New England Security User Group


Unable to SMC -stop damaged client, forced to uninstall

  • 1.  Unable to SMC -stop damaged client, forced to uninstall

    Posted Jun 28, 2013 09:36 AM

    Morning, I've been looking at a few damaged SEP clients (12.1 RU-1 level currently) where it isn't properly communicating but a SMC -stop command will not stop the service; the only way to repair is to uninstall/reinstall. Is there a more forceful way than the SMC -stop command to pull SEP out of memory? Tamper protection is disabled so that isn't an issue.



  • 2.  RE: Unable to SMC -stop damaged client, forced to uninstall

    Posted Jun 28, 2013 09:40 AM

    If tamper protection isn't enabled, then you should be able to use Task Manager or Process Explorer to kill the process.



  • 3.  RE: Unable to SMC -stop damaged client, forced to uninstall

    Posted Jun 28, 2013 09:43 AM

    I'll have to try that on the next one I encounter, the one I encountered this morning I already fixed via the reinstall route.

    I'll respond with my results.



  • 4.  RE: Unable to SMC -stop damaged client, forced to uninstall

    Posted Jun 28, 2013 09:43 AM

    Here are two alternatives:

    1. Under Add/Remove Programs, do a Repair on SEP.
    2. Restart the system.

    HTH

    John



  • 5.  RE: Unable to SMC -stop damaged client, forced to uninstall

    Posted Jun 28, 2013 09:55 AM

    Just found another one. Sepmasterservice will not stop as a result of smc -stop and no SMC process in the process list to kill.

    Going to pull a support tool report and send to my RPS.



  • 6.  RE: Unable to SMC -stop damaged client, forced to uninstall

    Posted Jun 28, 2013 10:09 AM

    When executing smc -stop, make sure that the SEP client console (GUI) is not open on the screen - I have already seen several cases where this prevented smc -stop from executing correctly.



  • 7.  RE: Unable to SMC -stop damaged client, forced to uninstall

    Posted Jun 28, 2013 10:13 AM

    Nope, that wasn't the case either, unfortunately.

    Optimally I'd like to set up my script to force the sepmasterservice to stop in these cases so I can replace the policy dat files and sylink.xml file.



  • 8.  RE: Unable to SMC -stop damaged client, forced to uninstall

    Posted Jun 28, 2013 11:51 AM

    Try this:

    Get the PID of smc.exe and ccSvcHst.exe

    Open a CMD prompt

    Execute "taskkill /PID <PID> /f" where PID is that of smc.exe and ccSvcHst.exe

    For example, where PID of smc.exe is 400

    taskkill /pid 400 /f



  • 9.  RE: Unable to SMC -stop damaged client, forced to uninstall

    Posted Jun 28, 2013 03:15 PM

    Can't kill ccSvcHst even with the /f option. I received an access denied, though granted I was trying to do it remotely using psexec; maybe locally I'd have more luck. The idea is to eventually have a process to repair these without any console access.



  • 10.  RE: Unable to SMC -stop damaged client, forced to uninstall

    Posted Jun 28, 2013 03:26 PM

    Check out this thread.  It should have data to help you remove the SEP client and reinstall it:

    https://www-secure.symantec.com/connect/forums/how-get-cleanwipe-tool-endpoint-removal



  • 11.  RE: Unable to SMC -stop damaged client, forced to uninstall

    Posted Jul 01, 2013 08:16 AM

    Hi, 

    If it is a corrupted client, I am not thinking there is a way without repairing the client.

    Regards

    Ajin



  • 12.  RE: Unable to SMC -stop damaged client, forced to uninstall

    Posted Jul 01, 2013 08:19 AM

    The objective is to repair without uninstalling.



  • 13.  RE: Unable to SMC -stop damaged client, forced to uninstall

    Posted Jul 01, 2013 08:21 AM

    Very possible that may be the only solution. I'd like to explore the options; it is often easier to find the clients than to get the users off the devices to repair them.



  • 14.  RE: Unable to SMC -stop damaged client, forced to uninstall

    Posted Jul 01, 2013 01:42 PM

    Hello Scott,

    Unfortunately there is no good way to repair the client.  There are few things in the SEP client that can be fixed by a repair.  If the install is bad the best bet is to remove the client, reboot and reinstall.

    Is there some reason you don't want to uninstall and reinstall?



  • 15.  RE: Unable to SMC -stop damaged client, forced to uninstall

    Posted Jul 01, 2013 02:10 PM

    Aside from the time involved in Uninstall/Reboot/Install/Reboot/Confirm working, the problem is that every workstation with a broken SEP client has a user with the most important job at the company that can't afford any downtime. The rest of the company just pushes brooms around by comparison.

    For years I've looked for ways to fix these problems without impacting the user, I'm hoping to continue with these few broken SEP 12 clients.



  • 16.  RE: Unable to SMC -stop damaged client, forced to uninstall

    Posted Jul 01, 2013 02:32 PM

    Yes, understood.  However, repairs can be just as impactful as uninstall and reinstall.  Both require downtime and both require reboots.  However, I understand the request.  You need a way to repair the system without downtime and without impacting the user.  We don't have this feature today, but it is something we can look at in the future.  For now I recommend uninstalling and then reinstalling.



  • 17.  RE: Unable to SMC -stop damaged client, forced to uninstall

    Posted Jul 01, 2013 03:26 PM

    1. Going back to your original post, what is the precise symptom of client-SEPM comm not working properly?

     

    2. If the user will not let you on the machine how are you stopping SMC? 

     

    3. Here are two batch script lines I use to stop SMC ... starting is similar:

    rem  32bit sep 11 and 12
    "C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe" -stop && echo  "SMC -STOP" was applied.


    rem  64bit
    "C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Smc.exe" -stop && echo  "SMC -STOP" was applied.

     

    John
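
The batch lines above report that `-stop` was issued, not that the service actually stopped, which is the failure described earlier in the thread. The following is an added example, not posted by any participant: it runs the same `Smc.exe -stop` from whichever of the two quoted paths exists and then checks the state of `SepMasterService`. The function name, the 60-second timeout and the result labels are assumptions made for illustration.

```powershell
# Added example, not from the thread. The install paths and the service name
# are the ones quoted in the posts; everything else is illustrative.
function Stop-SepClient {
    param(
        [string]$ServiceName    = 'SepMasterService',
        [int]   $TimeoutSeconds = 60          # assumption: adjust to your environment
    )

    # Candidate locations quoted in the thread (32-bit and 64-bit Windows).
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    $smc = $roots |
        ForEach-Object { Join-Path $_ 'Symantec\Symantec Endpoint Protection\Smc.exe' } |
        Where-Object { Test-Path -LiteralPath $_ } |
        Select-Object -First 1

    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    if (-not $smc) { return [pscustomobject]@{ Result = 'SmcNotFound';     Status = $null; ExitCode = $null } }
    if (-not $svc) { return [pscustomobject]@{ Result = 'ServiceNotFound'; Status = $null; ExitCode = $null } }

    # Start-Process -Wait returns a process object whose ExitCode is reliable
    # whether or not Smc.exe is a console application.
    $proc = Start-Process -FilePath $smc -ArgumentList '-stop' -Wait -PassThru

    # Do not trust the command alone: wait for the service to report Stopped.
    try {
        $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds($TimeoutSeconds))
    } catch {
        # Timeout: fall through and report whatever state the service is in.
    }
    $svc.Refresh()

    $result = 'StillRunning'
    if ($svc.Status -eq 'Stopped') { $result = 'Stopped' }

    [pscustomobject]@{
        Result   = $result
        Status   = $svc.Status
        ExitCode = $proc.ExitCode
        Host     = $env:COMPUTERNAME
    }
}

$r = Stop-SepClient
$r | Format-List
# A non-zero exit code lets a calling script flag the machine for repair or reinstall.
if ($r.Result -ne 'Stopped') { exit 1 }
```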

     

     

     

     



  • 18.  RE: Unable to SMC -stop damaged client, forced to uninstall

    Posted Jul 01, 2013 03:30 PM

     

    Also, going to Add/Remove Programs and doing a Repair is simple enough that I have talked a couple of end users through it over the phone. They were happy that it only took a couple of minutes.