Is SEP the cause for newly "delayed write failed" errors?

I started another computer to see if this had the error. This was last started the 21st of June.

From the event log I can see the computer is started at 08:48 am. While starting the usual Symantec stuff starts - i.e. SRTSP and LiveUpdate. LiveUpdate starts and stops a couple within 10 minutes or so.

At 09:21 am the first "delayed write failed" error pops up:
http://eventid.net/display.asp?eventid=50&source=ntfs

Followed by:
http://eventid.net/display.asp?eventid=57&source=ftdisk

I get about 10 messages of these 2 events the next 2 minutes.

I then get a DCOM error:
Unable to start a DCOM Server: {7E477741-01A6-4C06-9DAC-55F6174C08A3}. The error:"Insufficient system resources exist to complete the requested service. "Happened while starting this command:C:\Program Files\Symantec\Symantec Endpoint Protection\SescLU.exe -Embedding

Now the errors 50 and 57 continues to occur and I can only press OK to the popup. There's maybe 50 incidents or so. It then stops for about 2 hours and the repeats itself again.

In the Application log I can see this around the same time:
http://eventid.net/display.asp?eventid=1004&source=MsiInstaller
Detection of product '{FB8A4E30-9915-4814-ADF9-42E00D9FDC3D}', feature 'Core', component '{78451C05-F6C4-4B41-A80E-5F60B87C6E62}' failed. The resource 'C:\Programmer\Fælles filer\Symantec Shared\DefUtDCD.dll' does not exist.

Detection of product '{FB8A4E30-9915-4814-ADF9-42E00D9FDC3D}', feature 'Core' failed during request for component '{30466A58-8174-4ED4-9171-A4D739E84E3A}'

Detection of product '{FB8A4E30-9915-4814-ADF9-42E00D9FDC3D}', feature 'Core', component '{EA1EE0B5-8919-4935-A8F8-227891145D7A}' failed. The resource 'C:\Documents and Settings\All Users\Menuen Start\Programmer\Symantec Endpoint Protection\' does not exist.

It seems other have had the same issue:
https://www-secure.symantec.com/connect/forums/unable-start-dcom-server

Is it LiveUpdate that's the culprit?

Hi,

did you already try the Microsoft troubleshooting?

http://support.microsoft.com/?scid=kb%3Ben-us%3B33...

Regards,

Hello!

No, I haven't tried that as I think it's very suspecious that so many of my computers have this error within the same period. Also everything seems to indicate problems with Symantec.

I got another computer today which started having problems last week also:
Detection of product '{76B2BC31-2D96-4170-9C44-09E13B5555F3}', feature 'Core' failed during request for component '{30466A58-8174-4ED4-9171-A4D739E84E3A}'

And the only thing that has been updated on the computers are Symantec.

Yes, it is suspicious, but I believe that with the Microsoft KB you can start to analyze the issue, if there are some Windows features incompatible with SEP, a possible workaround and so on...

I really doubt that I will find the solution by going through that KB.

For now I have the problem on 6 computers (with different hardware) and they all have have SEP installed. 1 of these are running Windows 2003 Standard.

2 of those computers are rather old and have almost no software installed on them as they're mainly used for RDP applications. When I booted one of them the other day it took about 30 minutes before I had the problem and all that has been running on the computer was LiveUpdate.

Are you able to tell me anything on the above error messages? Why are these MsiInstaller errors?

I believe SEP is not the source of issue, it seems a victim of some OS or harware failures or the result of a tampering activity.

For example the event:

"Detection of product '{FB8A4E30-9915-4814-ADF9-42E00D9FDC3D}', feature 'Core', component '{EA1EE0B5-8919-4935-A8F8-227891145D7A}' failed. The resource 'C:\Documents and Settings\All Users\Menuen Start\Programmer\Symantec Endpoint Protection\' does not exist."

It should means that you moved/renamed the SEP folder in the start menu.

Wrong permissions can also cause this kind of issues. You should check them with the tool TestSec provided by our Support.

On the weekend at my home PC i started having the "delayed write error" and i had to reboot every 30 minutes , windows xp with Norton antivirus 2009

Today at work, an employee came with his laptop and the exact same message! we are using SEP MR4.
I actually don't believe in coincidences and I'm bit frighten by these errors...what are the chances of two PCs having HDD problems with the same error ??
Could it be a new virus on the loose ? maybe a bad definition file that corrupts something...

Hi,

I did not receive notification of bad definitions (and no spikes of customers' calls).
OK, it is not an HDD failure but maybe some strange settings are applied to all of your PC's.
Can you please check the MS KB to exclude those sources of this issue?
Then you shoud call our Support.

if ou have problem with "delayed write error" with network connection, in much case is due to network connection (there is no forced is 100 full on card and / or switch). When you force speed t's ok (particullary with broadcom chipset)

OK, just a little update.

The 2 Dell computers that have the error I've removed SEP from and also used Cleanwipe. I then installed MS Forefront and they're still crashing from time to time. I've then tried to disable the NIC (Intel) and it seems they're not crashing now. I'll have to test this a bit more.

On the Dell Windows 2003 server I yesterday restored a fully working Ghost image from May. Still after that the server is crashing with the same event ID's. I believe the NIC is Broadcom.

