How to determine if virus definitions of Symantec Endpoint Protection client are corrupted

Article ID: 178097

Products

Endpoint Protection

Issue/Introduction

How to check if virus definitions are corrupted?


Symptoms

One or more of these symptoms might be seen on a Symantec Endpoint Protection (SEP) client:

- Many numbered folders inside the VirusDefs folder
- Tmp folders inside the VirusDefs folder
- LiveUpdate does not update virus definitions
- SEP clients are not showing the latest available virus definitions
- SEP clients show errors in the main user interface related to the Auto-Protect engine

Cause

Many different scenarios can corrupt virus definitions; the most likely are network interruptions or an interrupted LiveUpdate process while the virus definitions are being updated.

Resolution

To check the integrity of the virus definition folders, open the directory %programdata%\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Definitions and select the appropriate definitions folder (for example, VirusDefs).

You should see some numbered folders named by date in the format YearMonthDay.Rev (example: 20191122.020 for 22 November 2019, rev. 20), plus the folders:

- BinHub
- Incoming
- TextHub

and files:

- Definfo.dat
- Usage.dat

(You may see that some .DB files are present as well, which is normal)

Up to three numbered folders is the expected behavior for a SEP client.
Having more than three folders is not always a cause for concern either, but a high number of virus definition folders retained for a long period of time may indicate underlying virus definition corruption.

DefUtils is the process in control of when old AV Defs and IPS Sigs content get purged. The SEP cache size setting of 3 guarantees that there will be at least that many revisions cached, but DefUtils may choose to hold on to additional sets if other components are registered for them.


Other checks that may point to virus definition corruption are:

  • Temporary folders, identified by a .tmp extension or a "tmp" string in the name.
    (If there are tmp files together with a lulock.dat file, LiveUpdate is currently running and updating the virus definitions. This is a normal process: wait a few minutes, check that no LU*.exe process is running, then check the VirusDefs folder again.)
  • Any files in the VirusDefs\Incoming folder.
  • Mismatching information in the Definfo.dat and Usage.dat files:
    - Open the Definfo.dat file with a text editor and verify that the "CurDefs" value equals the most recent numbered folder. In the example of the screenshot above, the Definfo.dat file should look like this:

    [DefDates]
    CurDefs=20191122.020

    - Open the Usage.dat file with a text editor and verify that all virus definition folders are included in this file. In the example of the screenshot above, the Usage.dat file should look like this:

    [20091119.040]
    SepCache3=1
    [20091120.005]
    SepCache2=1
    [20091122.020]
    DEFWATCH_10=1
    SepCache1=1
    NAVCORP_70=1
    SRTSP=1

    When virus definitions are downloaded from a SEPM, they are cached, so you will see different folders listed in the Usage.dat file. If the SEP client is instead receiving updates from an internet LiveUpdate server, all cached tags may point to the same folder. In that case the Usage.dat file looks like this:

    [20090514.039]
    SepCache1=1
    SepCache2=1
    SepCache3=1
    [20090629.003]
    SRTSP=1
    NAVCORP_70=1
    DEFWATCH_10=1


If the virus definitions appear to be corrupted (you see tmp files, and/or there is a mismatch between the virus definition folders and the Definfo.dat/Usage.dat files), use the following KB to clean up or restore the virus definitions:

How to clear out corrupted definitions for a Symantec Endpoint Protection Client manually