Symantec Endpoint Protection reports "No Symantec Protection technologies are Installed"

Article:TECH93564  |  Created: 2009-01-21  |  Updated: 2012-05-24  |  Article URL http://www.symantec.com/docs/TECH93564
Article Type
Technical Solution


Environment

Issue



Symantec Endpoint Protection (SEP) Client is installed and appears to be working properly, but the Client User Interface status page reports "No Symantec Protection technologies are Installed"

Symptoms
For managed clients, the Symantec Endpoint Protection Manager (SEPM) reports that the client is working properly, and the SEP client is updating correctly.
However, when the SEP client User Interface is opened, it reports that "No Symantec Protection Technologies are Installed".

On unmanaged clients, the client is protected (this can be seen/demonstrated because AutoProtect "pop-ups" occur and the system is still protected from viruses and malware), but the SEP client GUI reports "No Symantec Protection Technologies are Installed"

If the client has the SNAC client enabled, this component will appear as working properly



 


Error



No Symantec Protection Technologies are Installed


Environment



Windows Server 2003 - Standard Edition.


Cause



[A]  This is caused by a permissions issue on the Symantec Endpoint Protection Registry Hive:
The symptoms above will appear if the permissions for the user account of the logged in user is denied read access to any of the following registry entries: [HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\]
[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\ClientUI\]
[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\ClientUI\ComCatCache\]
[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\ClientUI\ComCatCache\{5713D82F-7C60-410a-9144-FE4D0329DF7B}\]

[B]  This is caused by "Enable trusted publisher lockdown" option was checked in User configuration - Windows Settings - Internet Explorer Maintenance - Security - Authenticode Settings .

[C]  This can be also caused due to the traces of previously installed SEP or Symantec AntiVirus (SAV). 


Solution



NOTE: If this condition is determined to be caused by either condition A or B, this is frequently an applied Network Security issue.  Due to that, it is critical that once the cause is positively identified (A or B), that the Network Security team be notified.  In most cases, the team/person responsible for the AV product is not the team/person that applied the incorrect permissions settings (usually via GPO.). 
This is now an issue that should be evaluated internally by the customer's various applicable teams.
Having a TestSec report from a working system to compare with a failing system will significantly reduce the confusion on what DCOMs, rights and permissions need to be addressed.

 

For the below listed solutions, test each on only one problematic system. If the solution will resolve the problem, network wide, ask your customer to contact the Network Security team for GPO modification.

Solution [A] :
NOTE: The listed registry keys, by Microsoft default, should not require change.  Discuss with the customer how these security settings were implemented and if their network security individual should be notified.
NOTE: Export the below listed registry items and save the resulting .reg file to a safe location.
NOTE: Any changes to the system should be accomplished by the customer, under Symantec guidance, as required.
NOTE: Apply changes to only one system to verify the SEP client functionality.  Once functionality is verified, the customer should contact the network security individual concerning changing the applicable GPO policy for the rest of the network.

To access the permissions on any specific registry key, open REGEDIT and browse to the key in question -

[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV]

Right-click on the key and select "Permissions". You should see a screen such as the one below:



Ensure that no accounts or groups are explicitly denied permissions on the Symantec registry key or sub keys

Ensure that the Users group has the "Read" permission allowed.

One way of ensuring that all permissions are correctly set is to set the permissions correctly on the Symantec key

[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\]

Then click on the "Advanced" permissions button. You should see a window like the screen shot below:



(As you can see, the "Users" group has read permissions, and no group or user is denied any permissions)

Tick the box "Replace permission entries on all child objects with entries shown here that apply to child objects"

This will reset the permissions on the entire Symantec hive and all entries within it.

You should now be able to close and reopen the SEP client UI and see the status of all of the installed components.

Note that if there is an "Explicit Deny" set on any registry entry, the steps above will not remove it. As such, you should still verify manually that none of the keys below have an "Explicit Deny" entry against any user or user group.

