SEP Average Update Size

Created: 05 Oct 2011 • Updated: 24 Oct 2011 | 7 comments
jwardell's picture
This issue has been solved. See solution.

Hi folks,

Could anybody tell me what the average file size is for a content update for SEP 12.1 that is pulled down to the SEPM via liveupdate?

Any help would be greatly appreciated!

Rafeeq's picture
The size of the heartbeat is about 2-3 KB/s.
If the heartbeat is 5 min, the heartbeat happens 12 times an hour.
So for 1000 clients in 24 hrs it should be = 1000*24*12*3 = 864000 = 844 mb
And if the heartbeat is 15 mins, it will happen 4 times an hour.
So for 1000 clients in 24 hrs it should be = 1000*24*4*3 = 281 mb
This is for the heartbeat.
You can't say the actual size of the LiveUpdate because it varies every day on average.
If you want to know the size, enable this

Ryan_Dasso's picture

@Rafeeq: This is not what the original post asked about... but besides that, even your numbers for the delta files pushed to clients are pretty low. Deltas are generally around 200-300 KB now.

To answer the original question, the size of the updates is hovering around 150 MB for all the defs. About 140 MB for antivirus defs and the other technologies are quite a bit smaller... a few MB, at most. Updates are growing slowly over time... about a year ago, they were at around 100 MB, in total.

If you want exact numbers, check the following link:

Pick one of the 3 folders and take a look at the JDB file... that's almost exactly what the SEPM pulls down for AV defs.

Elisha's picture

I think we need to distinguish our terminology here.  The 150MBs that you specify is talking about full content size, not updates.  We are talking about updates here.

If a client already has content applied then only an update is needed not a full content revision.  The updates are delivered either by SEPM, by GUP or by LU.  All of these delivery mechanisms for content use delta form.  These "updates" are generally around 200K to 300K (not 150MB).

If a customer is seeing 150MB updates then we need to figure out why those clients are not getting delta files.  Updates should not be that large.


Elisha's picture

Normally a client should be pulling a delta file from SEPM for content updates.  The average size of the AV delta file is around 200KBs to 300KBs.  The client could be updating this 2 to 3 times daily.  So it could range anywhere between 400KBs and 900KBs daily for clients for content updates.

Vikram Kumar-SAV to SEP's picture

@ Elisha -- Are you sure LUA mechanism distributes deltas and not ?

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search use it.

Elisha's picture

Yes. Our Internet LiveUpdate (LU) server will distribute delta updates.  LiveUpdate Administrator (LUA), which can be deployed inside the customer's network, will download files from LU to distribute to other Symantec products (such as SEP or SEPM).  Since LUA gets files from LU it will get delta files also.

For LU I believe we keep 7 days of delta files.  For SEPM you can customize how many days of delta files you want to keep.

Mick2009's picture

Hi Jwardell,

"Thumbs up" to the advice, above.  Very good information on the size of full AV defs and average deltas that are sent to clients.

>content update for SEP 12.1 that is pulled down to the SEPM via liveupdate?

Due to the millions of threats and variants in circulation today, the AV definitions are the largest component that the SEPM needs.  However, there are also IDS signature definitions, whitelists, client packages, etc that the SEPM will need to download, too.  For a full list of what a SEPM is downloading and the sizes of the files, do check out the log.liveupdate from the SEPM. 

Both the SEPM and the LiveUpdate Administrator 2.x server generally connect to Internet LU sources, and can keep the SEP endpoint up-to-date with the latest contents.  In most circumstances it is best for the SEPM to handle this job, as the technology that it uses to generate delta defs for the clients results in smaller custom-built differential delta files being sent to each endpoint client.  The SEP clients get exactly what they need, and no larger.  The LUA server just stores and passes on the same larger incremental "current defs" that are on the Internet.  This keeps them up-to-date just as effectively, but may use more network bandwidth. 

The following article has a little more info on LUA AND SEP:

When is it Recommended to Use LiveUpdate Administrator 2.x with Symantec Endpoint Protection?
Article: TECH154896 | Created: 2011-03-07 | Updated: 2011-08-17 |
Article URL

Hope this helps!  Do update the thread if there is any more information you need, Jwardell, or mark it solved for the benefit of future admins who have the same question.

Thanks and best regards,
