
SEP rolls back install

Created: 01 May 2013 | 19 comments

I have a remote client that was not connecting to the SEPM server. I removed the client and tried reinstalling, but the silent installer was hanging and would not complete. I created a new interactive installer and copied it to his system, and when running that it starts to write to the registry and then starts rolling back the install. I've tried installing in multiple user accounts. I performed the cleanwipe on the system to verify that all old files are removed, but it fails at the same point.

I have included the SEP_INST.LOG.

Any assistance would be appreciated.


James007's picture

Hi,

Action ended 11:15:25: ExecuteAction. Return value 3

SEP client install rollback. SEP_inst.log show "InstallFinalize. Return Value 3"

Article:TECH153687 | Created: 2011-02-18 | Updated: 2011-03-03 | Article URL http://www.symantec.com/docs/TECH153687

j.durlewanger's picture

I do not find any of the errors listed in that tech article which turn the value 3 as an install finalize. I don't think this relates to the issue I am having.

Brɨan's picture

Found this:

CustomAction ShowServiceProgress returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
Action ended 11:02:45: InstallFinalize. Return value 3.

These can be tricky as there could be multiple fixes which may work

What is the OS of the affected machine? Is this an upgrade over an older version?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

j.durlewanger's picture

The original problem was that the client was updating but not showing as connected to the manager. So I tried updating the client from the manager and that did not work.

This is a Windows 7 64-bit client.

W007's picture

Hello,

If the SEP client is showing offline in the SEPM console, it's fixed in SEP 12.1.2 MP1.

Clients report to the Symantec Endpoint Protection Manager as offline, even though they are online
Fix ID: 3002170
Symptom: Clients will randomly report into the Symantec Endpoint Protection Manager as offline, even though they are actively online and available.
Solution: Updated the client USN management to properly update the client status in the Symantec Endpoint Protection Manager reports.
 

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

j.durlewanger's picture

The manager was showing the client as online. The problem was the client was not showing as connected to the management point and was stating the virus definitions were out of date even though they were current.

Ch@gGynelL_12's picture

Try to replace and update the Sylink.xml of your Client. This will refresh the communication settings of your client to Manager.

Regards,

JM

j.durlewanger's picture

The client is not installed due to an error message.

Mithun Sanghavi's picture

Hello,

Upon checking the logs, we see the following errors:

ScriptGen: ShowServiceProgress() script execution failed.
ScriptGen: ShowServiceProgress() reset script failure event.
ScriptGen: ShowServiceProgress() is returning an error (so close to the end!)
CustomAction ShowServiceProgress returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
Action ended 11:02:45: InstallFinalize. Return value 3.
MSI (s) (94:44) [11:02:45:532]: User policy value 'DisableRollback' is 0
MSI (s) (94:44) [11:02:45:532]: Machine policy value 'DisableRollback' is 0

To check the root cause, I would require the SIS_INST.log as well... 

By that time, I would recommend you to -

1) Turn off the UAC from the client machine, restart the client machine

2) Install the unmanaged SEP client from the DVD of SEP 12.1 on the client machine.

Symantec_Endpoint_Protection_12.1.2_Part1_Installation_EN\SEP\setup.exe

Install the AV/AS feature only

OR / AND

Deploy a client install package with "Remove all previous logs and policies, and reset the client-server communications settings".

http://www.symantec.com/docs/TECH165801

and check if that is getting installed.

Secondly, check these threads, which refer to the same issue -

https://www-secure.symantec.com/connect/forums/unable-install-sep-1212-windows-7-32-bit

https://www-secure.symantec.com/connect/forums/sep-121-client-installation-failure

https://www-secure.symantec.com/connect/forums/wizard-was-interrupted-symantec-endpoint-protection-could-be-completely-installed-1

Hope that helps!!

Mithun Sanghavi
Associate Security Architect

MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

j.durlewanger's picture

I cannot find this sis_inst.log. I can only find the sep_inst.log. Can you tell me where it would be located?

I attempted the other steps as well and still have not come to resolution.

KIENSKY-AICT's picture

I also installed a package for SEP 10 clients and also back.
I've used a number of ways, and the machine has finished installing.
You can use the SAV10 NoAV.bat in full to delete the entire package to install the symantec.
Then run to Cleanwipe.exe. Reboot the workstation and install SEP proceed.
please send to my mail address to get Nova.bat Tool and Cleanwipe
Wish you success.

j.durlewanger's picture

This looks like a phishing message. Can an admin remove it?

KIENSKY-AICT's picture

Hi J.durlewanger

Why do you say so?
I have good intentions to help people.
And if you've never done to install SAV version 10 you do not know NoAv.bat file to delete all the symantec install.
You are really unprofessional.

j.durlewanger's picture

Excuse me? You've been a member for 6 hours and all your posts say almost the exact same thing on different threads. You are very suspicious.

James007's picture

You can find C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.201.3937.105\Data\Install\Logs\SIS_INST.LOG.

What logs do I need to gather in order to troubleshoot a failed SEP 12.1 client installation?
Article:TECH164067  |  Created: 2011-07-06  |  Updated: 2013-02-28  |  Article URL http://www.symantec.com/docs/TECH164067

AJ_01's picture
Symantec Endpoint Protection 12.1 client install rolls back, returning 1603
Article:TECH170259  |  Created: 2011-09-23  |  Updated: 2011-12-07  |  Article URL http://www.symantec.com/docs/TECH170259
Symantec Endpoint Protection (SEP) Client installation fails on LUCHECK 206
Article:TECH122691  |  Created: 2010-01-25  |  Updated: 2011-06-30  |  Article URL http://www.symantec.com/docs/TECH122691

Regards

AJ

j.durlewanger's picture

I found the sis_inst.log.

Attachment: SIS_INST.txt (10.37 MB)

Rafeeq's picture

Hi, this should fix the issue. Similar error, try this:

I raised a ticket with Symantec and together we solved the problem.

The first step was to examine the file C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.XXXX\Data\Install\Logs\SIS_INST.LOG

Where I identified the following event:

2013-05-13T18:59:47.741Z INFO  I SIS    Executing action ( 2485 ) - CreateRegistryValue  currentPosition: 1170366
2013-05-13T18:59:47.747Z INFO  I SIS      KEY_NAME=[SYSTEM\CurrentControlSet\services\WinDefend]
2013-05-13T18:59:47.747Z INFO  I SIS      VALUE_NAME=[Start]
2013-05-13T18:59:47.747Z DEBUG I SIS      VALUE_TYPE=[DWORD]
2013-05-13T18:59:47.747Z DEBUG I SIS      VALUE_DATA=[4]
2013-05-13T18:59:47.754Z ERROR I SIS      ZwSetValueKey() failed in thal::RegistryWriteValue()   status: 0xC0000022 = {Access Denied}  A process has requested access to an object, but has not been granted those access rights.  
2013-05-13T18:59:47.754Z ERROR I SIS      RegistryWriteValue() failed. 0xC0000022 = {Access Denied}  A process has requested access to an object, but has not been granted those access rights.  
2013-05-13T18:59:47.754Z ERROR I SIS         
2013-05-13T18:59:47.754Z ERROR I SIS        Dumping action parameters from the script:
2013-05-13T18:59:47.754Z ERROR I SIS          ValueType=[dword]
2013-05-13T18:59:47.754Z ERROR I SIS          ValueData=[4]
2013-05-13T18:59:47.754Z ERROR I SIS          ValueName=[Start]
2013-05-13T18:59:47.754Z ERROR I SIS          Exists=[Overwrite]
2013-05-13T18:59:47.754Z ERROR I SIS          WOW64=[Default]
2013-05-13T18:59:47.754Z ERROR I SIS          Key=[HKLM\SYSTEM\CurrentControlSet\services\WinDefend]
2013-05-13T18:59:47.754Z INFO  I SIS        ExecuteScript() - Successfully set failure event.
2013-05-13T18:59:47.755Z INFO  I SIS    ExecuteScript() returning ACTION_FAILED_WITH_ROLLBACK
 

Showing that there was a problem disabling Windows Defender.

Further troubleshooting showed that Windows Defender was corrupt and couldn't start. I resolved this by uninstalling Microsoft Security Essentials. Once Windows Defender was able to start again, I was able to install Symantec (which disables Windows Defender).
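
The search described in the last post (finding which installer action logged an error before ACTION_FAILED_WITH_ROLLBACK) can be scripted for a 10 MB SIS_INST.LOG. This is an added example, not code from the thread or from Symantec; the function name is hypothetical, the sample log is constructed, and it assumes every line follows the layout of the excerpt quoted above.

```python
import re
import sys

# Constructed sample modelled on the SIS_INST.LOG excerpt in the post above;
# action 2484 and its key are invented so there is a passing action to skip.
SAMPLE_LOG = r"""
2013-05-13T18:59:47.700Z INFO  I SIS    Executing action ( 2484 ) - CreateRegistryValue  currentPosition: 1170300
2013-05-13T18:59:47.701Z INFO  I SIS      KEY_NAME=[SOFTWARE\Constructed\Example]
2013-05-13T18:59:47.741Z INFO  I SIS    Executing action ( 2485 ) - CreateRegistryValue  currentPosition: 1170366
2013-05-13T18:59:47.747Z INFO  I SIS      KEY_NAME=[SYSTEM\CurrentControlSet\services\WinDefend]
2013-05-13T18:59:47.747Z INFO  I SIS      VALUE_NAME=[Start]
2013-05-13T18:59:47.747Z DEBUG I SIS      VALUE_DATA=[4]
2013-05-13T18:59:47.754Z ERROR I SIS      ZwSetValueKey() failed in thal::RegistryWriteValue()   status: 0xC0000022 = {Access Denied}
2013-05-13T18:59:47.754Z ERROR I SIS      RegistryWriteValue() failed. 0xC0000022 = {Access Denied}
2013-05-13T18:59:47.755Z INFO  I SIS    ExecuteScript() returning ACTION_FAILED_WITH_ROLLBACK
"""

ACTION = re.compile(r"Executing action \( (\d+) \) - (\w+)")
PARAM = re.compile(r"\b([A-Z_]+)=\[(.*?)\]")
STATUS = re.compile(r"\b(0x[0-9A-Fa-f]{8}) = \{([^}]*)\}")

def find_rollback_causes(text):
    """Return the last action that logged an ERROR before each rollback line."""
    causes, current, failed = [], None, None
    for line in text.splitlines():
        parts = line.split(None, 4)  # timestamp, level, "I", "SIS", message
        if len(parts) < 5:
            continue
        ts, level, msg = parts[0], parts[1], parts[4]
        m = ACTION.search(msg)
        if m:  # a new action starts; parameters and errors that follow belong to it
            current = {"id": int(m.group(1)), "type": m.group(2), "time": ts, "params": {}, "status": None}
        elif "ACTION_FAILED_WITH_ROLLBACK" in msg:
            if failed:
                causes.append(failed)
            current = failed = None
        elif current is not None and level == "ERROR":
            failed = current  # remember the action that was running when the error hit
            s = STATUS.search(msg)
            if s and current["status"] is None:
                current["status"] = (s.group(1), s.group(2))  # first NTSTATUS seen
        elif current is not None:
            current["params"].update(PARAM.findall(msg))  # KEY_NAME, VALUE_NAME, ...
    return causes

if __name__ == "__main__":
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for c in find_rollback_causes(text):
        print(c)
```

Run with the path to a SIS_INST.LOG as the only argument; with no argument it parses the constructed sample and reports action 2485 on the WinDefend key.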