Endpoint Protection


SEP Clients retaining 5+ revisions of Defs, large disk space used


  • 1.  SEP Clients retaining 5+ revisions of Defs, large disk space used

    Posted Feb 01, 2012 02:45 PM

    We are running into the issue where some of our servers are requiring 2GB+ for Symantec files.


    Across hundreds of servers, this can be quite a bit of disk space growth over our previous AV software, which wouldn't take more than 500 MB on each server. I have noticed that some servers are fine. They have ~500-600 MB used. However, some are not, using anywhere between 1-2 GB+ for definitions files.

    I have dug into servers with lots of disk space usage, and it seems to come from this directory: C:\Users\All Users\Symantec\Symantec Endpoint Protection\12.1.x.x.x\Data\Definitions\VirusDefs or the analog on a 2k3 server.

    On servers with low disk space usage, there are usually 1-3 folders here with definitions in them from multiple dates/revisions. On servers with higher disk usage, there may be 5-6+ folders here, sometimes with very old definition revisions (2-3 months old and older) still stored here.

    How do we solve this issue? Keep in mind manual deletion does not work for us as we have far too many servers to nanny these folders by hand.
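
Added example (not part of the thread and not Symantec tooling): a read-only PowerShell audit of the definitions directory described in the post above, reporting how many revision folders a server retains and how much space each uses. The function name, the `$DefsPath` parameter and the `$MaxExpected` threshold are assumptions; the path must be supplied for the installed build because the thread elides it as `12.1.x.x.x`.

```powershell
# Added example: read-only audit of a definitions directory. Nothing is deleted.
# $DefsPath is an assumption: pass the VirusDefs directory of the installed
# client build (the thread elides the build number as 12.1.x.x.x).
function Get-DefsRevisionReport {
    param(
        [Parameter(Mandatory = $true)][string]$DefsPath,
        [int]$MaxExpected = 3   # thread: low-usage servers show 1-3 folders
    )

    if (-not (Test-Path -LiteralPath $DefsPath -PathType Container)) {
        throw "Definitions directory not found: $DefsPath"
    }

    # Each subfolder is counted as one retained revision.
    $folders = @(Get-ChildItem -LiteralPath $DefsPath -Force |
        Where-Object { $_.PSIsContainer })

    $rows = @(foreach ($f in $folders) {
        # Sum file sizes under this revision folder; unreadable files are skipped.
        $bytes = (Get-ChildItem -LiteralPath $f.FullName -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } |
            Measure-Object -Property Length -Sum).Sum
        if ($null -eq $bytes) { $bytes = 0 }   # empty folder
        New-Object PSObject -Property @{
            Folder       = $f.Name
            LastWriteUtc = $f.LastWriteTimeUtc
            SizeMB       = [math]::Round($bytes / 1MB, 1)
        }
    })

    $total = 0
    foreach ($r in $rows) { $total += $r.SizeMB }

    # One summary object per server; oldest folders are listed first.
    New-Object PSObject -Property @{
        Computer      = $env:COMPUTERNAME
        FolderCount   = $folders.Count
        TotalMB       = $total
        OverThreshold = ($folders.Count -gt $MaxExpected)
        Folders       = @($rows | Sort-Object LastWriteUtc)
    }
}
```

Collecting the summary object from each server gives a list of which machines exceed the threshold, which is the evidence a support case for this behaviour would need.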



  • 2.  RE: SEP Clients retaining 5+ revisions of Defs, large disk space used

    Posted Feb 01, 2012 03:18 PM

    Can you tell us the version of AV client running in your servers?



  • 3.  RE: SEP Clients retaining 5+ revisions of Defs, large disk space used

    Posted Feb 01, 2012 03:43 PM

    Hello,

    Please check out the below link,

    How to change the number of downloaded content revisions that are retained by the Symantec Endpoint Protection Manager versions 11.0. or 12.1

    http://www.symantec.com/business/support/index?page=content&id=TECH104845



  • 4.  RE: SEP Clients retaining 5+ revisions of Defs, large disk space used

    Posted Feb 01, 2012 05:42 PM

    12.1.671



  • 5.  RE: SEP Clients retaining 5+ revisions of Defs, large disk space used

    Posted Feb 01, 2012 05:42 PM

    Hi,

    As we have 5000 endpoints, this is set to 30. I was told not to change this in order to allow for more granularity in microdefs to reduce LAN/WAN traffic.

    Am I to understand that the clients too will store 30 revisions? That doesn't seem to make any sense.



  • 6.  RE: SEP Clients retaining 5+ revisions of Defs, large disk space used

    Posted Feb 01, 2012 06:35 PM

    The SEP12 client is preconfigured to keep one revision of each content set.

    Please run the SEP support tool.

    You can download it from the below link

    The Symantec Endpoint Protection Support Tool



  • 7.  RE: SEP Clients retaining 5+ revisions of Defs, large disk space used

    Posted Feb 01, 2012 06:52 PM

    If you find your virus defs corrupted, you may follow the KB below to clear them once.

    How to clear out definitions for a Symantec Endpoint Protection 12.1 client manually



  • 8.  RE: SEP Clients retaining 5+ revisions of Defs, large disk space used

    Broadcom Employee
    Posted Feb 01, 2012 10:51 PM

    Only SEPM will store 30 definitions, not the client.



  • 9.  RE: SEP Clients retaining 5+ revisions of Defs, large disk space used

    Posted Feb 02, 2012 06:49 AM

    By default SEP 12 retains only 1 definition.

     

    But for earlier versions, see the link below, which will guide you to reduce the number on the client.

    http://www.symantec.com/business/support/index?page=content&id=TECH103956&actp=search&viewlocale=en_US

     

    It is possible that there was a problem during migration. You can run the SEP support tool log.



  • 10.  RE: SEP Clients retaining 5+ revisions of Defs, large disk space used

    Posted Feb 02, 2012 10:46 AM

    So this is a bug, then? This isn't isolated, there are many servers in my environment doing this behavior.

    Running the support tool is all well and good if this were one single instance, but we are seeing this on multiple machines.



  • 11.  RE: SEP Clients retaining 5+ revisions of Defs, large disk space used

    Broadcom Employee
    Posted Feb 02, 2012 11:05 AM

    Can you check the registry entry for 32 bit definition, if the cache setting has been enabled

    HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\Content



  • 12.  RE: SEP Clients retaining 5+ revisions of Defs, large disk space used

    Posted Feb 02, 2012 11:22 AM

    Hi,

     

    If you want to remove corrupted definitions you can use Rx4Defs.exe

    For more information:

    http://service1.symantec.com/SUPPORT/ent-security.nsf/dbe87fe9662c16ef8825734100634940/67b45d576111b98888257459005f74d0?OpenDocument

     



  • 13.  RE: SEP Clients retaining 5+ revisions of Defs, large disk space used

    Posted Mar 29, 2012 03:59 AM

    We too are seeing a large number of clients retaining virus definitions. Furthermore, Rx4Defs seems, at the link above, to be for 32-bit clients only. What do we do when we have a mixed environment of 32b and 64b?

    Best regards,

    Sune Mølgaard



  • 14.  RE: SEP Clients retaining 5+ revisions of Defs, large disk space used

    Posted Mar 29, 2012 05:03 AM

    Incidentally, at least for the machine that I tried to run the support tool on now, it would seem that definitions are *not* corrupted, but the support tool indicates that the client needs to be rebooted in order to delete the old definition dir.

    This is highly inconvenient, and what might cause this?

    Best regards,

    Sune Mølgaard



  • 15.  RE: SEP Clients retaining 5+ revisions of Defs, large disk space used

    Posted Mar 29, 2012 04:58 PM

    There is currently a known issue regarding clients not deleting definition sets until a reboot is performed. The issue has been presented to Development.

    If you are experiencing this issue, I would recommend calling into support, opening up a case, and referencing the following KB document.

    http://www.symantec.com/docs/TECH180056

    You will also want to provide a SEP support tool log from an affected client showing that the definitions are waiting to be deleted upon reboot. Below is a link on how to download and run this tool.

    http://www.symantec.com/techsupp/home_homeoffice/products/sep/Sep_SupportTool.exe

    Providing this information will be able to advance the case and have it attached to the issue. The more cases attached the more visibility this will gain with development.