Endpoint Protection Manager, there is an issue in which if the SEPM had created a 0-byte delta (.dax) file, it could cause clients to request full definitions even when the clients would have otherwise gotten a delta. 0-byte deltas are generally only generated at times when the SEPM is under high load. This issue should be resolved by upgrading the SEPM to RU6 MP1 or later.
If it is suspected that a SEPM is experiencing this issue, it can be confirmed by checking the subfolders within C:\Program Files\Symantec\Symantec Endpoint Protection Manager\Inetpub\Content. Note that any content moniker could be potentially impacted by the issue (though Antivirus definitions were the most common), so all content types should be checked.
Client-side definition corruption:
In some rare cases, definition corruption on the client side will also trigger the client to download a full.zip rather than a delta.
Increasing the number of content revisions to be held on the SEPM will reduce the chances of clients needing full definitions, at the cost of drive space on the SEPM and its database. If bandwidth usage by definition updates is a concern, consider modifying the number of content revisions kept by the SEPM to a higher number. For more information on this, please review the following document: http://www.symantec.com/docs/TECH92225
If the 0-byte .dax issue is being observed on the SEPM, then it is highly recommended that it be upgraded to RU6 MP1 or later. This issue is described in more detail in the following document: http://www.symantec.com/docs/TECH122612
Client-side definition corruption is usually cleared out by it redownloading the full definition. If issues persist on a particular client, then it is necessary to troubleshoot the cause of the corruption on the client-side. A good starting point for this is located here: http://www.symantec.com/docs/TECH103176