Endpoint Protection

  • 1.  Virus Definition Size

    Posted Nov 09, 2014 11:30 AM

    Hi,

    I need some confirmation or official documentation that specifies the amount of space taken up by virus updates on Version 11 and Version 12 SEP clients.

    Also,

    Why is it not possible to move the default locations to other drives even though the installation can be?

     

    Directory Name

     

    • 11.x and 12.0.x
      • Windows XP and 2003: C:\Program Files\Common Files\Symantec Shared
      • Windows Vista, 2008, and above: C:\ProgramData\Symantec\Definitions
    • 12.1.x
      • Windows XP and 2003: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Definitions
      • Windows Vista, 2008, and above: C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Definitions

     



  • 2.  RE: Virus Definition Size

    Posted Nov 09, 2014 11:31 AM

    11.x keeps 3 sets by default, 12.1 keeps 1. See here:

    Drive Space used by Virus Definitions Updates

    It's hard-coded into the product:

    Can Symantec Endpoint Protection 12.1 definitions be safely moved to another drive?

    It is possible to re-direct content to a new drive for SEPM but I assume you mean client here.



  • 3.  RE: Virus Definition Size

    Posted Nov 09, 2014 01:33 PM

    If you read the article closely, it says that the thresholds mentioned there are to be considered as an indication that the folders are excessively big and could present a problem. It does not mention that this is the required file size for virus definition updates to happen.



  • 4.  RE: Virus Definition Size

    Posted Nov 09, 2014 01:47 PM

    Yea I read it. It talks about thresholds. If over, there may be an issue. If at or under, it's usually OK.

    Sizes are going to vary, there is no exact size every time.



  • 5.  RE: Virus Definition Size

    Posted Nov 10, 2014 11:58 AM

    But is there an exact requirement specified by Symantec that the C:\ has to have x amount of space rather than just a threshold?

    Sorry to keep going around on this. The customer has many servers built with a C: partition of only 10GB, as I'm sure many companies do, and SEP Defs are 2GB of that space.

     



  • 6.  RE: Virus Definition Size

    Posted Nov 10, 2014 12:14 PM

    Found one for 11.x:

    http://www.symantec.com/docs/TECH174225

    I could not find a similar one for 12.1, perhaps support has more info on this.



  • 7.  RE: Virus Definition Size

    Posted Nov 10, 2014 12:37 PM

    Are you looking for something like this (note this is an old article, and def sizes have increased since then and will continue to do so)?

    http://www.symantec.com/docs/TECH105407

    As far as the why goes however, from what I recall SEP uses the Windows environment variables for the location of many of its files.  As such, if a Windows machine was built using the unattend switches to slap the %appdata% variable (and others like it) on another drive, SEP should follow it (as below):

    https://www-secure.symantec.com/connect/forums/change-virus-definition-location-call-users-d#comment-8600321

    This probably won't help you now though, as I'm guessing you're unlikely to be building any more machines with a 10GB drive ;)



  • 8.  RE: Virus Definition Size

    Posted Nov 10, 2014 07:50 PM

    You can redirect SEP 12.1 Agent Def files (likewise SEP 11, but the process is a little different), but ONLY the traditional AVDefs; in other words, your SEP Agent for such scenarios can only be an "AV Only" SEP Agent. This is because the newer technologies (SONAR, IPS etc.) have been poorly implemented in such a way that they do not permit relocation, as their location values in the registry are hard-coded per every engine and def update.

    The other problem is, it's a very manual process as it can only be done post-install, and if you were to ever upgrade the SEP Agent "over the top", from memory it restores to the default OS drive location, meaning you need to do it again.

    Essentially perform an AV only SEP Agent install (with no Defs included in the package as it's pointless) and then untick Tamper Protection (if enabled), do a smc -stop, change the following two reg key values to something else that respects the existing folder structure, i.e. D:\SEPDefs and D:\SEPDefs\Definitions\VirusDefs respectively, smc -start, give it time to update.

    Done.

    defs_loc.png