How to manually repair or backdate virus definitions for Symantec AntiVirus Corporate Edition 8.x and 9.x

Question/Issue:
You updated the virus definitions on a computer that is running Symantec AntiVirus Corporate Edition, and now you see one or more of the following symptoms:
  - The Symantec AntiVirus service fails to start.
  - The number of Scan Omission errors in the Event Log is larger than normal.
You need to know how to revert to an earlier set of virus definitions.

Solution:


Before you begin:
Do not run the *x86.exe Intelligent Updater on an AntiVirus server that manages clients. Use the .xdb file instead.
For help with this, read the document Updating virus definitions for Symantec AntiVirus Corporate Edition 8.x and 9.x.

To backdate virus definitions for Symantec AntiVirus 10.x, follow the directions in the document How to revert to the previous definition set using Symantec System Center.

If you use Symantec AntiVirus 10.x, do not attempt to manually repair virus definitions. Symantec AntiVirus 10.x includes an automatic definition repair feature. If Symantec AntiVirus 10.x virus definitions remain corrupted, contact Symantec Technical Support for assistance.

Backdating definitions manually

To stop all Symantec services that use virus definitions

  1. Stop the following services:
  2. Navigate to the Usage.dat file in the VirusDefs folder, <drive>:\Program Files\Common Files\Symantec Shared\VirusDefs.
  3. Open the Usage.dat file in a text editor, such as Notepad.exe.
  4. Look for Qsadmin. If this entry exists, then stop the Symantec Central Quarantine, Symantec Quarantine Agent, and Symantec Quarantine Scanner services.
  5. If you have other Symantec products installed, then you may need to stop the services related to these products before you can delete folders.

To remove the most recent virus definition folder
  1. Open Windows Explorer, and then go to the folder C:\Program Files\Common Files\Symantec Shared\VirusDefs.
  2. Verify that the following folders and files are contained within the VirusDefs folder. If any of these folders are missing, then contact technical support for assistance and to provide us with information for tracking this problem:
  3. Remove the most recent virus definitions folder. You may need to delete more than one virus definition folder, but it is important that at least one numbered virus definition folder remains.
  4. Identify the name of the remaining numbered virus definition folder, for example, 20021010.002.
  5. Open the Definfo.dat file in a plain-text editor, such as Notepad. The contents will be similar to the following:

    [DefDates]
    CurDefs=20021016.002
    LastDefs=20021010.002


  6. Change the value of the CurDefs and LastDefs lines to match the folder name that you noted in step 4. For example:

    [DefDates]
    CurDefs=20021010.002
    LastDefs=20021010.002


  7. Save and close the Definfo.dat file.
  8. Open the Usage.dat file in a plain-text editor, such as Notepad.
    Confirm that the numbered folder heading inside the square brackets [ ] matches the folder referenced by the "CurDefs" line in the Definfo.dat file.
    Confirm that there is a single square bracket around the heading.
    On a computer that runs only Symantec AntiVirus Corporate Edition, the Usage.dat file should look like this:

    [20021016.002]
    DEFWATCH_10=1
    NAVCORP_70=1


  9. Save and close the Usage.dat file.


Note: If other Symantec products run on the same computer, other entries may appear in the Usage.dat file. Confirm that all entries appear under the same numbered folder heading. If more than one numbered folder heading appears, edit the Usage.dat file so that all Symantec products appear under the same numbered folder heading.
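
The consistency conditions from the steps above can be checked before the services are restarted. The following Python script is an added example, not part of the Symantec document: it confirms that a numbered folder remains, that CurDefs and LastDefs in Definfo.dat name an existing folder, and that Usage.dat has one single-bracketed heading matching CurDefs. The function names check_virusdefs and build_sample are hypothetical, and the sample files are constructed.

```python
import re
import tempfile
from pathlib import Path

FOLDER_RE = re.compile(r"^\d{8}\.\d{3}$")         # e.g. 20021010.002
HEADING_RE = re.compile(r"^\[(\d{8}\.\d{3})\]$")  # exactly one bracket pair


def read_lines(path):
    # latin-1 tolerates ANSI files; strip whitespace, skip blank lines.
    return [ln.strip() for ln in path.read_text(encoding="latin-1").splitlines() if ln.strip()]


def check_virusdefs(defs_dir):
    """Return a list of inconsistencies found in a VirusDefs folder."""
    defs_dir, problems = Path(defs_dir), []
    folders = {p.name for p in defs_dir.iterdir() if p.is_dir() and FOLDER_RE.match(p.name)}
    if not folders:
        problems.append("no numbered definition folder remains")
    # Definfo.dat: CurDefs and LastDefs must both name a folder that exists.
    values = dict(ln.split("=", 1) for ln in read_lines(defs_dir / "Definfo.dat") if "=" in ln)
    for key in ("CurDefs", "LastDefs"):
        if values.get(key) not in folders:
            problems.append(f"Definfo.dat {key}={values.get(key)} has no matching folder")
    # Usage.dat: one heading, single brackets, same folder as CurDefs.
    headings = [ln for ln in read_lines(defs_dir / "Usage.dat") if ln.startswith("[")]
    if len(headings) != 1:
        problems.append(f"Usage.dat has {len(headings)} headings, expected 1")
    for h in headings:
        m = HEADING_RE.match(h)
        if not m:
            problems.append(f"Usage.dat heading {h} is malformed")
        elif m.group(1) != values.get("CurDefs"):
            problems.append(f"Usage.dat heading {h} does not match CurDefs")
    return problems


def build_sample(root, usage_heading):
    # Constructed sample: one remaining folder, Definfo.dat already edited.
    root = Path(root)
    (root / "20021010.002").mkdir()
    (root / "Definfo.dat").write_text("[DefDates]\nCurDefs=20021010.002\nLastDefs=20021010.002\n")
    (root / "Usage.dat").write_text(f"{usage_heading}\nDEFWATCH_10=1\nNAVCORP_70=1\n")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(check_virusdefs(build_sample(tmp, "[20021016.002]")))
```

An empty list means the three files agree; each string in a non-empty list names the file and value that still needs editing.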



To remove .xdb, .wdb, and .vdb files and folders
  1. On Symantec AntiVirus servers, delete .xdb files:
    Browse to the directory where Symantec AntiVirus Corporate Edition is installed and identify files with an .xdb extension. Sort the files by date and delete or rename any .xdb files with dates newer than the remaining virus definitions folder in C:\Program Files\Common Files\Symantec Shared\VirusDefs.
  2. On Symantec AntiVirus clients, delete .wdb files from the appropriate location, depending on the version of Windows and the version of Symantec AntiVirus:

    Windows 2000/XP/2003 clients
    <Drive>:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5
    <Drive>:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5
    Note that the Application Data folder is a hidden folder on some computers.

    Windows NT 4.0 clients
    <Drive>:\WinNT\Profiles\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5
    <Drive>:\WinNT\Profiles\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5

    Windows 95/98/Me clients
    <Drive>:\Program Files\Symantec_Client_Security\Symantec AntiVirus
  3. Delete or rename all .vdb files except the one that corresponds to the remaining virus definitions folder in C:\Program Files\Common Files\Symantec Shared\VirusDefs. To determine the definition set that a .vdb file references, see the document How to decode the naming convention for .vdb and .xdb files.
  4. Identify the I2_LDVP.VDB folder.
  5. Delete any subfolders under I2_LDVP.VDB, but do not delete the I2_LDVP.VDB folder itself.

Restart all Symantec services that use virus definitions
Restart any services that you stopped in the section titled "To stop all Symantec services that use virus definitions." If possible, restart the computer instead of restarting services.

References:

  1. How to manually repair or backdate virus definitions for Symantec AntiVirus Corporate Edition 8.x and 9.x
    Document ID: 2002102209110448
    Last Modified: 11/06/2007
    Date Created: 10/22/2002
    Product(s): Symantec AntiVirus Corporate Edition 8.0, Symantec AntiVirus Corporate Edition 9.0
    Release(s): SAV 8.0, SAV 8.0 [All Releases], SAV 8.01, SAV 8.1, SAV 8.1.1, SAV 9.0, SAV 9.0 [All Releases]
    Symantec Corporation
