Endpoint Protection Cloud - Definitions Update

Created: 05 Feb 2014 • Updated: 10 Feb 2014 | 15 comments
LukasM's picture
Hi! I can't find where I can configure WHEN to reboot the system when the new virus definitions are installed.
 
Right now, all the computers reboot when this process is finished.
 
Help!

.Brian's picture

If you don't get an answer for this, I would check the admin/getting started guides:

http://consolehelp.symanteccloud.com/symhelpConten...

http://consolehelp.symanteccloud.com/symhelpConten...

 

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

LukasM's picture

Nothing there... can't believe it...

Matt Cooke's picture

You might want to switch forums over to the cloud managed endpoint forum, the folks over there can most likely advise best.  Can't work out how to switch you over there automatically, sorry

https://www-secure.symantec.com/connect/security/f...

 

Rafeeq's picture

Hello Lukas,

Can you check the time when defs were loaded and when systems rebooted?

Open the SEP cloud on the client machine

click on view history

in SHOW, use the drop down to select LiveUpdate.

check that time with the system reboot time. 

The only time it would reboot is when patch is applied. If you apply the patch then reboot is needed.

 

LukasM's picture

hi Rafeeq, the time of the definitions and reboot are the same. That is why we suspect on the  of Endpoint Protection.

I will use the symhelp utility and see if there is any information that I can use.

.Brian's picture

You may want to ring up support.

I can't believe a reboot would be required to load new defs. Never seen this before in previous versions, this could be a disaster.

Shawn T.'s picture

Hello Lukas,

The following information was found in the New Alerts section of the hostedendpoint portal.

Wednesday, February 12, 2014 11:51:35 AM (High Importance News)

SEP SBE 2013 Security Agent Update

On February 18th, we will release the latest version of our security agent (ver. 20.4) for new deployments of your Symantec Endpoint Protection Small Business Edition 2013 cloud-managed service. The new agent updates the cloud agent with our latest threat protection technologies.

Existing deployments will be updated using LiveUpdate. If you are using a redistributable package, you will need to recreate a new package to deploy the 20.4 version to your endpoints.

For any questions, please contact the Customer Support Team: support.cloud@symantec.com

Sincerely,
The Symantec Customer Communications Team

It seems like this may relate to your issue, but I'm not sure how you would be getting the update before tomorrow. You may want to contact .cloud support at 1-866-807-6047. As long as you have active clients on your machines, you should be able to get a case created.

I also wanted to point out a setting in your .cloud policies. If you access the policies page and look at the policies under Global > System, you will see the system policies. If only the Default System Policy is present, you won't be able to make changes until you add a new policy. Once you are in a policy other than the default, look for the section marked "Live Update Schedule". This section allows you to configure the time of day that a software update may be performed, or to disable it. (This does not affect virus definitions and if this option is set to disabled, it will still automatically update after the software has been made available for a period of 30 days. Please plan accordingly.)

Best Regards,

Shawn

 

Edit: p.s. As Brian indicated, no virus definition updates should cause the system to restart. I would consider reviewing the Windows system event log to determine if the reboot was unexpected, indicating some sort of crash. Support can also assist with reviewing the cause of the reboot.

nacatomi's picture

I have had exactly the same thing start happening since installing.  Our machines will just randomly reboot with no indication to the user and no opportunity to save.  We are a programming house so this could become an issue.

Here is the event that is appearing on all the machines affected so far

The process wininit.exe (127.0.0.1) has initiated the restart of computer <PCNAME> on behalf of user NT AUTHORITY\SYSTEM for the following reason: Legacy API shutdown
 Reason Code: 0x80070000
 Shut-down Type: restart
 Comment: 
 
Is there a way to stop this?  Or at least give the user the option to save.
mholko's picture

Hello,

Our computers are also rebooting automatically once getting this new 20.4 update. I have narrowed the reboots down to SEP. In the Windows events log it shows The computer has initiated a reboot reason - Legacy API shutdown. When I check the SEP History logs I can see that at exactly the same time the SEP live update session has completed and downloaded the updates. 

This has occurred on multiple computers on our network and the same results are in the Windows and SEP logs. It is becoming very disruptive. Users have lost work due to computers rebooting automatically without a warning.

Is there a fix or workaround for this?

nacatomi's picture

I currently have a support case logged, after they told me where the log files live I can be pretty much certain it's SEP that's doing it as in the logfile created seconds before the restart there is the entry of :

 

2014-03-03-09-21-37-367 : 0x1570 : Information : force reboot

 

Hopefully now I've passed this information onto the tech guys they can work on getting a fix out to us.

 

 

Andrew.Stevens.SHG's picture

nacatomi, we've been having the same issues, started end of last week and every day this week we get more reports of it.

 

Seems to be immediately after users turn on their computer in the morning, 15 minutes later it reboots without any warning.

 

Some users then proceed to get this happen 3 or 4 times, although usually it's only once.

 

I've looked around for anything else that could be causing it, and the only thing we've noticed is this Symantec Update going out that prompts for a reboot, although I don't think it's THAT update, but possibly an update after it? Or maybe the update sets a force reboot flag so that from then on Virus Definition updates cause a reboot when previously they didn't.

Trying to find the log files and an entry, something like what you had nacatomi (2014-03-03-09-21-37-367 : 0x1570 : Information : force reboot) would be the smoking gun we can wave at Symantec.

 

Obviously our users are not happy, and the moment this happens to a Director, we will be in the proverbial.

nacatomi's picture

Andrew,

I can tell you where and what to look for.  I have passed this info over to the tech guys and they are looking for a fix apparently.

Anyway, to see if it's the same issue you need to check the Windows events in the system log.  Look for Event ID 1074 with the text something like 

"The process wininit.exe (127.0.0.1) has initiated the restart of computer PCNAME on behalf of user NT AUTHORITY\SYSTEM for the following reason: Legacy API shutdown
 Reason Code: 0x80070000
 Shutdown Type: restart
 Comment: "
 
Then go to C:\ProgramData\NortonInstaller\Logs and look for one at the same time (within a few seconds of the above event and it might be a 7zip file).  Open the file and open the logfile, if it's the same issue we are having you should see the line with
 
"2014-02-13-10-22-14-324 : 0x1E1C : Information : force reboot "
 
Hope this helps you
Andrew.Stevens.SHG's picture

nacatomi, thank you very much, that is most certainly helpful, looking for log files, checking the "symantec" folders and even just a search for files modified today I couldn't find anything that had reboot in it.

Completely slipped my mind to look for "Norton".

 

Yes, we certainly have lots of event id 1074, and exactly that text/description, which I've been Googling and checking forums, articles, and my notes from previous companies/issues, and going over every single startup process (since wininit.exe is the "Start Up Program"), and coming up with nothing, the only thing I've been able to say is "Well, there have been some Symantec Cloud updates recently... bit coincidental" to the management, which obviously isn't very impressive, but I have ruled out so many possibilities in the last week, our patching system, some rogue Windows Update Microsoft have decided to push out, any installations, or system wide program updates, power fluctuations, virus outbreak, etc. etc.

I've justed a laptop of a nearby user that rebooted this morning, and indeed he has a log file:

HotFix-2014-03-07-08h43m28s.log

with the line:

2014-03-07-08-43-29-389 : 0x14A4 : Information : force reboot

which is when he wrote down his laptop rebooted.

 

I'd be on the phone with them now, except we're in the UK and their phone lines aren't open yet!

Something we are not happy with when it's a global service, should have 24/7 telephone support.

 

I'm going to try to collate these log files from various computers, this particular user has had it every morning! That way I can see if it's one Hotfix that's struggling on some computers more so than others, or if it's a series of hotfixes. Don't think it's Virus Definitions updates at this point.
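
The check described in the two posts above (Event ID 1074 from wininit.exe with reason code 0x80070000, then a "force reboot" line in a NortonInstaller log within a few seconds), written as an added example that is not part of any post in this thread. The host names, the event tuple layout and the log lines other than "force reboot" are constructed, and both timestamps are assumed to be local time on the same machine; matching on the process name and reason code rather than the English reason text lets localized events match too.

```python
import re
from datetime import datetime, timedelta

# Installer log line format as quoted in the thread:
#   2014-03-07-08-43-29-389 : 0x14A4 : Information : force reboot
LOG_LINE = re.compile(
    r"^(\d{4}(?:-\d{2}){5}-\d{3}) : (0x[0-9A-Fa-f]+) : (\w+) : (.*?)\s*$")

def force_reboot_times(log_text):
    """Return the timestamp of every 'force reboot' entry in one log file."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip().strip('"'))
        if m and m.group(4).lower() == "force reboot":
            hits.append(datetime.strptime(m.group(1), "%Y-%m-%d-%H-%M-%S-%f"))
    return hits

def correlate(events, logs, window_s=10):
    """events: [(host, datetime, event_id, message)]  (assumed export layout)
    logs:   {host: concatenated installer log text}
    Returns {host: [(restart_time, matching_log_time or None)]}."""
    window = timedelta(seconds=window_s)
    result = {}
    for host, when, event_id, message in events:
        # Locale-independent match: process name and reason code only.
        if (event_id != 1074 or "wininit.exe" not in message
                or "0x80070000" not in message):
            continue
        near = [t for t in force_reboot_times(logs.get(host, ""))
                if abs(t - when) <= window]
        match = min(near, key=lambda t: abs(t - when)) if near else None
        result.setdefault(host, []).append((when, match))
    return result

# Constructed sample data (only the 'force reboot' line is from the thread).
SAMPLE_LOGS = {
    "PC-A": "2014-03-07-08-43-28-101 : 0x14A4 : Information : applying hotfix\n"
            "2014-03-07-08-43-29-389 : 0x14A4 : Information : force reboot\n",
    "PC-B": "2014-03-07-09-10-00-000 : 0x0A10 : Information : nothing to do\n",
}
SAMPLE_EVENTS = [
    ("PC-A", datetime(2014, 3, 7, 8, 43, 31), 1074,
     "The process wininit.exe (127.0.0.1) has initiated the restart ... "
     "Legacy API shutdown Reason Code: 0x80070000"),
    ("PC-B", datetime(2014, 3, 7, 11, 2, 5), 1074,
     "Prosessen wininit.exe (127.0.0.1) har startet omstart ... "
     "Årsakskode: 0x80070000"),
    ("PC-B", datetime(2014, 3, 7, 9, 0, 0), 6005,
     "The Event log service was started."),
]
```

A restart paired with `None` has no installer entry inside the window and needs a different explanation.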
 

Digiflow's picture

Hi.
We're currently exploring the exact same symptoms at one of our customers.
We have many SMB customers, this is the only one that we've pushed the setup out to all clients with GPO, and it's just those in that location who have the problem. It started last Tuesday. And now at least once a week in the morning about 20 minutes after they start working, the computer restarts/shuts down.

Is there any fix for this? Or is our only option to uninstall Endpoint, until this issue is fixed?

Eventlog in Norwegian:

Prosessen wininit.exe (127.0.0.1) har startet omstart for datamaskinen XXXXXXXXX på vegne av brukeren NT-MYNDIGHET\SYSTEM av følgende årsak: Eldre API-avslutning
 Årsakskode: 0x80070000
 Avslutningstype: omstart
 Kommentar: 

And it's the Symantec application that initiates the shutdown.

PIMIT's picture

We have also experienced computers rebooting after an update; this happened twice to the same user -  (thanks nacatomi for posting the info).

We have logged a support ticket to find out if there is a fix.

Just purchased this software - not very happy!

 

UPDATE - Have now been advised by Support that they are working on a fix. In the meantime they are suggesting that for any affected machine to run the LiveUpdate by clicking on updating the Update Definitions link at the right side of Endpoint Protection screen. May need to do this up to 12 times to get all patches applied. Not sure if this works though.