Endpoint Protection

  • 1.  SEP Upgrades for VMs

    Posted Jan 16, 2012 10:09 AM

    I posted this in Security last week, but haven't received any responses. Anyone here know anything about these errors when upgrading SEP from v11 to 12.1?

    ----------------------------------------------

    VMWare Tools v4.0.0 build 392990

    XP SP3 with latest patches and updates

    Upgraded from SEP 11 RU6 using SEPM v12.1 RU1

     

    After the upgrade, SEPM showed that the VM required a restart, so I did. When it started back up, it stuck at "Applying Computer Settings". I left it for over 30 minutes while I checked other VMs and a few of them had the same problem.

    I was able to recover the others by going into safe mode and removing SEP using CleanWipe. On the other VMs, I was able to manually install SEP 12.1 RU1 (exported a full install and removed the /qn from setup.ini) and everything was fine. Not with this one.

    I noticed that SEP installed a Teefer driver v12.1.808.5 (8/16/2011), which disabled the network card. When I revert back to v11.0.4819.6, my network starts working again - usually after disabling and enabling the card a few times.

    When it hangs, there are two DCOM errors in the System log:

    • ID: 10005
    • Source: DCOM
    • Description: DCOM got error "The service cannot be started, either because it is disabled or because it has no enabled devices associated with it. " attempting to start the service BITS with arguments "" in order to run the server:
      {4991D34B-80A1-4291-83B6-3328366B9097}

    I'm trying one last install of 12.1 RU1 on this VM, and will be attempting to leave 12.1 with teefer drivers of 11.

    Anyone have any suggestions on what may be causing this? Is there an issue with VMs and 12.1 RU1 that I missed?



  • 2.  RE: SEP Upgrades for VMs

    Posted Jan 16, 2012 12:47 PM

    Well, it appears that something comes in through LiveUpdate that disables the SEP service.

    A somewhat clean installation of v12.1 RU1 installs ok. LiveUpdate runs and fails on one of the updates. All appears to be good until a restart of the system. SEP will no longer start because the service has been disabled. Not sure yet what in the LiveUpdate causes everything to go haywire, and why for only some VMs and not others.

    Anybody run across this yet?



  • 3.  RE: SEP Upgrades for VMs

    Trusted Advisor
    Posted Jan 17, 2012 06:13 AM

    Hello,

    If I am not mistaken, you are talking about the thread:

    https://www-secure.symantec.com/connect/forums/vms-stuck-applying-computer-settings-after-upgrade-sep-121-ru1

    In your case, are these clients cloned / imaged?

    Try these Articles:

    • How to repair duplicate IDs on cloned Symantec Endpoint Protection 12.1 clients
    • Configuring Symantec Endpoint Protection client for deployment as part of a drive image
    • How to prepare Symantec Endpoint Protection clients on virtual disks for use with Citrix Provisioning Server

    Hope that helps!!


  • 4.  RE: SEP Upgrades for VMs

    Posted Jan 17, 2012 09:40 AM

    Thanks, but no to all of that. We don't put applications in our images, whether they are VMs or physical. There is less administrative overhead without them in the image. This being a prime example for keeping apps out of the image.

    Some of the VMs were P2V and some were cloned. These VMs have been around for a long time with separate entries in the SEPM. From what I've been able to determine so far, something happened during the upgrade of these 20 VMs. The installation log says that SEP 12.1 RU1 installed successfully, but the migration either didn't take place or failed somewhere.

    There is nothing recorded in the installation logs about the migration wizard running. So, SEP 11 RU6 is still running with bits and pieces of SEP 12.1 RU1 also running, and of course SEP no longer communicates with the SEPM.

    This appears to be related to VMs somehow. So far, none of my physical computers have had this problem.



  • 5.  RE: SEP Upgrades for VMs

    Trusted Advisor
    Posted Jan 17, 2012 10:05 AM

    Hello,

    Check these articles (worth a look):

    The Symantec Endpoint Protection Service terminated with service-specific error %%-1.

    http://www.symantec.com/docs/TECH167131

    Access rights with DCOM and SEP

    https://www-secure.symantec.com/connect/articles/access-rights-dcom-and-sep

     
    Hope that helps!!


  • 6.  RE: SEP Upgrades for VMs

    Posted Jan 17, 2012 12:18 PM

    Thanks, but that didn't help either. I don't believe starting the service to be the problem, unless that will start up the migration process again.

    The PC(VM) appears to have failed sometime after a "successful" installation of v12.1, and the actual removal of v11.6. The PCs (VMs) appear to be stuck somewhere between v11 RU6 and v12.1 RU1. And, although DCOM permissions were incorrect for accessing, adding those permissions didn't help, and if you have to go to step 2, that's the uninstall.

    When I check the registry, I see entries for SEP to be in a 12.1000.x folder, and others still in the SEP folder.

    The only thing I've been able to do is to revert back to v11 RU6. And, the only way I've been able to get that to work is to:

    • Uninstall v11, because the system thinks it is still installed.
    • Run CleanWipe to remove anything else that may have been left behind.
    • Take Ownership of %allusersprofile%\application data\symantec\symantec endpoint protection, and/or replace permissions on all folders/files below.
    • Take Ownership of C:\Program Files\Symantec\Symantec Endpoint Protection, and/or replace permissions on all folders/files below.
    • Open Regedit and go to HKLM\System\CurrentControlSet\Services and search on "Endpoint Protection". Delete anything that pops up. There are several drivers and a few services. One happens to be a SEPTempInstaller key. Keys, values and data inside that key vary from VM to VM.
    • Restart the PC(VM)
    • Delete the SEP directories/folders listed above. In addition to those, delete the LiveUpdate folders in the same locations.
    • Install v11.6

    Attempting another v12.1 has resulted in the same problem. So, at this point I'm in recovery mode. I'm not too interested in upgrading any more VMs. A 33% failure rate (32 failures out of 99 attempted installs) is just not acceptable.
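
Added example, not part of the original post and not Symantec tooling: a read-only PowerShell inventory of the keys under HKLM\System\CurrentControlSet\Services that mention "Endpoint Protection", with each key's start type, so the half-migrated state (including a disabled service, as reported in post 2) is recorded before anything is deleted. The function name, the set of values compared and the CSV file name are assumptions; a regedit search also matches data in values this script does not read.

```powershell
# Added example: read-only inventory, changes nothing in the registry.
# Root key and search string are the ones named in the post above.
$servicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$needle       = 'Endpoint Protection'

# Standard meanings of the Start value under a Services key.
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

# Hypothetical helper name; returns one object per matching service/driver key.
function Get-SepServiceKeys {
    param([string]$Root = $servicesRoot, [string]$Match = $needle)

    Get-ChildItem -Path $Root -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if (-not $props) { return }   # unreadable key: skip it

        # Assumption: only the key name and these four common values are compared.
        $haystack = @($_.PSChildName, $props.DisplayName,
                      $props.Description, $props.ImagePath) -join '|'
        if ($haystack -notlike "*$Match*") { return }

        $startText = 'Unknown'
        if ($props.Start -ne $null -and $startNames.ContainsKey([int]$props.Start)) {
            $startText = $startNames[[int]$props.Start]
        }

        New-Object PSObject -Property @{
            Key         = $_.PSChildName
            DisplayName = $props.DisplayName
            Start       = $startText
            ImagePath   = $props.ImagePath   # shows which install folder the entry points at
        }
    }
}

$found = @(Get-SepServiceKeys | Sort-Object Key)
$found | Select-Object Key, Start, DisplayName, ImagePath | Format-Table -AutoSize

# Keep a per-VM record; the post notes that the contents vary from VM to VM.
$found | Select-Object Key, Start, DisplayName, ImagePath |
    Export-Csv -Path ".\sep-service-keys-$env:COMPUTERNAME.csv" -NoTypeInformation

# Entries marked Disabled are the ones that will not start after a restart.
$found | Where-Object { $_.Start -eq 'Disabled' } | ForEach-Object {
    Write-Warning ("Disabled: {0} ({1})" -f $_.Key, $_.ImagePath)
}
```

Comparing the CSV from a failed VM with one from a VM that upgraded cleanly shows which entries were left behind by the interrupted migration.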



  • 7.  RE: SEP Upgrades for VMs

    Trusted Advisor
    Posted Jan 17, 2012 12:32 PM

    Hello,

    Check this Article:

    Symantec Endpoint Protection 12.1 Virtualization Best Practices

    https://www-secure.symantec.com/connect/downloads/symantec-endpoint-protection-121-virtualization-best-practices

    Hope that helps!!



  • 8.  RE: SEP Upgrades for VMs

    Posted Jan 17, 2012 12:36 PM

    Good info. However, these PCs can't get that far. They are failing installation/upgrade/migration, and not having problems with performance...