Troubleshooting Symantec AntiVirus Corporate Edition and Symantec Endpoint Protection installations: Checking rights and permissions

Article:TECH100048  |  Created: 2002-01-30  |  Updated: 2011-08-12  |  Article URL
Article Type
Technical Solution


You have problems installing Symantec AntiVirus Corporate Edition or Symantec Endpoint Protection, or you have installed the product, but it is not functioning properly. You need a list of files, folders, and registry keys in order to check rights and permissions.


The installation of Symantec AntiVirus or Symantec Endpoint Protection on any Windows NT/2000/XP/2003 computer requires Local Administrator rights to the computer. If you install from another computer by using NT Client Install or Client Remote, you must be a Domain Administrator, and on each computer, the Domain Administrator must also be a member of the Administrators group. Membership in other groups may cause restrictions on the Domain Administrator account's local rights. Verify that no restrictions on the Local Administrator or Domain Administrator accounts have been made.

Checking permissions within the registry

WARNING: We strongly recommend that you back up the system registry before making any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Modify only the keys specified. See the document How to back up the Windows registry before proceeding.

Note: When verifying permissions in Windows NT, verify that the Creator/Owner account has full rights to the registry keys listed. To propagate permissions to subkeys in Windows NT, place a check next to "Replace Permissions on Existing Subkeys."

To edit the registry

  1. Click Start, and then click Run.
  2. Type regedt32.exe in the Run box, and then click OK.
  3. Navigate to the following subkeys:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths

    For each of these keys, ensure that both System and Administrators have Full Control.

To check the rights on registry keys in regedt32

  1. Select the desired key.
  2. From the menu bar, click Security, and then click Permissions.
  3. If the Administrator and System accounts do not have full control, add them. Ensure that Deny is not checked for any rights.
  4. Click "Advanced."
  5. Click "Reset permissions on all child objects and enable propagation of inheritable permissions" (or "Replace permission entries on all child objects with entries shown here that apply to child objects"), and click OK.
  6. Click Apply, and then click OK.
  7. Close the Registry Editor.

Checking permissions on an NTFS drive

Use the Windows Explorer to verify that System and Administrator have "Full Control" and Users have "Read Only" permissions for the following folders (if they exist):

(drive:)\Program Files
(drive:)\Program Files\Common Files
(drive:)\Program Files\Symantec
(drive:)\Program Files\Sav
(drive:)\Program Files\Symantec AntiVirus
(drive:)\ProgramData\Symantec Shared
(drive:)\Program Files (x86)\Symantec
(drive:)\Program Files (86)\Common Files\Symantec Shared

To check the permissions, right-click the folder, choose Properties, and click the Security tab. Verify that both System and Administrator have Full Control.

The following folders should have Full Control permissions for the System and Administrator accounts, and Read Only for User accounts. If a folder does not exist, simply skip to the next one:

(drive:)\Documents and Settings\All Users\Application Data\Symantec
(drive:)\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5
(drive:)\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5

Note: Before attempting to change permissions on directories or subdirectories, you should take ownership. NT does not change permissions on a subdirectory where ownership is incorrect, and does not report that it cannot change the permissions. Using an Administrative logon is suggested.

Checking DCOM settings

The last place to check rights on a computer is in its DCOM settings.

To verify Distributed COM properties

  1. On the Windows taskbar, click Start > Run.
  2. Type the following, and then click OK:

  3. Do one of the following, depending on your operating system:
    • In Windows XP/2003, click Component Services > Computers > My Computer. Then right-click My Computer and click Properties.
    • In all other versions of Windows, go on to the next step.
  4. On the Default Security or Default COM Security tab, under Default Access Permissions, click Edit Default.
  5. Verify that Administrators, Interactive, and System accounts are set to Allow Access, and then click OK.
  6. Under Default Launch Permissions, click Edit Default.
  7. Verify that the Administrators, Interactive, and System accounts are set to Allow Launch, and click OK.
  8. Do one of the following, depending on your operating system:
    • In Windows XP/2003, skip the two following steps.
    • In all other versions of Windows, go on to the next step.
  9. In the Default Configuration Permissions section, click Edit Default.
  10. In the Registry Key Permissions window, verify that the following are set to Full Control, and then click OK:

  11. On the Default Properties tab, verify that Default Impersonation Level is set to Identify.
  12. Click Apply, and then click OK.
  13. Restart the computer for the changes to take effect.

Some customers have reported fixing installation problems caused by incorrect rights or permissions by using Microsoft's SubInACL utility to change registry and NTFS permissions. This information is provided for your convenience. Symantec does not provide support for or assistance with Microsoft products.


Legacy ID


Article URL

Terms of use for this information are found in Legal Notices