
How to clear out definitions for a Symantec Endpoint Protection 12.1 client manually

Article: HOWTO59193 | Created: 2011-09-08 | Updated: 2013-06-24 | Article URL: http://www.symantec.com/docs/HOWTO59193

Article Type: How To

To troubleshoot the failure of the Symantec Endpoint Protection 12.1 (SEP) client to operate correctly or update its definitions, it can be helpful to remove potentially corrupted definitions from the client. The following are instructions for removing corrupt or potentially corrupt definitions from a SEP 12.1 client.

Important: if you follow this procedure and the definitions are not restored, the SEP 12.1 client may be in a worse state (having no definitions at all) than it was before (when it was only suspected that the definitions were corrupted). Make a copy of any directory or registry contents you plan to delete.

Note: Disable Tamper Protection on the client before executing the following procedure to avoid getting an "Access is denied" error.

1. Close the client GUI. If the client GUI is open (SymCorpUI.exe is running) it will prevent the shutdown of the Symantec Management Client service in the next step.

2. If the BASHDefs definitions (Proactive Threat Protection) are to be cleared, stop the BASH driver, BHDrvx86 (32-bit Windows) or BHDrvx64 (64-bit Windows):
   a. Open the Device Manager (devmgmt.msc).
   b. Choose View > Show hidden devices and look for the driver under 'Non-Plug and Play Drivers'.
   c. Right-click the driver and choose Properties.
   d. Select the 'Driver' tab to access the Startup Type option.
   e. Set Startup Type to 'Disabled'.
   f. Click 'OK' and reboot the system.

3. In the Start > Run menu option (or Start > Search text box) enter 'smc -stop' to stop the Symantec Management Client (smc.exe) service and the dependent Symantec Endpoint Protection service. Verify that the SEP system tray icon disappears.

4. Delete the contents (not the directory itself) of the definitions directories in question. The definition directories are sub-directories of the path
   <drive:>\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Definitions (Windows XP / Server 2003)
   or
   <drive:>\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Definitions (Windows Vista and later)
   and include the following:
   BashDefs
   ccSubSDK_SCD_Defs
   EfaVTDefs
   HIDefs
   IPSDefs
   IronRevocationDefs
   IronSettingsDefs
   IronWhitelistDefs
   SRTSPSettingsDefs
   VirusDefs
   For example, to clear the virus definitions, delete the contents of "VirusDefs" but not the folder "VirusDefs" itself. If you receive an error indicating that a file or folder is in use, you can delete the content by rebooting into Safe Mode.

5. If you are clearing the virus definitions, delete the following registry values in the key
   HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs
   SRTSP
   NAVCORP_70
   DEFWATCH_10
   SepCache3
   SepCache2
   SepCache1

6. Clear the registry values within the appropriate sub-keys of
   HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs
   that correspond to the definitions directories you cleared. In both the registry and the file system, do not delete the folder/key that reflects the name of the definitions; only delete the files/values contained in that folder/key. In other words, do not delete the following sub-keys (only their contents):
   BASHDefs
   ccSubSDK_SCD_Defs
   HIDefs
   IPSDefs
   IronRevocationDefs
   IronSettingsDefs
   IronWhitelistDefs
   MicroDefs
   EfaVTDefs (12.1.2+)
   SRTSPSettingsDefs (12.1.2+)

7. If the BASHDefs definitions (Proactive Threat Protection) were cleared, start the BASH driver, BHDrvx86 or BHDrvx64, again:
   a. Open the Device Manager (devmgmt.msc).
   b. Choose View > Show hidden devices and look for the driver under 'Non-Plug and Play Drivers'.
   c. Right-click the driver and choose Properties.
   d. Select the 'Driver' tab to access the Startup Type option.
   e. Set Startup Type to 'System'.
   f. Click 'OK' and reboot the system.

8. If you did not perform the previous step and reboot the system, then in the Start > Run menu option (or Start > Search text box) enter 'smc -start' to restart the Symantec Management Client (smc.exe) and Symantec Endpoint Protection services.

9. In each cleared definitions sub-directory an empty folder called 'newdefs-trigger' should appear.

10. Monitor the definitions sub-directories to verify that definition sets are re-acquired.
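The following PowerShell script is an added example that walks through steps 1 and 3 to 6 and 8 to 10 of the procedure above, with the backup the article asks for taken before anything is deleted. It is not Symantec's own tooling. It assumes Tamper Protection is already disabled, a Windows Vista or later client (the ProgramData path), that smc.exe is either registered under App Paths (which is how Start > Run finds it) or on PATH, and it leaves the BASH driver handling of steps 2 and 7 to Device Manager, refusing to touch BASHDefs while the driver is still reported as running. The parameter and function names ($DefSets, $BackupRoot, Resolve-Smc) are this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example (not Symantec code): clear selected SEP 12.1 definition sets with a backup first.
param(
    # Definition folder names as listed in step 4 of the article
    [string[]]$DefSets = @('VirusDefs'),
    # Where copies of deleted directory contents and the exported registry key are kept
    [string]$BackupRoot = "$env:TEMP\SEPDefsBackup_$(Get-Date -Format yyyyMMdd_HHmmss)"
)
$ErrorActionPreference = 'Stop'

$DefsRoot      = Join-Path $env:ProgramData 'Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Definitions'
$SharedDefsKey = 'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs'
$SharedDefsReg = 'HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs'
# Values step 5 says to remove from SharedDefs when VirusDefs is cleared
$VirusDefsValues = 'SRTSP', 'NAVCORP_70', 'DEFWATCH_10', 'SepCache3', 'SepCache2', 'SepCache1'

function Resolve-Smc {
    # Start > Run resolves 'smc' through App Paths; PowerShell does not, so check there first (assumed
    # registration), then fall back to PATH.
    $appPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\smc.exe'
    if (Test-Path $appPath) { return (Get-ItemProperty $appPath).'(default)' }
    return 'smc.exe'
}

if (-not (Test-Path $DefsRoot)) { throw "Definitions root not found: $DefsRoot" }

# Step 2 guard: BASHDefs must not be cleared while the BASH driver is loaded.
if ($DefSets -contains 'BASHDefs') {
    $drv = if ([Environment]::Is64BitOperatingSystem) { 'BHDrvx64' } else { 'BHDrvx86' }
    if (((& sc.exe query $drv) -join ' ') -match 'RUNNING') {
        throw "$drv is still running. Set its Startup Type to Disabled in Device Manager and reboot first."
    }
}

# Step 1: close the client GUI so the Symantec Management Client service can stop.
Get-Process SymCorpUI -ErrorAction SilentlyContinue | Stop-Process -Force

# Step 3: stop the services; smc returns before the services are fully down, so wait briefly.
$smc = Resolve-Smc
& $smc -stop
Start-Sleep -Seconds 15

# Backup before deleting anything, as the article requires.
New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null
& reg.exe export $SharedDefsReg (Join-Path $BackupRoot 'SharedDefs.reg') /y | Out-Null

foreach ($set in $DefSets) {
    $dir = Join-Path $DefsRoot $set
    if (-not (Test-Path $dir)) { Write-Warning "$dir not found, skipping"; continue }

    # Step 4: copy the folder, then delete only its contents; the folder itself stays.
    Copy-Item -Path $dir -Destination (Join-Path $BackupRoot $set) -Recurse -Force
    Get-ChildItem -Path $dir -Force | Remove-Item -Recurse -Force

    # Step 6: delete the values under the matching sub-key; the sub-key itself stays.
    $subKey = Join-Path $SharedDefsKey $set
    if (Test-Path $subKey) {
        (Get-Item $subKey).GetValueNames() | Where-Object { $_ -ne '' } | ForEach-Object {
            Remove-ItemProperty -Path $subKey -Name $_
        }
    }
}

# Step 5: the VirusDefs-specific values that live directly under SharedDefs.
if ($DefSets -contains 'VirusDefs') {
    foreach ($name in $VirusDefsValues) {
        Remove-ItemProperty -Path $SharedDefsKey -Name $name -ErrorAction SilentlyContinue
    }
}

# Step 8: restart the services.
& $smc -start

# Steps 9 and 10: expect an empty 'newdefs-trigger' folder, then watch for a new definition set.
foreach ($set in $DefSets) {
    $dir = Join-Path $DefsRoot $set
    $deadline = (Get-Date).AddMinutes(15)
    do {
        Start-Sleep -Seconds 30
        $trigger = Test-Path (Join-Path $dir 'newdefs-trigger')
        $content = @(Get-ChildItem $dir -Force | Where-Object Name -ne 'newdefs-trigger')
        Write-Host ("{0}: newdefs-trigger present={1}, entries={2}" -f $set, $trigger, $content.Count)
    } until ($content.Count -gt 0 -or (Get-Date) -gt $deadline)
    if ($content.Count -eq 0) {
        Write-Warning "$set was not re-acquired within 15 minutes; backup is at $BackupRoot"
    }
}
```

Run it as `.\Clear-SepDefs.ps1 -DefSets VirusDefs,IPSDefs` from an elevated PowerShell. If a Remove-Item call fails with "in use", the article's Safe Mode fallback still applies; the script has already taken the backup, so the remaining files can be removed by hand after the reboot. To restore, copy the saved folder back into place and double-click SharedDefs.reg (or `reg.exe import`) with the services stopped.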
