Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.

How many missing deltas before full update?

Created: 12 Feb 2013 | 6 comments

The question has come up:  how many deltas should we have the server maintain so that we're adequately covered in case a PC hasn't checked in for a while - so that there won't be any unnecessary full antivirus definition updates downloaded?  The default when we installed SEP was 10 revisions, but recently it was suggested that we should keep 70 (as that would just about be the maximum that our drive space would allow).  That seems excessive to me, so I was wondering what a reasonable number would be?  How many revisions can be missed before a full update is triggered?

Many thanks,

Comments 6 CommentsJump to latest comment

.Brian's picture

70 is high. I was always told to keep 30. 30 is roughly 10 days worth of revisions.

See this best practice guide

Best Practices for configuring the number of content revisions to keep in Symantec Endpoint Protection Manager

Article:TECH92225  |  Created: 2009-01-05  |  Updated: 2012-03-30  |  Article URL

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Mithun Sanghavi's picture


70 is on the higher side.

Symantec releases 3 definitions a day. So Let's say for a week's time of definitions, you would need atleast 21 definitions.

To determine how long it will take to perform a content distribution update in a best case scenario, use the following formula of:

 Concurrent Connections x Content Size* ÷ Available Bandwidth = Content Distribution Time

*Average Content Size = 70-100kb

Check these Articles:

Best Practices for configuring the number of content revisions to keep in Symantec Endpoint Protection Manager

Symantec Endpoint Protection Sizing and Scalability Best Practices White Paper

Hope that helps!!

Mithun Sanghavi
Senior Consultant

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

SebastianZ's picture

10 Revisions will give you approx. 3 days worth of update. Keeping 70 allow around 3 weeks of updates - every day there are 3 definitions being released. Usually there is not much need for that amount - around 20-30 revisions should be enough - covering you for a whole week - that client computers can be offline and still receive the delta updates.

saturnnights's picture

What is the tipping point at which the client will request a full update?  I had heard that there was such a point at which too many deltas would require a full update?

SebastianZ's picture

The tipping point is for when the delta package will reach the size similar to that of

It will be around a month - bit more that that - but is depending on the amount of new signatures added each time to the definitions.

But as far the functionality goes the SEPM will create the deltas as long as it has the revisions stored for it - may it be even few hundred (not recommended:D)

Vikram Kumar-SAV to SEP's picture

Every delta is the current def on SEPM - Current definition on client.

If the definition that is present on the client is present on the SEPM it will create a delta for it;.

If the SEPM does not have clients definition on SEPM delta won't be created and full zip will be pushed.

eg: Client has defs of 1st Feb and SEPM's current def is 12th feb.

So if you have content revision set to 30(10 days) then SEPM will not have definition of 1st feb on SEPm and it will push

but if you have content revision if 40(~13 days) then 1st Feb defs will be covered and client will receive delta definitions.

So by 70 revision(~23 day) client with definitions older than 23 days will pull

and 70 days is not very huge..enterpise do you 90 revisions as to keep definitions for last 30 days.

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search use it.