Endpoint protection errors and warning in windows server 2008
I have a number of warnings and errors in the application and system event viewer. All seems to be related to Endpoint protection.
Event ID 1000
Faulting application ProtectionUtilSurrogate.exe, version 11.0.3001.2198, time stamp 0x48c9b939, faulting module ccL60U8.dll, version 106.3.7.9, time stamp 0x48a4a6be, exception code 0x40000015, fault offset 0x000420e8, process id 0x8c8, application start time 0x01ca506d0d53c8be
Event ID 1530
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.
DETAIL -
2 user registry handles leaked from \Registry\User\S-1-5-21-1447001783-2274183133-4180765549-1228:
Process 2492 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe) has opened key \REGISTRY\USER\S-1-5-21-1447001783-2274183133-4180765549-1228\Software\Symantec\Symantec Endpoint Protection\AV\Custom Tasks
Process 832 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1447001783-2274183133-4180765549-1228\Printers\DevModePerUser
Event 10010
The server {EE68EAFC-BF28-4017-8A92-D17DACF0B459} did not register with DCOM within the required timeout.
Event 10000
Unable to start a DCOM Server: {EE68EAFC-BF28-4017-8A92-D17DACF0B459}. The error:
"5"
Happened while starting this command:
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe {EE68EAFC-BF28-4017-8A92-D17DACF0B459} -Embedding
Can not tell if the following is related
Event ID 6037
The program svchost.exe, with the assigned process ID 2504, could not authenticate locally by using the target name HOST/.. The target name used is not valid. A target name should refer to one of the local computer names, for example, the DNS host name
Check the dcom permissions
Check the dcom permissions once.
You can refer below doc
http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/3f862957b21b671588256c620077a200?OpenDocument
The document you referenced
The document you referenced is not for Windows Server 2008. There are differences in Windows Server 2008 like the access is local and remote. My guess the correct settings for system are local access. However using the reference the best I can I do not see any settings that needed to be changed.
You can try by upgrading the
You can try by upgrading the
client to RU5 also. It is the latest version and the only version which Symantec
is officially supporting with windows 2008.....
SEP & Windows 2008
The latest version of endpoint RU-5 has better compatibility with Windows 2008. I would suggest you to upgrade to the latest version and if the issue still persists please let us know.
Thanks & Regards
Sandip C Sali
After uninstall of 11.0.3 and
After uninstall of 11.0.3 and install of 11.0.5, Event ID 1530 check in as usual
Process 836 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1447001783-2274183133-4180765549-1228\Printers\DevModePerUser
I am not familiar with the
I am not familiar with the termology of RU-5.
I will uninstall 11.0.3 and install 11.0.5 and see what errors/warning I get.
Restart the server once and
Restart the server once and see any errors are present..
Also tell us the role of this server....
Server was restarted, The
Server was restarted, The Event ID 1530s continues:
today 10:16AM
This is a stand alone server. Roles included Printer services, DHCP, DNS, FTP
Refer the following docs and
Refer the following docs and assure you had done all
settings correctly
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007101210172548
http://support.microsoft.com/kb/822158
http://technet.microsoft.com/en-us/library/cc816917(WS.10).aspx
In regard to the first link,
In regard to the first link, there is no evidence of DHCP problem so I ignore this link
for now.
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007101210172548
The last two links are regarding the same subject. The last link states: Any antivirus
vendor should provide specific instructions to correctly configure their product to work
with domain controllers that are running versions of Windows Server and that have Active
Directory Domain Services (AD DS) installed. Does someone know if Symantec has such a
document?
Since both link 2 and 3 refer to the same subject and it is difficult to compare the
documentation, I will just select the second link since it is dated later.
The next problem is that link 2 is just general information and there is no specifics on
how to exclude files/folders from scaning.
The Endpoint Protection documents seem to be located at
http://www.symantec.com/business/support/documentation.jsp?language=english&view=manuals&pid=54619
Still the problem is locating which of the many documents and which of many pages shows
how to exclude the files mentioned in the second link. I do see the Administrator manual
is 625 pages.
In my 2nd link it is
In my 2nd link it is telling about the scanning exceptions for certain files and directories. You can exclude those… Many of those SEP will exclude automatically .First you confirm is it happens. If no do it manually.
For creating exception refer the link below
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008030423280248?OpenDocument&ExpandSection=1
To verify refer the link below
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008090512574448?Open&seg=ent
On second thought I question
On second thought I question the direction this thread is taking. Here is the 1:16PM event ID 1530
Note the Printers. This appears to be a problem between printers and Endpoint Protection.
The event was recorded at 1:16:22 PM. Looking at the DCHP leases, none of the more than 20 leases today occurred during the time of Event ID 1530.
If the problem is scanning files that should not be scanned then the problem should be during scaning and the scan was not occuring during the Event ID 1530s. This doesn't mean that the file/folder exclusion (once I figure how to do that) should not be done as that may prevent other problems.
Refer the following
Refer the following
discussions
https://www-secure.symantec.com/connect/forums/endpoint-protection-client-causes-problems-printers-connected-intel-netports
https://www-secure.symantec.com/connect/forums/problems-network-printing-2003-server-terminal-services-sep-1104
Any way you consider also the
exclusions in earlier links also. At least it will avid future problems.
I didn't see anything in the
I didn't see anything in the links that I thought would help. The links were for different type of problems.
Would you like to reply?
Login or Register to post your comment.