Endpoint Protection

 View Only
Expand all | Collapse all

Is SEP the cause for newly "delayed write failed" errors?

Migration User

Migration UserJul 03, 2009 05:26 AM

Migration User

Migration UserJul 05, 2009 10:59 PM

Migration User

Migration UserMar 31, 2010 05:02 PM

  • 1.  Is SEP the cause for newly "delayed write failed" errors?

    Posted Jun 27, 2009 08:58 AM
    Hello!

    Starting from the 24th of June I've had problems with 4 out of 7 computers (with different hardware but all WinXP Pro SP3) that's often having "delayed write failed" errors. Windows tells me that it can't save certain files and them it locks up. It's like it freezes and I can't ping it or use keyboard or mouse -but the clock is still going. Only way is to turn off and on through the button.

    I have a feeling that it's SEP that's causing this because it started the same time on all of the computers and I can see errors in the event log pointing to Symantec. However, I can't see to find anything on the forums indicating that other people are having this issue. Also a general search on Google don't seem to find any newly updated threads on this subject.

    OK, so I've tried the following on 1 of the computers (Dell XPS 210).

    1. Uninstalled SEP and checked with CleanWipe.
    2. Installed SEP 11.0.4202.75 and ran LiveUpdate.
    3. Checked Microsoft Update but no new updates.
    4. Updated all drivers.

    It seems a *little* bit better but still I get the "delayed write error" within a couple of hours. It's very frustrating.

    I have 2 identical Dell computers with the error. I have 2 identical IBM computers with same version of SEP but only 1 of them has the error (so far).

    All of the computers are up to date with both Microsoft and Symantec updates.

    Anyone that has a clue what's going on?


  • 2.  RE: Is SEP the cause for newly "delayed write failed" errors?

    Posted Jun 27, 2009 12:00 PM
    I started another computer to see if this had the error. This was last started the 21st of June.

    From the event log I can see the computer is started at 08:48 am. While starting the usual Symantec stuff starts - i.e. SRTSP and LiveUpdate. LiveUpdate starts and stops a couple within 10 minutes or so.

    At 09:21 am the first "delayed write failed" error pops up:
    http://eventid.net/display.asp?eventid=50&source=ntfs

    Followed by:
    http://eventid.net/display.asp?eventid=57&source=ftdisk

    I get about 10 messages of these 2 events the next 2 minutes.

    I then get a DCOM error:
    Unable to start a DCOM Server: {7E477741-01A6-4C06-9DAC-55F6174C08A3}. The error:"Insufficient system resources exist to complete the requested service. "Happened while starting this command:C:\Program Files\Symantec\Symantec Endpoint Protection\SescLU.exe -Embedding

    Now the errors 50 and 57 continues to occur and I can only press OK to the popup. There's maybe 50 incidents or so. It then stops for about 2 hours and the repeats itself again.

    In the Application log I can see this around the same time:
    http://eventid.net/display.asp?eventid=1004&source=MsiInstaller
    Detection of product '{FB8A4E30-9915-4814-ADF9-42E00D9FDC3D}', feature 'Core', component '{78451C05-F6C4-4B41-A80E-5F60B87C6E62}' failed. The resource 'C:\Programmer\Fælles filer\Symantec Shared\DefUtDCD.dll' does not exist.

    Detection of product '{FB8A4E30-9915-4814-ADF9-42E00D9FDC3D}', feature 'Core' failed during request for component '{30466A58-8174-4ED4-9171-A4D739E84E3A}'

    Detection of product '{FB8A4E30-9915-4814-ADF9-42E00D9FDC3D}', feature 'Core', component '{EA1EE0B5-8919-4935-A8F8-227891145D7A}' failed. The resource 'C:\Documents and Settings\All Users\Menuen Start\Programmer\Symantec Endpoint Protection\' does not exist.

    It seems other have had the same issue:
    https://www-secure.symantec.com/connect/forums/unable-start-dcom-server

    Is it LiveUpdate that's the culprit?


  • 3.  RE: Is SEP the cause for newly "delayed write failed" errors?

    Posted Jun 27, 2009 07:40 PM
    Hi,

    did you already try the Microsoft troubleshooting?

    http://support.microsoft.com/?scid=kb%3Ben-us%3B330174&x=12&y=14

    Regards,



  • 4.  RE: Is SEP the cause for newly "delayed write failed" errors?

    Posted Jun 29, 2009 04:24 AM
    Hello!

    No, I haven't tried that as I think it's very suspecious that so many of my computers have this error within the same period. Also everything seems to indicate problems with Symantec.

