To answer your questions:
- What is the difference between the xdelta.dax and the xdelta.dax.sig files?
- What is the difference between the delta.dax and the delta.dax.sig files?
xdelta - uses a newer technology to create deltas - was as well implemented for the first time in later releases of 11.x and then 12.1 SEPM - i don't think you will see much of normal delta.dax files anymore
.sig files - are signature files for the delta definitions
- What is the content of the "FULL" folder?
Extracted content of the full.zip archive for the definition. SEPM uses the content in this folder to create deltas.
- The Full folder has a number of .DAT files (which will be the virus def files but these are 91MB, 26MB etc. [i.e. TCDEFS.dat; TCSCANx.DAT] Nothing to suggest the normal DAT file of around 90KB).
Those are archives containg virus signatures.
If a client's virus definitions are out of date and out of date beyond the content revision's held by a SEPM or GUP, the content revision will be downloaded to the client (this could be a file that is 450MB in size). - What is this content that is being sent to the client? Where is the current virus definition file (the 90-100KB) one coming from? What is being replaced on the client side?
If the SEPM does not held the content revision that the client currently has - the SEPM will provide the client with the full.zip file (as a matter of fact currently this would be around 290MB). This is then the full package with all current virus signatures. As SEPM wasnt able to created the differential delta - full information is send to client that then replaces the currently installed definitions set.
Already mentioned http://www.symantec.com/docs/TECH131528 contains a good info what causes when clients download full package when delta would be expected.