Endpoint Protection

How to clear corrupt Virus Definitions from SEPM

07-22-2009 06:42 PM

If SEPM has downloaded corrupt virus definitions, they have to be cleaned out of the file system, the shared definition folders and the registry, and then downloaded again.

The steps are as follows:

File system cleanup for 32-bit SESC Virus Definitions:

1. Stop the SEPM server service.

2. Go to the folder C:\program files\symantec\symantec endpoint protection manager\Inetpub\content\{C60DC234-65F9-4674-94AE-62158EFCA433} and move all of its subfolders to another place, such as C:\Temp, if you want a backup; otherwise delete the subfolders.

Database cleanup for 32-bit SESC Virus Definitions:

3. Go to C:\Program Files\Common Files\Symantec Shared\SymcData\ and delete the following folders:
sesmipsdef32
sesmipsdef64
sesmvirdef32
sesmvirdef64

4. In the registry, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps and delete these keys:
SymcData-sesmipsdef32
SymcData-sesmipsdef64
SymcData-sesmvirdef32
SymcData-sesmvirdef64

5. In the registry, navigate to and delete the following keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SharedDefs\SymcData-sesmipsdef32
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SharedDefs\SymcData-sesmipsdef64
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SharedDefs\SymcData-sesmvirdef32
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SharedDefs\SymcData-sesmvirdef64

6. Start the SEPM service back up.

7. Run LiveUpdate from within the Symantec Endpoint Protection Manager console.

This will re-populate the database, which in turn will update the moniker folders.
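Steps 1 to 6 above as a single PowerShell script, added here as an example and not part of the original article. It assumes the SEPM service is named semsrv and uses the 32-bit paths from the article (all are parameters, so they can be changed for other layouts); step 7, LiveUpdate, is still run from the console afterwards. Because the registry entries can exist as either a subkey or a value named SymcData-<moniker>, the script checks for both before removing anything, and it moves the content subfolders to a backup folder instead of deleting them.

```powershell
<#
 Added example (not from the original article): scripted version of steps 1-6.
 Run in an elevated PowerShell. Assumption: the SEPM service is 'semsrv'
 (display name "Symantec Endpoint Protection Manager"). Supports -WhatIf.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$ServiceName = 'semsrv',
    [string]$ContentDir  = 'C:\Program Files\Symantec\Symantec Endpoint Protection Manager\Inetpub\content\{C60DC234-65F9-4674-94AE-62158EFCA433}',
    [string]$SymcData    = 'C:\Program Files\Common Files\Symantec Shared\SymcData',
    [string]$BackupDir   = "C:\Temp\sepm-defs-backup-$(Get-Date -Format yyyyMMdd-HHmmss)"
)
$monikers = 'sesmipsdef32', 'sesmipsdef64', 'sesmvirdef32', 'sesmvirdef64'

# Step 1: stop SEPM so nothing rewrites the content folders while we work.
Stop-Service -Name $ServiceName -Force -ErrorAction Stop

# Step 2: move (not delete) the moniker subfolders so a bad run can be undone.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
Get-ChildItem -Path $ContentDir | Where-Object { $_.PSIsContainer } | ForEach-Object {
    if ($PSCmdlet.ShouldProcess($_.FullName, "Move to $BackupDir")) {
        Move-Item -Path $_.FullName -Destination $BackupDir
    }
}

# Step 3: remove the shared-definition folders under SymcData.
foreach ($m in $monikers) {
    $dir = Join-Path $SymcData $m
    if ((Test-Path $dir) -and $PSCmdlet.ShouldProcess($dir, 'Remove folder')) {
        Remove-Item -Path $dir -Recurse -Force
    }
}

# Steps 4-5: the SymcData-<moniker> entries under InstalledApps and SharedDefs.
# They may be present as a subkey or as a value, so handle both rather than assume.
foreach ($base in 'HKLM:\SOFTWARE\Symantec\InstalledApps', 'HKLM:\SOFTWARE\Symantec\SharedDefs') {
    if (-not (Test-Path $base)) { continue }
    foreach ($m in $monikers) {
        $name = "SymcData-$m"
        $sub  = Join-Path $base $name
        if (Test-Path $sub) {
            if ($PSCmdlet.ShouldProcess($sub, 'Remove registry key')) { Remove-Item -Path $sub -Recurse -Force }
        } elseif ($null -ne (Get-Item $base).GetValue($name, $null)) {
            if ($PSCmdlet.ShouldProcess("$base\$name", 'Remove registry value')) { Remove-ItemProperty -Path $base -Name $name }
        }
    }
}

# Step 6: start SEPM again. Step 7 (LiveUpdate) is then run from the SEPM console.
Start-Service -Name $ServiceName
```

Run it once with -WhatIf to see exactly which folders and registry entries would be touched before running it for real.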


Comments

10-08-2013 01:51 PM

An exploit is a piece of software, a command, or a methodology that attacks a particular security vulnerability. Exploits are not always malicious in intent—they are sometimes used only as a way of demonstrating that a vulnerability exists. However, they are a common component of malware.

07-26-2013 04:36 AM

Please, I need help. My laptop encountered a SID:26892. Backdoor.Ratenjay RAT. What will I do?

09-07-2012 03:47 PM

Amen ShadowsPapa. How about SEPM does, I dunno, perform a CHECKSUM function before it propagates this corrupted definition file to ALL OF MY CLIENTS?

Have you checked your LiveUpdate policy? Most recently, I spent a few weeks fighting with definitions being stuck and it wasn't corrupted defs (like it's been typically in the past). It was actually an older LiveUpdate policy using an invalid GUP that I was probably testing, when I restored my Database from backup.

09-06-2012 08:08 AM

A common theme in SEP 11.x and 12.x

I think that for the next update or release of SEP, Symantec needs to concentrate on the root cause, or build in an automatic repair system - meaning that if the SEPM detects definitions won't move beyond a certain point, the SEPM automatically rolls back to the last known good instance, cleans up, then moves forward.

Otherwise, I come in after 2 days off for vacation, and spend my next week fixing and cleaning up manually. Been this road too often - if a person leaves for a couple of days, and there is a problem with definitions, by the time you get back to it, it's an emergency as the defs are now 9 days old, and no one, including the boss, had current defs and the phone is ringing, email is filling up........ and "what? Again"? and you try to explain that it can't be explained, SEP just has this problem of corrupt defs now and then and it's just not smart enough to tell when its own defs are bad, can't move forward - it simply gets stuck and sits there.

So how hard would it be to add some intelligence to SEPM? Do some client checks, do some checks on the defs running in SEP that runs on the SEPM, some sort of hash or defs QA check the SEPM does daily and if the defs appear bad, SEPM rolls them all back, and starts again. How hard is that? This system works miracles, but get a single bit out of place and it's totally crippled. Sort of like if the space shuttle ran on Windows 7, no redundant computer, and the thing froze, and the crew is on re-entry and has to tell mission control - "uh, folks, hang on, we've got a corrupt file and will have to reboot the computer"  ;-)  Yeah, I'm poking at you tongue-in-cheek, but seriously, I'd love to see this app or rather system have some smarts - and I know you guys can do it - it's the best on the market - but it gets tangled each time there's a tiny problem with the definitions. It's like the Achilles' heel of SEPM.

BTW - It's now September 6th, our defs have been stuck on August 29th, r18 and won't move. I've tried all the documents, all hints, tips and suggestions. The boss called - "hey, what's up with the definitions?".
I just got done reinstalling both servers several times because of other issues, and have done nothing all summer but reinstall, repair, rebuild, etc. I have over 150 hours in diagnostic time, hours, days, spent collecting information for tech support, who still have no real idea what's going on - I no longer like the phrase "no one else is seeing this" - they need to pay a visit to us. It's real.
I'm exhausted. For me, SEP 12.1 is the worst version *as far as reliability* (its power is beyond compare, however) since SAV 7.0 and corrupted defs aren't helping.
Please - a real fix, a real document that's easy to follow. The last one was a jumble, and you had to keep referring to notes that explain "well, for that OS it's not that path, it's this path instead". That's not a very good document.
Maybe I need to work there - I'm good at creating documents that anyone can follow and that make sense from an end-user stand-point.
I'm ready for a Symantec tech person to remote in, take control, and just FIX it all.

06-16-2012 08:56 AM

Readers of this article may also be interested in:

Symantec Endpoint Protection Manager 11.x is not updating 32 or 64 bit virus definitions.
Article: TECH104721 | Created: 2008-01-15 | Updated: 2012-06-16
Article URL http://www.symantec.com/docs/TECH104721

Symantec Endpoint Protection Manager (SEPM) 12.1 is not updating 32 or 64 bit virus definitions.
Article: TECH166923 | Created: 2011-08-11 | Updated: 2012-02-06
Article URL http://www.symantec.com/docs/TECH166923

02-13-2012 05:07 AM

Guys,

I have installed Symantec Endpoint Protection Manager on Windows 2008 R2 and I do not have internet to update virus definitions. I am trying to download and update antivirus and antispyware definitions on the server with a .jdb file but it seems not to be updating. How I check: I go to console, Admin -> Servers -> Local Site, but it shows old updates on 17 Dec. I want to update the server from the .jdb file and all clients then get updated from the server. No internet access at all.

Please suggest how I update the server and my clients with the latest virus definitions.

01-11-2012 08:18 AM

The Location for the SymcData folder in Windows 2008 64 bit machine is as follows:

C:\ProgramData\Symantec\Definitions\SymcData

03-04-2011 08:30 AM

Maybe your DB is already corrupt...
For this you have to reinstall your SEP infrastructure from the first point.
You can save policies, certificate, server settings and so on, but you need to create a new one from a new installation.

03-01-2011 06:33 PM

Did the trick.

07-30-2010 05:11 PM

Yes, can someone please elaborate and expound on the details of how definitions get corrupted in the first place? I have restored the database several times from this same validated restore point and the definitions keep becoming corrupt.

05-06-2010 01:55 AM

Hi SEP Expert,

Can someone explain what the root cause of corrupted virus definitions from SEPM is?

How may I avoid the issue again from the SEPM?

Thanks

Regards,
Scott Yee

02-15-2010 04:19 PM

Hello,
I tried all the steps above but I am still getting the same errors.
Also in the folder C:\Program Files\symantec\symantec endpoint protection manager\inetpub\content there is only 1 file called ContentInfo.txt that is 0 KB. Nothing else.

Here is the output of my last LiveUpdate session.

15 February 2010 21:14:07 GMT:  LiveUpdate failed.  [Site: My Site]  [Server: motn-isa]
15 February 2010 21:14:07 GMT:  LUALL.EXE finished running.  [Site: My Site]  [Server: motn-isa]
15 February 2010 21:14:07 GMT:  LiveUpdate encountered one or more errors. Return code = 4.  [Site: My Site]  [Server: motn-isa]
15 February 2010 21:14:03 GMT:  Symantec Endpoint Protection Win64 11.0.5002.333 (English) is up-to-date.    [Site: My Site]  [Server: motn-isa]
15 February 2010 21:14:01 GMT:  Symantec Endpoint Protection Win32 11.0.5002.333 (English) is up-to-date.    [Site: My Site]  [Server: motn-isa]
15 February 2010 21:14:00 GMT:  Antivirus and antispyware definitions Win32 11.0 MicroDefsB.CurDefs failed to update.  [Site: My Site]  [Server: motn-isa]
15 February 2010 21:14:00 GMT:  Symantec Endpoint Protection Manager Content Catalog 11.0 failed to update.  [Site: My Site]  [Server: motn-isa]
15 February 2010 21:14:00 GMT:  Antivirus and antispyware definitions Win64 11.0 MicroDefsB.CurDefs failed to update.  [Site: My Site]  [Server: motn-isa]
15 February 2010 21:12:16 GMT:  LUALL.EXE has been launched.  [Site: My Site]  [Server: motn-isa]
15 February 2010 21:12:15 GMT:  Download started.  [Site: My Site]  [Server: motn-isa]

01-27-2010 10:25 AM

Great Job!

01-04-2010 04:57 PM

I followed this http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007123111551948 and now the client that is installed on the SEPM server runs without AV definitions and Luall.exe and the other processes keep trying in vain to update.

10-08-2009 01:25 PM

Awesome!

08-31-2009 07:21 AM

Very useful article.

08-03-2009 04:52 AM

Nice work, sir Aniket. I used to encounter this kinda prob.. :-)

07-30-2009 02:07 PM

That is right...
A backup would make room for any mistakes...
First rule in implementation...

07-28-2009 08:26 AM

Whatever you do.........Make sure that you take a backup....Some folks had a hard time with almost the same technique some time back..........

https://www-secure.symantec.com/connect/forums/machines-stopping-because-disk-full

07-26-2009 10:48 PM

This will help lots of people, as this is a very common issue all over the globe.

07-25-2009 07:00 PM

Nice article...
You might also add this...
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007123111551948

thanks..
