Endpoint Protection

Faulting application name: ccSvcHst.exe, version: 12.11.3.11, time stamp: 0x53713b15
Faulting module name: ntdll.dll, version: 6.1.7601.17725, time stamp: 0x4ec49b8f
Exception code: 0xc0000005
Fault offset: 0x0002e3be
Faulting process id: 0x31a0
Faulting application start time: 0x01d0235d6483e9c9
Faulting application path: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Bin\ccSvcHst.exe
Faulting module path: C:\WINDOWS\SysWOW64\ntdll.dll
Report Id: 0b5ffbbb-8f6b-11e4-96e8-2c768a524dd0

 

SMC Service stops randomly... OS server 2008 R2

SEP Version 12.1 Ru5

NOTE: Recently upgraded.

Did you try a repair or running symhelp to diagnose?

May also need to enable advanced debugging via symhelp and submit to support, being that you're on the latest version.

Just start?

This was an issue in older versions if the client was a GUP, was this the case?

May want to try remove fully and re-instal...

No, not a GUP.. Just a ordinary client.

Have you try to retstart SEP client ?

Try to repair add/remove program.

 

How long was this going on? Maybe just a one time issue. Were new defs loaded at same time error came up? Reboot and see what happens again.

Yes, SMC stops automatically. When started, works for a time and then shuts down. Rebooted the server also once.

By any chance, is this related to SEP?

The description for Event ID 0 from source gupdate cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event: 

Service stopped

Rebooted the server once, Still the issue persists. This issue is seen since the upgrade, which was 3 weeks ago... 

Then it's easily reproducible so you can enable logging

Without logs, tough to say

is this machine a GUP? ealier SMC used to stop on GUP machines and it was fixed in 12.1.5..

no, not a GUP. I'm aware of that fix as well.

You mean the sylink log, correct? or the Debug log?

There is advanced logging you can enable via symhelp and reproduce the issue to see what's going on. Support will probably need to be engaged. Basically, I'd try a reinstall first if you can to see if that solves it.

Here is the link to enabling advanced debugging via symhelp:

How to use the advanced debug logging options for the Symantec Endpoint Protection client in SymHelp

Lumia, Can you please share me the fix?  Even I have the same issue with my servers as well.

I have re installed SEP, still having the same issue.

Did you use cleanwipe?

Since you're on the latest version, have you contacted support?

No I did not use cleanwipe. There are other Symantec Products, So I dont want that to be disturbed.

Collecting sylink log will be any help?

Cleanwip has options to allow removal of specific products on a system when there arem ore than one.

No, but debug logs may give a better indiciation

Yes Brian, I know that it can remove specifc producs... Im collecting Debug log now.

I tried latest cleanwipe in our server where we had Symantec DLP, CCS, CSP and SEP.  Still no go.
 

Checked debug log... Did not HELP!

I think it's known isse with SEP 12.1 RU5 client upgrade.

Could you check the following thread, are you affected by same issue?

 https://www-secure.symantec.com/connect/forums/ccsvchst-dmp-files-filling-our-server

 

Try to use this KB to exclude the application you use. It solve sush problem

http://www.symantec.com/business/support/index?page=content&id=HOWTO95454

This issue has been resolved.

On Monday, February 9, 2015, Symantec released SONAR Heuristics Engine content revision 02/03/2015 r13. The update contains the 9.1.1.4 version of the SONAR engine which will prevent the crash attributed to the previous engine update released January 19, 2015 and dated January 6, 2015.

To resolve the crash, ensure your clients are running the latest SONAR Heuristics Engine content. If your computers still experience the crash after updating to the latest SONAR engine content, disable client submissions to Symantec Security Response for 14 days to allow the queued submissions to clear.

For more information on disabling client submissions to Symantec Security Response, see http://symantec.com/docs/HOWTO81000.

If you are still experiencing this problem after migrating to a SONAR engine revision of 02/03/2015 r13 or higher, create a support case and provide the following information:

A SymHelp report with Windows Preprocessor (WPP) gathered while the problem happens.
An application dump from the ccSvcHst.exe crash.
Note: If you previously disabled submissions to Security response to work around this problem, submissions can be re-enabled after SONAR updating SONAR definitions as long as it has been more than 14 days since they were first disabled. 

Reference: http://www.symantec.com/docs/TECH227716

Is there any update?

OR

If issue has been resolved could you mark this thread as a solved with the best answer that helps you :)

Hi Chetan,

No. The issue is still there with the client. I have contacted support for assistance. 

