Unable to Delete VIRSCAN7.DAT File

Created: 17 Dec 2009 • Updated: 02 Nov 2010 | 18 comments

My company has SEPM v11.0.4202.75 and on several occasions I've had SEP clients stop getting updated virus definitions.  In order to resolve the problem I've followed the "How to clear out corrupted definitions for a Symantec Endpoint Protection Client manually" article.  One of the steps in this article is to delete all files and folders in the "C:\Program Files\Common Files\Symantec Shared\VirusDefs\" directory and in every case I've been unable to delete a file named "VIRSCAN7.DAT".

A specific example of this is a client with only antivirus and antispyware protection installed, v11.0.4202.75.

Anyone know why this is?

FYI, I have been able to ignore this file and continue with the steps in the article and resolve the virus def update issues.

Rafeeq's picture

You need to stop the Symantec services before you do that.
Go to the Services window.
Stop Symantec Management Client
and Symantec Endpoint services.
Open Task Manager.
Kill rtvscan.exe.
Try deleting the file; you should be able to do that.

sandeep_sali's picture

Kill rtvscan.JPG

Thanks & Regards

Sandeep C Sali

ITDAD's picture

Stopping the services is a part of the article and I have killed rtvscan.exe in the past.  I've even used ProcessMonitor to determine what process had the file locked and was unable to kill that process.  I've already repaired the corrupt definitions on the latest server with this problem.  I will make sure to do the same on the next and report which process actually has the file locked.

Thanks for your responses.

Rafeeq's picture

When you are not able to delete files because someone is holding the file,
you can use the simple tool called WhoLockMe to release the handle, and you will be able to delete the file.

ITDAD's picture

Thanks for the suggestion.

I did try to use File Assassin and Unlocker but neither were able to kill the process.  The only drawback to using these apps is that they require installation to use and installing on the fly with production servers is a gray area.

I'll check out WhoLockMe.  I just discovered another server with outdated virus definitions.  If it's the same problem, I'll let you know.

Rafeeq's picture

Sure, will wait for an update from you.
Stopping all the Symantec services should help you to delete the files.
rtvscan.exe would continuously be using the virusdefs file.
If Tamper Protection is enabled you won't be able to kill the Symantec process from Task Manager.
First disable tamper, then all the Symantec (this should disable tamper too) and delete the folder.
If everything else fails, WhoLockMe should help you out.

ITDAD's picture

Ok, I have another client with the same problem.  Windows 2000 Server with SP4 running SEP 11 MR4.  I have stopped the Symantec Management Client and the Symantec Endpoint Protection services (had to kill the Rtvscan.exe process to do this), and when attempting to delete the virus defs, the 20091122.020\VIRSCAN7.DAT file cannot be deleted.  The date on this folder is the last date reported to the SEPM.

Rafeeq's picture

Please disable these too:
Symantec Settings Manager
Symantec Endpoint Protection
Symantec Management Client
System Event Notification
Symantec Event Manager
Please use WhoLockMe to know which process is holding it.
Most of the time it will be rtvscan.exe.

On these, do you have multiple Symantec products, like Mail Security, Ghost, etc.?
Because all the Symantec products put their virus defs in this same path...
Hope they are not holding the defs.

ITDAD's picture

I have stopped all of those services.

We do not have multiple symantec products on this particular server.

ITDAD's picture

I attempted to use "WhoLockMe" utility and got this error:

The file "C:\Program Files\Common Files\Symantec Shared\VirusDefs\20091122.020\VIRSCAN7.DAT" doesn't exist."

I cut and pasted the path and file name from Windows Explorer.

Rafeeq's picture

Reboot the box once if possible, and check if it really exists; it may be marked for deletion.

ITDAD's picture

Unfortunately that's not an option without paperwork and a downtime.  I have been able to do that in the past and that has resolved the lock.  I was hoping to find a solution that didn't require restarting.

It's curious that it's the same file for multiple servers.

Rafeeq's picture

You said it right.
Try deleting the entire virusdefs folder and create a new one with the same name, if it allows you to do so.

ITDAD's picture

No luck there.  Folder not empty error when attempting to delete the folder.

ITDAD's picture

I installed this app and attempted to load it.  Waited about 15 minutes but the application won't load.  Looks like my only option here is a restart.

awgtek's picture

I resolved this issue by searching for the file handle (virscan7.dat) in Process Explorer, then selecting the handle, right-clicking and selecting 'close.' Hope that helps.
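
An added example, not part of any post in this thread and not Symantec code: a PowerShell check that needs no installed tool and reports which files under the definitions directory named in the thread still cannot be opened exclusively after the services are stopped. It assumes a host where PowerShell is available and that the default path from the original post applies; `Test-FileLocked` is a hypothetical helper name.

```powershell
# Added example: report files under the SEP definitions directory that cannot
# be opened with exclusive access, i.e. files some process still holds open.
# Default path is the one quoted in the thread; override it if yours differs.
param(
    [string]$DefsRoot = 'C:\Program Files\Common Files\Symantec Shared\VirusDefs'
)

# Hypothetical helper: classify one file as Free, Locked, AccessDenied or Missing.
function Test-FileLocked {
    param([Parameter(Mandatory = $true)][string]$Path)
    try {
        # FileShare 'None' only succeeds when no other handle is open on the file.
        $fs = [System.IO.File]::Open($Path, 'Open', 'ReadWrite', 'None')
        $fs.Dispose()
        return 'Free'
    }
    catch {
        # .NET exceptions arrive wrapped by PowerShell; inspect the root cause.
        $e = $_.Exception.GetBaseException()
        # ACL, read-only attribute, or a delete that is already pending.
        if ($e -is [System.UnauthorizedAccessException]) { return 'AccessDenied' }
        # Listed by the directory scan but gone by the time it is opened.
        if ($e -is [System.IO.FileNotFoundException]) { return 'Missing' }
        # Sharing violation: another process has the file open.
        if ($e -is [System.IO.IOException]) { return 'Locked' }
        throw
    }
}

# Walk every definitions folder and list only the files that are not free.
Get-ChildItem -Path $DefsRoot -Recurse -Force |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object {
        $state = Test-FileLocked -Path $_.FullName
        if ($state -ne 'Free') {
            New-Object PSObject -Property @{ State = $state; File = $_.FullName }
        }
    }
```

The script only opens and closes each file; it does not identify the process holding a handle, which still requires a handle viewer such as Process Explorer.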