How to manually repair or backdate virus definitions for Symantec AntiVirus Corporate Edition 8.x and 9.x

Article:TECH100019  |  Created: 2002-01-22  |  Updated: 2007-01-06  |  Article URL http://www.symantec.com/docs/TECH100019
Article Type
Technical Solution


Issue



You updated the virus definitions on a computer that is running Symantec AntiVirus Corporate Edition, and now you see one or more of the following symptoms:

- The Symantec AntiVirus service fails to start.
- The number of Scan Omission errors in the Event Log is larger than normal.

You need to know how to revert to an earlier set of virus definitions.




Solution




Before you begin:
Do not run the *x86.exe Intelligent Updater on an AntiVirus server that manages clients. Use the .xdb file instead.
For help with this, read the document Updating virus definitions for Symantec AntiVirus Corporate Edition 8.x and 9.x.

To backdate virus definitions for Symantec AntiVirus 10.x, follow the directions in the document How to revert to the previous definition set using Symantec System Center.

If you use Symantec AntiVirus 10.x, do not attempt to manually repair virus definitions. Symantec AntiVirus 10.x includes an automatic definition repair feature. If Symantec AntiVirus 10.x virus definitions remain corrupted, contact Symantec Technical Support for assistance.



The easiest way to repair corrupted virus definitions is to download and run the Intelligent Updater file.

Download and run the yyyymmdd-version-x86.exe file (yyyymmdd-version indicates the date and version of the definition file).

If the problem with virus definitions caused the Symantec AntiVirus service to stop responding, you may need to restart Windows after running the Intelligent Updater.

If problems persist after running the Intelligent Updater, you can backdate to an earlier virus definitions set using the Symantec System Center. Read the document How to revert to the previous definition set using Symantec System Center for instructions.

Problems with virus definitions may prevent Symantec AntiVirus from communicating with the Symantec System Center. In this case, you must backdate the definitions manually.

Backdating definitions manually

To stop all Symantec services that use virus definitions
  1. Stop the following services:
    • Defwatch
    • Symantec AntiVirus service, Symantec AntiVirus Server service, or Symantec AntiVirus Client service, depending on the version of Symantec AntiVirus
      If the service cannot be stopped, disable the service and restart the computer.
  2. Navigate to the Usage.dat file in the VirusDefs folder (:\Program Files\Common Files\Symantec Shared\VirusDefs).
  3. Open the Usage.dat file in a text editor, such as Notepad.exe.
  4. Look for Qsadmin. If this entry exists, then stop the Symantec Central Quarantine, Symantec Quarantine Agent, and Symantec Quarantine Scanner services.
  5. If you have other Symantec products installed, then you may need to stop the services related to these products before you can delete folders.

To remove the most recent virus definition folder
  1. Open Windows Explorer, and then go to the folder C:\Program Files\Common Files\Symantec Shared\VirusDefs.
  2. Verify that the VirusDefs folder contains the following folders and files. If any of them are missing, contact technical support for assistance and to provide us with information for tracking this problem.
    • Incoming (folder)
    • BinHub (folder)
    • TextHub (folder)
    • Definfo.dat (file)
    • Usage.dat (file)
    • Numbered virus definitions folders: Two or more subfolders that have dates as their folder names. For example, 20021016.002 is the folder that contains the October 16, 2002 virus definitions.
  3. Remove the most recent virus definitions folder. You may need to delete more than one virus definition folder, but it is important that at least one numbered virus definition folder remains.
  4. Identify the name of the remaining numbered virus definition folder, for example, 20021010.002.
  5. Open the Definfo.dat file in a plain-text editor, such as Notepad. The contents will be similar to the following:

    [DefDates]
    CurDefs=20021016.002
    LastDefs=20021010.002


  6. Change the value of the CurDefs and LastDefs lines to match the folder name that you noted in step 4. For example:

    [DefDates]
    CurDefs=20021010.002
    LastDefs=20021010.002


  7. Save and close the Definfo.dat file.
  8. Open the Usage.dat file in a plain-text editor, such as Notepad.
    Confirm that the numbered folder heading inside the square brackets [ ] matches the folder referenced by the "CurDefs" line in the Definfo.dat file.
    Confirm that the heading is enclosed in a single pair of square brackets.
    On a computer that runs only Symantec AntiVirus Corporate Edition, the Usage.dat file should look like this:

    [20021016.002]
    DEFWATCH_10=1
    NAVCORP_70=1


  9. Save and close the Usage.dat file.


Note: If other Symantec products run on the same computer, other entries may appear in the Usage.dat file. Confirm that all entries appear under the same numbered folder heading. If more than one numbered folder heading appears, edit the Usage.dat file so that all Symantec products appear under the same numbered folder heading.
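
The checks in steps 2 through 8 can be repeated as a read-only script after the files have been edited and before the services are restarted. This is an added example, not Symantec code: the names check_virusdefs and build_sample are hypothetical, the folder-name pattern is inferred from the examples above, and the sample tree is constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

DEF_DIR = re.compile(r"^\d{8}\.\d{3}$")  # numbered folder name, e.g. 20021010.002
REQUIRED_DIRS = ("Incoming", "BinHub", "TextHub")
REQUIRED_FILES = ("Definfo.dat", "Usage.dat")

def read_lines(path):
    return [ln.strip() for ln in path.read_text(errors="replace").splitlines() if ln.strip()]

def check_virusdefs(root):
    """Return a list of inconsistencies found in a VirusDefs folder (read-only)."""
    root = Path(root)
    problems = [f"missing folder: {n}" for n in REQUIRED_DIRS if not (root / n).is_dir()]
    problems += [f"missing file: {n}" for n in REQUIRED_FILES if not (root / n).is_file()]
    if problems:
        return problems
    numbered = sorted(p.name for p in root.iterdir() if p.is_dir() and DEF_DIR.match(p.name))
    if not numbered:
        problems.append("no numbered virus definitions folder remains")
    # Definfo.dat: CurDefs and LastDefs must both name a folder that still exists.
    defs = dict(ln.split("=", 1) for ln in read_lines(root / "Definfo.dat") if "=" in ln)
    for key in ("CurDefs", "LastDefs"):
        if defs.get(key) not in numbered:
            problems.append(f"{key}={defs.get(key)} does not match an existing folder")
    # Usage.dat: exactly one heading, in one pair of brackets, equal to CurDefs.
    headings = [ln for ln in read_lines(root / "Usage.dat") if ln.startswith("[")]
    if len(headings) != 1:
        problems.append(f"Usage.dat has {len(headings)} headings, expected 1")
    for h in headings:
        if h != f"[{defs.get('CurDefs')}]":
            problems.append(f"Usage.dat heading {h} does not match CurDefs")
    return problems

def build_sample(root, cur, last, usage_heading, folders):
    """Create a constructed sample VirusDefs tree (demonstration data only)."""
    root = Path(root)
    for d in REQUIRED_DIRS + tuple(folders):
        (root / d).mkdir(parents=True)
    (root / "Definfo.dat").write_text(f"[DefDates]\nCurDefs={cur}\nLastDefs={last}\n")
    (root / "Usage.dat").write_text(f"{usage_heading}\nDEFWATCH_10=1\nNAVCORP_70=1\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        # Folder 20021016.002 has been deleted, but Definfo.dat still points at it.
        build_sample(tmp, "20021016.002", "20021010.002", "[20021016.002]", ["20021010.002"])
        print(check_virusdefs(tmp))
```

An empty list means the folder, Definfo.dat and Usage.dat agree; any other result names the step to revisit.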



To remove .xdb, .wdb, and .vdb files and folders
  1. On Symantec AntiVirus servers, delete .xdb files:
    Browse to the directory where Symantec AntiVirus Corporate Edition is installed and identify files with an .xdb extension. Sort the files by date and delete or rename any .xdb files with dates newer than the remaining virus definitions folder in C:\Program Files\Common Files\Symantec Shared\VirusDefs.
  2. On Symantec AntiVirus clients, delete .wdb files from the appropriate location, depending on the version of Windows and the version of Symantec AntiVirus:

    Windows 2000/XP/2003 clients
    :\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5
    :\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5
    Note that the Application Data folder is a hidden folder on some computers.

    Windows NT 4.0 clients
    :\WinNT\Profiles\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5
    :\WinNT\Profiles\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5

    Windows 95/98/Me clients
    :\Program Files\Symantec_Client_Security\Symantec AntiVirus
  3. Delete or rename all .vdb files except the one that corresponds to the remaining virus definitions folder in C:\Program Files\Common Files\Symantec Shared\VirusDefs. To determine the definition set that a .vdb file references, see the document How to decode the naming convention for .vdb and .xdb files.
  4. Identify the I2_LDVP.VDB folder.
  5. Delete any subfolders under I2_LDVP.VDB, but do not delete the I2_LDVP.VDB folder itself.

Restart all Symantec services that use virus definitions
Restart any services that you stopped in the section titled "To stop all Symantec services that use virus definitions." If possible, restart the computer instead of restarting services.

Update virus definitions
Once you have removed corrupted virus definition files, you can safely update to the latest definitions by using the Intelligent Updater.

Download and run the yyyymmdd-version-x86.exe file (yyyymmdd-version indicates the date and version of the definition file).


Notes:
  • If you backdated definitions to address symptoms such as false positive detections or conflicts with other software, contact Symantec Technical Support to confirm that the problem has been resolved before downloading and running the Intelligent Updater.
  • Do not run the *x86.exe Intelligent Updater on an antivirus server that manages clients. Use the .xdb file instead.
    For help with this, read the document Updating virus definitions for Symantec AntiVirus Corporate Edition 8.x and 9.x.









Legacy ID: 2002102209110448