    I got another computer today which started having problems last week also:
    Detection of product '{76B2BC31-2D96-4170-9C44-09E13B5555F3}', feature 'Core' failed during request for component '{30466A58-8174-4ED4-9171-A4D739E84E3A}'

    And the only thing that has been updated on the computers are Symantec.


  • 5.  RE: Is SEP the cause for newly "delayed write failed" errors?

    Posted Jun 29, 2009 05:35 AM
    Yes, it is suspicious, but I believe that with the Microsoft KB you can start to analyze the issue, if there are some Windows features incompatible with SEP, a possible workaround and so on...


  • 6.  RE: Is SEP the cause for newly "delayed write failed" errors?

    Posted Jun 29, 2009 08:48 AM
    I really doubt that I will find the solution by going through that KB.

    For now I have the problem on 6 computers (with different hardware) and they all have have SEP installed. 1 of these are running Windows 2003 Standard.

    2 of those computers are rather old and have almost no software installed on them as they're mainly used for RDP applications. When I booted one of them the other day it took about 30 minutes before I had the problem and all that has been running on the computer was LiveUpdate.

    Are you able to tell me anything on the above error messages? Why are these MsiInstaller errors?


  • 7.  RE: Is SEP the cause for newly "delayed write failed" errors?

    Posted Jun 29, 2009 09:41 AM
    I believe SEP is not the source of issue, it seems a victim of some OS or harware failures or the result of a tampering activity.

    For example the event:

    "Detection of product '{FB8A4E30-9915-4814-ADF9-42E00D9FDC3D}', feature 'Core', component '{EA1EE0B5-8919-4935-A8F8-227891145D7A}' failed. The resource 'C:\Documents and Settings\All Users\Menuen Start\Programmer\Symantec Endpoint Protection\' does not exist."

    It should means that you moved/renamed the SEP folder in the start menu.

    Wrong permissions can also cause this kind of issues. You should check them with the tool TestSec provided by our Support.





  • 8.  RE: Is SEP the cause for newly "delayed write failed" errors?

    Posted Jun 30, 2009 09:13 AM
    On the weekend at my home PC i started having the "delayed write error" and i had to reboot every 30 minutes , windows xp with Norton antivirus 2009

    Today at work, an employee came with his laptop and the exact same message! we are using SEP MR4.
    I actually don't believe in coincidences and I'm bit frighten by these errors...what are the chances of two PCs having HDD problems with the same error ??
    Could it be a new virus on the loose ? maybe a bad definition file that corrupts something...



  • 9.  RE: Is SEP the cause for newly "delayed write failed" errors?

    Posted Jun 30, 2009 12:06 PM
    Hi,

    I did not receive notification of bad definitions (and no spikes of customers' calls).
    OK, it is not an HDD failure but maybe some strange settings are applied to all of your PC's.
    Can you please check the MS KB to exclude those sources of this issue?
    Then you shoud call our Support.


  • 10.  RE: Is SEP the cause for newly "delayed write failed" errors?

    Posted Jun 30, 2009 01:09 PM
    if ou have problem with "delayed write error" with network connection, in much case is due to network connection (there is no forced is 100 full on card and / or switch). When you force speed t's ok (particullary with broadcom chipset)


  • 11.  RE: Is SEP the cause for newly "delayed write failed" errors?

    Posted Jul 01, 2009 04:15 AM
    OK, just a little update.

    The 2 Dell computers that have the error I've removed SEP from and also used Cleanwipe. I then installed MS Forefront and they're still crashing from time to time. I've then tried to disable the NIC (Intel) and it seems they're not crashing now. I'll have to test this a bit more.

    On the Dell Windows 2003 server I yesterday restored a fully working Ghost image from May. Still after that the server is crashing with the same event ID's. I believe the NIC is Broadcom.

    As I've said this concerns 6 computers - 5 with XP and 1 with Windows 2003. It's 4 different computer models and with different hardward.

    I don't belive they suddenly out of the blue all should have HDD problems becuase they started to having the same errors within days.

    I can only say that they're all running SEP but with different versions. Also 2 of the computers crashed soon after being started and picking up LiveUpdate files. It seems quite odd but still I can't prove it is SEP causing the problems. Still after using Cleanwipe I could find entries in registry so I'm not sure if it's still is causing problems.

    I really don't want to turn off the caching stuff in Windows becuase the error must be somewhere else.

    Could this be virus related? If the problem is solved by disabling the NIC could it then be some random attacks that might be causing the problem?


  • 12.  RE: Is SEP the cause for newly "delayed write failed" errors?

