Endpoint Protection

Hello folks -

An app owner brought this to my attention this morning stating that SEP is holding on to duplicate definition files and taking up space that they can use on their servers. I was wondering if someone could help me understand why SEP does it and if there is a way to eliminate this issue all together.

SO under take a look at this screenshot as you can see CurrenVersion folder contains the same defs as the Data/Definition/VirusDef folder.

Can anyone clarify why is that the case please and if there is a way to remove a duplicate?

many thanks!

SEP 12.1 should only be keeping 1 content revision for AV content:

Configuring the number of content revisions kept by the Symantec Endpoint Protection client

The definitions set may be corrupt and you can try clearing out:

How to clear out definitions for a Symantec Endpoint Protection 12.1 client manually

Was this a fresh install of 12.1 or and upgrade from 11.x?

Thanks this was a an uprade from 12.1 to 12.1.2, but I am seeing similar issue on my desktop also.

So most of the machines are showing same definitions and have identical files Under Current Version Vs just Data\Definitions\VirusDefs why 2 copies is my question?

Try running utility "Rx4DefsSEP" .

http://www.symantec.com/business/support/index?page=content&id=TECH93036&locale=en_US

Issue releated Corrupt virus defination

https://www-secure.symantec.com/connect/forums/corrupted-virus-definition

Do not use Rx4DefsSEP on a 12.1 client. Below is a quote taken from the KB.

"It is not intended for operation with Symantec Endpoint Protection 12.1 systems due to changes in folders and operations"

The CurrentVersion folder is a junction to the actual version number of the installed SEP client, in your case 12.1.2015.2015.

Make a change in the 12.1.2015.2015 folder and it is reflected in the CurrenVersion folder, it's not a duplicate, it's the same file referenced twice because of the junction.

#EDIT#

You can confirm this by running the below command:

junction.exe -s "C:\ProgramData\Symantec\Symantec Endpoint Protection"

#EDIT2#

This is also why the CurrentVersion folder has a little shortcut icon on it!

Clear the defintion from Server and check

How to clear corrupt Virus Definitions from SEPM
https://www-secure.symantec.com/connect/articles/how-clear-corrupt-virus-definitions-sepm

http://www.symantec.com/docs/TECH166923

thumbs up SMCatCST!

use the tool it will show the information as posted above.

Answer to my question as given to me by our SME is:

The reason you see two copies is the currentversion is actually a junction point linking the directory to \symantec\symantec endpoint protection\<SEP version>. From a command prompt, cd to the Symantec endpoint protection directory and run dir – XP/2003 should list <junction> instead of <dir> - newer operating systems will also list the actual directory being linked and will show the arrow on the folder within Windows explorer.

Thanks all for your responses.

Can you please mark the post by SMLatCST as the solution? I think his answer is best suited in this case.

Apoligies I did not see that post when I did the refresh. Made his a solution. Thx alot guys for all ur assistance.

Thanks!