Endpoint Protection

Hi there,

First post here, so hi to all.  I could find plenty of issues with SEP11 crashing XP machines while searching on these forums, but none of them relate to MR4.  I'll summerise as best possible...

I'm trialling SEP11 MR4 (11.0.4000.2295) to a 70 strong IT team here with a mind to roll out to in excess of 1000 users Firm wide.  As it's a trial, I want it to be right and although I'm having ad-hoc issues with some machines that can be corrected, this is the only one that really worries me at the moment.

We currently maintain a lacklustre SAV10 environment and each install removes this and overwrites with SEP11.  Only the AV and Spyware function are being installed.

All machines are of the same stock.  i.e. run the same XP build with the odd piece of additional software over the top of it.

The machine with the issue (currently, there is only one) is a Dell GX520 with 1GB of RAM running XP SP2.

SEP11 installs with no issues.  That is, pushed from the server or installed manually.  I've tried both methods having time to totally remove and reinstall (the problem still occurs).

Each time a Administrator Defined scan is run on the machine (timed or ad-hoc sent via a command from the management console) the entire XP explorer dies with ghosting effects on all windows, icons disappearing and reappearing, text missing from windows etc.  You get the idea.  Not one part of the machine continues to function, not even the Task Manager or SEP11 itself is savable.  Each time this happens we have to force the machine off and on again where it will be fine until the next scan.  I've managed to rescue it once by killing all applications (eventually) and re-starting explorer, but I got lucky.  It still crashes before any applications have been opened.

This isn't a case of performance impact, it's totally killing XP.

Oddly enough, if I run a scan from the client machine, it runs though fine.  The problem only arises when the command to scan is sent to the machine from the management console.

Any ideas or help would be very much appreciated before I go any further with this epic roll out!

Thanks,

Andy

Practically  

Can you enable debugging for SMC and Rtvscan on the client? Relicate the issue, then collect and post the logs here when done.

http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008122313093748

Thomas

Ed - moved reply to correct post

Thank you. I've edited my original message and attached the log files as you have specified.

In order to create these logs, I logged into the machine, loaded no applications and then kicked off a scan on the client from the management console. When it killed explorer I was lucky(!) enough to make out a Application Error for msiosrv.exe and then when ok'ed, one for explorer.exe. Before I could ok the explorer.exe error, the PC restarted itself.

When the PC restarted, I took copies of the logs as you see them before turning off debugging.

Do let me know if you see anything in the logs (it makes little sense to me at this stage I'm afraid).

Happy to grab some more info and do further testing if need be.

Andy

Looking at your log everything appears normal.  The msiosrv.exe error may be caused be a product called Devicewall . Can you confirm that is running on your system?

The software does application and device control. This is something that our software can do as well, so it should not be installed on the same systems as our software.

If you are not using Devicewall then I recommend you open a case with Symantec.

Regards,
Thomas

This is very helpful.  Thank you.

When removing DeviceWall, the Admin Defined Scan runs though with no issues.  Reinstalling it from afresh breaks it again.

My issue now is:

Why does this not affect in excess of 30-40 other users (all of which have DeviceWall installed).

The Application control element of SEP is not installed or active so surely this should not really be the cause.  Famous last words.

I will test:

Omitting the DeviceWall related files and processes from the scan.

Thanks again.

I am not sure why the other 30-40 users are not seeing this issue. Are all the clients running with the same MS patches? Are you running the same versions of DeviceWall on all the systems?

mancalledsun,

Can you give us an update? Be sure to mark this thread solved once you have a resolution.

Thanks, Thomas

Sorry for the delay.  Been tied up with other issues for some time.

All core Device Wall files have now been excluded from the scan.  The Application Contol policy has also been disabled (even though none of the features were installed or active within the policy in any case).

Guess what, it's still killing the machine.

There's a few errrors in the log relating to failed scans within archived items in the Temp folder.

Next tests will be to:

1) clear down all temp files

2) try MR4 MP2 (which I have packaged ready)

I'll let you know.

mancalledSun,

Are you seeing issues with the MR4 MP2 build? If so, you may want to open a case with Symantec support.

Thomas

Turns out it was a 3rd party piece of software called Devicewall that was causing this.  Support on the Centennial website (makers of Devicewall) have a fix for this - relates to the machine rapidly running out of paged memory during scanning etc.

SAV/SEP is not the cause of the issue.