    Posted Jul 01, 2009 10:03 AM
    I've tried all the steps on Microsoft kb and of course it didn't make any difference. I suppose the article is good if you have the symptoms from the beginning as it doesn't make any sense to have a computer working for 2 years and suddenly to remember that "i need a different cable"

    My only option right now for the client is to format it. i will post an update afterwards.



  • 13.  RE: Is SEP the cause for newly "delayed write failed" errors?

    Posted Jul 03, 2009 04:48 AM
    I've reinstalled one of my computers and put SEP back on and so far it has been running without problems.

    Giuseppe.Axia > The server that I have that has the problem I would like to restore through Ghost again but then disable the LiveUpdate to see if it still is having problems. Would that just be the "LiveUpdate" service I need to disable or can I risk any other component will try to look for new updates?


  • 14.  RE: Is SEP the cause for newly "delayed write failed" errors?

    Posted Jul 03, 2009 05:26 AM
    did you use disk cloning?


  • 15.  RE: Is SEP the cause for newly "delayed write failed" errors?

    Posted Jul 03, 2009 04:03 PM
    LiveUpdate is the only component that looks for updates.

    Let this discussion up-to-date,

    Cheers,


  • 16.  RE: Is SEP the cause for newly "delayed write failed" errors?

    Posted Jul 04, 2009 12:21 PM

    OK, another computer popped up today with the "delayed write failed" error. The same behaviour as the other computers. I've checked the event log and it's all the same errors that I see.

    Again the computer had been running fine for all of June but on the 25th the error started. The computer wasn't turned on the 24th.

    At 19:42 on the 25th the LiveUpdate did it's job:
    "New virus definition file loaded. Version: 110624ak."

    And then at 20:07 these errors came:
    Identificeringen af produkt '{76B2BC31-2D96-4170-9C44-09E13B5555F3}', funktion 'Core', komponent '{9B3AF051-BB19-4ABE-B16F-90BA34728389}' mislykkedes. Ressourcen 'C:\Programmer\Symantec\Symantec Endpoint Protection\LDDateTm.ocx' findes ikke.

    Identificeringen af funktionen 'Core' i produktet '{76B2BC31-2D96-4170-9C44-09E13B5555F3}' mislykkedes under anmodningen om komponent '{C7212F42-5794-4F22-A86D-0D9E7392F7E8}'

    I've checked the "LDDateTm.ocx" and it's in that folder where Symantec can't find it.

    Giuseppe.Axia > can you try to check the "110624ak" definitions and see if you can find anything interesting. As of now I've had 7 computers with SEP and they have all gotten "delayed write failed" errors around the 24th of June.

    I'll try to restore the Windows 2003 server with Ghost and disable the LiveUpdate and see if the server can continue to run without the error.

    Paul Mapacpac > The computers have all be Ghosted after being manully installed.



  • 17.  RE: Is SEP the cause for newly "delayed write failed" errors?

    Posted Jul 04, 2009 01:24 PM
    Hi,

    I think it is better to call our Support in order to speed up the troubleshooting,

    Regards,




  • 18.  RE: Is SEP the cause for newly "delayed write failed" errors?

    Posted Jul 05, 2009 10:59 PM
    so the Ghost is just for restoration, am I correct?


  • 19.  RE: Is SEP the cause for newly "delayed write failed" errors?

    Posted Jul 06, 2009 04:40 PM
     I too will second calling into support, or opening a case online and them calling you back..  http://mysupport.symantec.com


  • 20.  RE: Is SEP the cause for newly "delayed write failed" errors?

    Posted Aug 06, 2009 11:14 AM

    It looks like this issue was taken offline several weeks ago but if any conclusions were made it would be appreciated if you shared them.

    I have a customer with peer to peer XP3 network who was frequently receiving this message when using a program that has a file shared ISAM database.

    I have seen this message resolved by disabling Windows Opps locking also I have heard of it resolved by setting all nics and switches from auto-negotiate to a hard setting like 100mps full duplex.

    This customer however, simply removed the Symantec AV two months ago and have not received this message again since then.

    What if anything was decided about the users in this thread who called into Symantec?



  • 21.  RE: Is SEP the cause for newly "delayed write failed" errors?

    Posted Aug 06, 2009 11:22 AM
    We had to disable opslock after installing SEP, and since then performance of the servers has been down the toilet.
    If I enable opslocks again, performance shoots up but no one can save Word files to the server.
    It's sep as when I remove SEP totally, the issue goes away and we can enable opslock. With SEP there, we must disable it and suffer the performance hit.
    This started with a new build install in December. It was fine with early versions of SEP.
    So whatever was done in that install in December is what broke it and it's been broke since then.
    As soon as we put opslock back on the server, the helpdesk phone rings off the wall! Lost files, inability to save.
    We live with it because no one at Symantec believes it was SEP even though it started exactly when the new builds were installed, and removing SEP removes the issue.


