
A bug of SEP RU1? (Download Insight)

Created: 08 Dec 2011 • Updated: 10 Dec 2011 | 34 comments
This issue has been solved. See solution.

Windows 7 U EN x64

version: 12.1.1000.157 RU1 (only)

Look at the following picture; my client always prompts me that:

①Download Insight is not functioning correctly due to an intrusion prevention component;

②Network Intrusion Protection is not functioning correctly. Your protection definitions may be damaged or your product installation may be corrupt.

But I have already uninstalled SEP and reinstalled it again, and the problem still occurs; in addition, this problem disappears when I disable SONAR and then enable it. However, I don't want to do this again and again every time I restart my computer.

So, could anyone please tell me how to solve this problem? Many thanks!


Paul Murgatroyd's picture

How long has it been left following installation?

Have you rebooted after install?

If you run LiveUpdate, can SEP fix itself (it should be able to)

Paul Murgatroyd
Principal Product Manager, Symantec Endpoint Protection
Endpoint twitter feed: http://twitter.com/symc_endpoint

sorataxx's picture

Of course I did!

It doesn't work by running LiveUpdate; only when I disable SONAR and then enable it does this problem disappear.

But I don't want to do this again and again when I start (or restart) my PC.

It's been several days of this, and it's pissing me off!!

Thanks for your reply all the same. :-)

Simpson Homer's picture

Is it a managed or unmanaged client?

sorataxx's picture

Thanks for replying.

It's an unmanaged client, and I just uninstalled it in Control Panel again a few minutes ago, finished doing some clean-up, then reinstalled it.

After I restart the computer, it still comes back!

How desperate I am now! :-(

Paul Murgatroyd's picture

What do you see in the client system logs?

Paul Murgatroyd
Principal Product Manager, Symantec Endpoint Protection
Endpoint twitter feed: http://twitter.com/symc_endpoint

sorataxx's picture

Look, it says that "Network Intrusion Prevention is not protecting machine because its driver was unloaded" while the fact is that I ran the setup as administrator, so how can it be that the driver was unloaded?

BTW, I am using x64 OS, patchguard???

Paul Murgatroyd's picture

Thanks, and lastly can you post your SONAR system log? You can get that from the client GUI: Proactive Threat Protection options, View Logs, System Log tab.

Paul Murgatroyd
Principal Product Manager, Symantec Endpoint Protection
Endpoint twitter feed: http://twitter.com/symc_endpoint

sorataxx's picture

Here is my SONAR system log, thanks :-)

The picture is too large, so please view it in a new tab. :-)

sorataxx's picture

 

Some information that may be useful (the third entry in the system log):
 
Symantec Endpoint Protection -- Engine version: 12.1.157
 
Windows Version info:
Operating System: Windows 7 (6.1.7601 Service Pack 1)
 
Network  info:
No.0  "Wireless Network Connection"  **-**-**-**-**-**  "Broadcom 802.11g Network Adapter" 192.168.1.101 
sorataxx's picture

When I choose to disable SONAR, and then enable it (Change Settings ---> Proactive Threat Protection ---> Configure Settings ---> SONAR ),

or to disable Network Intrusion Prevention, and then enable it (Change Settings ---> Network Threat Protection ---> Configure Settings ---> Intrusion Prevention ), my SEP comes to normal.

But when I restart my PC, I have to do that again and again.

Swapnil khare's picture

This being an unmanaged machine, have you also checked the Windows Firewall status? It should be disabled if NTP is installed.

In Device Manager, go to Non-Plug and Play Drivers, look for spbbc and srtsp, remove them, and then do a repair of this SEP client from Add/Remove Programs.

Reboot the machine and then check.

 

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

 

sorataxx's picture

Thank you for helping me!

Surely I disabled Windows Firewall when I installed SEP.

What's more, I find no spbbc or srtsp in Non-Plug and Play Drivers.

Here is the proof:

Paul Murgatroyd's picture

You are missing a lot of drivers there.

Do you have your sep_inst.log file? It should be in %TEMP%. There should also be a SIS_INST.LOG too.

You won't see SPBBC because that's old; you should see BHDrv towards the top of the list though, and there should definitely be more Symantec drivers listed.

I notice you have other devices in your device manager which aren't working properly though (Base System Device). Do you have all the correct drivers loaded onto your PC?

Paul Murgatroyd
Principal Product Manager, Symantec Endpoint Protection
Endpoint twitter feed: http://twitter.com/symc_endpoint

sorataxx's picture

Thanks for answering me so early, and you are really hard-working!

Then back to the topic:

Just now I uninstalled my SEP again, did the clean-up, and then reinstalled it again as administrator.

①As we all know, x64 OS is quite different from x86; security products can't hook the SSDT and shadow SSDT etc. in ring0, so is that the reason I don't have as many drivers as on an x86 OS?

②I do have SEP_INST.log in my %Temp%, while I really find no SIS_INST.LOG in the same folder.

I will copy the content of SEP_INST.log later.

③I have BHDrvx64 instead of BHDrv.

④I have other devices in my device manager which aren't working properly (Base System Device); this is related to my memory card, and I had already uninstalled it before I reinstalled SEP.

FYI. :-)

 

sorataxx's picture

I changed the extension from .log to .txt :-)

Attachment: SEP_INST.txt (2.75 MB)
Paul Murgatroyd's picture

OK, so that part of the install worked fine; it's the SIS piece we need (because that's what installs the drivers). It should be here:

C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Data\Install\Logs

I'm well aware of the differences between 32 and 64 bit, but you still don't have enough drivers present for SEP to work. Here is my x64 Win7 client:

Paul Murgatroyd
Principal Product Manager, Symantec Endpoint Protection
Endpoint twitter feed: http://twitter.com/symc_endpoint

sorataxx's picture

Sorry to bother you.

Here is the log.

And I checked again; I still don't find as many drivers as yours.

I have uninstalled and reinstalled my client for more than 5 times, and I am extremely anxious :-(

Attachment: SIS_INST.txt (5.21 MB)
Paul Murgatroyd's picture

OK thanks, do you have this folder on your system when SEP is installed?

C:\Windows\system32\Drivers\SEP\0C0103E8\009D.105\x64

SEP should be putting its drivers in there; it is creating services correctly, but the installer then seems to have a problem getting back to that folder.

Paul Murgatroyd
Principal Product Manager, Symantec Endpoint Protection
Endpoint twitter feed: http://twitter.com/symc_endpoint

Paul Murgatroyd's picture

Hmm, OK... what response do you get from these commands in a command prompt window?

sc query symiron

sc query symds

sc query bhdrvx64

sc query IDSVia64

Paul Murgatroyd
Principal Product Manager, Symantec Endpoint Protection
Endpoint twitter feed: http://twitter.com/symc_endpoint
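A PowerShell version of the checks Paul asks for, added here as an example and not code from the thread or from Symantec: it queries the four SEP driver services by name (the equivalent of the `sc query` commands above), resolves each one's ImagePath from the registry and checks that the binary actually exists on disk, and then looks for the SEP driver folder. The service names are the ones listed in the thread; the folder path is the one Paul quotes later for build 12.1.1000.157.105 and is an assumption for any other build. It requires Windows PowerShell 3 or later and an elevated prompt, and only reads.

```powershell
# Added example (not from the thread): check the SEP driver services Paul lists
# and whether their binaries exist. Run from an elevated PowerShell prompt.
# Service names come from the thread; $SepDriverFolder is the folder quoted in
# the thread for build 12.1.1000.157.105 and will differ on other builds.

$ServiceNames    = 'symiron', 'symds', 'bhdrvx64', 'IDSVia64'
$SepDriverFolder = 'C:\Windows\system32\Drivers\SEP\0C0103E8\009D.105\x64'

function Resolve-ImagePath {
    # Driver ImagePath values use kernel-style prefixes; turn them into Win32 paths.
    param([string]$Path)
    if (-not $Path) { return $null }
    $p = $Path.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                        # \??\C:\...      -> C:\...
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"   # \SystemRoot\... -> C:\Windows\...
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }  # relative form
    if ($p -match '^(.*?\.(sys|exe))') { $p = $Matches[1] }  # drop any service arguments
    return $p
}

function Get-SepDriverStatus {
    param([string]$Name)
    $result = [ordered]@{
        Name = $Name; Registered = $false; State = 'MISSING'; ImagePath = $null; BinaryExists = $false
    }

    # A missing Services key is what "sc query" reports as error 1060 (service does not exist)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path $key)) { return [pscustomobject]$result }
    $result.Registered = $true

    # Kernel and file-system drivers appear in Win32_SystemDriver, user-mode services in Win32_Service
    $svc = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$Name'" -ErrorAction SilentlyContinue
    if (-not $svc) { $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'" -ErrorAction SilentlyContinue }
    if ($svc) { $result.State = $svc.State }   # e.g. Running / Stopped

    $image = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).ImagePath
    $result.ImagePath    = Resolve-ImagePath $image
    $result.BinaryExists = [bool]($result.ImagePath -and (Test-Path -LiteralPath $result.ImagePath))
    return [pscustomobject]$result
}

$report = $ServiceNames | ForEach-Object { Get-SepDriverStatus -Name $_ }
$report | Format-Table -AutoSize

# The folder the installer should have populated with the x64 drivers
if (Test-Path -LiteralPath $SepDriverFolder) {
    Write-Output "Driver folder present: $SepDriverFolder"
    Get-ChildItem -LiteralPath $SepDriverFolder -Filter *.sys | Select-Object Name, Length, LastWriteTime
} else {
    Write-Output "Driver folder NOT found: $SepDriverFolder"
}

# Anything unregistered, not running, or pointing at a missing binary is the
# condition the "driver was unloaded" system-log message is describing.
Write-Output 'Problem entries:'
$report | Where-Object { -not $_.Registered -or $_.State -ne 'Running' -or -not $_.BinaryExists }
```

A service that is registered with an existing binary but is stopped is the interesting case here: it matches the thread's symptom of services being created correctly while the driver is not loaded, which is different from an install that never wrote the Services key at all.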

sorataxx's picture

I found something else in the log besides what you mentioned just now:

 

2011-12-09T13:01:49.508Z ERROR I SIS          LogServiceInfo: unable to access folder: "C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin64\
 
2011-12-09T13:43:20.350Z ERROR I SIS      Unable to send the opstate - Error: 0x80004005 = Unspecified error
 
2011-12-09T13:48:55.099Z ERROR S SIS      openKeyImpl() failed in thal::RegistryReadValue() - \Registry\Machine\Software\Symantec\Symantec Endpoint Protection\{6EB0F432-164B-45DF-BD3C-3D8D4E548719}\InstallTeefer does not exist
 
2011-12-09T13:48:55.177Z ERROR S SIS      CPostInstallTeeferCheck::Execute() - failed to read registry string: Software\Symantec\Symantec Endpoint Protection\{6EB0F432-164B-45DF-BD3C-3D8D4E548719}\InstallTeefer\RunCommand  ntStatus: 0xC0000034 = Object Name not found.  

 

I find I do not have this registry key:

 \Registry\Machine\Software\Symantec\Symantec Endpoint Protection\{6EB0F432-164B-45DF-BD3C-3D8D4E548719}\InstallTeefer

And Tamper Protection prevents me from creating a new key here, so what should I do next?

Paul Murgatroyd's picture

I had engineering take a quick look at your logs; the install seems fine, so something else must be breaking this somewhere.

Could you run the SEP Support Tool on this machine and save the results? You can get to the tool from the Help button on the client GUI; click through and then click "Save full data for support" on the toolbar at the top.

Paul Murgatroyd
Principal Product Manager, Symantec Endpoint Protection
Endpoint twitter feed: http://twitter.com/symc_endpoint

Paul Murgatroyd's picture

Thanks, lots of interesting info in there.

I note you have had several AV products on this machine; there may be remnants of those left that are causing us problems. I also note that when SEP has worked, it has detected threats. I would suggest you use the Symantec Endpoint Recovery Tool to boot into a clean environment and run a full scan of your machine with the latest definitions.

Paul Murgatroyd
Principal Product Manager, Symantec Endpoint Protection
Endpoint twitter feed: http://twitter.com/symc_endpoint

sorataxx's picture

Thanks for checking the report.

In fact, before I installed SEP, I had used other AV products for a time, and I had uninstalled them before I installed SEP.

In addition, I have deleted related files, folders, registry keys, drivers etc. as far as I can, so what are those leftovers?

Yet, you also note that when SEP has worked, it has detected threats. So I checked the logs; according to those logs and the prompts while I use SEP, there are only some applications trying to modify my hosts file like svchost.exe, some traffic related to IPv6, and some applications trying to tamper with SEP such as Process Lasso, which is an automated Windows process (program) management and optimization utility. :-)

sorataxx's picture

OK, now I will start a full scan; it may take several hours. :-)

Paul Murgatroyd's picture

I saw logs for Ramnit too; that's a virus.

I would advise a full scan outside of Windows, using the Symantec Endpoint Recovery Tool; you can download it from FileConnect.

Paul Murgatroyd
Principal Product Manager, Symantec Endpoint Protection
Endpoint twitter feed: http://twitter.com/symc_endpoint

sorataxx's picture

Thanks very much :-)

And now I have to tell you something about my hobbies, one of which is studying AV engines, unpacking, helping people find out whether a file is a virus or not, or helping people find out whether a website contains malicious code or not, etc.

Actually I am a so-called "hunter".

I did download a virus (Ramnit) several days ago, and I didn't close my SEP, so it logged the event; and in fact SEP had already had this problem before that.

PS: I never ran the Ramnit.

Here is the result of a full scan:

sorataxx's picture

Thank you very very much!!! I finally solved this problem based on your words!

I'm just wondering how you could be aware of the fact that I had installed other AV products, since I had already deleted everything related that I could think of.

It hit me that the following registry keys still existed:

HKLM\SYSTEM\ControlSet001\Enum\Root\Legacy_*

HKLM\SYSTEM\ControlSet002\Enum\Root\Legacy_*

HKLM\SYSTEM\CurrentControlSet\Enum\Root\Legacy_*

So I uninstalled my SEP, then deleted all those "Legacy" keys here, then restarted my PC and installed SEP again. God bless, all is right!!!!

Thank you Paul, God knows how grateful I am now; thank you for your hard work and your kind heart!

And the same to Swapnil :-)
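The leftover keys the poster found are worth inspecting before anything is deleted, so here is an added example (my own script, not the poster's or Symantec's) that enumerates the LEGACY_* entries under Enum\Root in each of the three control sets from the post, looks up the service each entry refers to, and flags the ones whose service no longer exists under Services (the orphans that an uninstalled product leaves behind). It only reads, and prints the reg export commands you would run to back up each orphan before removing it. Assumptions: each LEGACY_<name> key has a 0000 instance holding Service and DeviceDesc values (the layout Windows uses for these entries), and the prompt is elevated so Enum\Root is readable.

```powershell
# Added example (not from the thread): report LEGACY_* entries under
# HKLM\SYSTEM\<ControlSet>\Enum\Root and flag those whose service is gone.
# Read-only; run from an elevated PowerShell prompt.
# Assumption: each LEGACY_<name> key has a "0000" instance with "Service"
# and "DeviceDesc" values.

$ControlSets = 'ControlSet001', 'ControlSet002', 'CurrentControlSet'

function Get-LegacyDriverEntry {
    foreach ($cs in $ControlSets) {
        $root = "HKLM:\SYSTEM\$cs\Enum\Root"
        if (-not (Test-Path $root)) { continue }   # a control set may not exist on this machine

        Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
            Where-Object { $_.PSChildName -like 'LEGACY_*' } |
            ForEach-Object {
                $inst = Get-ItemProperty -Path (Join-Path $_.PSPath '0000') -ErrorAction SilentlyContinue
                # Fall back to the key name when the instance has no Service value
                $svc  = if ($inst -and $inst.Service) { $inst.Service } else { $_.PSChildName -replace '^LEGACY_', '' }
                $svcExists = Test-Path "HKLM:\SYSTEM\$cs\Services\$svc"

                [pscustomobject]@{
                    ControlSet    = $cs
                    Key           = $_.PSChildName
                    Service       = $svc
                    Description   = if ($inst) { $inst.DeviceDesc } else { $null }
                    ServiceExists = $svcExists
                    Orphan        = -not $svcExists     # key survived, service was removed
                }
            }
    }
}

$entries = @(Get-LegacyDriverEntry)
$entries | Sort-Object ControlSet, Key | Format-Table -AutoSize

$orphans = @($entries | Where-Object { $_.Orphan })
Write-Output ("{0} legacy entries found, {1} orphaned" -f $entries.Count, $orphans.Count)

# Back up before deleting: these are the commands to export each orphaned key.
# Entries from the current product (e.g. SEP's own drivers) are not orphans and stay.
foreach ($o in $orphans) {
    $regPath = "HKLM\SYSTEM\$($o.ControlSet)\Enum\Root\$($o.Key)"
    Write-Output "reg export `"$regPath`" `"$env:TEMP\$($o.ControlSet)_$($o.Key).reg`" /y"
}
```

Note that CurrentControlSet is a link to one of the numbered control sets, so its entries will duplicate one of them; the other numbered set is the "last known good" configuration, which is why the poster had to clean all three. Entries whose service still exists are in use by an installed product and are exactly the ones a clean-up should leave alone.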

Swapnil khare's picture

Paul is correct, that set of drivers should be listed.

If I am not wrong, on Windows 7 and 2008 the Windows kernel is enhanced and hence the filtering happens differently; eventually it is possible that not all drivers are getting loaded during install.

Could you do a manual removal of SEP from this machine and install again?

During install make sure you right-click on the exe and do Run as administrator.

 

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

 

sorataxx's picture

Thanks for replying.

Now I really do know the difference between our sets of drivers listed.

And I have already done a manual removal of SEP from this machine and installed again 5 times.

I am sure that I right-clicked on the .exe and ran as administrator, I promise.

Swapnil khare's picture

Before removing it, also please try this; I recollect there was a known issue initially.

 

  1. Go to Add/Remove Programs
  2. Select SEP
  3. Change > Modify > follow the wizard with a custom install
  4. Disable Download Insight and SONAR
  5. Also NTP along with it
  6. Continue setup
  7. Reboot the machine
  8. Follow the same process again once the reboot is done, however enable the features now
  9. Check by rebooting again; I think it should work as the drivers will get re-loaded by doing this.

 

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

 

sorataxx's picture

Thank you!

A few minutes ago I finished what you told me, but the problem still occurs after I reboot my computer.

I'm sorry. :-(