Hello ,

we continu to have such problem on our computers.

did you have some trouble with windows XP on shutdown or logoff ? we encountered randomly a complete Freeze of the workstation on "saving your settings" message

or some other windows service hang: symantec framework or windows services, after the computer reboot

does anybody have this behavior with the last sep client 12.1 ru5?

 

Thanks

YR

hello

concerning the desactivation of SONNAR , it doesn't work we always have framework error randomly with the last RU5

Lumia@720 -    Did you get anywhere with this? We contacted support and it was an awful waste of time. Got no where in 7 days even with escalations. We have the same error and it only happens on our Win8.1 OSs, surprisingly not on any Server 2012 R2 OSs. On average it happens once a day, with no pattern as to when it happens. The SONAR engine is 9.2.1.8

 

Faulting application name: ccSvcHst.exe, version: 12.11.3.11, time stamp: 0x53713b15
Faulting module name: ntdll.dll, version: 6.3.9600.17736, time stamp: 0x550f42c2
Exception code: 0xc0000374
Fault offset: 0x000e5624
Faulting process id: 0x9e0
Faulting application start time: 0x01d0916a1bb00deb
Faulting application path: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Bin\ccSvcHst.exe
Faulting module path: C:\WINDOWS\SYSTEM32\ntdll.dll
Report Id: bf688566-fe35-11e4-bec4-180373408946
Faulting package full name: 
Faulting package-relative application ID: 

Hi,

SEP 12.1 RU6 is now released & it has a following fixes related to ccSvcHst.ex crash.

ccSvcHst.exe crashes and fills up the hard drive with large dump files

Fix ID: 3673616

Symptom: The Common Client Crash Handler fills the client hard drive with large memory dump files generated by the frequent crashing of ccSvcHst.exe.

Solution: Disable the Common Client trace crash handler settings once the Symantec Endpoint Protection installer exits.

After a GUP upgrades to 12.1 RU5, ccSvcHst.exe crashes and creates multiple dump files

Fix ID: 3692462

Symptom: The process ccSvcHst.exe crashes and creates multiple dump files after upgrading the Group Update Provider to 12.1 RU5.

Solution: Updated the code to handle string buffer resize exceptions to avoid process crash.

Referene: New fixes in Symantec Endpoint Protection 12.1.6

http://www.symantec.com/docs/TECH230558

I would recommend to upgrade SEP 12.1 RU6 and check the performance.

Chetan, unfortunately 12.1 RU6 hasn't solved our problem. We still get the below error multiple times a day with the SEP client crashing. I opened a case with support and the logs apparently don't help at all. They're saying it's an environmental issue so now I have to spend weeks (already 3 weeks in) doing trial & error work on what software or GPO is causing this. Unfortunately we have an extensive GPO list and this probably won't be possible. We may have to move to a different vendor as we can't patch above 12.1 RU4 without running into this issue. We won't be able to pass our security audit with unpatched anti-virus software. 

We never see this issue with 12.1 RU4, so something new in RU5 and RU6 must be causing this. 

 

Faulting application name: ccSvcHst.exe, version: 12.12.0.15, time stamp: 0x550cbac0
Faulting module name: ntdll.dll, version: 6.3.9600.17736, time stamp: 0x550f42c2
Exception code: 0xc0000374
Fault offset: 0x000e5624
Faulting process id: 0xa24
Faulting application start time: 0x01d0acfd886e350b
Faulting application path: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.6168.6000.105\Bin\ccSvcHst.exe
Faulting module path: C:\WINDOWS\SYSTEM32\ntdll.dll
Report Id: 666fda58-18ff-11e5-beca-180373408946
Faulting package full name: 
Faulting package-relative application ID: 

Same here. I have also installed RU6 in that server. It did work for 3 days then it started to crash.

Sorry for the delay response, could you share the Symhelp & Process dump logs.

About Symantec Help (SymHelp)

http://www.symantec.com/docs/TECH170735

 

Sorry for the delay response, could you share the Symhelp & Process dump logs.

About Symantec Help (SymHelp)

http://www.symantec.com/docs/TECH170735

Since you're an employee, are you able to just look at my existing case? I've uploaded multiple debug files and SymHelp files. Case# 08929681

I'm continuing to test internal GPOs but it'll be a long time till I'm finished considering we have around 40 GPOs (the same GPOs prior to RU5 when the crashing started) and the client crashing is happens at random times. Sometimes going 24-48 hours without an SEP crash. It's impossible to reverse GPOs so I have build new test VMs and go slowly. On top of that, I don't even know if it's a GPO causing it. 

This still has not resolved for me. We are still submitting dumps & files.