Endpoint Protection


Endpoint Protection Stopping users from Receiving their Windows Profiles.


  • 1.  Endpoint Protection Stopping users from Receiving their Windows Profiles.

    Posted May 24, 2009 09:58 PM
    Hi All

    I have a bit of an interesting Symantec problem which has stopped the deployment of SEP to the rest of our machines.

    Users running SEP on their machines are having issues that are popping up about 60-70% of the time when they log on.

    It seems SEP takes hold of something in their profiles (directory C:\Documents and Settings\*username here*\), which is not allowing them to grab their profile, so Windows is going and creating a new profile for them each time. This means they lose all their favourites, desktop icons, Lotus Notes configuration and more.

    Is anybody out there having the same or similar issues, and if a fix/workaround is out there, can someone please point me in the right direction?

    I am still learning my way around SEPMC, so the more basic the answer, the easier it will be for me.

    Thank you to anybody that takes the time to read/reply to this.

    Chris Watson
    Computer Support Officer
    Dept. Primary Industries and Water


  • 2.  RE: Endpoint Protection Stopping users from Receiving their Windows Profiles.

    Posted May 24, 2009 10:06 PM
    I haven't experienced this, but can you post error logs or screenshots?


  • 3.  RE: Endpoint Protection Stopping users from Receiving their Windows Profiles.

    Broadcom Employee
    Posted May 25, 2009 01:16 AM
    Hi,
    Can you please let us know the version used?

    Is this experienced across all systems (OS)?

    Not sure if this is what you are referring to.

    From the release notes...

    On Windows 2000 without Terminal Services, users may receive a default profile during logon
    Fix ID: 1266776
    Symptom: Users will receive a default profile during logon.
    Solution: Improved Symantec Endpoint Protection client's triggering mechanism for logon and logoff.


    Pete!


  • 4.  RE: Endpoint Protection Stopping users from Receiving their Windows Profiles.

    Posted May 25, 2009 02:02 AM
    Sorry, yeah, I need to go into more detail. I'm still a bit new at looking after systems and looking for help on forums, so you will have to excuse me.


    OK, the OS it is happening on is Windows XP SP2 and SP3.
    Running SEP 11.4000.2295
    Basically, it's happening when the user logs in.

    It is happening both when the user is receiving a new profile for the first time and when they already have the profile on the machine.
    I don't have a screenshot (or the exact wording of the error; I was just hoping someone else had encountered it) yet, as the tech that has been taking the calls did not get one, so as soon as I have one I'll post it up.


    Using a program which determines what processes are locking what, one of our guys has found that the process smc.exe is locking out the below files.

    Documents and Settings\*username here*\Cookies\index.dat
    Documents and Settings\*username here*\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    Documents and Settings\*username here*\Local Settings\History\History.IE5\index.dat

    I'm at a bit of a loss, as it is not happening on every login and just happens randomly to different users. It seems like there is no pattern (although I'm sure there is).

    I hope this is enough information for now.



  • 5.  RE: Endpoint Protection Stopping users from Receiving their Windows Profiles.

    Posted May 25, 2009 02:32 AM
    Did it just happen today?

    What packages/components are included for the workstations? AV and AS only?

    FYI, the latest product version is MR4 MP2

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007121216360648


  • 6.  RE: Endpoint Protection Stopping users from Receiving their Windows Profiles.

    Posted May 26, 2009 02:13 AM
    We had exactly the same problem. After installing SEP MR1 and MR2, many users received a "your profile could not be loaded" event and an empty user profile.

    Since we upgraded to MR4, the problem is gone.  


  • 7.  RE: Endpoint Protection Stopping users from Receiving their Windows Profiles.

    Posted May 26, 2009 02:46 AM
    Hi, have you installed all of the packages? AV, AS, PTP and NTP?


  • 8.  RE: Endpoint Protection Stopping users from Receiving their Windows Profiles.

    Posted May 26, 2009 08:38 AM
    Stephan,

    What version of MR4 did you upgrade to, to resolve the profile issue?

    Did you upgrade to the newest version below?

    Symantec_Endpoint_Protection_11.0.4202_MR4_MP2


  • 9.  RE: Endpoint Protection Stopping users from Receiving their Windows Profiles.
    Best Answer

    Posted May 27, 2009 01:36 AM
    Chances are that the SEP client may be locking the NTUSER.DAT file for the user profile.

    Can you try and see if an exclusion of the NTUSER.DAT file from scanning helps to temporarily work around the issue?



  • 10.  RE: Endpoint Protection Stopping users from Receiving their Windows Profiles.

    Posted May 28, 2009 07:02 PM
    Hi Guys

    Sorry I haven't been back here in a while; had a hell of a day yesterday.

    Using Abhishek Pradhan's workaround has seemed to fix the issue. Thank you, harterlynn; I will be upgrading to MP2 this weekend, so I'll remove the workaround and see if I get the issue after then.

    I would like to thank you all for your quick and helpful responses. I'm glad there is such a helpful community out there for a new admin to this program like myself.



  • 11.  RE: Endpoint Protection Stopping users from Receiving their Windows Profiles.

    Posted May 29, 2009 04:44 AM
    It's funny as hell to me.

    This issue was supposed to have been fixed in MR4 MP2, as it was a part of the defect list that I saw a few months back.

    Can anyone throw some light on the fact that if they were actually facing this issue, did the MR4 MP2 upgrade fix the issue?



  • 12.  RE: Endpoint Protection Stopping users from Receiving their Windows Profiles.

    Posted May 29, 2009 09:41 AM
    This sums up the issue: (Thanks to the Lizard King (My Boss).)

    We have installed Symantec_Endpoint_Protection_11.0.4202_MR4_MP2 on our major servers and are still seeing periodic problems with user profiles. We did not have these issues until we deployed Symantec Endpoint Protection 11.x over a month ago.
    Here are some details...
    Systems:
    1. Windows 2003 SP2 x64 File Server.
    2. Windows 2003 SP2 Terminal Server.
    Notes:
    - We use roaming profiles. The actual profile files are stored on the file server (#1 above).
    - Users log into the Terminal Server (#2 above) and their roaming profiles are replicated to the Terminal Server. When users logoff, their profiles are replicated back to the file server and then the profiles are deleted off of the Terminal Server per Group Policy.
    What we have seen since the deployment of SEP 11.x:
    1. Immediately after deploying SEP 11.x, the Application Log on the Terminal Server recorded an ongoing battle between UPHClean and Symantec Antivirus. This was recorded as four consecutive Event ID 45 entries with Symantec Antivirus as the source:
    SYMANTEC TAMPER PROTECTION ALERT

    Target: C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    Event Info: Suspend Thread
    Action Taken: Logged
    Actor Process: C:\Program Files\UPHClean\uphclean.exe (PID 2336)
    Time: Thursday, April 23, 2009 10:47:57 AM

    These Event ID 45 entries were logged immediately after a user would logoff and UPHClean would attempt to cleanup any processes holding their profiles (Event ID 1401):
    The following handles in user profile hive UNCLASS\<username> have been remapped because they were preventing the profile from unloading successfully:

    Rtvscan.exe (2032)
    HKCU\Software\Symantec\Symantec Endpoint Protection\AV\Custom Tasks (0x9d8)

    We believe that we eventually got around this issue by creating a Central Exception with the fully qualified path to UPHClean.exe specified. Once we configured this exception properly, we no longer saw the Event ID 45 events from Symantec AntiVirus.
    2. About two weeks ago, we had two new problems pop-up:
    - We'd receive about six calls per day from users indicating that Mozilla Thunderbird was acting as if they didn't have an Email account configured. After researching this issue, we found that the prefs.js file in the user's Mozilla Thunderbird profile was being corrupted. We would restore from backup and the user could continue. After several days of this, we decided to create a Central Exception for the "js" extension. We have not seen the prefs.js problem since adding this exception on the Terminal Server.
    - About 30% of our users each day reported problems with logging in to the Terminal Server. When we would review the Application Log on the Terminal Server, we would see Events 1508 and 1500 logged:
    Event 1508
    Windows was unable to load the registry. This is often caused by insufficient memory or insufficient security rights.

    DETAIL - Insufficient system resources exist to complete the requested service. for C:\Documents and Settings\jdfryer\ntuser.dat

    Event 1500
    Windows cannot log you on because your profile cannot be loaded. Check that you are connected to the network, or that your network is functioning correctly. If this problem persists, contact your network administrator.

    DETAIL - Insufficient system resources exist to complete the requested service.

    This problem would happen for various users over about a 10 minute period and then go away for a random amount of time. Then, it would pop-up again for some users and then stop happening again. This continued until we added a Central Exception for the "dat" extension. Since doing that, we haven't seen this issue on the Terminal Server.
    3. The final problem still occurs, but we have just this morning added a few more exceptions in an attempt to work around it. What we are seeing is that when some users logoff, their profiles are not being replicated back to the file server properly. This appears as Events 1509 and 1504 in the Application Log on the Terminal Server:
    Event 1509
    Windows cannot copy file C:\Documents and Settings\user1\NTUSER.DAT to location \\server1\UserProfiles\user1\UN-DOC\NTUSER.DAT. Possible causes of this error include network problems or insufficient security rights. If this problem persists, contact your network administrator.

    DETAIL - The process cannot access the file because it is being used by another process
    Event 1504
    Windows cannot copy file C:\Documents and Settings\user1\NTUSER.DAT to location \\server1\UserProfiles\user1\UN-DOC\NTUSER.DAT. Possible causes of this error include network problems or insufficient security rights. If this problem persists, contact your network administrator.

    DETAIL - The process cannot access the file because it is being used by another process
    This seemed to us as if this time a process on the File Server was holding open the user's NTUSER.DAT file and therefore, the profile could not be replicated back properly. We are attempting to work-around this problem by adding a Central Exception for the "dat" extension under SEP 11.x running on the File Server. So far, we have not seen this work-around help to resolve the issue.

    A few notes:
    1. I appreciate the ability to add a Central Exception for a file with a fully qualified path and for an extension, but what is missing is the ability to add a Central Exception for a file name (e.g., NTUSER.DAT, prefs.js, etc.). It is not practical for us to attempt to add an exception for each user's roaming profile path and Thunderbird profile path as this would create a huge exception list for us. Also, having an exception for the "js" extension scares me quite a bit.
    2. Why does it appear that the issue with Roaming Profiles and Symantec AV has returned in SEP 11.x? Please see:
    http://service1.symantec.com/SUPPORT/ent-security.nsf/0/d43f351f6888fd8b882571e2005545ee?OpenDocument
    We did have this problem under SAV 10.1 and it was resolved when we installed the Maintenance Patch specified in this article. However, now it appears that the problem is back in SEP 11.x and so far, it has not been resolved. There are other forum postings concerning this issue:
    http://www.symantec.com/connect/forums/endpoint-preventing-profiles-being-unloaded-terminal-server
    http://www.symantec.com/connect/forums/sep-mr4-stumped

    Sorry for the extra long posting, but I wanted to get as much information out there about this as possible. Thanks.







  • 13.  RE: Endpoint Protection Stopping users from Receiving their Windows Profiles.

    Posted May 29, 2009 10:46 AM
    We were running an older version of SEP 11.XXX and were having problems with users who would get the same "The process cannot access the file because it is being used by another process" errors etc. when logging on.

    User would then get logged in with a local temp profile.

    Upon reboot the user is able to log in just fine.

    We just pushed out Symantec_Endpoint_Protection_11.0.4202_MR4_MP2 last night which works out to version 11.0.4202.75 if you click Help, About.

    However, users were still getting the locked profile issue this morning.

    Is Symantec actively working on this problem or what?? It's a bit mind boggling.

    Really looking forward to a resolution.



  • 14.  RE: Endpoint Protection Stopping users from Receiving their Windows Profiles.

    Posted May 29, 2009 11:27 AM
    Support call placed. Probably, will know something on Monday.

    An engineer on the Symantec side was given all relevant information.

    All solutions given by the engineer were implemented by us already and did not solve the issues.

    The engineer had some ideas, but needed to do some testing.

    The NTUSER.DAT file being locked (held) being one of the major issues with roaming profiles.

    Hoping for an expeditious solution also.


  • 15.  RE: Endpoint Protection Stopping users from Receiving their Windows Profiles.

    Posted Jun 02, 2009 01:32 PM
    I found the following posting:

    http://www.symantec.com/connect/forums/uphclean-rtvscanexe-2164-help-needed

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\ProductControl]

    "DisableRTScheduledScanUpdate"=dword:00000001

    I made the suggested registry change on our Terminal Server and restarted the
    Symantec services. Since that change, I don't even see the Event 1401
    messages that UPHClean would always generate when stopping the
    Rtvscan.exe process from interfering with user logoffs. More to come on
    this, but we're making what I think is progress.



  • 16.  RE: Endpoint Protection Stopping users from Receiving their Windows Profiles.

    Posted Jun 04, 2009 12:43 AM
    Guess it's back to the drawing board.

    I saw this issue being addressed in MR2-MP2, came back in MR3, and was again supposed to be fixed in MR4-MP2.

    Can any Product Manager(s) or Tech Support people identify this as a recurring defect and raise a flag internally for it?

    I can see a lot of people getting affected by this.




  • 17.  RE: Endpoint Protection Stopping users from Receiving their Windows Profiles.

    Posted Jun 15, 2009 09:18 AM
    Symantec,

    Any update on this situation? We get these errors all day long and it's really getting frustrating for the users.

    Thanks.



  • 18.  RE: Endpoint Protection Stopping users from Receiving their Windows Profiles.

    Posted Aug 10, 2009 09:42 AM
    May I ask if this issue has been fixed? Otherwise we might encounter the same issue in the latest build of SEPM.


  • 19.  RE: Endpoint Protection Stopping users from Receiving their Windows Profiles.

    Posted Aug 10, 2009 01:04 PM

    First thing I want to say, Symantec does not seem to truly understand this problem and at this point has no fix. Lizard King came up with the below fix to get us up and running smoothly again.

    Here is a status update on this issue and what we have done to mitigate it. Please understand that we are most likely running into this problem because of the way that we have configured our environment. Specifically:

    - We utilize Roaming Profiles.
    - We utilize Folder Redirection.
    - We have deployed Terminal Servers (with multiple users on a single system).
    - We delete cached copies of Roaming Profiles when users logout.

    We began addressing this problem by first tackling the Symantec Endpoint Protection conflict with the User Profile Hive Cleanup service.  We configured two Centralized Exceptions:

    C:\Program Files\UPHClean\uphclean.exe

    C:\Program Files\UPHClean\*

    After making these changes, we no longer received the following Event Id 45 messages in the Event Log:

    Target: C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    Event Info: Suspend Thread
    Action Taken: Logged
    Actor Process: C:\Program Files\UPHClean\uphclean.exe (PID 2336)

    We still had problems with users' profiles periodically becoming corrupted and local profile copies not being deleted at logout. After doing some digging on the forums as well as conversing with Symantec support, we finally settled upon deploying the following registry entry to our systems:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\ProductControl]

    "DisableRTScheduledScanUpdate"=dword:00000001

    We asked Symantec support what this registry entry does and received the reply, "This will disable the scheduled scan thread that checks for user scheduled scans.  Any scheduled scan created by the administrator via SEPM will still run."

     After deploying this registry entry, we no longer see the stuck user profiles or errors in the event log when users logout.  If I had to guess, I would say that SEP was keeping the user's profile open just long enough for Windows to time out trying to re-sync the user's profile back to the server.  Since Windows couldn't properly sync the local profile with the server copy, it didn't execute the deletion of the local profile copy as well.

    Hope this helps.  Please don't shoot the messenger.


  • 20.  RE: Endpoint Protection Stopping users from Receiving their Windows Profiles.

    Posted Aug 18, 2009 03:59 PM
    Hello. Can we please get an update from Symantec on this subject?

    It is driving me absolutely insane.

    I cannot believe that Symantec has not responded yet. This is simply ridiculous.


  • 21.  RE: Endpoint Protection Stopping users from Receiving their Windows Profiles.

    Posted Aug 23, 2009 02:29 AM
    I see that you (harterlynn) have configured exceptions for the following folders: "C:\Program Files\UPHClean\uphclean.exe" and "C:\Program Files\UPHClean\*", and the issue changed. I have found an article with this error:

    TruScan has generated an error: code 9: description: Heuristic Scan or Load Failure
    Event Type:     Information
    Event Source:   UPHClean
    Event Category: None
    Event ID:       1401
    Computer:       computer
    Description:
    The following handles in user profile hive DOMAIN\user have been remapped because they were preventing the profile from

    unloading successfully:
    winlogon.exe (644)
      HKCU\Software\Classes (0x994)

    I don't know if you have specifically the same error, but you can try this in the SEPM Console:

    1) Centralized Exceptions>add>Truscan Proactive Threat Scan Exceptions>Process
    2) Include the "uphclean" and click "ok"
    3) Apply this policy to a group computer (test environment)
    4) Check the Monitors>Logs>Truscan Proactive Threat Scan>view log

    Repeat this procedure as necessary, like the "winlogon" process for example.

    I hope that helps...

    Regards,
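
Added example, not part of any poster's reply: one way to see which process keeps profile hives open is to tally the UPHClean Event ID 1401 messages quoted in posts 12 and 21. The sample messages are constructed in the layout shown in the thread, and `parse_1401` and `summarize` are hypothetical helper names.

```python
import re
from collections import Counter, defaultdict

# Constructed sample messages in the Event ID 1401 layout quoted in the thread
# (one with lost indentation, one with a wrapped header line).
SAMPLE_EVENTS = [
    r"""The following handles in user profile hive DOMAIN\user1 have been remapped because they were preventing the profile from unloading successfully:

Rtvscan.exe (2032)
HKCU\Software\Symantec\Symantec Endpoint Protection\AV\Custom Tasks (0x9d8)
""",
    r"""The following handles in user profile hive DOMAIN\user2 have been remapped because they were preventing the profile from

unloading successfully:
winlogon.exe (644)
  HKCU\Software\Classes (0x994)
Rtvscan.exe (2032)
  HKCU\Software\Symantec\Symantec Endpoint Protection\AV\Custom Tasks (0xa10)
""",
    r"""The following handles in user profile hive DOMAIN\user3 have been remapped because they were preventing the profile from unloading successfully:

Rtvscan.exe (2032)
  HKCU\Software\Symantec\Symantec Endpoint Protection\AV\Custom Tasks (0x7c4)
""",
]

HIVE_RE = re.compile(r"user profile hive\s+(\S+)\s+have been remapped")
# Process lines end in a decimal PID; handle lines end in a hex handle value.
# Matching on that (not on indentation) survives logs whose whitespace was lost.
PROC_RE = re.compile(r"^\s*([^\\()]+?)\s+\((\d+)\)\s*$")
HANDLE_RE = re.compile(r"^\s*(HK[A-Z_]+\\.+?)\s+\((0x[0-9a-fA-F]+)\)\s*$")


def parse_1401(message):
    """Return (hive, [(process, pid, [registry keys])]) for one event message."""
    m = HIVE_RE.search(message)
    hive = m.group(1) if m else None
    holders = []
    for line in message.splitlines():
        proc = PROC_RE.match(line)
        if proc:
            holders.append((proc.group(1), int(proc.group(2)), []))
            continue
        handle = HANDLE_RE.match(line)
        if handle and holders:  # a key belongs to the last process line seen
            holders[-1][2].append(handle.group(1))
    return hive, holders


def summarize(messages):
    """Per process: events it appears in, handles remapped, and which keys."""
    stats = defaultdict(lambda: {"events": 0, "handles": 0, "keys": Counter()})
    for msg in messages:
        _hive, holders = parse_1401(msg)
        for name in {h[0].lower() for h in holders}:
            stats[name]["events"] += 1
        for name, _pid, keys in holders:
            stats[name.lower()]["handles"] += len(keys)
            stats[name.lower()]["keys"].update(keys)
    return dict(stats)


if __name__ == "__main__":
    ranked = sorted(summarize(SAMPLE_EVENTS).items(), key=lambda kv: -kv[1]["events"])
    for proc, s in ranked:
        top = s["keys"].most_common(1)
        print(f"{proc}: {s['events']} events, {s['handles']} handles, "
              f"top key: {top[0][0] if top else '-'}")
```

On a real server the input would be the message text of Application log entries with source UPHClean and Event ID 1401, exported before and after a workaround so the two tallies can be compared.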


  • 22.  RE: Endpoint Protection Stopping users from Receiving their Windows Profiles.

    Posted Sep 01, 2009 06:22 PM

    Is there a complete "to do" list to correct this problem?

    I finally uninstalled Endpoint and just installed SAV Corp. I would like to use Endpoint when the issue has been resolved. My users do not have any patience, they just want their remote session to work, now. This affected about 20 of 150 users, including the district manager. They want me to explain why their profile isn't loading, in detail (even though they don't have any idea what I'm talking about). They call back throughout the day to let me know they cannot connect.

    Two 2003 Enterprise servers running terminal services
    Two 2003 servers (file servers)
    One 2003 server running exchange
    All SP2

    Clients are XP Pro or Windows CE using a remote desktop connection.

    Errors 1010, 1030, 1058, 1096, 1219, 1500, 1509, 1511, 1505 and 1508

    No errors after uninstalling SEP.


     



  • 23.  RE: Endpoint Protection Stopping users from Receiving their Windows Profiles.

    Posted Oct 01, 2009 12:02 PM
    Mr I find every major issue in every Symantec product I'm forced to use!

    I have this issue too..
    Anyway, my users in this case are pissed off and want answers.. We just installed SEP. I've since run updates, and set up exclusions for the user hives as well as uphclean.

    My version of SEP is 11.0.4202.75.

    Where is this new patch that 'might' work?



    Note to everyone else, I've been using Kaspersky Labs Enterprise solution at our office and several clients (http://www.kaspersky.com/) and I'm very impressed with the administration console - it has remote deployment options, automatic network grovelling and categorization (and if you want automatic deployment..), it even has deployment options for 3rd party products! (just enter a CLI installer with switches..) it EVEN has an UNINSTALLER for MANY other 3rd party products, such as Symantec Endpoint Protection. I really like Kaspersky's ability to push out new licenses.

    I've also used Sophos' enterprise offering.. it's very nice, I wouldn't call it as powerful as Kaspersky but it's MUCH simpler and is very reasonable for deploying on smaller networks.


  • 24.  RE: Endpoint Protection Stopping users from Receiving their Windows Profiles.

    Posted Oct 02, 2009 11:32 AM
    @Abhishek Pradhan
    @Ryk_8472

    In my company we have the same problem. Windows often generates a temporary userprofile during logon because the ntuser.dat file is locked by another process.
    Now I was trying to define a centralized exception for the ntuser.dat as it is described here: http://seer.entsupport.symantec.com/docs/331012.htm
    But how can I use a dynamic path for the file? Using "%userprofile%\ntuser.dat" seems not to work.
    Should I try it without the quotation marks? Or just the filename?

    As far as I understand the following knowledge base article it must be a pre-scan exclusion. So I have to use the full path:
    http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/a37d2c7e2044ddff882574810056c4f0?OpenDocument
    But we have 1600+ users and so the path is always different. I need a dynamic solution.

    Best Regards
    Sebastian


  • 25.  RE: Endpoint Protection Stopping users from Receiving their Windows Profiles.

    Posted Oct 05, 2009 03:02 AM
    Remove the quotes and then add the exclusion as follows: %userprofile%\ntuser.dat

    This'll help to resolve the issue.


  • 26.  RE: Endpoint Protection Stopping users from Receiving their Windows Profiles.

    Posted Oct 06, 2009 07:51 PM
    Scratch what I said before. It appeared to be fixed with the solution stated by Abhishek Pradhan, but this appears not to be the case, as it is still happening. The amount of hits per week has lowered since I put the rule in excluding %userprofile%\ntuser.dat, but it doesn't seem to resolve it.

    This is getting worrying, as it has been a while since this issue started happening and I'm not the only user. What are the plans for fixing this?


  • 27.  RE: Endpoint Protection Stopping users from Receiving their Windows Profiles.

    Posted Oct 21, 2009 02:36 PM
    It's not a resolution, but a workaround. I'd faced the same issue with a bank in Greece where over 5000+ systems were affected! We had to wait till engineering came thru with a new build that fixed this issue.

    I guess your best bet is to open support cases for all customers who are facing this issue, as that's the only way the issue will get resolved faster from Symantec's end.

    For all people who are facing this issue, please open support cases, get in touch with your TAM / RAM, or try to touch base with Paul Murgatroyd, who's a TPM for SEP 11.x

    HTH


  • 28.  RE: Endpoint Protection Stopping users from Receiving their Windows Profiles.

    Posted Mar 09, 2010 10:52 AM
    Are any of you seeing this occur on Vista machines as well? Does logging help identify SEP as the culprit?


  • 29.  RE: Endpoint Protection Stopping users from Receiving their Windows Profiles.

    Posted Apr 13, 2010 02:19 PM
    Was this ever resolved by Symantec?


  • 30.  RE: Endpoint Protection Stopping users from Receiving their Windows Profiles.

    Posted May 11, 2010 10:33 AM
    No, I don't think so ....

    This thread is, in my opinion, not solved!!! We see that the exclusion may not work everywhere.