Hi MFishman,
I'm not a security specialist but I am sure I can (at least partially) answer this question. And as stated above it depends, on which part of the product you are looking at!
I take it that by privileged mode you mean kernel mode (ring 0 in i386 and other processors) in opposition to user mode (ring 3) which are the only mode used in *nix and Windows implementations (
more details here).
So back to the answer, LiveUpdate and any desktop facing programs are running in user mode, no two ways about it. They have advanced privileges but not at the processor level i.e. they most likely inherit system privileges by running under the local nt authority account.
Now for kernel or privileged programs I'm not 100% sure but if you consider the network filtering and other pro-active threat management, process monitoring and the like then the answer must be yes, yes and yes!
Let's confront this with reality (Google search for "symantec endpoint protection kernel drivers") and we have the following coming 3rd:
Here's one proof that we have some drivers or other programs running under ring:
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007267476677998.
So I've corrected myself on the subject line above, as this is a plain yes answer.