
SEP client on XP reporting wrong virus definition date / last scan + manual scans give "Error 536870915 occurred running scan"

Created: 23 Sep 2012 | 14 comments

Hi All,

I'm seeking some advice on this issue:

Our SEPM reports show ~2200 SEP Clients 11.0.7101.1056 (Win XP SP3) with virus definition 01/01/1970 and last scan as "never" since 21/09/201. They have been working fine for more than a year.

~1900 SEP Clients (Only in Win XP SP3) are still working OK and the issue does not appear in our Win 7 computers.

When I look at the SEP client interface, the status page shows all the latest definitions are present and the logs have records for all scheduled scans running normally.

However, if I go to "Help and Support" -> Troubleshooting -> Versions, the definitions table has only one line for "IPS serial Number". In a good client I normally find 4 other entries: Definitions Pattern, SyknAppS (twice) and COH. The same occurs if I export the troubleshooting data. So I believe it is the client side which is reporting the wrong information to the server.

Another interesting point is that these machines also give "Error 536870915 occurred running scan" if we try to start scans manually.

I've followed the recommendations from http://www.symantec.com/business/support/index?page=content&id=TECH166585, but there is no difference in permissions between the computers that are working and the ones with the problem.

I would appreciate any comment.

Regards,

Fernando

Ashish-Sharma

Definition Dates for Newly Installed Clients Are Displayed as 01/01/1970 in Certain Reports within the Symantec Endpoint Protection Manager (SEPM)

http://service1.symantec.com/SUPPORT/ent-security.nsf/2326c6a13572aeb788257363002b62aa/3995ce5bd2370567802575830059780a?OpenDocument

Error messages, instability, and silent failures when creating a scan on a client

http://www.symantec.com/business/support/index?page=content&id=TECH156020

Thanks In Advance

Ashish Sharma

Mithun Sanghavi

Hello,

In reference to the issue of "virus definition showing 01/01/1970 and last scan as "never" since 21/09/201", I would suggest you migrate SEPM and SEP clients from 11.0.7101.1056 to SEP 11.0.7200.1147.

Secondly, in reference to the issue: "Error 536870915 occurred running scan" 

Please Follow the Steps as below:

  1. Click on "Start"
  2. Click "Run"
  3. Type "regedit"
  4. Click on "OK" to see the Registry Editor Open.
  5. Scroll down to the Registry hive: HKEY_CURRENT_USER\Software\Symantec\Symantec Endpoint Protection
  6. Right click on Symantec Endpoint Protection Folder
  7. Click on Permissions
  8. Check if Administrators, SYSTEM and Network Service have Full Control Permissions.
  9. If these users do not exist, please add them and provide them with appropriate permissions
  10. Click on "Apply" and then "OK"
  11. Once done, close the Registry Editor.
  12. Restart the Symantec Management Client Services by:
    • Click on Start
    • Click on Run
    • Type smc -stop (this will stop the Symantec Management Client services and Symantec Endpoint Protection icon located in the System tray would disappear)
    • Type smc -start

Once the Symantec Endpoint Protection icon appears in the System tray again, we can open Symantec Endpoint Protection and try running the scan again.

Reference:

While running scan from Symantec EndPoint protection 11.0.7000 (RU7), receiving a Scan error "Error 536870915 occurred running scan"

http://www.symantec.com/docs/TECH166585

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.
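
The permission check from steps 5 to 8 of the post above, scripted so it can be run on many clients, as an added example that is not part of the original post or of Symantec's tooling. It only reads the ACL and changes nothing; the function name `Test-SepKeyAcl` is hypothetical, and the three principals are matched by their well-known SIDs.

```powershell
# Added example: read-only audit. Run it in the affected user's session,
# because HKEY_CURRENT_USER is a per-user hive.
$KeyPath = 'HKCU:\Software\Symantec\Symantec Endpoint Protection'

# Well-known SIDs, so the check also works on non-English Windows.
$Required = @{
    'S-1-5-32-544' = 'Administrators'
    'S-1-5-18'     = 'SYSTEM'
    'S-1-5-20'     = 'NETWORK SERVICE'
}

function Test-SepKeyAcl {
    param([string]$Path = $KeyPath)

    if (-not (Test-Path -Path $Path)) {
        Write-Warning "Key not found: $Path"
        return
    }

    # Explicit and inherited ACEs, with identities returned as SIDs.
    $acl   = Get-Acl -Path $Path
    $rules = $acl.GetAccessRules($true, $true,
                 [System.Security.Principal.SecurityIdentifier])
    $full  = [int][System.Security.AccessControl.RegistryRights]::FullControl

    foreach ($sid in $Required.Keys) {
        # An Allow ACE for this SID whose rights include every FullControl bit.
        # Deny ACEs and group membership are not evaluated here.
        $hit = $rules | Where-Object {
            $_.IdentityReference.Value -eq $sid -and
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.RegistryRights -band $full) -eq $full)
        }
        New-Object PSObject -Property @{
            Computer    = $env:COMPUTERNAME
            Principal   = $Required[$sid]
            Sid         = $sid
            FullControl = [bool]$hit
        }
    }
}

Test-SepKeyAcl | Format-Table Computer, Principal, Sid, FullControl -AutoSize
```

Comparing the output from a working client and a failing client shows quickly whether the ACL on this key differs between them.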

Fernando M

Hi Ashish and Mithun,

Thank you for your feedback. Unfortunately my issue seems to be different from the ones found in the links you sent to me, but I agree the symptoms are very similar.

I’ve checked the registry and ensured all permissions are corrected. I also deployed SEP 11.0.7200.1147 on the same computer and rebooted it, but still the same issue.

Any idea what we are missing here?

Cheers,

Fernando

Ashish-Sharma

Hi,

Try removing the SEP client using the CleanWipe tool and then reinstalling the SEP client; that may resolve your issue.

Thanks In Advance

Ashish Sharma

Fernando M

Hi,

I finally isolated the cause of the problem today, but do not have a quick fix for it.

I have discovered the problems appear after the XP computers received hotfix KB2744842-IE7 and rebooted. Unfortunately only removing the hotfix does not fix SEP. It is also necessary to reinstall the SEP clients.

We now have ~3000 XP computers that cannot manually scan and are reporting wrongly.

Regards,

Fernando

Fernando M

Hi Ashish,

Our SEPM is already 11.0.7200.1147 but the SEP clients are 11.0.7101.1056.

Two things I've discovered:

1) Only running the installation for SEP 11.0.7200.1147 does not fix the issue. However, if we uninstall 11.0.7101.1056, reboot, then install SEP 11.0.7200.1147 and reboot again, this brings SEP back to normal. I'm not happy to do it on ~3000 clients.

2) I have discovered the problems start after the XP computers received hotfix KB2722913-IE7 and rebooted.

This hotfix was replaced by KB2744842-IE7 later.

Regards,

Fernando

Ashish-Sharma

Hi,

Where SEP client 11.0.7200.1147 is installed, is the problem present or not?

Try removing the hotfix on two or three systems where the problem occurs, then check whether the problem is resolved or not.

Thanks In Advance

Ashish Sharma

Nguyen Cao

Hi Fernando,

I have the same problem as you. All XP clients are running 11.0.7101.1056 and cannot scan - Error 536870915 occurred running scan.

Besides, Auto-Protect and Tamper Protection in Status Summary also indicate that XP clients are OFF. Sharma also tried to help me on this, but there seems to be no hope.

Reinstalling the SEP client only works on XP clients for some days. After one week, 90% of XP clients get back to Error 536870915 occurred running scan.

I have submitted a ticket to Symantec Technical Support but no luck with the feedback.

Have you found out the root cause, Fernando?

Thanks in advance.

Fernando M

Hi Nguyen,

Your case seems consistent with ours. The workstations that we fixed by manually uninstalling and reinstalling the SEP clients also got the error back after a few days.

We also have a support case open, but no solution until now.

It’s very frustrating. At this point I’m looking to be able to migrate to version 12.1 and replace all the SEP clients by the end of the year. Unfortunately we need the promised 12.1 RU2 to be able to update from our present SEP11 implementation, and it has not been released yet.

If I get any solution I’ll post it here.

Cheers,

Fernando

Nguyen Cao

Thanks Fernando,

All the clients on which we reinstalled the SEP client got back exactly the same error, except one machine. Everything seems OK on that client, but that client has not downloaded virus definitions for 3 days.

It seems that all the test clients got that error back when getting a new virus definition on Oct 30th.

We are also thinking about migrating to SEP 12 if Symantec has no solution for this case.

Anything new I will post here too.

Nice weekend ^_^

Nguyen Cao

Simpson Homer

Solution

These problems occur if you do not have full administrative permissions to the following registry key:

HKEY_CURRENT_USER\Software\Symantec\Symantec Endpoint Protection

To solve the problem, make sure that you have full control access to this key.

Nguyen Cao

Hi Fernando,

How are things going at your site? We are planning to migrate the server to SEP 12.1 and deploy all clients with version 12.1 too. Hope that can fix the issue.

On Symantec's side, they are only checking, with more tools to run and logs to collect. No solution has been pointed out yet.

Anything new will be updated here.

Cheers!

Nguyen Cao