Endpoint Protection

  • 1.  Taskkill - Access Denied

    Posted Jul 15, 2016 03:58 PM

    We have a server running an app that has an uptime requirement of 24/7 with 1 scheduled monthly reboot.  The server is 2008 R2 Standard running 12.1.6 MP4 and has downloaded the files for MP5.  It was getting behind on Virus defs and we discovered that the defs were corrupt as there were multiple def folders so the app owner sought to follow the procedures to clear them out.  SMC got stuck in the stopping state however and, considering the requirements of the server, we sought a way to kill the process.  We tried the taskkill command on the PID of the SepMasterService and got access denied with standard command line, admin and domain admin.  As there is another week until this server is rebooted I would really appreciate it if anyone who has another way to go about killing the task might share it.  This would also definitely be useful elsewhere with the servers as app owners are understandably gun-shy of rebooting their servers.



  • 2.  RE: Taskkill - Access Denied

    Posted Jul 15, 2016 04:04 PM

    Seems to be hard-coded that it is impossible to kill that service. Even with tamper protection disabled, I still get access denied errors. The only way I've reliably found is a reboot, despite uptime requirements.



  • 3.  RE: Taskkill - Access Denied

    Posted Jul 15, 2016 05:36 PM

    They need to follow the steps outlined in the KB article mentioned below to resolve the issue:

    http://www.symantec.com/business/support/index?page=content&id=HOWTO59193

    Could you confirm if the customer has followed the above KB article?

    For now there are two suggestions that could possibly work in the current situation.

    1/ Customer needs to follow the KB article mentioned above to clear the corrupt virus definitions and restart the server in question.

    2/ They need to follow the above KB article and then try using the task kill utility with the switches mentioned below to see if the ccSvcHst.exe process could be gracefully killed. This utility should be available by default in the C:\Windows\System32 folder on the affected server.

    taskkill -F -IM ccSvcHst.exe

    Once the customer has followed the correct procedure to clear the corrupt virus definitions, the issue should not re-occur in future. However, if it does, we would be glad to investigate that further.

     

    Another solution is to set the service to disabled then reboot.