Endpoint Protection

  • 1.  Antivirus Definitions not working correctly

    Posted Dec 02, 2015 07:55 PM

    I have some servers where the SEP managed client isn't displaying the correct virus defs.  When I peek in C:\programdata\symantec\symantec endpoint protection\$version$\data\definitions\virusdefs, I see multiple subfolders with dated definitions.  I see one for the current day, then a couple from a couple of weeks ago.  The SEP client shows the Virus Definitions to be the date of the previously dated folder and Network Threat Protection is the current date.  Running Live Update or applying the downloaded Intelligencer Update doesn't fix it.  I can usually turn off tamper protection, then do a smc.exe -stop, then smc.exe -start and it will clear the old def folders and display the correct definitions in the client.  The System log on the client does not show any errors.  How do I go about correcting this?  smc.exe -stop doesn't always work, and sometimes totally hangs SEP, requiring a restart.  I can't do that to servers.  I have to rely on the daily report to alert me as to which clients aren't updating properly.

    SEPM is 12.1.6.
    SEP clients are all 12.1.5 or higher.

    Specific example:
    SEP Client Version 12.1.5337.5000.105 (I'm sure I could find examples of 12.1.6 clients)
    C: drive has plenty of space - 16 gigs free.
    SEP client shows:
    Virus and Spyware - Nov 22, 2015 r2
    Proactive Threat Protection - Nov 13 2015 r11
    Network Threat Protection - Dec 2, 2015 r11
    VirusDefs folder has the following subfolders:
    20151121.038
    20151122.002
    20151202.003

    This issue isn't widespread.  We have over 2200 clients, but I can count on fixing at least 1 per day.  Experience tells me that stopping SMC just for correcting VirusDefs can cause the service to hang, requiring a restart to correct SMC services and virus defs.  Usually, it clears the problem, but it's that 1 in 10 chance that hurts.



  • 2.  RE: Antivirus Definitions not working correctly

    Posted Dec 09, 2015 07:58 PM

    Run the symhelp tool on it and see if definitions are corrupt. You may need to manually clear out.

    Troubleshooting computer issues with the Symantec Help support tool



  • 3.  RE: Antivirus Definitions not working correctly
    Best Answer

    Trusted Advisor
    Posted Dec 10, 2015 08:33 AM

    When you manually drop in the JDB file or the Intelligent Updater, do they update correctly?

    Intelligent Updater
    https://support.symantec.com/en_US/article.TECH102606.html

    JDB File
    https://support.symantec.com/en_US/article.HOWTO55187.html



  • 4.  RE: Antivirus Definitions not working correctly

    Broadcom Employee
    Posted Dec 11, 2015 12:22 PM

    Hi,

    To decide whether definitions are corrupted or not, look in the following location:

    %programfiles%\Common Files\Symantec Shared\VirusDefs

    If there are up to 3 numbered folders, this is the normal behavior of a SEP client.

    Also, having more than 3 folders is not always a cause for concern, though if there is a high number of virus defs folders retained for a long period of time, it may indicate underlying virus definition corruption.

    This article can provide more details: How to determine if virus definitions of Symantec Endpoint Protection client (SEP) 11 or 12 Small Business Edition, are corrupted

    http://www.symantec.com/docs/TECH97677

    If definitions are corrupted, you can try to clear them manually. Follow this article: How to clear out definitions for a Symantec Endpoint Protection 12.1 client manually

    http://www.symantec.com/docs/HOWTO59193
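
The folder-count check described in the reply above, as an added PowerShell example that is not part of the thread and not Symantec code. The function name `Get-DefFolderReport` and the 7-day spread threshold are assumptions; a "Review" result is a cue to run SymHelp on that host, not proof of corruption.

```powershell
# Added example: audits a definitions folder for the symptoms discussed in this thread.
function Get-DefFolderReport {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$MaxFolders = 3,      # "up to 3 numbered folders" is normal per the reply above
        [int]$MaxSpreadDays = 7    # assumption: tune to how long old sets normally linger
    )
    $sets = foreach ($dir in Get-ChildItem -LiteralPath $Path -Directory) {
        # Definition sets are named YYYYMMDD.RRR (date plus revision), e.g. 20151121.038
        if ($dir.Name -match '^(\d{8})\.(\d{3})$') {
            $date = [datetime]::MinValue
            $parsed = [datetime]::TryParseExact($Matches[1], 'yyyyMMdd',
                [cultureinfo]::InvariantCulture,
                [System.Globalization.DateTimeStyles]::None, [ref]$date)
            if ($parsed) {
                [pscustomobject]@{ Name = $dir.Name; Date = $date; Revision = [int]$Matches[2] }
            }
        }
    }
    $sets = @($sets | Sort-Object Date, Revision)
    if ($sets.Count -eq 0) {
        return [pscustomobject]@{ Path = $Path; Folders = 0; Newest = $null
                                  SpreadDays = $null; Status = 'NoDefinitionFolders' }
    }
    # Days between the oldest retained set and the newest one
    $spread = ($sets[-1].Date - $sets[0].Date).Days
    $reasons = @()
    if ($sets.Count -gt $MaxFolders) { $reasons += "more than $MaxFolders folders" }
    if ($spread -gt $MaxSpreadDays)  { $reasons += "oldest set is $spread days behind newest" }
    $status = if ($reasons) { 'Review: ' + ($reasons -join '; ') } else { 'Normal' }
    [pscustomobject]@{
        Path = $Path; Folders = $sets.Count; Newest = $sets[-1].Name
        SpreadDays = $spread; Status = $status
    }
}

# Constructed demo: recreate the folder names from the first post in a temp directory
$demo = Join-Path ([System.IO.Path]::GetTempPath()) ("VirusDefsDemo_" + [guid]::NewGuid())
'20151121.038', '20151122.002', '20151202.003' | ForEach-Object {
    New-Item -ItemType Directory -Path (Join-Path $demo $_) -Force | Out-Null
}
Get-DefFolderReport -Path $demo | Format-List
Remove-Item -LiteralPath $demo -Recurse -Force
```

On a real client, pass one of the definition paths named in this thread as `-Path`; the function only reads directory names and changes nothing.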




  • 5.  RE: Antivirus Definitions not working correctly

    Broadcom Employee
    Posted Jan 26, 2016 08:41 AM

    Is there any update?

    OR

    If the issue has been resolved, mark this thread as solved with the best answer that helps you.



  • 6.  RE: Antivirus Definitions not working correctly

    Posted Jan 27, 2016 02:28 PM

    Running the symhelp.exe indicates Iron Revocation defs are corrupt.  Running the intelligencer updater updates the defs, but they won't auto update from the manager or Live Update. 

    To fix this, would it be:
    Disable Tamper Protection in the client.
    Run smc.exe -stop
    Browse to "%ProgramData%\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Definitions", open IronRevocationDefs and delete the contents?

    My recent experience with smc.exe -stop is that it doesn't stop Symantec.  The service will show as stopping.  Kill ccSvcHst.exe in task manager, and SMC immediately starts, so I won't have an opportunity to manually delete the folder.



  • 7.  RE: Antivirus Definitions not working correctly

    Posted Jan 27, 2016 04:19 PM

    Looks like clearing the IronRevocationDefs folder on a couple of these machines corrected the issue. I was able to run Live Update without failure after clearing them out. We'll see if they will continue to receive updates from the SEPM. I'd mark Brian's first response as the solution, as this is what pointed me in the direction of SymHelp.