Installed Endpoint protection and servers ground to a halt.

Sorry, should have said user home directories rather than profiles. However, I have just re-checked the server now that the service is stable and found that the network bandwidth utilisation is is far higher than previously (short term peaks up to ~50%) which made me look for something that could have throttled network utlisation. The likely answer seems to be File Auto-protect but why wouldn't this have been evident when everyone logged on at the start of the day? Is this a red herring?

I had a similar problem with a domain controller here slowing right down and not letting users log on. I solved it by disabling Network Threat Protection. I haven't had time yet to go back and see exactly what it did to cause the problem.

rgs,

Thanks for that. I know I've seen the phrase Network Threat Protection but I can't find it in the policies. Are you referring to network drive scanning or Network Application monitoring? Or am I suffering from option blindness?

[EDIT] Actually, scratch that. I found the option in the help file and tied it back to the policy options. But it keeps referring to the firewall. I only installed antivirus and antispyware components so Network Threat Protection shouldn't even have been active!

Message Edited by jmangan on 10-10-2007 01:18 AM

This is getting weirder. I have disabled all of the Symantec services on the server (I went into Safe Mode to disable the Client Manager and remove ir from Windows/Run in regsitry) and the problem is still occurring. Installing SEP is the first thing to change on this server in weeks, if not months, and now it seems to be completely unstable.

How come you cannot uninstall the client from Add/Remove programs?

This time I was actually watching the network utilisation in Task Manager. Slowly, over a period of 15-20 minutes it decays away as more and more people call up to say they are losing their shares, machines are freezing, etc.

One reboot later and all is well - for a while. I've checked the network adapter drivers and we are at the latest level.

I need help!!

I have the exact same problem. I've just installed SEP on several clients and on two servers (both freshly installed Windows 2003 SP2). The clients are fine, but one of the servers (terminal service enabled, some shared folders, nothing else) is producing weird network halts - I can ping it, connect to it via mstsc.exe, but any connection attempt to the shared folders fails. I have only installed the necessery minimum client to the servers (antivirus and -spyware).

I don't know if this is a clue or a red herring but . . . we were running the latest Dell network drivers on our affected server but one of my colleagues downloaded a later Intel driver. While he was doing that he noticed that in 'Network Neighborhood' under 'Entire Network' there are four 'Symantec SNAC Network Provider' entries. These disappeared when he installed the new driver but have subsequently reappeared. This is on a server where I have disabled all of the Symantec services and applications. These entries also appear on the other servers that SEP was installed on but not on any of the other servers.

Have we been root-kitted by Symantec?

TCG,

Thanks, if I ever get the server working again I will try that. We couldn't wait any longer for a fix so we tried running the server in safe mode and deleted all references to Symantec in the registry. Now, not entirely surprisingly, we have a non-booting server which we are re-building.

Even if indexing is the answer (and I would really like to hear if it cures everyone elses problems) this is not good enough from Symantec; no response to this forum (although other simpler questions get answered), no way to remove the client to confirm the source of the problem and no warning up front that that they are installing at such a low level that removal is virtually impossible.

Just not good enough!

Now, back to the server rebuild . . . . .

Woohoo! First time ever the repair option actually worked for me. Server is backup, the "Symantec SNAC Network Provider"  instances have disappeared and (by the way) the indexing Service turns out to have been disabled all along.

I can't recommend this as a repair procedure but so far its looking pretty good!

If you are experiencing this problem then try this:

http://service1.symantec.com/SUPPORT/ent-security....

We did this on Friday and today is the first day since we installed SEP that the server has not suffered from a glitch.

Recommended (so far).

I have experienced this same problem on a Windows 2003 R2 SP2 Server with current Windows updates and Intel NIC drivers. The server will run fine 2 or 3 hours and then all of the sudden access to the shares disappears. A restart will cure the issue for a few hours and then the issue occurs again. Nothing strange in the task manager, and nothing unusal in the event logs. This server has never had this issue untill we installed Endpoint. Any Symantec guys out there want to try and answer this one? I will not deploy Endpoint Protection elsewhere until this issue is resolved.


Thanks For your Help!

-Rob

(in reply to jmangan) Maybe your suggestion works, but I'd rather try a solution which doesn't mean permanently uninstalling Symantec...

Message Edited by SyP2 on 10-16-2007 02:31 AM

Some additional information about our server: it's Windows Server 2003 SP2 Enterprise, with 4 GB RAM and Terminal Services installed.

