To troubleshoot the failure of the Symantec Endpoint Protection (SEP) client's definitions, it can be helpful to remove potentially corrupted definitions from the client.
The following are instructions for removing corrupt or potentially corrupt definitions from a Windows SEP client. Keep in mind that if you follow this procedure and the definitions are not restored, the Windows SEP client may be in a worse state (having no definitions) than it was before (where it was only suspected that the definitions were corrupted). Make a copy of any directory or registry contents you plan to delete.
Note: Disable Tamper Protection on the client before executing the following procedure to avoid getting an "Access is denied" error.
1. Close the client GUI. If the client GUI is open (SymCorpUI.exe is running) it will prevent the shutdown of the Symantec Management Client service in step 4.
2. If the BASHDefs definitions (Proactive Threat Protection) are to be cleared, stop the BASH driver BHDrvx86 or BHDrvx64 as follows (the command below is for the x64 driver; use the x86 driver name on 32-bit systems):
   a. Start a command prompt as administrator.
   b. Run the following command: "sc config bhdrvx64 start= disabled"
   c. The expected result is "ChangeServiceConfig SUCCESS".
   d. Restart the system.
3. If the IDSvia64 definitions (Intrusion Prevention System) are to be cleared, stop the IDS driver IDSvia86 or IDSvia64 as follows (the command below is for the x64 driver):
   a. Start a command prompt as administrator.
   b. Run the following command: "sc config IDSvia64 start= disabled"
   c. The expected result is "ChangeServiceConfig SUCCESS".
   d. Restart the system.
4. Stop the SEP services.
   a. Open Start > Run (or the Start > Search text box).
   b. Enter "smc -stop" to stop the Symantec Management Client (smc.exe) service and the dependent Symantec Endpoint Protection service.
   c. Verify that the SEP system notification area icon disappears.
5. Navigate to the definitions directory: %ProgramData%\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Definitions
6. Delete the subdirectories in question from the list below. For example, to clear the IPS definitions, delete the folder "IPSDefs". To clear all definitions, delete all the folders. Note: If you receive an error indicating that a file or folder is in use, double-check steps 2-4. If the drivers and services are off and the error persists, you can attempt these steps in Safe Mode.
   ACDefs
   AdvMLDefs
   AUDefs
   BASHDefs
   ccSubSDK_SCD_Defs
   EDRDefs
   EfaVTDefs
   HIDefs
   IPSDefs
   IronRevocationDefs
   IronSettingsDefs
   IronWhitelistDefs
   NTRDefs
   PCHDefs
   SDSDefs
   SMRDefs
   SRTSPSettingsDefs
   STICDefs
   SymPlatformDefs
   TDADDefs
   VirusDefs
   WebExtDefs
7. Navigate to the following registry key: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs\
8. For any folder you deleted in step 6, delete the contents of the corresponding registry sub key from the list below. Note: Do not delete the sub keys themselves, only delete their contents.
   ACDefs
   BASHDefs
   ccSubSDK_SCD_Defs
   EDRDefs
   EfaVTDefs
   HIDefs
   IPSDefs
   IronRevocationDefs
   IronSettingsDefs
   IronWhitelistDefs
   NTRDefs
   PCHDefs
   SMRDefs
   SRTSPSettingsDefs
   STICDefs
   SymPlatformDefs
   TDADDefs
   WebExtDefs
   For example, if you are clearing the virus definitions, navigate to the following key: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs\SDSDefs and delete the following registry values:
   SRTSP
   NAVCORP_70
   DEFWATCH_10
9. If the BASHDefs definitions (Proactive Threat Protection) were cleared, start the BASH driver BHDrvx86 or BHDrvx64 as follows:
   a. Start a command prompt as administrator.
   b. Run the following command: "sc config bhdrvx64 start= system"
   c. The expected result is "ChangeServiceConfig SUCCESS".
   d. Restart the system.
10. If the IDSvia64 definitions (Intrusion Prevention System) were cleared, start the IDS driver IDSvia86 or IDSvia64 as follows:
   a. Start a command prompt as administrator.
   b. Run the following command: "sc config IDSvia64 start= system"
   c. The expected result is "ChangeServiceConfig SUCCESS".
   d. Restart the system.
11. Start the SEP services. If you performed step 9 or 10 and restarted the system, this step is not required.
   a. Open Start > Run (or the Start > Search text box).
   b. Enter "smc -start" to restart the Symantec Management Client (smc.exe) and Symantec Endpoint Protection services.
12. In each cleared definitions subdirectory a folder called "newdefs-trigger" should appear; it is itself empty.
13. Monitor the definitions subdirectories to verify that the definition sets are re-acquired.
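The folder and registry steps above (back up, then delete the folder and clear the values under its sub key without removing the sub key), scripted as an added PowerShell example; this is not Symantec tooling. It assumes an elevated prompt, Tamper Protection already disabled and "smc -stop" already run; the parameter names, the backup location and the VirusDefs-to-SDSDefs default mapping (taken from the article's example) are the example's own.

```powershell
# Added example, not Symantec's own tooling: back up, then clear, one SEP
# definition set and the values under its matching SharedDefs sub key.
# Assumes an elevated prompt, Tamper Protection disabled and "smc -stop" run.
# Use -WhatIf to preview the deletions.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Definition folder name as listed in the article, e.g. IPSDefs, BASHDefs.
    [Parameter(Mandatory = $true)][string]$DefName,
    # Sub key under SharedDefs whose values are removed. Defaults to the folder
    # name; the article's example maps the VirusDefs folder to the SDSDefs key.
    [string]$RegName = $(if ($DefName -eq 'VirusDefs') { 'SDSDefs' } else { $DefName }),
    # Backup location (assumption, choose your own).
    [string]$BackupRoot = "$env:SystemDrive\SepDefsBackup"
)
$defsRoot = Join-Path $env:ProgramData 'Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Definitions'
$regRoot  = 'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs'
$defDir   = Join-Path $defsRoot $DefName
$regKey   = Join-Path $regRoot $RegName

# The client GUI and smc.exe must be stopped first, otherwise definition files
# are still in use and the delete fails with "in use" / "Access is denied".
$busy = Get-Process -Name 'SymCorpUI', 'smc' -ErrorAction SilentlyContinue
if ($busy) { throw "Still running, stop first (close GUI, smc -stop): $($busy.Name -join ', ')" }
if (-not (Test-Path $defDir)) { throw "No such definition folder: $defDir" }
if (-not (Test-Path $regKey)) { throw "No such registry key: $regKey" }

# Back up both the folder and the key before touching anything.
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup = Join-Path $BackupRoot "$DefName-$stamp"
New-Item -ItemType Directory -Path $backup -Force | Out-Null
Copy-Item -Path $defDir -Destination $backup -Recurse -Force
$regPath = 'HKLM\' + $regKey.Substring('HKLM:\'.Length)   # reg.exe syntax, no colon
& reg.exe export $regPath (Join-Path $backup "$RegName.reg") /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Registry export failed for $regPath" }

# Delete the definition folder (the article deletes the whole folder).
if ($PSCmdlet.ShouldProcess($defDir, 'Delete definition folder')) {
    Remove-Item -Path $defDir -Recurse -Force
}
# Delete only the values under the sub key; the sub key itself stays.
foreach ($v in (Get-Item $regKey).GetValueNames()) {
    $name = if ($v -eq '') { '(default)' } else { $v }   # unnamed default value
    if ($PSCmdlet.ShouldProcess("$regKey\$name", 'Remove registry value')) {
        Remove-ItemProperty -Path $regKey -Name $name -Force
    }
}
Write-Host "Cleared $DefName; backup in $backup. Run 'smc -start' and watch for newdefs-trigger."
```

Restore by copying the backed-up folder back and double-clicking the exported .reg file if the definitions are not re-acquired.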