How To: Manually Remove AV Definition From an Endpoint

Version 1

    How To:

    Occasionally a bad AV definition causes problems on Endpoints. In most cases the next definition update resolves this, but there may be times when it is urgent to remove the bad definition from the Endpoint rather than wait for the next update.

     

    Step by Step:

     

    1. Reboot the Endpoint into Safe Mode so that the AV engine is not running and not holding the definition files open
    2. After the reboot, go to C:\ProgramData\HEAT Software\EMSSAgent\data\persist\live\AV\ScanEngine
    3. There will be two numbered directories and a Live.txt file. The value in Live.txt is the name of the numbered directory currently in use; the higher number is the newer (bad) definition and the lower number is the previous one
    4. Open Live.txt and change the value to the older numbered directory
      • In the example screenshot, you would change the value in Live.txt from 5 to 4
    5. Save and exit Live.txt
    6. Delete the newer numbered directory (the one whose number you just removed from Live.txt; never delete the directory that Live.txt now points to)
      • In the example screenshot, you would delete the 5 directory
    7. Reboot the Endpoint normally
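    The steps above can be carried out from an elevated PowerShell prompt in Safe Mode. The script below is an added example and is not part of this article or of the HEAT Software agent. It assumes the ScanEngine path given in step 2, that the definition directories are named with plain integers, and that Live.txt contains just the number of the active directory; if your Live.txt looks different, check it by hand first. It refuses to run unless Windows reports a Safe Mode boot, aborts if it does not find exactly two numbered directories, and aborts if Live.txt does not already point at the newest one, so it only ever performs the exact swap the article describes.

```powershell
# Added example, not code from the original article or the HEAT Software agent.
# Assumptions (not stated by the article): directory names are integers and
# Live.txt holds a single integer with no other content.
$ScanEngine = 'C:\ProgramData\HEAT Software\EMSSAgent\data\persist\live\AV\ScanEngine'
$LiveFile   = Join-Path $ScanEngine 'Live.txt'

function Get-DefinitionDirectories {
    param([string]$Path)
    # Only numbered directories count as definition sets; sort numerically, not as strings,
    # so that 10 sorts after 9.
    Get-ChildItem -Path $Path -Directory |
        Where-Object { $_.Name -match '^\d+$' } |
        Sort-Object { [int]$_.Name }
}

function Invoke-DefinitionRollback {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Path, [string]$LiveFile)

    # Step 1: refuse to touch the files unless the machine booted into Safe Mode.
    # Win32_ComputerSystem.BootupState is 'Fail-safe boot' or 'Fail-safe with network boot' there.
    $bootState = (Get-CimInstance -ClassName Win32_ComputerSystem).BootupState
    if ($bootState -notmatch 'Fail-safe') {
        throw "Boot state is '$bootState'; reboot into Safe Mode before rolling back definitions."
    }

    # Step 3: expect exactly two numbered directories, older and newer.
    $dirs = @(Get-DefinitionDirectories -Path $Path)
    if ($dirs.Count -ne 2) {
        throw "Expected exactly two numbered directories under $Path, found $($dirs.Count); stopping."
    }
    $older, $newer = $dirs

    # Sanity check: Live.txt should currently name the newer directory (e.g. 5), not something else.
    $live = (Get-Content -Path $LiveFile -Raw).Trim()
    if ($live -ne $newer.Name) {
        throw "Live.txt points at '$live' but the newest directory is '$($newer.Name)'; stopping."
    }

    # Steps 4-5: point Live.txt at the older directory (e.g. 5 -> 4).
    if ($PSCmdlet.ShouldProcess($LiveFile, "Change active definition from $($newer.Name) to $($older.Name)")) {
        Set-Content -Path $LiveFile -Value $older.Name -NoNewline
    }

    # Step 6: delete the newer directory only after Live.txt no longer references it.
    if ($PSCmdlet.ShouldProcess($newer.FullName, 'Delete newer definition directory')) {
        Remove-Item -Path $newer.FullName -Recurse -Force
    }

    [PSCustomObject]@{ Reverted = $newer.Name; NowActive = $older.Name }
}

# Dry run first: -WhatIf prints what would change without touching anything.
Invoke-DefinitionRollback -Path $ScanEngine -LiveFile $LiveFile -WhatIf
# Then run for real, and reboot normally afterwards (step 7):
# Invoke-DefinitionRollback -Path $ScanEngine -LiveFile $LiveFile
# Restart-Computer
```

    Run it with -WhatIf first and compare the reported directory numbers with what you see in Explorer; only then run it without -WhatIf and reboot. The -NoNewline on Set-Content is an assumption about the Live.txt format; if the original file ended with a newline, writing it back the same way is harmless either way, since the agent only needs the directory number.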

     

    This reverts the Endpoint to the previous AV definition version that was still stored on it, allowing it to function normally and to receive the next AV definition update without problem.