How to manually purge definitions for the Endpoint Protection Manager (SEPM)
search cancel

How to manually purge definitions for the Endpoint Protection Manager (SEPM)


Article ID: 184206


Updated On:


Endpoint Protection


  • Managed Symantec Endpoint Protection (SEP) clients do not update virus definitions when being pulled from the SEPM. Otherwise the clients can pull content from the LiveUpdate servers. 
  • Corrupt definitions prevent Endpoint Protection (SEP) clients from receiving updates
  • The SEPM shows old virus definitions in Admin > Server > Local Site > Show LiveUpdate Downloads. LiveUpdate on the SEPM will fail Usually with a general Error code 2.
  • Connections to the LiveUpdate Servers have been tested from the SEPM as per Article ID: 15126 and determined to be normal.
  • Examination of the SEPM's LUX.log (\Symantec Endpoint Protection Manager\tomcat\logs) and the server activity logs in the SEPM under Admin > Servers do not provide any details on the nature of the failure.


If the above information is correct, one possible cause is that old or corrupted virus definitions are present on the SEPM and this prevents the SEPM from being able to update the SEP clients with new virus definitions. Follow the steps in the Resolution section to confirm or rule out this cause. 


To clear old or corrupted virus definitions from the SEPM:

  1. Stop the service "Symantec Endpoint Protection Manager". 
    • Click Start > Run.
    • Type "Services.msc".
    • Select the "Symantec Endpoint Protection Manager" service.
    • Select "Stop".

  2. Delete the content of following folders:
    • C:\ProgramData\Symantec\LiveUpdate\LiveUpdateDownloads
    • %ProgramFiles(x86)%\symantec\symantec endpoint protection manager\inetpub\content\
    • %programdata%\Symantec\Definitions\SymcData\

  3. Open command prompt.
    • Change directory to the Symantec Endpoint Protection Manager\bin folder.
      Example: cd C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\bin
    • Run the command: lucatalog -cleanup
    • Once complete, run the command: lucatalog -forcedupdate
  4. Start the Symantec Endpoint Protection Manager service. 
  5. Log on to Symantec Endpoint Protection Manager Console and launch a LiveUpdate from Admin > Server > Local Site > Download LiveUpdate content.

  6. Verify the correct download/usage of new virus definitions from Admin > Server > Local Site >Show LiveUpdate Downloads.
    Note: As the last download dates are stored on the database you may not see this information updated.