
Symantec Anti-Virus fails to update

Occasionally a workstation or server will receive a corrupted virus-definition set or fail to update a product when the update becomes available.  The following are some diagnostic steps for discovering why.

Before beginning to attempt to diagnose the Symantec-specific items, if there has been any sort of software update installed or the machine has been running for some time, first give it a reboot.  The ins & outs of the software dependencies are too numerous to attempt to diagnose in a partially updated system.

Back from a reboot, begin first and foremost with ensuring that the services involved are working.  Head over to the Services for the machine (from Administrative Tools or by running services.msc) and make sure that, at a minimum, you have DefWatch and Symantec Anti-Virus services running (workstations for v10 and prior will likely only have these two).  By default, both of these services will be set to an Automatic start - that should still be the case & if it isn't, you found some tampering.  Get them set to Automatic & reboot again to be sure something untoward isn't getting involved during the boot up.

To continue diagnosing, familiarise yourself with where the Symantec installation exists.  Typically, the Anti-Virus lives in an obvious folder beneath C:\Program Files - Symantec Anti-Virus or SAV for example (I will from here on refer to this as the Anti-Virus folder).  You should note, however, that LiveUpdate will typically live in a separate folder from the Anti-Virus: probably C:\Program Files\Symantec (I will from here on refer to this as the LiveUpdate folder).  The Virus Definitions themselves are more often stored under the Common Files\Symantec Shared\VirusDefs folder of the Program Files (I will from here on refer to this as the Virus Definitions folder).  Many installations, however, follow a company doctrine of placing the installations elsewhere, so confirm where they actually are before going further.

LiveUpdate.
Go to the LiveUpdate folder and run the LuALL.exe.   Depending on the Control Panel's settings, it may require a little interaction on your part: click next (should be only once in most versions) until it gives you some results.  If you get a success message from LiveUpdate you should also see a new dialogue which performs the updating of the virus definitions.  Wait for this dialogue to complete and then check your virus definitions date again: if it's up to date, you are all done. :D

If LiveUpdate has issues connecting to the Symantec sites while attempting to retrieve the catalogue or any updates, ensure you have a good Internet connection.  Once that is working, open the Control Panel and double-click the LiveUpdate option.  On each of the FTP, HTTP and ISP tabs check the settings are correct.  You will more often than not find that the "I want to use my Internet Options [...] settings" option is good enough.  If LiveUpdate continues to fail, start looking at possible reasons beyond the Symantec software: firewall rules in particular.

Once your LiveUpdate is working, check your virus definitions again.  Only if they are not up to date (that day or the previous, typically) should you need to continue.  At this point, if you are working on a group server and your product updates are not being rolled out, open your Control Panel's Symantec LiveUpdate, go to the Update Cache tab and click the "Remove All Files From Cache" option.  Once cleared, re-run the LiveUpdate to download the cache again.  Note that this may be a very large download for some installations (everyone has a different bearing on "large download") and for some ISP connections this may incur extra costs due to bandwidth considerations (some connections have a cap on the amount of bandwidth per week, for example).  The new products should now begin to roll out.  If they continue to fail, then go grab the latest version of LiveUpdate from http://www.symantec.com/techsupp/files/lu/lu.html , install it & begin again.

Still not getting the latest virus definitions?  Next you need to discover which virus definitions have been downloaded.  Head over to your Virus Definitions folder and check the dates on the folders.  If a folder houses virus definitions, the folder name will be a date and reference of the form YYYYMMDD.RRR - where RRR is a numerical reference for the virus definitions.  As an added confirmation, the folder should contain a WHATSNEW.TXT file containing information pertaining to the update(s).

Back in your Virus Definitions folder, open the DEFINFO.DAT file with a text editor (Notepad will do).  The file is a typical "INI" file in style: section headings are in square brackets and parameters are given, one per line, in the form name=value.  There is typically only one section in the file, DefDates, which contains two parameters: CurDefs and LastDefs.  The two parameters indicate which virus definition sub-folder is currently active and which one was last used (don't delete any of the folders which fail to be referenced here).  You now have your Current Definition and Last Definition.

Two kinds of corruption can be identified here:
- If the software's indication of the current definitions is not the same as the Current Definition indicated in the DEFINFO.DAT, you either have a corrupt virus definition set or your Definition Watch service isn't working.
- If you have virus definition folders with dates beyond those given in the DEFINFO.DAT file, your Definition Watch service isn't working.

Corrupt virus definitions.
This step is best done while the machine is not networked because it first involves stopping your anti-virus.  Head over to the Services for the machine (again, from Administrative Tools or by running services.msc), locate the Symantec service(s) and stop them all.  Locate also the DefWatch service and stop that.

If this is a server installation, pop into the Anti-Virus folder and look for an I2_LDVP.VDB folder.  Enter the folder and remove all the sub-folders there (but keep the I2_LDVP.VDB folder itself).

Go back to the Virus Definitions folder and open up the USAGE.DAT file (another text file).  You should see one or more sections here with each heading indicating the definition it represents.  A healthy USAGE.DAT will house just the one section whereas an unhealthy one (or one being updated as you look) will typically show two sections.

If you have only the one entry in your USAGE.DAT, this is a healthy USAGE.DAT and your DEFINFO.DAT's Current Definition should be the same as this section's heading.  If your DEFINFO.DAT's CurDefs parameter is not the same as your USAGE.DAT's section heading, then you have a corrupt DEFINFO.DAT.  In this situation, remove the folder from the Virus Definitions folder that represents the current definitions.  Once removed, alter the DEFINFO.DAT's CurDefs parameter to indicate the same virus definitions as the USAGE.DAT (don't change the LastDefs parameter).  Restart your DefWatch and Anti-Virus.  Give them a couple of minutes & then run a LiveUpdate again (beginning again from above).

If you have more than one section in your USAGE.DAT then you have a partial update.  Check which section in your USAGE.DAT has the NAVxxx_xx parameter (the parameter name is made up of a product ID & a version code which doesn't necessarily correspond to the AV version - for example Symantec Corporate v9 uses NAVCORP_70 as the parameter name).  Move the DEFWATCH_xx parameter into the same section as the NAVxxx_xx parameter and make a note of the now-empty section's header.  Remove the folder in the Virus Definitions folder that corresponds to the empty section header and then remove the section from the USAGE.DAT file & save the change - this should leave you with a single section heading in the file.  Now check (and follow) the above paragraph, in case you need to update the DEFINFO.DAT file, then follow the instructions for restarting services & LiveUpdate - and you should then be able to retrieve the latest Virus Definitions.
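A small diagnostic that applies the checks described above (folder dates versus DEFINFO.DAT's CurDefs, and the one-section versus two-section USAGE.DAT test) to constructed sample files, as an added example that is not part of the original article. The DEFINFO.DAT and USAGE.DAT contents and the folder listing are made up; the repair function only produces the corrected USAGE.DAT text rather than touching the machine.

```python
import configparser
import re

# Constructed sample contents (not captured from a real machine) of the three
# things the article has you inspect: DEFINFO.DAT, USAGE.DAT, the folder listing.
DEFINFO_DAT = "[DefDates]\nCurDefs=20080310.003\nLastDefs=20080309.021\n"
USAGE_DAT = "[20080310.003]\nDEFWATCH_10=1\n\n[20080311.007]\nNAVCORP_70=1\n"
DEF_FOLDERS = ["20080309.021", "20080310.003", "20080311.007", "BinHub", "incoming"]

DEF_FOLDER_RE = re.compile(r"^\d{8}\.\d{3}$")   # definition folders look like YYYYMMDD.RRR

def read_ini(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str                 # keep CurDefs / NAVCORP_70 casing untouched
    cp.read_string(text)
    return cp

def diagnose(definfo_text, usage_text, folder_names):
    """Apply the article's checks; return what is wrong and what would need fixing."""
    cur = read_ini(definfo_text)["DefDates"]["CurDefs"]
    usage = read_ini(usage_text)
    sections = usage.sections()
    # The section holding the NAVxxx_xx parameter is the one the product really uses.
    nav = next((s for s in sections if any(k.startswith("NAV") for k in usage[s])), None)
    defs = sorted(f for f in folder_names if DEF_FOLDER_RE.match(f))
    report = {"current": cur, "active_section": nav, "new_curdefs": None,
              # Folders dated beyond CurDefs: DefWatch is not activating new definitions.
              "defwatch_stalled": [f for f in defs if f > cur],
              # More than one section: a partial update was left behind.
              "partial_update": len(sections) > 1,
              # Sections that become empty once DEFWATCH_xx moves into the NAV section.
              "folders_to_remove": [s for s in sections if nav and s != nav]}
    healthy = nav or (sections[0] if sections else None)
    if healthy and healthy != cur:
        # DEFINFO.DAT disagrees with USAGE.DAT: drop the CurDefs folder, repoint CurDefs.
        if cur not in report["folders_to_remove"]:
            report["folders_to_remove"].append(cur)
        report["new_curdefs"] = healthy
    return report

def repair_usage(usage_text):
    """Return USAGE.DAT text with every DEFWATCH_xx parameter moved into the NAV section."""
    usage = read_ini(usage_text)
    nav = next(s for s in usage.sections() if any(k.startswith("NAV") for k in usage[s]))
    for s in usage.sections():
        for key in list(usage[s]):
            if key.startswith("DEFWATCH_") and s != nav:
                usage[nav][key] = usage[s][key]
                usage.remove_option(s, key)
        if s != nav and not usage[s]:      # now-empty section: the article says remove it
            usage.remove_section(s)
    return "\n".join(f"[{s}]\n" + "".join(f"{k}={v}\n" for k, v in usage[s].items())
                     for s in usage.sections())
```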
Author: Barthax