Question / Issue:

Why does a Computer Software Restriction Policy result in Symantec AV service start failure on Domain Computers?

Description / Symptoms:

If Symantec Antivirus 10 (or higher) is installed on a machine, a Computer Software Restriction Policy is in place, and "Trusted Publishers" is set to anything other than "End Users", the service will fail to start with the following errors in the Event Viewer under the event log:

Event Type: Error
Event Source: Symantec AntiVirus
Event Category: None
Event ID: 14
Date: MM/DD/YYYY
Time: 12:41:59 PM
User: N/A
Computer: <Computer Name>
Description: Symantec AntiVirus services failed to start. (2000005F)

Event Type: Information
Event Source: Symantec AntiVirus
Event Category: None
Event ID: 14
Date: MM/DD/YYYY
Time: 12:41:59 PM
User: N/A
Computer: <Computer Name>
Description: Could not start Service Engine err=2000005F

NOTE: A User Software Restriction Policy works; only the Computer policy triggers the failure.

Resolution

Symantec Antivirus 10 (and higher) uses certificates in the install and also for the application to run. So if a Software Restriction Policy is in place for the computer and "Trusted Publishers" is defined as anything other than "End Users", the machine automatically checks for the existence of the certificate in the machine's "Trusted Publisher" store. If it is not there, the software is blocked from running, as Software Restriction Policies are designed to do.

There are a number of solutions here, but in every case a copy of the certificate in question needs to be placed in the machine's "Trusted Publisher" store. Here are some options to get that done:

========================================================================================================

Option 1: Use the MMC to copy and paste the certificate into the Trusted Publisher Store

1. Log into the machine as an administrator (local admin rights).
2. Launch MMC.exe
3. Add/Remove Snap-in and add "Certificates"
4. Select "Computer account"
5. Click on Next
6. Select Local Computer
7. Click on Finish
8. Close the Add Snap-in window.
9. Click "Okay"
10. Expand "Certificates (Local Computer)"
11. Expand "Trusted Root Certification Authorities"
12. Highlight "Certificates"
13. Find "Symantec Root CA" or the appropriate Trusted Root Cert for the application in question.
14. Highlight it and right-click on it, then select "Copy"
15. Highlight "Trusted Publishers" in the left pane.
16. In the right pane, click on an empty spot and right-click again, then select "Paste"
17. A "Certificates" folder should appear under "Trusted Publishers"
18. Highlight it and you should see a copy of the certificate you pasted in that store now.
19. The service will now start successfully.

========================================================================================================

Option 2: Use Certutil to import the certificates to the Trusted Publisher Store (certificates are exported from the Symantec applications beforehand)

1. certutil -enterprise -addstore "TrustedPublisher" c:\rtvscan.cer

NOTE: This is sufficient for SAV 10.1. For SAV 10.0.x or higher, you would also have to run the following procedure:

Example command - <Please change the (drivename) to the corresponding drive where the certificate store is located / the certificates are stored>

1. certutil -enterprise -addstore "TrustedPublisher" c:\ccApp.cer

NOTE: You'd have to run the command as an administrator, of course, and the *.cer files are those exported from the corresponding SAV executables. They are stored on the C: drive in my example.

========================================================================================================

Option 3 (FOR USE BY QUALIFIED <Read - Extreme Nerds :P > PERSONNEL ONLY): Use the supplied SAMPLE script to copy the certificate to the Trusted Publisher Store

<Please note that you need to modify this script to suit the environment you are working on>

NOTE: You will need to have the user / administrator register capicom.dll with regsvr32 for this script to work, viz. click on START -> RUN -> type in "regsvr32 capicom.dll" without the quotes, and then click on OK. It also assumes the default install location for Symantec Antivirus 10 or higher. It is provided as is and there is no error checking, and proper disclaimers need to be given to the user(s) in case you are using this script on the user(s)' computer(s). The following script has been graciously provided by a friend and neither he nor I shall hold any responsibility for improper use of this script. Please test in a test environment, or on a test computer facing a similar issue, before you go ahead and implement this in production.
You can get capicom.dll to register from the following location:

http://www.microsoft.com/downloads/info.aspx?na=22&p=1&SrcDisplayLang=en&SrcCategoryId=&SrcFamilyId=&u=%2fdownloads%2fdetails.aspx%3fFamilyID%3d860ee43a-a843-462f-abb5-ff88ea5896f6%26DisplayLang%3den

<Please search for "capicom" regularly on http://www.microsoft.com/downloads/ before you use this article, since Microsoft regularly updates the .MSI file for CAPICOM>

-------------------------------------- BEGIN COPY -----------------------------------

Option Explicit

' CAPICOM Constants
Const CAPICOM_LOCAL_MACHINE_STORE = 1
Const CAPICOM_STORE_OPEN_READ_WRITE = 1
Const CAPICOM_STORE_OPEN_MAXIMUM_ALLOWED = 2
Const CAPICOM_STORE_OPEN_EXISTING_ONLY = 128
Const CAPICOM_ROOT_STORE = "ROOT"
Const CAPICOM_CERT_INFO_SUBJECT_SIMPLE_NAME = 0
Const CAPICOM_STORE_OPEN_READ_ONLY = 0
Const CAPICOM_CERTIFICATE_FIND_SUBJECT_NAME = 1
Const CAPICOM_CERTIFICATE_INCLUDE_END_ENTITY_ONLY = 2
Const CAPICOM_CERTIFICATE_SAVE_AS_CER = 1
Const CAPICOM_CERTIFICATES_SAVE_AS_PKCS7 = 1
Const CAPICOM_EXPORT_DEFAULT = 0
Const CAPICOM_ENCODE_BASE64 = 0
Const ForWriting = 2

' Every variable is declared here because Option Explicit is on
' (the original sample had it commented out and used filesys, SignedEXE,
' SigningCerts and certBlob without declaring them).
Dim Store, Certificate, Certificates
Dim filesys, SignedEXE, SigningCerts, certBlob

'==================================================================================
' Part 1: find the Symantec root in the machine ROOT store and copy it
'         to the Trusted Publisher store
'==================================================================================

' Open the machine certificate store (ROOT).
Set Store = CreateObject("CAPICOM.Store")
Store.Open CAPICOM_LOCAL_MACHINE_STORE, CAPICOM_ROOT_STORE, CAPICOM_STORE_OPEN_MAXIMUM_ALLOWED Or CAPICOM_STORE_OPEN_EXISTING_ONLY
Set Certificates = Store.Certificates

' Loop through the certs in the root store,
' find the one we want and save it to c:\
For Each Certificate In Certificates
    'wscript.echo Certificate.SubjectName
    If Certificate.SubjectName = "CN=Symantec Root CA, O=Symantec Corporation" Then
        Certificate.Save "c:\symantec.cer", , CAPICOM_CERTIFICATE_SAVE_AS_CER, CAPICOM_CERTIFICATE_INCLUDE_END_ENTITY_ONLY
    End If
Next

' Free resources.
Set Store = Nothing
Set Certificate = Nothing
Set Certificates = Nothing

' Open the trusted publishers store and add the saved root certificate.
Set Store = CreateObject("CAPICOM.Store")
Store.Open CAPICOM_LOCAL_MACHINE_STORE, "TrustedPublisher", CAPICOM_STORE_OPEN_MAXIMUM_ALLOWED Or CAPICOM_STORE_OPEN_EXISTING_ONLY
Set Certificate = CreateObject("CAPICOM.Certificate")
Certificate.Load "c:\symantec.cer"
Store.Add Certificate

' Remove the temporary file again.
Set filesys = CreateObject("Scripting.FileSystemObject")
If filesys.FileExists("c:\symantec.cer") Then
    filesys.DeleteFile "c:\symantec.cer"
End If

'==================================================================================
' Part 2: extract the code-signing cert from the Symantec .EXE and save it
'         to the Trusted Publisher store.
' This makes the assumption that the .exe is in
' "C:\Program Files\Symantec AntiVirus\Rtvscan.exe"
'==================================================================================

Set SignedEXE = CreateObject("CAPICOM.SignedCode")
SignedEXE.FileName = "C:\Program Files\Symantec AntiVirus\Rtvscan.exe"
Set SigningCerts = SignedEXE.Certificates

' Pick the signer certificate out of the Authenticode signature and
' write it out as a Base64 .cer file.
For Each Certificate In SigningCerts
    If Certificate.SubjectName = "CN=Symantec Corporation, OU=Symantec Research Labs, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Symantec Corporation, L=Santa Monica, S=California, C=US" Then
        certBlob = Certificate.Export(CAPICOM_ENCODE_BASE64)
        SaveFile "c:\symantec_codesign.cer", certBlob
    End If
Next

' Free resources.
Set Store = Nothing
Set Certificate = Nothing
Set Certificates = Nothing

' Open the trusted publishers store and add the signer certificate.
Set Store = CreateObject("CAPICOM.Store")
Store.Open CAPICOM_LOCAL_MACHINE_STORE, "TrustedPublisher", CAPICOM_STORE_OPEN_MAXIMUM_ALLOWED Or CAPICOM_STORE_OPEN_EXISTING_ONLY
Set Certificate = CreateObject("CAPICOM.Certificate")
Certificate.Load "c:\symantec_codesign.cer"
Store.Add Certificate

' Remove the temporary file again.
Set filesys = CreateObject("Scripting.FileSystemObject")
If filesys.FileExists("c:\symantec_codesign.cer") Then
    filesys.DeleteFile "c:\symantec_codesign.cer"
End If

' Free resources.
Set Store = Nothing
Set Certificate = Nothing
Set SigningCerts = Nothing
Set SignedEXE = Nothing
Set filesys = Nothing

'******************************************************************************
' Subroutine: SaveFile
'
' Synopsis  : Save string to file.
'
' Parameter : FileName - Output filename.
'
'             Buffer   - String buffer to be saved.
'
'******************************************************************************
Sub SaveFile (FileName, Buffer)
    Dim fso
    Set fso = CreateObject("Scripting.FileSystemObject")

    Dim ts
    Set ts = fso.OpenTextFile(FileName, ForWriting, True)

    ts.Write Buffer
    ts.Close
End Sub ' End SaveFile

--------------------------------------- END COPY --------------------------------------

=========================================================================

DISCLAIMER: This sample is provided as is and is not meant for use in a production environment. I've put in quite a lot of research on this in a test environment, and it works, but please test it before you try this in a production environment. It is provided only for illustrative purposes. The end user / engineer must test and modify the sample to suit the target environment.
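The same job in PowerShell, as an added example that is not part of the original article and is not Symantec's or Microsoft's code: it does in one step what Option 2 (certutil on an exported .cer) and the second half of the Option 3 script (pulling the Authenticode signer out of Rtvscan.exe with CAPICOM) do, but uses Get-AuthenticodeSignature and the .NET X509Store classes, so no capicom.dll registration is required. Assumptions: an elevated PowerShell session on the affected computer; the Rtvscan.exe path is only the article's default install location; the script file name Add-SavPublisher.ps1 and the optional -ExpectedSubject parameter are hypothetical. Unlike the sample script it publishes only the end-entity signer certificate (not a root CA), refuses to publish anything whose signature does not verify, and skips the add if the certificate is already in the store, so it can be rerun safely.

```powershell
# Added example (not from the original article or from Symantec): publish the
# Authenticode signer of a signed executable into the machine's
# TrustedPublisher store, the store that a Computer Software Restriction
# Policy consults when "Trusted Publishers" is not set to "End Users".
# Assumptions: elevated session; the default path below is the article's
# default SAV install location and may differ on your system.
#Requires -RunAsAdministrator
param(
    [string]$ExePath = 'C:\Program Files\Symantec AntiVirus\Rtvscan.exe',
    # Hypothetical guard: if set, the signer subject must match exactly.
    [string]$ExpectedSubject = $null
)

function Get-SignerCertificate {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # Only promote a publisher whose signature actually chains and verifies;
    # an unsigned or tampered binary must never end up in Trusted Publisher.
    if ($sig.Status -ne 'Valid') {
        throw "Signature on '$Path' is not valid (status: $($sig.Status)); nothing added."
    }
    return $sig.SignerCertificate
}

function Add-TrustedPublisher {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $store = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Store `
        -ArgumentList 'TrustedPublisher', 'LocalMachine'
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try {
        # Idempotence: look the certificate up by thumbprint before adding it.
        $existing = $store.Certificates.Find(
            [System.Security.Cryptography.X509Certificates.X509FindType]::FindByThumbprint,
            $Certificate.Thumbprint, $false)
        if ($existing.Count -gt 0) {
            Write-Host "Already present in LocalMachine\TrustedPublisher: $($Certificate.Thumbprint)"
            return $false
        }
        $store.Add($Certificate)
        Write-Host "Added to LocalMachine\TrustedPublisher: $($Certificate.Subject) [$($Certificate.Thumbprint)]"
        return $true
    }
    finally {
        $store.Close()
    }
}

$cert = Get-SignerCertificate -Path $ExePath
if ($ExpectedSubject -and $cert.Subject -ne $ExpectedSubject) {
    throw "Signer subject '$($cert.Subject)' does not match the expected '$ExpectedSubject'."
}

# Show exactly what is about to be trusted before touching the store.
$cert | Format-List Subject, Issuer, NotBefore, NotAfter, Thumbprint
Add-TrustedPublisher -Certificate $cert | Out-Null

# Verify: list the machine Trusted Publisher store, the PowerShell
# equivalent of step 18 in Option 1.
Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
    Format-Table Subject, Thumbprint, NotAfter -AutoSize
```

Run it from an elevated prompt as `.\Add-SavPublisher.ps1`, or with `-ExePath` pointing at another signed SAV binary such as ccApp.exe (the second certificate Option 2 imports for the versions it names). Restart the Symantec AntiVirus service afterwards and check that Event ID 14 no longer appears. Because the script writes the LocalMachine store, it changes what the Computer Software Restriction Policy allows for every user of that machine, so keep the output of the final listing as a record of what was trusted.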