Endpoint Protection

Symantec Endpoint blocks Azure Connect Endpoint Tunnel creation.

  • 1.  Symantec Endpoint blocks Azure Connect Endpoint Tunnel creation.

    Posted Aug 17, 2012 11:55 AM

    I am having problems getting an Azure Connect Endpoint to connect properly with Endpoint Protection installed on the computer.

    Here is what I know:

    -It is not my firewall causing the problem. (Two other computers without Symantec Endpoint installed are currently communicating through Azure Connect and the firewall)

    -I am not using a proxy server and local proxy settings on my laptop have been verified.

    -Windows Firewall exceptions have been configured and verified for outgoing port 443, as well as testing with turning Windows firewall completely off.

    -Application exceptions have been configured in Symantec Endpoint for Azure Connect Endpoint software.

    -Manually stopping the ccSvcHst.exe service for Symantec and retesting the connection failed.

    -Azure Connect Endpoint Diagnostics verify all settings and certificates are correct for the connection policy and IPsec authentication (certificates).

    -A Wireshark capture of the SSL handshake between Azure and my laptop appears to be proper. “Keep Alive” pings between Azure and my laptop are being exchanged.

    From what I can see, Symantec is blocking the creation of the PPP tunnel on my laptop.  So far, the only way to successfully create the connection to Azure is to completely uninstall the Symantec Endpoint software. Just turning Symantec off does not remedy the issue. This thread exactly describes the symptoms and steps we have observed and taken for this problem.

    http://social.msdn.microsoft.com/Forums/en-US/windowsazureconnectivity/thread/f5e7c2bf-6542-41b4-a708-6efcc0bc4d1d

    This appears in the system logs:

    SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe Event Info: Open Process ActionTaken: Blocked Actor Process: C:\WINDOWS\INSTALLER\MSIC331.TMP (PID 5272) Time: Thursday, August 16, 2012 9:59:00 AM

    As well as this:

    Log Name:      Application
    Source:        RasClient
    Date:          8/17/2012 10:34:32 AM
    Event ID:      20227
    Task Category: None
    Level:         Error
    Keywords

    Log Name:      Application
    Source:        RasClient
    Date:          8/16/2012 10:01:53 AM
    Event ID:      20227
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      IAE2011012.iae-online.local
    Description:
    CoId={6FF7DAE8-7913-4AEE-88AB-67E80D094EC2}: The user SYSTEM dialed a connection named Windows Azure Connect Relay5 1 which has failed. The error code returned on failure is 703.

    Is anyone familiar with this issue or a fix?

     



  • 2.  RE: Symantec Endpoint blocks Azure Connect Endpoint Tunnel creation.

    Broadcom Employee
    Posted Aug 17, 2012 02:08 PM

    Can you disable the tamper protection and check install?



  • 3.  RE: Symantec Endpoint blocks Azure Connect Endpoint Tunnel creation.

    Posted Aug 17, 2012 02:23 PM

    I'm not so sure it is tamper protection. Tamper Protection just blocks interferences with the SEP services. It's worth a shot in trying though.



  • 4.  RE: Symantec Endpoint blocks Azure Connect Endpoint Tunnel creation.

    Posted Aug 17, 2012 02:52 PM

    Gentlemen,

    Thanks for the quick response. I have tried disabling the tamper protection without success. I even tried starting the Azure Connect Service (WACE) with Administrator account credentials, but that crashed the service. Could this be SmartDHCP?



  • 5.  RE: Symantec Endpoint blocks Azure Connect Endpoint Tunnel creation.

    Posted Aug 17, 2012 03:00 PM

    Is there anything in the NTP logs, packet or traffic?



  • 6.  RE: Symantec Endpoint blocks Azure Connect Endpoint Tunnel creation.

    Posted Aug 17, 2012 03:18 PM

    Brian, can you clarify: NTP logs?



  • 7.  RE: Symantec Endpoint blocks Azure Connect Endpoint Tunnel creation.

    Posted Aug 17, 2012 03:22 PM

    Open the SEP GUI

    Go to View Logs >> Network Threat Protection >> View Logs

    Check both your traffic and packet logs



  • 8.  RE: Symantec Endpoint blocks Azure Connect Endpoint Tunnel creation.

    Posted Aug 17, 2012 03:55 PM

    Thanks for the clarification. Both the traffic and packet logs are empty. I set filter time to 3 days to encompass the whole time I've been dealing with this.



  • 9.  RE: Symantec Endpoint blocks Azure Connect Endpoint Tunnel creation.

    Posted Aug 17, 2012 04:02 PM

    I have copied the entire process of the RASClient error here if this helps.

     

    Log Name:      Application
    Source:        RasClient
    Date:          8/17/2012 2:12:31 PM
    Event ID:      20221
    Task Category: None
    Level:         Information
    Keywords:      Classic
    User:          N/A
    Computer:     <DELETED>
    Description:
    CoId={903E7AFA-CEAF-4A5C-AF44-1D7A97647216}: The user SYSTEM has started dialing a VPN connection using a per-user connection profile named Windows Azure Connect Relay5 1. The connection settings are:
    Dial-in User = <DELETED>@External.com
    VpnStrategy = SSTP
    DataEncryption = Require
    PrerequisiteEntry =
    AutoLogon = No
    UseRasCredentials = No
    Authentication Type = EAP <Microsoft: Smart Card or other certificate>
    Ipv4DefaultGateway = No
    Ipv4AddressAssignment = By Server
    Ipv4DNSServerAssignment = By Server
    Ipv6DefaultGateway = No
    Ipv6AddressAssignment = By Server
    Ipv6DNSServerAssignment = By Server
    IpDnsFlags =
    IpNBTEnabled = Yes
    UseFlags = Private Connection
    ConnectOnWinlogon = No.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="RasClient" />
        <EventID Qualifiers="0">20221</EventID>
        <Level>4</Level>
        <Task>0</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2012-08-17T19:12:31.000000000Z" />
        <EventRecordID>49731</EventRecordID>
        <Channel>Application</Channel>
        <Computer><DELETED></Computer>
        <Security />
      </System>
      <EventData>
        <Data>{903E7AFA-CEAF-4A5C-AF44-1D7A97647216}</Data>
        <Data>SYSTEM</Data>
        <Data>VPN</Data>
        <Data>per-user</Data>
        <Data>Windows Azure Connect Relay5 1</Data>
        <Data>
    Dial-in User = <DELETED>@External.com
    VpnStrategy = SSTP
    DataEncryption = Require
    PrerequisiteEntry =
    AutoLogon = No
    UseRasCredentials = No
    Authentication Type = EAP &lt;Microsoft: Smart Card or other certificate&gt;
    Ipv4DefaultGateway = No
    Ipv4AddressAssignment = By Server
    Ipv4DNSServerAssignment = By Server
    Ipv6DefaultGateway = No
    Ipv6AddressAssignment = By Server
    Ipv6DNSServerAssignment = By Server
    IpDnsFlags =
    IpNBTEnabled = Yes
    UseFlags = Private Connection
    ConnectOnWinlogon = No</Data>
      </EventData>
    </Event>

    Log Name:      Application
    Source:        RasClient
    Date:          8/17/2012 2:12:31 PM
    Event ID:      20222
    Task Category: None
    Level:         Information
    Keywords:      Classic
    User:          N/A
    Computer:      <DELETED>
    Description:
    CoId={903E7AFA-CEAF-4A5C-AF44-1D7A97647216}: The user SYSTEM is trying to establish a link to the Remote Access Server for the connection named Windows Azure Connect Relay5 1 using the following device:
    Server address/Phone Number = wacprodr5.connect.azure.com
    Device = WAN Miniport (SSTP)
    Port = VPN0-1
    MediaType = VPN.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="RasClient" />
        <EventID Qualifiers="0">20222</EventID>
        <Level>4</Level>
        <Task>0</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2012-08-17T19:12:31.000000000Z" />
        <EventRecordID>49732</EventRecordID>
        <Channel>Application</Channel>
        <Computer><DELETED></Computer>
        <Security />
      </System>
      <EventData>
        <Data>{903E7AFA-CEAF-4A5C-AF44-1D7A97647216}</Data>
        <Data>SYSTEM</Data>
        <Data>Windows Azure Connect Relay5 1</Data>
        <Data>
    Server address/Phone Number = wacprodr5.connect.azure.com
    Device = WAN Miniport (SSTP)
    Port = VPN0-1
    MediaType = VPN</Data>
      </EventData>
    </Event>

    Log Name:      Application
    Source:        RasClient
    Date:          8/17/2012 2:12:33 PM
    Event ID:      20223
    Task Category: None
    Level:         Information
    Keywords:      Classic
    User:          N/A
    Computer:     <DELETED>
    Description:
    CoId={903E7AFA-CEAF-4A5C-AF44-1D7A97647216}: The user SYSTEM has successfully established a link to the Remote Access Server using the following device:
    Server address/Phone Number = wacprodr5.connect.azure.com
    Device = WAN Miniport (SSTP)
    Port = VPN0-1
    MediaType = VPN.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="RasClient" />
        <EventID Qualifiers="0">20223</EventID>
        <Level>4</Level>
        <Task>0</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2012-08-17T19:12:33.000000000Z" />
        <EventRecordID>49733</EventRecordID>
        <Channel>Application</Channel>
        <Computer><DELETED></Computer>
        <Security />
      </System>
      <EventData>
        <Data>{903E7AFA-CEAF-4A5C-AF44-1D7A97647216}</Data>
        <Data>SYSTEM</Data>
        <Data>
    Server address/Phone Number = wacprodr5.connect.azure.com
    Device = WAN Miniport (SSTP)
    Port = VPN0-1
    MediaType = VPN</Data>
      </EventData>
    </Event>

    Log Name:      Application
    Source:        RasClient
    Date:          8/17/2012 2:12:33 PM
    Event ID:      20224
    Task Category: None
    Level:         Information
    Keywords:      Classic
    User:          N/A
    Computer:     <DELETED>
    Description:
    CoId={903E7AFA-CEAF-4A5C-AF44-1D7A97647216}: The link to the Remote Access Server has been established by user SYSTEM.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="RasClient" />
        <EventID Qualifiers="0">20224</EventID>
        <Level>4</Level>
        <Task>0</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2012-08-17T19:12:33.000000000Z" />
        <EventRecordID>49734</EventRecordID>
        <Channel>Application</Channel>
        <Computer><DELETED></Computer>
        <Security />
      </System>
      <EventData>
        <Data>{903E7AFA-CEAF-4A5C-AF44-1D7A97647216}</Data>
        <Data>SYSTEM</Data>
      </EventData>
    </Event>

    Log Name:      Application
    Source:        RasClient
    Date:          8/17/2012 2:12:34 PM
    Event ID:      20227
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:     <DELETED>
    Description:
    CoId={903E7AFA-CEAF-4A5C-AF44-1D7A97647216}: The user SYSTEM dialed a connection named Windows Azure Connect Relay5 1 which has failed. The error code returned on failure is 703.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="RasClient" />
        <EventID Qualifiers="0">20227</EventID>
        <Level>2</Level>
        <Task>0</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2012-08-17T19:12:34.000000000Z" />
        <EventRecordID>49735</EventRecordID>
        <Channel>Application</Channel>
        <Computer><DELETED></Computer>
        <Security />
      </System>
      <EventData>
        <Data>{903E7AFA-CEAF-4A5C-AF44-1D7A97647216}</Data>
        <Data>SYSTEM</Data>
        <Data>Windows Azure Connect Relay5 1</Data>
        <Data>703</Data>
      </EventData>
    </Event>


    Log Name:      Application
    Source:        RasClient
    Date:          8/17/2012 2:12:39 PM
    Event ID:      20226
    Task Category: None
    Level:         Information
    Keywords:      Classic
    User:          N/A
    Computer:     <DELETED>
    Description:
    CoId={903E7AFA-CEAF-4A5C-AF44-1D7A97647216}: The user SYSTEM dialed a connection named Windows Azure Connect Relay5 1 which has terminated. The reason code returned on termination is 631.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="RasClient" />
        <EventID Qualifiers="0">20226</EventID>
        <Level>4</Level>
        <Task>0</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2012-08-17T19:12:39.000000000Z" />
        <EventRecordID>49736</EventRecordID>
        <Channel>Application</Channel>
        <Computer><DELETED></Computer>
        <Security />
      </System>
      <EventData>
        <Data>{903E7AFA-CEAF-4A5C-AF44-1D7A97647216}</Data>
        <Data>SYSTEM</Data>
        <Data>Windows Azure Connect Relay5 1</Data>
        <Data>631</Data>
      </EventData>
    </Event>



  • 10.  RE: Symantec Endpoint blocks Azure Connect Endpoint Tunnel creation.

    Posted Aug 23, 2012 01:15 PM

     

    After a conversation with the Azure Program Manager at Microsoft we discovered that the SEP 12.1 installation re-routes the RAS client to a Symantec .dll.

    This is visible in the registry on a Windows 7 machine at:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\PPP\EAP\13\Path

    The variable has been changed from the MS .dll path to:

    C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\SymRasMan.dll

    This explains why disabling SEP has no effect on the Azure Connection and why an uninstall of SEP seems to be the only option.

    Is there a way to revert this setting back to the MS .dll without breaking SEP?

    Is there anyone at Symantec working on this?

    Azure Endpoint Protection was designed around using the MS .dll to service the VPN connection and with the rise of cloud computing, I would think that Symantec would be interested in remedying this issue.

     



  • 11.  RE: Symantec Endpoint blocks Azure Connect Endpoint Tunnel creation.

    Posted Aug 23, 2012 01:25 PM

    You're probably best off calling support and getting in touch with a backline engineer to make them aware.



  • 12.  RE: Symantec Endpoint blocks Azure Connect Endpoint Tunnel creation.

    Posted Aug 24, 2012 03:09 PM

    The RAS registry keys that are changed by SEP are used only for communication to the SNAC LAN Enforcer.  Since you are not using LAN Enforcer on this client (it is in the cloud so you cannot use the LAN Enforcer here) then you can safely change these keys back to the Windows default.  It will not affect any other part of SEP.

    Note: if you re-install SEP or upgrade SEP you will need to set these keys back, as SEP will update them on each installation or upgrade.
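
The registry redirection described in posts 10 and 12, as a read-only PowerShell audit. This is an added example, not part of the original thread and not Symantec or Microsoft code. The thread names only the `Path` value under `EAP\13`; checking every EAP type and every value whose name ends in `Path` is an assumption made here so that other redirected entries are also listed.

```powershell
# Added example (read-only): list the DLLs registered as RAS EAP providers and
# flag any that live outside %SystemRoot%\System32, as SymRasMan.dll does in
# the thread. Nothing is modified.
$eapRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP'
$system32 = (Join-Path $env:SystemRoot 'System32') + '\'

$findings = foreach ($key in Get-ChildItem -Path $eapRoot -ErrorAction Stop) {
    $props = Get-ItemProperty -Path $key.PSPath

    # Assumption: any value whose name ends in "Path" holds a provider DLL.
    # PSPath / PSParentPath are added by PowerShell itself, so skip them.
    $pathValues = $props.PSObject.Properties |
        Where-Object { $_.Name -like '*Path' -and $_.Name -notlike 'PS*' }

    foreach ($p in $pathValues) {
        $dll = [Environment]::ExpandEnvironmentVariables([string]$p.Value)
        if (-not $dll) { continue }

        # Signer is informational only: catalog-signed system files may show
        # no signer on older PowerShell versions.
        $signer = '(file not found)'
        if (Test-Path -LiteralPath $dll -PathType Leaf) {
            $sig    = Get-AuthenticodeSignature -FilePath $dll
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject }
                      else { '(no signer reported)' }
        }

        [pscustomobject]@{
            EapType    = $key.PSChildName      # e.g. 13, the type named in the thread
            Value      = $p.Name
            Dll        = $dll
            InSystem32 = $dll.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase)
            Signer     = $signer
        }
    }
}

$findings | Sort-Object EapType, Value | Format-Table -AutoSize -Wrap

$outside = @($findings | Where-Object { -not $_.InSystem32 })
if ($outside.Count) {
    Write-Warning "$($outside.Count) EAP provider value(s) point outside $system32"
}
```

Because post 12 notes that SEP rewrites these keys on every install or upgrade, the same check is worth rerunning after each SEP update.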



  • 13.  RE: Symantec Endpoint blocks Azure Connect Endpoint Tunnel creation.

    Posted Sep 22, 2012 07:02 PM

    Can anyone help me and explain to me why I get the following message multiple times per day:

    Target:  C:\Program Files\Symantec\Symantec Endpoint Protection\SavUI.exe
    Event Info:  Write Memory
    Action Taken:  Logged
    Actor Process:  C:\Windows\system32\taskeng.exe (PID 2936)
    Time:  Saturday, September 22, 2012  6:40:40 PM

    I am not too computer savvy so any help would be appreciated. Thanks in advance.



  • 14.  RE: Symantec Endpoint blocks Azure Connect Endpoint Tunnel creation.

    Posted Sep 22, 2012 07:33 PM

    This looks to be from tamper protection. What log did you see this in?

    taskeng.exe is trying to tamper with the SEP service (SavUI.exe) in some way.

    In this instance, it is only being logged and not blocked. You can create an exception for this if needed.

    Also, you may want to create a new topic for this so it gets better exposure.



  • 15.  RE: Symantec Endpoint blocks Azure Connect Endpoint Tunnel creation.

    Posted Sep 23, 2012 09:47 AM

    Ok, Thanks Brian.