Problem solved - after some serious struggle and the assistance of a Symantec employee over Webex (which doesn't speak well of the usability of this product).
1. Java LiveUpdate (it was present on the system because Endpoint Protection installed it) is not used; the Scan Engine runs its own copy, which is also a Java app, thus my confusion.
2. The config file must be saved encrypted by the Java editor (java -classpath jlu.jar ConfigEditor); the plain-text version will be read, but the update will fail.
3. The update server's cache (the one available at http://address:7070) was not complete, but the updater log was not very helpful; it simply exited with success and "no updates available".