Symantec Endpoint Protection (SEP) 11.x Clients may download unexpected or multiple AntiVirus Definition updates via LiveUpdate.
SEP Clients update their AntiVirus definitions (defs) by downloading so called "Micro Definitions" via LiveUpdate (LU). If the client is up to date, the update will be a Direct Delta to patch the definitions to the latest available version.
There are basically 4 content types LU clients could download. They fall into two categories:
The reason why the hub defs are still being updated, is to accommodate those situations where the direct deltas are either not available, or not usable, for whatever reason.
These hub defs can also be updated incrementally if they are not older than 10 months.
When a client does require a hub def update, it will also still need an update to the defs it is actually using, so the client will never get just a hub update by itself.
Content update type details and usage:
(Note: "old defs" are defined as any def set for which there is no direct delta currently posted)
Direct Deltas Availability
Direct Deltas will be available for the last 15 certified and released virus definitions. Since the advent of the multiple daily LU definitions (on average 3 times daily) this means that on average SEP 11 clients will get Direct Deltas if they have definitions not older than 5 days.
Note that LiveUpdate servers host four weeks worth of daily updates for SEP 12.1 clients. Unless a client is out of date for approximately one month, it will be able to download a delta.
The increase in the number of microdefs files means that each day's downloads will be larger in SEP 12.1 than it was previously in SEP 11.
Example of definitions available on the Symantec LiveUpdate servers on 30 January 2012
(the naming convention is: <posted_date_in_Unix_Epoch_time><JavaTriage><product>enyymmddrrr.m25. SEP clients share the same updates and are therefore the same “product” as NAV 2008, hence the “nav2k8” in <product>)
1327865301jtun_nav2k8en120128009.m25 For clients that are the most up to date on 30 January 2012. Previous LiveUpdate defs are 1/28/2012 rev. 9