A bug of SEP RU1? (Download Insight)
Updated: 10 Dec 2011 | 34 comments
This issue has been solved.
Windows 7 U EN x64
version: 12.1.1000.157 RU1 (only)
Look at the following picture; my client always prompts me that:
①Download Insight is not functioning correctly due to an intrusion prevention component;
②Network Intrusion Protection is not functioning correctly. Your protection definitions may be damaged or your product installation may be corrupt.
But I have already uninstalled SEP and reinstalled it, and the problem still occurs. In addition, the problem disappears when I disable SONAR and then enable it again; however, I don't want to do this again and again every time I restart my computer.
So, could anyone please tell me how to solve this problem? Many thanks!
Comments
How long has it been left following installation?
Have you rebooted after install?
If you run LiveUpdate, can SEP fix itself? (It should be able to.)
Paul Murgatroyd
Principal Product Manager, Symantec Endpoint Protection
Endpoint twitter feed: http://twitter.com/symc_endpoint
Of course I did!
Running LiveUpdate doesn't work; only when I disable SONAR and then enable it again does this problem disappear.
But I don't want to do this again and again every time I start (or restart) my PC.
It's been pissing me off for several days now!!
Thanks for your reply all the same. :-)
Is it a managed or unmanaged client?
Thanks for replying.
It's an unmanaged client, and I uninstalled it in Control Panel again a few minutes ago, finished doing some clean-up, then reinstalled it.
After I restart the computer, it still comes back!
How desperate I am now! :-(
What do you see in the client system logs?
Paul Murgatroyd
Look, it says that "Network Intrusion Prevention is not protecting machine because its driver was unloaded" while the fact is that I ran the setup as administrator, so how can it be that the driver was unloaded?
BTW, I am using an x64 OS; PatchGuard???
Thanks, and lastly, can you post your SONAR system log? You can get that from the client GUI: Proactive Threat Protection options, View Logs, System Log tab.
Paul Murgatroyd
Here is my SONAR system log, thanks :-)
The picture is too large, so please view it in a new tab
some information may be
When I disable SONAR and then enable it again (Change Settings ---> Proactive Threat Protection ---> Configure Settings ---> SONAR),
or disable Network Intrusion Prevention and then enable it again (Change Settings ---> Network Threat Protection ---> Configure Settings ---> Intrusion Prevention), my SEP returns to normal.
But when I restart my PC, I have to do that all over again.
This being an unmanaged machine, have you also checked the Windows Firewall status? It should be disabled if NTP is installed.
In Device Manager, go to Non-Plug and Play Drivers, look for spbbc and srtsp, remove them, and then do a repair of this SEP client from Add/Remove Programs.
Reboot the machine and then check.
Swapnil
SOC Team .
Please don't forget to mark your thread solved with whatever answer helped you.
Thank you for helping me!
I certainly disabled the Windows Firewall when I installed SEP.
What's more, I find no spbbc or srtsp in Non-Plug and Play Drivers.
Here is the proof:
You are missing a lot of drivers there.
Do you have your sep_inst.log file? It should be in %TEMP%. There should also be a SIS_INST.LOG.
You won't see SPBBC because that's old; you should see BHDrv towards the top of the list though, and there should definitely be more Symantec drivers listed.
I notice you have other devices in your Device Manager which aren't working properly (Base System Device). Do you have all the correct drivers loaded onto your PC?
Paul Murgatroyd
Thanks for answering me so early, and you are really hard-working!
Then come back to the topic:
Just now I uninstalled my SEP again, did the clean-up, and then reinstalled it as administrator.
①As we all know, an x64 OS is quite different from x86: security products can't hook the SSDT and shadow SSDT etc. in ring 0, so is that the reason I don't have as many drivers as on an x86 OS?
②I do have SEP_INST.log in my %Temp%, but I really find no SIS_INST.LOG in the same folder.
I will copy the content of the SEP_INST.log later.
③I have BHDrvx64 instead of BHDrv.
④I have other devices in my Device Manager which aren't working properly (Base System Device); that is related to my memory card, and I had already uninstalled it before I reinstalled SEP.
FYI.
PFA.
I changed the extension from .log to .txt :-)
OK, so that part of the install worked fine; it's the SIS piece we need (because that's what installs the drivers). It should be here:
C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Data\Install\Logs
I'm well aware of the differences between 32- and 64-bit, but you still don't have enough drivers present for SEP to work. Here is my x64 Win7 client:
Paul Murgatroyd
Sorry to bother you.
Here is the log.
And I checked again; I still don't find as many drivers as you have.
I have uninstalled and reinstalled my client more than 5 times, and I am extremely anxious :-(
OK, thanks. Do you have this folder on your system when SEP is installed?
C:\Windows\system32\Drivers\SEP\0C0103E8\009D.105\x64
SEP should be putting its drivers in there; it is creating the services correctly, but the installer then seems to have a problem getting back to that folder..
Paul Murgatroyd
Yes, I have the folder as you say. :-)
Hmm, OK.. what response do you get from these commands in a command prompt window?
sc query symiron
sc query symds
sc query bhdrvx64
sc query IDSVia64
Paul Murgatroyd
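The check Paul asks for, expanded into a script. This is an added example and not code from the thread or from Symantec: it queries the same four driver services with WMI and with sc.exe, resolves each service's image path and reports whether the .sys file is actually on disk, and lists the driver package folder quoted earlier in the thread. The service names and the folder path are the ones posted above; the build-specific subfolders in that path are an assumption that will differ on other SEP versions. Get-WmiObject is used rather than Get-CimInstance so it also runs on the Windows PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example, not from the thread: report state, start type and on-disk
# presence of the SEP kernel driver services named in the post.
# Run from an elevated prompt.

$driverServices = 'symiron', 'symds', 'bhdrvx64', 'IDSVia64'
# Driver package folder quoted in the thread; the 0C0103E8\009D.105 part is
# build-specific and assumed, other SEP builds use different subfolders.
$sepDriverDir   = 'C:\Windows\system32\Drivers\SEP\0C0103E8\009D.105\x64'

function Resolve-DriverImagePath([string]$imagePath) {
    # ImagePath values come as "\??\C:\...", "C:\..." or "system32\drivers\x.sys"
    $p = $imagePath -replace '^\\\?\?\\', ''
    if ($p -match '^[A-Za-z]:\\') { return $p }
    return Join-Path $env:SystemRoot $p
}

foreach ($name in $driverServices) {
    $drv = Get-WmiObject Win32_SystemDriver -Filter "Name='$name'"
    if (-not $drv) {
        '{0,-10} NOT REGISTERED (no service entry at all)' -f $name
        continue
    }
    $image  = Resolve-DriverImagePath $drv.PathName
    $onDisk = Test-Path -LiteralPath $image
    '{0,-10} state={1,-8} start={2,-7} image={3} present={4}' -f `
        $name, $drv.State, $drv.StartMode, $image, $onDisk
}

# The raw sc.exe output the post asks for, for comparison with the lines above.
foreach ($name in $driverServices) { sc.exe query $name }

# The package folder should hold the .sys files the services point at; an
# empty or missing folder means the installer never copied them.
if (Test-Path -LiteralPath $sepDriverDir) {
    Get-ChildItem -LiteralPath $sepDriverDir -Filter *.sys |
        Select-Object Name, Length, LastWriteTime
} else {
    "Driver folder not found: $sepDriverDir"
}
```

A service that is registered with its image present on disk but in state Stopped with start type Boot or System is the case the thread is chasing: the service control manager knows the driver, the file exists, and it still is not loaded at boot. A missing image file or a "NOT REGISTERED" line points at the installer instead.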
Here is what I get:
I found something in the log apart from what you mentioned just now:
I find I do not have this registry key:
\Registry\Machine\Software\Symantec\Symantec Endpoint Protection\{6EB0F432-164B-45DF-BD3C-3D8D4E548719}\InstallTeefer
And Tamper Protection prevents me from creating a new key here, so what should I do next?
I had engineering take a quick look at your logs; the install seems fine, so something else must be breaking this somewhere.
Could you run the SEP Support Tool on this machine and save the results? You can get to the tool from the Help button on the Client GUI - click through and then click "Save full data for support" on the toolbar at the top.
Paul Murgatroyd
OK, I have uploaded it in the attachment.
Thanks, lots of interesting info in there.
I note you have had several AV products on this machine.. there may be remnants of those left that are causing us problems. I also note that when SEP has worked, it has detected threats. I would suggest you use the Symantec Endpoint Recovery Tool to boot into a clean environment and run a full scan of your machine with the latest definitions.
Paul Murgatroyd
Thanks for checking the report.
In fact, before I installed SEP I had used other AV products for a time, and I uninstalled them before I installed SEP.
In addition, I deleted the related files, folders, registry entries, drivers etc. as far as I could, so what are those leftovers?
Yet you also note that when SEP has worked, it has detected threats. So I checked the logs; according to those logs and the prompts while I use SEP, there are only some applications trying to modify my hosts file, like svchost.exe, some traffic related to IPv6, and some applications trying to tamper with SEP, such as Process Lasso, which is an automated Windows process (program) management and optimization utility.
OK, now I will start a full scan; it may take several hours. :-)
I saw logs for Ramnit too; that's a virus.
I would advise a full scan outside of Windows, using the Symantec Endpoint Recovery Tool, you can download it from FileConnect.
Paul Murgatroyd
Thanks very much :-)
And now I have to tell you something about my hobbies, one of which is studying AV engines, unpacking, helping people find out whether a file is a virus or not, or helping people find out whether a website contains malicious code or not, etc.
Actually I am a so-called "hunter".
I did download a virus (Ramnit) several days ago, and I didn't close my SEP, so it logged the event; and in fact SEP had already had this problem before that.
PS: I never ran the Ramnit.
Here is the result of a full scan:
Thank you very, very much!!! I finally solved this problem based on your words!
I'm just wondering how you could be aware of the fact that I had installed other AV products, since I had already deleted everything related that I could think of.
It hit me that the following registry keys still existed:
HKLM\SYSTEM\ControlSet001\Enum\Root\Legacy_*
HKLM\SYSTEM\ControlSet002\Enum\Root\Legacy_*
HKLM\SYSTEM\CurrentControlSet\Enum\Root\Legacy_*
So I uninstalled my SEP, deleted all those "Legacy" keys, then restarted my PC and installed SEP again. God bless, all is right!!!!
Thank you Paul, God knows how grateful I am now; thank you for your hard work and your kind heart!
And the same to Swapnil :-)
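The fix above, deleting every Legacy_* key under Enum\Root, is broader than it needs to be. As an added example that is not from the thread or from Symantec, this script walks the same keys in every ControlSet00N (CurrentControlSet is only a link to one of them, so it is skipped), strips the LEGACY_ prefix to get the service name, and flags entries whose service key under the same control set's Services branch no longer exists, which is what leftovers of an uninstalled AV driver look like. It only prints by default; the deletion loop runs with -WhatIf so nothing is removed until you take that switch off. Key paths, column names and the orphan rule are this example's own choices.

```powershell
# Added example, not from the thread: find LEGACY_* device entries whose
# backing service has been uninstalled. Run from an elevated prompt; keys
# with SYSTEM-only ACLs are skipped silently. Works on Windows PowerShell 2.0+.

$controlSets = Get-ChildItem HKLM:\SYSTEM |
    Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' } |
    ForEach-Object { $_.PSChildName }

$entries = foreach ($cs in $controlSets) {
    $enumRoot = "HKLM:\SYSTEM\$cs\Enum\Root"
    $services = "HKLM:\SYSTEM\$cs\Services"
    Get-ChildItem -LiteralPath $enumRoot -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like 'LEGACY_*' } |
        ForEach-Object {
            # LEGACY_<name> is the PnP manager's record of a non-PnP service
            # called <name>; if that service key is gone, the entry is stale.
            $svcName = $_.PSChildName.Substring('LEGACY_'.Length)
            New-Object PSObject -Property @{
                ControlSet = $cs
                Entry      = $_.PSChildName
                Service    = $svcName
                HasService = (Test-Path -LiteralPath (Join-Path $services $svcName))
                KeyPath    = "$enumRoot\$($_.PSChildName)"
            }
        }
}

$orphans = $entries | Where-Object { -not $_.HasService }
$orphans | Sort-Object ControlSet, Entry | Format-Table ControlSet, Entry, Service -AutoSize

# Dry run over the orphans only. Remove -WhatIf to delete them for real.
foreach ($o in $orphans) {
    Remove-Item -LiteralPath $o.KeyPath -Recurse -WhatIf
}
```

Two practical notes: many Enum\Root subkeys grant full control only to SYSTEM, so the real deletion often needs ownership taken first (regedit's Permissions dialog, or running the script as SYSTEM), and it should be done with SEP uninstalled, as the poster did, so Tamper Protection is not guarding its own keys. LEGACY_* entries for services that still exist are recreated when the service next starts, which is why wiping all of them worked out here; removing only the orphans is the same fix with less collateral.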
Paul is correct, that set of drivers should be listed.
If I am not wrong, on Windows 7 and 2008 the Windows kernel is enhanced and hence the filtering happens; eventually it is possible that not all drivers are getting loaded during install.
Could you do a manual removal of SEP from this machine and install again?
During install, make sure you right-click on the exe and do Run as administrator.
Swapnil
Thanks for replying.
Now I really do know the difference between our lists of drivers.
And I have already done a manual removal of SEP from this machine and installed again 5 times.
I am sure that I right-clicked on the .exe and ran as administrator, I promise.
Before removing it, also please try this; I recollect there was a known issue initially.
Swapnil
Thank you!
A few minutes ago I finished what you told me, but the problem still occurs after I reboot my computer.
I'm sorry.