Endpoint Protection

Hi All,

Symantec virus definition getting stores on local client at two different location in SEP12.1 ent.

1. "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Data\Definitions\VirusDefs"

2. "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Definitions\VirusDefs"

Why is it so?

Thanks & Regards,
Prasann
IT Security Engineer

Hello,

What OS are you running on this machine?

Could you please let us know which current version of SEP 12.1 are you running on your local client machine?

1. "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Data\Definitions\VirusDefs"

2. "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Definitions\VirusDefs"

The Path provided above is same. The only different would be version difference.

If the above paths are correct, then the local client machine is installed with 2 version of SEP 12.1, which it should not be.

Do you see 2 version of SEP 12.1 under Add / Remove Programs?

If yes, I would then recommend you to uninstall SEP client, remove all Symantec Files and Directories from the machine and install the SEP 12.1 again.

Hope that helps!!

Hello,

I guess OS is windows XP.

1. uninstall SEP client from the system and reboot.

2. Delete following folders if exist.

    C:\Documents and Settings\All Users\Application Data\Symantec

    C:\Program Files\Common Files\Symantec

    C:\Program Files\Symantec

3. Install SEP Client on the system.

Regards,

Ajeet

Hi Mithun,

Operating system is Windows XP & Windows 7 and SEP version is 12.1.1000.157 RU1

and as suggested by you, it is really difficult to identified system count as it is already huge (29000+ migrated to SEP12)

Just for your information.
We are in SEP 12.1 upgradation process.
Total 80000+ endpoint

Thanks & Regards,
Prasann
IT Security Engineer
CCNA,ITIL(2011)

Hello,

Could you pull 1 local client machine and check if you see 2 client version of SEP 12.1 in the add/remove programs?

Could you also let us know from which version are you migrating to what version and what is the migrating method / process?

Hi Mithun,

Only one SEP12.1 entry is visible in add\remove program wizard.

we are migrating from SEP11 RU6MP2 to SEP12.1 and upgrade package has been created with remove all policy option.

Thanks & Regards,
Prasann
IT Security Engineer
CCNA,ITIL(2011)

Hello,

I believe you are Migrating from SEP11 RU6MP2 to SEP12.1 RU1, correct?

If yes, then the migration process is correct and there is nothing to worry.

In your case, you are installing SEP 12.1 RU1 i.e; SEP 12.1.1000.157

As per documentation, it is -

"C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Definitions\VirusDefs"

i.e;

"C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Data\Definitions\VirusDefs"

which is same.

To let you know that starting from SEP 12.1, The Virusdef folder for Symantec Endpoint v12.1 would be under following Locations: -

Win XP - C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Definitions\VirusDefs

Win 7 - C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Definitions\VirusDefs

Server 2003 - C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Definitions\VirusDefs

Server 2008/R2 - C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Definitions\VirusDefs

Check these Articles:

Drive Space used by Virus Definitions Updates

http://www.symantec.com/docs/TECH141811

Disk Space Management procedures for the Symantec Endpoint Protection Manager

http://www.symantec.com/docs/TECH96214

Hope that helps!!

I wouldn't worry about this, as the CurrentVersion folder is not a real folder, it is just a junction to the (in your case) 12.1.1000.157.105 folder.

It's a lot easier to see in Win7 and 2k8, as the CurrentVersion folder has a little shortcut icon on it.  However, in WinXp and 2k3, windows junctions are not reported as shortcuts so it's more difficult to tell.

If you want proof, then download the Junction utitlity from Microsoft and run the command:

junction -s "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection"

This should give you results similar to mine below:

Which reminds me I have a few more machines to upgrade 

thumbs up to above suggestion!

this will be appearing irrespective of upgrade. Even the fresh install you will be to see this folder.

Hi Ajeet,

I did same but still problem exist.

Thanks & Regards,
Prasann
IT Security Engineer
CCNA,ITIL(2011)

Hi There,

I really agreed with above post
but in some cases, we do not find both these location so at that point what we can assume?

Thanks & Regards,
Prasann
IT Security Engineer
CCNA,ITIL(2011)

I'm glad it helped.

You say you've found instances where there is only one of the folder present?

If it's the numbered folder that's present, then it sounds as if SEP has failed to create the junction point.  That means SEP components that rely on the junction point may fail to work correctly, but all the files are present.

If it's only the CurrentVersion folder that is present, the you'd have to use the junction tool to find out where it is pointing, and find out if the required files are actually on your machine.

In both cases, it'd be worth checking if SEP is operating correctly, and perhaps run the SEP Support Tool to verify the installation.

As always, it'd be much appreciated if you could mark any posts you find helpful with a "Thumbs Up" or as the Solution 

Hi There,

As suggested, i'll check both these conditions while troubleshooting on this case.

Thanks for your great support and knowlegde.

Thanks & Regards,
Prasann
IT Security Engineer
CCNA,ITIL(2011)