How to manually repair or backdate virus definitions for Symantec AntiVirus Corporate Edition 8.x and 9.x

Question/Issue:
You updated the virus definitions on a computer that is running Symantec AntiVirus Corporate Edition, and now you see one or more of the following symptoms: - The Symantec AntiVirus service fails to start. - The number of Scan Omission errors in the Event Log is larger than normal. You need to know how to revert to an earlier set of virus definitions.

Symptoms:
How to manually repair or backdate virus definitions for Symantec AntiVirus Corporate Edition 8.x and 9.x You updated the virus definitions on a computer that is running Symantec AntiVirus Corporate Edition, and now you see one or more of the following symptoms: - The Symantec AntiVirus service fails to start. - The number of Scan Omission errors in the Event Log is larger than normal. You need to know how to revert to an earlier set of virus definitions.

Solution:

Backdating definitions manually

To stop all Symantec services that use virus definitions

1. Stop the following services:
   • Defwatch
   • Symantec AntiVirus service, Symantec AntiVirus Server service, or Symantec AntiVirus Client service, depending on the version of Symantec AntiVirus
     If the service cannot be stopped, disable the service and restart the computer.
2. Navigate to the Usage.dat file located in the VirusDefs folder located in <drive>:\Program Files\Common Files\Symantec Shared\VirusDefs.
3. Open the Usage.dat file in a text editor, such as Notepad.exe.
4. Look for Qsadmin. If this entry exists, then stop the Symantec Central Quarantine, Symantec Quarantine Agent, and Symantec Quarantine Scanner services.
5. If you have other Symantec products installed, then you may need to stop the services related to these products before you can delete folders.

1. Open Windows Explorer, and then go to the folder C:\Program Files\Common Files\Symantec Shared\VirusDefs.
2. Verify that the following folders and files are contained within the VirusDefs folder. If any of these folders are missing, then contact technical support for assistance and to provide us with information for tracking this problem:
   • Incoming (folder)
   • BinHub (folder)
   • TextHub (folder)
   • Definfo.dat (file)
   • Usage.dat (file)
   • Numbered virus definitions folders: Two or more subfolders that have dates as their folder names. For example, 20021016.002 is the folder that contains the October 16, 2002 virus definitions.
3. Remove the most recent virus definitions folder. You may need to delete more than one virus definition folder, but it is important that at least one numbered virus definition folder remains.
4. Identify the name of the remaining numbered virus definition folder, for example, 20021010.002.
5. Open the Definfo.dat file in a plain-text editor, such as Notepad. The contents will be similar to the following:
   
   [DefDates]
   CurDefs=20021016.002
   LastDefs=20021010.002
   
   
6. Change the value of the CurDefs and LastDefs lines to match the folder name that you noted in step 4. For example:
   
   [DefDates]
   CurDefs=20021010.002
   LastDefs=20021010.002
   
   
7. Save and close the Definfo.dat file.
8. Open the Usage.dat file in a plain-text editor, such as Notepad.
   Confirm that the numbered folder heading inside the square brackets [ ] matches the folder referenced by the "CurDefs" line in the Definfo.dat file.
   Confirm that there is a single square bracket around the heading.
   On a computer that runs only Symantec AntiVirus Corporate Edition, the Usage.dat file should look like this
   
   [20021016.002]
   DEFWATCH_10=1
   NAVCORP_70=1
   
   
9. Save and close the Usage.dat file.

1. On Symantec AntiVirus servers, delete .xdb files:
   Browse to the directory where Symantec AntiVirus Corporate Edition is installed and identify files with an .xdb extension. Sort the files by date and delete or rename any .xdb files with dates newer than the remaining virus definitions folder in C:\Program Files\Common Files\Symantec Shared\VirusDefs.
2. On Symantec AntiVirus clients, delete .wdb files from the appropriate location, depending on the version of Windows and the version of Symantec AntiVirus:
   
   Windows 2000/XP/2003 clients
   <Drive>:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5
   <Drive>:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5
   Note that the Application Data folder is a hidden folder on some computers.
   
   Windows NT 4.0 clients
   <Drive>:\WinNT\Profiles\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5
   <Drive>:\WinNT\Profiles\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5
   
   Windows 95/98/Me clients
   <Drive>:\Program Files\Symantec_Client_Security\Symantec AntiVirus
   
3. Delete or rename all .vdb files except the one that corresponds to the remaining virus definitions folder in C:\Program Files\Common Files\Symantec Shared\VirusDefs. To determine the definition set that a .vdb file references, see the document How to decode the naming convention for .vdb and .xdb files.
4. Identify the I2_LDVP.VDB folder.
5. Delete any subfolders under I2_LDVP.VDB, but do not delete the I2_LDVP.VDB folder itself.

References:

1. How to manually repair or backdate virus definitions for Symantec AntiVirus Corporate Edition 8.x and 9.x
   Document ID: 2002102209110448
   Last Modified: 11/06/2007
   Date Created: 10/22/2002
   Product(s): Symantec AntiVirus Corporate Edition 8.0, Symantec AntiVirus Corporate Edition 9.0
   Release(s): SAV 8.0, SAV 8.0 [All Releases], SAV 8.01, SAV 8.1, SAV 8.1.1, SAV 9.0, SAV 9.0 [All Releases]
   Symantec Corporation

[ Return to Unable to Unlock Server Group or Start Symantec AntiVirus Server ]