How to clear out definitions for a Symantec Endpoint Protection 12.1 client manually

Article:HOWTO59193  |  Created: 2011-09-08  |  Updated: 2013-06-24  |  Article URL http://www.symantec.com/docs/HOWTO59193
Article Type
How To



 

To troubleshoot the failure of the Symantec Endpoint Protection 12.1 (SEP) client to operate correctly or update its definitions, it can be helpful to remove potentially corrupted definitions from the client.   
The following instructions remove corrupt or potentially corrupt definitions from a SEP 12.1 client.  Be aware that if you follow this procedure and the definitions are not restored, the SEP 12.1 client may be left in a worse state (having no definitions) than it was before (when it was only suspected that the definitions were corrupted).  Make a copy of any directory or registry contents you plan to delete.
 
Note:  Disable Tamper Protection on the client before executing the following procedure to avoid getting an "Access is denied" error.
 
1. Close the client GUI.  If the client GUI is open (SymCorpUI.exe is running) it will prevent the shutdown of the Symantec Management Client service in the next step.
 
2. If the BASHDefs definitions (Proactive Threat Protection) are to be cleared, stop the BASH driver (BHDrvx86 or BHDrvx64):
 
a. Open the Device Manager (devmgmt.msc) 
b. Choose View > Show hidden devices and look for the driver under 'Non-Plug and Play Drivers'
c. Right-click the driver and choose Properties
d. Select the 'Driver' tab to access the Startup Type option
e. Set Startup Type to 'Disabled'
f. Click 'OK' and reboot the system
 
3. In the Start > Run menu option (or Start > Search text box) enter 'smc -stop' to stop the Symantec Management Client (smc.exe) services and the dependent Symantec Endpoint Protection service. Verify that the SEP system tray icon disappears.
 
4. Delete the contents of the definitions directories in question, but not the directories themselves.  The definitions directories are sub-directories of the path… 
 
<drive:>\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Definitions
or
<drive:>\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Definitions
 
…and include the following…
 
BashDefs
ccSubSDK_SCD_Defs
EfaVTDefs
HIDefs
IPSDefs
IronRevocationDefs
IronSettingsDefs
IronWhitelistDefs
SRTSPSettingsDefs
VirusDefs
 
For example, to clear the virus definitions delete the contents of "VirusDefs" but not the folder "VirusDefs" itself.
 
If you receive an error indicating that a file or folder is in use, reboot into Safe Mode and delete the contents from there.
 

 
5. If you are clearing the virus definitions, delete the following registry values...
 
SRTSP
NAVCORP_70
DEFWATCH_10
SepCache3
SepCache2
SepCache1
 
...in the key...
 
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs
 
6. Clear the registry values within the appropriate sub-keys of...
 
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs
 
...that correspond to the definitions directories you cleared.  In both the registry and the file system, do not delete the folder or key named after the definitions set; delete only the files or values it contains.
 
In other words do not delete the following sub-keys (only their contents):
 
BASHDefs
ccSubSDK_SCD_Defs
HIDefs
IPSDefs
IronRevocationDefs
IronSettingsDefs
IronWhitelistDefs
MicroDefs
EfaVTDefs (12.1.2+)
SRTSPSettingsDefs (12.1.2+)
 
7. If the BASHDefs definitions (Proactive Threat Protection) were cleared, start the BASH driver (BHDrvx86 or BHDrvx64) again:

a.  Open the Device Manager (devmgmt.msc) 
b.  Choose View > Show hidden devices and look for the driver under 'Non-Plug and Play Drivers'
c.  Right-click the driver and choose Properties
d.  Select the 'Driver' tab to access the Startup Type option
e.  Set Startup Type to 'System'
f.  Click 'OK' and reboot the system
 
8. If you did not perform the previous step and reboot the system, then in the Start > Run menu option (or Start > Search text box) enter 'smc -start' to restart the Symantec Management Client (smc.exe) and Symantec Endpoint Protection services.
 
9. An empty folder called 'newdefs-trigger' should appear in each cleared definitions sub-directory. 
 
10. Monitor the definitions sub-directories to verify that definition sets are re-acquired.
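The following PowerShell script is an added example, not part of the Symantec article, that automates steps 4 to 6 for one definitions set: it takes the backup the article recommends, empties the folder and the matching SharedDefs values, and leaves the folder and sub-key themselves in place. It assumes an elevated prompt on Vista or later (the ProgramData path), that Tamper Protection is already disabled and 'smc -stop' has been run, and the $DefName parameter and backup location are the example's own.

```powershell
# Added example, not from the Symantec article: back up and then clear ONE
# SEP 12.1 definitions set (folder contents + matching SharedDefs values),
# keeping the folder and the registry sub-key themselves, per steps 4 to 6.
# Assumes an elevated prompt, Tamper Protection disabled, and 'smc -stop' run.
param(
    [Parameter(Mandatory)][string]$DefName,          # e.g. VirusDefs, IPSDefs
    [string]$BackupRoot = "$env:TEMP\SEPDefsBackup"  # hypothetical location
)
$defsDir = Join-Path $env:ProgramData `
    "Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Definitions\$DefName"
$sharedDefs = 'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs'

if (-not (Test-Path -LiteralPath $defsDir)) { throw "Definitions folder not found: $defsDir" }

# Steps 1 and 3: refuse to run while the client GUI or smc.exe is still up.
foreach ($proc in 'SymCorpUI', 'smc') {
    if (Get-Process -Name $proc -ErrorAction SilentlyContinue) {
        throw "$proc.exe is running; close the client GUI and run 'smc -stop' first."
    }
}

# Back up everything about to be deleted, as the article advises.
$backup = Join-Path $BackupRoot "$DefName-$(Get-Date -Format 'yyyyMMdd-HHmmss')"
New-Item -ItemType Directory -Path $backup -Force | Out-Null
Copy-Item -Path (Join-Path $defsDir '*') -Destination $backup -Recurse -Force
reg.exe export 'HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs' `
    (Join-Path $backup 'SharedDefs.reg') /y | Out-Null

# Step 4: delete the folder's contents but leave the folder in place.
Get-ChildItem -LiteralPath $defsDir -Force | Remove-Item -Recurse -Force

# Step 5 (virus definitions only): remove the listed values directly under SharedDefs.
if ($DefName -ieq 'VirusDefs') {
    foreach ($v in 'SRTSP', 'NAVCORP_70', 'DEFWATCH_10', 'SepCache3', 'SepCache2', 'SepCache1') {
        Remove-ItemProperty -Path $sharedDefs -Name $v -ErrorAction SilentlyContinue
    }
}

# Step 6: clear the values inside the matching sub-key, keeping the sub-key itself.
$subKey = Join-Path $sharedDefs $DefName
if (Test-Path -LiteralPath $subKey) {
    foreach ($name in (Get-Item -LiteralPath $subKey).GetValueNames()) {
        # GetValueNames() reports the default value as ''; Remove-ItemProperty wants '(default)'
        if ($name -eq '') { $name = '(default)' }
        Remove-ItemProperty -LiteralPath $subKey -Name $name
    }
}
Write-Host "Cleared $DefName (backup: $backup). Run 'smc -start' and watch for 'newdefs-trigger'."
```

Run it once per definitions set you intend to clear (for BASHDefs, after the driver has been disabled as in step 2), then continue with steps 7 to 10.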
 