Endpoint Protection

SEP 11.0.x - client computer freeze

  • 1.  SEP 11.0.x - client computer freeze

    Posted Nov 18, 2009 06:41 AM
    Hello,

    In our company we are using Symantec Multi-Tier Protection Small Business Edition
    I first installed the 11.0.4 manager from the cd's but upgraded it with the 11.0.5 version regarding issues with the java remote interface
    After that i installed the central quarantine and the central liveupdate server and set the submission in the manager console to go to the central quarantine and configured the liveupdate(products, source server, distribution, etc)

    Yesterday after configuring the policies from the endpoint protection manager, i exported the client install packages.

    I selected

        * Antivirus and antispyware protection - antivirus email protection with microsoft outlook scanner (as we have outlook 2007 installed)
        * truscan proactive threat scan
        * network threat protection

    Next, in the protection manager under the created group from the client installation export packages i added all our domain user accounts and the server computer names and i managed them under different sub groups(departments)

    So finally i installed them to the clients (win xp pro SP2) first, and the servers last (win 2003 standard SP2).
    Copied every time the hosts file from the internal server (except for the internal server itself) to the local liveupdate folder.

    Everything went fine, installations successful


    But now comes my problem:

    This morning when the employees came to work, they started their pc's and one after the other, the client pc's just crashed/froze/stopped responding without any other explanation.
    (This only happens when the client endpoint protection is enabled)

    Please can anyone help me, did i do something wrong, conflicts, wrong config??

    I have noted the last crash time now from my pc and i am waiting for the next to see if it could be a configuration in an interval setting somewhere?

    thanks


  • 2.  RE: SEP 11.0.x - client computer freeze

    Posted Nov 18, 2009 07:55 AM
    Do you see anything in the event viewer
    related to the crash?


  • 3.  RE: SEP 11.0.x - client computer freeze

    Posted Nov 18, 2009 08:54 AM
    No, i think i cannot see items listed around the time of the crash that are related to the crash

    on the client side i do see a warning from EventSystem, event id 4356, category 52 telling me that the com+ event system failed to create an instance of the subscriber partition {'reg key'} CoGetObject returned HRESULT 8000401A (in the application log)

    on the server i only see errors from norton antivirus for the eicar test string(cleaned by deletion) and an error from central quarantine for a trojan horse that we have deleted this morning.

    also an error from SescLU telling me that some update may have failed to install, but that was before the client installation on all pc's

    No actual program errors/conflicts..

    In the meantime i have had a couple of freezes, and it's remarkable that it is once in an hour starting when you log on, here are the times i have written down:
    12:26AM
    01:28PM
    02:31PM


  • 4.  RE: SEP 11.0.x - client computer freeze

    Posted Nov 18, 2009 09:12 AM
    You mentioned that.

    on the server i only see errors from norton antivirus for the eicar test string(cleaned by deletion) and an error from central quarantine for a trojan horse that we have deleted this morning.

    ever used Norton on client machines?


  • 5.  RE: SEP 11.0.x - client computer freeze

    Posted Nov 18, 2009 09:22 AM
    The error

    Event ID 13: "SescLU - LiveUpdate returned a non-critical error. Available content may have failed to install."

    That you are getting on the server is because the virus definitions may be corrupted on the server. So please uninstall and reinstall the SEP Client on the server.

    As far as the 4356 error is concerned, stop and start the smc service.



  • 6.  RE: SEP 11.0.x - client computer freeze

    Posted Nov 18, 2009 09:25 AM
    Here are some settings that may be helpful?

    Central LiveUpdate server
    2 standard source servers
    1 distribution center(only production, no testing) that is the url from the internal server
    client settings is to only watch for the internal server

    purge updates in distribution centers is daily at 12:30AM


    Definition downloads: daily at 6:00am
    Software downloads: weekly at 1:00am

    Definition distribution: daily at 11:00am
    Software distribution: weekly at 11:55am

    Symantec Endpoint Protection Manager Console
    ADMIN

    On the Local Site i have
    Console timeout 1 hour
    LiveUpdate Continuously
    LiveUpdate source server set to the internal source server with the ip as the server name

    POLICIES
    - Administrator-defined scans: weekly, Tuesday at 10:00am

    - Allow sending of quarantined items to the central server, retry 600 seconds

    - Use a liveupdate server > internal server(same as above); schedule "enable liveupdate scheduling" is not checked here but is set to continuously in the grayed out area


    In the past when the company was part of a couple of people, they had "Norton AntiVirus Small Business Edition, Total Managed Protection Edition", or what did you mean with that last question?


  • 7.  RE: SEP 11.0.x - client computer freeze

    Posted Nov 18, 2009 09:32 AM
    On one of the machines, can you remove SEP from Add/Remove Programs?

    Use the Norton removal tool.

    http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039
    run the sep install again. check if the issue persists.


  • 8.  RE: SEP 11.0.x - client computer freeze

    Posted Nov 18, 2009 09:54 AM
    Ok i will do that in a moment

    Another remark, there is a computer where i forgot to log on when i was installing the client from the server. So the client pc was set to the ctrl alt del screen when i was installing the product. This person came a half hour before me at work today and her pc did not crash, but mine did.

    Now should i install the product on a client pc when no-one is logged on, like in case with that person?

    Very strange that it is always 1 hour until the next crash (last one now was 03:35pm, next crash will probably be 04:38pm)


  • 9.  RE: SEP 11.0.x - client computer freeze

    Posted Nov 18, 2009 12:48 PM
    i have removed the program from add/remove programs and have executed the removal tool

    after that i reinstalled it and waited an hour

    it still keeps freezing


  • 10.  RE: SEP 11.0.x - client computer freeze

    Posted Nov 18, 2009 12:52 PM
    On the machine which is freezing,
    can you open Task Manager and check what is taking CPU? I'm sure that it's because of LiveUpdate or rtvscan.exe.
    What if you install a package without NTP (this installs a kernel driver and is the reason for most of the BSODs)? Did that stabilize it? Any peculiar event log?


  • 11.  RE: SEP 11.0.x - client computer freeze

    Posted Nov 18, 2009 01:17 PM
    i see the following programs sometimes on top of the list : smc.exe, smcgui.exe, inetinfo.exe, jqs.exe, lsass.exe but mostly it is smc.exe but all of them are 1 sometimes 2 cpu

    rtvscan is normal(almost 00 all the time), but i'm not working anymore today

    another strange thing: we have 5 pc's with office 2003, i have installed the same package over there, and no pc is freezing over there..

    thanks, i will try that tomorrow


  • 12.  RE: SEP 11.0.x - client computer freeze

    Posted Nov 19, 2009 03:57 AM
    yesterday i phoned symantec and the problem was found

    The problem is the truscan proactive threat scan that is running every hour(default) in the antivirus/antispyware policy

    thanks!

    Now, is this critical, what to do about it?



  • 13.  RE: SEP 11.0.x - client computer freeze

    Posted Nov 19, 2009 06:28 AM


  • 14.  RE: SEP 11.0.x - client computer freeze

    Posted Jan 09, 2010 01:38 PM
    I did a similar upgrade recently and, if I do not stop the service "symantec client manager", I get very slow logons and, when folks finally do get a desktop, they cannot access any shares on the server. Is my problem the same as discussed above with the same fix or is this another problem? I know I need to start that service to keep clients updated but I can't if it cripples my network at the same time. If this is another problem, can someone point me to another thread or provide me with some assistance?

    Thanks.


  • 15.  RE: SEP 11.0.x - client computer freeze

    Posted Jan 09, 2010 01:42 PM
    Meant to say "symantec management client service"...