Endpoint Protection

Hello,

I was wondering if there is a way to find out why the process ccSvcHst.exe jamms when i do a "smc -stop" on a SEP client.

I have disabled the Tamper Protection before running smc -stop, because of what i read around many articles, stating that is good to have it disabled, becuase if would not interfere with anyone who tries to tamper SEP, so i did this.

But my main concern is that at this moment i have 2 production servers who have their SEP clients almost "broken", because durring the "smc -stop" process, the ccSvcHst.exe just frozen on STOPPING status :|

Of course the SEP client will work again when i will receive the GO from my customer that i can reboot the servers.

But considering the fact that they are Production servers, you just can't have them rebooted whenever you want :|

And seeing this situation i am in at the moment and have been in the pas, i became "paranoia" in using the "smc -stop" function to stop a SEP :)

Everytime i use it, it gives me the creeps, because i have the Tsk Mngr opened, i watch the processes :)

I have the Services.msc opened, i watch the services beeing stopped, refreshing to see on what state is the service (stopping, stopped)

But until i see the services stopped, i am like "please work... please work... please work..." :)

I would very much appreciate the effort from everyone ;)

Thanks a lot ;)

Is it throwing an error message?

What is the exact version of SEP?

Its necessary to know the exacrly SEP client version 12.1.x

Hi,

In case it's not the latest version should upgrade to the latest version of SEP, SEP 12.1 RU5 is the latest version.

Few issues have been reported in the previous releases of SEP 12.1

Hi,

We have the same problem on clients installed on 2012r2 servers.

When running "smc -stop", the service "SepMasterService" is stop pending and we have to reboot to be able to restart it.

During the smc -stop command, we see the process ccSvcHst.exe is never ending.

We have tried to disable Tamper proctection and set the UAC to the minimal but we still have the problem...

Note : The version is 12.1.5337.5000

@Brian,
no error message, just that i can see the service it's on Stopping state :)
In the attached screenshot can be seen the service state since the problem appeared.
SEP version : 12.1.4112.4156

@Chetan,
Indeed is not the latest version.
If i can obtain from customer a downtime of 1 hour this weekend i will upgrade to RU5.

@5624-av,
Curious, the server that i currently have problems with is also a 2012 R2 :)
And if you say you already have 12.1.5337.5000 (RU5), i guess that even if i upgrade to RU5 i can have the same issues in the future like you have at this moment.

Overall information/update to the case :
One of the servers is ok now :)
It seems that the customer has rebooted the server and the SEP is now up-and-running, so it helped my problem, but it's not a solution the reboot.
In a productive server/environment is much to difficult to reboot whenever a problem like this happens.
And considering the fact that usually a troubleshoot can be done for a malfunctioning component, an update problem,etc... every time when it arrives to the "smc -stop" part, to tell you the truth, i'm scared of what could might happen after :)

The other problematical server is still on pending feedback from customer, i did not receive any info about a possible downtime.

Next time the problems occurs you can enable adavnced debugging within symhelp. You will probably want to open a case though:

How to use the advanced debug logging options for the Symantec Endpoint Protection client in SymHelp

http://www.symantec.com/docs/TECH207795

How to debug the Symantec Endpoint Protection client

http://www.symantec.com/docs/TECH102412

Makes sense, but that would mean that i have to enable advanced debugging within symhelp every time i try to troubleshoot a SEP client, because i don't have where to know if the SEP will crash or not.

But what you said is logical, is somehow like, better safe then sorry :)

Hi,

@Brian : is it a joke ?

I know today is april fool's day !!!

When I try to use SymHelp, the last screen said "Some system changes must be made to enable debug logging" and it try to execute smc -stop and smc -start....

This thread explains that our problem is "smc -stop" never finish !!!!

So, using SymHelp will crash my client...

This is not a joke.

My next suggestion would be run a repair via add/remove programs or even try a reinstall of the client.

I have another SEP client that got jammed after "smc -stop" :(

I wanted to troubleshoot this client that wasn't getting updates, and started to follow steps from this link :
http://www.symantec.com/business/support/index?page=content&id=HOWTO59193

When i arrived at the part where it says to "smc -stop" from run, the SEP GUI dissapeared from bottom right but the process is stuck and the service is on Stopping state :(
You can see better from the screenshot i attached.

Also the "smc -start" doesn't work now, i can't even get up the SEP client, as he is jammed somehow :(

Trust me when i say i am terrified by the thought that i have to troubleshoot a SEP client and i have to stop the services :(

Hi all,

we have same problem on Windows server 2003 R2 Standard x64 Edition with SP2.

