
SEP SBS Eating my EXE Files

Created: 09 Dec 2012 | 32 comments
networkn's picture

Hi There!

We have a really strange issue with our SEP SBS whereby we are seeing that if we copy .exe files to a share on the network or a mapped drive, that exe file shows up on the server for about 1 second and then gets removed! Rebooting the server fixes it. If we uninstall SEP the problem goes away!

We are running SEP SBS 12.1.

 

Anyone else seeing this?

 


pete_4u2002's picture

Is there any risk log associated with it?

Check the application event logs.

Mithun Sanghavi's picture

Hello,

What OS is running on these client machines?

What version of SEP SBE 12.1 is running? Make sure you are running the latest SEP 12.1 RU2 version on the machine.

What happens if you only uninstall NTP Feature from the SEP under Add / Remove programs?

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

.Brian's picture

Did you go through the logs in the SEP client?

Is this any exe?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

networkn's picture

Windows 7 on the client side x64. No Client side AV so it must be a server side issue. No logs to check on the client side.

 

Nothing I can see anywhere in the logs for Server side. 

 

Any EXE does it. Also you can't rename a .txt file a .exe as it gives access denied!
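
A way to reproduce and timestamp the two symptoms reported above (a copied .exe vanishing after about a second, and a .txt to .exe rename being refused), as an added example that is not part of any poster's message and is not Symantec tooling. The function name `probe_share` and the probe file names are assumptions; run it from a workstation with the share or mapped drive as the argument, then line up `vanished_at` with the server's SEP and Windows logs.

```python
import datetime
import os
import sys
import time
import uuid

def probe_share(target_dir, watch_seconds=10.0, interval=0.25):
    """Drop a harmless .exe-named file in target_dir and report what happens to it."""
    stem = os.path.join(target_dir, "probe_" + uuid.uuid4().hex[:8])
    exe, txt, renamed = stem + ".exe", stem + ".txt", stem + "_renamed.exe"
    result = {"exe_written": None, "vanished_after": None,
              "vanished_at": None, "rename_txt_to_exe": None}
    # Symptom 1: a new .exe appears on the share, then is removed.
    try:
        with open(exe, "wb") as fh:
            fh.write(b"constructed test content, not an executable\n")
        result["exe_written"] = "ok"
        start = time.monotonic()
        while time.monotonic() - start < watch_seconds:
            if not os.path.exists(exe):
                result["vanished_after"] = round(time.monotonic() - start, 2)
                # Wall-clock time, for lining up against server-side logs.
                result["vanished_at"] = datetime.datetime.now().isoformat(timespec="seconds")
                break
            time.sleep(interval)
    except OSError as exc:
        result["exe_written"] = "failed: " + (exc.strerror or str(exc))
    # Symptom 2: renaming a .txt to .exe is refused with access denied.
    try:
        with open(txt, "w") as fh:
            fh.write("constructed test content\n")
        os.rename(txt, renamed)
        result["rename_txt_to_exe"] = "ok"
    except OSError as exc:
        result["rename_txt_to_exe"] = "failed: " + (exc.strerror or str(exc))
    # Remove whatever is left so the share stays clean.
    for path in (exe, txt, renamed):
        try:
            os.remove(path)
        except OSError:
            pass
    return result

if __name__ == "__main__":
    # Usage: python probe.py <path to the share or mapped drive>
    print(probe_share(sys.argv[1]))
```

Running the same probe locally on the server and again over the network separates the local-copy case (reported as working) from the remote-copy case (reported as failing).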

.Brian's picture

Are you using an application control policy? Sounds very odd...


sandra.g's picture

If it's Small Business Edition, it won't have Application & Device Control.

sandra

Symantec, Senior Information Developer
Enterprise Security, Mobility, and Management - Endpoint Protection

Don't forget to mark your thread as 'solved' with the answer that best helps you!

pete_4u2002's picture

Check the application event viewer. On the client side, do you see anything in the SEP logs related to this incident?

networkn's picture

Client side there won't be anything as there is no SEP logs as I don't have SEP on the client side. 

 

pete_4u2002's picture

on the server locally can you copy the file from one location to another?

 

networkn's picture

Yes that works fine. Also pulling files from a workstation from the server is ok too!

Ashish-Sharma's picture

Hi,

What happened when you disabled the SEP NTP feature?

Thanks In Advance

Ashish Sharma

 

 

Ashish-Sharma's picture

Hi,

What SEP features do you have installed?

Disable:

SEP client -> Network Threat Protection -> Option -> Disable Network Threat Protection

Thanks In Advance

Ashish Sharma

 

 

networkn's picture

Well, it appears it's already off so it's not that. If I remove SEP SBS from prior memory it works ok, reinstall works for a short while and starts eating my exe files again. I can't find any logs that reference it etc. It's so odd.

 

Mithun Sanghavi's picture

Hello,

Could you try uninstalling the NTP protection from Add / Remove Programs by:

1) Under Control Panel, click on Programs and Features.

2) Highlight Symantec Endpoint Protection and click on Change

3) Click on Modify and click on Next

4) Click on "Basic Virus and Spyware Protection" and click on Next

5) Click on Next again.

6) Click on Finish

This would install only AV/ AS with PTP feature on the machine. Restart the server machine and check if that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3


networkn's picture

Mithun: I tried this; it told me the installation was interrupted.

I have 12.1 RU1 MP1. Can I upgrade right to 12.1.2 in 1 step?

 

I see SBE 2013 mentioned in file connect is that immediately pending release?

Mithun Sanghavi's picture

Hello,

SEP SBE 2013 is different from SEP SBE 12.1 RU2.

Symantec Endpoint Protection Small Business Edition 2013 is a truly Cloud-managed solution.

Do you see SEP SBE 12.1 RU2 OR SEP SBE 12.1.2?

Check this - 

https://www-secure.symantec.com/connect/articles/latest-symantec-endpoint-protection-releases-sep-121-ru2-and-sep-110-ru7-mp3

If yes, please try Migrating to SEP SBE 12.1.2

 

Please Note: If in case you do not see the SEP 12.1 RU2 Release on Fileconnect, you may like to try contacting the Symantec Licensing Department and they may provide you with the Temporary Serial number, with which you could download the Latest SEP 12.1 RU2 version.

http://www.symantec.com/business/products/licensing/index.jsp

Website: http://symantec.custhelp.com

Phone number: 1-800-721-3934

Email: license@symantec.com

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3


sandra.g's picture

"Client side there won't be anything as there is no SEP logs as I don't have SEP on the client side."

But SEP is installed on the server from where the file is disappearing, correct? You mentioned uninstalling SEP makes the problem go away. Servers and workstations are both considered 'SEP clients'. If SEP is installed on the server onto which the shared drive / network drive resides (and from where .exe files are disappearing), that's the 'client' whose SEP logs you should examine.

Edit to add: Looks like you've already been looking at the logs--my apologies. Anything in the Windows logs? Which OS?

This is very strange and I can't find anything else like it in our KB.

sandra

Symantec, Senior Information Developer
Enterprise Security, Mobility, and Management - Endpoint Protection


AcelaHSR's picture

Running SEPM Enterprise Edition

SEPM's are Server 2008 R2 Standard- fail over load balanced setup with SQL2008-  

Starting yesterday, we saw same issue on a Windows Storage Server 2008 R2 running a 12.1.1000.157 SEP client-   .exe files placed in a shared folder would be there for a few seconds and then disappear.

Turned off Auto Protect by Policy and killed Tamper Protection - same result.  Nothing in quarantine; nothing in Risk logs.

Not related to Network Threat Protection as only AV/ASpyware loaded- Download Insight disabled by Policy.   

Ended up removing SEP AV/AS via Programs and Features modify-  problem went away.  Server however needs protection. 

Will restart and load an RU2 client tonight since I recently updated my SEPM's to 12.1.2015.2015 and see what happens.   This machine had been running fine with no complaints and this issue was very odd.

 

gnfoster's picture

AcelaHSR,

I have had the same issue for several weeks.  Any ideas yet?

I cannot copy .exe files into ANY directory on the shared server drive.

This is especially a pain since "My Documents" and every other file storage directory is located there...

Have made no changes to any settings myself.  It just started doing this on its own or by some update.

 

Neil Foster

C&H Audio Visual Services, Inc. www.chavs.net

 

LWARNER's picture

Same here.  Just noticed this behavior.  Can't copy any files across the network to any shared drive on any 2008R2 server running SEP.  Locally works fine.

BigAnvil's picture

Same behavior here.  The interesting thing is that it just started happening between Tuesday and Thursday of last week, and only on one server.

I'm the AV admin here and I didn't install any client updates or SEPM updates, yet any exe files copied remotely from another machine to a share on the server disappear.  In addition to that information, I am able to copy the same file from the same user's computer to the same share on the server, and it doesn't disappear.

I disabled all AV features on the client and it didn't fix it.  Uninstalling the SEP client is the only thing that fixed it.

BigAnvil's picture

This problem was restricted to a single server but is now happening on a second server with SEP installed.  Both servers had SEP 12.1 RU2.  Nothing in any of the SEP client logs and nothing in the Windows Event Viewer logs either.  The client is set to issue a pop-up notification if a file is quarantined - there are no pop-ups when the file disappears and this is a known safe file.

Anyone?

.Brian's picture

Open a support case.


BigAnvil's picture

Yes, thanks for the advice.  I frequently have a support case open while also posting in the appropriate forums since the typical scenario is:  call outsourced (or whatever you want to call it these days) "scripted" support until you stump "scripted" support long enough for them to justify kicking it up the ladder to someone who knows enough to find the root cause.  Usually takes close to a week before that even happens.

If only the Endpoint Protection support was as good as it is for Enterprise Vault.

BigAnvil's picture

So I just received a call from support.  The nice lady asked for my phone number in case we were disconnected (never mind that she called me and has the number), as well as my email (never mind that this information is clearly in the support case notes she has in front of her).  She then asked what operating system was installed on the clients, and what version of the Endpoint Manager is installed on the server, and how many clients we have (which is not at all relevant to the issue) - oh, and not how many clients are affected by the issue, just how many clients in total.

As I explained the problem from the beginning in detail, she asked me if these are clients or servers.  When I explained that the computers with the problem are Endpoint Protection clients that run Windows Server 2008 R2 she seemed to become totally lost.  She asked me three different ways if the computers were clients or servers, and I kept explaining again in different ways until I finally hung up.

In all seriousness, Symantec... you really expect me, when I have many other things to work on, to endure level one support from someone who, if they can't follow me on the basics, has no chance to help me find the cause of the problem?  I'm actually being nice about the situation.  This kind of support is a travesty and this is what we pay additional support costs for?

So, with all due respect Brian 81, I would rather scream my problem in the forums and hope for someone with intelligent input to assist me than waste my time and breath speaking with someone who does not have the capacity to provide support for this issue.  I'm not being rude, I'm being realistic.

.Brian's picture

That's fine, I only suggested it as I didn't know you had already opened one.

BigAnvil's picture

Decided to try downloading SEP 12.1.2 RU2 MP1 (12.1.2100.2093) released mid-April.  Have upgraded the SEPM server and pushed out an updated package to one of the problem clients and will post an update here once I've had a chance to restart the client.

BigAnvil's picture

Since I have read in other posts that restarting the client server can temporarily resolve the issue, it's difficult to say whether it is completely resolved or not but, things have been fine since upgrading both servers to the latest 12.1.2100.2093 endpoint client.

 

BigAnvil's picture

If anyone is still following this thread, the issue has NOT returned since removing the SEP client from the servers that were affected and installing 10.1.2100.2093.

.Brian's picture

Did support ever get back to you on this?


BigAnvil's picture

Brian81,

The short version is, yes.  Support tried to contact me about the case but I was "forced" to ignore them.  I am somewhat convinced that first level support is intentionally bad to drive support calls away.  I gave up because, without any exaggeration, the person who took my case could not understand my answers to her basic questions and continued to ask me the same questions for which I had already given very clear answers.

This pattern continued for fifteen minutes until I simply hung up on them.  Providing script-reading first level support to the Enterprise community is a bit without excuse to me.  As soon as I hung up I checked to see if a newer version of the client existed, when I found one I figured I would venture on myself.