How to check if virus definitions are corrupted?
One or more of these symptoms might be seen on a SEP client:
- Many numbered folders inside VirusDefs folder
- Tmp folders inside VirusDefs folder
- LiveUpdate does not update virus definitions
- SEP clients are not showing last available virus definitions
- SEP clients show errors in the main user interface, related to the Auto-Protect Engine
Many different scenarios can corrupt virus definitions. The most likely causes are network interruptions or an interruption of the LiveUpdate processes while virus definitions are being updated.
To check the integrity of the virus definition folders, open the directory:
%programdata%\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Definitions and select the appropriate definitions folder.
You should see some numbered folders named by date in the format YearMonthDay.Rev (example: 20191122020 for 22 November 2019 rev. 20), plus the folders:
(You may see that some .DB files are present as well, which is normal. See KB TECH95798 - "What is the .db File in the VirusDefs Folder?" for more details about this)
If there are up to 3 numbered folders, this is the normal behavior of a SEP client.
Also, having more than 3 folders is not always a cause for concern, though if there is a high number of virus defs folders retained for a long period of time, it may indicate underlying virus definition corruption.
DefUtils is the process in control of when old AV Defs and IPS Sigs content get purged. The SEP cache size setting of 3 guarantees that there will be at least that many revisions cached, but DefUtils may choose to hold on to additional sets if other components are registered for them.
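The folder check described above can be scripted. The following PowerShell is an added example, not Symantec tooling: the function name `Get-DefFolderReport`, the 14-day staleness threshold, the "name contains tmp" rule and the sample folder names are assumptions made for illustration.

```powershell
# Added example, not Symantec tooling: triage one definitions folder (e.g. VirusDefs).
function Get-DefFolderReport {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$StaleDays = 14   # assumption: age that counts as "retained for a long period"
    )
    $dirs = @(Get-ChildItem -LiteralPath $Path -Directory -ErrorAction Stop)

    # Numbered folders: 8-digit date plus 3-digit revision, with or without a dot
    # (the article writes "YearMonthDay.Rev" and gives 20191122020 as the example).
    $numbered = @(foreach ($d in $dirs) {
        $date = [datetime]::MinValue
        if ($d.Name -match '^(?<date>\d{8})\.?(?<rev>\d{3})$' -and
            [datetime]::TryParseExact($Matches['date'], 'yyyyMMdd', [cultureinfo]::InvariantCulture,
                [System.Globalization.DateTimeStyles]::None, [ref]$date)) {
            [pscustomobject]@{ Name = $d.Name; Date = $date; Rev = [int]$Matches['rev'] }
        }
    })

    # Assumption: leftover temporary folders have "tmp" in their name (case-insensitive).
    $tmp = @($dirs | Where-Object { $_.Name -match 'tmp' })
    $cutoff = (Get-Date).Date.AddDays(-$StaleDays)
    $stale = @($numbered | Where-Object { $_.Date -lt $cutoff })

    $verdict = if ($tmp.Count -gt 0) { 'Suspect: tmp folders present' }
    elseif ($numbered.Count -gt 3 -and $stale.Count -gt 0) { 'Review: more than 3 revisions and old ones retained' }
    else { 'OK: nothing here points to corruption' }

    [pscustomobject]@{
        Folder    = $Path
        Revisions = $numbered.Count
        Newest    = ($numbered | Sort-Object Date, Rev | Select-Object -Last 1).Name
        Stale     = $stale.Name -join ', '
        Tmp       = $tmp.Name -join ', '
        Verdict   = $verdict
    }
}

# Constructed sample tree so the function can be tried offline. On a client, pass the
# VirusDefs folder under the Definitions path from the article instead.
$demo = Join-Path ([IO.Path]::GetTempPath()) ('sepdefs-demo-' + [guid]::NewGuid())
$ages = 0, 1, 2, 30, 45
$names = @($ages | ForEach-Object { (Get-Date).AddDays(-$_).ToString('yyyyMMdd', [cultureinfo]::InvariantCulture) + '.020' })
$names += 'tmp1a2b.tmp', 'not-a-revision'
foreach ($n in $names) { New-Item -ItemType Directory -Path (Join-Path $demo $n) -Force | Out-Null }
Get-DefFolderReport -Path $demo | Format-List
Remove-Item -LiteralPath $demo -Recurse -Force
```

A "Review" verdict only means the folder count and age match the pattern the article says may indicate corruption; it is not proof of it.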
Other checks that may point to virus definition corruption are:
If virus definitions appear to be corrupted (you see tmp files and/or there is a mismatch between the virus definitions folder and the Definfo.dat/Usage.dat files), use the following KB to clean up / restore the virus definitions:
- How to clear out corrupted definitions for a Symantec Endpoint Protection Client manually - Article 180682