Symantec Endpoint Protection (SEP) 12.1 client maintains multiple virus definition versions on servers

Article:TECH180056  |  Created: 2012-01-27  |  Updated: 2013-03-28  |  Article URL http://www.symantec.com/docs/TECH180056
Article Type
Technical Solution

Issue



Symantec Endpoint Protection 12.1 clients are holding onto more than one set of definitions at a time, using up additional disk space.


Error



Example error from the SEP Support Tool (SST) logs:

You need to reboot this computer to delete 22 files.
Tests Error You need to reboot this computer to delete 22 files:
Protection\12.1.671.4971.105\Data\Definitions\VirusDefs\20120130.035\VIRSCAN5.DAT
\??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\VirusDefs\20120130.035\VIRSCAN7.DAT
\??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\VirusDefs\20120130.035
\??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\VirusDefs\20120131.003\ECMSVR32.DLL
\??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\VirusDefs\20120131.003\NAVENG32.DLL
\??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\VirusDefs\20120131.003\NAVEX32A.DLL
\??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint 


Environment



  • Defect found on SEP clients running 12.1, 12.1 RU1 and 12.1 RU1 MP1
  • Reproduces more often on servers, because they are rebooted less frequently than workstations

Cause



  • Some of the virus definition files are locked and in use by the product when it tries to delete them

Solution



This issue has been fixed in Symantec Endpoint Protection 12 Release Update 2 (RU2).  For information on how to obtain the latest build of Symantec Endpoint Protection, read TECH 103088: Obtaining an upgrade or update for Symantec Endpoint Protection or Symantec Network Access Control.

If you are not able to upgrade the SEP client, you can temporarily work around the issue as needed.  Most of the machines that are affected have been found to be running scheduled scans at the same time as the client updates definitions.  Scheduling the scan for a later time (or switching from daily scheduled scans to weekly) will typically enable the older definition sets to be successfully deleted by SEP.

Additional workarounds are available, though neither will prevent the issue from happening again:

  • Reboot the machine. In observed cases where definitions had been marked for deletion on reboot, the reboot did remove them.
  • Stopping the client services and deleting the older virus definitions has also been reported to clear them out.
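
To check whether a client is affected, or to confirm that a reboot or manual cleanup removed the older sets, the read-only PowerShell below lists every definition set on disk with its size. It is an added example, not Symantec's code; it assumes PowerShell 3.0 or later, the data folder layout shown in the SST log above, and that the highest-numbered folder is the newest set. The function and parameter names are hypothetical.

```powershell
# Added example: report every virus definition set a SEP 12.1 client holds on disk.
# Assumption: the default path is the data folder seen in the SST log above
# (Windows XP/2003 layout); pass -SepDataRoot to point at a different location.
param(
    [string]$SepDataRoot = 'C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection'
)

function Get-SepDefinitionSet {
    param([Parameter(Mandatory = $true)][string]$Root)

    # Build-numbered folders (e.g. 12.1.671.4971.105) each hold Data\Definitions\VirusDefs.
    $defRoots = Get-ChildItem -LiteralPath $Root -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName 'Data\Definitions\VirusDefs' } |
        Where-Object { Test-Path -LiteralPath $_ }

    foreach ($defRoot in $defRoots) {
        # Definition sets are folders named like 20120130.035 in the log above.
        # The names are fixed width, so a descending name sort puts the newest first.
        $sets = @(Get-ChildItem -LiteralPath $defRoot -Directory |
            Where-Object { $_.Name -match '^\d{8}\.\d{3}$' } |
            Sort-Object Name -Descending)

        foreach ($set in $sets) {
            $files = @(Get-ChildItem -LiteralPath $set.FullName -Recurse -File -Force -ErrorAction SilentlyContinue)
            $bytes = ($files | Measure-Object -Property Length -Sum).Sum
            [pscustomobject]@{
                DefinitionRoot = $defRoot
                Revision       = $set.Name
                Files          = $files.Count
                SizeMB         = [math]::Round(($bytes / 1MB), 1)
                IsNewest       = ($set.Name -eq $sets[0].Name)
                SetsInRoot     = $sets.Count
            }
        }
    }
}

# More than one row per DefinitionRoot means older sets are still on disk.
Get-SepDefinitionSet -Root $SepDataRoot |
    Sort-Object DefinitionRoot, Revision |
    Format-Table Revision, Files, SizeMB, IsNewest, SetsInRoot -AutoSize
```

The script only reads the file system; it does not stop services or delete anything.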



