I'm going braindead after fighting a few machines like this today...

I have a laptop that was off for over a month.  I started updating it today and got an SEP message that a file was missing.  The laptop restarted.  I didn't get a chance to see exactly which file it wanted.  It look a while to restart and voila... SEP was uninstalled.  I know it was on here before for sure, plus I had the SEP error message.

I tried to reinstall.  No luck.  It will start but eventually I get this... "Symantec Endpoint Protection has detected that there are pending system changes that require a reboot.  Please reboot the system and rerun the installation."  I figured it was waiting on Windows updates we have forced through group policy so I did all the Windows update.  Still no luck.  Same error message.

I went on SEPM and found the computer.  It's got an orange down arrow and a red circle with a white x in it.  I deleted that and tried reinstalling.  Same thing -- SEP detected pending system changes....  I restart, try to reinstall SEP, no luck.

Right now, it appears to have no AV on it.  I tried renaming the c:\program files\Symantec folder.  No luck.

Questions...

Does SEP automatically uninstall itself if a machine hasn't been used for a while?  I could understand forcing updates to be installed or even forcing a reboot to install program changes.  I don't see the point of leaving it unprotected though.  Occasionally we do have laptops that we don't see for a month or... four-ish.  I'm stuck when the user doesn't bring their laptop back.  Most of the time, they're not using it so it's not a huge concern if it's not updated.  And we have Symantec now so that should catch anything that gets in... except it appears to have uninstalled itself.

How do I get Symantec installed on this thing again?  I'm out of ideas.

How do I prevent this from happening again?  It's not unrealistic that I won't see a laptop for a few months.  I just installed SEP on another laptop I haven't seen since Nov 2012.  I might not see that again for months.  But that's the situation here for a few laptops.

Why won't this install again?  I thought if I removed it from SEPM and reinstalled on the laptop that would work.  SEP isn't in the programs list anymore.  I don't see a way to uninstall SEP, but I renamed the programs folder folder.

It's a Windows 7 Enterprise laptop.  Everything's updated.  I've restarted it many times.  I'm thinking it's sitting here unprotected now, and I'm wondering what would have happened if the user started it... Would SEP see itself as out-of-date and uninstall itself?

SEP will not uninstall itself. It's more likely it got infected and malware disabled it. Run a scan on it with the tools found here"

https://www-secure.symantec.com/connect/forums/your-system-infected-symantec-tools-help-clear-infection

After that you can either create a package and install locally or do a push from the SEPM. Check this article on how:

About client deployment methods

I keep losing my posts....

I'm doubting viruses.  I was the last person logged in.  It's been sitting on a shelf for over a month.  I'll run malwarebytes on it though.

It was upgraded with everyone else to 12.1.2, whichever the latest version of SEP is.

This isn't a user who would get viruses and the laptop hasn't been used.  ... If it is a virus, it just came through when I ran updates, actually before I ran updates.  There's nothing else on our network and the update files are the same ones I've used on dozens of computers before this one.

Sorry my assumption is it was out in the field.

Either way, SEP doesn't just uninstall itself unless some pretty fancy and scheduled scripting is done. And even more unlikely sitting ona shelf.

Do any of the SEP services show running in the task tray? No client icon in task tray?

What about in add/remove programs?

In regards to the reboot issue, try the solution here:

Not able to install SEP12.1 client on Windows 7 computer due to Pending restart issue.

Back this morning....

Nothing on Malwarebytes.

svchost.exe is running in the process tab.  Twice.  Top memory users.  Those are under System for the user name column.  I see another one under Network, svchost.exe  I thought those were Symantec.... Maybe not.  I thought they were the virus scans.

Nothing on the lower right task bar.  Nothing in the programs list. 

There is a Symantec folder in the Start menu programs list.  And I see there's a new Symantec folder in c:\program files, along with the Symantec_old folder I renamed yesterday.

SEPM still shows this laptop in the list with an orange down arrow, white x in red circle.  Time status last changed was yesterday, 4pm, probably when I installed it again.  It says it needs a restart.

Odd... I see about ten or so svchost.exe in the task manager....  I deleted them.  Two came back.  I'm restarting....

those are going to be present in task manager even after restart.

No change again.

SEP not present as described above.

