I recently worked on a laptop that used Symantec Endpoint Protection 11 for antivirus software. It had been on an internal network that used a management server to pass definitions and patches to the clients. This laptop was then moved offsite where it didn’t have connectivity to the internal update server.

Even though I had removed the managed client and reinstalled the SEP11 client in unmanaged mode, it was still looking for the internal server for its updates. I checked the registry for the target liveupdate server, but it wasn’t there. Turns out, there’s a settings.liveupdate file in the C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate folder (for XP/2000) that tells the client where to look for the latest virus definitions. I deleted the file, and LiveUpdate rebuilt it on its first run. This time, its default setting was the internet source, which it accessed and was able to download the updates.

Evidently, when uninstalling the managed version, the liveupdate settings aren’t always removed. Deleting the file forced LiveUpdate to fallback and all was well.