You can look in the system log on the client. It will say "Downloaded content from GUP"

Or you can turn on sylink logging. You should see contact between the client and GUP.

It depends on your policy settings. You can set them to only talk to LU or internal only.

Any method can stop these clients from downloading from liveupdate.symantecliveupdate.com

To stop clients from connecting out onto the internet and downloading content from liveupdate.symantecliveupdate.com you need to change your LiveUpdate policy for clients internal to the network. It would look somewhat like the next screenshot. Remember that clients external to your network would benefit from still downloading updates directly from Symantec.

In the following screenshot, the options with stars only help minimise the connections out onto the internet, the do not prevent them. We cut our daily download of 6GB by 300+ clients down to 500MB by making sure that the 'Use the default Symantec LiveUpdate server' option is NOT checked as per the red no go circle.

For the logging, James-x answer is correct. You need to enable Sylink log debugging (unfortunately, per client)

I checked sylink log. I don't see the port number 2967 but i can see the IP address of my SEPM server.

I check system log i couldn't find "Downloaded content from GUP"

Policy configured to get updates only from GUP. I don't have that option selected "use a liveupdate server".

Only "use the default management server" is selected.

"use the default management server :" << THis mean that client is meant to download updates from the SEPM .

Incase you have configured a GUP and marked this option when the client check into the SEPM , the SEPM informs the clients to dowload updates from the GUP .

As a suggestion you can also use SEP Content Distribution Monitor (for GUP health-checking)

REFRENCE :https://www-secure.symantec.com/connect/downloads/new-sep-content-distribution-monitor-gup-health-checking

Please mark thums up if this is helpful or mark resolved if this was helpful

You could have a look at the Client  log C:\Documents and Settings\All Users\Application Data\Symantec\\Log. (open in notepad). It  have an entry like this; <date time(GMT)> Progress Update: TRYING_HOST: : "Central Live Update Server  <address of server it is trying to retrieve Updates from>" This will show you the  server address that it is trying to  to internal or external.

Also you could look at C:\Documents and Settings\All Users\Application Data\Symantec\\Settings. (open in Notepad). look for the entries marked as

HOSTS\0\ACCESS=<Server Path>

HOSTS\0\ACCESS2=<Server Path>

The <Server Path> should be you internal servers. They may look like this if they are going to the Symantec LU servers;

HOSTS\0\ACCESS=liveupdate.symantecliveupdate.com

You could have corrupted Client setting. It appears if your clients have corrupted setting they will revert to a  setting from this file C:\Program Files\Symantec\LiveUpdate\Settings.Default.LiveUpdate .

I have had this happen to us as posted in the below link. Mick2009 post a work around for the problem.

https://www-secure.symantec.com/connect/forums/liv...

As for stopping it if you run a proxy server you could block client from connecting to symantec liveupdate anonymously.