I recently upgraded one of my clients from Symantec Antivirus 10.1 to Symantec Endpoint Protection 12.1. Technically speaking, I completely uninstalled SAV, rebooted all systems, and then installed SEP. Since SEP includes a firewall, I disabled the Windows Firewall and enabled the SEP firewall. Since then, users have been complaining about application lockups and lost data.
The server has the SEP basic package (AV only) -- the server does NOT have the firewall installed. Only the clients have the full SEP package.
Using Sysinternals' Process Monitor, I was able to see that when the application appears to lock up, it's really in an endless loop trying to read a file (but the ReadFile() function returns with result DISCONNECTED).
Using the server's Computer Management snap-in, I was able to see that the client's session is being closed after approximately 10 minutes of idle time, even if the session has open files. With the SEP firewall disabled, the session stays open for as long as necessary, but with the SEP firewall enabled, the session is always closed after approximately 10 minutes of idle time, causing the client to lose any unsaved data in those open files.
The users do not have a problem reconnecting to the server. Once they terminate the not-responding application, they can open it again and immediately re-open the file. The problem is that the session is being closed, forcibly closing the application's open files.
It appears that the SEP firewall also randomly terminates the client's session to the server. I created a utility which runs "net view \\server" every 3 minutes, and this keeps the session's idle time to 3 minutes or less. It seems to have helped, but the sessions are still being randomly disconnected (it's just not happening after 10 minutes of inactivity now).
To make myself perfectly clear, it is the SEP firewall on the client computer which is closing the session to the server after approximately 10 minutes of network idle time. It has nothing to do with the server (to verify this, I mapped a drive to a server which has no antivirus or firewall installed and opened a file from that drive, and the same thing happened). With the SEP firewall disabled, there are no session/disconnection problems.
When the session is disconnected, there are no events in any of the SEP logs or the Windows event logs.
I have confirmed this behavior when using Windows XP Pro SP2 (32-bit), Windows XP Pro SP3 (32-bit), and Windows 7 Pro SP1 (32-bit) clients and Windows XP Pro SP3 (32-bit), Windows 2000 Server SP4, and Windows Server 2003 R2 SP2 (32-bit) servers.
I like the powerful control, easy application, and easy administration of the SEP firewall, but if I can't find a solution to this, I'll have no choice but to go back to using the Windows Firewall.
Has anyone else experienced these issues, and does anyone know of any possible solution (other than going back to the Windows Firewall)?