Unmounting a file system volume may fail due to the presence of open handles to a SYMEFA.DB file at the root of that volume. This may block the safe ejection of USB drives or the unmounting of other removable media.
Symantec Endpoint Protection (SEP) and other Symantec or Norton antivirus Windows products keep a SYMEFA.DB file at the root of each local volume. This file is used to improve Symantec product performance by keeping track of files that have already been scanned with the current set of virus definitions.
The block should be temporary. Retrying the unmount operation should succeed.
If such operations continue to be blocked for a certain volume, you may exclude it from SymEFA. SEP version 12.1 RU6 and newer include SymEFA exclusion functionality. To exclude a volume from SymEFA, please do the following.
- Disable Tamper Protection or reboot to safe mode.
- Create SymEFA Volume Exclusion in registry. Add a "VolumeNoPersist" multi-string value to the key below:
and set its value to the volume or list of volumes to exclude. For example, to exclude volumes 3 and 4:
An entry without a number (i.e. \Device\HarddiskVolume) will exclude all volumes except the system volume.
- Reboot and verify that no open handles to SYMEFA.DB exist for the excluded volumes. This can be done with a tool like Process Explorer and its Find menu, "Find Handle or DLL", and searching for "symefa".
To confirm volume number(s), use diskpart and "list volume" command to display a list of local volume numbers. Add one to the volume number displayed by diskpart. For example, to exclude Volume 3 listed by diskpart, use \Device\HarddiskVolume4 in VolumeNoPersist.