Endpoint Protection


SAV 10.1.9 version and scan engine blank

Migration User, Mar 05, 2010 12:39 PM

  • 1.  SAV 10.1.9 version and scan engine blank

    Posted Mar 05, 2010 07:57 AM

    I've got a client (2003SE sp2) which reports "Missing Definitions!" in the SSC.  I've tried versions 10.1 MR6, MR7, MR8, and MR9.
    I've tried stopping the service, replacing the virusdefs folder (c:\program files\common files\symantec shared) with files from a known good client.
    After I start the service it immediately downloads the current vdb file from the parent SAV server to the 7.5 folder and creates a tmp folder in virusdefs folder, but that's where it stays.
    Then every minute or so a new tmp folder is created in the virusdefs folder.  Any new vdb file released is downloaded to the 7.5 folder along with all the other ones (ballooning the size of the folder if left unchecked) and creating more tmp folders in virusdefs folder.  Over the course of a month it got almost 2GB in the 7.5 folder and over 13,000 tmp folders in the virusdefs folder.

    We have an internal LiveUpdate server that we use for 64-bit clients, and it hosts the 32-bit definitions as a just-in-case kind of thing.  So when I configure the client to use the internal LiveUpdate location and run LiveUpdate, it tries to go out to Symantec's FTP (which is blocked at our boundary) and fails.  In the registry, HKLM\software\intel\landesk\virusprotect6\currentversion\liveupdatesource shows all the correct information for the internal LiveUpdate server.  I've tried LiveUpdate 3.2, 3.3, and 3.5.

    Event ID 40: "Symantec AntiVirus has determined that the virus definitions are missing on this computer. This computer will remain unprotected from viruses until virus definitions are downloaded to this computer." appears in the Application Event Viewer.

    There's also Event ID 7000: The SAVRT service failed to start due to the following error: A device attached to the system is not functioning.  This one pops whenever a new vdb file gets in the 7.5 folder.

    The support above my level, as well as the support above their level, have not been able to resolve this issue.

    Any help would be supremely appreciated!



  • 2.  RE: SAV 10.1.9 version and scan engine blank

    Posted Mar 05, 2010 09:07 AM
    Might be a DCOM permission issue.

    Also try updating the Symevent
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/1998092408260848


  • 3.  RE: SAV 10.1.9 version and scan engine blank

    Posted Mar 05, 2010 10:06 AM
    I updated the SYMEvent per the link and rebooted, no change.
    Checked permissions for DCOM, everything looks correct, so no change there either.

    I was reading an article about checking in Device Manager for SAVRT & SAVRTPEL (http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2004041306575548) and the last steps say to check SAVRT and SAVRTPEL are enabled.  Well, SAVRTPEL is there and enabled but SAVRT is not there at all. *EDIT* The other steps are fine *EDIT*

    Anyone know how to install it?  Is there a dll I can register?


  • 4.  RE: SAV 10.1.9 version and scan engine blank

    Posted Mar 05, 2010 10:21 AM
    It's a sys file, SAVRT.sys.

    Check in Device Manager - View - Show Hidden Devices - Non-Plug and Play Devices. It should be listed there.


  • 5.  RE: SAV 10.1.9 version and scan engine blank

    Posted Mar 05, 2010 11:50 AM
    Nope, it's not there.  The file exists at c:\program files\symantec antivirus\savrt.sys along with the other savrt files, it just isn't in the device manager.  I believe this to be the root cause but have no idea how to fix since different versions have yielded identical results.
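
The check discussed in posts 3 to 5, as an added PowerShell example (not part of the thread and not Symantec's own tooling): it reports whether SAVRT and SAVRTPEL are registered as kernel driver services and counts the tmp folders piling up in virusdefs. The two paths are the ones quoted in the thread; that SAVRTPEL.sys sits in the same folder as savrt.sys and that the temporary folders are named `tmp*` are assumptions.

```powershell
# Added example. Paths come from the thread; adjust them for a non-default install.
$InstallDir = 'C:\Program Files\Symantec AntiVirus'
$VirusDefs  = 'C:\Program Files\Common Files\Symantec Shared\VirusDefs'

function Get-SavDriverState {
    param([string[]]$Names = @('SAVRT', 'SAVRTPEL'))
    foreach ($name in $Names) {
        # "Non-Plug and Play" entries in Device Manager are kernel driver
        # services, so a driver missing there has no Win32_SystemDriver entry.
        $drv = Get-WmiObject -Class Win32_SystemDriver -Filter "Name='$name'"
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        New-Object PSObject -Property @{
            Name       = $name
            Registered = [bool]$drv
            State      = $(if ($drv) { $drv.State } else { 'n/a' })
            StartMode  = $(if ($drv) { $drv.StartMode } else { 'n/a' })
            ServiceKey = Test-Path $key
            # Assumption: both .sys files live in the client install folder.
            FileOnDisk = Test-Path (Join-Path $InstallDir "$name.sys")
        }
    }
}

function Get-DefsBacklog {
    param([string]$Path = $VirusDefs)
    if (-not (Test-Path $Path)) { return $null }
    # Assumption: the folders the poster calls "tmp folders" are named tmp*.
    $tmp = @(Get-ChildItem -Path $Path |
             Where-Object { $_.PSIsContainer -and $_.Name -like 'tmp*' })
    $oldest = $tmp | Sort-Object CreationTime | Select-Object -First 1
    New-Object PSObject -Property @{
        Path       = $Path
        TmpFolders = $tmp.Count
        OldestTmp  = $(if ($oldest) { $oldest.CreationTime } else { $null })
    }
}

# FileOnDisk = True with Registered = False matches the symptom in post 5:
# the driver binary is present but was never installed as a service.
Get-SavDriverState |
    Format-Table Name, Registered, State, StartMode, ServiceKey, FileOnDisk -AutoSize
Get-DefsBacklog | Format-List Path, TmpFolders, OldestTmp
```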


  • 6.  RE: SAV 10.1.9 version and scan engine blank

    Posted Mar 05, 2010 11:56 AM
    Have you tried running rx4defs on this box? You can get that from Symantec.

    Using the "Rx4Defs" utility

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008053010223848 


  • 7.  RE: SAV 10.1.9 version and scan engine blank

    Posted Mar 05, 2010 12:04 PM
    You can run SCSCleanwipe once to wipe out all SAV entries in files and registries.
    Then try installing it.


  • 8.  RE: SAV 10.1.9 version and scan engine blank

    Posted Mar 05, 2010 12:17 PM
    I had not tried the Rx4Defs utility before, but just did and the results are the same.  Tmp folders are still stacking up and the version as well as the scan engine are blank.  Show hidden devices in Device Manager still does not show SAVRT.

    Thank you for the shot, though.  It is an interesting utility which I'll hang on to for future use.


  • 9.  RE: SAV 10.1.9 version and scan engine blank

    Posted Mar 05, 2010 12:18 PM
    I ran NoNav v2.611 as well as CleanWipe with the same results.  I also went through the manual uninstall of a client (http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2005050210381448) but no joy.


  • 10.  RE: SAV 10.1.9 version and scan engine blank



  • 11.  RE: SAV 10.1.9 version and scan engine blank

    Posted Mar 05, 2010 12:20 PM
    Hope there isn't a bot/rootkit on this system which is blocking SAVRT.sys.

    Try running RootkitRevealer: http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx
    Also try scanning this machine with Malwarebytes once.

    Well, just to be sure.



  • 12.  RE: SAV 10.1.9 version and scan engine blank

    Posted Mar 05, 2010 12:39 PM
    Yeah, tried that stuff already unfortunately.


  • 13.  RE: SAV 10.1.9 version and scan engine blank

    Posted Mar 05, 2010 01:04 PM

    Running a full Malwarebytes scan ATT.  Might take a minute :)

    RootkitRevealer keeps crashing when I try to save the data to a txt file; there are 5,754 findings, most of which are security mismatches.  From what I can tell nothing looks suspect, but I'm not too familiar with what I "should" be looking for.



  • 14.  RE: SAV 10.1.9 version and scan engine blank

    Posted Mar 05, 2010 02:21 PM
    Full Malwarebytes scan came back with zero infections.


  • 15.  RE: SAV 10.1.9 version and scan engine blank

    Posted Mar 05, 2010 02:43 PM
    So after the installation, what errors do you get in Event Viewer? Also, can you post the %temp%\SAV_INST.log?