Symantec Critical System Protection on Altiris Win 2008 Ent R2 x64
Created: 17 Jan 2011 | 7 comments
Hi,
The SCSP version is 5.2.6.
After installing the SCSP agent onto an Altiris Win Server 2008 Ent R2 x64 (SQL role), the system hangs at "applying computer settings".
The SQL service is still running.
The console for Altiris starts to be slow.
Has anyone faced this problem?
Or
Installing SCSP agent onto Server 2008 R2 x64
Thanks in Advance
Comments
Is this message from after installing and the reboot? Are you using IPS? Is prevention enabled?
Can we get the install logs for troubleshooting?
How to collect information from Symantec Critical System Protection (SCSP) Agents.
http://www.symantec.com/business/support/index?pag...
Regards,
Thomas
Yes. It happens after installing and reboot. Not sure if IPS is enabled.
No install logs, as I reverted to last known config and uninstalled the agent.
I cannot open your link.
Not sure why the link does not work for you. Here are the contents of the page -
Problem
Solution
To collect agent information, run the agent collect information script. This script is installed with the SCSP agent package and can be run from the agent system or the management console.
Running the collect info script from a Windows agent system:
- Log on to a Windows agent computer.
- Click Start > Programs > Symantec Critical System Protection > Collect Agent Info.
Running the collect info script from a UNIX agent system:
- Log on to a UNIX agent computer.
- Navigate to the following directory: /opt/Symantec/scspagent/IPS/tools/
- At a command prompt, type and run the following command: # ./getagentinfo.sh
Running the collect info script from the management console:
- Log on to the management console as an administrator.
- In the management console, in the Detection view, on the Policies page, in the Workspace pane, edit the CSP_Agent_Diagnostics policy.
- Enable Select a function to run on the agent, and then click Select a function.
- In the Value box, select Run the collect info script.
- Click OK to save the policy changes.
- Apply the policy to the agent. The policy runs the collect info script immediately after being applied to the agent.
- In the management console, monitor the events on the Monitors page to determine if the collect info output file was uploaded to the management server. Look for management events of type Agent Status. The event message contains the name of the collect info output file.
- Clear the policy from the agent (Right click the agent under the Assets tab of the Detection View and select clear policy).
- Log on to the management server to get the collect info output file. Get the collect info output file from the server directory: C:\Program Files\Symantec\Critical System Protection\Server\logfiles\\\
To collect information on a Windows agent computer, you can run the collect info script directly from the agent computer.
You see the following messages:
Collecting Install Logs...
Collecting Event Logs...
Collecting System Info...
Collecting Registry Info...
Collecting IPS Service Settings...
Collecting IDS Service Logs and Settings...
Collecting Logs...
Collecting IPS Driver Settings...
Collecting SCSP Environment Settings...
Zipping Info...
Cleaning Up...
*** Please send the ZIP file:
*** D:\Temp\20060720_133411_001_CW_MACHINENAME.zip
*** to Symantec support
Press any key to continue...
Running the collect info script from a UNIX agent system:
To collect information on a Solaris, Linux, AIX, HP-UX, or Tru64 agent computer, you can run the agent collect info script directly from the agent computer.
You see the following messages:
Collecting Install Logs...
Collecting System Info...
Collecting syslog Files...
Collecting System Startup Info...
Collecting SCSP Logs...
Collecting SCSP IPS Configuration Settings...
Collecting SCSP IDS Configuration Settings...
Zipping Info...
Cleaning Up...
*** Please send the Info File:
*** /tmp/20060720_133411_001_CW_MACHINENAME.tar.Z
*** to Symantec
Press any key to continue...
Running the collect info script from the management console:
To collect information about a Windows or UNIX agent computer to which you do not have login access, you use the CSP_Agent_Diagnostics detection policy. A version of the policy is available for Windows and UNIX agents.
See the Symantec Critical System Protection Detection Policy Reference Guide for information about the CSP_Agent_Diagnostics policy.
References
SCSP Admin guide
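The UNIX collection run described in the article above, as an added example that is not part of the original thread or of Symantec's tooling: shell functions that check a saved `getagentinfo.sh` transcript for every stage message listed on this page and extract the archive path to send. The function names and the constructed sample transcript are assumptions; the message strings are the ones quoted on this page.

```shell
#!/bin/sh
# Stage messages a complete UNIX collect-info run prints (from this page).
SCSP_UNIX_STAGES='Collecting Install Logs
Collecting System Info
Collecting syslog Files
Collecting System Startup Info
Collecting SCSP Logs
Collecting SCSP IPS Configuration Settings
Collecting SCSP IDS Configuration Settings
Zipping Info
Cleaning Up'

# Constructed sample transcript (hypothetical helper, for offline use).
scsp_sample_transcript() {
    printf '%s\n' "$SCSP_UNIX_STAGES" | sed 's/$/.../'
    printf '%s\n' '*** Please send the Info File:' \
        '*** /tmp/20060720_133411_001_CW_MACHINENAME.tar.Z' \
        '*** to Symantec' 'Press any key to continue...'
}

# Print the archive path announced after "*** Please send" (stdin).
scsp_bundle_path() {
    awk '
        /^\*\*\* Please send/ { want = 1; next }
        want && /^\*\*\* to Symantec/ { exit }
        want && /^\*\*\* / { sub(/^\*\*\* +/, ""); sub(/[ \t\r]+$/, ""); print; exit }
    '
}

# Print each expected stage that never appears in transcript file $1.
scsp_missing_stages() {
    printf '%s\n' "$SCSP_UNIX_STAGES" | while IFS= read -r stage; do
        grep -qF -- "$stage..." "$1" || printf '%s\n' "$stage"
    done
}

# Succeed and print the archive path only if the run looks complete.
scsp_check_transcript() {
    missing=$(scsp_missing_stages "$1")
    bundle=$(scsp_bundle_path < "$1")
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing" | sed 's/^/missing stage: /' >&2
        return 1
    fi
    [ -n "$bundle" ] || { echo 'no archive path in transcript' >&2; return 2; }
    printf '%s\n' "$bundle"
}

if [ "$#" -gt 0 ]; then scsp_check_transcript "$1"; fi
```

Save the script's terminal output to a file (for example with `script` or `tee`) and pass that file as the first argument; a run that stalled partway reports the stages it never reached.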
Additional troubleshooting
Because you are going to last known config and uninstalling, it seems as if the kernel-mode driver is hanging the system on boot (it starts very near PID0 INIT to thwart rootkits).
On install of the agent, choose to disable the IPS driver (it's a checkbox in the wizard on manual install; do not perform a silent install on this instance). Double-check the driver has been disabled by going to a command prompt, navigating to and running <csp install root>\agent\IPS\tools\bin\sisipsconfig.exe -v
IPS should show disabled.
Reboot the system - see if you are having the same issue. This will narrow it down to an actual IPS driver issue. From there we can go into gathering the getagentinfo as well as other troubleshooting steps.
Some items to look into further.
1. What other kernel-mode applications are running on the system? Are you running any other forms of AV that may be interfering? Are you running another host security program, such as Bitdefender or other products such as several from McAfee?
2. If you have IPS enabled, and you have a default policy that the install is forcing the agent to, is that policy too restrictive causing the machine to hang? Ensure the null policy is being used in this case.
Will give it a try when I can.
Thanks
Hey Crisracker
Was there any policy pushed to that agent? Or was the agent still on Null_Policy when it happened?
Regards
Vick
Hi,
Have not had much time to test. But previously no policy had been pushed down. It happened after agent installation.