This sums up the issue: (Thanks to the Lizard King (My Boss).)
We have installed Symantec_Endpoint_Protection_11.0.4202_MR4_MP2 on our major servers and are still seeing periodic problems with user profiles. We did not have these issues until we deployed Symantec Endpoint Protection 11.x over a month ago.
Here are some details...
Systems:
1. Windows 2003 SP2 x64 File Server.
2. Windows 2003 SP2 Terminal Server.
Notes:
- We use roaming profiles. The actual profile files are stored on the file server (#1 above).
- Users log into the Terminal Server (#2 above) and their roaming profiles are replicated to the Terminal Server. When users log off, their profiles are replicated back to the file server and then the profiles are deleted off of the Terminal Server per Group Policy.
What we have seen since the deployment of SEP 11.x:
1. Immediately after deploying SEP 11.x, the Application Log on the Terminal Server recorded an ongoing battle between UPHClean and Symantec Antivirus. This was recorded as four consecutive Event ID 45 entries with Symantec Antivirus as the source:
SYMANTEC TAMPER PROTECTION ALERT
Target: C:\Program Files\Symantec AntiVirus\Rtvscan.exe
Event Info: Suspend Thread
Action Taken: Logged
Actor Process: C:\Program Files\UPHClean\uphclean.exe (PID 2336)
Time: Thursday, April 23, 2009 10:47:57 AM
These Event ID 45 entries were logged immediately after a user would log off and UPHClean would attempt to clean up any processes holding their profiles (Event ID 1401):
The following handles in user profile hive UNCLASS\<username> have been remapped because they were preventing the profile from unloading successfully:
Rtvscan.exe (2032)
HKCU\Software\Symantec\Symantec Endpoint Protection\AV\Custom Tasks (0x9d8)
We believe that we eventually got around this issue by creating a Central Exception with the fully qualified path to UPHClean.exe specified. Once we configured this exception properly, we no longer saw the Event ID 45 events from Symantec AntiVirus.
2. About two weeks ago, we had two new problems pop up:
- We'd receive about six calls per day from users indicating that Mozilla Thunderbird was acting as if they didn't have an Email account configured. After researching this issue, we found that the prefs.js file in the user's Mozilla Thunderbird profile was being corrupted. We would restore from backup and the user could continue. After several days of this, we decided to create a Central Exception for the "js" extension. We have not seen the prefs.js problem since adding this exception on the Terminal Server.
- About 30% of our users each day reported problems with logging in to the Terminal Server. When we would review the Application Log on the Terminal Server, we would see Events 1508 and 1500 logged:
Event 1508
Windows was unable to load the registry. This is often caused by insufficient memory or insufficient security rights.
DETAIL - Insufficient system resources exist to complete the requested service. for C:\Documents and Settings\jdfryer\ntuser.dat
Event 1500
Windows cannot log you on because your profile cannot be loaded. Check that you are connected to the network, or that your network is functioning correctly. If this problem persists, contact your network administrator.
DETAIL - Insufficient system resources exist to complete the requested service.
This problem would happen for various users over about a 10 minute period and then go away for a random amount of time. Then, it would pop up again for some users and then stop happening again. This continued until we added a Central Exception for the "dat" extension. Since doing that, we haven't seen this issue on the Terminal Server.
3. The final problem still occurs, but we have just this morning added a few more exceptions in an attempt to work around it. What we are seeing is that when some users log off, their profiles are not being replicated back to the file server properly. This appears as Events 1509 and 1504 in the Application Log on the Terminal Server:
Event 1509
Windows cannot copy file C:\Documents and Settings\user1\NTUSER.DAT to location \\server1\UserProfiles\user1\UN-DOC\NTUSER.DAT. Possible causes of this error include network problems or insufficient security rights. If this problem persists, contact your network administrator.
DETAIL - The process cannot access the file because it is being used by another process
Event 1504
Windows cannot copy file C:\Documents and Settings\user1\NTUSER.DAT to location \\server1\UserProfiles\user1\UN-DOC\NTUSER.DAT. Possible causes of this error include network problems or insufficient security rights. If this problem persists, contact your network administrator.
DETAIL - The process cannot access the file because it is being used by another process
It seemed to us that this time a process on the File Server was holding open the user's NTUSER.DAT file and therefore the profile could not be replicated back properly. We are attempting to work around this problem by adding a Central Exception for the "dat" extension under SEP 11.x running on the File Server. So far, we have not seen this work-around help to resolve the issue.
A few notes:
1. I appreciate the ability to add a Central Exception for a file with a fully qualified path and for an extension, but what is missing is the ability to add a Central Exception for a file name (e.g., NTUSER.DAT, prefs.js, etc.). It is not practical for us to attempt to add an exception for each user's roaming profile path and Thunderbird profile path as this would create a huge exception list for us. Also, having an exception for the "js" extension scares me quite a bit.
2. Why does it appear that the issue with Roaming Profiles and Symantec AV has returned in SEP 11.x? Please see:
http://service1.symantec.com/SUPPORT/ent-security.nsf/0/d43f351f6888fd8b882571e2005545ee?OpenDocument
We did have this problem under SAV 10.1 and it was resolved when we installed the Maintenance Patch specified in this article. However, now it appears that the problem is back in SEP 11.x and so far, it has not been resolved. There are other forum postings concerning this issue:
http://www.symantec.com/connect/forums/endpoint-preventing-profiles-being-unloaded-terminal-server
http://www.symantec.com/connect/forums/sep-mr4-stumped
Sorry for the extra long posting, but I wanted to get as much information out there about this as possible. Thanks.
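Added example, not part of the post above: a small Python triage script over a constructed export of Application Log entries (the pipe-separated line format is an assumption), which pulls the process/registry-key pairs UPHClean had to remap out of Event 1401 and clusters the 1508/1500/1509/1504 profile failures into the roughly 10-minute bursts the post describes, so the effect of each Central Exception can be measured from the log rather than from help-desk call volume.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
# Constructed sample export of the Terminal Server's Application Log (not from the post's servers),
# one event per line in an assumed "<timestamp>|<source>|<event id>|<message>" format.
SAMPLE_LOG = """\
2009-04-23 10:47:50|UPHClean|1401|The following handles in user profile hive UNCLASS\\user1 have been remapped because they were preventing the profile from unloading successfully: Rtvscan.exe (2032) HKCU\\Software\\Symantec\\Symantec Endpoint Protection\\AV\\Custom Tasks (0x9d8)
2009-04-23 11:02:10|Userenv|1508|Windows was unable to load the registry. DETAIL - Insufficient system resources exist to complete the requested service. for C:\\Documents and Settings\\user2\\ntuser.dat
2009-04-23 11:02:11|Userenv|1500|Windows cannot log you on because your profile cannot be loaded. DETAIL - Insufficient system resources exist to complete the requested service.
2009-04-23 11:05:40|Userenv|1508|Windows was unable to load the registry. DETAIL - Insufficient system resources exist to complete the requested service. for C:\\Documents and Settings\\user3\\ntuser.dat
2009-04-23 13:30:00|Userenv|1509|Windows cannot copy file C:\\Documents and Settings\\user1\\NTUSER.DAT to location \\\\server1\\UserProfiles\\user1\\UN-DOC\\NTUSER.DAT. DETAIL - The process cannot access the file because it is being used by another process
"""

PROFILE_FAILURE_IDS = {1508, 1500, 1509, 1504}  # hive load failures and copy-back failures from the post
HOLDER_RE = re.compile(r"(\S+\.exe) \((\d+)\)\s+(HKCU\\.+?)\s+\(0x[0-9a-f]+\)", re.I)  # "exe (pid) key (0xhandle)"
USER_RE = re.compile(r"Documents and Settings\\([^\\]+)\\", re.I)  # profile owner from the ntuser.dat path

def parse_events(text):
    """Split the export into dicts; the timestamp becomes a datetime, the event id an int."""
    events = []
    for line in text.splitlines():
        ts, source, eid, msg = line.split("|", 3)
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "source": source, "id": int(eid), "msg": msg})
    return events

def hive_holders(events):
    """Process / registry-key pairs that UPHClean (Event 1401) had to remap, with counts."""
    holders = Counter()
    for ev in events:
        if ev["source"] == "UPHClean" and ev["id"] == 1401:
            for exe, _pid, key in HOLDER_RE.findall(ev["msg"]):
                holders[(exe, key)] += 1
    return holders

def profile_failure_bursts(events, window=timedelta(minutes=10)):
    """Cluster profile failures into bursts (new burst when the gap exceeds the window); returns (start, end, count, users)."""
    bursts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["id"] not in PROFILE_FAILURE_IDS:
            continue
        users = set(USER_RE.findall(ev["msg"]))  # 1500 carries no path, so it adds no user
        if bursts and ev["ts"] - bursts[-1][1] <= window:
            start, _end, count, seen = bursts[-1]
            bursts[-1] = (start, ev["ts"], count + 1, seen | users)
        else:
            bursts.append((ev["ts"], ev["ts"], 1, users))
    return bursts
```

Running it against a real export and comparing burst counts before and after each exception is added shows whether the "dat" exception on the File Server actually changed anything.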