How to clear out definitions for a Windows Endpoint Protection client manually


Article ID: 180682


Products

Endpoint Protection

Issue/Introduction


Resolution

When a Symantec Endpoint Protection (SEP) client's definitions fail to load or to update, it can be helpful to remove the potentially corrupted definition sets from the client so that it downloads a fresh copy.

The following are instructions for removing corrupt or potentially corrupt definitions from a Windows SEP client. Keep in mind that if you follow this procedure and the definitions are not restored afterwards, the client will be in a worse state (no definitions at all) than it was before (where corruption was only suspected). Make a copy of any directory or registry contents you plan to delete before deleting them.


Note: Disable Tamper Protection on the client before executing the following procedure to avoid getting an "Access is denied" error.

  1. Close the client GUI. If the client GUI is open (SymCorpUI.exe is running) it will prevent the shutdown of the Symantec Management Client service in the next step.
  2. If the BASHDefs definitions (Proactive Threat Protection) are to be cleared, then stop the BASH driver, BHDrvx86 on 32-bit Windows or BHDrvx64 on 64-bit Windows, via one of the following:
    • Option 1: Windows Device Manager (Windows 2008 R2 and below)
      1. Open the Device Manager (devmgmt.msc)
      2. Choose View > Show hidden devices and look for the driver under 'Non-Plug and Play Drivers'
      3. Right-click the driver and choose Properties
      4. Select the 'Driver' tab to access the Startup Type option
      5. Set Startup Type to 'Disabled'
      6. Click 'OK' and restart the system
    • Option 2: sc config command (Windows 2012 and above)
      1. Start command prompt as administrator
      2. Run the following command "sc config bhdrvx64 start= disabled"
      3. The expected result is "[SC] ChangeServiceConfig SUCCESS"
      4. Restart the system
  3. In the Start > Run menu option (or Start > Search text box) enter "smc -stop" to stop the Symantec Management Client (smc.exe) services and the dependent Symantec Endpoint Protection service. Verify that the SEP system notification area icon disappears.
  4. Navigate to the definitions directory at one of the following:

    Windows Server 2003/XP
    <drive:>\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Definitions 

    or
    Windows Server 2008/Windows 7 and later
    %ProgramData%\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Definitions
     
  5. Delete the contents of the subdirectories in question, but not the subdirectories themselves. For example, to clear the virus definitions, delete the contents of "VirusDefs" but not the folder "VirusDefs" itself. If you receive an error indicating that a file or folder is in use, restart into Safe Mode and delete the contents from there.
    • BashDefs
    • ccSubSDK_SCD_Defs
    • EfaVTDefs
    • HIDefs
    • IPSDefs
    • IronRevocationDefs
    • IronSettingsDefs
    • IronWhitelistDefs
    • SRTSPSettingsDefs
    • VirusDefs

  6. If you are clearing the virus definitions, navigate to the following key:

    HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs\SDSDefs

    Then delete the following registry values:
    • SRTSP
    • NAVCORP_70
    • DEFWATCH_10

  7. Navigate to the following registry key:

    HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs\

  8. For each subdirectory you emptied in step 5, delete the values stored under the corresponding registry subkey below.
    Do not delete the subkeys themselves, only the values they contain:
    • BASHDefs
    • ccSubSDK_SCD_Defs
    • HIDefs
    • IPSDefs
    • IronRevocationDefs
    • IronSettingsDefs
    • IronWhitelistDefs
    • MicroDefs
    • EfaVTDefs (12.1.2+)
    • SRTSPSettingsDefs (12.1.2+)

  9. If the BASHDefs definitions (Proactive Threat Protection) were cleared, then re-enable the BASH driver BHDrvx86 or BHDrvx64 via one of the following:
    • Option 1: Windows Device Manager (Windows 2008 R2 and below)
      1. Open the Device Manager (devmgmt.msc)
      2. Choose View > Show hidden devices and look for the driver under 'Non-Plug and Play Drivers'
      3. Right-click the driver and choose Properties
      4. Select the 'Driver' tab to access the Startup Type option
      5. Set Startup Type to 'System'
      6. Click 'OK' and restart the system
    • Option 2: sc config command (Windows 2012 and above)
      1. Start command prompt as administrator
      2. Run the following command "sc config bhdrvx64 start= system"
      3. The expected result is "[SC] ChangeServiceConfig SUCCESS"
      4. Restart the system

  10. If you did not perform the previous step and restart the system, then in the Start > Run menu option (or Start > Search text box) enter 'smc -start' to restart the Symantec Management Client (smc.exe) and Symantec Endpoint Protection services.
  11. In each cleared definitions subdirectory there should appear a folder called 'newdefs-trigger' which is, itself, empty.
  12. Monitor the definitions subdirectories to verify that definition sets are re-acquired
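
The following script is an added example and is not part of the original article or of Symantec's tooling. It carries out steps 1 to 11 above for one or more definition sets on a Windows 7/Server 2008 or later client, including the backup the article asks for. It assumes Tamper Protection has already been disabled, that smc.exe is on the PATH (the SEP installer adds it), and that the service names SmcService and SepMasterService match your installation; the backup folder location is arbitrary.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): clears selected SEP definition sets
# following the manual steps above. Assumes Tamper Protection is already off and
# smc.exe is on PATH. Service/driver names are the SEP 12.1/14 defaults; $BackupRoot
# is an arbitrary choice.
param(
    [string[]]$DefSets  = @('VirusDefs'),   # step 5 folder names, as spelled on disk
    [string]$BackupRoot = "$env:ProgramData\SEPDefsBackup-$(Get-Date -Format yyyyMMdd-HHmmss)"
)
$ErrorActionPreference = 'Stop'

$DefRoot   = Join-Path $env:ProgramData 'Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Definitions'
$SharedKey = 'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs'
$BashDrv   = if ([Environment]::Is64BitOperatingSystem) { 'bhdrvx64' } else { 'bhdrvx86' }

# Step 5 folder -> step 8 subkey. VirusDefs has no subkey of its own; its state is the
# three SDSDefs values removed in step 6. MicroDefs (step 8, no matching folder) is not
# touched here.
$KeyFor = @{
    'BashDefs' = 'BASHDefs';                   'ccSubSDK_SCD_Defs'  = 'ccSubSDK_SCD_Defs'
    'EfaVTDefs' = 'EfaVTDefs';                 'HIDefs'             = 'HIDefs'
    'IPSDefs' = 'IPSDefs';                     'IronRevocationDefs' = 'IronRevocationDefs'
    'IronSettingsDefs' = 'IronSettingsDefs';   'IronWhitelistDefs'  = 'IronWhitelistDefs'
    'SRTSPSettingsDefs' = 'SRTSPSettingsDefs'; 'VirusDefs'          = $null
}
foreach ($s in $DefSets) { if (-not $KeyFor.ContainsKey($s)) { throw "Unknown definition set: $s" } }

# Step 2: BashDefs can only be emptied after the BASH driver is disabled and the box rebooted.
if ($DefSets -contains 'BashDefs' -and ((sc.exe query $BashDrv) -match 'RUNNING')) {
    sc.exe config $BashDrv start= disabled | Out-Null
    Write-Warning "$BashDrv set to start=disabled. Reboot, then run this script again."
    exit 1
}

# Steps 1 and 3: close the GUI, stop the SMC and SEP services, and wait for SMC to stop.
Get-Process SymCorpUI -ErrorAction SilentlyContinue | Stop-Process -Force
smc.exe -stop
(Get-Service SmcService).WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))

# Back up everything that is about to be deleted (the article's own precaution).
New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null
reg.exe export 'HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs' `
    (Join-Path $BackupRoot 'SharedDefs.reg') /y | Out-Null
foreach ($s in $DefSets) {
    Copy-Item -LiteralPath (Join-Path $DefRoot $s) -Destination (Join-Path $BackupRoot $s) -Recurse -Force
}

function Clear-RegistryValues([string]$Path) {
    # Step 8: delete every value under $Path but leave the key itself in place.
    $key = Get-Item -LiteralPath $Path
    foreach ($name in $key.GetValueNames()) {
        $n = if ($name -eq '') { '(default)' } else { $name }
        Remove-ItemProperty -LiteralPath $Path -Name $n
    }
}

foreach ($s in $DefSets) {
    $dir = Join-Path $DefRoot $s
    try {
        # Step 5: empty the folder, keep the folder.
        Get-ChildItem -LiteralPath $dir -Force | Remove-Item -Recurse -Force
    } catch {
        throw "Could not empty $dir ($($_.Exception.Message)). A file is still in use; finish this step from Safe Mode."
    }
    if ($s -eq 'VirusDefs') {
        # Step 6: remove the virus-definition tracking values under SDSDefs.
        foreach ($v in 'SRTSP', 'NAVCORP_70', 'DEFWATCH_10') {
            Remove-ItemProperty -LiteralPath "$SharedKey\SDSDefs" -Name $v -ErrorAction SilentlyContinue
        }
    } else {
        # Steps 7 and 8: clear the matching SharedDefs subkey, keep the subkey.
        Clear-RegistryValues "$SharedKey\$($KeyFor[$s])"
    }
}

# Steps 9 and 10: re-enable the BASH driver (needs a reboot) or simply restart the client.
if ($DefSets -contains 'BashDefs') {
    sc.exe config $BashDrv start= system | Out-Null
    Write-Warning "$BashDrv set back to start=system; reboot to finish. SMC starts at boot."
} else {
    smc.exe -start
}

# Step 11: after SMC is running, each emptied folder should contain an empty 'newdefs-trigger'.
foreach ($s in $DefSets) {
    $trigger = Join-Path (Join-Path $DefRoot $s) 'newdefs-trigger'
    '{0,-20} newdefs-trigger present: {1}' -f $s, (Test-Path -LiteralPath $trigger)
}
```

Run it from an elevated PowerShell prompt, for example `.\Clear-SepDefs.ps1 -DefSets VirusDefs,IPSDefs`. The script refuses to proceed past step 2 while the BASH driver is still running, because the article requires a reboot between disabling the driver and deleting BashDefs; in that case it disables the driver and asks you to reboot and run it again. Anything it deletes is first copied under the backup folder it prints in $BackupRoot, so the "worse state than before" case can be reversed with `reg import` and a copy back of the folder contents. After the run, follow step 12 and watch the definition folders repopulate from LiveUpdate or the management server.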