How to check if virus definitions are corrupted in SEP 11/12?
One or more of these symptoms might be seen on a SEP client:
- Many numbered folders inside the VirusDefs folder
- Tmp folders inside the VirusDefs folder
- LiveUpdate does not update virus definitions
- SEP clients are not showing the latest available virus definitions
- SEP clients show errors in the main user interface related to the Auto-Protect engine
Many different scenarios can cause virus definition corruption, most often network interruptions or an interruption of the LiveUpdate process while virus definitions are being updated.
To check the integrity of the virus definition folders, open the directory:
You should see some numbered folders named by date in the format YearMonthDay.Rev (example: 20091122020 for 22 November 2009, rev. 20), plus the folders:
- BinHub
- Incoming
- TextHub
and the files:
- Definfo.dat
- Usage.dat
(You may also see some .DB files, which is normal. See KB TECH95798, "What is the .db File in the VirusDefs Folder?", for more details.)
Example screen shot:
If there are up to 3 numbered folders, this is the normal behavior of a SEP client.
Having more than 3 folders is not always a cause for concern either, but a high number of virus definition folders retained for a long period of time may indicate underlying virus definition corruption.
DefUtils is the process that controls when old AV definitions and IPS signature content are purged. The SEP cache size setting of 3 guarantees that at least that many revisions are cached, but DefUtils may hold on to additional sets if other components are registered for them.
Other checks that may point to virus definition corruption are:
- Temporary folders, identified by a .tmp extension or a "tmp" string in the name. (If there are tmp files and also a lulock.dat file, LiveUpdate is currently running and updating virus definitions. This is a normal process: wait a few minutes, check that no LU*.exe process is running, then check the VirusDefs folder again.)
- Any files in the VirusDefs\Incoming folder.
- Mismatching information in the Definfo.dat and Usage.dat files:
Open the Definfo.dat file with a text editor and verify that the "CurDefs" value equals the most recent folder and that the "LastDefs" value equals the previously dated folder. In the example of the above screen shot, the Definfo.dat file should look like this:
Note: From version 4.0 of DefUtils, the LastDefs tag in Definfo.dat is no longer updated:
DefUtils versions prior to 4.0 had two values in definfo.dat: curdefs and lastdefs.
From 4.0 onwards (which began shipping with SEP 11 MR4 MP2), DefUtils on Windows does not create or update the LastDefs key in definfo.dat.
(SEP 11 RU5 has version 4.1.1 of DefUtils, see release notes KB:
This change was made to prevent another copy of the definitions from being present on the machine.
So LastDefs will only exist where definfo.dat was migrated from a previous install.
If a set of defs came with the migration and was marked as LastDefs in definfo.dat, it will remain on the machine forever.
Also, DefUtils will revert to the defs marked as LastDefs if the entry exists.
There will also probably be two changes in version 4.3:
1) If the LastDefs key is seen, delete it from definfo.dat and delete the defs if there is no usage associated with them.
2) Do not read the LastDefs key while reverting to the last good defs.
Open the Usage.dat file with a text editor and verify that all virus definition folders are included in this file. In the example of the above screen shot, the Usage.dat file should look like this:
In SEP 11 you can have 3 different virus definition folders used as cache, identified in the Usage.dat file as "SepCache1/2/3=1".
When virus definitions are downloaded from a SEPM they are cached, so you will see different folders listed in the Usage.dat file. But if the SEP client receives its updates from an internet LiveUpdate server, all cached tags may point to the same folder. An example of such a Usage.dat looks like this:
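Pulling the checks above together, the following script is an added example (not part of the original article and not Symantec's own tooling): given a VirusDefs directory listing, the contents of the Incoming folder, and the text of Definfo.dat and Usage.dat, it reports the dated-folder, tmp, Incoming, CurDefs/LastDefs and Usage.dat mismatches the article describes. It assumes both .dat files use INI-style key=value lines, with Usage.dat sections named after the definition folders; the sample data is constructed.

```python
import re
from typing import Dict, List

# Constructed sample input (not taken from a real client): three dated definition folders, the hub
# folders, and Definfo.dat / Usage.dat contents that agree with them, as the article describes.
SAMPLE_FOLDERS = ["20091120003", "20091121007", "20091122020", "BinHub", "Incoming", "TextHub"]
SAMPLE_DEFINFO = "[DefDates]\nCurDefs=20091122020\nLastDefs=20091121007\n"
SAMPLE_USAGE = "[20091120003]\nSepCache3=1\n[20091121007]\nSepCache2=1\n[20091122020]\nSepCache1=1\n"

DEF_FOLDER = re.compile(r"^\d{11}$")  # YYYYMMDD followed by a 3-digit revision, e.g. 20091122020


def parse_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI reader: section name -> {lower-cased key: value}. The INI layout is assumed."""
    sections: Dict[str, Dict[str, str]] = {}
    current = ""
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            sections.setdefault(current, {})[key.strip().lower()] = value.strip()
    return sections


def check_virusdefs(folders, incoming, definfo_text, usage_text, lulock=False) -> List[str]:
    """Run the article's consistency checks; an empty list means nothing was flagged."""
    findings: List[str] = []
    defs = sorted(f for f in folders if DEF_FOLDER.match(f))  # oldest first, newest last
    if not defs:
        return ["no dated definition folders found"]
    if len(defs) > 3:
        findings.append(f"{len(defs)} definition folders retained (cache size is 3); suspect if persistent")
    tmp = [f for f in folders if "tmp" in f.lower()]
    if tmp:
        why = "LiveUpdate still running (lulock.dat present), re-check later" if lulock else "temporary folders present"
        findings.append(f"{why}: {', '.join(tmp)}")
    if incoming:
        findings.append(f"{len(incoming)} file(s) left in VirusDefs\\Incoming")
    # CurDefs must name the newest folder; LastDefs (present only on migrated installs) the previous one.
    definfo = {k: v for sec in parse_ini(definfo_text).values() for k, v in sec.items()}
    if definfo.get("curdefs") != defs[-1]:
        findings.append(f"CurDefs={definfo.get('curdefs')} but newest folder is {defs[-1]}")
    if "lastdefs" in definfo and len(defs) > 1 and definfo["lastdefs"] != defs[-2]:
        findings.append(f"LastDefs={definfo['lastdefs']} but previous folder is {defs[-2]}")
    # Every dated folder should have its own section in Usage.dat (section naming is assumed).
    missing = [d for d in defs if d not in parse_ini(usage_text)]
    if missing:
        findings.append(f"folders absent from Usage.dat: {', '.join(missing)}")
    return findings
```

Feed it `os.listdir()` of the VirusDefs and Incoming folders plus the two files read as text; an empty result means the checks in this article all pass, and a tmp finding with lulock set just means LiveUpdate is still running.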
If virus definitions appear to be corrupted (you see tmp files and/or there is a mismatch between the virus definition folders and the Definfo.dat/Usage.dat files), use the following KB to clean up and restore the virus definitions:
- How to clear out corrupted definitions for a Symantec Endpoint Protection Client manually - TECH103176
For Symantec AntiVirus 10.x, see TECH99824 - How to determine if virus definitions used by Symantec AntiVirus Corporate Edition are corrupted.
Imported Document ID: TECH97677