Endpoint Protection


Endpoint protection errors and warning in windows server 2008

  • 1.  Endpoint protection errors and warning in windows server 2008

    Posted Oct 21, 2009 11:33 PM


    I have a number of warnings and errors in the application and system event viewer. All seem to be related to Endpoint Protection.

    Event ID 1000
    Faulting application ProtectionUtilSurrogate.exe, version 11.0.3001.2198, time stamp 0x48c9b939, faulting module ccL60U8.dll, version 106.3.7.9, time stamp 0x48a4a6be, exception code 0x40000015, fault offset 0x000420e8, process id 0x8c8, application start time 0x01ca506d0d53c8be

    Event ID 1530
    Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. 

     DETAIL -
     2 user registry handles leaked from \Registry\User\S-1-5-21-1447001783-2274183133-4180765549-1228:
    Process 2492 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe) has opened key \REGISTRY\USER\S-1-5-21-1447001783-2274183133-4180765549-1228\Software\Symantec\Symantec Endpoint Protection\AV\Custom Tasks
    Process 832 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1447001783-2274183133-4180765549-1228\Printers\DevModePerUser

    Event 10010
    The server {EE68EAFC-BF28-4017-8A92-D17DACF0B459} did not register with DCOM within the required timeout.

    Event 10000
    Unable to start a DCOM Server: {EE68EAFC-BF28-4017-8A92-D17DACF0B459}. The error:
    "5"
    Happened while starting this command:
    C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe {EE68EAFC-BF28-4017-8A92-D17DACF0B459} -Embedding

    Cannot tell if the following is related:

    Event ID 6037
    The program svchost.exe, with the assigned process ID 2504, could not authenticate locally by using the target name HOST/.. The target name used is not valid. A target name should refer to one of the local computer names, for example, the DNS host name

     



  • 2.  RE: Endpoint protection errors and warning in windows server 2008

    Posted Oct 22, 2009 02:07 AM

    Check the DCOM permissions once. You can refer to the doc below:

    http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/3f862957b21b671588256c620077a200?OpenDocument

     


  • 3.  RE: Endpoint protection errors and warning in windows server 2008

    Posted Oct 22, 2009 02:12 AM

    You can also try upgrading the client to RU5. It is the latest version and the only version which Symantec is officially supporting with Windows 2008.

     


  • 4.  RE: Endpoint protection errors and warning in windows server 2008

    Posted Oct 22, 2009 02:27 AM
    The latest version of Endpoint, RU-5, has better compatibility with Windows 2008. I would suggest that you upgrade to the latest version, and if the issue still persists please let us know.




  • 5.  RE: Endpoint protection errors and warning in windows server 2008

    Posted Oct 22, 2009 05:15 PM
    The document you referenced is not for Windows Server 2008. There are differences in Windows Server 2008, like the access being local and remote. My guess is that the correct settings for system are local access. However, using the reference as best I can, I do not see any settings that needed to be changed.


  • 6.  RE: Endpoint protection errors and warning in windows server 2008

    Posted Oct 22, 2009 05:21 PM
    I am not familiar with the terminology of RU-5.

    I will uninstall 11.0.3 and install 11.0.5 and see what errors/warning I get.


  • 7.  RE: Endpoint protection errors and warning in windows server 2008

    Posted Oct 23, 2009 10:36 AM
    After uninstall of 11.0.3 and install of 11.0.5, Event ID 1530 checks in as usual:

    Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. 
     
     DETAIL -
     3 user registry handles leaked from \Registry\User\S-1-5-21-1447001783-2274183133-4180765549-1228:
    Process 3192 (\Device\HarddiskVolume2\Windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-1447001783-2274183133-4180765549-1228\Software\Microsoft\Windows\CurrentVersion\Explorer
    Process 2348 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe) has opened key \REGISTRY\USER\S-1-5-21-1447001783-2274183133-4180765549-1228\Software\Symantec\Symantec Endpoint Protection\AV\Custom Tasks
    Process 836 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1447001783-2274183133-4180765549-1228\Printers\DevModePerUser


  • 8.  RE: Endpoint protection errors and warning in windows server 2008

    Posted Oct 24, 2009 07:36 AM
    Restart the server once and see if any errors are present.
    Also tell us the role of this server.


  • 9.  RE: Endpoint protection errors and warning in windows server 2008

    Posted Oct 27, 2009 09:48 PM
    Server was restarted. The Event ID 1530s continue:

    today 10:16AM

    Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. 
     
     DETAIL -
     1 user registry handles leaked from \Registry\User\S-1-5-21-1447001783-2274183133-4180765549-1228:
    Process 880 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1447001783-2274183133-4180765549-1228\Printers\DevModePerUser

    This is a stand alone server. Roles included Printer services, DHCP, DNS, FTP


  • 10.  RE: Endpoint protection errors and warning in windows server 2008

    Posted Oct 28, 2009 01:08 AM

    Refer to the following docs and ensure you have done all settings correctly:

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007101210172548

    http://support.microsoft.com/kb/822158

    http://technet.microsoft.com/en-us/library/cc816917(WS.10).aspx

     

     


  • 11.  RE: Endpoint protection errors and warning in windows server 2008

    Posted Oct 28, 2009 03:53 PM

    In regard to the first link, there is no evidence of a DHCP problem so I ignore this link
    for now.
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007101210172548

    The last two links are regarding the same subject. The last link states: Any antivirus
    vendor should provide specific instructions to correctly configure their product to work
    with domain controllers that are running versions of Windows Server and that have Active
    Directory Domain Services (AD DS) installed. Does someone know if Symantec has such a
    document?

    Since both link 2 and 3 refer to the same subject and it is difficult to compare the
    documentation, I will just select the second link since it is dated later.

    The next problem is that link 2 is just general information and there are no specifics on
    how to exclude files/folders from scanning.

    The Endpoint Protection documents seem to be located at
    http://www.symantec.com/business/support/documentation.jsp?language=english&view=manuals&pid=54619

    Still, the problem is locating which of the many documents and which of many pages shows
    how to exclude the files mentioned in the second link. I do see the Administrator manual
    is 625 pages.



  • 12.  RE: Endpoint protection errors and warning in windows server 2008

    Posted Oct 28, 2009 04:23 PM

     

    My 2nd link tells about the scanning exceptions for certain files and directories. You can exclude those. Many of those SEP will exclude automatically. First confirm whether that happens. If not, do it manually.

    For creating an exception, refer to the link below:

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008030423280248?OpenDocument&ExpandSection=1

    To verify, refer to the link below:

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008090512574448?Open&seg=ent



  • 13.  RE: Endpoint protection errors and warning in windows server 2008

    Posted Oct 28, 2009 05:36 PM
    On second thought I question the direction this thread is taking. Here is the 1:16PM event ID 1530

    Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. 
     
     DETAIL -
     1 user registry handles leaked from \Registry\User\S-1-5-21-1447001783-2274183133-4180765549-1228:
    Process 880 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1447001783-2274183133-4180765549-1228\Printers\DevModePerUser

    Note the Printers. This appears to be a problem between printers and Endpoint Protection.
    The event was recorded at 1:16:22 PM. Looking at the DHCP leases, none of the more than 20 leases today occurred during the time of Event ID 1530.

    If the problem is scanning files that should not be scanned, then the problem should be during scanning, and the scan was not occurring during the Event ID 1530s. This doesn't mean that the file/folder exclusion (once I figure out how to do that) should not be done, as that may prevent other problems.
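
Added example, not part of any post in this thread: a small Python parser for the DETAIL section of Event ID 1530 that reports which process and registry key appear in every occurrence. The sample lines are constructed from the three events quoted above, with the user SID shortened to a placeholder; `parse_1530` and `persistent_holders` are names chosen for this example.

```python
import ntpath
import re

# Constructed sample: DETAIL lines modeled on the three Event ID 1530 messages
# quoted in this thread; the user SID is replaced by a placeholder.
HIVE = r"\REGISTRY\USER\S-1-5-21-EXAMPLE-1228"
SEP = r"\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection"
SYS32 = r"\Device\HarddiskVolume2\Windows\System32"
SEP_KEY = r"Software\Symantec\Symantec Endpoint Protection\AV\Custom Tasks"

EVENTS = {
    "11.0.3 installed": "\n".join([
        rf"Process 2492 ({SEP}\Rtvscan.exe) has opened key {HIVE}\{SEP_KEY}",
        rf"Process 832 ({SYS32}\svchost.exe) has opened key {HIVE}\Printers\DevModePerUser",
    ]),
    "11.0.5 installed": "\n".join([
        rf"Process 3192 ({SYS32}\msiexec.exe) has opened key "
        rf"{HIVE}\Software\Microsoft\Windows\CurrentVersion\Explorer",
        rf"Process 2348 ({SEP}\Rtvscan.exe) has opened key {HIVE}\{SEP_KEY}",
        rf"Process 836 ({SYS32}\svchost.exe) has opened key {HIVE}\Printers\DevModePerUser",
    ]),
    "after restart": "\n".join([
        rf"Process 880 ({SYS32}\svchost.exe) has opened key {HIVE}\Printers\DevModePerUser",
    ]),
}

# The image path can itself contain parentheses ("Program Files (x86)"), so the
# path group is anchored on the literal text that follows the closing paren.
LEAK = re.compile(r"Process (\d+) \((.+?)\) has opened key (\S.*)")
HIVE_PREFIX = re.compile(r"^\\REGISTRY\\USER\\[^\\]+\\", re.IGNORECASE)

def parse_1530(message):
    """Return [(pid, image name, subkey under the user hive)] for one event."""
    return [
        (int(pid), ntpath.basename(image), HIVE_PREFIX.sub("", key.strip()))
        for pid, image, key in LEAK.findall(message)
    ]

def persistent_holders(events):
    """(image, subkey) pairs that hold a leaked handle in every event given."""
    seen = [{(img, key) for _, img, key in parse_1530(m)} for m in events.values()]
    return set.intersection(*seen) if seen else set()

if __name__ == "__main__":
    for label, message in EVENTS.items():
        print(label, parse_1530(message))
    print("in every event:", persistent_holders(EVENTS))
```

PIDs change between boots, so the comparison is made on image name and subkey rather than on process ID.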



  • 14.  RE: Endpoint protection errors and warning in windows server 2008

    Posted Oct 29, 2009 01:09 AM

    Refer to the following discussions:

    https://www-secure.symantec.com/connect/forums/endpoint-protection-client-causes-problems-printers-connected-intel-netports

    https://www-secure.symantec.com/connect/forums/problems-network-printing-2003-server-terminal-services-sep-1104

    Anyway, consider the exclusions in the earlier links also. At least it will avoid future problems.

     


  • 15.  RE: Endpoint protection errors and warning in windows server 2008

    Posted Nov 05, 2009 06:33 PM
    I didn't see anything in the links that I thought would help. The links were for different types of problems.


  • 16.  RE: Endpoint protection errors and warning in windows server 2008

    Posted Jan 27, 2010 02:26 AM
    I am facing a problem with Server 2008.
    The DNS service stops automatically although the system is fully patched with Microsoft updates and the latest virus definitions.
    MRU5 installed with only AV/AS on Server 2008.
    What's the problem?