[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\]
[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\]
[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\]
[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\ClientUI\]
[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\ClientUI\ComCatCache\]
[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\ClientUI\ComCatCache\{5713D82F-7C60-410a-9144-FE4D0329DF7B}\]



Technical Information
Note that the permissions on the registry may be being set by GPO. In this case, the manual steps above will fix the computer, but the permissions will be reset if/when the computer is restarted, or if the user logs out and a different user logs in. In this case, it will be necessary to identify which Group Policy or Security Policy is setting the permissions on the Symantec registry keys, and remove or edit the policy so that it no longer affects the Symantec registry keys.

 

Solution [B] :

  1. Click on start.
  2. Go to Run
  3. Type "gpedit.msc"
  4. In the Local Group Policy Editor
  5. Navigate to User configuration - Windows Settings - Internet Explorer Maintenance - Security
  6. On the Right hand pane, double click on "Authenticode settings"
  7. Uncheck "Enable trusted publisher lockdown"
  8. Click on start.
  9. Go to Run
  10. Type "GpUpdate /Force"
  11. Restart the system.

 

 

No Protection Technologies issue.

 

Can be additionally caused by:
-          Corrupted install/upgrade package which force clients within the group to remove all their features.
(Ref: TECH161241)
 

-          Incorrect permissions on following files:
msvcp71.dll
msvcr71.dll
Note: Those files are usually located in C:\Windows\system32 folder. 
(Ref: TECH161209)
 

 The permissions listing from a test machine:

  • SYSTEM – Full access
  • Administrators – Full access
  • Users – Read and Execute, Read                 

     

Registry permissions issue 

The registry keys below can potentially contribute to the issue.
The permissions from un-affected machine can be compared with an affected one.


Note: StandAlone TestSec Tool contains the configuration file “SymStatic.dat” which allows testing the permissions on custom registry keys and file system locations. This is a easily readable/editable text file. 
It was updated 7/28/2011 with the following keys:
 

