Endpoint Protection

Installed SEP on a client machine. The installation completes successfully but the Symntec Endpoint Protection and Symantec Event Manager services can not be started. If I try to start them I get the following errors:

Could not start the Symantec Endpoint Protection service on >>>>
Error 1068: the dependency service or group failed to start


Could not start the Symantec Event Manager service on >>>>
Error 2: the system cannot find the file specified

Rebooted the pc, tried uninstall and reinstall but get the same results.

We are using SEP 11.0.4202.75.

Has anyone else experienced this problem?

any help would be appreciated.

Did you uninstall the old version of Antivirus before this installation? Did you have any customisation to your old installation?

Hi,
 
       Please try the following and let us know whether it helped.

Check the Symantec Settings. Manager service is set to Disabled


Set Symantec Settings Manager service to automatic.

Please let us know in case you require further help.

No customization to old client except for the management server (GRC.DAT and Cert under PKI\root directory). I did remove the old client and then install the new SEP. We were using SAV 10.1 previously.
 

Symantec Settings Manager is set to automatic and is started. Its only the Symantec Endpoint Protection and Symantec Event Manager services that are not started and cannot be started.

thank you for your reply.

Sounds to me that something has gone wrong with the installation or uninstallation of your old software. I have two suggestions:

1. Check your install package with another client to make sure the package is not dammaged
2. You need to uninstall SEP from the first client and use a cleanup tool to also remove any old entries in the registry from old SAV

I will give that a try but I did use Symantec Clean Wipe to clean up the install.
I think the services were working when it was installed. I noticed it when the user logged into their pc.

Another suggestion would be to use an online virus scanner to make sure you do not have a hidden virus screwing with the machine

Doug,

Was the uninstall of  SAV and install of SEP done local to the machine or done through any kind of remote connection? If so, be sure to get local and try again. Also be sure that you have full Administrator credentials.

Does the SEP_INST.log return any errors if you search for "Return value 3" or "Return value 2"?

All returning 1.
Except for main engine thread is returning 3010.
To install i connected to the client pc and logged on locally as administrator. Installed the symantec software.

Have you tried using a different service logon administrator?

To install i connected to the client pc and logged on locally as administrator. Installed the symantec software
______________________________________________________________________

I just want to make sure I understand you alright.

Above you said that you "connected" to the client. Does this mean you did it throught remote desktop or did you actually install it sitting at the machine?

I connected to the machine through Novell Zenworks Remote control. Its like VNC. I usually push out the install through the deployment wizard and have not had a problem. This particular pc was done this way originally but have this issue.
Last  night I uninstalled it and removed all instances of symantec from the registry and folders under program files and All users\app data.

Reinstalled logged in as the administrator. It all looks good. green light services are running.
Reboot log back in and the services wont start.

tart run & type rsop.msc- it will open a new window.
--> Under computer configrations go to windows setting-- then security setting & click on the system services.. On the right hand side find SEP serivices & check if there is any thing under stratup.

Everything is greyed out. Startup is not defined, permission not defined.
I got that off a working machine.
The none working machine is the same thing.

Before I forget I just want to thank everyone who is giving suggetions on how to fix this issue.
Hopefully a solution will be found.
I appreciate it.

Can you check this post

and try davidatwork suggestion..


https://www-secure.symantec.com/connect/forums/microsoft-visual-c-runtime-error-sav-client-fails-start#comment-2572551

Rafeeq,

I tried what was suggested on this post. It seemed to work. the services were started and had green icon on the shield but today it shows status as antivirus engine off again.
I am unable to start the services get the same errors.

 

Could not start the Symantec Endpoint Protection service on >>>>
Error 1068: the dependency service or group failed to start

Could not start the Symantec Event Manager service on >>>>
Error 2: the system cannot find the file specified

I did this all local on the machine. I even uninstalled/rebooted and reinstalled SEP 11.

I think the SEP service failed coz it depends on symantec event manager

can check the path for symantec event manager service

right click symantec event service, ( services.msc)
properties.
the path should be

"C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"

do u see that ??

anything in the event viewer??

It is blank.
It will not let me put anything in the path to executable.

Event viewer:

DCOM got error "The dependency service or group failed to start. " attempting to start the service Symantec AntiVirus with arguments "" in order to run the server:

{5CEC0E13-CF22-414C-8D67-D44B06420FC1}

Found a registry entry under HKLM\Software\Microsoft\Windows\Current Version\Run\
ccApp showed string Data as -
which is what the Event Manager service had in the path to executable.
I changed it to show "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

I havent had a chance to have the user reboot their pc yet but hopefully this works and does not change back.
I also noticed that the service for working clients has the path to the executable as:

"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon

Should I be looking for anything else?
Any suggestions?
Im flying blind here.

Hello Doug,

good news so far lets reboot the box once and check what happens, i will try to reproduces the issue on my test machine..wait for your reply, :)

Rafeeq,

It seems to be good so far. I ran malwarebytes on the machine also. Found the vundo virus.
Weird since definitions from old symantec were up to date and it didnt pick it up before. Also the new SEP didnt pick it up until I ran a scan with it after I got it working.
Maybe it was a combination of the two things.

Should I look for anything else?
Seems to be working. I will post again if it disables itself again in the next couple days. I think the virus might have had something to do with it.

Thanks for all your help.

 Vundo is a nasty virus that can disable or use the virus protection software to help spreading the virus instead of doing the opposite.
Did you remove Vundo with the vundo removal tool? I would suggest you use it to make sure you get rid of it properly.
Removal tool => http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixVundo.exe 
Info about removal tool=> http://www.symantec.com/security_response/writeup.jsp?docid=2004-112210-3747-99

Read some more here: http://en.wikipedia.org/wiki/Vundo

Thanks Maximilian,
I did use the Vundo removal tool from symantec.

Thanks for the info.

 Hi Doug,

 Doug if you are satisfied with the answer please mark it as "solution".