What does an unmanaged Symantec Endpoint Protection 11 client retrieve from LiveUpdate for its definitions?
Article: TECH169751 | Created: 2011-09-16 | Updated: 2012-03-08 | Article URL: http://www.symantec.com/docs/TECH169751
Problem
What, specifically, does an unmanaged Symantec Endpoint Protection (SEP) client retrieve, when it connects to a LiveUpdate server to update its definitions? What requests and responses are normal? Why does SEP occasionally require a very large update, when most days the files downloaded are small?
Solution
To ensure that protection is provided "straight out of the box," a SEP client is installed with a base set of antivirus definitions intact. After the installation is completed, the client will initiate a LiveUpdate session to retrieve the most up-to-date protection for all of its components.
Unless configured otherwise, an unmanaged SEP client connects directly to LiveUpdate to update its definitions. A managed SEP client typically does, as well, when LiveUpdate is run manually from the client interface.
The default connection URLs are:
- http://liveupdate.symantecliveupdate.com
- http://liveupdate.symantec.com
- ftp://update.symantec.com/opt/content/onramp
The SEP client maintains an encrypted LiveUpdate product inventory list (C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Product.Inventory.LiveUpdate) that records the components and products installed with the SEP client. As seen in a typical log.liveupdate:
25/08/2011, 15:23:00 GMT -> Opened the product inventory at "C:\ProgramData\Symantec\LiveUpdate\Product.Inventory.LiveUpdate".
LiveUpdate will check this list when determining which combination of components it needs to retrieve. For example
25/08/2011, 15:23:59 GMT -> Check for updates to: Product: Automatic LiveUpdate, Version: 3.3.0.102, Language: English. Mini-TRI file name: automatic$20liveupdate_3.3.0.102_english_livetri.zip
25/08/2011, 15:23:59 GMT -> Check for updates to: Product: Decomposer, Version: 1.0.0, Language: SymAllLanguages. Mini-TRI file name: decomposer_1.0.0_symalllanguages_livetri.zip
25/08/2011, 15:23:59 GMT -> Check for updates to: Product: Symevent Installer, Version: 12.8, Language: SymAllLanguages. Mini-TRI file name: symevent$20installer_12.8_symalllanguages_livetri.zip
25/08/2011, 15:23:59 GMT -> Check for updates to: Product: MS Light, Version: 5.0, Language: SymAllLanguages. Mini-TRI file name: ms$20light_5.0_symalllanguages_livetri.zip
25/08/2011, 15:23:59 GMT -> Check for updates to: Product: Symantec Known Application System, Version: 1.5.0, Language: SymAllLanguages. Mini-TRI file name: symantec$20known$20application$20system_1.5.0_symalllanguages_livetri.zip
25/08/2011, 15:23:59 GMT -> Check for updates to: Product: SEP PTS Engine Win32, Version: 6.1.0, Language: SymAllLanguages. Mini-TRI file name: sep$20pts$20engine$20win32_6.1.0_symalllanguages_livetri.zip
25/08/2011, 15:23:59 GMT -> Check for updates to: Product: SEP PTS Content, Version: 6.1.0, Language: SymAllLanguages. Mini-TRI file name: sep$20pts$20content_6.1.0_symalllanguages_livetri.zip
25/08/2011, 15:23:59 GMT -> Check for updates to: Product: SESC Virus Definitions Win32 v11, Version: MicroDefsB.CurDefs, Language: SymAllLanguages. Mini-TRI file name: sesc$20virus$20definitions$20win32$20v11_microdefsb.curdefs_symalllanguages_livetri.zip
25/08/2011, 15:23:59 GMT -> Check for updates to: Product: SESC Virus Definitions Win32 v11, Version: MicroDefsB.Apr, Language: SymAllLanguages. Mini-TRI file name: sesc$20virus$20definitions$20win32$20v11_microdefsb.apr_symalllanguages_livetri.zip
25/08/2011, 15:23:59 GMT -> Check for updates to: Product: SESC Submission Control Data, Version: 11.0, Language: SymAllLanguages. Mini-TRI file name: sesc$20submission$20control$20data_11.0_symalllanguages_livetri.zip
25/08/2011, 15:23:59 GMT -> Check for updates to: Product: SESC IPS Signatures Win32, Version: 11.0, Language: SymAllLanguages. Mini-TRI file name: sesc$20ips$20signatures$20win32_11.0_symalllanguages_livetri.zip
25/08/2011, 15:23:59 GMT -> Check for updates to: Product: Symantec Security Content B1, Version: MicroDefsB.CurDefs, Language: SymAllLanguages. Mini-TRI file name: symantec$20security$20content$20b1_microdefsb.curdefs_symalllanguages_livetri.zip
25/08/2011, 15:23:59 GMT -> Check for updates to: Product: Symantec Security Content A1, Version: MicroDefsB.CurDefs, Language: SymAllLanguages. Mini-TRI file name: symantec$20security$20content$20a1_microdefsb.curdefs_symalllanguages_livetri.zip
(Note that there are two separate SESC Virus Definition files necessary to ensure that a client is brought up to date: CurDefs and HubDefs)
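The mini-TRI file names above follow a visible pattern: each inventory field is lower-cased, spaces become `$20`, the fields are joined with `_`, and `_livetri.zip` is appended. The script below is an added example, not code from the article or from Symantec: it parses "Check for updates to:" lines, rebuilds the expected mini-TRI name from the Product/Version/Language fields, and reports any line whose logged name does not match. The naming rule is inferred from the sample lines and is an assumption; the fourth log line is a constructed mismatch added to show the check firing.

```python
import re

# Matches the "Check for updates to:" lines from a log.liveupdate extract.
CHECK_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}, \d{2}:\d{2}:\d{2} GMT) -> Check for updates to: "
    r"Product: (?P<product>.+?), Version: (?P<version>.+?), Language: (?P<language>.+?)\. "
    r"Mini-TRI file name: (?P<tri>\S+)$"
)


def mini_tri_name(product, version, language):
    """Rebuild the mini-TRI file name for one inventory entry.

    The rule is inferred from the sample lines (an assumption, not documented behaviour):
    lower-case each field, encode spaces as '$20', join with '_', append '_livetri.zip'.
    """
    def enc(field):
        return field.lower().replace(" ", "$20")
    return f"{enc(product)}_{enc(version)}_{enc(language)}_livetri.zip"


def parse_check_line(line):
    """Return the fields of one 'Check for updates to:' line, or None if it is not one."""
    m = CHECK_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["expected_tri"] = mini_tri_name(rec["product"], rec["version"], rec["language"])
    return rec


def audit_inventory_checks(lines):
    """Parse every check line; return (records, mismatches).

    mismatches holds the records whose logged mini-TRI name does not agree with the
    Product/Version/Language fields, which would point at a damaged or edited inventory.
    """
    records, mismatches = [], []
    for line in lines:
        rec = parse_check_line(line)
        if rec is None:
            continue
        records.append(rec)
        if rec["tri"] != rec["expected_tri"]:
            mismatches.append(rec)
    return records, mismatches


# First three lines are copied from the article; the last one is CONSTRUCTED
# (language field says SymAllLanguages but the file name encodes "english").
SAMPLE_LOG = [
    "25/08/2011, 15:23:59 GMT -> Check for updates to: Product: Automatic LiveUpdate, Version: 3.3.0.102, Language: English. Mini-TRI file name: automatic$20liveupdate_3.3.0.102_english_livetri.zip",
    "25/08/2011, 15:23:59 GMT -> Check for updates to: Product: SESC Virus Definitions Win32 v11, Version: MicroDefsB.CurDefs, Language: SymAllLanguages. Mini-TRI file name: sesc$20virus$20definitions$20win32$20v11_microdefsb.curdefs_symalllanguages_livetri.zip",
    "25/08/2011, 15:23:59 GMT -> Check for updates to: Product: SEP PTS Engine Win32, Version: 6.1.0, Language: SymAllLanguages. Mini-TRI file name: sep$20pts$20engine$20win32_6.1.0_symalllanguages_livetri.zip",
    "25/08/2011, 15:23:59 GMT -> Check for updates to: Product: SESC IPS Signatures Win32, Version: 11.0, Language: SymAllLanguages. Mini-TRI file name: sesc$20ips$20signatures$20win32_11.0_english_livetri.zip",
]

if __name__ == "__main__":
    recs, bad = audit_inventory_checks(SAMPLE_LOG)
    print(f"{len(recs)} inventory checks parsed, {len(bad)} mismatched")
    for rec in bad:
        print(f"  {rec['product']}: logged {rec['tri']}, expected {rec['expected_tri']}")
```

Run it against a real log.liveupdate (one line per list element) to confirm that every product in the encrypted inventory maps to the mini-TRI file the client actually asked for.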
The definitions that are retrieved from the public LiveUpdate server in a typical default installation of an unmanaged client can be seen in the log.liveupdate.
The example log below provides an extract of entries found in a log.liveupdate that shows what antivirus definitions are retrieved at first:
25/08/2011, 17:18:33 GMT -> EVENT - PRODUCT UPDATE SUCCEEDED EVENT - Update available for Antivirus and antispyware definitions - MicroDefsB.CurDefs - SymAllLanguages. Update for CurDefs takes product from update 110418018 to 110824050. Server name - liveupdate.symantecliveupdate.com, Update file - 1314253617jtun_nav2k8enncur25.m25, Signer - cn=Symantec Corporation,ou=Locality - Culver City,ou=Product Group - LiveUpdate,ou=SymSignature 2005,o=Symantec Corporation, package install code 0. The Update executed with a result code of 1800, => Success
25/08/2011, 17:18:33 GMT -> EVENT - PRODUCT UPDATE SUCCEEDED EVENT - Update available for Antivirus and antispyware definitions - MicroDefsB.Apr - SymAllLanguages. Update for HubDefs takes product from update 110418018 to 110818021. Server name - liveupdate.symantecliveupdate.com, Update file - 1313715088jtun_nav2k8enn04m25.m25, Signer - cn=Symantec Corporation,ou=Locality - Culver City,ou=Product Group - LiveUpdate,ou=SymSignature 2005,o=Symantec Corporation, package install code 0. The Update executed with a result code of 1800, => Success
Below is an extract example of a subsequent LiveUpdate session, showing you the file that the client retrieves from LiveUpdate:
25/08/2011, 19:35:29 GMT -> EVENT - PRODUCT UPDATE SUCCEEDED EVENT - Update available for Antivirus and antispyware definitions - MicroDefsB.CurDefs - SymAllLanguages. Update for CurDefs takes product from update 110824050 to 110825002. Server name - liveupdate.symantecliveupdate.com, Update file - 1314282430jtun_nav2k8en110824050.m25, Signer - cn=Symantec Corporation,ou=Locality - Culver City,ou=Product Group - LiveUpdate,ou=SymSignature 2005,o=Symantec Corporation, package install code 0. The Update executed with a result code of 1800, => Success
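The PRODUCT UPDATE SUCCEEDED EVENT lines carry everything needed to confirm that a definition update came from where it should: the server name, the update file, the signer DN and the result code. The script below is an added example, not code from the article or from Symantec. It parses those lines and flags an update whose server is not one of the default LiveUpdate hosts listed above, whose signer organisation is not Symantec Corporation, whose result code is not 1800 (the value the article shows as Success), or that does not move the definition sequence number forward. The first two log lines are copied from the article; the third is a constructed anomaly (server name and signer are made up) so the checks have something to report.

```python
import re

# Pattern for "PRODUCT UPDATE SUCCEEDED EVENT" lines as they appear in log.liveupdate.
EVENT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}, \d{2}:\d{2}:\d{2} GMT) -> EVENT - (?P<event>.+?) - "
    r"Update available for (?P<component>.+?) - (?P<version>\S+) - (?P<language>[^ .]+)\. "
    r"Update for (?P<defset>\w+) takes product from update (?P<from>\d+) to (?P<to>\d+)\. "
    r"Server name - (?P<server>[^,]+), Update file - (?P<file>[^,]+), "
    r"Signer - (?P<signer>.+?), package install code (?P<install_code>\d+)\. "
    r"The Update executed with a result code of (?P<result>\d+), => (?P<status>.+)$"
)

# Hosts taken from the default connection URLs in the article.
DEFAULT_LIVEUPDATE_HOSTS = {
    "liveupdate.symantecliveupdate.com",
    "liveupdate.symantec.com",
    "update.symantec.com",
}
SUCCESS_RESULT_CODE = "1800"  # the article shows "result code of 1800, => Success"


def parse_event_line(line):
    """Return the named fields of one update event line, or None if it is not one."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def signer_org(signer_dn):
    """Return the o= value from the comma-separated signer DN, or None if absent."""
    for part in signer_dn.split(","):
        key, _, value = part.partition("=")
        if key.strip().lower() == "o":
            return value.strip()
    return None


def check_event(rec, allowed_hosts=DEFAULT_LIVEUPDATE_HOSTS):
    """Return a list of findings for one parsed event; an empty list means it looks normal."""
    findings = []
    if rec["server"] not in allowed_hosts:
        findings.append(f"update fetched from non-default server {rec['server']}")
    org = signer_org(rec["signer"])
    if org != "Symantec Corporation":
        findings.append(f"unexpected signer organisation {org!r}")
    if rec["result"] != SUCCESS_RESULT_CODE:
        findings.append(f"result code {rec['result']} ({rec['status']})")
    if int(rec["to"]) <= int(rec["from"]):
        findings.append(f"definitions did not move forward ({rec['from']} -> {rec['to']})")
    return findings


def audit_log(lines, allowed_hosts=DEFAULT_LIVEUPDATE_HOSTS):
    """Parse every event line; return (records, problems) with problems keyed by line index."""
    records, problems = [], {}
    for i, line in enumerate(lines):
        rec = parse_event_line(line)
        if rec is None:
            continue
        records.append(rec)
        findings = check_event(rec, allowed_hosts)
        if findings:
            problems[i] = findings
    return records, problems


# Lines 0 and 1 are copied from the article; line 2 is CONSTRUCTED for illustration.
SAMPLE_LOG = [
    "25/08/2011, 17:18:33 GMT -> EVENT - PRODUCT UPDATE SUCCEEDED EVENT - Update available for Antivirus and antispyware definitions - MicroDefsB.CurDefs - SymAllLanguages. Update for CurDefs takes product from update 110418018 to 110824050. Server name - liveupdate.symantecliveupdate.com, Update file - 1314253617jtun_nav2k8enncur25.m25, Signer - cn=Symantec Corporation,ou=Locality - Culver City,ou=Product Group - LiveUpdate,ou=SymSignature 2005,o=Symantec Corporation, package install code 0. The Update executed with a result code of 1800, => Success",
    "25/08/2011, 17:18:33 GMT -> EVENT - PRODUCT UPDATE SUCCEEDED EVENT - Update available for Antivirus and antispyware definitions - MicroDefsB.Apr - SymAllLanguages. Update for HubDefs takes product from update 110418018 to 110818021. Server name - liveupdate.symantecliveupdate.com, Update file - 1313715088jtun_nav2k8enn04m25.m25, Signer - cn=Symantec Corporation,ou=Locality - Culver City,ou=Product Group - LiveUpdate,ou=SymSignature 2005,o=Symantec Corporation, package install code 0. The Update executed with a result code of 1800, => Success",
    "25/08/2011, 21:02:11 GMT -> EVENT - PRODUCT UPDATE SUCCEEDED EVENT - Update available for Antivirus and antispyware definitions - MicroDefsB.CurDefs - SymAllLanguages. Update for CurDefs takes product from update 110825002 to 110825003. Server name - liveupdate.example.invalid, Update file - 0000000000jtun_constructed.m25, Signer - cn=Not Symantec,o=Example Org, package install code 0. The Update executed with a result code of 1800, => Success",
]

if __name__ == "__main__":
    recs, probs = audit_log(SAMPLE_LOG)
    print(f"{len(recs)} update events parsed, {len(probs)} with findings")
    for idx, findings in probs.items():
        print(f"  line {idx} ({recs[idx]['defset']} {recs[idx]['from']} -> {recs[idx]['to']}):")
        for f in findings:
            print(f"    - {f}")
```

If your clients are pointed at an internal LiveUpdate Administrator server rather than the public hosts, pass its hostname in `allowed_hosts`; the signer check stays the same because the content is still signed by Symantec regardless of which server distributes it.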
A set of current monthly definitions (sometimes called "hub," "full" or "error" definitions) is published once per month. For details on the conditions under which a SEP client needs to download these larger files, see the article Symantec Endpoint Protection 11.x LiveUpdate "Micro Definition" Updates Explained.