SEPM show the orange arrow, red circle again.

I'm trying copying in the Symantec folder from another 32 bit computer.  I had to skip 10 .dat files though. 

Hmm... Nothing in Programs, the tasbar... but under the Start menu, I clicked on the exe. It asked for admin approval to run like normal.

I believe this is the same error message as yesterday....

"SymCorpUIRes.dll could not be found."

I'm pretty sure that's it. It popped up and then the computer restarted and SEP wasn't quite there.

I wonder if I can grab that from another computer too....

Interesting...

\Program Files\Symantec\Symantec Endpoint Protection\12.1.2015.2015.105\Res\1033

Is where that dll file.  It is there.  I copied one in from another computer.  I still get that error message about it not being there.

Also interesting...

When I click on the Start menu sometimes, I get this error message...

"VpShellRes.dll could not be found."

Maybe something's f'd up with Windows...

Yes, I get that error message consistently.  I click on Start, type cmd and right click on cmd.exe to try to get an elevated cmd prompt.  I can get there.  Just that error.

Even in c:\windows\system32, when I right click on cmd.exe... Same vpshell missing error.  Weird.  

I was going to do a sfc /scannow.

Trying a system repair disk.  This will take a while.

Otherwise I could rollback or try safe mode maybe.

Run a full scan from Recovery CD, then install SEP

How To Use the Symantec Endpoint Recovery Tool with the Latest Virus Definitions

http://www.symantec.com/business/support/index?page=content&id=TECH131732

once you confirm that its clean, run cleanwipe and reinstall SEP

At this point run a cleanwipe and re-install

Startup repair was... startup repair. Nothing there. I tried to go on a command line and do sfc /scannow through the startup disk but got an error.

Same missing vpshell dll error in safe mode.

Restore points didn't go back far enough. It's still 'post updates/error.'

I'm just going to give up and reimage the computer.  No solution I see.  I think something got really messed up when group policy pushed the Windows updates and I started running updates.  Or some kind of corruption.

Interesting....

Maybe I botched the 32 bit standalone installer.  We did upgrad everyone.  Most worked with a push.  Some didn't... Maybe only a few 64 bit machines didn't work.

I reimaged the machine.  Got everything updated like normal.  Then installed SEP from the standalone 32 bit installer.  Similar effect.... It didn't have SEP pop up at the end and update itself like I've seen.  It's not in the task bar or programs list.  It's in the Start menu programs folder, but only a help file is listed.  After a restart, there are two help files in there.  SEPM has it enabled and doesn't say it needs a restart.

I rolled the laptop back to an earlier restore point so there's no SEP on it.  I made a new 32 bit standalone SEP installer.  I'll see if that works.

It still doesn't explain why the computer initially restarted.  Possibly corrupt files from whatever, a Windows update maybe.  And then botched 32 bit stand alone installer.

Unless there's a hardward thing with this laptop and SEP now.  That seems odd.

More strangeness.

Same result on this laptop with a new standalone installer.  It starts the installer file but never does the LiveUpdate at the end or says it needs a restart like normal.

I tested both the original (post upgrade) and newly create installer files on other 32 bit computer.  No problems.  Installs fine.  LiveUpdates.  Asks for a restart.  Appears in SEPM like normal.

This laptop was just imaged.... Same image as the other two 32 bit testing computers, too.  Those were just create a couple weeks ago.  Something about this laptop doesn't like SEP anymore.  This laptop was upgraded to the current version, 12.1.2 or whatever the latest is, no problems there. 

Hardware issue?  Memory issue?  I can test that next.  I don't understand why it would half-install SEP though.  All the other software installed ok and updated fine after reimaging.  I thought I was done with with this weirdness.

Tested memory... No problems.

Did a full format.  Reimaged... Same image as before and the same as three other 32-bit machines that used the standalone installer fine.

I'll prep it up tomorrow and see how it goes. 

Possibilities?

Hard drive, even after full format.

Something about the way the installer file gets to the computer.  Maybe a network card issue.  I can try copying it over from a thumbdrive.

After that... what could it be?  Corruption someone?  (evil spirit?)

Post the SEP_INST.log

I'll search for SEP_INST.log.

Update from today....

I did a 'clean' on the hard drive to remove partitions.  I did a full format.

