Remove Virus Definitions

Created: 29 Jan 2010 • Updated: 06 Apr 2011 | 15 comments
mon_raralio

I've created a batch file to remove Symantec virus defs. It's my first in a while. :D
I've tested and used it in our production environment to clear corrupted definitions.
Even took care of the machines with the 12/31/2009 definitions that just wouldn't update.
At least it beats memorizing what to remove and where.

Note:
You must have administrative privileges to clean up the directory and the registry.
The zip has no password.
 

15 Comments

iamadmin

If you're feeling motivated, you might add in support for 64-bit OSes. ;-)

-Mike

Constantine

I'll check it then...

Cicero Oliveira

On the clients it has a password; how should I proceed?
Ajit Jha

Good, I have to experiment with it. Thanks for sharing.

Regards

Ajit Jha

Technical Consultant

ASC & STS

ABN

Nice work,

The service Symantec AntiVirus will no longer be there if it has been a clean install. It will be Symantec Endpoint Protection.
If you could have it modified and checked for 64 bit machines it would be great.

The following link might aid your work

This works even if the SEP has password.

http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009032409384048?Open&seg=ent

mon_raralio

@ABN: I'll check on the 64-bit ones soon. Thanks for the link.

@Cicero: You need administrative rights to do this. Some Active Directory settings prevent regular users from making changes to certain files and folders.

“Your most unhappy customers are your greatest source of learning.”

Symantec World

Hi,

I have run it but nothing happened; no definitions were removed.

Are there any changes to be made in this batch file?

Regards, M.R

mon_raralio

I just based it on Symantec's procedure for manual removal. You may check the contents of the batch file.
Were there any errors returned?

If you want, you may remove the non-essential lines in the script.

“Your most unhappy customers are your greatest source of learning.”

Vikram Kumar-SAV to SEP

Nice work, Mon.

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.

AvinashBharatharaj

Nice work. Thanks

aa23

You can't do net stop/start smcservice. You need to type in "%programfiles%\Symantec\Symantec Endpoint Protection\smc.exe" -stop / -start.

mon_raralio

Thanks for the feedback. I created a new batch file that changes to the SEP directory and runs the commands from there, including the smc -stop / -start.

A drawback I found for this batch script is that it wouldn't work if the client is password protected.

Attachment: Delete_Virus_Defs_v2.zip (737 bytes)

“Your most unhappy customers are your greatest source of learning.”

aa23

I see you removed the NET STOP "Symantec AntiVirus" in v2, not sure why.

Have you guys noticed that by following this procedure, either manually from the Symantec KB article or by executing a script, the client will persist for a long time without definitions? No matter how many times I forced the client to check in with the SEPM, it still wouldn't go faster. And even after it started downloading and populating the VirusDefs folder, it still wouldn't install new defs.

Anything I'm missing? I kept on restarting the services, and even restarted the computer. When it came back, it seemed to have installed definitions, but displayed a malfunction of Auto-Protect. Long after that it came back to normal.

Let it be clear that I'm not questioning Mon's batch file, but Symantec's workaround.

Thanks!

mon_raralio

Thanks again aa23. :D

I checked v2 and actually found some errors. The script starts the services before removing the defs, which should be done afterwards. Posted it in the main thread.

The 2 scripts are basically the same in the process of deleting the definitions. The only difference is in their method of stopping the services. The first one terminates SEP by force and the other follows what the KB article says.

And I also noticed the lag in getting new updates, even when using the Intelligent Updater on working or non-corrupt definitions. The common factor is that the definitions are either non-existent or very old, so it's taking a while to load the full list compared to the deltas being deployed on a regular basis. Takes about 2-5 minutes.

“Your most unhappy customers are your greatest source of learning.”

aa23

It takes a lot in my case until clients show new defs; they keep on popping up that they are missing defs, which is a healthy sign, but it takes too long, and probably users get suspicious that this was the right way to fix their problem.... I noticed that if, after removing corrupt defs, you do a repair, it works fast. Anyone able to include a script to repair a SEP11 install? If it can be done remotely, it would be even better.

And regarding the corrupt defs - I also found quite a number of machines that experienced quite a pattern in that they had new virus definitions downloaded and just one old defs folder that showed the old date.

Now definfo.dat showed the new date, while usage.dat showed the old date of the old folder. Clearly a sign of corrupt defs. For all these machines, I found that just a kill of the RTVScan process worked. I simply killed the process remotely :) and optionally restarted the SEP service (restarted many times automatically) and SMCservice.... By watching the VirusDefs folder, I could see the old definitions being discarded, and the client instantly writing the correct date to the usage.dat file. Soon the same was communicated to the SEPM and could be seen in the console. All this without deleting all definitions and registry keys...Nice...
