Endpoint Protection

  • 1.  XP Endpoint clients with frozen blue or black screens

    Posted Apr 30, 2009 03:57 PM
    Hello,

    I recently upgraded our 90 XP clients from Symantec AV 9 to Endpoint 11 (latest release).   Since then, I have been steadily receiving several reports each day of workstations that just display a black screen with the Windows XP logo.  Or, the user does not have that experience, but they log in, and instead see a blank blue screen with a frozen cursor.

    This has been happening for at least a week on at least 20 workstations, and has occurred more than once on some of the workstations, though it does not occur every day - it's intermittent.  I changed the AutoProtect setting to "Load AutoProtect when Symantec Endpoint starts."  This has made no difference.  I changed the scan frequency to once a week on Mondays at 1:30am (XP Automatic Update on the XP clients is set to run nightly at 3am) to be sure the scan is not occurring while Windows updates are downloading and installing.  Though maybe I should push that back to an even earlier time.

    Endpoint is running on a Windows 2003 Standard R2 Server.  Also running on that server is Webroot Spysweeper Enterprise, which was installed there along with Symantec AV 9 before the Endpoint upgrade. 

    We have a batch file that runs at startup which maps a few network drives on the workstations.  I did see the KB article 2008040712253648, though I'm not sure that would apply to us, as the batch file is not run through Active Directory.

    One clue is that an affected workstation seems to always report ESENT errors in the event log (see below).   I'm not sure if these are even related, but these aren't errors we usually see.

    When I called Symantec about this, the rep initially said to call Microsoft (after saying he had never heard of this issue before), with the idea that a specific MS update is to blame.  Looking at the error however, I'm wondering if Endpoint is somehow blocking access to files mentioned in the errors, which is interfering with an update.

    Event Type: Error
    Event Source: ESENT
    Event Category: General
    Event ID: 489
    Date: 4/29/2009
    Time: 7:09:18 AM
    User: N/A
    Computer: CMP71
    Description:
    wuauclt (9300) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log" for read only access failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ". The open file operation will fail with error -1032 (0xfffffbf8).

    Event Type: Error
    Event Source: ESENT
    Event Category: Logging/Recovery
    Event ID: 455
    Date: 4/29/2009
    Time: 7:09:18 AM
    User: N/A
    Computer: CMP71
    Description:
    wuaueng.dll (9300) SUS20ClientDataStore: Error -1032 (0xfffffbf8) occurred while opening logfile C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log.

    Any ideas?

    We are also getting many reports of Outlook slowness since the Endpoint upgrade - oy.  That's probably another thread though. 

    Thanks,

    Jamie
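Since the thread turns on those two ESENT records, here is an added Python example (not from the post, Symantec or Microsoft) that parses event records exported in that "Event Type: ..." text form and flags the 489/455 pair where the Windows Update DataStore log could not be opened because another process held it open. The sample input is the two records quoted above, embedded as constructed test data.

```python
import re
# Constructed sample: the two ESENT records quoted above, as Event Viewer copies them.
SAMPLE = r"""Event Type: Error
Event Source: ESENT
Event Category: General
Event ID: 489
Date: 4/29/2009
Time: 7:09:18 AM
User: N/A
Computer: CMP71
Description:
wuauclt (9300) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log" for read only access failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ". The open file operation will fail with error -1032 (0xfffffbf8).

Event Type: Error
Event Source: ESENT
Event Category: Logging/Recovery
Event ID: 455
Date: 4/29/2009
Time: 7:09:18 AM
User: N/A
Computer: CMP71
Description:
wuaueng.dll (9300) SUS20ClientDataStore: Error -1032 (0xfffffbf8) occurred while opening logfile C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log.
"""

def parse_events(text):
    """Each blank-line-separated record -> dict of 'Key: value' headers plus the text after 'Description:'."""
    events = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        head, _, desc = chunk.partition("Description:")
        ev = dict(re.findall(r"^([^:\n]+): ?(.*)$", head, re.M))
        ev["Description"] = " ".join(desc.split())   # collapse the wrapped description
        events.append(ev)
    return events

# -1032 is JET_errFileAccessDenied: ESENT could not open the store because a
# sharing violation (Win32 error 32) from another process blocked the open.
LOCK_RE = re.compile(r"system error 32 \(0x00000020\)|Error -1032 \(0xfffffbf8\)")
DATASTORE = r"SoftwareDistribution\DataStore"
def find_update_store_locks(events):
    """(computer, timestamp, event id, process) for each ESENT 489/455 record whose DataStore open hit a sharing violation."""
    hits = []
    for ev in events:
        d = ev.get("Description", "")
        if (ev.get("Event Source") == "ESENT" and ev.get("Event ID") in ("489", "455")
                and DATASTORE in d and LOCK_RE.search(d)):
            # description starts with the reporting module, e.g. "wuauclt (9300) ..."
            hits.append((ev["Computer"], ev["Date"] + " " + ev["Time"],
                         int(ev["Event ID"]), d.split(" ", 1)[0]))
    return hits
```

Two hits at the same timestamp from the same PID (489 then 455) are the signature of a single blocked open, which is what to correlate against the real-time scan log on the client.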






  • 2.  RE: XP Endpoint clients with frozen blue or black screens

    Posted Apr 30, 2009 04:12 PM
    The second error message you are receiving in relation to the DataStore is directly related to the WSUS (formerly known as SUS) server and its distributions.

    C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log is where Windows is cataloguing and reporting any errors in installations pulled from your SUS server.  I say SUS because you are still running version 2.0.  Just out of curiosity, why not upgrade to WSUS 3.0?

    The first error message you are receiving in relation to wuauclt is the machine's Windows Update Client.  Have you made any recent modifications to the Server or the GPO for pushing out updates?

    What I can think of here, is for some reason, you are having communication issues with the SUS server.  It has been a long time, but I cannot at this time recall the exact port numbers in use from the SUS server in relation to the new WSUS server.

    I am going to go out on a limb here and say you have installed NTP (Network Threat Protection) on the workstations and probably also on the SUS Server. 
    I would start by:
    A. Uninstalling NTP from the server or
    B. Identifying the port(s) in use on the SUS server and creating the appropriate Firewall rules.  This definitely seems to me like a communications timeout issue while trying to write to the database.

    For your clients that are logging in and receiving a "Blue Screen" but no desktop icons, etc.: this is because "Explorer.exe" is having a hard time loading up.  Most likely because the machine is processing tasks in the background, such as pulling down updates or trying to apply updates, which in turn may be being 'blocked' or 'scanned' while en route to the local machine. 

    If both sides have NTP and SEP installed, then the file is being scanned on the way out (from the server) and on the way in (to the client).  Should this be the case, and multiple machines are trying to access the same updates simultaneously, the strain on the server and the client, due to the slowness of the access, is causing most of your problems. 

    If I recall, this has been addressed and fixed by M$ with the Background Intelligent Transfer Service (or BITS) for WSUS 3.X.

    In a way, tech support may actually be correct.  Contacting M$ however may not yield any significant results... 

    I hope that helps.  I may be completely off.

    Apologies to Symantec for being completely out of scope (if applicable) in this thread.  Please post back.

    Cheers,

    Jason1222




  • 3.  RE: XP Endpoint clients with frozen blue or black screens

    Posted Apr 30, 2009 04:23 PM

    If WSUS is also running on the same server as SEPM, you would need to set SEPM to use a different port than 80 (8530 is the default custom port), or one will cancel out the other, as they both use a Contents directory.



  • 4.  RE: XP Endpoint clients with frozen blue or black screens

    Posted May 01, 2009 01:33 PM

    Hi Jason and SKlassen,

    Thanks for your replies.  We actually do not have a WSUS server - the XP clients download MS updates from MS directly through Automatic Updates.

    NTP is not installed on the Endpoint server, or on any of the servers.  I did install that on the clients, which I now regret.  I had the firewall policy disabled for the clients, but I did notice the clients still showed NTP to be "on."  I have been wondering if simply disabling the firewall policy for clients would completely disable it, or not.  In any case, I uninstalled and reinstalled Endpoint on a test group of clients this morning (reinstalling using just the "AntiVirus and Malware" setting).  I rebooted each client a few times, but have not seen the frozen screen issue yet, though it has been intermittent.

    I am noticing high paging file usage on the Endpoint server, and the OS on that server is now sluggish in general.  So when a user logs into the computer, how does the Endpoint client behave at that time?  Does the client check in with the Endpoint server at login/startup?  I wonder if our server is responding slowly, and if the client does communicate with the server at login, if a timeout issue might exist there.

    Webroot Spysweeper Enterprise (installed on all our clients) seems to run a quick sweep at login.  I changed that this morning to delay for a period of time instead of running right away. 

    In terms of Endpoint's malware protection - does that offer a pretty similar level of protection as something like SpySweeper?  I'm wondering if I should just do away with SpySweeper at this point.

    Thanks again,

    Jamie




  • 5.  RE: XP Endpoint clients with frozen blue or black screens

    Posted May 01, 2009 05:21 PM
    Hi Guys,

    Don't you think that this could be caused by Microsoft patches not being properly updated? With automatic updates it sometimes happens; I have faced some of these kinds of problems.