Reimaged.  Same image as three other test machines that have no issues

Installed, tried to install, SEP... Exact same result.  It added a new entry in SEPM... computer name, offline (it's actually on) my logon, ip, date, says yes it needs a restart (nothing appears on the laptop itself), now policy serial number (maybe because it needs a restart?).

We have plenty of seats left for the software so it's not that.

Hmmm... Where is the SEP_INST.log?    There's not much in the program folders on this laptop.  My own computer (also client) has way more files, but still no SEP_INST.  I checked the SEPM server... I'm not seeing anything. 

Found it.

Is there any info I should strike out on the log to protect my identity?

computer name

my username

Anything else?  Is there a unique SEP policy number?

domain

username

pc name

IP address

That's probably about it

I need to ok posting the log with someone else.  I'm not seeing anything else that identifies me/myorg though.

I'll be back tomorrow.

I also copied over the install file on a thumbdrive instead of downloading it through the network.  No change, so it's not getting corrupted through the network.

Grr...

"Your submission contains invalid characters and will not be accepted."

Is there somewhere I can post the text anonymously online and link it to here?

Just attach it in a zip file

Trying Google docs....

There.

Attachment(s)

SEP_INST_topost.txt   2.94 MB 1 version

Logs show script execution failed

have we already tried this?

http://www.symantec.com/business/support/index?page=content&id=TECH170259

http://www.symantec.com/business/support/index?page=content&id=TECH170259&profileURL=https%3A%2F%2Fsymaccount-profile.symantec.com%2FSSO%2Findex.jsp%3FssoID%3D13614688017131zv9404lLL6ZiVWyg8fMKUAL4p5EyGM6q6yql

"Possible workaround:

Create an install package or create a custom setting under the “Client Install Settings” options to not use “Add the program to the Start Menu”, leave this unchecked.

If the install is successful, manually create the shortcut on the desktop that points SymCorpUI.exe."

Just not include it as an option in the Start menu?  I don't know what difference that would make, but I'm out of ideas.  I'm making a new installer with a new 'client install setting' that doesn't make a Start menu option. 

I'll roll the laptop back to before I installed SEP and try the new installer.  I can grab another SEP_INST.log when it fails... I'll be back later....

No luck.  Same result. 

I'll grab the SEP_INST file to post here....

Log file...

Attachment(s)

SEP_INST_2_topost_0.txt   3.02 MB 1 version

I guess I could try installing off the original Windows installation disk instead of the image... Except I've got at least three other machines that are perfectly fine off that image with SEP running fine.  Imaged in the past couple weeks.

The other machines are also updated for Windows...   Probably not a Windows update issue....

Memory tested fine.  I did a full format on the hard drive.  I could start swapping out parts from other laptops... but I don't see why it just wouldn't like SEP....  Memory and the hard drive might not be the issue.  Maybe it's a hardware issue with the mobo somehow....

Push install from the symantec server didn't work.  Same result.

On the laptop I watch the task manager and it bottoms out, flatlines, after a while.  It should have installed by now.  There's the orange down arrow and white x in a red circle on SEPM now.  It says the machine needs a restart so I did.  No change. 

I do notice SEPM doesn't have a policy number listed for this machine in the policy serial number column.  I don't know if that would come from the SEP side or SEPM.  I think it's just this laptop though.

Hey, hey.  Problem solved.

Something has changed with Microsoft Security Essentials in the past few weeks.  We used to have that on machines.  It was on the test machines that I installed SEP on a few weeks ago.

MSE was on this laptop, on the image.  We haven't had any issues leaving MSE on, installing SEP, and then removing MSE until now. 

I uninstalled MSE.  Then SEP finally installed.  Restarted.  SEPM shows it.  It looks good.

Something must have change recently with MSE that messes with SEP installation. 

When we switched over it was decided that SEP would be installed first, then uninstall MSE so the machines had some kind of coverage.  We didn't want to leave them without anything for part of a day before the user restarted them.

We also didn't want SEP on the image if it was tied to SEPM by computer name.  The name is wiped out when we copy the image.  It sounded like more trouble to have to reconfigure SEP if it existed on the image, rather than just reinstalling it once a new image is applied.  We'll have to remove MSE just before we install SEP now.