do you have policy to bypass GUP?

Have you checked if these clients have corrupt defs?  That's usually the cause for clients to repeatedly download the full defs file.

Also, can you confirm that you have a sufficient number of defs retained by your SEPM to avoid endpoints unnecessarily grabbing the full defs?

Hello,

Check this Article:

How to Troubleshoot High Bandwidth usage issues in Symantec Endpoint Protection

http://www.symantec.com/docs/TECH154001

Hope that helps!!

Clear out the defs:

How to clear out definitions for a Symantec Endpoint Protection 12.1 client manually

My second comment was with regards to the "Number of content revisions to keep:" option found under ADMIN -> Servers -> Local Site Properties -> LiveUpdate tab.

An especially low number would mean clients are less likely to receive delta definition updates (~200kb) and more likely to grab the full fat defs (~200mb), which is why I mention it.

We came across the same scenario, in a 7 site 2000+ workstation environment there were about 50 misbehaving PCs that would repeatedly try and pull almost 800MB a day from the parent bypassing the local GUPs, 90% of teh workstations were properly operating.

We found an old reference to GUPs and differening subnets, the Symantec tech I talked to insisted that the subnets were not an issue, but we kept seeing results that disproved it as an issue, and our answer was local LU servers in the sites, this resolved it 100%.

We found that some were corrupt defs, some had full C: drives and unable to decompress the defs, and then others were just a mystery.

I know it's not the approved method, but it worked for us.

If i remember correctly there was a bug where clients bypass GUP and take defs from main SEPM...

not sure if it has been 100% fixed but it sounds matched your situation...

If you have enough space on the SEPM server then increase the number of contents from 3 to may be 15 - 20 depending on the space you have on the SEPM server.

also can you please collect the sylink logs of around 500KB from the misbehaving client and add it to the thread it would help us to understand if the client is actually bypasssing the GUP or not. also the number of unused contents kept on the GUP increase that aswell.

Content revs:

1. When you have 3 content revs in the SEPM, the SEPM can only provide microdefs for clients having one of the three most recent AV def releases. For a client that check in with a def that is fours revs back it will have to get a FULL def not a microdef.

2.  At first, increase to six defs. After three releases, measure how much more space you have used on the SEPM.  That will give you guidance on how much further you can increase defs with the SEPM space you have.

3. There is a point of diminishing return, and that is reach when the microdef is just as big as a full defs. Having more content revs than that is a complete waste of resources and gets you no advantage.   I did some research on this and the point was reached somewhere below thirty content revs. Offhand I do not recall exactly.

We have found serveral Virtual OS installations which were pulling data. They have been decomissioned.