First, determine whether the amount of space used is as designed, or whether the definitions are not working correctly.

• Symantec Endpoint Protection 12.1 will keep 1 definition set
• Symantec Endpoint Protection 11.x will keep 3 definition sets at any time: the current set and the last 2.
• Symantec Antivirus  8.x/9.x/10.x will keep 2 definition sets: the current set and the last used.

These older sets are used for virus definition rollback purposes.

To check the virus definitions

Locations of Virus Definitions for SAV or SEP Client only:

• Windows 9.x\Windows XP\Windows Server 2003:  \Program Files\Common Files\Symantec Shared\VirusDefs\ or \Program Files (x86)\Common Files\Symantec Shared\VirusDefs\
• Windows Vista\Windows 7\Windows Server 2008: \ProgramData\Symantec\Definitions\VirusDefs\
• SEP 12.1 on XP: \Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Definitions\VirusDefs

NOTE: Virus Definitions for the SAV Server or Symantec Endpoint Protection Manager (SEPM) are stored in different locations, and this document does not apply to server installations of SAV or SEPM.  To troubleshoot virus definition issues for SAV Server or SEPM, please contact Symantec Technical Support.

Examine the files and folders in the VirusDefs folder. You should see the following:

1. 2-3 numbered folders, approximately 430 - 470 MB each. On 3 January 2013 it was 454 MB for 64 bit 12.1.
   The numbered folders will have names that appear similar to the following: 20110408.002.
2. 1 folder named BinHub, approximately 250 - 470 MB depending on the age of the file. 
3. 1 folder named Incoming, which should be empty [this folder may not be present].
   The Incoming folder should only contain files while a virus definition update is in progress.
4. 1 folder named TextHub, approximately 1 KB
5. 1 file named definfo.dat, approximately 1 KB
6. 1 file named usage.dat, approximately 1 KB
7. 1 file named Cat.DB, approximately 650 KB
   The total size of all files and folders should be about 2 GB for SEP 11.0 and under 800 MB for 12.1.
8. If any of the following is true, the definitions may not be working correctly:
   • The Incoming folder never becomes empty.
   • Several .tmp folders or files exist in the VirusDefs folder.
   • The numbered folders are 800 MB or greater in size.

The files sizes listed are as of January 2013.  Definitions files are continually getting larger in size.

If the definitions do not appear to be working correctly, use the following document to correct them:

SEP 11.x

How to clear out corrupted definitions for a Symantec Endpoint Protection Client manually

Warning: If you use Symantec AntiVirus 10.x do not attempt to manually repair virus definitions. Contact Symantec Technical Support for assistance.

If you are using a third party utility or custom script to update virus definitions, discontinue use of that utility for troubleshooting purposes. Symantec does not support or troubleshoot third party utilities or custom scripts.

 The other possible virus definition related function that could be causing excessive hard drive use is the presence of an internal LiveUpdate server installed on the computer.  Internal LiveUpdate servers can be either the LiveUpdate Administrator 2.x (LUA 2.x) or the legacy LiveUpdate Administration Utility 1.x (LUAU 1.x).

To determine whether the LiveUpdate Administration Utility is in use:

1. Search the drive for files with the extension .m25.
2. If any .m25 files appear, determine the folder in which they exist.

The folder with the .m25 files is the folder that is in use by the LiveUpdate Administration Utility. If you do not use this utility, it is safe to remove it and delete the folder. Otherwise, you may need to move the folder to another drive and configure the Utility to use the new location.