  • 22.  RE: Is SEP the cause for newly "delayed write failed" errors?

    Posted Aug 06, 2009 01:06 PM
    Can you please provide an update, or your case # info?

    Best,

    Eric


  • 23.  RE: Is SEP the cause for newly "delayed write failed" errors?

    Posted Aug 07, 2009 09:35 AM
    We have the same "Delayed write failures" on some our pcs and notebooks since we are installing SEP. I opened a call and they say that they never heard about an error like that.

    We are using disk cloning a´nd teh problem disappears when we deinstall symantec.

    Would be fine to hear about the case you opened.


  • 24.  RE: Is SEP the cause for newly "delayed write failed" errors?

    Posted Sep 25, 2009 05:27 PM
    For me the problem was that it was missing a file in the C:\Program Files\SAV\SmcLU.  I created a new SmcLU, and the events disappeared.  I checked the permissions, an they match another domains settings.


  • 25.  RE: Is SEP the cause for newly "delayed write failed" errors?

    Posted Oct 05, 2009 09:12 AM
    I got the same problem on Windows 2003 R2 Server installed on Windows Virtual Server 2005.

    Windows was reporting "Delayed Write Failed" and the file name was from Symantec Update folder.

    I restarted server in safe mode  - everything is OK!
    I started Server the normal way - problem was still in place.
    I forced virus signature update from other server by System Center Concole.
    After 5 min I restarted server in safe mode and checked virus signature update folder. The problem directory was deleted. But 2 temporary folders were present. I deleted both temporary folders.
    Server was restarted - the problem was fixed.

    I think the problem was after low disk space on my server. Symantec tried to write file - got error. After this files were writen by system, but symantec update started to ovewrite files and got the problem. Files were protected by Symantec AV!


  • 26.  RE: Is SEP the cause for newly "delayed write failed" errors?

    Posted Mar 31, 2010 05:02 PM

    What is meant by "created a new SmcLU"...


  • 27.  RE: Is SEP the cause for newly "delayed write failed" errors?

    Posted Apr 21, 2010 10:14 PM
    I am having the exact same problems on Windows 2003 Servers in regards to Delayed Write Fail errors that are seemingly caused by Symantec Antivirus.  My machines are all on closed networks with no connection to the internet, and I'm running Symantec Antivirus Corporate Edition 10.1.8.8000.

    I've been able to reproduce the problem about one in every 6 times that I run a script to install the latest Symantec Antivirus Definitions offline.  My script stops the Symantec Antivirus Services, then copies the extracted Intelligent Updater definition files to the "C:\Program Files\Common Files\Symantec Shared\VirusDefs\incoming" folder and then restarts the Symantec Antivirus Service, forcing it to install the latest antivirus definition files from the INCOMING folder.  I had to do the virus definition updates in this manner because the Intelligent updater files would fail to extract on some machines for no explainable reason, even if I tried to do it manually with the EXTRACT command.  At some point during or shortly after the definition file update, I receive the Delayed Write Fail errors.  It happens on many different types of hardware platforms, some are laptops, some are servers and we have about 10-20 of each different type of machine in our network, with the problem happening on most of them at one point or another.  The common element amongst them all is Symantec Antivirus, and the System Event log always reports Delayed Write Fail errors caused by the Symantec Antivirus application.

    I've also been able to reproduce the problem on command on 2 different occasions by merely running a script to disable and then stop the 5 Symantec Antivirus services on the machine... but the delayed write fails seem to happen after the services are disabled and while my script is actually stopping the services.

    Has anyone found a resolution for this issue?  It's a major problem, and I'm now almost definite that Symantec Antivirus is the cause, given the details mentioned above.

    I'm contemplating migrating our machines to 10.1.9, but only if there is a fix in that version for this problem.



  • 28.  RE: Is SEP the cause for newly "delayed write failed" errors?

    Posted Apr 24, 2010 10:49 PM
    Hi Silvaa,

    I appreciate that you took so much time to write such a clear response. However I hope you will create a new thread for this issue (and provide a link to this one). Just cut and paste what you wrote here. The problem is the thread you posted on is very old and I am afraid it is being ignored by most in the forums. You will find much better luck if you create a new thread.

    Thanks,
    Grant