Syp2, I don't disagree with you on the target but, lacking any involvement from Symantec on this thread, I will settle for the servers working.

Losing all of the users' home directories 3-4 times a day is worse than being hit by a virus! I'm quite serious, the productivity loss over the last week is directly comparable to a major virus outbreak. In fact with a viruis outbreak we would probably have shut down the affected servers immediately and rebuilt them rather than waiting for Symantec to offer some explanation/solution.

Good luck waiting for the 'right answer'.

Thanks so much for the reply, here is the revelant info:

OS Name    Microsoft(R) Windows(R) Server 2003, Standard Edition
Version    5.2.3790 Service Pack 2 Build 3790
Other OS Description     Not Available
OS Manufacturer    Microsoft Corporation
System Name    MTC-W2K3
System Manufacturer    Intel
System Model    SBD2A070
System Type    X86-based PC
Processor    x86 Family 15 Model 4 Stepping 3 GenuineIntel ~3192 Mhz
Processor    x86 Family 15 Model 4 Stepping 3 GenuineIntel ~3192 Mhz
Processor    x86 Family 15 Model 4 Stepping 3 GenuineIntel ~3192 Mhz
Processor    x86 Family 15 Model 4 Stepping 3 GenuineIntel ~3192 Mhz
BIOS Version/Date    Intel Corporation SE7520BD22.86B.P.08.00.0070.062820050954, 6/28/2005
SMBIOS Version    2.3
Windows Directory    C:\WINDOWS
System Directory    C:\WINDOWS\system32
Boot Device    \Device\HarddiskVolume1
Locale    United States
Hardware Abstraction Layer    Version = "5.2.3790.3959 (srv03_sp2_rtm.070216-1710)"
User Name    DOMAIN\Administrator
Time Zone    Central Daylight Time
Total Physical Memory    3,583.38 MB
Available Physical Memory    2.77 GB
Total Virtual Memory    5.35 GB
Available Virtual Memory    4.73 GB
Page File Space    2.00 GB
Page File    C:\pagefile.sys

This server is an Intel SC5300 series chassis with a SE7520BD2 motherboard. I installed SEP using client remote , and this server had the Admin console installed on it as well. Using default policies, however I had to modify the firewall policy to do a permit any any to as it was blocking DNS and DHCP client requests. The strange thing is that I had told it not to install  the firewall, however these policies were still present. The server has an integrated INTEL pro 1000 card with the latest driver.


Thanks,
-Rob

Oops, I forgot one thing...

The main symptom is that the shares "disappear" within 3 or 4 hours of server operation. A reboot fixes the issue for another 3 or 4 hours. It seems like it may be a SMB signing issue???? The clients will all recieve a "delayed write failed" error message for the network drives when the issue first appears. I have since removed SEP and installed 10.1.5 and the issue has since gone away.. Hope this helps.

at last. :)

hardware:
IBM eServer xSeries 235, Dual Xeon 2800 MHz, 4 GB ECC RAM, Broadcom NetXtreme Gigabit Ethernet (b57xp32.sys, 10.35.0.0, 2007.05.09.)

software:
Windows 2003 Server Enterprise Edition, SP2, Hungarian Language, all security updates applied
Symantec Endpoint Protection manual install (then changing SyLink.xml to make it managed), with only Antivirus and Antispyware elements included.

environment:
Windows 2003 domain member server.
It's not a VMWare host. It's a fresh install, with almost no additional software installed.

Symantec policies: they have been slightly customized, if I can easily dump it to a file and you request, I can send it.

Symptomes: Network experience is doing OK for a while (usually several hours, maybe it depends on how many bytes are transferred), then clients connected to the server are:
at first, able to browse the shares, but copying a file never completes, after that, one cannot mount the share any more, until someone restarts the server.

I uploaded my server's SyLink.xml policy file and a system report file made by Lavalys' Everest to Symantec's secure fileshare. I suggest that those with the same problem should do the same!

(A demo version of Everest can be downloaded from: http://www.softpedia.com/progDownload/EVEREST-Corp... )

We mainly connect to the server with Windows XP SP2 clients, if that's a factor, maybe you should try this too.

Paul,

I have raised a call, Case 240-659-810, what might help is my last entry where I point out what was left to remove from the client after our own efforts had been exhausted and we got the 'official' Symantec advice. The problem must lurk in the few remaining files and registry entries.

I would also point out that I have not seen the problem on all of the servers I have rolled it out to  (Remote Client Installation) and I am using Windows 2003 SP1 & SP2 on Del hardware.

