Endpoint Protection

  • 1.  Registry key to delete

    Posted May 06, 2013 03:06 PM

    Hello Team,

    There is a specific key which stores rootkits or keyloggers in the registry, due to which the SEP install rolls back every time. Can someone please share that key?

    Thanks in advance




  • 2.  RE: Registry key to delete

    Posted May 06, 2013 03:09 PM

    There could be many keys which rootkits like to add/alter, not one specific one. Also, the purpose of a rootkit is to hide itself so you may have a tougher time accomplishing this.

    You can post the SEP_INST.log file located in %temp% which will show why it is rolling back.

    If you think you're infected then try the Power Eraser tool or perhaps some other third party scanner.
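
The reply above suggests reading SEP_INST.log to find out why the install rolls back. As an added example (not part of the original thread and not Symantec's code), this Python script lists the actions that a Windows Installer log records as failed, marked by "Return value 3", together with the lines just before each one. The sample log and the action name ExampleCustomAction are constructed for illustration.

```python
import codecs
import re
import sys
from collections import deque

# Constructed sample in the general shape of a Windows Installer verbose log;
# it is not taken from a real SEP_INST.log.
SAMPLE_LOG = """\
MSI (s) (A4:10) [15:01:12:101]: Doing action: InstallFiles
Action start 15:01:12: InstallFiles.
Action ended 15:01:20: InstallFiles. Return value 1.
MSI (s) (A4:10) [15:01:20:300]: Doing action: ExampleCustomAction
Action start 15:01:20: ExampleCustomAction.
CustomAction ExampleCustomAction returned actual error code 1603
Action ended 15:01:21: ExampleCustomAction. Return value 3.
MSI (s) (A4:10) [15:01:21:400]: Doing action: Rollback
Action ended 15:01:30: INSTALL. Return value 3.
"""

ACTION_ENDED = re.compile(
    r"^Action ended \d{1,2}:\d{2}:\d{2}: (?P<name>.+?)\. Return value (?P<rc>\d+)\."
)

def read_log(path):
    """Read a log that may be UTF-16 (with a BOM) or a single-byte/UTF-8 text file."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16")
    return raw.decode("utf-8", errors="replace")

def find_failures(text, context=3):
    """Return every action that ended with return value 3, plus preceding lines."""
    recent = deque(maxlen=context)  # rolling window of the lines before a failure
    failures = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = ACTION_ENDED.match(line)
        if m and m.group("rc") == "3":
            failures.append({"line": line_no, "action": m.group("name"),
                             "context": list(recent)})
        recent.append(line)
    return failures

if __name__ == "__main__":
    # Pass the path to SEP_INST.log as the first argument; without one the sample is used.
    log_text = read_log(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG
    for f in find_failures(log_text):
        print(f"line {f['line']}: action {f['action']} failed (Return value 3)")
        for ctx in f["context"]:
            print("    " + ctx)
```

The earliest failed action in the output is the place to start reading; later entries such as INSTALL are the overall install reporting the same failure.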



  • 3.  RE: Registry key to delete

    Posted May 06, 2013 03:25 PM

    There is a specific key I am looking for.



  • 4.  RE: Registry key to delete

    Posted May 06, 2013 03:34 PM

    Depending on the type of rootkit/keylogger the reg location may be completely different. I believe there is not a single one specific location that would be "generally known" for all of them. Have a look at some documentation:


    https://www-secure.symantec.com/connect/articles/rootkit-intruder-living-your-kernel

    https://www-secure.symantec.com/connect/forums/what-are-rootkit-detection-and-removal-capabilities-sep

    https://www-secure.symantec.com/connect/articles/introduction-spyware-keyloggers



  • 5.  RE: Registry key to delete

    Posted May 06, 2013 04:09 PM

    You don't mean this one, do you?:

    Installation fails with the message "Pending system changes that require a reboot have been detected"

    Article:TECH103109  |  Created: 2007-01-16  |  Updated: 2013-01-11  |  Article URL http://www.symantec.com/docs/TECH103109

     



  • 6.  RE: Registry key to delete

    Posted May 06, 2013 04:21 PM

    I am sorry, I forgot to mention it is not for pending system changes.



  • 7.  RE: Registry key to delete

    Posted May 06, 2013 09:54 PM

    Hi Swapnil,

    Solution

    In the registry,

    Find

    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
    value=%APPDATA%

    and change it to

    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
    value=%USERPROFILE%\AppData\Roaming

    Install SEP client again.

    Check this article

    The installation of Symantec Endpoint Protection (SEP) client fails and rolls back around the point of registering with LiveUpdate

     

    Article:TECH94596  |  Created: 2009-01-15  |  Updated: 2009-01-31  |  Article URL http://www.symantec.com/docs/TECH94596

    https://www-secure.symantec.com/connect/forums/rollback-issue-fix-works-windows-7-sep-1105



  • 8.  RE: Registry key to delete

    Posted May 06, 2013 09:58 PM

    Check this article

    SEP Installation Rollback on Windows 7, Windows Vista, Windows 2008

    https://www-secure.symantec.com/connect/articles/sep-installation-rollback-windows-7-windows-vista-windows-2008



  • 9.  RE: Registry key to delete
    Best Answer

    Posted May 07, 2013 08:35 AM

    Thanks all for your help. I had to get the machine re-imaged.

    Thank you