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\ClientUI\ComCatCache
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\ClientUI\ComCatCache\{5713D82F-7C60-410a-9144-FE4D0329DF7B}
HKEY_CLASSES_ROOT\CLSID\{DEDC07E8-EE02-4AB9-8DE3-15808156CB49}
HKEY_CLASSES_ROOT\CLSID\{C904B403-EA5E-48AB-99B6-F5A6EAD6D908}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DEDC07E8-EE02-4AB9-8DE3-15808156CB49}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C904B403-EA5E-48AB-99B6-F5A6EAD6D908}
HKEY_CLASSES_ROOT\SavMainUI.TamperProtectionProvider\CLSID
HKEY_CLASSES_ROOT\SavMainUI.TamperProtectionProvider.1\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SavMainUI.TamperProtectionProvider\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SavMainUI.TamperProtectionProvider.1\CLSID
HKEY_CLASSES_ROOT\SavMainUI.SavProtectionProvider\CLSID
HKEY_CLASSES_ROOT\SavMainUI.SavProtectionProvider.1\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SavMainUI.SavProtectionProvider\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SavMainUI.SavProtectionProvider.1\CLSID
HKEY_CLASSES_ROOT\AppID\{5C2FCE47-AC1E-43D5-8E5C-038570953896}
HKEY_CLASSES_ROOT\AppID\SavMainUI.DLL
HKEY_CLASSES_ROOT\CLSID\{04661FE8-877E-4157-A08A-A1152B880817}
HKEY_CLASSES_ROOT\CLSID\{3839D6F2-9AC5-4F95-9A47-504FB453ACBD}
HKEY_CLASSES_ROOT\CLSID\{4572031A-44ED-411B-9254-76449055D796}
HKEY_CLASSES_ROOT\CLSID\{9A4A52A6-7B83-403D-A6C9-1C8A492687CD}
HKEY_CLASSES_ROOT\CLSID\{AB08D3A3-260C-4CAB-BC71-8784DF963C8F}
HKEY_CLASSES_ROOT\CLSID\{AE78D5A2-46A3-43BB-A166-1B0018F0F21B}
HKEY_CLASSES_ROOT\CLSID\{BD94CF3C-95B7-48CF-A805-FC32EFBD3117}
HKEY_CLASSES_ROOT\CLSID\{CED1DFB3-4A7D-463F-985C-DBF75C52680B}
HKEY_CLASSES_ROOT\CLSID\{DEB07E48-ABCF-48AA-9B43-97E45D338C50}
HKEY_CLASSES_ROOT\CLSID\{E25C22E6-78BD-45F9-88D2-6DF7A580E400}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{5C2FCE47-AC1E-43D5-8E5C-038570953896}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\SavMainUI.DLL
HKEY_LOCAL_MACHINE\CLSID\{04661FE8-877E-4157-A08A-A1152B880817}
HKEY_LOCAL_MACHINE\CLSID\{3839D6F2-9AC5-4F95-9A47-504FB453ACBD}
HKEY_LOCAL_MACHINE\CLSID\{4572031A-44ED-411B-9254-76449055D796}
HKEY_LOCAL_MACHINE\CLSID\{9A4A52A6-7B83-403D-A6C9-1C8A492687CD}
HKEY_LOCAL_MACHINE\CLSID\{AB08D3A3-260C-4CAB-BC71-8784DF963C8F}
HKEY_LOCAL_MACHINE\CLSID\{AE78D5A2-46A3-43BB-A166-1B0018F0F21B}
HKEY_LOCAL_MACHINE\CLSID\{BD94CF3C-95B7-48CF-A805-FC32EFBD3117}
HKEY_LOCAL_MACHINE\CLSID\{C904B403-EA5E-48AB-99B6-F5A6EAD6D908}
HKEY_LOCAL_MACHINE\CLSID\{validity4A7D-463F-985C-DBF75C52680B}
HKEY_LOCAL_MACHINE\CLSID\{DEB07E48-ABCF-48AA-9B43-97E45D338C50}
HKEY_LOCAL_MACHINE\CLSID\{DEDC07E8-EE02-4AB9-8DE3-15808156CB49}
HKEY_LOCAL_MACHINE\CLSID\{E25C22E6-78BD-45F9-88D2-6DF7A580E400}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\7575C05C2E2DBE9468B685AD530ECA8B
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A65E9D7ED15B977468878D7B8938BB61
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls 

 

Incorrect “State” value in Software Publishing key.

Key: HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing


The issue can happen when DWORD value “State” is set to another value than “23c00”.
Ref: http://www.symantec.com/connect/forums/no-protection-technologies-are-installed-0

Note: After changing the value of “State” value the restart of SMC service or reboot is required.
Note: Symantec is aware that some companies use the value of "63c00" to force the system to check the vailidity of any certificate in use. 
Accordingly, this is a security setting and the customer should be made aware to contact the Network Security team reguardingthis value.


-          By GPO called “Enable trusted publisher lockdown”
-          By GPO Software Restriction Policies > Trusted Publishers

If the following options are selected, Windows XP and Windows 7 machines will be impacted.
-           “Allow only all administrators to manage Trusted Publishers”
-          “Verify that the publisher certificate is not revoked”
-          “Verify that the timestamp is not revoked”

If the following options are selected, only Windows XP is impacted. (Windows 7 works fine)
-          “Allow only all administrators to manage Trusted Publishers”
-          “Verify that the publisher certificate is not revoked”

If the following options are selected, both XP and 7 works fine.
-          “Allow all administrators and users to manage user’s own Trusted Publishers”
-          “Verify that the publisher certificate is not revoked”
 

The Default configuration is: (Option – “Specify Trusted Publisher (Authenticode) policy options” is NOT selected)


Solution [C]:
Create a new client package by selecting the client install settings to "Remove all previous Logs policies, and reset the client-server communication settings".
Deploy the package on those computers only that are effected; either by creating a new group or deploy it manually.
 



Legacy ID



2009042115381848


Article URL http://www.symantec.com/docs/TECH93564


Terms of use for this information are found in Legal Notices