
Need a policy for clients to remove old definition files

Created: 20 Apr 2012 | 9 comments

Hi, I need to deploy a policy which can remove old definition files from clients, because I am getting frequent requests that most of the client machines are showing as disabled in the Management console. When I dig into the client details I found that the definitions may be corrupted.


Jackie007

Are the SEP clients able to communicate with the SEPM console?

Thanks....

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you

Mithun Sanghavi

Hello,

Are the clients actually showing as offline with regard to SEPM communication? (Help and Support (or Help if 12.1) > Troubleshooting)

If they are 'offline', and they don't have a LiveUpdate schedule set (or don't have internet access), then that's why the definitions are getting out of date. It may not have anything at all to do with definition corruption.

If it does say 'offline', enabling Sylink debug logging is the best way to track down why communication is failing with the SEPM. (With SEP 12.1, Tamper Protection must be disabled first.)

How to enable Sylink Debugging for Symantec Endpoint Protection in the registry

http://www.symantec.com/docs/TECH104758

Symantec Endpoint Protection Manager 12.1 Communication Troubleshooting

http://www.symantec.com/docs/TECH160964

Symantec Endpoint Protection: LiveUpdate Troubleshooting Flowchart

In case of corrupt definitions, you may have to do that manually.

In case of SEP 11.x, check this article:

How to clear out corrupted definitions for a Symantec Endpoint Protection client manually

http://www.symantec.com/docs/TECH103176

In case of SEP 12.1, check this article:

How to clear out definitions for a Symantec Endpoint Protection 12.1 client manually

http://www.symantec.com/docs/HOWTO59193

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Ariv

There is no policy to remove the OLD defs.

You can use the Rx4defs utility to remove the corrupted defs from the client machines.

Check this link,

http://www.symantec.com/docs/TECH93036

You can get this tool from Symantec.

Chetan Savade

Hi Manjunath K,

First identify whether the definitions are really corrupted or not.

Check this article: How to determine if virus definitions of Symantec Endpoint Protection client (SEP) 11 or 12 Small Business Edition, are corrupted

http://www.symantec.com/docs/TECH97677

If the definitions are corrupted, try running the Rx4defs utility to remove the corrupted defs.

The link was already shared by Ariv.

Identify which machines are affected: is it happening randomly or with specific clients only?

Also check whether SEPM is updating regularly or not.

Chetan Savade
Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

Sumit G

What is your communication setting on the server?

Pull mode / Push mode?

Regards

Sumit G.

Manjunath.K

Hello All,

Thanks for your prompt replies. First of all, I apologize to all because I will not be checking this forum continuously.

I will answer one by one.

Jackie: Yes, the clients are communicating with SEPM.

Mithun: The clients are not offline, and the clients do not go to the internet to download definitions because they are configured to download definitions/signatures from the management server at the respective heartbeat. I have the definition files manually and tried updating, but to no avail.

Chetan: I have used the Rx4defs tool to delete the definition files and then tried updating, which is not happening. SEPM is updating normally. I identified only a few machines acting like this.

Sumit: Clients are configured with Push mode with a 2-minute heartbeat.

Chetan Savade

Hi Manjunath K,

For the time being, provide access to run LiveUpdate manually.

Try to run LiveUpdate manually at the end user: Start --> Run --> Luall.exe

If it's a SEP 12.1 client you will have to click on the LiveUpdate tab only.

Do you see any suspicious behaviour on the affected workstations?

Chetan Savade
Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.