Channel: Symantec Connect - Endpoint Protection - Discussions

SECURITY at RISK in combination with SEP and App Volumes VMware + Slow login/app performance.

I need a solution

We've been troubleshooting slow login and poor application performance on our Non Persistent VDI for a while now. App Volumes and Symantec Endpoint Protection 14.x don't seem to like each other.

Without a SEP client installed, everything is performing well and the user experience feels like a persistent VDI. When SEP is installed, including all obvious exceptions and even using the virtual image exception tool, no significant change in performance is noticed. We've been testing all scenarios, disabling components of SEP. Only disabling "Application & Device Control" seems to improve login and application performance.

By accident we found out that SEP didn't work at all!! Everything looked fine from the SEPM and SEP side. The SEP GUI indicated that there were no problems detected ("Your computer is protected"), but stopping and then starting smc.exe resulted in a crash. It may seem that the service is running, but in reality the Symantec client has crashed (see image below). The only way to start the SEP client was rebooting. We also saw that a simple EICAR test virus was not detected, even when the SEP client was running and the GUI was indicating that the computer was protected. Then we discovered that this behavior only occurs when an app stack is attached.

With the knowledge we had that this behavior only occurs when an app stack is attached, we added exceptions for Symantec in the snapvol.cfg of the App Stack. These exceptions have solved the problem: the client could be restarted/stopped and an EICAR test virus was detected again.

Since Symantec is working now, we see better startup times of ThinApps in an app stack. Login times, unfortunately, not. We declared all the log files collected before the exceptions in snapvol.cfg to be unreliable, because the SEP client did not work at all. And so we believe that specific non-persistent SEP policies and exceptions may not have worked at all. We collected a large set of logs and offered it to Symantec for a second review.

Another interesting fact, noticed by 'Scarlito' on the VMware forum (see link at the end of this post), is that this problem only appears after applying Microsoft Security KB4056897 or later (and of course, with the SEP agent installed and AppStacks mounted).

This means the problem is not only with SEP + AppVolumes, but SEP + AppVolumes + MS Updates (starting January 2018 and all the Intel security breaches fixes).

If I remove ANY ONE of these 3 elements, everything works well.

Until now, no monthly security update from Microsoft has solved anything.

These are the standard exceptions in the snapvol.cfg:

exclude_path=\ProgramData\Symantec
exclude_path=\Program Files\Symantec
exclude_path=\Program Files\Common Files\Symantec
exclude_path=\Program Files (x86)\Symantec
exclude_path=\Program Files (x86)\Common Files\Symantec

These are the custom exceptions we added to the snapvol.cfg:

Disclaimer: I would like to warn you and everyone else that this is at your own risk. On the other hand, without these exclusions the virus scanner probably didn't work at all!

For validation of these exceptions we opened a PR at VMware. Please report to VMware if you're facing the same problem. 

# Custom Exclusion Symantec Performance Issues

exclude_registry=\REGISTRY\MACHINE\SOFTWARE\Symantec
exclude_registry=\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Symantec

exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\BHDrvx64
exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\eeCtrl
exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\EraserUtilRebootDrv
exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\IDSVia64
exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SepMasterService
exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SNAC
exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SRTSP
exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SRTSPX
exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SyDvCrtl
exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SymEFASI
exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SymELAM
exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SymEvent
exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SymIRON
exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SYMNETS
exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SysMain
exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SysPlant
exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Teefer2

exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Eventlog\Application\Symantec Antivirus
exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Eventlog\Application\Symantec Endpoint Protection
exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Eventlog\Application\Symantec Network Protection
exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Eventlog\Application\Symantec WSS Traffic Redirection
exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Eventlog\Symantec Endpoint Protection Client

exclude_path=\Program Files\Common Files\Symantec Shared
exclude_path=\Program Files (x86)\Common Files\Symantec Shared

exclude_process_name=ccSvcHst.exe
exclude_process_name=SmcGui.exe
exclude_process_name=SISIDSService.exe
exclude_process_name=SISIPSService.exe
exclude_process_name=SISIPSUtil.exe
exclude_process_name=sepWscSvc64.exe

This is the link of the topic we posted on the VMware forum. 

https://communities.vmware.com/thread/617203

I'm curious if there are more people who have this problem. Hopefully this post has also made people aware of the fact that their security may not function without them noticing. 

Currently we have cases for these problems ongoing at Symantec and VMware.
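
The failure described in the post above (the GUI reports "Your computer is protected" while an EICAR test file goes undetected) can be checked functionally instead of by status. The PowerShell below is an added example, not part of the original post and not Symantec or VMware tooling; it assumes the service name SepMasterService from the post's exclusion list, and the function name and temp-file location are illustrative.

```powershell
# Added example, not from the original post. Run inside the VDI session with
# the app stack attached. Assumption: the service name SepMasterService, taken
# from the registry exclusions listed in the post.

function Test-EicarDetection {
    param(
        [string]$Directory = $env:TEMP,
        [int]$TimeoutSeconds = 30
    )
    # Standard EICAR test string, split in two so this script is not itself
    # flagged when it is saved to disk.
    $eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-' +
             'STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
    $path = Join-Path $Directory ('eicar-check-{0}.com' -f [guid]::NewGuid())

    try {
        [System.IO.File]::WriteAllText($path, $eicar, [System.Text.Encoding]::ASCII)
    } catch {
        # The scanner can block the write itself. Assumption: the directory is
        # writable for this user, so a failure here means the file was blocked.
        return $true
    }

    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-Date) -lt $deadline) {
        # File removed or quarantined by the scanner.
        if (-not (Test-Path -LiteralPath $path)) { return $true }
        try {
            $null = Get-Content -LiteralPath $path -ErrorAction Stop
        } catch {
            # Read access denied by the scanner.
            return $true
        }
        Start-Sleep -Seconds 2
    }

    # Still present and readable after the timeout: nothing reacted to it.
    Remove-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    return $false
}

$service  = Get-Service -Name 'SepMasterService' -ErrorAction SilentlyContinue
$status   = if ($service) { [string]$service.Status } else { 'NotInstalled' }
$detected = Test-EicarDetection

# One record per desktop; collect these centrally to compare pools.
[pscustomobject]@{
    Computer      = $env:COMPUTERNAME
    ServiceStatus = $status
    EicarDetected = $detected
}

# The combination the post describes: service looks healthy, nothing is scanned.
if ($status -eq 'Running' -and -not $detected) {
    Write-Warning 'SEP service reports Running but the EICAR test file was not detected.'
    exit 2
}
```

Running it once with and once without the app stack attached reproduces the comparison the post makes.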

Dump Folder Space Utilization

I need a solution

Hello everyone, the C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\dump folder is utilizing a considerable amount of disk space. Is it safe to delete the temp files inside this? If yes, then how?

Free memory and hard disk space required to download virus definition

I need a solution

What is the minimum free memory and hard disk space required to download virus and spyware definitions by the SEP client?

CRITICAL: SYMANTEC TRIAL LICENSE EXPIRED

I do not need a solution (just sharing information)

I receive an email every week that warns me of a customer's trial license being expired since 2015. The server for this was never connected to the internet, and is currently de-commissioned. The hardware is not installed, powered, or working. It never had an email server, and certainly does not now have the capability to email.

How can I stop this email from coming in?

SEP client Communication restoration of new migrated server

I need a solution

Good evening Everyone!

Can anyone help me out here regarding SEP client communication settings? Recently I have just built a new SEPM 14.2 on Win12R2 with enough HW resources; prior to that we were using the old SEPM 14.0.

Now I'm stuck while moving the existing SEP clients from the old server to the new server, as 500+ SEP clients are installed in our office.

Solutions I have already tried:

- Manually replacing Sylink (it takes too much time)

- By adding a new server management list (but did not succeed)

Regards,

Ahsan 

uninstall

I need a solution

How the heck do I uninstall when it says contact the developer, but there is NO way to reach anyone!

Exceptions> Security risk exceptions> file option greyed out

I need a solution

Hi,

I enrolled my SEPM to the cloud. Decided to apply my license. Have a case with Symantec since 21/10/19 because license appearing as invalid or expired though I have license till July 2020.

I need to add an exception for a folder. What are my options apart from unenrolling from the cloud? Is there a registry setting that can be changed so that I can get the option? Any way to whitelist the folder for a specific device from the cloud?

Thanks for the help!

Troubles running SEP 14.2 RU2 on OSX prior to Catalina (< 10.15)

I need a solution

Hello.

So, I have a couple of Macs running SEP, and recently I pushed the newest update (14.2 RU2) to them.

This version adds support for OSX Catalina (10.15), and, as far as I can see, on Catalina everything is really fine.

But older OSX versions (10.13, 10.14) face a couple of troubles:

1. Random reboots. I don't know what it is called in OSX terminology, but I mean a black screen with the white text "Your computer restarted because of a problem. Press a key or wait a few seconds to continue starting up."

2. Firewall notifications. At my SEPM server, my firewall policy for Macs has the entry "Display a notification on the computer when the client blocks an application" disabled. But, ignoring this, users began to face notifications about different remote connections with buttons "allow" and "deny". The strangest part is the header of the notifications - it says "Norton Security" :) Tested a bit; withdrawing the firewall policy via SEPM prevents notifications from spawning.

Has anyone else faced these issues? Any ideas?

SEP Upgrade from 14.2.1031 (MP1) to 14.2 RU2

I do not need a solution (just sharing information)

Is it possible to upgrade the clients from 14.2.1031 MP1 to 14.2 RU2 without upgrading the SEPM Server?

EPM 14.2 RU2 installation failure due to Error 2738: could not access VBScript run time for custom action

I need a solution

Hi,

We are running EPM 14.2 RU1 MP1 on Server 2008 R2 SP1, but when we recently tried to install RU2, it was observed that the installation failed due to Error 2738: could not access VBScript run time for custom action.

We tried to re-register VBScript, but it was unsuccessful, so we need a solution to get it done.

Logs not visible in client GUI using normal user

I need a solution

Hi Symantec staff,

Our customer reported to us that they could not see any logs in the client GUI. After studying and searching, we found that we need a local admin user in order to see those logs.

The problem is that there is no warning or indicator shown in the GUI about this ...

Q:  Is there any setting or workaround that we can show logs even with normal user?

If not, any method to show warning like "no log shown without local admin right"?

Registering License

I need a solution

So I am not exactly sure where to begin.

We have had the SEPM installed for years. I just recently started at my company and took over some of the IT duties that were originally outsourced. I reached out to our management company (also our reseller) about obtaining updated software packages for the SEPM and my clients to upgrade their version. I was told that the license has moved and we need to be registered with our own account and that they started the process for me.

I received the email confirmation for my account and attempted to access MySymantec for downloads. I enter my support ID and it says that I have to wait for a Site Manager or Symantec Support Agent to approve my request. It has now been over 24 hours and I have not heard anything.

The chat bot is useless and it doesn't appear that any support agents are working or answering tickets; every place where it says to open a case or "call us" has broken links. I have my license number and a support ID but no way to get it registered or contact anyone for assistance.

SEP 14.2 RU2 for Mac not detected by Cisco AnyConnect host-scan ver. 4.8

I need a solution

Our organization has recently upgraded its ASA to support the new Cisco AnyConnect VPN Client ver. 4.8. During the upgrade, the host-scan module was upgraded to the latest version as well (4.8).

At the same time we are testing SEP client ver. 14.2 RU2 for Mac to cover the newest macOS Catalina. In our test after the upgrade, SEP 14.2 RU2 is no longer detected by the new host-scan module, therefore not passing the posture check and preventing the VPN connection from succeeding. The same Windows SEP client is passing host-scan for Windows with no issues (same AnyConnect and host-scan version as Mac).

Is there anyone with the same issue? Was this reported to Cisco or Symantec? Is there a workaround?

Any help is appreciated.

SEP 14.2 support for Mac

I need a solution

We are considering converting to Mac desktops. Can anyone give feedback on SEP 14.2 support for Macs? Are all SEP features supported? How's the firewall support, etc.?

Thanks,

Wally

SEP 15

I need a solution

Can anyone share their experience with SEP 15? How does it compare to the SEPM feature- and functionality-wise?

Are there any security concerns using the cloud?   We noticed some months ago in the license agreement that Symantec may collect passwords but not user ids.  What's that all about?  Anyone know what passwords Symantec is referring to?
