Endpoint Protection

I've had two Windows 7 clients (on x86 and one x64) that have failed to upgrade and one Server 2012. I've upgraded a total of about 15, so this is an unusually high failure rate.

I advertise the update from within SEPM. I do a silent install and then prompt for reboot on the Win7 boxes, or just wait for reboot on the 2012 box. In each case, the install appears to finish successfully. SEPM shows that the machines need a reboot. Upon reboot, no SEP client appears to be on the machine. After another reboot, the old client is running again, but the machines fail at subsequent upgrade attempts.

The SIS_INST.LOG on all three machines show a similar error (see below). I can attached the entire log if needed, but it's about 10 Meg. Please note, the 2012 server is a GUP, so it has the same Feature Set as the Windows 7 machines.

2014-10-15T12:33:31.161Z INFO  I SIS    Executing action ( 3388 ) - RunCustomAction  currentPosition: 2514620
2014-10-15T12:33:31.161Z INFO  I SIS       
2014-10-15T12:33:31.161Z INFO  I SIS      Running custom action specified by objectID: {EA17B4EE-5378-498D-A017-7F132D30BFF1}
2014-10-15T12:33:31.177Z DEBUG I SIS        Creating transaction.
2014-10-15T12:33:31.177Z DEBUG I SIS        Created transaction 0x00000011:0x00000398
2014-10-15T12:33:31.177Z DEBUG I SIS        Committing transaction 0x00000011:0x00000398
2014-10-15T12:33:31.192Z DEBUG I SIS        Creating transaction.
2014-10-15T12:33:31.192Z DEBUG I SIS        Created transaction 0x00000012:0x00000398
2014-10-15T12:33:31.192Z INFO  I SIS        SISCustomActionKManager starting
2014-10-15T12:33:31.270Z WARN  I SIS        SISCustomActionKManager failed to process C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Data\Config\cltdef.dat.bak
2014-10-15T12:33:31.270Z INFO  I SIS        cltdef.dat
2014-10-15T12:33:31.333Z INFO  I SIS        serdef.dat
2014-10-15T12:33:31.333Z ERROR I SIS        SISCustomActionKManager failed to process C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Data\Config\default.dat
2014-10-15T12:33:31.333Z INFO  I SIS        SISCustomActionKManager complete
2014-10-15T12:33:31.333Z ERROR I SIS        Failed custom action Execute() method with error: 0x80004005
2014-10-15T12:33:31.333Z ERROR I SIS         
2014-10-15T12:33:31.333Z ERROR I SIS        Dumping action parameters from the script:
2014-10-15T12:33:31.333Z ERROR I SIS          ObjectID=[{EA17B4EE-5378-498D-A017-7F132D30BFF1}]
2014-10-15T12:33:31.333Z ERROR I SIS          OldPath=[C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\]
2014-10-15T12:33:31.333Z ERROR I SIS          OldVersion=[12.1.4013.4013]
2014-10-15T12:33:31.333Z ERROR I SIS          NewPath=[C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\]
2014-10-15T12:33:31.333Z ERROR I SIS          OnFail=[rollbackExecution]
2014-10-15T12:33:31.333Z INFO  I SIS        ExecuteScript() - Successfully set failure event.
2014-10-15T12:33:31.333Z INFO  I SIS    ExecuteScript() returning ACTION_FAILED_WITH_ROLLBACK
2014-10-15T12:33:31.333Z INFO  I SIS   
2014-10-15T12:33:31.333Z INFO  I SIS  script completed with status: ACTION_FAILED_WITH_ROLLBACK
2014-10-15T12:33:31.333Z DEBUG I SIS  Rolling back transaction 0x00000010:0x0000026C
2014-10-15T12:33:31.333Z DEBUG I SIS  Creating transaction.
2014-10-15T12:33:31.333Z DEBUG I SIS  Created transaction 0x00000013:0x0000026C
2014-10-15T12:33:31.333Z DEBUG r SIS  Committing transaction 0x00000013:0x0000026C
2014-10-15T12:33:31.442Z DEBUG r SIS  Creating transaction.
2014-10-15T12:33:31.442Z DEBUG r SIS  Created transaction 0x00000014:0x0000026C
2014-10-15T12:33:31.442Z INFO  r SIS  TransitionToEnteringRollbackScript() - success

Yes, that works, and that's what I did on the two Windows 7 machines. The server is a little tougher since I have to request and schedule a new maintenance window, so it's currently sitting in an unresolved state.

However, I would really like to be able to advertise and upgrade our clients without that kind of manual intervention. I would like to determine why this is failing so I can move forward with the upgrade to 12.1.5337.500. It's just not reasonable to deploy our service desk folks to 20-30% of our machines to troubleshoot upgrade issues.

can you post the new SEP_inst.log and SIS log, ?you can delete the existing one, new one will be smaller in size.

Attached is my smallest SIS_INST.LOG.  I haven't found a SEP_inst.log yet, but I'll keep looking.

Attachment(s)

SIS_INST_10.zip   417 KB 1 version

do you have any application and device control policies applied?

SISCustomActionKManager failed to process C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Data\Config\default.dat

On the Windows 7 boxes, we do have application and device control policies applied. On the 2012 server, we don't. Is there a way to peek into that default.dat file to see what's in it?  The SIS_INST.LOG has the exact same block of text in it that is referred to above. They also reference a file called "cltdef.dat.bak" that it fails to process.

I managed to replicate the issue again on a different machine. This machine was another 64 bit Windows 7. Since it looked like it might be one of our policies creating the issue, I created brand new polices (Virus and Spyware Protection, Firewall, Intrusion Prevention, Application and Device Control, LiveUpdate, and Exceptions) and left them pretty much at their defaults. I advertised it to this machine. I don't have any Host Integrity Policy applied.

After the machine accepted it, it installed silently. It prompted for a reboot when it was complete. When it rebooted, I logged in. After I entered my credentials, the computer rebooted. It rebooted again without making it to the login screen. On the third reboot, I was able to successfully log on. The SEP Client had reverted back to 12.1.4013.4013. 

I'll attach the SIS_INST.LOG. If there is another log I can grab and share, let me know and I'll see if I can find it.

Thanks! I appreciate all the advice so far!

Attachment(s)

SIS_INST_11.zip   406 KB 1 version