I hope it helps.

John

thanks!

p.

We mainly use SEP11 on XPSP2 clients. On most machines antivirus, antispyware and proactive threat detection are installed. I uploaded my clients' and my administrator machines' SyLink.xml files to the share, is it the file which contains the policies? At first sight it only points to the management server.

Paul,

I'm working from memory on this now but I can say:

- I definitely didn't see any teefer2 references in the registry or in the network connection settings.

- I am pretty sure (~90%) that I haven't seen wpshelper.sys

- I am less sure about SysPlant.sys but I don't recall seeing it.

Regards,

John

Message Edited by PA_Infrastructure_Foxconn Corp on 10-23-2007 06:31 AM

Add another unhappy customer to your list.  We tried installing this in a limited fashion and things seemed fine at first.  However, I came across this thread as I was researching some other issues and realized that if I installed this on our production file servers, we'd be in big trouble.  So far I'm not very impressed with this product at all.  The previous version of Corporate Edition 10.2 was solid for us, and for now I'm going to stick with it.  We'll likely start to look for another solution if this is the direction that Symantec is going.

• Dell Windows 2003 R2 w/ 3 member servers (running, WSS 3.0, TS, Off site back DFS)
• DC/IE7/WSS 2.0/.NET v1; v2; v3 all current; Java 1.6.0_03-b05;
• EndPoint on the Server won't connect to Management Server (itself) Wont update Policy or allow for import or export just doesn't do anything.
• Errors Never Seen before miragtion/install: This next error is funny as it's 2:01 am and no one is in the office. This didn't stop until we powerbutton shutdown the server.

• This failure required a reboot to fix. No clients could connect. Hold Power Button, consol didn't respond! 2nd time this has locked us up.

• Next Error:

• This one is new. How many people have Shadow Copies on? Looks like the server locked up during a shadow copier, how does Endpoint handle Shadowcopies?

• LiveUpdate service is running and stopping every 20+ seconds and has been for hours!
• We use a program called BillQuick which runs off .NET 2 Workstations now have corrupted .net installs, this is from BillQuick Support

Here is what we need to try.

1. Uninstall BillQuick and all .NET framework versions from the PC.
2. Remove the PC from the Domain (change to workgroup)
3. Create an administrator account on the computer.
4. Reboot the PC and log on with the local user that was just created.
5. Install the full version of BillQuick downloaded earlier.
6. Reboot the machine and log back in as the same administrator.
7. Run BillQuick, if this successfully runs there is an issue with the domain user on the pc. If it does not run at this point the MDAC on the pc is damaged.
1. If we are successful in running BQ at this time rejoin the domain and restart the computer, see if BQ runs at this time. If not there is some security settings that are not allowing us to have full access to the BQ installation folder c:\programfiles\billquick2007\
2. If BQ doesn’t successfully run you can contact us further for assistance with MDAC troubleshooting.

<--------------------------------------------------------------->

          <  -  Nicholas Chappell  -  >

   <  -  -  BQE Software Support  -  -  >  

           <  -  (310) 602 - 4030  -  >

• Next:

Event Type: Information
Event Source: EventLog
Event Category: None
Event ID: 6013
Date:  10/17/2007
Time:  12:00:06 PM
User:  N/A
Computer: KING
Description:
The system uptime is 6133258 seconds. 70+ Days uptime before EndPoint

I run a small network (one 2003 S.B. server with 8 XP clients). The server runs as a fileserver and mainly default policies. We upgraded to SEP about two weeks ago and  that's when the problems started. So, after two weeks of losing the fileshare a couple of hours after rebooting the server, yesterday the server ground to a halt. I rolled back the clients to 10.1 which was the previous stable version we used. 

When I tried to uninstall SEP from the server...nightmare! No information on the Symantec website, and as previous posters on this thread have stated, Add/Remove simply doesn't work! On our server, the progress bar 'progresses' about 5mm and then hangs. When I tried to cancel the uninstall, nothing happened; the window didn't close. Eventually the only way I could close the window was to logout.
I rechecked Add/Remove and SEP wasn't listed so I figured it had uninstalled despite the hang. On rebooting the server, I again checked Add/Remove and SEP was back in the list! Fortunately someone has since posted a link to the uninstall process (albeit for XP), which has enabled me to roll back to 10.1 on the server.

