What to do when you suspect that a Symantec AntiVirus product is not detecting viruses

Article:TECH99222  |  Created: 2001-01-19  |  Updated: 2010-08-13  |  Article URL http://www.symantec.com/docs/TECH99222
Article Type
Technical Solution


Environment

Issue



You suspect that a Symantec AntiVirus product is not detecting infected files.

 


Solution



If you suspect that a Symantec AntiVirus product is not detecting viruses, you should check the following:

Scan with the latest Rapid Release virus definitions
Download and apply Rapid Release virus definitions to ensure that the latest virus definitions are installed.
For directions, read the document for your product version:


After you apply the latest Rapid Release virus definitions, run a full system scan. If Symantec AntiVirus is installed on a mail server, you must exclude certain files to prevent damage to the data on the server. If you cannot open Symantec AntiVirus, follow the directions in the section "Scanning when Symantec AntiVirus fails to open," which appears below.

Confirm that Auto-Protect or real-time scanning is enabled
Download the industry-standard AntiVirus test file, Eicar.com. If Auto-Protect or real-time scanning is enabled, then Eicar.com should trigger a virus alert. Eicar.com contains harmless code designed to test the integrity of antivirus software. You can download and use the Eicar test file at the EICAR Web site.

Scan All Files
For maximum protection, Symantec recommends that you configure your AntiVirus software to scan all file types. However, if Symantec AntiVirus is installed on a mail server, you must exclude certain files to prevent damage to the data store on the server. These exclusions are created automatically by Symantec AntiVirus Corporate Edition (SAV_CE) 10.1.x, Symantec Client Security (SCS) 3.1.x, and by all versions of Symantec Enterprise Protection.

Check Exclusions
Check the exclusion list to ensure that you are not excluding potentially infectious files.

Is more than one AntiVirus program installed?
If you are running a real-time virus scanning utility and a server- or groupware-based AntiVirus program on the same computer, then ensure that the real-time scanner is excluding the working directory of the server- or groupware-based scanner.

Running more than one real-time scanner on the same computer is not recommended or supported.

Definition Integrity
After you rule out a configuration problem, follow these steps to ensure that there is no problem with the definition files:

  1. Browse to the <OS Drive>:\Program Files\Common Files\Symantec Shared\VirusDefs folder.
  2. Note the contents of this folder. You should find the following files and folders:
    Files
    Usage.dat
    Definfo.dat

    Folders
    Incoming
    Binhub
    Texthub
    20040312.023 -- this is an example, your folder name will be different.
    20040312.023 -- this is an example, your folder name will be different.


    Note: You may have more than two numbered folders. The naming convention for these folders is yyyymmdd.xxx, where yyyy represents the year, mm represents the month, dd represents the day, and xxx is an extension.

  3. Open Definfo.dat in a text editor, such as Notepad. Ensure that the CurDefs= line refers to the yyyymmdd.xxx folder containing the most current definitions.
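
The Definition Integrity steps above can be scripted. The following Python is an added example, not Symantec code: it checks the listed files and folders and compares the CurDefs= value with the newest yyyymmdd.xxx folder. It assumes Definfo.dat is plain text with key=value lines and that the xxx extension is numeric; the folder name 20040311.017 and the build_sample helper are constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

EXPECTED = {"Usage.dat": Path.is_file, "Definfo.dat": Path.is_file,
            "Incoming": Path.is_dir, "Binhub": Path.is_dir, "Texthub": Path.is_dir}
DEF_DIR = re.compile(r"^\d{8}\.\d{3}$")  # yyyymmdd.xxx; numeric xxx is an assumption


def check_virusdefs(root):
    """Return findings for a VirusDefs folder; an empty list means every check passed."""
    findings = []
    # Windows file names are case-insensitive, so index entries by lower-cased name.
    entries = {p.name.lower(): p for p in Path(root).iterdir()}
    for name, kind in EXPECTED.items():
        entry = entries.get(name.lower())
        if entry is None or not kind(entry):
            findings.append(f"missing: {name}")
    numbered = sorted(n for n, p in entries.items() if p.is_dir() and DEF_DIR.match(n))
    if not numbered:
        findings.append("no yyyymmdd.xxx definition folder found")
    definfo, cur = entries.get("definfo.dat"), None  # assumed: plain key=value text
    if definfo is not None and definfo.is_file():
        for line in definfo.read_text(errors="replace").splitlines():
            key, sep, value = line.partition("=")
            if sep and key.strip().lower() == "curdefs":
                cur = value.strip()
        if cur is None:
            findings.append("Definfo.dat has no CurDefs= line")
    if cur is not None and numbered:
        if cur not in numbered:
            findings.append(f"CurDefs={cur} points to a folder that does not exist")
        elif cur != numbered[-1]:  # fixed-width names sort chronologically
            findings.append(f"CurDefs={cur} is older than newest folder {numbered[-1]}")
    return findings


def build_sample(root, cur_defs):
    """Create a constructed VirusDefs layout for the demo (no real definitions)."""
    for d in ("Incoming", "Binhub", "Texthub", "20040311.017", "20040312.023"):
        Path(root, d).mkdir(parents=True)
    Path(root, "Usage.dat").write_text("")
    Path(root, "Definfo.dat").write_text(f"CurDefs={cur_defs}\n")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(check_virusdefs(build_sample(Path(tmp, "VirusDefs"), "20040311.017")))
```

To check a real installation, pass the path of the VirusDefs folder from step 1 to check_virusdefs.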

Scanning when Symantec AntiVirus fails to open
If Symantec AntiVirus is not working correctly on the computer, see the document "Cleaning an infected system with no or a damaged install of Symantec Endpoint Protection/Symantec AntiVirus."

Submit a suspected file to Symantec Security Response for testing
If you suspect that a file on your computer is infected with a virus or is part of a worm or Trojan Horse, submit the file to Symantec Security Response for evaluation. Security Response uses these submissions to identify new threats and to create new virus definitions. For submission instructions, read the document "The Symantec Security Response sample submission process."

Verify that you have all of the most recent security updates available for your operating system
For Windows users, Microsoft Windows Update is the easiest way to verify that your operating system is fully updated. The Microsoft Baseline Security Analyzer tool can also inform you of updates and patches to the Windows operating system that need to be applied.



 



Legacy ID



2001031909215448

