Here are some lines from Log.Lue that seem to be related to the PTP definitions (note that due to the lack of naming consistency I make the assumption that "Behavior And Security Heuristics 12.1 RU2" in this log is the same thing as "SONAR Heuristics" a.k.a "PTP definitions")
Session started at: 2013/01/14 18:07:40.894 (UTC -05:00)
Adding an update to potentially available list by catalogue parser: SEPC Behavior And Security Heuristics 12.1 RU2, MicroDefsB.CurDefs, SymAllLanguages,CurDefs,130107011.
Update for moniker: {D6AEBC07-D833-485f-9723-6C908D37F806}, P: SEPC Behavior And Security Heuristics 12.1 RU2, V: MicroDefsB.CurDefs, L: SymAllLanguages, package: 1357692847jtun_bashsepc121130011-130107011.x01, SeqName: CurDefs, SeqNum: 130107011, has update status code: 100
***** Session Results *****
Total Updates Available: 6
Total Updates Succeeded: 6
Total Updates Succeeded - Reboot Req: 0
Total Updates Skipped: 0
Total Updates Failed: 0
Session result code: 0x00000000
Session ended at: 2013/01/14 18:08:38.721 (UTC -05:00)
On the Win7 client in C:\ProgramData\Symantec\Symantec Endpoint Protection\[version]\Data\Definitions\BASHDefs
(I believe that BASH = Behavior And Security Heuristics which equals "SONAR Heuristics")
there is a folder for 20121130.011 and for 20130107.011. So it seems that definitions for the current version are on the workstation.
The file definfo.dat shows
[DefDates]
CurDefs=20130107.011
The file usage.dat shows
[20121130.011]
BASH=1
Just to double-check I also reviewed the SEPM --> LiveUpdate Content Policy and all of the items are checked with 'use latest available'.
I also noticed on the SEPM --> Clients that this Win7 client shows "Not available" in the field for Current SONAR Definitions.