Symantec Antivirus 10 (and higher), including Endpoint Protection uses certificates in the install and also for the application to run. If a Sofware Restriction Policy is in place for the computer, and we have "trusted publishers" defined as anything other than "End Users" we will automatically check for the existance of the certificate in the "Trusted Publisher" store for the machine. If it is not there, we block the software from running, as Software Restriction Policies are designed to do.
You can follow either of the given Options to resolve the issue
Option 1:
Use the MMC to copy and paste the certificate into the Trusted Publisher Store
1. Log into the machine as an administrator (local admin rights).
2. Launch MMC.exe
3. Add/Remove Snap-in and Add "Certificates"
4. Select "Computer account"
5. Click on Next
6. Select Local Computer
7. Click on Finish
8. Close Add Snap-in window.
9. Click "Okay"
10. Expand "Certificates (Local Computer)"
11. Expand "Trusted Root Certification Authorities"
12. Highlight "Certificates"
13. Find "Symantec Root CA" or the appropriate Trusted Root Cert for the application in question.
14. Highlight it and Right Click on it, then select "Copy"
15. Highlight "Trusted Publishers" in the Left Pane.
16. In the Right Pane, click on an empty spot and right click again, select "Paste"
17. A "Certificates" folder should appear under "Trusted Publishers"
18. Highlight it and you should see a copy of the Certificate you pasted in that store now.
19. The service will now start successfully.
Option 2: Use Certutil to import the certificates to the Trusted Publisher Store (certificates are exported from the Symantec applications previously)
1. certutil -enterprise -addstore "TrustedPublisher" c:\rtvscan.cer
NOTE: This is sufficient for SAV 10.1. For SAV 10.0.x or higher, you would also have to run the following procedure:
Example command - <Please change the (drivename) to the corresponding drive where the certificate store is located /certificates are stored>
1. certutil -enterprise -addstore "TrustedPublisher" c:\ccApp.cer
NOTE:
You will have to run the command as an administrator, and the *.cer files are those exported from the corresponding SAV executables. They are stored on the C: drive in the above given example.