How to clear out corrupted definitions for a Symantec Endpoint Protection Client manually.
Question/Issue:
How to fix and rebuild corrupted definitions for a Symantec Endpoint Protection Client.
Solution:
DISCLAIMER: The following instructions are for the Symantec Endpoint Protection product ONLY. If there are any other Symantec products installed on the system that share the virus definitions, please contact Symantec Technical Support.
Instructions for 32-bit Operating Systems:
For Windows 2000/2003/XP
- Stop the Symantec Endpoint Protection Services:
  - Click the Start button and then click Run
  - Type services.msc and click OK
  - Right-click Symantec Management Client and click Stop.
  - Right-click Symantec Endpoint Protection and click Stop.
  - Minimize the Services window
  Note: If you are unable to stop the Symantec Management Client, you will need to temporarily disable Tamper Protection. Please see the Technical Information at the bottom of this document for instructions.
- Delete the data from the Definition folders:
  - Virus Definitions
    C:\Program Files\Common Files\Symantec Shared\VirusDefs\
    - Delete all files and subfolders
  - Delete the downloaded data in the c:\documents and settings\all users\application data\symantec\liveupdate\downloads folder
WARNING: In the next steps you will edit the Windows registry. Back up the registry before you make any changes to it, because incorrect changes to the registry can result in permanent data loss or corrupted files. Modify only the registry values that are specified. For instructions, see How to back up the Windows registry.
- Delete the data from the registry:
  - Click the Start button and then click Run
  - Type regedit and click OK
  - Navigate to:
    HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SharedDefs
  - Delete the following values:
    - SRTSP
    - NAVCORP_70
    - DEFWATCH_10
    - SepCache3
    - SepCache2
    - SepCache1
- Restart the Symantec Endpoint Protection Services:
  - Maximize the Services window.
  - Right-click Symantec Management Client service and click Start.
  - Right-click Symantec Endpoint Protection service and click Start.
For Windows Vista/Server 2008
- Stop the Symantec Endpoint Protection Services:
  - Click the Start button.
  - In the search bar type services and then press Enter.
  Note: If the User Account Control prompt pops up, click Continue.
  - Right-click Symantec Management Client and click Stop.
  - Right-click Symantec Endpoint Protection and click Stop.
  Note: If you are unable to stop the Symantec Management Client, you will need to temporarily disable Tamper Protection. Please see the Technical Information at the bottom of this document for instructions.
- Delete the data from the Definition folders:
  - Virus Definitions
    C:\ProgramData\Symantec\Definitions\VirusDefs\
    - Delete all files and subfolders
WARNING: In the next steps you will edit the Windows registry. Back up the registry before you make any changes to it, because incorrect changes to the registry can result in permanent data loss or corrupted files. Modify only the registry values that are specified. For instructions, see How to back up the Windows registry.
- Delete the data from the registry:
  - Click the Start button
  - Type regedit and press Enter
  - Navigate to:
    HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SharedDefs
  - Delete the following values:
    - SRTSP
    - NAVCORP_70
    - DEFWATCH_10
    - SepCache3
    - SepCache2
    - SepCache1
- Restart the Symantec Endpoint Protection Services:
  - Maximize the Services window.
  - Right-click Symantec Management Client and click Start.
  - Right-click Symantec Endpoint Protection and click Start.
Instructions for 64-bit Operating Systems:
For Windows 2000/2003/XP
- Stop the Symantec Endpoint Protection Services:
  - Click the Start button and then click Run
  - Type services.msc and click OK
  - Right-click Symantec Management Client and click Stop.
  - Right-click Symantec Endpoint Protection and click Stop.
  - Minimize the Services window
  Note: If you are unable to stop the Symantec Management Client, you will need to temporarily disable Tamper Protection. Please see the Technical Information at the bottom of this document for instructions.
- Delete the data from the Definition folders:
  - Virus Definitions
    C:\Program Files (x86)\Common Files\Symantec Shared\VirusDefs\
    - Delete all files and subfolders
WARNING: In the next steps you will edit the Windows registry. Back up the registry before you make any changes to it, because incorrect changes to the registry can result in permanent data loss or corrupted files. Modify only the registry values that are specified. For instructions, see How to back up the Windows registry.
- Delete the data from the registry:
  - Click the Start button and then click Run
  - Type regedit and click OK
  - Navigate to:
    HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Symantec\SharedDefs
  - Delete the following values:
    - SRTSP
    - NAVCORP_70
    - DEFWATCH_10
    - SepCache3
    - SepCache2
    - SepCache1
- Restart the Symantec Endpoint Protection Services:
  - Maximize the Services window.
  - Right-click Symantec Management Client service and click Start.
  - Right-click Symantec Endpoint Protection service and click Start.
For Windows Vista/Server 2008
- Stop the Symantec Endpoint Protection Services:
  - Click the Start button.
  - In the search bar type services and then press Enter.
  Note: If the User Account Control prompt pops up, click Continue.
  - Right-click Symantec Management Client and click Stop.
  - Right-click Symantec Endpoint Protection and click Stop.
  Note: If you are unable to stop the Symantec Management Client, you will need to temporarily disable Tamper Protection. Please see the Technical Information at the bottom of this document for instructions.
- Delete the data from the Definition folders:
  - Virus Definitions
    C:\ProgramData\Symantec\Definitions\VirusDefs\
    - Delete all files and subfolders
WARNING: In the next steps you will edit the Windows registry. Back up the registry before you make any changes to it, because incorrect changes to the registry can result in permanent data loss or corrupted files. Modify only the registry values that are specified. For instructions, see How to back up the Windows registry.
- Delete the data from the registry:
  - Click the Start button
  - Type regedit and press Enter
  - Navigate to:
    HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Symantec\SharedDefs
  - Delete the following values:
    - SRTSP
    - NAVCORP_70
    - DEFWATCH_10
    - SepCache3
    - SepCache2
    - SepCache1
- Restart the Symantec Endpoint Protection Services:
  - Maximize the Services window.
  - Right-click Symantec Management Client and click Start.
  - Right-click Symantec Endpoint Protection and click Start.
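A read-only pre-flight check for the procedures above, written as an added PowerShell example (not part of the original Symantec article): it reports the state of the two services, backs up each SharedDefs key that exists with reg.exe export, and lists which of the six values and which definition folders are present. The $BackupDir parameter and its default location are assumptions; run it from an elevated prompt before and after the manual steps.

```powershell
# Added example: pre-flight check and registry backup. Deletes nothing,
# stops no services. Assumption: elevated PowerShell prompt on the client.
param(
    [string]$BackupDir = "$env:TEMP\SEP-SharedDefs-backup"   # assumed location
)

# Registry key paths and value names exactly as listed in the article.
$keys = @(
    'HKLM:\SOFTWARE\Symantec\SharedDefs',                # 32-bit OS
    'HKLM:\SOFTWARE\WOW6432Node\Symantec\SharedDefs'     # 64-bit OS
)
$valueNames = 'SRTSP','NAVCORP_70','DEFWATCH_10','SepCache3','SepCache2','SepCache1'

# Definition folders named in the article (2000/2003/XP and Vista/2008 layouts).
$defFolders = @(
    'C:\Program Files\Common Files\Symantec Shared\VirusDefs',
    'C:\Program Files (x86)\Common Files\Symantec Shared\VirusDefs',
    'C:\ProgramData\Symantec\Definitions\VirusDefs'
)

# 1. Service state, looked up by the display names shown in services.msc.
Get-Service -DisplayName 'Symantec Management Client','Symantec Endpoint Protection' `
    -ErrorAction SilentlyContinue |
    ForEach-Object { "{0}: {1}" -f $_.DisplayName, $_.Status }

# 2. Back up each SharedDefs key that exists, then report the listed values.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'   # unique name, so no overwrite prompt
foreach ($key in $keys | Where-Object { Test-Path $_ }) {
    $native = $key -replace '^HKLM:', 'HKEY_LOCAL_MACHINE'
    $file   = Join-Path $BackupDir (($native -replace '[\\:]', '_') + "-$stamp.reg")
    & reg.exe export $native $file | Out-Null
    "Backed up $native -> $file"

    $props = Get-ItemProperty -Path $key
    foreach ($name in $valueNames) {
        $state = if ($null -ne $props.PSObject.Properties[$name]) { 'present' } else { 'absent' }
        "  {0,-12} {1}" -f $name, $state
    }
}

# 3. Count what sits in each definition folder that exists.
foreach ($folder in $defFolders | Where-Object { Test-Path $_ }) {
    $count = @(Get-ChildItem -Path $folder -Recurse -Force -ErrorAction SilentlyContinue).Count
    "$folder : $count items"
}
```

After the services are restarted and definitions have been rebuilt, a second run should show the folders repopulated; the exported .reg files can be used to restore the key if a wrong value was removed.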
Technical Information:
How to disable Tamper Protection:
- Open and log into the Symantec Endpoint Protection Manager console
- Click the Clients view.
- Select the appropriate group.
- Under the Policies tab, in the "Settings" section, click General Settings.
- Under the Tamper Protection tab, uncheck Protect Symantec security software from being tampered with or shut down.
- Click OK.
References:
In some instances, Symantec Technical Support may recommend the use of an unsupported tool that automates the removal of corrupted SEP definitions. For details, please see Using the "Rx4DefsSEP" utility at http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009032409384048
Document ID: 2007123111551948
Last Modified: 09/30/2009
Date Created: 12/31/2007
Operating System(s): Windows 2000 Professional, Windows 2000 Server/Advanced Server, Windows XP Home Edition, Windows XP Professional Edition, Windows Server 2003 Web/Standard/Enterprise/Datacenter Edition, Windows Vista
Product(s): Endpoint Protection 11
Release(s): Endpoint Protection 11 [All Releases]