
antivirus is off warning

Created: 10 Mar 2009 • Updated: 21 May 2010 | 37 comments

On a Windows XP SP3 machine I have SEP 11.0.4014.26. Sometimes the Windows Security Center on that machine suddenly shows a warning that the antivirus protection is off, but when opening SEP it shows that everything is OK.

How do I fix this? Is SEP really off, or is it a bug somewhere?


JimBr wrote:

If you look at Microsoft's Windows Security Center after the computer is fully started for a little bit (5 minutes?), does it still show a problem? I sometimes see this as well, usually on startup. I think there is a race condition between WSC and SEP. If WSC starts up quicker than SEP's user-mode code, WSC will show this warning while SEP is in the process of starting. You are really still protected because our kernel-mode drivers' protection of the computer started at boot time ... well, before any of the user-mode processes.

Dani Avni wrote:

I am aware that there is a race condition between WSC and SEP and have seen it many times, but this is not the case. The user is working on the PC for a few hours and then suddenly the WSC warning appears.

Paul Mapacpac wrote:

If the Security Center says it is off, there are two possible reasons: the AV client process stopped or hung, or it may be not up to date.

Dani Avni wrote:

After checking Paul's response, I noticed the following behaviour on the client machine:

1. If I restart the WSC service, the warning remains.

2. If I restart the SEP service, the warning goes away.

This obviously shows that the problem is within SEP. The problem is that before restarting SEP, if I look at the SEP console it says everything is OK and working.

Any ideas?

Paul Mapacpac wrote:

Hi,
Yes, after an update the AV client should take in the new defs. If the update is successful but the displayed date is incorrect even after a restart, there could be a problem with the SEP installation.

Try to uninstall and use the MS Cleanup utility to remove corrupted setup information, then do a fresh install of the SEP client.

Hope this helps.

Dani Avni wrote:

I am still stuck on this issue, and it has started happening on at least 5 different PCs here. Does anyone have any idea how to solve this? (Except for the obvious silly solution of restarting the SEP service every time this happens.)

Thanks

Paul Mapacpac wrote:

Usually this happens to us if the product version is not updated; we also update Windows, and check RAM/HD usage as well.

smithm@queensu.ca wrote:

I've seen this on a number of computers, too. It causes all kinds of grief. On the one occasion when it happened on the computer I was using, I checked the SEP logs and noted that new definitions had just been retrieved and installed. If you witness the problem it is worth checking the Application events in the Windows Event Viewer. I think you'll see the hiccup noted at the same time as the VDF install.

Paul Mapacpac wrote:

Hi smithm, but can the WSC see that you have SEP?

smithm@queensu.ca wrote:

> Hi smithm, but can the WSC see that you have SEP?

Yes.  WSC says, "Symantec Endpoint Protection reports that it is off".  SEP itself reports that it is ON.  I think this is what Dani reported in his/her initial post.  Unfortunately, once WSC and SEP get out of sync the WSC warnings are hard to ignore.  And to be honest we don't want to train our users to ignore the warnings.

I was hoping MR4 would address the issue but that's the version Dani is using.

Probably a coincidence, but the time I witnessed WSC going from happy to sad I happened to be retrieving mail at the same instant that the new VDF was installed.  LiveUpdate was running silently in the background so I only discovered its activity when I examined the logs.

Also, I should note that these are Unmanaged clients installed via Custom setup to omit Application and Device Control and to omit Network Threat Protection.

Symantec World wrote:

I think this could be a problem with your SEP; try to repair it once.

Regards, M.R

smithm@queensu.ca wrote:

> I think this could be a problem with your SEP; try to repair it once.

What do you mean by Repair? The option offered by the WSC basically runs LiveUpdate, and that doesn't help.

smithm@queensu.ca wrote:

Thanks for the links. At the moment I don't have a computer demonstrating the issue so I can't test the suggestions. However, I think there is something wrong with the way SEP and WSC interact. We have thousands of SAV 10 installs on campus and this hasn't been an issue. We are getting ready to migrate to SEP and in our small test group (several dozen systems) the issue has shown up three or four times. That's worrisome but since I don't have a test that demonstrates the failure I'll just hope that this makes it onto somebody's radar at Symantec.

Dani Avni wrote:

Sorry, I have been away from the discussion for a while, but until yesterday I did not get any emails about new posts to this topic.

Anyway, I have a few comments:
1. I too have been seeing this error happen after LiveUpdate has been run and updated the defs. I also have an unconfirmed suspicion that another case was when a computer wakes from hibernation, but I cannot confirm that the hibernation is the cause and not some LiveUpdate that ran before the hibernation.
2. Paul, the links for cleaning the WSC list are nice, but on at least one XP machine I formatted it completely and did a fresh install of SEP 11.0.4014.26, and still the problem returned like I never formatted the PC. So the WSC list did not have other antivirus data in it, so there is no reason to clean it.
3. I have seen this happen on XP SP3 (managed) and on a few Vista unmanaged machines.

Paul Mapacpac wrote:

Dani, when you reformatted the PC, did you update Windows?

smithm@queensu.ca wrote:

Do Rapid Release defs change the engine or just the definitions?

This morning I noticed WSC was complaining that SEP was out of date, but I wasn't working in my office, and now that I'm back I see that the condition has cleared itself. The SEP logs show that new VDFs were downloaded in the middle of the night. The System Event logs concur and don't show anything else related to Symantec today. So, not sure what, if anything, this all means.

Dani Avni wrote:

Paul, yes, I keep all PCs in our company updated with all patches available on MS Update.

How do I turn Rapid Release on?

kajal wrote:

First check whether updates are coming or not. If updates are coming, then change the LiveUpdate warning setting tab; increase it to a minimum of 14 days.

BobMillington wrote:

I can confirm that unmanaged clients running Vista and Windows XP show security warnings at startup and also sometimes after a manual LiveUpdate. I have removed the software, run the clean utility and reinstalled... but same issue.

There IS a problem between SEP 11.0.4014.26 and WSC. I have contacted support, but that didn't go anywhere.

Don't bother with the uninstall-reinstall... run this utility... run that utility... update the OS... while putting your finger on your nose. I have spent about 5 hours performing every trick I could find to fix this issue... bottom line is that it's an APPLICATION PROBLEM.

Hopefully someone at Symantec will read this; maybe a new release in the future will fix it.

Peter_007 wrote:

We have also faced the same problem. Reinstallation doesn't solve the problem. I think the problem is in SEP 11.0. Hope that this problem will get resolved in the newer version, SEP 12.0.

Regards
Peter007

binayak wrote:

The reason for this is that Symantec services take time to start after the machine reboots, but the kernel is protected at the time of booting as the Symantec drivers always protect it. Once the Symantec services start, Windows Firewall stops showing this type of warning, and it hardly takes 1-2 minutes.

smithm@queensu.ca wrote:

I'm sorry binayak but you are confusing our problem with the timing issue on startup.  What you describe is annoying but since, as you say, it clears itself in a minute or two, the Symantec community grudgingly accepts the behaviour.

Our problem is entirely different.  No restart is involved.  You're working away happily when out of the blue the WSC reports that SEP is off (or perhaps out of date).  You check SEP and it says everything is on.  WSC offers three ways to fix the problem:

  1. Turn on your installed AV program.  No good because SEP is already on.
  2. Get another AV program.  Admittedly this sounds more and more like a good idea.
  3. Click the option, "I have an antivirus program that I'll monitor myself."

It is encouraging to see that other folks are reporting, "Me too," but what do we have to do to get someone at Symantec to acknowledge the underlying problem and give us some hope that someone is planning to fix it?

A shout out to BobMillington!  I feel your pain and I'm suffering right along with you Bob.

Paul Mapacpac wrote:

Hi Dani, but if you uninstall SEP, will it say that you don't have antivirus? It seems that WSC cannot see that SEP services are running.

Can you check this registry entry

HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\Monitoring

Check if there's an entry for SEP

Dani Avni wrote:

Hi Paul, if I restart the SEP service then WSC suddenly sees SEP and removes the warning, so I don't see a need to check the registry. WSC knows about SEP and shows it's working until, out of the blue, it says it's off or it says that the VDF is too old. Just this morning on an unmanaged machine WSC said that the VDF is too old. Looking at SEP I saw that the VDF is from yesterday, which seems fresh enough.

Would someone at Symantec care to join in the discussion and tell us what to do?
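The checks discussed in this exchange (what WSC believes, whether WSC has SEP registered under its Monitoring key, what SEP's own registry state says, and bouncing the SEP service when the two disagree) can be done in one script rather than by clicking through both consoles. The script below is an added example and is not from the thread or from Symantec. Its assumptions: WSC exposes its view through the WMI class `AntiVirusProduct` in `root\SecurityCenter` (XP) or `root\SecurityCenter2` (Vista and later), including the bit layout of `productState`; and the SEP 11 service is named `Symantec AntiVirus`. The `RealTimeScan\OnOff` and `APEOff` values are the ones that appear in the SEP log posted later in this thread.

```powershell
# Added diagnostic (not from the thread or from Symantec): compare what Windows
# Security Center believes about the antivirus with what SEP's own registry state
# says; with -Fix, restart the SEP service, which posters report clears the stale
# WSC warning.
# Assumptions (not from the thread):
#  - WMI class AntiVirusProduct in root\SecurityCenter (XP SP2/SP3) and
#    root\SecurityCenter2 (Vista and later) is how WSC exposes its view.
#  - The SEP 11 service name is 'Symantec AntiVirus'; adjust if yours differs.
param(
    [switch]$Fix   # restart the SEP service when WSC and SEP disagree
)

$sepService = 'Symantec AntiVirus'    # assumed service name, see above
$sepAvKey   = 'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan'

function Get-WscAntivirusView {
    # XP exposes boolean properties; Vista+ collapses the state into productState.
    $xp = Get-WmiObject -Namespace 'root\SecurityCenter' -Class AntiVirusProduct -ErrorAction SilentlyContinue
    if ($xp) {
        foreach ($p in $xp) {
            New-Object PSObject -Property @{
                Source   = 'root\SecurityCenter'
                Name     = $p.displayName
                Enabled  = [bool]$p.onAccessScanningEnabled
                UpToDate = [bool]$p.productUptoDate
            }
        }
        return
    }
    $vista = Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct -ErrorAction SilentlyContinue
    foreach ($p in $vista) {
        # Assumed layout of the undocumented productState field: bits 8-15 hold the
        # on/off state (0x10 in that byte = on), bits 0-7 the definition freshness
        # (0x10 = out of date).
        $state = [int]$p.productState
        New-Object PSObject -Property @{
            Source   = 'root\SecurityCenter2'
            Name     = $p.displayName
            Enabled  = ((($state -shr 8) -band 0xFF) -eq 0x10)
            UpToDate = (($state -band 0xFF) -eq 0x00)
        }
    }
}

function Get-SepRegistryView {
    # SEP keeps OnOff=1 and APEOff=0 while Auto-Protect is enabled; when it is
    # disabled OnOff becomes 0 and APEOff becomes a non-zero timestamp.
    $v = Get-ItemProperty -Path $sepAvKey -ErrorAction SilentlyContinue
    if (-not $v) { return $null }
    New-Object PSObject -Property @{ OnOff = [int]$v.OnOff; APEOff = [int64]$v.APEOff }
}

function Get-WscMonitoringEntries {
    # The key Paul suggested checking: where WSC records the AV products it monitors.
    $key = 'HKLM:\SOFTWARE\Microsoft\Security Center\Monitoring'
    if (Test-Path $key) { Get-ChildItem $key | ForEach-Object { $_.PSChildName } }
}

$wsc = @(Get-WscAntivirusView | Where-Object { $_.Name -like '*Symantec*' })
$sep = Get-SepRegistryView
$svc = Get-Service -Name $sepService -ErrorAction SilentlyContinue

"SEP service '$sepService': " + $(if ($svc) { $svc.Status } else { 'not found' })
'WSC Monitoring entries: ' + ((Get-WscMonitoringEntries) -join ', ')
"SEP registry: OnOff=$($sep.OnOff) APEOff=$($sep.APEOff)"
$wsc | Format-Table Source, Name, Enabled, UpToDate -AutoSize

$sepSaysOn = ($sep -ne $null -and $sep.OnOff -eq 1 -and $sep.APEOff -eq 0)
$wscSaysOn = ($wsc.Count -gt 0 -and -not ($wsc | Where-Object { -not $_.Enabled }))

if ($sepSaysOn -and -not $wscSaysOn) {
    Write-Warning 'SEP says Auto-Protect is ON but WSC reports it OFF or unknown: the two are out of sync.'
    if ($Fix -and $svc) {
        Restart-Service -Name $sepService -Force
        Write-Host 'Restarted SEP service; re-run without -Fix to confirm WSC now agrees.'
    }
} elseif (-not $sepSaysOn) {
    Write-Warning 'SEP registry says Auto-Protect really is OFF; check the SEP client log for who disabled it.'
} else {
    Write-Host 'WSC and SEP agree: Auto-Protect is on.'
}
```

Run it from an elevated prompt when the warning is showing; the interesting case for this thread is the first branch (SEP on, WSC off), which is the only one where a service restart is a reasonable fix. If the second branch fires, SEP really is off and the WSC warning is correct.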

JimBr wrote:

I have been following the thread, but I don't have anything specific to contribute. As I understand it, this behavior is inconsistent. Sometimes it occurs, other times it does not. When it is occurring consistently, have you tried tech support? Their problem is that they cannot help if the problem is not occurring. ... open to other ideas ... ?

BMA wrote:

We are tracking a known issue where Windows Security Center warns that antivirus definitions are "out of date" after running an active scan or complete scan.  The problem is due to a registry permissions issue on Windows Vista operating systems.  This problem will be resolved in the next version of SEP (11.0.4200), which is not yet released.

The "out of date" error does not match the "antivirus is off" issue reported here, but it is possible that both issues have the same root cause.

Are the folks reporting the issue here all running Vista, or are you seeing the problem on other operating systems?

smithm@queensu.ca wrote:

Thanks for your response, BMA.

I'm seeing the problem on Windows XP, and a quick scan of the discussion above shows others have seen it on XP and Vista. It has been reported on multiple systems here and some may be Vista, but I can't confirm that today.

I have a scheduled scan that runs early Friday morning and the WSC was complaining after that. I believe it has happened at other times as well, notably after a background LiveUpdate installs new VDFs. However, now that I know the scan might be a factor, I'll watch for that.

BMA wrote:

Thanks for your response. After virus definitions are installed the product may do a quick scan, particularly if there are items in the quarantine. Thanks for keeping an eye out for the scan times; if we can link the scans to the WSC issues, there is a higher degree of confidence that this is the same issue.

smithm@queensu.ca wrote:

I do have items in Quarantine on one XP system demonstrating the behaviour: EICAR test files and some innocuous text files that I added just to have something in quarantine while testing installs, upgrades, and uninstalls.  On Monday I'll ask my other users about their quarantine status.

Dani Avni wrote:

BMA, thanks for the reply. On my side, here are the details I have seen:
1. The "VDF out of date" and "AV is off" messages in WSC appear on both XP and Vista, both managed and unmanaged.
2. At least on the managed machines I have a morning "active scan" which runs at about 6 AM. However, the WSC warning can appear at any time during the work day, even hours after 6 AM when the scan is not running. Also, on an XP machine having this problem the quarantine is empty, so a new VDF should not trigger a scan (unless there are other reasons for a scan to run). I will try to find a correlation between the WSC warnings and the scan log of SEP and will post more info if I find something.

smithm@queensu.ca wrote:

When I came in this morning WSC was reporting that SEP was off. I right-clicked the SEP icon and selected Disable SEP, and then right-clicked again and chose Enable SEP. This cleared the WSC complaint.

I don't see a way to attach a file, but here's a snapshot of my SEP logs for yesterday and today (exported as CSV, newest first):

Date and Time,Event,Computer,User,Logged By,Description
4/26/2009 12:15:05 PM,Configuration Changed,ITSSTA32024A,Administrator,System,Symantec Endpoint Protection Internet E-mail Auto-Protect Enabled
4/26/2009 12:15:04 PM,Configuration Changed,ITSSTA32024A,Administrator,System,Changed value 'HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\OnOff' from '0' to '1'
4/26/2009 12:15:04 PM,Symantec Endpoint Protection Auto-Protect Enabled,ITSSTA32024A,Administrator,System,Symantec Endpoint Protection Auto-Protect Enabled.
4/26/2009 12:15:02 PM,Configuration Changed,ITSSTA32024A,Administrator,System,Changed value 'HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\APEOff' from '1240762497' to '0'
4/26/2009 12:15:02 PM,Configuration Changed,ITSSTA32024A,Administrator,System,Changed value 'HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\OnOff' from '0' to '1'
4/26/2009 12:15:00 PM,Configuration Changed,ITSSTA32024A,Administrator,System,Symantec Endpoint Protection Internet E-mail Auto-Protect Disabled
4/26/2009 12:14:59 PM,Symantec Endpoint Protection Auto-Protect Disabled,ITSSTA32024A,Administrator,System,Symantec Endpoint Protection Auto-Protect Disabled.
4/26/2009 12:14:59 PM,Configuration Changed,ITSSTA32024A,Administrator,System,Changed value 'HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\OnOff' from '1' to '0'
4/26/2009 12:14:58 PM,Configuration Changed,ITSSTA32024A,Administrator,System,Changed value 'HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\APEOff' from '0' to '1240762497'
4/26/2009 12:14:58 PM,Configuration Changed,ITSSTA32024A,Administrator,System,Changed value 'HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\OnOff' from '1' to '0'
4/26/2009 4:38:19 AM,Definition File Loaded,ITSSTA32024A,Administrator,System,New virus definition file loaded. Version: 110425t.
4/25/2009 4:38:38 AM,Definition File Loaded,ITSSTA32024A,Administrator,System,New virus definition file loaded. Version: 110424ao.
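BMA's follow-up question (was that disable/enable you, or some other process?) is the one to answer on every affected machine, and the exported log above has enough in it to answer it. The script below is an added example, not part of the post: it loads the same CSV rows smithm pasted, pairs each File System Auto-Protect Disabled event with the next Enabled event and reports the user and how long Auto-Protect was off, lists definition loads so they can be lined up against WSC warning times, and decodes the `APEOff` value. The decoding as a Unix timestamp is my inference from the rows themselves, not something the thread states: 1240762497 is 2009-04-26 16:14:57 UTC, which is 12:14:57 in Eastern Daylight Time, one second before the 12:14:58 PM "Auto-Protect Disabled" event.

```powershell
# Added triage script (not from the thread or from Symantec) for an exported SEP
# client log in the CSV layout posted above. The rows in $logCsv are copied from
# that post; point -Path at a full export to run it over a real log.
param([string]$Path)

$logCsv = @'
Date and Time,Event,Computer,User,Logged By,Description
4/26/2009 12:15:05 PM,Configuration Changed,ITSSTA32024A,Administrator,System,Symantec Endpoint Protection Internet E-mail Auto-Protect Enabled
4/26/2009 12:15:04 PM,Configuration Changed,ITSSTA32024A,Administrator,System,Changed value 'HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\OnOff' from '0' to '1'
4/26/2009 12:15:04 PM,Symantec Endpoint Protection Auto-Protect Enabled,ITSSTA32024A,Administrator,System,Symantec Endpoint Protection Auto-Protect Enabled.
4/26/2009 12:15:02 PM,Configuration Changed,ITSSTA32024A,Administrator,System,Changed value 'HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\APEOff' from '1240762497' to '0'
4/26/2009 12:15:02 PM,Configuration Changed,ITSSTA32024A,Administrator,System,Changed value 'HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\OnOff' from '0' to '1'
4/26/2009 12:15:00 PM,Configuration Changed,ITSSTA32024A,Administrator,System,Symantec Endpoint Protection Internet E-mail Auto-Protect Disabled
4/26/2009 12:14:59 PM,Symantec Endpoint Protection Auto-Protect Disabled,ITSSTA32024A,Administrator,System,Symantec Endpoint Protection Auto-Protect Disabled.
4/26/2009 12:14:58 PM,Configuration Changed,ITSSTA32024A,Administrator,System,Changed value 'HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\APEOff' from '0' to '1240762497'
4/26/2009 12:14:58 PM,Configuration Changed,ITSSTA32024A,Administrator,System,Changed value 'HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\OnOff' from '1' to '0'
4/26/2009 4:38:19 AM,Definition File Loaded,ITSSTA32024A,Administrator,System,New virus definition file loaded. Version: 110425t.
4/25/2009 4:38:38 AM,Definition File Loaded,ITSSTA32024A,Administrator,System,New virus definition file loaded. Version: 110424ao.
'@

function Convert-SepLogTime([string]$s) {
    # The export uses US-style "M/d/yyyy h:mm:ss tt" regardless of the machine locale.
    [DateTime]::ParseExact($s, 'M/d/yyyy h:mm:ss tt', [Globalization.CultureInfo]::InvariantCulture)
}

function ConvertFrom-ApeOff([int64]$value) {
    # Assumption inferred from the posted rows: APEOff is seconds since the Unix epoch
    # (UTC) at which Auto-Protect was turned off; 0 means it is on.
    if ($value -eq 0) { return $null }
    (New-Object DateTime 1970, 1, 1, 0, 0, 0, ([DateTimeKind]::Utc)).AddSeconds($value)
}

$raw  = if ($Path) { Get-Content -Path $Path } else { $logCsv }
$rows = $raw | ConvertFrom-Csv |
    ForEach-Object { $_ | Add-Member -MemberType NoteProperty -Name Time -Value (Convert-SepLogTime $_.'Date and Time') -PassThru } |
    Sort-Object Time

# Pair each File System Auto-Protect Disabled with the next Enabled. The E-mail
# Auto-Protect toggles are logged as "Configuration Changed" and are left out.
$offAt = $null; $offBy = $null
foreach ($r in $rows) {
    switch -Wildcard ($r.Event) {
        '*Auto-Protect Disabled*' { $offAt = $r.Time; $offBy = $r.User }
        '*Auto-Protect Enabled*'  {
            if ($offAt) {
                $gap = ($r.Time - $offAt).TotalSeconds
                "Auto-Protect off {0:s} -> {1:s} ({2}s) by '{3}'" -f $offAt, $r.Time, $gap, $offBy
                $offAt = $null
            }
        }
        'Definition File Loaded'  { "Definitions loaded {0:s}: {1}" -f $r.Time, $r.Description }
    }
}
if ($offAt) {
    # The failure mode worth chasing: something turned Auto-Protect off and nothing turned it back on.
    Write-Warning ("Auto-Protect disabled at {0:s} by '{1}' with no matching Enable in the log" -f $offAt, $offBy)
}

# Decode the APEOff timestamps from the Configuration Changed rows.
$rows | Where-Object { $_.Description -like "*APEOff' from*" } | ForEach-Object {
    if ($_.Description -match "to '(\d+)'") {
        $v = [int64]$Matches[1]
        $t = ConvertFrom-ApeOff $v
        "APEOff set to $v" + $(if ($t) { ' = ' + $t.ToString('u') } else { ' (Auto-Protect re-enabled)' })
    }
}
```

On the pasted rows this reports one 3-second outage by `Administrator`, which matches smithm's manual disable/enable; a disable with a different user, or with no matching enable, is what would point at another process, and the "Definitions loaded" lines give the times to compare against when WSC started complaining.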

BMA wrote:

smithm, I see in your log that SEP was disabled at 12:14:58 and then enabled at 12:15:02. Was that from you disabling and enabling SEP from the system tray icon? Curious whether that was you, or whether some other user/process on the system is disabling SEP.

Also when this issue occurs, if you open the SEP UI, is there a red "Fix now" button at the top?

smithm@queensu.ca wrote:

The disable/enable SEP events were me. Sometimes that works to resync WSC and SEP, but not always. My current theory is that it works if WSC says SEP is off but not if WSC says SEP is out of date. I have suggested it to some users reporting the WSC problem and they told me it didn't work for them. Anyway, speculations aside, I did the disable/enable before I thought to grab the event details, and in this instance it cleared the complaint.

The only time I've seen the red Fix Now button is when SEP was truly pooched. In that case, LiveUpdate would not run successfully and Fix Now didn't help. I uninstalled SEP, uninstalled LiveUpdate, reinstalled SEP, and everything worked. However, that was a one-off problem. For the purposes of the WSC synchronization problem, no, I don't see the red Fix Now button.

Lastly, two users with the WSC problem reported in: one has XP, one has Vista, neither has files in quarantine.

BMA wrote:

SEP 11.0 MR4-MP2 has been released, which may resolve this issue.  For more information please see:

Obtaining an upgrade or update for Symantec Endpoint Protection 11.x or Symantec Network Access Control 11.x
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007121216494948?Open&docid=2007121216360648&nsf=ent-security.nsf&view=0

jrudbecka wrote:

Released where? It's not on the Platinum website.