How to manually purge definitions for a Windows Endpoint Protection client
Article ID: 180682

Products

Endpoint Protection

Issue/Introduction

  • Windows Endpoint Protection (SEP) client definitions are corrupt.
  • A single SEP Client can no longer download and apply some or all of the new LiveUpdate definitions. 
  • The "Definitions are out of date" issue persists even after the connections to the SEPM and LiveUpdate servers have been tested as described in the document "Determine whether your firewall is blocking LiveUpdate" and found to be normal.

Environment

Single Windows SEP client

Resolution

To troubleshoot the failure of the Symantec Endpoint Protection (SEP) client's definitions, it can be helpful to remove potentially corrupted definitions from the client.

The following instructions remove corrupt or potentially corrupt definitions from a Windows SEP client. Keep in mind that if the definitions are not restored after this procedure, the Windows SEP client is left in a compromised state (it has no definitions at all). If you are unable to reacquire the definition sets after following this procedure, open a support case for assistance. It is recommended that you make a copy of any directory or registry contents you plan to delete.

Note: Disable Tamper Protection on the client before executing the following procedure to avoid getting an "Access is denied" error.

  1. Close the client GUI. If the client GUI is open (SymCorpUI.exe is running) it will prevent the shutdown of the Symantec Management Client service in the next step.

  2. If the BASHDefs definitions (Proactive Threat Protection) are to be cleared, stop the BASH driver (BHDrvx86 on 32-bit Windows, BHDrvx64 on 64-bit Windows) as follows:
    • Start a command prompt as administrator
    • Run the command "sc config bhdrvx64 start= disabled" (use bhdrvx86 on 32-bit Windows)
    • The expected result is "ChangeServiceConfig SUCCESS"
    • Restart the system

  3. If the IPSDefs definitions (Intrusion Prevention System) are to be cleared, stop the IDS driver (IDSvix86 on 32-bit Windows, IDSvia64 on 64-bit Windows) as follows:
    • Start a command prompt as administrator
    • Run the command "sc config IDSvia64 start= disabled" (use IDSvix86 on 32-bit Windows)
    • The expected result is "ChangeServiceConfig SUCCESS"
    • Restart the system

  4. Stop the SEP services.
    • Open Start > Run (or Start > Search text box)
    • Enter "smc -stop" to stop the Symantec Management Client (smc.exe) service and the dependent Symantec Endpoint Protection service.
    • Verify that the SEP system notification area icon disappears.

  5. Navigate to the definitions directory: %ProgramData%\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Definitions
    • Delete the subdirectories in question from the list below. For example, to clear the IPS definitions, delete the folder "IPSDefs". To clear all definitions, delete all of the folders.
      Note: If you receive an error indicating that a file or folder is in use, double-check steps 2-4. If the drivers and services are off and the error persists, you can attempt these steps in Safe Mode.
      • ACDefs
      • AdvMLDefs
      • AUDefs
      • BASHDefs
      • ccSubSDK_SCD_Defs
      • EDRDefs
      • EfaVTDefs
      • HIDefs
      • IPSDefs
      • IronRevocationDefs
      • IronSettingsDefs
      • IronWhitelistDefs
      • NTRDefs
      • PCHDefs
      • SDSDefs
      • SMRDefs
      • SRTSPSettingsDefs
      • STICDefs
      • SymPlatformDefs
      • TDADDefs
      • VirusDefs
      • WebExtDefs

  6. Navigate to the following registry key:
    HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs\

  7. For each definitions folder you deleted above, delete the contents (the values) of the corresponding registry subkey from the list below.
    Note: Do not delete the subkeys themselves; delete only the values they contain.
    For example, if you are clearing the virus definitions (the VirusDefs folder), navigate to the following key:
    HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs\SDSDefs
    Then delete the following registry values:
      • SRTSP
      • NAVCORP_70
      • DEFWATCH_10

    • ACDefs 
    • BASHDefs
    • ccSubSDK_SCD_Defs
    • EDRDefs
    • EfaVTDefs
    • HIDefs
    • IPSDefs
    • IronRevocationDefs
    • IronSettingsDefs
    • IronWhitelistDefs
    • NTRDefs
    • PCHDefs
    • SMRDefs
    • SRTSPSettingsDefs
    • STICDefs
    • SymPlatformDefs
    • TDADDefs
    • WebExtDefs

  8. If the BASHDefs definitions (Proactive Threat Protection) were cleared, start the BASH driver (BHDrvx86 on 32-bit Windows, BHDrvx64 on 64-bit Windows) again as follows:
    • Start a command prompt as administrator
    • Run the command "sc config bhdrvx64 start= system" (use bhdrvx86 on 32-bit Windows)
    • The expected result is "ChangeServiceConfig SUCCESS"
    • Restart the system

  9. If the IPSDefs definitions (Intrusion Prevention System) were cleared, start the IDS driver (IDSvix86 on 32-bit Windows, IDSvia64 on 64-bit Windows) again as follows:
    • Start a command prompt as administrator
    • Run the command "sc config IDSvia64 start= system" (use IDSvix86 on 32-bit Windows)
    • The expected result is "ChangeServiceConfig SUCCESS"
    • Restart the system

  10. Start the SEP services.
    If you performed step 8 or 9 and restarted the system, this step is not required because the services start with the system.
    • Open Start > Run (or Start > Search text box)
    • Enter "smc -start" to restart the Symantec Management Client (smc.exe) and Symantec Endpoint Protection services.

  11. Each cleared definitions subdirectory should now contain an empty folder called "newdefs-trigger"; this tells the client that it needs to fetch a fresh copy of that definition set.

  12. Monitor the definitions subdirectories to verify that the definition sets are reacquired.
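The following PowerShell script is an added example and is not part of this article or of Symantec/Broadcom's own tooling. It automates steps 4 through 7 and 10 through 11 for a chosen set of definition folders: it checks that the relevant driver is down, stops the SEP services, copies each folder and exports each registry subkey to a backup directory before deleting anything, clears only the values under the subkey (never the subkey itself), restarts the services and then reports whether the "newdefs-trigger" folder has appeared. Several things it relies on are assumptions rather than statements from the article: the install path of smc.exe, the Windows service names SmcService and SepMasterService, the 32-bit driver names BHDrvx86 and IDSvix86, that Tamper Protection has already been disabled, and the folder-to-subkey mapping, which it derives from step 7 (VirusDefs maps to the SDSDefs key; every other folder in the step-7 list maps to a key of the same name; AdvMLDefs, AUDefs and the SDSDefs folder have no key in the list, so they get no registry step). Steps 2, 3, 8 and 9 require a restart and are deliberately left manual; the script refuses to purge BASHDefs or IPSDefs while the matching driver is still loaded.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the Broadcom article: backs up and purges the chosen
# SEP definition sets and their SharedDefs registry values (steps 4-7, 10-11).
# Assumed, not stated by the article: the smc.exe install path, the service
# names SmcService/SepMasterService, the 32-bit driver names, and that
# Tamper Protection is already disabled.
param(
    [string[]]$DefSets   = @('VirusDefs', 'IPSDefs'),   # folder names from the step-5 list
    [string]  $SmcPath   = "${env:ProgramFiles(x86)}\Symantec\Symantec Endpoint Protection\smc.exe",
    [string]  $BackupDir = "$env:TEMP\SEPDefsBackup-$(Get-Date -Format 'yyyyMMdd-HHmmss')"
)

$DefsDir       = Join-Path $env:ProgramData 'Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Definitions'
$RegRootNative = 'HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs'
$RegRoot       = 'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs'

# Folder -> SharedDefs subkey, derived from step 7: VirusDefs pairs with the SDSDefs key,
# every other folder in the step-7 list uses a key of the same name. AdvMLDefs, AUDefs and
# the SDSDefs folder have no key in the article's list, so they get no registry step.
$RegKeyFor = @{ 'VirusDefs' = 'SDSDefs' }
foreach ($k in 'ACDefs','BASHDefs','ccSubSDK_SCD_Defs','EDRDefs','EfaVTDefs','HIDefs','IPSDefs',
               'IronRevocationDefs','IronSettingsDefs','IronWhitelistDefs','NTRDefs','PCHDefs',
               'SMRDefs','SRTSPSettingsDefs','STICDefs','SymPlatformDefs','TDADDefs','WebExtDefs') {
    $RegKeyFor[$k] = $k
}

# Steps 2-3 need a restart, so they are not automated; only confirm the driver is down.
function Test-DriverStopped([string]$Name) {
    $state = (& sc.exe query $Name | Out-String)
    return [bool]($state -match 'STOPPED')
}
$is64 = [Environment]::Is64BitOperatingSystem
$DriverFor = @{
    'BASHDefs' = $(if ($is64) { 'BHDrvx64' } else { 'BHDrvx86' })   # 32-bit name assumed
    'IPSDefs'  = $(if ($is64) { 'IDSvia64' } else { 'IDSvix86' })   # 32-bit name assumed
}
foreach ($set in $DefSets) {
    if ($DriverFor[$set] -and -not (Test-DriverStopped $DriverFor[$set])) {
        throw "Driver $($DriverFor[$set]) is still loaded; complete steps 2-3 (disable + restart) before purging $set."
    }
}

# Step 4: stop the SEP services and wait until they are really gone.
function Wait-ServiceState([string[]]$Names, [string]$State, [int]$TimeoutSec = 60) {
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    do {
        $pending = Get-Service -Name $Names -ErrorAction SilentlyContinue | Where-Object Status -ne $State
        if (-not $pending) { return $true }
        Start-Sleep -Seconds 2
    } while ((Get-Date) -lt $deadline)
    return $false
}
& $SmcPath -stop
if (-not (Wait-ServiceState -Names 'SmcService','SepMasterService' -State 'Stopped')) {
    throw 'SEP services did not stop; close SymCorpUI.exe (step 1) and retry.'
}

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
foreach ($set in $DefSets) {
    # Step 5: copy the folder aside, then remove it. An "in use" failure means a driver
    # or service still holds a file; re-check steps 2-4 or retry in Safe Mode.
    $folder = Join-Path $DefsDir $set
    if (Test-Path $folder) {
        Copy-Item -Path $folder -Destination (Join-Path $BackupDir $set) -Recurse -Force -ErrorAction Stop
        Remove-Item -Path $folder -Recurse -Force -ErrorAction Stop
    }
    # Steps 6-7: export the matching subkey, then delete its values but keep the key itself.
    $keyName = $RegKeyFor[$set]
    if ($keyName -and (Test-Path (Join-Path $RegRoot $keyName))) {
        & reg.exe export "$RegRootNative\$keyName" (Join-Path $BackupDir "$keyName.reg") /y | Out-Null
        $key = Get-Item -Path (Join-Path $RegRoot $keyName)
        foreach ($value in $key.GetValueNames()) {
            $name = if ($value -eq '') { '(default)' } else { $value }
            Remove-ItemProperty -Path $key.PSPath -Name $name -ErrorAction Stop
        }
    }
}

# Step 10: start the services again (not needed if a restart follows for steps 8-9).
& $SmcPath -start

# Steps 11-12: report whether each purged set now shows the empty 'newdefs-trigger' folder.
function Get-PurgeStatus([string[]]$Sets) {
    foreach ($set in $Sets) {
        $trigger = Join-Path (Join-Path $DefsDir $set) 'newdefs-trigger'
        [pscustomobject]@{ DefSet = $set; NewDefsTrigger = [bool](Test-Path $trigger) }
    }
}
Start-Sleep -Seconds 30
Get-PurgeStatus -Sets $DefSets | Format-Table -AutoSize
Write-Host "Backups written to $BackupDir"
```

Run it from an elevated PowerShell prompt, for example `.\Purge-SepDefs.ps1 -DefSets VirusDefs,IPSDefs`, after completing steps 1 through 3 by hand. If a definition set is not reacquired afterwards, the backup directory holds both the folder copy and a `.reg` export of the cleared subkey, so the previous state can be restored while a support case is opened.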