Endpoint Protection


2008 clients cannot upgrade nor clean install SEP 12.1 RU1 (managed)

6ft_under


  • 1.  2008 clients cannot upgrade nor clean install SEP 12.1 RU1 (managed)

    Posted Apr 23, 2012 03:25 PM

    I've been fighting with this for a week.

    We have a 2008 R2 server running SEPM 12.1 and I upgraded it to RU1 a week ago and deployed client upgrades to self and other 3 servers (2x 2008 Standard 32-bit and 1x XP SP3).

    SEP 12.1 RU1 got upgraded successfully on 2008 R2 (primary domain controller with firewall) and win XP SP3 (simple member "server", firewall turned off), however it did very weird things with 2 windows 2008 servers.

    namely on 2 machines (2008 domain controllers with firewalls) it went into a loop of uninstalling 12.1 (then asking for reboot) then trying to install 12.1 RU1 (and asking for a reboot) and then re-installing 12.1 again, and all over again until I deleted the deployment client package from SEPM server and local cache in Program Files on both machines to stop the madness.

     

    Now, I tried exporting the SEP 12.1 RU1 32-bit package to a network share and installing it manually on problematic servers, no go. error status 1603, installation failed.

     

    Then I removed all Symantec software from 1 problematic server, rebooted, used CleanWipe (all YES answers), rebooted, manually deleted left over files from Program Files, and again tried manually installing the exported SEP 12.1 RU1 32-bit package, no go. same error 1603.

     

    I tried disabling the Firewall on both SEPM machine and the problematic machine, no effect. What is going on here? Never had such deployment problems with SEP so far and we've been using it for long since ver 6.0 or 7.0 (was different name back then) ...

     

    here is the error:

    Log Name:      Application
    Source:        MsiInstaller
    Date:          4/23/2012 3:04:57 PM
    Event ID:      1033
    Task Category: None
    Level:         Information
    Keywords:      Classic
    User:          XX\zzz
    Computer:      yyyy.XX.lan
    Description:
    Windows Installer installed the product. Product Name: Symantec Endpoint Protection. Product Version: 12.1.1000.157. Product Language: 1033. Installation success or error status: 1603.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="MsiInstaller" />
        <EventID Qualifiers="0">1033</EventID>
        <Level>4</Level>
        <Task>0</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2012-04-23T19:04:57.000Z" />
        <EventRecordID>29408</EventRecordID>
        <Channel>Application</Channel>
        <Computer>XXXX.YY.lan</Computer>
        <Security UserID="S-1-5-21-*************************************************" />
      </System>
      <EventData>
        <Data>Symantec Endpoint Protection</Data>
        <Data>12.1.1000.157</Data>
        <Data>1033</Data>
        <Data>1603</Data>
        <Data>(NULL)</Data>
        <Data>
        </Data>
        <Data>
        </Data>
        <Binary>7B46413638393032332D304237322D343737312D393841362D4131433932374535383230377D</Binary>
      </EventData>
    </Event>



  • 2.  RE: 2008 clients cannot upgrade nor clean install SEP 12.1 RU1 (managed)

    Posted Apr 23, 2012 04:01 PM

    forgot to add, UAC is disabled domain wide.



  • 3.  RE: 2008 clients cannot upgrade nor clean install SEP 12.1 RU1 (managed)

    Posted Apr 23, 2012 04:17 PM

    Hi,

    For 12.1 check the below logs

    C:\ProgramData\Symantec\Symantec Endpoint Protection\<Product version>\Data\Install\Logs\SIS_INST.LOG

    Thanks and Regards

    Prakash Kamalakannan

     



  • 4.  RE: 2008 clients cannot upgrade nor clean install SEP 12.1 RU1 (managed)

    Posted Apr 23, 2012 04:27 PM

    fresh SEP_INST.LOG uploaded showing error 1603 upon fresh install attempt using the managed package.

    Attachment(s)

    zip
    SEP_INST.LOG__0.zip   160 KB 1 version


  • 5.  RE: 2008 clients cannot upgrade nor clean install SEP 12.1 RU1 (managed)

    Posted Apr 23, 2012 04:31 PM

    actually the server's failed install log is under %temp% location. since I have no older SEP installed currently, my "C:\program files\symantec" folder is empty. server is after CleanWipe and I manually removed all Symantec files from Program Files. several reboots later, disabled windows firewall and it still doesn't want to install ...

     

     

    ... Seems I will be re-installing the old (non RU1) package on those 2 problematic machines...



  • 6.  RE: 2008 clients cannot upgrade nor clean install SEP 12.1 RU1 (managed)

    Posted Apr 23, 2012 08:51 PM

    not good. I cannot install the formerly working 12.1 (non-RU1) version, either. Installation fails with the same error code 1603 ... what is wrong with this crap software? Thank you Symantec, that's what I needed, have nothing better to do than fighting with a broken software ...



  • 7.  RE: 2008 clients cannot upgrade nor clean install SEP 12.1 RU1 (managed)

    Broadcom Employee
    Posted Apr 24, 2012 01:28 AM

    disable the UAC and try installing the product.



  • 8.  RE: 2008 clients cannot upgrade nor clean install SEP 12.1 RU1 (managed)

    Posted Apr 24, 2012 11:17 AM

    as I said in second post, UAC is permanently disabled on every computer in our 2008 domain.

    for time of installation I tried disabling Windows Firewall on SEPM server and potential SEP client to no avail, same problem. can't install neither 12.1 nor 12.1-RU1 product, error 1603 at the end of installation and rollback.

     

    attached is another log, this one when I tried installing 12.1 (non-RU1) managed 32-bit client, Basic set of features.

     

    any ideas what might be causing it?

     

    I did check the Application Control policy on SEPM and there is nothing like "Protect client files and registry".

     

    I guess my last chance is to install the unmanaged version of SEP, and then (if it works) inject the policy settings into it, so it becomes managed again. what a pain ...

    Attachment(s)

    zip
    SEP_INST_non-ru1.zip   167 KB 1 version


  • 9.  RE: 2008 clients cannot upgrade nor clean install SEP 12.1 RU1 (managed)

    Posted Apr 24, 2012 12:09 PM

    not funny. cannot install unmanaged client, same error 1603.

     

    log attached, all events copied and pasted from Application log in chronological order, names of server, domain and user account have been edited out for security reasons.

    ***

    Log Name:      Application
    Source:        MsiInstaller
    Date:          4/24/2012 11:51:51 AM
    Event ID:      1040
    Task Category: None
    Level:         Information
    Keywords:      Classic
    User:          YY\zzzzzz
    Computer:      XXXX.YY.lan
    Description:
    Beginning a Windows Installer transaction: C:\Users\zzzzzz\AppData\Local\Temp\2\Symantec\Sep.msi. Client Process Id: 5384.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="MsiInstaller" />
        <EventID Qualifiers="0">1040</EventID>
        <Level>4</Level>
        <Task>0</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2012-04-24T15:51:51.000Z" />
        <EventRecordID>29541</EventRecordID>
        <Channel>Application</Channel>
        <Computer>XXXX.YY.lan</Computer>
        <Security UserID="S-1-5-21-1060350465-1840301120-2247087147-4608" />
      </System>
      <EventData>
        <Data>C:\Users\zzzzzz\AppData\Local\Temp\2\Symantec\Sep.msi</Data>
        <Data>5384</Data>
        <Data>(NULL)</Data>
        <Data>(NULL)</Data>
        <Data>(NULL)</Data>
        <Data>
        </Data>
        <Data>
        </Data>
      </EventData>
    </Event>

    ***

    Log Name:      Application
    Source:        Symantec Endpoint Protection
    Date:          4/24/2012 11:52:12 AM
    Event ID:      34
    Task Category: None
    Level:         Information
    Keywords:      Classic
    User:          SYSTEM
    Computer:      XXXX.YY.lan
    Description:
    The description for Event ID 34 from source Symantec Endpoint Protection cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

    If the event originated on another computer, the display information had to be saved with the event.

    The following information was included with the event:

    SepMasterService

    the message resource is present but the message is not found in the string/message table

    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Symantec Endpoint Protection" />
        <EventID Qualifiers="16384">34</EventID>
        <Level>4</Level>
        <Task>0</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2012-04-24T15:52:12.000Z" />
        <EventRecordID>29542</EventRecordID>
        <Channel>Application</Channel>
        <Computer>XXXX.YY.lan</Computer>
        <Security UserID="S-1-5-18" />
      </System>
      <EventData>
        <Data>SepMasterService</Data>
      </EventData>
    </Event>

    ***

    Log Name:      Application
    Source:        Symantec Endpoint Protection
    Date:          4/24/2012 11:52:12 AM
    Event ID:      35
    Task Category: None
    Level:         Information
    Keywords:      Classic
    User:          SYSTEM
    Computer:      XXXX.YY.lan
    Description:
    The description for Event ID 35 from source Symantec Endpoint Protection cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

    If the event originated on another computer, the display information had to be saved with the event.

    The following information was included with the event:

    SepMasterService

    the message resource is present but the message is not found in the string/message table

    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Symantec Endpoint Protection" />
        <EventID Qualifiers="16384">35</EventID>
        <Level>4</Level>
        <Task>0</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2012-04-24T15:52:12.000Z" />
        <EventRecordID>29543</EventRecordID>
        <Channel>Application</Channel>
        <Computer>XXXX.YY.lan</Computer>
        <Security UserID="S-1-5-18" />
      </System>
      <EventData>
        <Data>SepMasterService</Data>
      </EventData>
    </Event>

    ***

    Log Name:      Application
    Source:        MsiInstaller
    Date:          4/24/2012 11:53:17 AM
    Event ID:      11708
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      XXXX.YY.lan
    Description:
    Installation failed
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="MsiInstaller" />
        <EventID Qualifiers="0">11708</EventID>
        <Level>2</Level>
        <Task>0</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2012-04-24T15:53:17.000Z" />
        <EventRecordID>29544</EventRecordID>
        <Channel>Application</Channel>
        <Computer>XXXX.YY.lan</Computer>
        <Security />
      </System>
      <EventData>
        <Data>Installation failed</Data>
        <Binary>7B41334145454136382D414339332D344636462D384432442D3738424246374534323242387D</Binary>
      </EventData>
    </Event>

    ***

    Log Name:      Application
    Source:        Symantec Endpoint Protection
    Date:          4/24/2012 11:53:52 AM
    Event ID:      36
    Task Category: None
    Level:         Information
    Keywords:      Classic
    User:          SYSTEM
    Computer:      XXXX.YY.lan
    Description:
    The description for Event ID 36 from source Symantec Endpoint Protection cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

    If the event originated on another computer, the display information had to be saved with the event.

    The following information was included with the event:

    SepMasterService

    the message resource is present but the message is not found in the string/message table

    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Symantec Endpoint Protection" />
        <EventID Qualifiers="16384">36</EventID>
        <Level>4</Level>
        <Task>0</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2012-04-24T15:53:52.000Z" />
        <EventRecordID>29545</EventRecordID>
        <Channel>Application</Channel>
        <Computer>XXXX.YY.lan</Computer>
        <Security UserID="S-1-5-18" />
      </System>
      <EventData>
        <Data>SepMasterService</Data>
      </EventData>
    </Event>

    ***

    Log Name:      Application
    Source:        Symantec Endpoint Protection
    Date:          4/24/2012 11:53:52 AM
    Event ID:      37
    Task Category: None
    Level:         Information
    Keywords:      Classic
    User:          SYSTEM
    Computer:      XXXX.YY.lan
    Description:
    The description for Event ID 37 from source Symantec Endpoint Protection cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

    If the event originated on another computer, the display information had to be saved with the event.

    The following information was included with the event:

    SepMasterService

    the message resource is present but the message is not found in the string/message table

    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Symantec Endpoint Protection" />
        <EventID Qualifiers="16384">37</EventID>
        <Level>4</Level>
        <Task>0</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2012-04-24T15:53:52.000Z" />
        <EventRecordID>29546</EventRecordID>
        <Channel>Application</Channel>
        <Computer>XXXX.YY.lan</Computer>
        <Security UserID="S-1-5-18" />
      </System>
      <EventData>
        <Data>SepMasterService</Data>
      </EventData>
    </Event>

    ***

    Log Name:      Application
    Source:        MsiInstaller
    Date:          4/24/2012 11:53:56 AM
    Event ID:      11708
    Task Category: None
    Level:         Information
    Keywords:      Classic
    User:          YY\zzzzzz
    Computer:      XXXX.YY.lan
    Description:
    Product: Symantec Endpoint Protection -- Installation operation failed.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="MsiInstaller" />
        <EventID Qualifiers="0">11708</EventID>
        <Level>4</Level>
        <Task>0</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2012-04-24T15:53:56.000Z" />
        <EventRecordID>29547</EventRecordID>
        <Channel>Application</Channel>
        <Computer>XXXX.YY.lan</Computer>
        <Security UserID="S-1-5-21-1060350465-1840301120-2247087147-4608" />
      </System>
      <EventData>
        <Data>Product: Symantec Endpoint Protection -- Installation operation failed.</Data>
        <Data>(NULL)</Data>
        <Data>(NULL)</Data>
        <Data>(NULL)</Data>
        <Data>(NULL)</Data>
        <Data>
        </Data>
        <Data>
        </Data>
        <Binary>7B41334145454136382D414339332D344636462D384432442D3738424246374534323242387D</Binary>
      </EventData>
    </Event>

    ***

    Log Name:      Application
    Source:        MsiInstaller
    Date:          4/24/2012 11:53:56 AM
    Event ID:      1033
    Task Category: None
    Level:         Information
    Keywords:      Classic
    User:          YY\zzzzzz
    Computer:      XXXX.YY.lan
    Description:
    Windows Installer installed the product. Product Name: Symantec Endpoint Protection. Product Version: 12.1.671.4971. Product Language: 1033. Installation success or error status: 1603.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="MsiInstaller" />
        <EventID Qualifiers="0">1033</EventID>
        <Level>4</Level>
        <Task>0</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2012-04-24T15:53:56.000Z" />
        <EventRecordID>29548</EventRecordID>
        <Channel>Application</Channel>
        <Computer>XXXX.YY.lan</Computer>
        <Security UserID="S-1-5-21-*****************************************************" />
      </System>
      <EventData>
        <Data>Symantec Endpoint Protection</Data>
        <Data>12.1.671.4971</Data>
        <Data>1033</Data>
        <Data>1603</Data>
        <Data>(NULL)</Data>
        <Data>
        </Data>
        <Data>
        </Data>
        <Binary>7B41334145454136382D414339332D344636462D384432442D3738424246374534323242387D</Binary>
      </EventData>
    </Event>

    ***

    Log Name:      Application
    Source:        MsiInstaller
    Date:          4/24/2012 11:53:56 AM
    Event ID:      1042
    Task Category: None
    Level:         Information
    Keywords:      Classic
    User:          SYSTEM
    Computer:      XXXX.YY.lan
    Description:
    Ending a Windows Installer transaction: C:\Users\cdmaster\AppData\Local\Temp\2\Symantec\Sep.msi. Client Process Id: 5384.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="MsiInstaller" />
        <EventID Qualifiers="0">1042</EventID>
        <Level>4</Level>
        <Task>0</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2012-04-24T15:53:56.000Z" />
        <EventRecordID>29549</EventRecordID>
        <Channel>Application</Channel>
        <Computer>XXXX.YY.lan</Computer>
        <Security UserID="S-1-5-18" />
      </System>
      <EventData>
        <Data>C:\Users\zzzzzz\AppData\Local\Temp\2\Symantec\Sep.msi</Data>
        <Data>5384</Data>
        <Data>(NULL)</Data>
        <Data>(NULL)</Data>
        <Data>(NULL)</Data>
        <Data>
        </Data>
        <Data>
        </Data>
      </EventData>
    </Event>

    ***

     

    do I have to install it using local console session? so far I tried a remote connection to admin session, is this a problem here now?

    Attachment(s)

    zip
    SEP_INST_51.zip   157 KB 1 version


  • 10.  RE: 2008 clients cannot upgrade nor clean install SEP 12.1 RU1 (managed)

    Trusted Advisor
    Posted Apr 24, 2012 12:42 PM

    Hello,

    Correct, You would have to use a remote desktop console session.

    How to install or manage Symantec AntiVirus and Symantec Endpoint Protection components through Remote Desktop

    http://www.symantec.com/docs/TECH104331

    Steps to prepare computers to install Symantec Endpoint Protection 12.1 client

    http://www.symantec.com/docs/TECH163112

    In your case, I would request you to manually Uninstall the previous version of SEP from the server machine and freshly install SEP 12.1 RU1.

    http://www.symantec.com/docs/TECH161956

    Hope that helps!!


  • 11.  RE: 2008 clients cannot upgrade nor clean install SEP 12.1 RU1 (managed)

    Posted Apr 24, 2012 02:11 PM

    Hi Mithun,

     

    Thanks for links. Actually I was and am running always a remote desktop connection session with admin privileges to 2008 boxes. this means I do run it as session 0 (just verified it and it is rdp-tcp#0), so it couldn't be an RDC problem I encountered.

     

    also, I had manually removed/uninstalled previous SEP completely before and on top of that I ran CleanWipe tool AND manually removed Symantec folders from Program Files and Common folder. there is nothing symantec on servers, I cannot install 12.1 nor 12.1RU1, check out the logs.

    what is the error 1603 for? it happens always at the end of installation and causes a rollback. I am logged on as Domain Admin.

     

    I am at total loss here...
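On the question of what status 1603 means and where to look next, here is an added example (not code from the thread or from Symantec) that reads a 1033 event like the ones posted above and then finds the first failing action in an MSI verbose log. The function names are hypothetical, the MSI log lines are constructed, and reading the decoded `<Binary>` GUID as the package's MSI product code is an assumption.

```powershell
# Added example, not code from the thread. The event XML is trimmed from the first
# post; the MSI log lines are constructed (hypothetical action name).
$sampleEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="MsiInstaller" />
    <EventID Qualifiers="0">1033</EventID>
    <TimeCreated SystemTime="2012-04-23T19:04:57.000Z" />
  </System>
  <EventData>
    <Data>Symantec Endpoint Protection</Data>
    <Data>12.1.1000.157</Data>
    <Data>1033</Data>
    <Data>1603</Data>
    <Binary>7B46413638393032332D304237322D343737312D393841362D4131433932374535383230377D</Binary>
  </EventData>
</Event>
'@
$sampleLog = @'
MSI (s) (5C:10) [11:52:10:100]: Doing action: InstallFiles
Action ended 11:52:40: InstallFiles. Return value 1.
MSI (s) (5C:10) [11:53:10:200]: Doing action: ExampleCustomAction
CustomAction ExampleCustomAction returned actual error code 1603
Action ended 11:53:17: ExampleCustomAction. Return value 3.
Action ended 11:53:17: INSTALL. Return value 3.
'@

# A few Windows Installer exit codes; 1603 is the generic "fatal error" code.
$MsiStatus = @{
    0    = 'ERROR_SUCCESS'
    1602 = 'ERROR_INSTALL_USEREXIT (user cancelled)'
    1603 = 'ERROR_INSTALL_FAILURE (fatal error during installation)'
    1618 = 'ERROR_INSTALL_ALREADY_RUNNING'
    3010 = 'ERROR_SUCCESS_REBOOT_REQUIRED'
}

function ConvertFrom-MsiInstallerEvent {
    param([Parameter(Mandatory = $true)][string]$EventXml)

    $doc = [xml]$EventXml
    # local-name() sidesteps the default event namespace.
    $provider = $doc.SelectSingleNode("//*[local-name()='Provider']").GetAttribute('Name')
    $eventId  = $doc.SelectSingleNode("//*[local-name()='EventID']").InnerText
    if ($provider -ne 'MsiInstaller' -or $eventId -ne '1033') { return }

    # Event 1033 data order as posted: product, version, language, status.
    $data = @($doc.SelectNodes("//*[local-name()='EventData']/*[local-name()='Data']") |
              ForEach-Object { $_.InnerText.Trim() })
    if ($data.Count -lt 4) { return }

    # <Binary> is hex-encoded ASCII; in the posted events it decodes to a braced GUID
    # (assumed here to be the MSI product code).
    $productCode = $null
    $binNode = $doc.SelectSingleNode("//*[local-name()='Binary']")
    if ($binNode -and $binNode.InnerText) {
        $hex   = $binNode.InnerText.Trim()
        $bytes = for ($i = 0; $i -lt $hex.Length - 1; $i += 2) {
            [Convert]::ToByte($hex.Substring($i, 2), 16)
        }
        $productCode = [Text.Encoding]::ASCII.GetString([byte[]]$bytes)
    }

    $status = [int]$data[3]
    New-Object psobject -Property @{
        Product = $data[0]; Version = $data[1]; Status = $status
        Meaning = $MsiStatus[$status]; ProductCode = $productCode
    }
}

function Find-MsiLogFailure {
    param([string[]]$Line, [int]$Context = 2)

    # The first "Return value 3." marks the action that failed; later ones are
    # the parent actions unwinding during rollback.
    for ($i = 0; $i -lt $Line.Count; $i++) {
        if ($Line[$i] -match 'Return value 3\.') {
            $before = @()
            if ($i -gt 0) { $before = $Line[([Math]::Max(0, $i - $Context))..($i - 1)] }
            return New-Object psobject -Property @{
                LineNumber = $i + 1; Failed = $Line[$i]; Before = $before
            }
        }
    }
}

ConvertFrom-MsiInstallerEvent -EventXml $sampleEvent | Format-List
Find-MsiLogFailure -Line ($sampleLog -split "`r?`n") | Format-List

# On the affected server (log name and %temp% location as given in the thread):
# Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'MsiInstaller'; Id = 1033 } |
#     ForEach-Object { ConvertFrom-MsiInstallerEvent -EventXml $_.ToXml() } |
#     Where-Object { $_.Status -ne 0 }
# Find-MsiLogFailure -Line (Get-Content "$env:TEMP\SEP_INST.LOG")
```

The lines just before the first `Return value 3.` usually name the custom action or file operation that triggered the rollback, which is more specific than the 1603 status in the event log.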



  • 12.  RE: 2008 clients cannot upgrade nor clean install SEP 12.1 RU1 (managed)

    Posted Apr 24, 2012 02:21 PM

    will try restarting this server one more time and start installation in local console session mode. if the problem persists then I guess it's time to contact Symantec support for the latest version of CleanWipe tool and start over.



  • 13.  RE: 2008 clients cannot upgrade nor clean install SEP 12.1 RU1 (managed)

    Trusted Advisor
    Posted Apr 24, 2012 02:31 PM

    Hello,

    Was the Server restarted, once you uninstalled / install SEP on the server machine?

    Is there a Shortcut created for SEP client on the desktop of the server machine? 

    After Manually uninstall of SEP client, verify and Manually remove affected registry keys in:

    "HKEY_LOCAL_MACHINE\Software\Wow6432Node\Symantec\Symantec Endpoint Protection\"

    then,

    Try Creating an install package with a custom setting under the “Client Install Settings” options to not use “Add the program to the Start Menu”, leave this unchecked.

    If the install is successful, manually create the shortcut on the desktop that points SymCorpUI.exe.

    If the above does not help, please upload the SIS_INST.log, Log Files are located in %temp% or %systemroot%\temp

    Hope that helps!!

     



  • 14.  RE: 2008 clients cannot upgrade nor clean install SEP 12.1 RU1 (managed)

    Trusted Advisor
    Posted Apr 24, 2012 02:36 PM

    Hello,

    What version of CleanWipe were you using?

    Was that CleanWipe v_12.1?

    If not, you would have to connect Symantec Technical Support for the same.

    NOTE: It is not recommended to Run the CleanWipe Tool on server machines.



  • 15.  RE: 2008 clients cannot upgrade nor clean install SEP 12.1 RU1 (managed)

    Posted Apr 24, 2012 02:51 PM

    I used an older CleanWipe package I have from Symantec from the past. not a 12.1 I believe, the cleanwipe.exe package is dated November 2007, too old I guess?

     

    How do you get an updated package from Symantec? I cannot create new case electronically, because I can't pass the account verification (have neither of the numbers it wants), do I need to call? what phone number?



  • 16.  RE: 2008 clients cannot upgrade nor clean install SEP 12.1 RU1 (managed)

    Posted Apr 24, 2012 02:53 PM

    just a quick update.

     

    tried local console session installation and it failed with the very same error 1603. geeeeez, why nothing works? why did this get broken during auto-upgrade deployment in first place? I am so annoyed with this software that you can't even believe...



  • 17.  RE: 2008 clients cannot upgrade nor clean install SEP 12.1 RU1 (managed)

    Posted Apr 24, 2012 02:59 PM

    server was restarted after every and each of uninstall or install (including failed ones).

    there is no SEP shortcut on the desktop, there is no SEP in Programs and Features under Control Panel, in fact there is nothing related to Symantec at all.

     

    *will get back about the rest in a minute.*

     

    I found this registry key on the 2008 32-bit server:

    HKEY_LOCAL_MACHINE\Software\Symantec\Symantec Endpoint Protection

    removed the whole Symantec instance, restarted server again. preparing a new package of 12.1RU1 with Basic Feature Set (managed) and no start menu structure as suggested. will try another install soon.



  • 18.  RE: 2008 clients cannot upgrade nor clean install SEP 12.1 RU1 (managed)

    Trusted Advisor
    Posted Apr 24, 2012 03:01 PM

    Hello,

    You would have to call symantec or log a web case.

    QuickStart Guide - Create and Manage Support Cases in SymWISE

    http://www.symantec.com/docs/HOWTO31132

    How to update a support case and upload diagnostic files with MySupport

    http://www.symantec.com/docs/TECH71023

    OR

    Regional Support Telephone Numbers:

    United States: https://support.broadcom.com (407-357-7600 from outside the United States)

    Australia: 1300 365510 (+61 2 8220 7111 from outside Australia)

    United Kingdom: +44 (0) 870 606 6000

    Additional contact numbers: http://www.symantec.com/business/support/contact_techsupp_static.jsp

     

    Hope that helps!!



  • 19.  RE: 2008 clients cannot upgrade nor clean install SEP 12.1 RU1 (managed)

    Posted Apr 24, 2012 03:26 PM

    I cannot log a webcase as I don't have any Support number, technical contact id or technical case id mapped to my account ... will try calling them later.

     

    anyways, I searched registry for symantec and found some more remnants from older versions, e.g.:

    syKnAppS.dll in several places, it seems to be related to LiveUpdate, some references to Symantec\SAV and many other keys related to "symantec".

    also discovered the whole folder of Symantec stuff sitting under ProgramData and found dozens of Symantec references throughout the registry, removing all.

     

    I think I may quickly go manually through manual uninstall instructions after I am done with removing Symantec keys to remove maybe some more.



  • 20.  RE: 2008 clients cannot upgrade nor clean install SEP 12.1 RU1 (managed)

    Trusted Advisor
    Posted Apr 24, 2012 03:41 PM

     

    Hello,

    I would request you to manually Uninstall the previous version of SAV / SEP from the server machine and freshly install SEP 12.1 RU1.

    http://www.symantec.com/docs/TECH161956

    and check this:

    http://www.symantec.com/docs/TECH96924

    Hope that helps!!

     


  • 21.  RE: 2008 clients cannot upgrade nor clean install SEP 12.1 RU1 (managed)
    Best Answer

    Posted Apr 24, 2012 05:14 PM

    yeah, I am cleaning registry manually now as we speak according to one of former links (manual uninstall of SEP 12.1).

     

    in meantime I called support for the Support id and logged the case too requesting a CleanWipe tool. I can do manual cleaning on this server, there is nothing really important on it except for Fax service and File server replica, but the other server having same trouble is a critical database server, so I'd like an automated tool do that instead.

     

    EDIT:

    it appears that on top of registry entries that I found using search with keywords "symantec" and "syKnAppS.dll" there was nothing else in the whole registry.

    However on hdd I found a few more symantec related folders and driver files under Windows (and sub-folders) thanks to instructions on manual removal.

     

     



  • 22.  RE: 2008 clients cannot upgrade nor clean install SEP 12.1 RU1 (managed)

    Posted Apr 24, 2012 05:16 PM

    HDD search using keyword "symantec" revealed 50 more files and folders (total weight of around 1GB) hidden in many different users, programs and windows folders, all related to SAV and SEP. deleted them all ... restarted the machine ... and voilà!

    was able to install a managed client of SEP12.1RU1 (basic feature set), the one that failed during initial auto-upgrade via SEPM deployment. it's already up and running!!! :) ... now I need to do the same thing on the other machine :(



  • 23.  RE: 2008 clients cannot upgrade nor clean install SEP 12.1 RU1 (managed)

    Trusted Advisor
    Posted Apr 24, 2012 05:17 PM

    Hello,

    Hardwork..Finally paid off...

    For the other server machine, I would also recommend a manual Uninstallation as Running a CleanWipe on a Critical server machine is not recommended.

    Hope that helps!!

    Could you please Mark the Correct Comment in this Thread as "Solved" which has helped you the most?



  • 24.  RE: 2008 clients cannot upgrade nor clean install SEP 12.1 RU1 (managed)

    Posted Apr 24, 2012 05:48 PM

    Thank you!

     

    actually, I marked my own reply as Solution as I was aware of manual SEP uninstallation instructions in first place and all the troubleshooting steps posted in this thread. I googled the problem before I started this thread and found half a dozen of unsolved/abandoned cases with lots of troubleshooting (same steps) and links (same) to Symantec documentation, all mentioning error 1603 and no quick & easy solution. I just didn't want to follow that path without exploring first other ways (there were no shortcuts it appears).

     

    I am actually going to run the CleanWipe on that other critical server as well as it takes care of most of registry entries then I will just have to follow search for "symantec" in both registry and system hard drive to catch the rest. I have a fresh OS and db backup if things go wrong though ...

     

    Issue was more complicated than a simple CleanWipe can fix, because those both servers were initially running Windows 2003 (non-R2) and Symantec AV since 7.0 and through upgrades step by step they were upgraded up to SEP12.1 and eventually those machines were upgraded to Windows 2008 32-bit Standard OS about only a year ago. that's a lot of remnant Symantec files and registry entries that piled up over years...



  • 25.  RE: 2008 clients cannot upgrade nor clean install SEP 12.1 RU1 (managed)

    Posted Apr 25, 2012 03:37 PM

    completed successfully on other more important server :) client 12.1RU1 is up and running! :)

    after running the latest cleanwipe (which got stuck on runtwice.bat process even after 2 reboots, so I had to manually remove it from registry), I again found the same things in registry and on OS partition as before on former server (which ran the older version of cleanwipe successfully).

    examples:

    HKLM\software\microsoft\windows\currentversion\installer\userdata\S-1-5-18\components\
    HKLM\software\symantec

    s32evnt1.dll
    syKnAppS.dll

    a bunch under HKLM\system\controlset*\enum\root\legacy_**** (can't delete those keys but it doesn't matter)
    some others under HKLM\system\currentcontrolset*\services\eventlog (those I haven't touched)

    HKU\***\software\classes\local settings\software\microsoft\windows\shell\muicache (deleted all)

    again a bunch of files and folders under:
    program files\symantec
    program files\common files\Symantec shared
    programdata\symantec
    windows\system32\drivers\sep

    search on local drive for "symantec" helps to remove them all quickly.

    after server restart, the installation of 12.1RU1 managed package succeeded.
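
The leftover locations listed in this thread can be inventoried before any manual cleanup. The script below is an added example (not from the thread or from Symantec) and is read-only: it reports which of the folders and registry keys named above still exist and which Windows Installer component records still point at Symantec paths. The function name `Get-SymantecRemnant` is hypothetical, and the paths assume a default Windows layout.

```powershell
# Added example: read-only inventory of the leftover locations named in this thread.
# It deletes nothing; review the output before removing anything by hand.

function Get-SymantecRemnant {
    param(
        # Folders and registry keys listed in the posts above.
        [string[]]$Folder = @(
            (Join-Path $env:ProgramFiles 'Symantec'),
            (Join-Path $env:CommonProgramFiles 'Symantec Shared'),
            (Join-Path $env:ProgramData 'Symantec'),
            (Join-Path $env:SystemRoot 'System32\drivers\SEP')
        ),
        [string[]]$RegistryKey = @(
            'HKLM:\SOFTWARE\Symantec',
            'HKLM:\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection'
        ),
        [string]$ComponentsKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components',
        # Keywords the poster searched for.
        [string]$Pattern = 'symantec|syKnAppS\.dll|s32evnt1\.dll'
    )

    foreach ($path in $Folder) {
        if (Test-Path -LiteralPath $path) {
            $files = @(Get-ChildItem -LiteralPath $path -Recurse -Force -ErrorAction SilentlyContinue |
                       Where-Object { -not $_.PSIsContainer })
            $bytes = ($files | Measure-Object -Property Length -Sum).Sum
            New-Object psobject -Property @{
                Kind = 'Folder'; Location = $path
                Detail = ('{0} files, {1:N1} MB' -f $files.Count, ($bytes / 1MB))
            }
        }
    }

    foreach ($key in $RegistryKey) {
        if (Test-Path -LiteralPath $key) {
            $sub = @(Get-ChildItem -LiteralPath $key -Recurse -ErrorAction SilentlyContinue)
            New-Object psobject -Property @{
                Kind = 'RegistryKey'; Location = $key; Detail = "$($sub.Count) subkeys"
            }
        }
    }

    # Each Components subkey holds values whose data is a file or registry path;
    # report the ones that still reference Symantec files.
    if (Test-Path -LiteralPath $ComponentsKey) {
        foreach ($component in (Get-ChildItem -LiteralPath $ComponentsKey -ErrorAction SilentlyContinue)) {
            foreach ($name in $component.GetValueNames()) {
                $value = [string]$component.GetValue($name)
                if ($value -match $Pattern) {
                    New-Object psobject -Property @{
                        Kind = 'InstallerComponent'; Location = $component.PSChildName; Detail = $value
                    }
                }
            }
        }
    }
}

Get-SymantecRemnant | Sort-Object Kind, Location |
    Format-Table Kind, Location, Detail -AutoSize -Wrap
```

Run it from an elevated prompt so the Installer `UserData` keys are readable; an empty result means none of the listed locations remain.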