About the Symantec Endpoint Protection Support Tool

Article:TECH91280  |  Created: 2008-01-08  |  Updated: 2013-01-31  |  Article URL http://www.symantec.com/docs/TECH91280
Article Type
Technical Solution


The Symantec Endpoint Protection Support Tool is a utility designed to quickly and efficiently diagnose common issues encountered with Endpoint Protection and the Endpoint Protection Manager. With this release, the utility is limited to diagnosing problems on the local computer (that is, the computer that is running the utility). If a problem is identified, the tool will direct you to a solution, or the information can be provided to Tech Support, who can guide you through the next steps.


Symantec Help replaces Symantec Endpoint Protection Support Tool

The Symantec Endpoint Protection Support Tool is no longer being developed. Use Symantec Help (SymHelp):



Who is the utility designed for?
The utility is designed to assist customers and support personnel with data gathering and troubleshooting.

What does the utility do to my computer?
The support utility does not permanently alter any files on the computer. The utility is a collection of modules or scripts, each of which performs checks by gathering information regarding conditions on the local computer. These script files are copied to the temporary directory and are deleted when you exit the utility.

Because of this design, the utility does not permanently install anything on your computer when it runs.

Does this utility support remote connections?
Yes. You can run the utility over an RDP connection or by using other commercial remote administration utilities.

The utility didn't help me. What next?
In the event that the utility is unable to diagnose your issue, contact Technical Support:
My Support - Web Support
Contact Telephone Technical Support

Acquiring the tool
To acquire the tool, follow this link: The Symantec Endpoint Protection Support Tool.

Using the tool
After you start the utility, it downloads any new releases of the utility while you read the license agreement. If the tool finds an update, it updates and restarts itself automatically. Once you have the latest version, click "accept" to go to the Select Issue screen.

Note: If you make any system changes after running the tool, you must run the tool again to ensure an accurate report.

The Select Issue screen
The Endpoint Protection Support Tool is a combination of modular, discrete "checks." This screen presents a categorized list of the checks that the utility looks for. By selecting criteria, you increase the number of checks that the utility runs, which increases the thoroughness as well as the amount of time required for the tool to run. Due to time constraints, it is best to select only the checks that are relevant to your issue.

For example, if you are having trouble installing the Endpoint Protection Client, select "installation" and then "SEP Client."

Required Checks
If either the Symantec Endpoint Protection client or Manager is installed, the utility performs a series of operational checks for these programs, regardless of which options you selected. In particular, if the Manager is installed, you are prompted for the password. Typically, this is the same password that you use to log in to the Manager.

Running time
The design goal of the utility is to complete a comprehensive check of system variables in under two minutes. Due to variations among computers both in hardware and role, a computer with the following specifications was chosen as a benchmark:

Operating System: Microsoft Windows XP Professional Service Pack 3
Processor: 1.80 GHz Pentium

The support tool is designed to complete all of the checks under "Issue Selection" in under 2 minutes on this computer. The time that the tool takes to run on other machines may vary.

Once the utility finishes collecting the data for your issue(s), the task screen shows the options for analyzing the collected data.

Review Reports
If you are experiencing an issue with Symantec Endpoint Protection or Symantec Endpoint Protection Manager, click Review Reports to see a summary of the collected information. The information is grouped into the following sections:

  • Errors lists individual problems found by the tool. Click each error for detailed information.
  • Warnings lists issues that warrant some attention but which probably are not critical.
  • OK lists items which passed the checks that the tool ran against them.
  • Information outlines general information about your computer, such as available disk space, operating system information, etc.
  • Applications lists the items that are in "Add/Remove programs," along with each program's manufacturer and version information.

This section returns you to the issue selection screen, where you can change the checks that you want to run.

Collect additional data
This option performs an intensive scan of the computer. This can take ten minutes or more. This additional data can help identify issues that previous checks did not detect.

Save Report
This option saves the information that the selected checks found. If you require assistance with your issue, you can send the saved report file to Technical Support.

How To Submit The Report
This option shows the options available for opening a Technical Support ticket.

Click Exit to close the utility and delete the files that were extracted to the temporary directory.

Running the tool from a command line
The Support Tool can be run from a command line, with a number of command line options. For detailed information, read the document Command line options for the Symantec Endpoint Protection Support Tool.

Technical Information


Release Notes Build 1.0.6040 (9/24/2012):
Includes the following new features and fixes:
  • Update Symantec Power Eraser to include latest Trojan.ZeroAccess remediation capabilities
Release Notes Build 1.0.6030 (5/1/2012):
Includes the following new features and fixes:
  • Add detection of SEP 11.0 RU7 MP2 (Agate) as latest build of SEP 11
  • Detect SEP 12.1 RU1 MP1 (Streetfighter) as latest build of 12.x
Release Notes Build 1.0.6020 (3/28/2012):
Includes the following new features and fixes:
  • Full data captures will now gather default.dat (Viewable within the Support Tool Viewer)
  • Full data captures will now also gather the *.log files out of the SEPM log directory.

Release Notes Build 1.0.6010 (1/12/2012):
Includes the following new features and fixes:
  • The report "IS Microsoft IIS correctly configured.." will now be properly displayed.
  • Included an updated version of the SMR (Symantec Maximum Repair) DLL that Power Eraser utilizes.
  • The Support Tool will now gather SQL_Anywhere_11 and SQLANY_Sem5 registry keys.
Release Notes Build 1.0.6000 (11/21/2011):
Includes the following new features and fixes:
  • Added Support for SEP 12.1, including installing SEPM on Windows 7.
  • Corrected an issue with the http/ftp update mechanism; the Support Tool will now update using the proper protocol.
Release Notes Build 1.0.5090 (10/14/2011):
Includes the following new features and fixes:
  • Added support for SEP 11.0 RU7 MP1.
  • To limit the size of collected report files, the "AV" daily logs will be limited to the last 30 days
  • Log.LiveUpdate will be truncated to the last 20MB
  • Updated the KB document for the report "Is Symantec Mail Security for Microsoft Exchange sharing definitions?"
Release Notes Build 1.0.5080 (9/1/2011):
Includes the following new features and fixes:
  • Updated Power Eraser to use the latest build of the SMR.dll (Version 2.1)
  • The Support Tool now detects SEPM 12.1.671.4972 as the latest build
  • Load Point Analysis will now search for files located in the Recycle Bin
  • Added detection of a SEPM migration issue, which would result in client features being removed.
Release Notes Build 1.0.5070 (7/19/2011):
Includes the following new features and fixes:
  • Detects Endpoint Protection 11 RU 7 as the latest release
  • Corrected a false positive when analyzing IPS definitions
  • Customer information will once again be included in saved SDBZ files
  • Reports which check for available memory will now properly calculate physical memory and page file usage
  • DNS information will now be collected
  • It is now possible to collect full data without running prior checks (accessed from the issue selection screen, at the top border of the window)
  • REG_QWORD registry keys are now properly collected by the Support Tool
  • Selecting Power Eraser will now display an overview of the application.
Release Notes Build 1.0.5050 (6/22/2011):
Includes the following new features and fixes:
  • Tamper Protection with SEP 11 should no longer be triggered by the Support Tool
  • Corrected an issue where the Support Tool was not properly detecting required system restarts for installation of SEP.
  • The Support Tool's pre-installation check for SEP will now function properly in scenarios where SEP is already installed.
  • Fixed an issue where the status of Network Threat Protection was not being detected.
  • Corrected an issue where the Minimum Requirement report was not being displayed for SEPM pre-installation checks.
  • The Support Tool now collects raw SAV logs from the SEP client.
  • The Support Tool will now properly detect when an upgrade is blocked, such as when installing a version of SEP over another version.
  • Corrected an issue where SEP product definitions were incorrectly being reported as corrupted.
  • For SEPM deployments, the SQL client port was being incorrectly labeled as a false positive; this has been corrected.
  • The Summary screen within the Support Tool will now list the SEPM's hostname when run on a managed client.
  • Windows XP 64 bit will now be properly detected as a supported OS for deployment of SEPM and SPC.
  • When opening an SDBZ from within the Support Tool where a load point report was collected without connectivity to the Reputation Database, the Support Tool will now prompt to resubmit the data.
  • Corrected an issue where the test text for warnings did not match the overall warning text color.
  • The Support Tool reports are now structured as statements, rather than questions.
  • Corrected a typo in the report "There are no Security Advisories for this build of Symantec Endpoint Protection"
  • Corrected an issue where the SMC service was incorrectly being flagged as being in error due to a start type of 'Demand Start'.
  • The report outlining the SEPM's port usage will now properly display all ports in use by the SEPM.
  • Corrected an issue occurring in some reports where the SEPM was being referred to as "SPC"
  • Updated the Support Tool's service detection to properly accommodate both client and console.
  • If present, the Support Tool will collect minidump files.
Release 1.0.5030 (6/2/2011)
 Includes the following new features and fixes:
SEP 12.1 Support: SEP 12.1's upcoming release means that the Support Tool needs to be able to provide data relevant to a number of new technologies and features, while simultaneously retaining the ability to gather data from SEP 11 and SEP 12.0 managers and clients.
This release of the Support Tool is the first to support all existing versions of SEP, and as such many of the etrack incidents listed below are specific to SEP 12.1.

Etrack Incident:
SEP 12.1 Specific
Report Crashes fail to trigger restart of data collection
Collection of SAV User Logs - %SAVUSERLOGDIR%\**.**
Collection of SIS scripts
Windows 2008 crashing on report generation when client install is selected.
SAV log parsing to include "Risk Details" information
Crashing in ST_Script_WinOS.STS_Minifilters
Support Tool generated WPP logs are left in the root of the drive
Crash in Rpt_InstallClient.9
Crash in Rpt_SepDefs.1
Support Tool crash on Windows XP
Failure to capture MSI feature information in SDS_ParseMSIProducts
Collection of *.dat files inside the config folder
Duplicate entries for ETL logs within ST viewer
Vpdebug logs fail to display in the ST Viewer under SEP product
SEP logs are not displayed in the ST Viewer under SEP
Sylink.xml for SEP 12.1 fails to appear in ST Viewer in text file views
Correct pre-install check option for SEP 12.x to SEP 12.0.x
Choosing cancel on create folder dialog cancels the save
Augment report "Is the Symantec Endpoint Protection Manager using its configured ports?" to include new technologies
Correct report GUID not selected for report "This system does not meet the minimum requirements for installing Symantec Endpoint Protection"
Add command-line to enable option for SEP 12.1 pre-install report
Some of the processes are not being resolved to a path
ST Viewer: SEP features from MSI duplicating listed results

Release Notes Build 1.0.5000 (4/21/2011):
  • When opening a report with the Support Tool on Windows Vista, the window can now be resized.
  • Improved how file number percentages are rounded in Load Point Analysis. They should now be much closer to 100%.
  • The command line help window now includes switches for Power Eraser and msiapifeatures. This is accessed from the command line by running the Support Tool with -h.
  • The help file (this file) is now searchable.
  • When using command line switches, the -out switch can now use paths with spaces, provided the path is enclosed in double quotes. For example: -out "C:\test path with spaces".
  • Corrected an issue where, if the administrative shares were disabled, the Support Tool would fail to report an error.
  • In a multi-monitor setup, the Support Tool's window will no longer move back to the primary screen when changing size such as when displaying the reports.
  • If the Support Tool is run on a machine running a beta version of Endpoint Protection (such as 12.1), a knowledge base article link is presented, directing the user to the proper version of the Support Tool.
  • Clicking the help button during data collection will no longer cause the progress indicator to reset.
  • The following registry paths will now be collected by the Support Tool:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
Release Notes Build 1.0.4090 (3/22/2011):
  • Added Support for SEP RU6 MP3
  • Numerous improvements to crashing reports have been made, including
    • STS_Secars crashing
    • SD_OSInfo.SDS_EnumLocalPrivs crashes
    • SDS_EnumEvtLog crashes
This release of the Support Tool includes the following new features and fixes
  • Corrected an issue where the Support Tool's summary screen would incorrectly report the installed features.
 Release 1.0.4070 (1/25/2011)
 This release of the Support Tool includes the following new features and fixes
  • Power Eraser will no longer allow for the selection of critical system files for removal. This is an effort to prevent users from potentially damaging Windows.
  • The Support Tool will now gather data from Endpoint Protection Manager installations with non-standard data directories.
  • Corrected an issue on Windows 2003 R2, where running a full data grab would generate SidebySide Errors in the Event Log.
  • Added a detection for SEPM RU 6 MP2 Point Patch 1.
  • When using IIS 7.5, the Support Tool will no longer generate an error for application pool identity.
  • Corrected an Issue on Windows 7 Enterprise edition 64-bit, where definitions were being reported as corrupted.
  • Corrected an issue where data from the reputation database was incorrectly reported.
  • Resolved an issue where the Support Tool would crash on saving an SDBZ with invalid characters in the path.
  • Previously, Selecting "Cancel" when presented with the prompt for creating a new directory to save an SDBZ, would cause the Support Tool to cancel saving. This has been resolved.
 This release of the Support Tool includes the following new features and fixes:
  • Corrected Load Point Analysis network connectivity issues.
  • Additional information is now gathered in the event of the Support Tool crashing. This will help us identify future issues, as well as trends.
  • Added a detection for: Security Advisory: SYM10-013
  • Updated SMR.dll for Power Eraser.
  • Updated additional reports to use the new format.
  • Version information for Secars.dll will now be verified.
  • The Support Tool will now collect the following logs:
    • out.log
    • installdm_log.err / installdm_log.out
    • upgrade.log
Release 1.0.4030 (12/7/2010)
This release of the Support Tool includes the following new features and fixes:
  • Corrected a problem where running Load Point Analysis without network connectivity caused the Support Tool to crash.
  • Added support for Symantec Endpoint Protection 11.0.6 Maintenance Patch 2 (RU6 MP2).
Release 1.0.4020 (11/23/2010)
This release of the Support Tool includes the following new features and fixes:
  • Changed the method by which the Support Tool looks for installed products, thus reducing the running time and the likelihood of crashes.
  • Symantec Power Eraser now has the ability to check for rootkits via bootlogging.
  • New command line switches:
    • -spe: Starts the Support Tool with Power Eraser selected.
    • -speonly: Runs Power Eraser in silent mode.
    • -spexml: Creates an xml document with the Power Eraser results (Note: requires the use of -spe or -speonly)
  • When Symantec Power Eraser detects a risk, it will now be automatically selected.
  • Detected Risks can now be copied to another location to ease submission to Security Response.
  • Symantec Power Eraser now detects Internet Explorer proxy settings.
Release 1.0.3090 (10/25/2010)
This release of the Support Tool includes the following new features and fixes:
  • The Support Tool will now run off of read only media. This is in anticipation of the Support Tool being included on the CD/DVD with future releases of Endpoint Protection.
  • Updated the report screen's accordion sections: mousing over an accordion header will cause the accordion to change color slightly.
  • Updated the Endpoint Protection and Manager version check reports for increased readability.
  • The Support Tool now enumerates common load point registry locations.
  • Increased stability of MSI data gathering process. Data gathering successes will be tracked through telemetry.
Release 1.0.3080 (8/26/2010)
This release of the Support Tool includes the following fixes:
  • Corrected a problem in which hidden files saved by Load Point Analysis were retaining the Hidden attribute.
  • Corrected an issue in which the Secars communication test was failing on computers that run Symantec Protection Center.
  • The Support Tool now correctly enumerates running processes on 64-bit computers.
  • Corrected a user interface issue which was hiding the Symantec Power Eraser option with the Endpoint management console installed (version 11x and 12x).

Release 1.0.3070 (8/17/2010)

This release of the Support Tool adds support for Symantec Endpoint Protection Release Update 6 Maintenance Patch 1 (RU6 MP1). Customers with earlier versions will be notified of the latest release upon running the tool.

Ongoing issues:
  • The Support tool incorrectly states that the Symantec Endpoint Protection Manager virtual directories within IIS are in use.
  • Due to the method in which ports are allocated in Windows 2000, the Support Tool is unable to provide data as to the current state of the ports used within Symantec Endpoint Protection/Symantec Endpoint Protection Manager.
  • The Support Tool does not provide detailed information regarding the state of IIS on Windows XP and 2000.
  • Currently the Support Tool does not properly determine the tamper protection and decomposer version information.
  • The Utility currently does not perform any network functions, such as polling remote client computers.
  • The "Top issues" section does not return any additional information (this section will be for incorporating detections for new issues as they arise).
  • The detection for installed SQL server version and service pack is not functioning correctly, displaying warnings when compatible SQL versions are in use.
  • The utility will always look for updated versions, and once found will automatically download them. Short of removing the machine from the network, this update process currently cannot be bypassed or cancelled.
  • The utility erroneously notes that Symantec Endpoint Protection Manager's virtual directories are in use by another application.
  • In the event that the utility exits unexpectedly, the folders created in the %temp% directory must be removed manually. The temporary folders follow this format: IXP000.tmp, incrementing upwards.
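
For the manual cleanup described in the last item above, the following added example (not part of the original article or of the Support Tool) lists leftover IXP###.tmp folders under %TEMP% and removes only those that are stale and not in use. The function names and the 30-minute age margin are assumptions made for illustration; only the folder naming comes from the article.

```powershell
# Added example: locate and clean up leftover IXP###.tmp extraction folders.
# Assumptions (not from the article): function names, the -OlderThanMinutes margin.

function Get-LeftoverIxpFolder {
    [CmdletBinding()]
    param(
        [string]$TempRoot = $env:TEMP,
        [int]$OlderThanMinutes = 30
    )
    $cutoff = (Get-Date).AddMinutes(-$OlderThanMinutes)

    # Image paths of running processes, so a folder that a running copy of the
    # utility was extracted to is flagged as in use and never offered for removal.
    $runningPaths = Get-Process -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Path } | Where-Object { $_ }

    Get-ChildItem -LiteralPath $TempRoot -Directory -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^IXP\d+\.tmp$' } |   # IXP000.tmp, IXP001.tmp, ...
        ForEach-Object {
            $dir    = $_
            $prefix = $dir.FullName.TrimEnd('\') + '\'
            $inUse  = [bool]($runningPaths | Where-Object {
                $_.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)
            })
            $files  = @(Get-ChildItem -LiteralPath $dir.FullName -Recurse -File -Force `
                            -ErrorAction SilentlyContinue)
            [pscustomobject]@{
                Path      = $dir.FullName
                LastWrite = $dir.LastWriteTime
                FileCount = $files.Count
                InUse     = $inUse
                Stale     = ($dir.LastWriteTime -lt $cutoff)
            }
        }
}

function Remove-LeftoverIxpFolder {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [string]$TempRoot = $env:TEMP,
        [int]$OlderThanMinutes = 30
    )
    Get-LeftoverIxpFolder -TempRoot $TempRoot -OlderThanMinutes $OlderThanMinutes |
        Where-Object { $_.Stale -and -not $_.InUse } |
        ForEach-Object {
            # ShouldProcess honours -WhatIf and -Confirm, so removal can be previewed.
            if ($PSCmdlet.ShouldProcess($_.Path, 'Remove leftover extraction folder')) {
                Remove-Item -LiteralPath $_.Path -Recurse -Force
            }
        }
}

# Review first; this call deletes nothing.
Get-LeftoverIxpFolder | Format-Table -AutoSize

# Preview, then perform, the removal:
# Remove-LeftoverIxpFolder -WhatIf
# Remove-LeftoverIxpFolder
```

Other self-extracting packages can use the same IXP###.tmp naming, so check the listed paths and file counts before removing anything.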
