Hi, I have a number of machines showing that the file system auto-protect is malfunctioning, I've spent a few days going through that the problem could be and I've hit a brick wall.

The only difference betweeen a working and unworking machine is the Eraser engine showing as "Eraser:  0.0" on the malfunctioning ones.

They're 2008 R2 machines, SEP EE 11.0.x,  RU7 MP4  11.0.7400.1398

I've tried almost everything I can find on the forums etc, but nothing seems to make it work, if I switch them over to another management server running  11.0.7000.975 they're fine.

Help!!!

Hi,

Thank you for posting in Symantec community.

If switched to another SEPM they work fine, did you repair the SEPM where they are suppose to be listed?

Can reapir the SEPM through add/remove programs.

The other SEPM was a different version, I've tried repairs and almost everything else I can find.

As stated, the only difference betweeen a working and unworking machine is the Eraser engine showing as "Eraser:  0.0" on the malfunctioning ones.

Did this just start, had any changes been made recently?

See this articles

File System Auto-Protect is malfunctioning

http://www.symantec.com/business/support/index?page=content&id=TECH102962

I've worked through that James, and the only change is removing McAfee and installing Endpoint. There's only a few machines showing this behaviour.

Were there any remanants of mcafee left behind?

What happens after you run a repair on the sep client?

Thanks _Brian, I can only find a few random registry entries, nothing else, nothing "meaty".

When I run a repair it simply completes, the sheild vanishes mid repair and returns the same, with the exclamation mark

Hi James, I've actually done this too, to no avail.

If I move it to the other management server it's fine, on the older version, movie it to this one and it's just not happy, my issue is that they have to be moved onto our management server.

Try to uninstall sep client and reinstall again.You can remove all sep related entry for registry,or use cleanwipe tool.

http://www.symantec.com/business/support/index?page=content&id=tech184988

Delete those mcafee entries if you can

Run the symhelp tool on the affected to see what comes up

Troubleshooting computer issues with the Symantec Help support tool

http://www.symantec.com/docs/HOWTO80839

You can turn on some client debugging as well

Let's see if vpdebugging shows anything

How to enable "Vpdebug Logging" on Symantec Endpoint Protection 11.0, 12.1, and 12.1 RU1

http://www.symantec.com/docs/TECH102939

Try to this remove old virus defination

How to clear out corrupted definitions for a Symantec Endpoint Protection client manually

The problem seems more along the lines of communication between client/SEPM

enable sylink debugging as well

How to enable Sylink debugging for the Symantec Endpoint Protection 11.x and 12.1 client in the Windows Registry

http://www.symantec.com/docs/TECH104758

Thanks for that _Brian, hurrah i've found some differences, I ran it on a working & a non working machine.

I get, "The following drivers and services need attention"

NAVENG, NAVEX15, SRTSP, SRTSPX & SymEvent

And that my NTP definitions are Corrupt.

Looks like I have my work cut out for me picking through this lot!

It's been repaired, cleaned, reinstalled etc, hrmmm

What happens when you deploy a client install from the working SEPM?

Most of them work, there are only one or two that end up in this state.

Hi,

Try the following steps:

How to clear corrupt Virus Definitions from SEPM, Apply the following steps on SEP 11 RU7 MP4 SEPM

https://www-secure.symantec.com/connect/articles/how-clear-corrupt-virus-definitions-sepm

Hi, they can't be corrupt as they deploy to most other machines fine?

I would wait before blowing away SEPM defs. I would check the client debugging first.

Hi _Brian the Sylink log is doing its thing :

I get the following for 11 monikers

EVENT_LU_REQUIRE_STATUS returned ERROR_SYSTEM_UNKNOWN

Not a big deal to give a try if SEPM is having good bandwidth connectivity to the internet.

Hi

Have you tried repairing

Regards