
Definitions getting stored on local client at two different locations in SEP12.1 ent.

Created: 04 Sep 2012 • Updated: 07 Sep 2012 | 13 comments
This issue has been solved. See solution.

Hi All,

Symantec virus definitions are getting stored on the local client at two different locations in SEP12.1 ent.

1. "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Data\Definitions\VirusDefs"

2. "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Definitions\VirusDefs"

Why is it so?

Thanks & Regards,
Prasann
IT Security Engineer


Mithun Sanghavi's picture

Hello,

What OS are you running on this machine?

Could you please let us know which version of SEP 12.1 you are currently running on your local client machine?

1. "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Data\Definitions\VirusDefs"

2. "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Definitions\VirusDefs"

The paths provided above are the same. The only difference would be the version.

If the above paths are correct, then the local client machine is installed with 2 versions of SEP 12.1, which it should not be.

Do you see 2 versions of SEP 12.1 under Add / Remove Programs?

If yes, I would then recommend that you uninstall the SEP client, remove all Symantec files and directories from the machine and install SEP 12.1 again.

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

immumbaikar's picture

Hi Mithun,

Operating system is Windows XP & Windows 7 and SEP version is 12.1.1000.157 RU1

and as suggested by you, it is really difficult to identify the system count as it is already huge (29000+ migrated to SEP12)

Just for your information.
We are in SEP 12.1 upgradation process.
Total 80000+ endpoint

 

Thanks & Regards,
Prasann
IT Security Engineer
CCNA,ITIL(2011)

Mithun Sanghavi's picture

Hello,

Could you pull 1 local client machine and check if you see 2 client versions of SEP 12.1 in Add/Remove Programs?

Could you also let us know which version you are migrating from, which version you are migrating to, and what the migration method / process is?

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

immumbaikar's picture

Hi Mithun,

Only one SEP12.1 entry is visible in the Add\Remove Programs wizard.

We are migrating from SEP11 RU6MP2 to SEP12.1 and the upgrade package has been created with the remove all policy option.

Thanks & Regards,
Prasann
IT Security Engineer
CCNA,ITIL(2011)

Mithun Sanghavi's picture

Hello,

I believe you are migrating from SEP11 RU6MP2 to SEP12.1 RU1, correct?

If yes, then the migration process is correct and there is nothing to worry about.

In your case, you are installing SEP 12.1 RU1, i.e. SEP 12.1.1000.157

As per documentation, it is -

"C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Definitions\VirusDefs"

i.e.

"C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Data\Definitions\VirusDefs"

which is the same.

To let you know, starting from SEP 12.1, the VirusDefs folder for Symantec Endpoint v12.1 would be under the following locations: -

Win XP - C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Definitions\VirusDefs

Win 7 - C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Definitions\VirusDefs

Server 2003 - C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Definitions\VirusDefs

Server 2008/R2 - C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Definitions\VirusDefs

Check these Articles:

Drive Space used by Virus Definitions Updates

http://www.symantec.com/docs/TECH141811

Disk Space Management procedures for the Symantec Endpoint Protection Manager

http://www.symantec.com/docs/TECH96214

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

immumbaikar's picture
Hi Mithun,
I can see both these folders on almost all systems (please refer to the attachment).
Hence the problem is nothing but unnecessary space used by the application.
Thanks & Regards,
Prasann
IT Security Engineer
2 Def.JPG
Ajeet Srivastava's picture

Hello,

I guess the OS is Windows XP.

1. Uninstall the SEP client from the system and reboot.

2. Delete the following folders if they exist.

    C:\Documents and Settings\All Users\Application Data\Symantec

    C:\Program Files\Common Files\Symantec

    C:\Program Files\Symantec

3. Install SEP Client on the system.

 

Regards,

Ajeet

 

immumbaikar's picture

Hi Ajeet,

I did the same but the problem still exists.

Thanks & Regards,
Prasann
IT Security Engineer
CCNA,ITIL(2011)

SMLatCST's picture

I wouldn't worry about this, as the CurrentVersion folder is not a real folder, it is just a junction to the (in your case) 12.1.1000.157.105 folder.

It's a lot easier to see in Win7 and 2k8, as the CurrentVersion folder has a little shortcut icon on it.  However, in WinXP and 2k3, Windows junctions are not reported as shortcuts so it's more difficult to tell.

If you want proof, then download the Junction utility from Microsoft and run the command:

junction -s "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection"

This should give you results similar to mine below:

 

Junction v1.06 - Windows junction creator and reparse point viewer
Copyright (C) 2000-2010 Mark Russinovich
Sysinternals - www.sysinternals.com
 
\\?\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpo
int Protection\CurrentVersion: JUNCTION
   Substitute Name: C:\Documents and Settings\All Users\Application Data\Symante
c\Symantec Endpoint Protection\12.1.671.4971.105
 
Which reminds me I have a few more machines to upgrade :)
 
The Junction utility can be found on the below link:
SOLUTION
immumbaikar's picture

Hi There,

I really agree with the above post,
but in some cases we do not find both of these locations, so at that point what can we assume?

Thanks & Regards,
Prasann
IT Security Engineer
CCNA,ITIL(2011)

SMLatCST's picture

I'm glad it helped.

You say you've found instances where there is only one of the folders present?

If it's the numbered folder that's present, then it sounds as if SEP has failed to create the junction point.  That means SEP components that rely on the junction point may fail to work correctly, but all the files are present.

If it's only the CurrentVersion folder that is present, then you'd have to use the junction tool to find out where it is pointing, and find out if the required files are actually on your machine.

In both cases, it'd be worth checking if SEP is operating correctly, and perhaps run the SEP Support Tool to verify the installation.

As always, it'd be much appreciated if you could mark any posts you find helpful with a "Thumbs Up" or as the Solution ;)
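
The checks described in the two posts above (is CurrentVersion a junction, where does it point, and are the definitions actually on disk), as an added PowerShell example that is not part of the original thread. It assumes Windows PowerShell 5.0 or later, where Get-Item exposes LinkType and Target; the function name and verdict strings are made up for illustration, and on XP/2003 the junction utility shown earlier remains the tool to use.

```powershell
# Added example (not from the thread). Assumes Windows PowerShell 5.0+.
function Test-SepDefinitionsLayout {
    param(
        # Win 7 / Server 2008 location quoted in the thread; pass the
        # "Documents and Settings\All Users\Application Data" path on XP / 2003.
        [string]$Root = "$env:ProgramData\Symantec\Symantec Endpoint Protection"
    )
    $current = Join-Path $Root 'CurrentVersion'
    # Numbered folders look like 12.1.1000.157.105
    $numbered = @(Get-ChildItem -LiteralPath $Root -Directory -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^\d+(\.\d+)+$' })
    $item = Get-Item -LiteralPath $current -Force -ErrorAction SilentlyContinue

    $kind = 'missing'; $target = $null; $defs = $false
    if ($item) {
        if ($item.Attributes -band [IO.FileAttributes]::ReparsePoint) {
            $kind   = [string]$item.LinkType        # 'Junction' expected
            $target = @($item.Target)[0]            # collection in PS 5.1
        } else {
            $kind   = 'real directory'
            $target = $current
        }
        if ($target) {
            $defs = Test-Path -LiteralPath (Join-Path $target 'Data\Definitions\VirusDefs')
        }
    }

    # Map the findings onto the cases discussed in the thread.
    $verdict =
        if ($kind -eq 'missing' -and $numbered.Count -gt 0) {
            'Numbered folder only: junction was not created, files are present'
        } elseif ($kind -eq 'missing') {
            'No SEP data folders found under this root'
        } elseif ($kind -eq 'real directory') {
            'CurrentVersion is a real directory, so a second copy may exist'
        } elseif (-not $defs) {
            'Junction target or VirusDefs missing: verify the installation'
        } else {
            'OK: CurrentVersion is a junction, definitions exist once on disk'
        }

    [pscustomobject]@{
        Root            = $Root
        NumberedFolders = ($numbered | ForEach-Object { $_.Name }) -join ', '
        CurrentVersion  = $kind
        Target          = $target
        VirusDefsFound  = $defs
        Verdict         = $verdict
    }
}
Test-SepDefinitionsLayout | Format-List
```
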

immumbaikar's picture

Hi There,

As suggested, I'll check both these conditions while troubleshooting this case.

Thanks for your great support and knowledge.

Thanks & Regards,
Prasann
IT Security Engineer
CCNA,ITIL(2011)

pete_4u2002's picture

Thumbs up to the above suggestion!

This will appear irrespective of upgrade. Even on a fresh install you will be able to see this folder.