Symantec has had a problem with virus definition corruption in the past few versions. I must say the way it fails in version 10.0.2 is rather annoying. In versions 8 and 9 it would fail by having the service stop, and the client would no longer contact the parent server. So you would have to audit for missing machines in the SSC (Symantec System Center) or use a product like SMS to look for systems with stopped Symantec AntiVirus services. There is also an application log event indicating virus definition corruption.
In 10.0.2, the client still reports into the SSC, but it often does not list a scan engine number, and the definition number does not update. This is better because you can look for systems that are online with out-of-date definitions or a blank scan engine number.
The part I find a problem is that in the application log of the afflicted computer, it says “virus definitions are current.” There is no indication to the user that their SAV is broken. When you look at c:\program files\common files\symantec shared\virusdefs, I am seeing virus defs from a couple of days ago, even though the SSC is reporting one of the older defs as being in force.
So how do I fix it when I get into this situation? I’ve heard of some people at other companies who would replace the contents of c:\program files\common files\symantec shared\virusdefs\ and c:\documents and settings\all users\application data\symantec\… I guess I’m a bit scared to do that. I wonder if I have to match the OS version. Do I have to match SAV versions? Writing scripts saves time in the long run, but unfortunately you have to make time now to get it right. I just don’t have that time. So I do things the manual way.
The Manual Way
In c:\program files\common files\symantec shared\virusdefs:
1. Delete the most recent folder containing a virus def. In this case it’s 20061025.039.
2. Edit definfo.dat to match the reduced set of virus defs. In this case CurDefs changes to 20061024.020 and LastDefs changes to 20060930.002.
3. Edit usage.dat. There should be one “date” indication followed by a list of SAV components. In my case I see:
This is wrong; there should be only one date. Remove [20061025.039] and change the “date” at the top to match your most recent virusdefs. In this case it’s 20061024.020. I suspect my problems are caused by doing upgrades and leaving both navcorp_70 and navcorp_70_1 in there. But I’m not sure about that.
4. Symantec says to check the incoming folder, which has rarely had anything in it. It should be empty.
5. If you see any folders ending in .tmp, delete them.
Next go to c:\documents and settings\all users\application data\symantec\Symantec AntiVirus Corporate Edition\7.5\. I remove all the files in this directory (not the folders). I then remove all the folders in the i2_ldvp.vdb folder.
Stop and then start the Symantec AntiVirus service. If everything is happy it should create a new folder with today’s defs in the virusdefs directory (assuming you are on a corporate network getting updates through VDTM); otherwise run LiveUpdate.
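Since the fix above is a handful of filesystem edits that are easy to get wrong by hand, here is the same procedure as an audit-then-rollback script. This is an added example, not Symantec’s tooling and not a script from the post: it assumes definfo.dat is an INI file with a [DefDates] section holding CurDefs and LastDefs, that usage.dat is an INI file whose date “sections” are named [YYYYMMDD.NNN], and that definition folders are named the same way. The sample virusdefs tree it builds is constructed to reproduce the state described in the post; point audit() and rollback() at the real c:\program files\common files\symantec shared\virusdefs path instead, and keep dry_run=True until the planned actions look right.

```python
import configparser
import os
import re
import shutil
import tempfile

DEF_NAME = re.compile(r"^\d{8}\.\d{3}$")  # definition-set folder names, e.g. 20061025.039


def _read_ini(path):
    # Assumption: definfo.dat and usage.dat are INI-style; tolerate value-less lines.
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cp.optionxform = str  # keep component names such as NAVCORP_70 as written
    cp.read(path)
    return cp


def _write_ini(cp, path):
    with open(path, "w") as fh:
        cp.write(fh, space_around_delimiters=False)  # key=value, no padding


def _dirs_ending_tmp(root):
    return sorted(d for d in os.listdir(root)
                  if d.lower().endswith(".tmp") and os.path.isdir(os.path.join(root, d)))


def def_folders(root):
    """Definition-set folders under virusdefs, oldest first (names sort chronologically)."""
    return sorted(d for d in os.listdir(root)
                  if DEF_NAME.match(d) and os.path.isdir(os.path.join(root, d)))


def audit(root):
    """Return (problem, detail) pairs for the inconsistencies the post lists; [] means clean."""
    problems = []
    folders = def_folders(root)
    tmp = _dirs_ending_tmp(root)
    if tmp:
        problems.append(("tmp-folders", ",".join(tmp)))
    incoming = os.path.join(root, "incoming")
    if os.path.isdir(incoming) and os.listdir(incoming):
        problems.append(("incoming-not-empty", ",".join(sorted(os.listdir(incoming)))))
    cur = _read_ini(os.path.join(root, "definfo.dat")).get("DefDates", "CurDefs", fallback=None)
    if cur is None or cur not in folders:
        problems.append(("curdefs-no-folder", str(cur)))
    elif cur != folders[-1]:
        problems.append(("curdefs-not-newest", f"CurDefs={cur} newest={folders[-1]}"))
    dates = [s for s in _read_ini(os.path.join(root, "usage.dat")).sections() if DEF_NAME.match(s)]
    if len(dates) != 1:  # the post's symptom: more than one "date" block in usage.dat
        problems.append(("usage-date-count", ",".join(dates)))
    elif dates[0] != cur:
        problems.append(("usage-date-mismatch", f"usage={dates[0]} CurDefs={cur}"))
    return problems


def rollback(root, dry_run=True):
    """The post's manual steps as code: drop the newest set, point definfo.dat at the
    previous one, collapse usage.dat to a single date section, remove *.tmp folders.
    Returns the planned actions; with dry_run=True nothing on disk is changed."""
    folders = def_folders(root)
    if len(folders) < 2:
        raise ValueError("need at least two definition sets to roll back")
    drop, cur = folders[-1], folders[-2]
    last = folders[-3] if len(folders) > 2 else cur  # assumption: LastDefs = set before CurDefs
    tmp = _dirs_ending_tmp(root)
    actions = [f"rmdir {drop}", f"definfo.dat CurDefs={cur} LastDefs={last}",
               f"usage.dat -> single section [{cur}]"] + [f"rmdir {d}" for d in tmp]
    if dry_run:
        return actions
    for d in [drop] + tmp:
        shutil.rmtree(os.path.join(root, d))
    info = _read_ini(os.path.join(root, "definfo.dat"))
    if not info.has_section("DefDates"):
        info.add_section("DefDates")
    info["DefDates"]["CurDefs"], info["DefDates"]["LastDefs"] = cur, last
    _write_ini(info, os.path.join(root, "definfo.dat"))
    usage = _read_ini(os.path.join(root, "usage.dat"))
    merged = {}  # component list gathered from every date section, so nothing is lost
    for section in [s for s in usage.sections() if DEF_NAME.match(s)]:
        merged.update(usage.items(section))
        usage.remove_section(section)
    usage.add_section(cur)
    for key, value in merged.items():
        usage[cur][key] = value
    _write_ini(usage, os.path.join(root, "usage.dat"))
    return actions


def build_sample():
    """Constructed virusdefs tree reproducing the state in the post (not captured from a host)."""
    root = tempfile.mkdtemp(prefix="virusdefs_")
    for d in ("20060930.002", "20061024.020", "20061025.039", "incoming", "nav_tmp.tmp"):
        os.mkdir(os.path.join(root, d))
    with open(os.path.join(root, "definfo.dat"), "w") as fh:
        fh.write("[DefDates]\nCurDefs=20061025.039\nLastDefs=20061024.020\n")
    with open(os.path.join(root, "usage.dat"), "w") as fh:
        fh.write("[20061024.020]\nNAVCORP_70=1\nNAVCORP_70_1=1\n[20061025.039]\nNAVCORP_70_1=1\n")
    return root


if __name__ == "__main__":
    sample = build_sample()
    print("before:", audit(sample))
    print("plan:  ", rollback(sample, dry_run=True))
    rollback(sample, dry_run=False)
    print("after: ", audit(sample))
```

The audit is the part worth running on a schedule: a machine whose usage.dat has grown a second date section, or whose CurDefs no longer matches the newest folder on disk, is exactly the client that will keep telling the SSC an old definition number while its own event log says “virus definitions are current”. Stopping and starting the service after the rollback is still a manual step here, deliberately, so the script never touches a running scanner.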
This rant seems to have turned into a knowledge base article. Keep in mind that symantec.com/techsupp is a much better place to get Symantec help. I’m just rattling off some thoughts.
This is rather weird: every system has the 20061024.020 and the 20061025.039 defs in the folder but reports a previous def version. How very odd.