
How to clear corrupt Virus Definitions from SEPM

Created: 22 Jul 2009 • Updated: 23 Jul 2009 | 23 comments
By Aniket Amdekar

If SEPM has downloaded corrupt virus definitions, they must be cleaned out so that the definitions can be downloaded again.

The steps are as follows:

File system cleanup for 32-bit SESC Virus Definitions:

1. Stop the SEPM server service.

2. Go to the C:\program files\symantec\symantec endpoint protection manager\Inetpub\content\{C60DC234-65F9-4674-94AE-62158EFCA433} folder and move all of its subfolders to another location, such as C:\Temp, if you want a backup; otherwise delete the subfolders.

Database cleanup for 32-bit SESC Virus Definitions:

3. Go to C:\Program Files\Common Files\Symantec Shared\SymcData\ and delete the following folders:
sesmipsdef32
sesmipsdef64
sesmvirdef32
sesmvirdef64

4. In the registry, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps and delete these keys:
SymcData-sesmipsdef32
SymcData-sesmipsdef64
SymcData-sesmvirdef32
SymcData-sesmvirdef64

5. In the registry, navigate to and delete the following keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SharedDefs\SymcData-sesmipsdef32
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SharedDefs\SymcData-sesmipsdef64
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SharedDefs\SymcData-sesmvirdef32
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SharedDefs\SymcData-sesmvirdef64

6. Start the SEPM service back up.

7. Run LiveUpdate from within the Symantec Endpoint Protection Manager console.

This will re-populate the database, which in turn will update the moniker folders.
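The same cleanup as a script, added here as an example and not part of the original article: it takes a backup of the content subfolders instead of deleting them (as several commenters below advise) and supports -WhatIf so each removal can be reviewed first. It assumes the SEPM service name is semsrv (verify with Get-Service) and defaults to the 32-bit paths and keys listed above; override them with the parameters where your install differs.

```powershell
# Added example, not from the original article: scripts steps 1 to 7 above.
# ASSUMPTIONS: SEPM service name "semsrv" (check with Get-Service); default
# paths/keys are the 32-bit ones the article lists. Run elevated; try -WhatIf first.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$ServiceName = 'semsrv',
    [string]$ContentDir  = 'C:\Program Files\Symantec\Symantec Endpoint Protection Manager\Inetpub\content\{C60DC234-65F9-4674-94AE-62158EFCA433}',
    [string]$SymcData    = 'C:\Program Files\Common Files\Symantec Shared\SymcData',
    [string]$BackupDir   = "C:\Temp\SEPM-defs-$(Get-Date -Format yyyyMMdd-HHmmss)"
)
$monikers = 'sesmipsdef32', 'sesmipsdef64', 'sesmvirdef32', 'sesmvirdef64'
$regRoots = 'HKLM:\SOFTWARE\Symantec\InstalledApps', 'HKLM:\SOFTWARE\Symantec\SharedDefs'

# Step 1: stop the SEPM service (Stop-Service blocks until it has stopped).
Stop-Service -Name $ServiceName -Force

# Step 2: move the content subfolders to a backup folder so the change can be reverted.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
Get-ChildItem -Path $ContentDir -Directory | ForEach-Object {
    if ($PSCmdlet.ShouldProcess($_.FullName, "Move to $BackupDir")) {
        Move-Item -Path $_.FullName -Destination $BackupDir
    }
}

# Step 3: delete the cached moniker folders under SymcData.
foreach ($m in $monikers) {
    $dir = Join-Path $SymcData $m
    if ((Test-Path $dir) -and $PSCmdlet.ShouldProcess($dir, 'Remove folder')) {
        Remove-Item -Path $dir -Recurse -Force
    }
}

# Steps 4 and 5: remove the SymcData-* entries under InstalledApps and SharedDefs.
# The article lists them as keys; where an entry exists as a value instead, it is removed as a value.
foreach ($root in $regRoots) {
    foreach ($m in $monikers) {
        $name = "SymcData-$m"
        $key  = Join-Path $root $name
        if (Test-Path $key) {
            if ($PSCmdlet.ShouldProcess($key, 'Remove key')) { Remove-Item -Path $key -Recurse }
        } elseif (Get-ItemProperty -Path $root -Name $name -ErrorAction SilentlyContinue) {
            if ($PSCmdlet.ShouldProcess("$root\$name", 'Remove value')) { Remove-ItemProperty -Path $root -Name $name }
        }
    }
}

# Step 6: start the service again. Step 7, running LiveUpdate, is done from the console.
Start-Service -Name $ServiceName
Write-Output "Cleanup done; backup in $BackupDir. Now run LiveUpdate from the SEPM console."
```

On 64-bit Windows the SymcData folder lives elsewhere (a comment below gives C:\ProgramData\Symantec\Definitions\SymcData), so pass the correct location with -SymcData rather than editing the script.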

Comments (23)

kavin

This will help lots of people as this is a very common issue all over the Globe

Sandeep Cheema

Whatever you do.........Make sure that you take a backup....Some folks had a hard time with almost the same technique some time back..........

https://www-secure.symantec.com/connect/forums/machines-stopping-because-disk-full

De facto when AV does something, it starts jumping up and down, waving its arms, and shouting...

"Hey!  I found a virus!  Look at me!  I'm soooo goooood!"

Nel Ramos

that is right...
a back up would make room for any mistakes...
First rule in implementation...

Nel Ramos

ben_cSEPticons_secured

nice work sir aniket, i used to encounter this kinda prob.. :-)

AravindKM

Very useful article.

Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind

Pink Panther

I followed this http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007123111551948 and now the client that is installed on the SEPM server runs without AV definitions and Luall.exe and the other processes keep trying in vain to update.

Vikram Kumar-SAV to SEP

@Mitacus -Hope you are aware of this
https://www-secure.symantec.com/connect/forums/official-status-sepm-definitions-stay-31-12-2009-last-updated-04-jan-2010 

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.

nonnopinolo

Hello,
I tried all the steps above but I am still getting the same errors.
Also, in the folder C:\Program Files\symantec\symantec endpoint protection manager\inetpub\content there is only one file, called ContentInfo.txt, that is 0 KB. Nothing else.

Here the output of my last session of liveupdate.

15 February 2010 21:14:07 GMT:  LiveUpdate failed.  [Site: My Site]  [Server: motn-isa]
15 February 2010 21:14:07 GMT:  LUALL.EXE finished running.  [Site: My Site]  [Server: motn-isa]
15 February 2010 21:14:07 GMT:  LiveUpdate encountered one or more errors. Return code = 4.  [Site: My Site]  [Server: motn-isa]
15 February 2010 21:14:03 GMT:  Symantec Endpoint Protection Win64 11.0.5002.333 (English) is up-to-date.    [Site: My Site]  [Server: motn-isa]
15 February 2010 21:14:01 GMT:  Symantec Endpoint Protection Win32 11.0.5002.333 (English) is up-to-date.    [Site: My Site]  [Server: motn-isa]
15 February 2010 21:14:00 GMT:  Antivirus and antispyware definitions Win32 11.0 MicroDefsB.CurDefs failed to update.  [Site: My Site]  [Server: motn-isa]
15 February 2010 21:14:00 GMT:  Symantec Endpoint Protection Manager Content Catalog 11.0 failed to update.  [Site: My Site]  [Server: motn-isa]
15 February 2010 21:14:00 GMT:  Antivirus and antispyware definitions Win64 11.0 MicroDefsB.CurDefs failed to update.  [Site: My Site]  [Server: motn-isa]
15 February 2010 21:12:16 GMT:  LUALL.EXE has been launched.  [Site: My Site]  [Server: motn-isa]
15 February 2010 21:12:15 GMT:  Download started.  [Site: My Site]  [Server: motn-isa]

Vikram Kumar-SAV to SEP

Your error is return code = 4.
Try this:
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007121710290448

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.

Scott Yee

Hi SEP Expert,

Can someone explain what the root cause of corrupted virus definitions from SEPM is?

How may I avoid the issue again on the SEPM?

Thanks

Regards,
Scott Yee

weejl

Yes, can someone please elaborate and expound on the details of how definitions get corrupted in the first place? I have restored the database several times from the same validated restore point and the definitions keep becoming corrupt.

MaRRuT@CC

Maybe your DB is already corrupt...
For this you have to reinstall your SEP infrastructure from the first point.
You can save policies, certificate, server settings and so on, but you need to create a new one from a new installation.

Prachi

The Location for the SymcData folder in Windows 2008 64 bit machine is as follows:

C:\ProgramData\Symantec\Definitions\SymcData

Best Regards,

Prachi Tatkare.

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

nyousuf

Guys,

I have installed Symantec Endpoint Protection Manager on Windows 2008 R2 and I do not have internet to update virus definitions. I am trying to download and update antivirus and antispyware definitions on the server with a .jdb file, but it seems not to be updating. How do I check? I go to console Admin > Servers > Local Site, but it shows old updates on 17 Dec. I want to update the server from the .jdb file, and all clients then get updated from the server. No internet access at all.

Please suggest how I update the server and my clients with the latest virus definitions.

Mick2009

Readers of this article may also be interested in:

Symantec Endpoint Protection Manager 11.x is not updating 32 or 64 bit virus definitions.
Article: TECH104721 | Created: 2008-01-15 | Updated: 2012-06-16
Article URL: http://www.symantec.com/docs/TECH104721

Symantec Endpoint Protection Manager (SEPM) 12.1 is not updating 32 or 64 bit virus definitions.
Article: TECH166923 | Created: 2011-08-11 | Updated: 2012-02-06
Article URL: http://www.symantec.com/docs/TECH166923

With thanks and best regards,

Mick

ShadowsPapa

A common theme in SEP 11.x and 12.x

I think that for the next update or release of SEP, Symantec needs to concentrate on the root cause, or build in an automatic repair system - meaning that if the SEPM detects definitions won't move beyond a certain point, the SEPM automatically rolls back to the last known good instance, cleans up, then moves forward.

Otherwise, I come in after 2 days off for vacation, and spend my next week fixing and cleaning up manually. Been this road too often - if a person leaves for a couple of days, and there is a problem with definitions, by the time you get back to it, it's an emergency as the defs are now 9 days old, and no one, including the boss, had current defs and the phone is ringing, email is filling up........ and "what? Again"? and you try to explain that it can't be explained, SEP just has this problem of corrupt defs now and then and it's just not smart enough to tell when its own defs are bad, can't move forward - it simply gets stuck and sits there.

So how hard would it be to add some intelligence to SEPM? Do some client checks, do some checks on the defs running in SEP that runs on the SEPM, some sort of hash or defs QA check the SEPM does daily and if the defs appear bad, SEPM rolls them all back, and starts again. How hard is that? This system works miracles, but get a single bit out of place and it's totally crippled. Sort of like if the space shuttle ran on Windows 7, no redundant computer, and the thing froze, and the crew is on re-entry and has to tell mission control - "uh, folks, hang on, we've got a corrupt file and will have to reboot the computer"  ;-)  Yeah, I'm poking at you tongue-in-cheek, but seriously, I'd love to see this app or rather system have some smarts - and I know you guys can do it - it's the best on the market - but it gets tangled each time there's a tiny problem with the definitions. It's like the Achilles' heel of SEPM.

BTW - It's now September 6th, our defs have been stuck on August 29th, r18 and won't move. I've tried all the documents, all hints, tips and suggestions. the boss called - "hey, what's up with the definitions?".
I just got done reinstalling both servers several times because of other issues, and have done nothing all summer but reinstall, repair, rebuild, etc. I have over 150 hours in diagnostic time, hours, days, spent collecting information for tech support, who still have no real idea what's going on - I no longer like the phrase "no one else is seeing this" - they need to pay a visit to us. It's real.  
I'm exhausted. For me, SEP 12.1 is the worst version *as far as reliability* (its power is beyond compare, however) since SAV 7.0, and corrupted defs aren't helping.
Please - a real fix, a real document that's easy to follow. The last one was a jumble, and you had to keep referring to notes that explain "well, for that OS it's not that path, it's this path instead". That's not a very good document.
Maybe I need to work there - I'm good at creating documents that anyone can follow and that make sense from an end-user stand-point.
I'm ready for a Symantec tech person to remote in, take control, and just FIX it all.

weejl

Amen ShadowsPapa. How about, SEPM does, i dunno, perform a CHECKSUM function before it propagates this corrupted definition file to ALL OF MY CLIENTS?

Have you checked your LiveUpdate policy? Most recently, I spent a few weeks fighting with definitions being stuck and it wasn't corrupted defs (like it's been typically in the past). It was actually an older LiveUpdate policy using an invalid GUP that I was probably testing, when I restored my database from backup.

shellpink

Please, I need help. My laptop encountered a SID:26892. Backdoor.Ratenjay RAT. What will I do?

Kenny_Wylies

An exploit is a piece of software, a command, or a methodology that attacks a particular security vulnerability. Exploits are not always malicious in intent—they are sometimes used only as a way of demonstrating that a vulnerability exists. However, they are a common component of malware.
