Endpoint Protection

Recently i have been getting an error on the SEP clients.  Every so often when we log into a client machine using the domain admin account we get the error Rtvscan.exe Error "The exception unknown software exception (0x40000015) occured in the application at location".  This has been puzzling us for a long time now, and was wondering if anyone knew had to stop this error from appearing.  Clients never see this error, just when you log in as domin admin.

Thanks.

Error "The exception of unknown software exception (0x40000015) occurred in the application at location 0x6b1a20e8. Click Ok to terminate the program"

Question/Issue:
When opening the quarantine from the Symantec Endpoint Protection Client interface it generates the error: Symantec Endpoint Protection: SymCorpUI.exe - Application Error The exception of unknown software exception (0x40000015) occurred in the application at location 0x6b1a20e8. Click Ok to terminate the program

Symptoms:
Unable to open the quarantine interface.
A large number of files are located in the quarantine directory

Cause:
The system has quarantined a large number of files in the following location: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine


Solution:

1. A large number of quarantined files could indicate that an unknown threat is downloading known threats to the system. To confirm that there is not an undetected threat check for suspicious files in the Load Point Diagnostic Utility report.

For information on how to obtain and use the Load Point Diagnostic Utility please refer to the following document:
Using the Load Point Diagnostic Utility
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008053012231648?Open&seg=ent

2. Submit any suspicious files found from step 1.

Submit the files to Symantec at:
https://submit.symantec.com/websubmit/gold.cgi

If you are certain the file is malicious manually add the suspected file into the Endpoint Protection client quarantine (rendering it inoperable) by clicking Add... in the View Quarantine interface.

The file can be submitted directly from the quarantine using the steps in the following document:
How to submit file(s) from quarantine using the new user interface within Symantec Endpoint Protection 11.0
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007031308253048

3. Delete all files from the folder:
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine

4. Try to open the quarantine through the Endpoint Protection Client interface. It should open without error.

Thanks to the Symantec Knowledge Base.

Thanks i will test some of these out and see what happens.

Reading the release notes of MR4 MP2 it says it has a fix for an RTVScan.exe error.

You just create another installation pakage and deploy it. this was the issue faced in MR3, but MR4MP1 has resolved it.
Ajit

Where can i find those release notes?  We are running MR4.

Found them, thanks.

http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007121216360648 is the link to release notes..

Cheers
Pete

We have updated our machines to the newest release, but are still getting this same error.  What we cannot understand is why the error ONLY comes up when we login as administrator.  Regular users have never seen the error.  We have tried multiple methods of trying to resolve this error, but nothing is working.
The only thing we can think of as to why this error occurs is because we are running the server on a Windows XP machine currently.

Anyone have any clue as to why this would only pop up when we log in as Administrator?  And, any other ideas to fix this error?

Still having this problem...anyone have an idea?

Are you using Roaming profile or Local profiles?

Have you already cleared out the quarantine?

If it's using local profiles, and when you log in with Administrator it is crashing, than try removing the locally stored profile.  It's an XP machine, so if it''s a domain admin account that is bugging out, you may need to login as local admin to remove the domain admin local account (profile). 

**
Crafty buggers are beginning to exploit a "known weakness" in M$ code.  Although noone wants to admit to the flaw, because "legitimate companies" use it too. 
%userprofile%\application data  and so on -  is an environment in which almost anything can be executed bypassing conventional AS/AV scans.

It is entirely possible, that something has been placed here and is causing you these problems and filling up the quarantine whenever the Admin account is logged in and not affecting other accounts.

Flushing the Admin account from the machine can help to determine if this indeed is an issue.