Troubleshooting Large Incrementals caused by Symantec LiveUpdate

Scope

This article explains how to troubleshoot large incremental backups caused by Symantec LiveUpdate.

Overview

There are two scenarios in which the size of an incremental backup can be affected by Symantec LiveUpdate:

  • Nightly updates causing large amounts of change on a protected drive.
  • New definition files being generated by LiveUpdate if the original definition file is locked during an update.

Resolution

Nightly updates causing large amounts of change on a protected drive

By default, Symantec LiveUpdate stores definition files in a folder named 'Definitions' or 'VirusDefs' in one of the following locations:

  • C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Definitions\
  • C:\Program Files\Common Files\Symantec Shared\VirusDefs\

These paths may vary depending on which version of Symantec is running, or if you have changed the protected system's default download location.

Datto recommends using the Symantec LiveUpdate Administrator to change the default download location to a disk volume not protected by the Datto device. For more information regarding changing the download location, consult the Symantec Knowledge Base.

New definition files being generated by LiveUpdate if the original definition file is locked during an update

When LiveUpdate runs a scheduled scan, it locks the definitions file against any changes. If the automatic updater runs at the same time, it will be unable to overwrite the old definitions file, and will download a new copy instead. Because definitions files are often large, the disk change caused by the download will be reflected in the size of the protected system's next incremental backup.

Changing LiveUpdate's scheduled scan time will normally fix this issue.

Symantec has also created a tool to clean up stale virus definitions, which can be downloaded here.
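
To check whether the definition folders account for the change before adjusting anything, the following PowerShell script reports how much data was written under each default path within a look-back window and lists the largest subfolders, so extra copies of definitions stand out. This is an added example, not a Datto or Symantec tool; the 24-hour window and the script layout are assumptions, and the paths are the two defaults listed above.

```powershell
# Added example: measure recent churn in the default LiveUpdate definition folders.
# Run in an elevated PowerShell session on the protected system.
param(
    [int]$Hours = 24   # look-back window (assumption: roughly one backup interval)
)

# Default locations named in this article; edit if your install differs.
$definitionPaths = @(
    'C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Definitions',
    'C:\Program Files\Common Files\Symantec Shared\VirusDefs'
)
$cutoff = (Get-Date).AddHours(-$Hours)

function Get-SizeMB($items) {
    # Sum file lengths in MB; an empty set yields 0.
    $sum = ($items | Measure-Object -Property Length -Sum).Sum
    [math]::Round($sum / 1MB, 1)
}

foreach ($root in $definitionPaths) {
    if (-not (Test-Path -LiteralPath $root)) {
        Write-Output "Not present: $root"
        continue
    }

    # All files under the folder, and the subset written inside the window.
    $files  = @(Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue)
    $recent = @($files | Where-Object { $_.LastWriteTime -ge $cutoff })

    Write-Output "Path: $root"
    Write-Output ("  Total size:            {0} MB in {1} files" -f (Get-SizeMB $files), $files.Count)
    Write-Output ("  Written in last {0} h:  {1} MB in {2} files" -f $Hours, (Get-SizeMB $recent), $recent.Count)

    # Largest immediate subfolders: several large folders with different
    # timestamps suggest stale or duplicated definition copies.
    Get-ChildItem -LiteralPath $root -Directory -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sub = @(Get-ChildItem -LiteralPath $_.FullName -Recurse -File -Force -ErrorAction SilentlyContinue)
            [pscustomobject]@{
                Folder    = $_.Name
                SizeMB    = Get-SizeMB $sub
                LastWrite = $_.LastWriteTime
            }
        } |
        Sort-Object SizeMB -Descending |
        Select-Object -First 5 |
        Format-Table -AutoSize
}
```

If the amount written in the window is close to the size of the unexpected incremental, the definition folder is the likely source; compare the write times against the scheduled scan time to tell the two scenarios apart.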