How to manually purge definitions for the Endpoint Protection Manager (SEPM)

Article ID: 184206

Products

Endpoint Protection

Issue/Introduction

  • Managed Symantec Endpoint Protection (SEP) clients do not update virus definitions when pulling them from the SEPM. The clients can otherwise pull content from the LiveUpdate servers.
  • Corrupt definitions prevent Endpoint Protection (SEP) clients from receiving updates.
  • The SEPM shows old virus definitions in Admin > Server > Local Site > Show LiveUpdate Downloads. LiveUpdate on the SEPM fails, usually with a general Error code 2.
  • Connections to the LiveUpdate Servers have been tested from the SEPM as per Article ID: 15126 and determined to be normal. 

Cause

  • Examine the SEPM's LUX.log (\Symantec Endpoint Protection Manager\tomcat\logs) and the server activity logs in the SEPM under Admin > Servers. These may provide details on the nature of the failure.
  • Test connections to the LiveUpdate Servers from the SEPM as per Article ID: 15126 and confirm that the connection can be established.
  • If the above was attempted and ruled out, one possible cause is that old or corrupted virus definitions present on the SEPM prevent it from updating the SEP clients with new virus definitions. Follow the steps in this KB to confirm or rule out this cause.

Resolution

To clear old or corrupted virus definitions from the SEPM:

  1. Stop the service "Symantec Endpoint Protection Manager". 
    • Click Start > Run.
    • Type "Services.msc".
    • Select the "Symantec Endpoint Protection Manager" service.
    • Select "Stop".

  2. Delete the contents of the following folders:
    • C:\ProgramData\Symantec\LiveUpdate\LiveUpdateDownloads
    • %ProgramFiles(x86)%\symantec\symantec endpoint protection manager\inetpub\content\
    • %programdata%\Symantec\Definitions\SymcData\

  3. Open a command prompt.
    • Change directory to the Symantec Endpoint Protection Manager\bin folder.
      Example: cd C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\bin
    • Run the command: lucatalog -cleanup
    • Once complete, run the command: lucatalog -forcedupdate
       
  4. Start the Symantec Endpoint Protection Manager service. 
     
  5. Log on to Symantec Endpoint Protection Manager Console and launch a LiveUpdate from Admin > Server > Local Site > Download LiveUpdate content.

  6. Verify the correct download/usage of new virus definitions from Admin > Server > Local Site > Show LiveUpdate Downloads.
    Note: Because the last download dates are stored in the database, you may not see this information updated.
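
Steps 1 through 4 above can be scripted so that nothing is deleted while the service is still running. The following PowerShell is an added example, not a vendor-supplied script. It assumes the default install path from the article's example, and treating a non-zero lucatalog exit code as a failure is also an assumption.

```powershell
#Requires -RunAsAdministrator
[CmdletBinding(SupportsShouldProcess)]
param(
    # Assumption: default install location, taken from the article's example path.
    [string]$SepmRoot = "${env:ProgramFiles(x86)}\Symantec\Symantec Endpoint Protection Manager"
)
$ErrorActionPreference = 'Stop'

# Folders named in step 2; only their contents are removed, not the folders.
$folders = @(
    "$env:ProgramData\Symantec\LiveUpdate\LiveUpdateDownloads",
    "$SepmRoot\inetpub\content",
    "$env:ProgramData\Symantec\Definitions\SymcData"
)
$binDir    = Join-Path $SepmRoot 'bin'
$lucatalog = Join-Path $binDir 'lucatalog.exe'
if (-not (Test-Path -LiteralPath $lucatalog)) { throw "lucatalog not found at $lucatalog" }

# Step 1: stop the SEPM service and wait until it has really stopped.
$svc = Get-Service -DisplayName 'Symantec Endpoint Protection Manager'
if ($PSCmdlet.ShouldProcess($svc.DisplayName, 'Stop service')) {
    Stop-Service -InputObject $svc -Force
    $svc.WaitForStatus('Stopped', [TimeSpan]::FromMinutes(5))
}

# Step 2: empty each folder (Remove-Item honours -WhatIf passed to this script).
foreach ($dir in $folders) {
    if (-not (Test-Path -LiteralPath $dir)) { Write-Warning "Skipping missing folder: $dir"; continue }
    Get-ChildItem -LiteralPath $dir -Force | Remove-Item -Recurse -Force
}

# Step 3: run lucatalog from the bin folder, cleanup first, then forced update.
Push-Location -LiteralPath $binDir
try {
    foreach ($arg in '-cleanup', '-forcedupdate') {
        if ($PSCmdlet.ShouldProcess("lucatalog $arg", 'Run')) {
            & $lucatalog $arg
            # Assumption: a non-zero exit code means the command failed.
            if ($LASTEXITCODE -ne 0) { Write-Warning "lucatalog $arg exited with code $LASTEXITCODE" }
        }
    }
} finally { Pop-Location }

# Step 4: start the service again. Steps 5 and 6 are done in the SEPM console.
if ($PSCmdlet.ShouldProcess($svc.DisplayName, 'Start service')) { Start-Service -InputObject $svc }
```

Run it with -WhatIf first to list what would be stopped, deleted and executed without changing anything.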