When we have to stop Symantec Endpoint Protection, then Symantec Endpoint Protection stays in stopping state...

We have SEP 12.1. RU5

This installation is clean, because before installing SEP client we cleaned OS with cleanwipe.

This problem won't be resolved by reinstalling client...

It's some solution?

The 2 servers i jammed trying to troubleshoot SEP, are ok now, because i found out they were having problems described in this thread :
https://www-secure.symantec.com/connect/forums/network-shares-stop-responding-randomly-windows-server-2008-r2
What i did was :

1. Reboot Server
*I always reboot a server in cases like this, because i wan't a server to be fresh, not having an big uptime.

2. Uninstall problematical SEP version : 12.1.4112.4156
*This will be done from Add/Remove Programs

3. Reboot Server
*Open CMD with admin rights, reboot from there

4. Run cleanwipe
5. Reboot server when Cleanwipe requires
*Open CMD with admin rights, reboot from there

6. Install version 12.1.4013.4013
*Run the package as admin

7. Reboot Server after SEP install
*Open CMD with admin rights, reboot from there

In the past 3 years since i am working with this AV solution, i encountered many cases when smc just jamms after a attempt of "smc -stop" end every time i had to request service window in order to troubleshoot the SEP client.

So i don't think there's an actual workaround in order to bypass this process jamm.

Only thing what it can be done, request service window, this will make customer ask what is going on, we have to explain why we request this window and this is how the story goes on and on.

In the end we have to deal with this solution because this is what we have at the moment and with this solution our company approaches future customers :(

I am also working with other AV solution for servers, Trend Micro and i don't have these problems in that environment.

But then again, this is another story :)

My advice, ALWAYS untick/disable Tamper Protection before using the smc -stop command.

Because if it does go bad (which is pretty frequent if SEP is playing up, hence why you'd use it in the first place) you're stuffed, and have no choice but to reboot....which in our line of work is rarely an option with a tonne of paperwork, CRs, and approvals.

With Tamper disabled, Task Manager/Process Explorer etc allows you to kill it, as a worse case scenario. With Tamper on, no can do as its in play at the driver level.

This, as well as the issue where SEP retains more VirusDefs than it should (due to locking its own files), are some of our biggest ongoing frustrations with SEP.

Hi,

SEP 12.1 RU6 is now released and there are following smc related fix available.

SMC service does not start due to serdef.dat corruption

Fix ID: 3711180

Symptom: SMC service cannot start because the server profile file (serdef.dat) is corrupted.

Solution: Added a fallback mechanism to load the server profile from a backup profile file. When SMC is re-started it will load the correct server profile.

smc -stop does not stop the SEP services if the client requires a password

Fix ID: 3592784

Symptom: If you configure the Symantec Endpoint Protection notification area icon to be hidden and then try to stop the password-protected client services with the command smc -stop, the services do not stop. Because the notification area icon is hidden, you are not prompted to enter a password.

Referene: New fixes in Symantec Endpoint Protection 12.1.6

http://www.symantec.com/docs/TECH230558

Symantec Endpoint Protection 12.1.6 Release Notes

http://www.symantec.com/docs/DOC8626

New fixes in Symantec Endpoint Protection 12.1.6

http://www.symantec.com/docs/TECH230558

Can test with SEP 12.1 RU6 client.

12.1.6 has just been released:

Symantec Endpoint Protection 12.1.6 Release Notes

http://www.symantec.com/docs/DOC8626

New fixes in Symantec Endpoint Protection 12.1.6

http://www.symantec.com/docs/TECH230558

Hi,

We have upgrade to 12.1.6 and still have the problem.

On a specific server (windows 2012r2), :

- smc -stop hang and never ending

- the process ccSvcHst.exe still running (and cannot be killed)

- the symantec Endpoint Protection service is in status "stopping".

The only solution is to reboot (not acceptable in production !!!).

On this server the definitions are corrupted every days due to an unknown cause.

Some help will be appreciated

I have the same issue on both 12.1.5 and 12.1.6

SMC -p xxxx stop...doesn't always works and SMPC -p xxxx start never works.

Then policy updates or other updates run ccsvchst.exe to 50 to 100 percent cpu...

This is makes the server almost unusable..Happens on clean install or not. Virtual or physical.

Sometime a repair helps, but this is getting rediculouse...2000 servers and 8500 pc and ready to ditch this for something else........

Everyone says to upgrade to 12.1.5 and 12.1.6..>Well same issue regardless of version, Each version since 12.1 users have complained of HIGH CPU..next version claims to have fixed it

Really, what is the real fix??????????????