There'something wrong. It happened again this morning btw. It's not like it's slowly ramped up at these locations over time. Every day for years things have been normal and just in the last 2 days when LiveUpdate kicks off and goes to send the new defs it sends at least 10 times more than it ever has before. I did just come across this other post which is very similar. My issue is very similar but for me it's affecting most clients (not just 1 group). If corrupted defs is my problem does it make sense that it would be the defs on the SEPM even though clients are successfully up-to-date and the SEPM is showing a LiveUpdate Success?
http://www.symantec.com/connect/forums/client-sepm-clogging-network-traffic
Also this in the release notes for the newest MP.
Symantec Endpoint Protection Clients download full definitions from Symantec Endpoint Protection Manager or GUP rather than deltas
Fix ID: 1950212
Symptom: Clients download full definitions from Symantec Endpoint Protection Manager or GUP due to the server generating 0-byte deltas.
Solution: The Symantec Endpoint Protection Manager definition delta generation was made more robust to ensure deltas are generated properly for distribution to clients and GUPs.
I have a case open with Symantec, but so far they aren't sure what's happening. They haven't even mentioned this fix posted above... Thanks for any input.