As I've said this concerns 6 computers - 5 with XP and 1 with Windows 2003. It's 4 different computer models and with different hardward.

I don't belive they suddenly out of the blue all should have HDD problems becuase they started to having the same errors within days.

I can only say that they're all running SEP but with different versions. Also 2 of the computers crashed soon after being started and picking up LiveUpdate files. It seems quite odd but still I can't prove it is SEP causing the problems. Still after using Cleanwipe I could find entries in registry so I'm not sure if it's still is causing problems.

I really don't want to turn off the caching stuff in Windows becuase the error must be somewhere else.

Could this be virus related? If the problem is solved by disabling the NIC could it then be some random attacks that might be causing the problem?

I've tried all the steps on Microsoft kb and of course it didn't make any difference. I suppose the article is good if you have the symptoms from the beginning as it doesn't make any sense to have a computer working for 2 years and suddenly to remember that "i need a different cable"

My only option right now for the client is to format it. i will post an update afterwards.

I've reinstalled one of my computers and put SEP back on and so far it has been running without problems.

Giuseppe.Axia > The server that I have that has the problem I would like to restore through Ghost again but then disable the LiveUpdate to see if it still is having problems. Would that just be the "LiveUpdate" service I need to disable or can I risk any other component will try to look for new updates?

did you use disk cloning?

OK, another computer popped up today with the "delayed write failed" error. The same behaviour as the other computers. I've checked the event log and it's all the same errors that I see.

Again the computer had been running fine for all of June but on the 25th the error started. The computer wasn't turned on the 24th.

At 19:42 on the 25th the LiveUpdate did it's job:
"New virus definition file loaded. Version: 110624ak."

And then at 20:07 these errors came:
Identificeringen af produkt '{76B2BC31-2D96-4170-9C44-09E13B5555F3}', funktion 'Core', komponent '{9B3AF051-BB19-4ABE-B16F-90BA34728389}' mislykkedes. Ressourcen 'C:\Programmer\Symantec\Symantec Endpoint Protection\LDDateTm.ocx' findes ikke.

Identificeringen af funktionen 'Core' i produktet '{76B2BC31-2D96-4170-9C44-09E13B5555F3}' mislykkedes under anmodningen om komponent '{C7212F42-5794-4F22-A86D-0D9E7392F7E8}'

I've checked the "LDDateTm.ocx" and it's in that folder where Symantec can't find it.

Giuseppe.Axia > can you try to check the "110624ak" definitions and see if you can find anything interesting. As of now I've had 7 computers with SEP and they have all gotten "delayed write failed" errors around the 24th of June.

I'll try to restore the Windows 2003 server with Ghost and disable the LiveUpdate and see if the server can continue to run without the error.

Paul Mapacpac > The computers have all be Ghosted after being manully installed.

Hi,

I think it is better to call our Support in order to speed up the troubleshooting,

Regards,

 I too will second calling into support, or opening a case online and them calling you back..  http://mysupport.symantec.com

It looks like this issue was taken offline several weeks ago but if any conclusions were made it would be appreciated if you shared them.

I have a customer with peer to peer XP3 network who was frequently receiving this message when using a program that has a file shared ISAM database.

I have seen this message resolved by disabling Windows Opps locking also I have heard of it resolved by setting all nics and switches from auto-negotiate to a hard setting like 100mps full duplex.

This customer however, simply removed the Symantec AV two months ago and have not received this message again since then.

What if anything was decided about the users in this thread who called into Symantec?

We had to disable opslock after installing SEP, and since then performance of the servers has been down the toilet.
If I enable opslocks again, performance shoots up but no one can save Word files to the server.
It's sep as when I remove SEP totally, the issue goes away and we can enable opslock. With SEP there, we must disable it and suffer the performance hit.
This started with a new build install in December. It was fine with early versions of SEP.
So whatever was done in that install in December is what broke it and it's been broke since then.
As soon as we put opslock back on the server, the helpdesk phone rings off the wall! Lost files, inability to save.
We live with it because no one at Symantec believes it was SEP even though it started exactly when the new builds were installed, and removing SEP removes the issue.

Can you please provide an update, or your case # info?

Best,

Eric

We have the same "Delayed write failures" on some our pcs and notebooks since we are installing SEP. I opened a call and they say that they never heard about an error like that.

We are using disk cloning a´nd teh problem disappears when we deinstall symantec.

Would be fine to hear about the case you opened.

For me the problem was that it was missing a file in the C:\Program Files\SAV\SmcLU.  I created a new SmcLU, and the events disappeared.  I checked the permissions, an they match another domains settings.

I got the same problem on Windows 2003 R2 Server installed on Windows Virtual Server 2005.

Windows was reporting "Delayed Write Failed" and the file name was from Symantec Update folder.

I restarted server in safe mode  - everything is OK!
I started Server the normal way - problem was still in place.
I forced virus signature update from other server by System Center Concole.
After 5 min I restarted server in safe mode and checked virus signature update folder. The problem directory was deleted. But 2 temporary folders were present. I deleted both temporary folders.
Server was restarted - the problem was fixed.

I think the problem was after low disk space on my server. Symantec tried to write file - got error. After this files were writen by system, but symantec update started to ovewrite files and got the problem. Files were protected by Symantec AV!