Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Community Blog

How to troubleshoot Symantec Endpoint Protection (SEP) or Symantec Endpoint Protection Manager (SEPM) installation failures

Created: 28 Apr 2011
w-d's picture
+1 1 Vote
Login to vote

It happens many times that you try to install SEP or SEPM and at the end it rolls back.

To avoid losing time by guessing what could be the cause of such issue it is worth to find the installation log and look. It gives you much useful information and sometimes helps you to resolve the problem very quickly.

Installation log’s names for the above products are:

sep_inst.log for SEP

sepm_inst.log for SEPM

Usually they are stored in the temporary folders:

C:\Windows\temp

or

C:\Documents and Settings\User_Name\Local Settings\Temp (where User_Name is currently logged user. You can open this temp by typing %temp% in start -> run)

If the installation log will not be found in none of those locations, you can search for those names on your whole disk.

If still cannot be found, you might have to force the creation of the installation log. In order to do that you will have to run msi installation from the command prompt using this command:

msiexec /i “path-to-msi\Symantec Endpoint Protection.msi” /L*V C:\sep_inst.log

where:

- “path-to-msi” is the whole path to the msi file you need to launch (if the file is stored in SEP folder on desktop of the user called ABC the path would be C:\Documents and Settings\ABC\Dekstop\SEP).

Note: you need to use brackets “” if there are spaces in the path and installation file name

- “Symantec Endpoint Protection.msi” is the installation file for SEP client (for SEPM it would be “Symantec Endpoint Protection Manager.msi”)

- “C:\sep_inst.log” it is the name and full path for the installation log

Eg:

msiexec /i “C:\Documents and Settings\ABC\Dekstop\SEP\Symantec Endpoint Protection.msi” /L*V C:\sep_inst.log

Once you have the installation log and SEP or SEPM is keeping to rolling back, open the installation log file and look for the value return value 3. Value 3 indicates that it happened something serious and around this value we will find more information about the cause. Once you find it, have a look on 10-15 lines above return value 3.

Note: in localized versions return value will be the following:

Rückgabewert– German

Valor devuelto– Spanish

Valore restituito– Italian

Here is an example of a machine which had a rollback:

MSI (s) (E8:24) [08:38:06:296]: Executing op: ActionStart(Name=MSIUnInstallAMSServerLegacy.F4413C06_9100_4CCA_959E_AAC27B587C0D,,)
Action 8.38.06: MSIUnInstallAMSServerLegacy.F4413C06_9100_4CCA_959E_AAC27B587C0D.
MSI (s) (E8:24) [08:38:06:374]: Executing op: CustomActionSchedule(Action=MSIUnInstallAMSServerLegacy.F4413C06_9100_4CCA_959E_AAC27B587C0D,ActionType=3073,Source=BinaryData,Target=MSIUnInstallAMSServerLegacy,)
MSI (s) (E8:70) [08:38:06:390]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSI40.tmp, Entrypoint: MSIUnInstallAMSServerLegacy
SAVServerCA: Check for legacy AMS server
SAVServerCA: Did not find Uninstall key for legacy AMS server.
MSI (s) (E8:24) [08:38:06:640]: Executing op: ActionStart(Name=MSIUnInstallAMS.F4413C06_9100_4CCA_959E_AAC27B587C0D,,)
Action 8.38.06: MSIUnInstallAMS.F4413C06_9100_4CCA_959E_AAC27B587C0D.
MSI (s) (E8:24) [08:38:06:718]: Executing op: CustomActionSchedule(Action=MSIUnInstallAMS.F4413C06_9100_4CCA_959E_AAC27B587C0D,ActionType=3089,Source=C:\Program Files\Symantec\Symantec System Center\AMS2\Winnt\InstallAMS.dll,Target=MSIUnInstallAMS,)
MSI (s) (E8:58) [08:38:06:718]: Invoking remote custom action. DLL: C:\Program Files\Symantec\Symantec System Center\AMS2\Winnt\InstallAMS.dll, Entrypoint: MSIUnInstallAMS
Action ended 8.38.06: InstallFinalize. Return value 3.

Looking above from Return value 3 you can see many indications about AMS – a legacy component from Symantec AntiVirus (SAV):

C:\WINDOWS\Installer\MSI40.tmp, Entrypoint: MSIUnInstallAMSServerLegacy
SAVServerCA: Check for legacy AMS server
SAVServerCA: Did not find Uninstall key for legacy AMS server.

(…)

ActionStart(Name=MSIUnInstallAMS.F4413C06_9100_4CCA_959E_AAC27B587C0D,,)
Action 8.38.06: MSIUnInstallAMS.F4413C06_9100_4CCA_959E_AAC27B587C0D.
(…)

CustomActionSchedule(Action=MSIUnInstallAMS.F4413C06_9100_4CCA_959E_AAC27B587C0D,ActionType=3089,Source=C:\Program Files\Symantec\Symantec System Center\AMS2\Winnt\InstallAMS.dll,Target=MSIUnInstallAMS,)
MSI (s) (E8:58) [08:38:06:718]: Invoking remote custom action. DLL: C:\Program Files\Symantec\Symantec System Center\AMS2\Winnt\InstallAMS.dll, Entrypoint: MSIUnInstallAMS

You can note some uninstallation attempts for the AMS component and a key information:

SAVServerCA: Did not find Uninstall key for legacy AMSserver.

It simply means that the AMS component is still installed and the SEP installation cannot remove it. This component needs to be removed prior installing SEP. Manual removal of AMS could be necessary in this case (http://www.symantec.com/business/support/index?page=content&id=TECH101722)

This is only an example. You can find different information in the installation log. The most common errors are:

1)

MSI (s) (8C:04) [09:27:13:894]: Invoking remote custom action. DLL: C:\Windows\Installer\MSIECDE.tmp, Entrypoint: InstallLiveUpdate
LUCA: InstallLiveUpdate enter.
LUCA: C:\Users\lwollen\AppData\Local\Temp\BJMLCWUK\LiveUpdate\lucheck.exe
LUCA: InstallLiveUpdate : CreateProcessAndWait( LUCHECK.EXE ) returned 206
CustomAction InstallLiveUpdate.479D9157_6569_48B2_97C9_6F35A45064AC returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
Action ended 9:27:34: InstallFinalize. Return value 3.

Lucheck 206indicates different things. All of them (including the resolution) you can find here:

Symantec Endpoint Protection Client installation fails on LUCHECK 206

http://www.symantec.com/business/support/index?page=content&id=TECH122691

2)

Errors reporting to pending system changes that requires a reboot (sometimes you can see a warning message in a pop-up window but sometimes you can find this information only in the installation log):

Installer Information - "Symantec Endpoint Protection has detected that there are pending system changes that require a reboot." when trying to install SEP 11.0 on Windows 7

http://www.symantec.com/business/support/index?page=content&id=TECH95608

3)

Problems related to permissions

4)

Not enough disk space