Video Screencast Help
Security Community Blog

Configuring Modifying Changing Liveupdate on SEP 11.x

Created: 22 Aug 2012 • Updated: 18 Sep 2012 • 3 comments
ABN's picture
0 0 Votes
Login to vote

Hello Gents,

We normally do come across the scenario of Live update affecting our ususal work of, being a Symantec administrator. Scenarios like

  1. Clients do not have the ability to launch liveupate even though policy is been set to do so. Or vice versa.
  1. Low disk space causing SEP not to update on critical serves. Definition is stored only on the OS drive were space is a major concern.


By default the SEP definitions will be stored in the Operating System drive even if we install it in a different partition.

With the following process we can configure the Liveupdate settings, the number of revision that is kept on the SEP (client) and also change the location on where it is stored.


I )   To enable Liveupdate on the SEP.

    From SEPM:


     From Client computer:

     HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\LiveUpdate

     To enable live update "AllowManualLiveUpdate" - Value 1 to enable 0 to disable.

     To enable Scheduling Liveupdate "AllowLocalScheduleChange" - Value 1 to enable 0 to disable.


II )   To reduce the number of revision stored:

      Modify the following registry to the desired value. The value should not be lower than 2. You can reduce ~600+MB there.


  • Go to the following Registry key. 
  • For 32 bit Operating system.

       HKEY_LOCAL_MACHINE\Software\Symantec\Symantec Endpoint Protection\Content\{{C60DC234-65F9-4674-94AE-62158EFCA433} 

  • For 64 bit Operating system

        HKEY_LOCAL_MACHINE\Software\Symantec\Symantec Endpoint Protection\Content\{1CD85198-26C6-4bac-8C72-5D34B025DE35}


  • Locate the CacheEntriesEx and double click on the key
  • Change the CacheEntriesEx key to the desired value (default is 3) .


III )     To modify the location where definitions are stored.

        Modify the following registry data value to the desired location.


  • For 32 bit Operating system:


         By default it will be “C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1”

  • For 64 bit Operating system:

         HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432\Symantec\InstalledApps\ AVENGEDEFS=”DATA”

         By default it will be “C:\PROGRA~3\Symantec\DEFINI~1\VIRUSD~1”


** Note** The settings will take effect the next time update is initiated. For self-managed on the next  liveupdate schedule and for managed on the next content update.


Comments 3 CommentsJump to latest comment

Srikanth_Subra's picture


Can it be possibel to post the settings for SEP 12.x scenario?

Thanks & Regards,


"Defeat the Defeat before the Defeat Defeats you"
(Swami Vivekananda)

Login to vote
Elisha's picture

For SEP 12.1 the registry key is here:

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\Common Client\PathExpansionMap\DEFINITIONSROOT

Login to vote
Paulie-D's picture

@Elisha - thanks for the great tip.  I have a few follow-up questions for you.

1. When SEP 12.1 downloads an update via the LiveUpdateEngine (LUE), it begins the chore of expanding and integrating the update ... which seems to consume upwards of 2GB of space on the C: drive until it completes ... where most of the disk space is returned.  My question is: which setting under \PathExpansionMap\   would allow that temporary workspace to occur on a different drive other than C: ?  I presume the DEFINITIONSROOT value is where the final resulting VirusDefs will reside ... not necessarily the expand process workspace.

2. I was successful in altering the DEFINITIONSROOT value to a different drive on the local machine, after first disabling Tamper Protection, making the Registry change, copying* the subfolders and their contents from the default location to the new path, then re-enabling Tamper Protection, and finally rebooting.  My questions are:  (*1) Was it necessary to copy the assets from the default location to the new folder ... or would a subsequent LiveUpdate propagate?  (2) Since altering the DefinitionsRoot value, I am no longer able to change it again ... or change any other value under \PathExpansionMap\   even though Tamper Protection is disabled.  What happened?

The Default Location mentioned above is:  C:\documents and settings\all users\application data\symantec\symantec endpoint protection\currentversion\data\definitions\*.*

3. In tandem with item #2, I noticed that values under HKLM > Software > Symantec > Symantec Endpoint Protection > CurrentVersion > SharedDefs   also changed accordingly.  However, other values that refer to the original (default) location of the DefinitionsRoot still persist.  My question is: Should the following Registry values also be changed, to be in sync with the new value for DefinitionsRoot?




4. I noted that, after upgrading from 12.1 RU2 to 12.1 RU3, the aforementioned changes to the Registry were RESET back to their default. 

Thanks in advance for your valued feedback!

**** UPDATE as of 2013-08-30 ****

I altered the two additional Registry values, as mentioned on item #3 above, in the interim of receiving Symantec feedback.  It just made sense to do so, as their previous values were now incorrect as a result of the relocation / moving of the Definitions directory and its sub-folders.

I employed Microsoft's (Sysinternals) Process Monitor to collect activity for an entire LiveUpdate session, while the new relocation settings were in play. This particular LU session saw 3 areas updated; Virus and Spyware Definitions Win32, Symantec Whitelist, Revocation Data.  During the LU process, the free disk space on C: declined by .1GB but was returned afterwards.  Conversely, the free space on the newly-relocated drive dropped by .5GB and persisted afterwards.  Process Monitor clearly supports this revelation, as the majority of the disk activity is indeed at the newly-relocated directory path.

This appears to be great news, as it was my primary goal to relocate the expansion / unpacking of data which occurs during the LU process.  It would appear that the aforementioned Registry values allowed the relocation of both the workspace and the final residence of the VirusDefinitions.

Looking forward to your feedback / confirmation, regardless.

Login to vote