Our issue we have had rings true with most other posters, but one point I'd like to add is the process dfssvc.exe was creating a 2Gb pagefile at the same time as we were running SEP. I subsequently found that MS has released a hotfix for this but I've never noticed this process [having such an impact] before and only since running SEP. On removing SEP, the process is no longer having such an impact (and I haven't added the hotfix...yet!). Now, this is just speculation because I didn't monitor this process at the time the server was struggling (it's a production server) - but could the dfssvc.exe contribute to an inordinately big pagefile in turn causing the server to stop the fileshare?

Thank you all for your feedback and assistance to date re this issue.

Please be assured that Symantec are taking this issue very seriously and currently Technical Support are investigating it as a priority.

If anyone else experiences these symptoms, can you please log a case with Technical Support and reference the case number 240-666-465. This way we can properly link related occurances together, set priority correctly and ensure all affected customers get assisted re resolving the issue.

When Symantec Technical Support reach a conclusive outcome with their investigation, I'll post a further update here to update the other forum users.

Best Regards,
Graham Ahearne.
______________________________________
Sr. Manager, Technical Product Management
Endpoint Security Group, Symantec Corporation

We have two DC's at our office.  The "secondary" DC is our Symantec AV server, and we had installed SEPM on it.  We also installed the client on the "primary" DC, another file server, and a few workstations.  After reading this thread, I was very hesitant about installing it on any of our other servers, even though we weren't really seeing any problems.  I was able to successfully uninstall from Add/Remove programs with no problems on all three servers and the few workstations.  The DC that had the client installed on it acted a little funny after we rebooted from the uninstall-DNS service wouldn't start and AD was showing a lot of errors in the event logs...however this may or may not have been due to a change I made to the hosts file before I rebooted.  I changed the hosts file back to normal and rebooted again and everything was ok.

I wonder if it has anything to do with some of the latest Windows updates not playing nicely with SEP?  We haven't updated our DC's for the last couple of months.  All servers are Windows 2003 RC Standard, SP2.  Dell PowerEdge 1950's.

The stories I have read on here have convinced me to stay with 10.2 on the clients 10.1.5 on the servers for the forseeable future.

Message Edited by Scott Klassen on 10-24-2007 11:27 AM

Message Edited by Scott Klassen on 10-24-2007 11:28 AM

Message Edited by Scott Klassen on 10-24-2007 12:23 PM

Message Edited by Malfean on 10-25-2007 01:08 AM

Message Edited by Network COP on 10-25-2007 11:05 AM

Message Edited by JohnL on 10-25-2007 03:41 PM

Message Edited by RYDOG on 10-25-2007 04:11 PM

Message Edited by RYDOG on 10-25-2007 04:15 PM

Message Edited by FlipSide on 10-26-2007 09:16 AM

Message Edited by FlipSide on 10-26-2007 09:17 AM

Message Edited by njlyle on 10-26-2007 10:01 AM

Message Edited by Scott Klassen on 10-26-2007 11:43 AM

Well I was a good boy and actually setup a virtual domain on vmware to roll this out before I rolled it out on production servers. It seemed to go fine on the vmware servers but I can't say I had them running for more than an hour.

After installing this at one site, the server has kicked me off RDP and is reportedly going very slow. I am about to go on site and investigate. I think you'll be adding another case to this thread.

Message Edited by Michael at SBS on 10-29-2007 11:29 AM

We currently have sav 10 and last week I started looking at sep.  Of course, I'm doing this in vmware and spent some time looking at different options.  I was having some issues on the server and came across this thread.  I thought I was doing something wrong in the configuration, but after reading some of these posts, I guess I'm not alone :smileysurprised: .  It started with the 25defbuilder process (forget the first part) causing heave cpu/disk activity, which went away after about 5-10 minutes.  I have one client, my notebook, and have been having problems.  The end of last week, there was heavy disk access and took about 10 minutes to open services and disable sep and stop them all.  Disk access stopped after that.  Today I was having the same issue as mentioned earlier.  I've been monitoring the client on my notebook and quite often it keeps saying 'file system autoprotect is malfunctioning' and after a few minutes it says it's ok, only to malfunction again :smileysad: .  On the server side, I have removed all the default rules and created my own.  I don't have scan all files enabled (only most common) and have since turned off the option to scan each file to determine the type.  Besides that, it seems to be working ok for the most part.  The only real problem i had on the network was that there was a rule that caused traffic to be blocked to the Exchange server, which i resolved by adding an exception on the 10.x.x.x network and seems to be fine.  I also had occasional cpu spikes on my notebook from ccSvcHst process.  Now that I see this thread and the other similar issues people are having, I will wait before deploying this :smileyindifferent: .