
ProActive Threat Protection is Disabled

Created: 24 Oct 2013 | 16 comments

Hi all, I'm going to open a support ticket for this as well, but I've found in the past that sometimes I can get a faster answer here, with so many minds at work.

I'm running into a problem with a small number of workstations, where suddenly PTP is showing as disabled.  In the SEPM, it lists the status as "Malfunctioning".  In the Client Console, I get the red alert bar, with the message Proactive Threat Protection is disabled.  There is no "Fix" button on these clients.

Uninstalling / reinstalling doesn't fix the problem, even when Cleanwipe is run in between the removal and reinstall.  Affected machines include both the 12.1.3001.165, and the 12.1.2015.2015 clients.  As I said, this is a fairly small percentage of our client base (about 30 out of 1400), however what concerns me is suddenly out of nowhere I had about 15 machines with this issue.  Machines that had been in production for quite some time without issues.  A week later I had 21 workstations, a week after that 29 workstations....it's a trend I'd like to stop early if I can.

Has anyone seen behavior like this recently?  Any ideas for things I can check?


.Brian's picture

Run the symhelp tool

Troubleshooting computer issues with the Symantec Help support tool

Article:HOWTO80839  |  Created: 2012-10-24  |  Updated: 2013-10-07  |  Article URL http://www.symantec.com/docs/HOWTO80839

Does running a repair fix it?

Check if BASH driver is running. Open a cmd prompt:

For a 32-bit machine run "sc query bhdrvx86"
For a 64-bit machine run "sc query bhdrvx64"

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Mithun Sanghavi's picture

Hello,

Could you please check in the AV/AS policy if the SONAR is not disabled?


Make sure it is Enabled and Locked.

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

trav531's picture

Brian: A repair does not fix it.  BASH driver is currently showing as Stopped.  Running the Help Tool now.

Mithun: Sonar is enabled and locked across all of my endpoints.

Additional info: after reviewing the list of affected PCs for a common thread we noticed 1 single commonality.  Every single one has PGP Desktop installed.  As we don't have very many PGP installs in the company, and no machine without PGP is having this issue...I think we're onto something here.

trav531's picture

Further update, PGP Desktop definitely seems to be the issue.  Once I uninstall that, SEP starts working normally again.

Interesting though, that these 2 products have been working fine together for months, and suddenly stop playing nice in the last couple of weeks.

.Brian's picture

Was PGP upgraded?


SameerU's picture

Hi

Have you tried upgrading to SEP 12.1.4?

Regards

trav531's picture

No luck so far.  Here's the data to date.  Still working with Support on this as well.

All affected workstations were on PGP 10.0.1 and SEP 12.1.3

Uninstalled PGP 10.0.1 and rebooted

Verified that SEP Proactive Threat Protection was working once PGP was removed.

Uninstalled SEP 12.1.3 and rebooted

Ran Cleanwipe Utility and rebooted

Installed SEP 12.1.4 and rebooted

Verified that once again Proactive Threat Protection was functioning correctly

Installed PGP 10.3.1 (as this version supposedly fixes this issue with SEP) and rebooted

SEP Proactive Threat Protection is disabled after the reboot.

trav531's picture

Hey NirHal, have you found a solution to this yet?  Support is still working on it on my end.

DCSEPadmin's picture

I have the same exact problem. Waiting on SEP support. They want to send me to Symantec PGP support. I said no. I did call Symantec PGP support and they were clueless. I can't believe this is the same company.

Symantec Certified Specialist

.Brian's picture

It sounds like this is a bug and will only be resolved with a code fix. Did you provide logs for support?


trav531's picture

Yeah, they're wanting me to open a case with the PGP support as well now. DC SEPadmin, do you know WHEN you started seeing the issue? For us, it was beginning of October. It worked fine before then.

I've made it to 3rd level support now, and have an engineer on the case. They're wanting me to make a VM of the workstation for them to play with. Will keep you all posted.

DCSEPadmin's picture

Yes. I sent the large symhelp file to SEP support and other log files to encryption support. The issue started when we had to install the new desktop encryption software. We had an older version. My hunch is that the issue is a conflict between SEP application and device control “Non-Plug and Play Drivers” drivers and “Non-Plug and Play Drivers”: PGPdisk and PGPsdkDriver from desktop encryption.

It's simple to reproduce. Install SEP with a device and app policy. Then install desktop encryption software. Reboot.

Symantec Certified Specialist
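
For admins triaging the same symptom across a fleet, here is an added example (not posted by anyone in this thread and not Symantec code) that combines the "sc query bhdrvx86 / bhdrvx64" check with a look for the PGP drivers named above. It assumes PowerShell 3.0 or later, CIM/WinRM access to remote machines, and that PGPdisk and PGPsdkDriver are the driver service names as well as the display names quoted here.

```powershell
# Added example: report BASH driver state and PGP driver presence per workstation.
# bhdrvx86 / bhdrvx64 are the driver names given earlier in this thread.
# ASSUMPTION: PGPdisk and PGPsdkDriver (quoted above) are also the service names.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME)
)

$pgpDrivers = 'PGPdisk', 'PGPsdkDriver'

foreach ($computer in $ComputerName) {
    # Query the local machine directly so WinRM is only needed for remote targets.
    $target = @{}
    if ($computer -ne $env:COMPUTERNAME) { $target.ComputerName = $computer }

    try {
        $os      = Get-CimInstance -ClassName Win32_OperatingSystem @target -ErrorAction Stop
        $drivers = Get-CimInstance -ClassName Win32_SystemDriver @target -ErrorAction Stop
    }
    catch {
        # Keep unreachable machines in the report instead of silently dropping them.
        [pscustomobject]@{
            Computer = $computer; BashDriver = $null; BashState = 'Unreachable'
            PgpDrivers = $null; Suspect = $null
        }
        continue
    }

    # Pick the BASH driver name that matches the OS architecture.
    $bashName  = if ($os.OSArchitecture -match '64') { 'bhdrvx64' } else { 'bhdrvx86' }
    $bash      = $drivers | Where-Object { $_.Name -eq $bashName }
    $pgp       = $drivers | Where-Object { $pgpDrivers -contains $_.Name }
    $bashState = if ($bash) { $bash.State } else { 'NotInstalled' }

    [pscustomobject]@{
        Computer   = $computer
        BashDriver = $bashName
        BashState  = $bashState                 # 'Stopped' matches the symptom reported here
        PgpDrivers = ($pgp.Name -join ',')
        # Flag machines where the BASH driver is not running AND a PGP driver is present.
        Suspect    = ($bashState -ne 'Running') -and [bool]$pgp
    }
}
```

Saved under a hypothetical name such as Get-PtpTriage.ps1, it can be run with -ComputerName followed by a list of workstation names, and the output piped to Export-Csv to track the affected count over time.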

.Brian's picture

Any progress with this?


trav531's picture

It appears the January 15, 2014 R11 definitions for Proactive Threat Protection have fixed the issue.  I still have a couple of workstations to investigate, but since Wednesday's definition update, my list of affected clients has gone from 29 to 7.