How to redirect Symantec Endpoint Protection client (v12.1.x) definition files

Symantec Endpoint Protection

The Story

I’m currently working in a Citrix XenDesktop environment with pooled, non-persistent desktops. Citrix PVS is used to stream a read-only vDisk to VM’s on a XenServer infrastructure. Since a non-persistent desktop loses all updates after a reboot the Symantec Endpoint Protection (SEP) clients’ virus definitions also resets to the moment you last updated the definition files in your image. This means that, each day since the last vDisk version, the client will have to re-download all definition files after every reboot.

The obvious solution to this unwanted behavior is to move the definition files to a location on the persistent disk attached to the VM. The problem is that the SEP client does not have a configuration option that will allow you to do that. So I decided to create my own redirection solution. Here’s how I did it:

 The solution

First I figured out how the update process works within the SEP client. After the SEP service starts the client checks the current files, which are located in this folder:

C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Definitions.

If the files are out of date, updates will be downloaded to the corresponding subfolders. The CurrentVersion folder is actually a symbolic link to the folder named after the SEP version (in this case 12.1.4013.4013.105). You can tell by the little arrow symbol on the folder:


CurrentVersion Symbolic Link

The path to this folder is located in the HKLM registry. There are a number of values that need to be changed but I’ll get to that later. I stopped the SEP client, copied the entire Definitions folder to a location on my persistent disk, made my registry changes and started the client. And what do you know?

It worked!


That was easy enough. Even after a reboot I now have up to date definition files and I have an extra GB of data on my system disk where the files used to be.

So here’s a Step-By-Step instruction on how to accomplish this.

The Steps

1. Updating the vdi image

Follow these steps in your client OS (in Read/Write mode):

  • Stop the SEP client (if running). You can use the following command  to do this:

    smc.exe -stop

    You probably will be prompted for a password.

  • Create a folder named SEP on your persistent drive. The name is not important but if your persistent disk is D:\ and you name the folder SEP you’ll not have to adjust the scripts later on.
  • Move the Definitions folder and it’s contents to the SEP folder:
    xcopy "C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Definitions" D:\SEP\Definitions\
    RD /S /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Definitions"

    The last command might fail on the count of some dll’s that are being used by the system process. Once the SEP client runs on the new settings you should be able to remove the old folder.

  • Change the following registry values :
    [HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\Common Client\PathExpansionMap]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\Content]
  • Start the SEP client:
    smc.exe -start
  • Check in the notification area for the green dot on the notification icon, indicating that the client is up-to-date:
  • To be absolutely sure open the management console and check if no problems where detected. The notification icon can be a bit behind.
  • Close the image.

2. Migrate definition files on all VM’s

Now that we’ve prepared our image for this change we have to make sure that the definition files are present on the persistent disks on all VM’s in the environment. For this I created a PowerShell script which will do just that. The script is called Migrate-SEPDefinitionFolders.ps1 and is available for download at the end of this post. It has full help capabilities so you should be able to run it with ease. Of course, if you’re using an alternate VDI solution you’ll have to create your own version. It might still be useful to check it out, though.

In short the script will retreive a list of VM’s from a catalog on a Citrix Desktop Controller of your choosing. That list of VM’s will be processed. It will use Invoke-Command to run a scriptblock on these machines, that copies the definition files to the persistent disk. By default it will limit the execution to 10 concurrend sessions, in other words: only 10 VM’s at a time wil be running the scriptblock. The default setting can be overruled bij using the ThrottleLimit parameter. It will update online VM’s first. VM’s that are offline will be turned on by groups of the same limit (so 10 at a time by default), unless you use the SkipOffline parameter. When the group is online the scriptblock will run. After that the next group will start up, until all VM’s have been processed.

 Migrate-SEPDefinitionFolders -CatalogName XD7_TEST -DeliveryController XD7-CDC-001 -Credential DOMAIN\XDAdmin

 Retreives the VM's in catalog XD7_TEST from Delivery Controller XD7-CDC-001
 as user DOMAIN\XDAdmin. The online VM's will be processed first, after which
 the offline VM's will be powered on and processed with a maximum of 10 at a time.

This way you can migrate your test VM’s first, without touching your production catalogs. If you do want to process all VM’s in one run just use an asterisk (*) for the CatalogName parameter. It’s also possible to run the script on an array of VM’s using the VMName parameter:

 Migrate-SEPDefinitionFolders -VMName XenVM01,XenVM02,XenVM03,XenVM04 -ThrottleLimit 2

 Copies the SEP Definitions folder to default destination folder
 D:\SEP on VM's XenVM01 through XenVM04 two at a time. VM's must be online.

3. Roll out your new image to the migrated VM’s

Now that the VM’s have the necessary files in the right location it’s time to put it all together by assigning your new image/version to the VM’s you processed. Check the notification icon and the log file right after a VM has booted up. When the notification icon gives you the green light and the log file shows no errors you’re in the clear. Keep an eye on this for the next couple of days. You should start to see changes in the log file pretty soon.


Well, that’s all  the information you need. Give it a try and let me know what you think. The only thing left to do is give you the migration script:

Download here

(RightClick-Save As)

Until next time!


About MicaH

I'm a Senior Technical Specialist at PepperByte BV (the Netherlands).
This entry was posted in Citrix, Powershell and tagged , , , , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s