Endpoint Protection


UAC issue with 14.2.4814.1101 on Win 10 PC

  • 1.  UAC issue with 14.2.4814.1101 on Win 10 PC

    Posted Aug 22, 2019 03:53 PM

    Hi all,

    I have been slowly pushing out 14.2.4814.1101 to our machines.  Most are Win 7 and a few are running Win 10.  I have experienced no issues until yesterday.   We have one PC running Win 10 Pro 1903 with the Hyper-V feature enabled.  The PC is running one Win 2012 Server VM which is the SEP Management console.  The host machine was running 14.2.4811.1100 with no issues.   When .1101 was installed and the machine rebooted, I started receiving a red User Account Control warning:

    “This app has been blocked for your protection.  An administrator has blocked you from running this app.  For more information contact the administrator   mmc.exe”

    I have received the error when trying to open the Hyper-V mmc console and going into other areas that use mmc.exe such as device manager.  I tried some of the suggested solutions I found on the web with no success.  Fortunately, I use Veritas System Recovery and was able to restore the disk image before .1101 was installed.  Here are the results of some testing I have done.

    1. I uninstalled .1100 and have uninstalled .1100 using clean wipe.  A fresh install of .1101 creates the UAC issue.
    2. If I sign in with built-in Administrator account, the error disappears.
    3. I created a new user with administrative rights and the UAC error continues.
    4. When I uninstall .1101, the problem continues.  I must restore an image back to .1100.
    5. As a control test, after uninstalling .1100 I pushed out .1100 again and it installs with no UAC issues. The problem ONLY occurs when .1101 is installed clean or as an upgrade.
    6. I removed the Hyper-V feature and installed .1101.  UAC error continues.
    7. I installed a “generic” unmanaged version of .1101 and the UAC error continues.
    8. When I try to uninstall .1101 it fails and rolls back.  Clean wipe occasionally fails too.  The only trusted recovery is restoring the .1100 disk image. 

    Unfortunately, restoring an image takes approx. 40 minutes, so testing has been a slow, tedious procedure.  I get one test per image restore.  I will be creating a support case but wanted to throw this out for comments or suggestions.  I certainly hope I will not have to refresh Windows and start over.   I NEVER have had an issue with this machine until .1101 was installed.  A couple of weeks ago the pc was upgraded from Win 10 1809 to 1903.  Several other machines are running 1903 and .1101 has installed with no issues.



  • 2.  RE: UAC issue with 14.2.4814.1101 on Win 10 PC

    Posted Aug 26, 2019 03:57 PM

    I'm having the exact same problem.  I have a case open with support, but nothing as of yet.

    I can get mmc applications to run if I first start a command prompt as Administrator, then run the command to start it from there.  I can also adjust either local, or domain policy as below, and get mmc apps to run.

    1. Open Run and type: secpol.msc

    2. Click on Local Policies | Security Options

    3. Look for, and right-click User Account Control: Run all administrators in Admin Approval Mode

    4. Select properties and then Disable



  • 3.  RE: UAC issue with 14.2.4814.1101 on Win 10 PC

    Posted Aug 26, 2019 04:26 PM

    @Shuley

    Thanks for the input.  I will file away the Security Policy change in my bag of tricks.  I would appreciate it if you would let us know what support finally has to say to resolve the problem.  I decided not to open a case and, instead, refreshed 1903 Windows.  The PC had a lot of unnecessary software on it so I viewed the refresh as a good solution to start over.  After the refresh I enabled Hyper-V and imported the Management Server VM.  I reinstalled the SEP Client on the host and had no issues with the mmc.exe.  The VM is running with no issues.

    Are you also running Hyper-V?



  • 4.  RE: UAC issue with 14.2.4814.1101 on Win 10 PC

    Posted Aug 27, 2019 01:31 PM

    I have mostly physical workstations, and one Hyper-V that displays the issue.  All on a domain.  I have not been able to successfully uninstall SEP.  I had to use the CleanWipe utility, and even that threw errors.  Even after that, I still couldn't run mmc apps.  I also cannot successfully get a clean install of SEP on the PC.  The teefer (firewall) driver will not install correctly.  It (SEP 14.2.4814.1101) also killed our WSUS server.  I have one standalone laptop that has never been on the domain that displays the same issue.  So it's not a domain GPO issue.



  • 5.  RE: UAC issue with 14.2.4814.1101 on Win 10 PC

    Posted Aug 28, 2019 11:09 AM

    @Shuley

    The symptoms you are describing are identical to what I encountered. My VM host is a standalone Workgroup machine.  CleanWipe was problematic and even after I could get a successful uninstall the mmc problem persisted.  In my case the only solution was to restore a backup image and try again.  I restored approximately 20 times as I tried different strategies to get a working install.  I also had troubles with the firewall driver.  Given that the SEP Manager was running in a VM on that host, I decided the Windows refresh would be the fastest way to get me up and running.  The only other alternative was to stay on the older version of the client which I did not want to do.

    As an additional FYI,  I made a checkpoint of the VM running the SEP Manager and then tried an upgrade install of 14.2.4814.1101.  Fortunately, the install was successful.  Please keep us (me) updated on your case.  I am concerned there is some sort of bug that could appear again.

    Thanks!



  • 6.  RE: UAC issue with 14.2.4814.1101 on Win 10 PC

    Posted Sep 01, 2019 08:24 PM

    I too have the same exact issue with UAC



  • 7.  RE: UAC issue with 14.2.4814.1101 on Win 10 PC

    Posted Sep 03, 2019 01:04 PM

    So for those that have had issues, is it specifically only on machines that are running the HyperV feature? Or even on some where it's not installed (such as running VMware Workstation or whatever)?



  • 8.  RE: UAC issue with 14.2.4814.1101 on Win 10 PC

    Posted Sep 04, 2019 09:50 AM

    It is not connected to the HyperV feature.  I have this issue on physical PC's, and a standalone laptop.  Not all systems that have been upgraded have issues.  There are a few that seem OK.



  • 9.  RE: UAC issue with 14.2.4814.1101 on Win 10 PC

    Posted Sep 05, 2019 11:03 AM

    I am also having issues with the SEP Client 14.2.4814.1101. Our wipe and load task sequence is getting stuck in provisioning mode and will not boot into Windows; it does not happen to every machine. Once I reverted back to the older client the TS works just fine.



  • 10.  RE: UAC issue with 14.2.4814.1101 on Win 10 PC

    Posted Sep 17, 2019 01:11 PM

    Has anyone found a solution to this issue? Besides the machines that have Hyper-V installed, we have machines that do not have Hyper-V installed with the same issue. Symantec support has been useless so far. They keep stating that we need to go to Microsoft for a solution because once Symantec is uninstalled the same issue persists, so it can't be Symantec; that is according to them. The Symantec upgrade to the latest version (1101) broke Windows.


  • 11.  RE: UAC issue with 14.2.4814.1101 on Win 10 PC

    Posted Sep 17, 2019 07:14 PM

    Symantec, NOT the user, should be reaching out to Microsoft.  If support is pushing it off, shame on them.  SEP 4814.1101 must have an issue and the fact that an uninstall or CleanWipe can fail is very suspicious. We have several Windows 2012 servers running Hyper-V and I have not dared to install the latest version of SEP.  It would be helpful if someone from Symantec would respond.



  • 12.  RE: UAC issue with 14.2.4814.1101 on Win 10 PC

    Posted Sep 19, 2019 04:47 AM

    We're having the same issue with about 20 installations.

    Fresh installations of 14.2.4814.1101 do seem to work without issues.
    Upgrading from a previous version to 14.2.4814.1101 kills access to mmc.exe.

    I currently have a machine where I did a hard disk image before upgrading and can reproduce the issue by upgrading.



  • 13.  RE: UAC issue with 14.2.4814.1101 on Win 10 PC

    Posted Sep 19, 2019 03:54 PM

    Our Windows systems (both server 2016/2019, and workstation (Windows 10)) that SEEM to be working OK with the new version of Symantec are not able to install Windows Updates correctly.

    Again, if we attempt to uninstall the new version, it fails.  CleanWipe doesn't cleanly wipe Symantec.  Upon attempting to install any version of Symantec on these systems, I am unable to install the firewall driver.  Symantec support has been bumping my ticket daily, but no progress (or even comments).



  • 14.  RE: UAC issue with 14.2.4814.1101 on Win 10 PC

    Broadcom Employee
    Posted Sep 19, 2019 06:23 PM

    This is being investigated by our Development team. I will keep everyone updated here.



  • 15.  RE: UAC issue with 14.2.4814.1101 on Win 10 PC

    Broadcom Employee
    Posted Sep 19, 2019 07:05 PM

    Please subscribe to this KB for the latest updates as well.

    https://support.symantec.com/us/en/article.TECH256355.html?



  • 16.  RE: UAC issue with 14.2.4814.1101 on Win 10 PC

    Posted Sep 19, 2019 07:17 PM

    Thank you John.



  • 17.  RE: UAC issue with 14.2.4814.1101 on Win 10 PC

    Broadcom Employee
    Posted Sep 19, 2019 07:24 PM

    Please share your case numbers as well so I can get them where they need to be. 

    Has anyone tried removing the ADC feature and rebooting to see if access comes back?

     

     

    A good data set to collect for this issue would be:

    1. Enable Verbose WPP logging (In Symdiag)

    2. Run Procmon at the same time.

    3. Try to run the application that is being blocked. mmc.exe for example.

    4. Wait for the error to happen.

    5. Upload this data to your case or open a case with this data ready to be uploaded.



  • 18.  RE: UAC issue with 14.2.4814.1101 on Win 10 PC

    Posted Sep 20, 2019 03:23 AM

    Thanks for the update, John!

    Our case number is 30391743.

    I'll try your suggestion on an affected machine right away and see if I can collect any meaningful data.



  • 19.  RE: UAC issue with 14.2.4814.1101 on Win 10 PC

    Posted Sep 20, 2019 07:39 AM

    I updated case 30391743 with advanced diagnostics data (SymDiag WPP logging and Procmon Log).

    Please do not hesitate to contact me if you need further assistance in tracing down the issue.



  • 20.  RE: UAC issue with 14.2.4814.1101 on Win 10 PC

    Posted Sep 20, 2019 09:24 AM

    Case: 30332505.  These logs are already in the case.

    I have subscribed to the KB and look forward to some movement on this. Thanks.

    As you can see from this thread, it's much more than just mmc that's a problem.

    We are starting to rebuild systems from scratch to get them loaded with the old version of Symantec.  On my, and other PC’s with the new version, I cannot install the latest Windows Updates as I get an error.  This seems to be tied to this issue as well.  We have reloaded our WSUS server from scratch as it was damaged by the Symantec install as well.



  • 21.  RE: UAC issue with 14.2.4814.1101 on Win 10 PC

    Posted Sep 20, 2019 09:34 AM

    John,

    Case number: 30469207. We already uploaded logs to the case.

    Same issues with the other guys. We cannot update windows security patches either to these machines. mmc applications get blocked.

    We noticed that the cryptographic services is broken. Event ID 257 CAPI2 is showing up stating cryptographic services failed to initialize the catalog services. The ESENT error was -1805. These events started when .1101 got upgraded on the machines and they rebooted. Some further research showed that the following folder contains a database that is controlled by the cryptographic services:

    C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}

    The database never gets regenerated or updated.


  • 22.  RE: UAC issue with 14.2.4814.1101 on Win 10 PC

    Broadcom Employee
    Posted Sep 20, 2019 01:40 PM

    Thank you. We have found a possible workaround while we work through this.

     

    1. Launch Powershell as Administrator.

    2. Launch any mmc from there.

     

    Let me know if it works for all of you.

    Thanks,

    John



  • 23.  RE: UAC issue with 14.2.4814.1101 on Win 10 PC

    Broadcom Employee
    Posted Sep 20, 2019 02:14 PM

    If Windows Updates or installing Windows Components is not working can you give me some examples of the errors you are seeing? Is it failing during download or during processing? Has any data been uploaded to cases when this process fails?  We are not sure this is related or not so any details would be helpful.

     



  • 24.  RE: UAC issue with 14.2.4814.1101 on Win 10 PC

    Posted Sep 20, 2019 02:40 PM

    We are having the same problems with about 200 Windows 10 build 1903 systems that upgraded to version 14.2.4814.1101.  We halted the upgrade process after that so that our remaining 2000 systems are still on version 14.2.4811.1100 (which seems OK).

    We logged a case with Symantec and have downloaded logs as well.  Case 30451676

    What conditions cause the SEP client problem?  It appears that it takes a combination of things to have the problem:

    1. You must be running Windows 10 build 1903 that has been upgraded from at least one or more previous Windows 10 builds.  A fresh install of Windows 10 build 1903 seems to be OK.
    2. You must either upgrade or do a fresh install of the latest SEP client (i.e. version 14.2.4814.1101).  Installation of previous builds of the SEP client are OK.
    3. Our other OS's (Windows 7 and Windows Server 2012 R2) are not affected by this problem.

    What problems do we see?

    1. Applications like MMC.EXE or any application that uses MMC (like Event Viewer or Services) fail to start with a message that says:  This application has been blocked for your protection.
    2. The SEP client cannot be uninstalled or re-installed without error.  From what I can tell, the Teefer service (i.e. the firewall link into the OS) fails to uninstall or reinstall.
    3. Even after using CleanWipe to remove the SEP client, the problems still exist.  This indicates that the SEP client was not fully removed or changes made to the OS were not fully reverted.
    4. Other applications may also fail to install or update.  For example, I tried to do a nVidia driver update which failed.
    5. There are numerous errors in both the Application and System event logs that are not normally there if the system is operating normally.  I am not sure how much this affects system performance, but it can’t be good.
    6. I suspect there are other issues, but those are the ones I have seen and can replicate.

    I hope Symantec can find a fix soon, or we will be rebuilding a lot of systems.
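
Added example, not part of the original thread and not Symantec's tooling: a read-only PowerShell triage that checks one machine for the symptoms reported above (the affected SEP build, CAPI2 event 257, a stale catroot2 catalog database) and whether the Admin Approval Mode workaround from post 2 is still in place. The function names and the lookup of the SEP version through the uninstall registry keys are assumptions.

```powershell
# Added triage example (not from the thread). Read-only: it changes nothing.
# Run from an elevated PowerShell prompt on the machine being checked.
$AffectedBuild = '14.2.4814.1101'   # build reported as problematic in this thread
$FixedBuild    = '14.2.4815.1101'   # hotfix build reported in this thread

function Get-SepVersion {
    # Assumption: SEP registers a DisplayName starting with this string
    # and a DisplayVersion in the same format the thread uses.
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $roots -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Symantec Endpoint Protection*' } |
        Select-Object -First 1 -ExpandProperty DisplayVersion
}

function Get-Capi2CatalogErrors {
    # CAPI2 event 257: Cryptographic Services failed to initialize the catalog database.
    param([int]$Days = 30)
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-CAPI2'
        Id           = 257
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
}

function Get-CatalogDbLastWrite {
    # Newest write time in the catalog database folder named in post 21.
    $dir = Join-Path $env:SystemRoot 'System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}'
    Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending |
        Select-Object -First 1 -ExpandProperty LastWriteTime
}

function Test-AdminApprovalMode {
    # EnableLUA backs "User Account Control: Run all administrators in
    # Admin Approval Mode"; 0 means the policy has been disabled.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $v = (Get-ItemProperty -Path $key -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
    $v -ne 0
}

$sep    = Get-SepVersion
$events = Get-Capi2CatalogErrors   # Get-WinEvent returns newest events first
$report = [pscustomobject]@{
    Computer            = $env:COMPUTERNAME
    WindowsReleaseId    = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').ReleaseId
    SepVersion          = $sep
    OnAffectedBuild     = ($sep -eq $AffectedBuild)
    OnHotfixBuild       = ($sep -eq $FixedBuild)
    Capi2Event257Count  = $events.Count
    LastCapi2Event257   = ($events | Select-Object -First 1).TimeCreated
    CatalogDbLastWrite  = (Get-CatalogDbLastWrite)
    AdminApprovalModeOn = (Test-AdminApprovalMode)
}
$report | Format-List

if (-not $report.AdminApprovalModeOn) {
    Write-Warning 'Admin Approval Mode is disabled (the secpol.msc workaround); re-enable it once the hotfix build is installed.'
}
```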



  • 25.  RE: UAC issue with 14.2.4814.1101 on Win 10 PC

    Broadcom Employee
    Posted Sep 20, 2019 03:14 PM

    If anyone can post exact Windows Updates not updating that would be useful.

    I have reports of the following:
     

    Security Update for Windows (KB4516115).

    Security Update for Windows (KB4512575)

    Security Update for Windows (KB4516066).



  • 26.  RE: UAC issue with 14.2.4814.1101 on Win 10 PC

    Posted Sep 20, 2019 03:47 PM

    These are the ones that we have issues with.

    Cumulative Update for Windows Server 2016 for x64-based Systems (KB4516044)
    Cumulative Update for Windows 10 Version 1903 for x64-based Systems (KB4515384)
    Cumulative Update for .NET Framework 3.5, 4.7.2 and 4.8 for Windows Server 2019 for x64 (KB4514601)
    Cumulative Update for .NET Framework 4.8 for Windows Server 2016 for x64 (KB4514354)
    Servicing Stack Update for Windows Server 2016 for x64-based Systems (KB4512574)
    Servicing Stack Update for Windows Server 2019 for x64-based Systems (KB4512577)
    Security Update for Adobe Flash Player for Windows 10 Version 1903 for x64-based Systems (KB4516115)
    Cumulative Update for .NET Framework 3.5 and 4.8 for Windows 10 Version 1903 for x64 (KB4514359)
    Servicing Stack Update for Windows 10 Version 1903 for x64-based Systems (KB4515383)
     

     



  • 27.  RE: UAC issue with 14.2.4814.1101 on Win 10 PC

    Broadcom Employee
    Posted Sep 20, 2019 03:53 PM

    Shuley,

    Are they failing on Install or Download?



  • 28.  RE: UAC issue with 14.2.4814.1101 on Win 10 PC

    Posted Sep 23, 2019 04:14 AM

    I currently have the following Windows updates failing (on a Lenovo L560):

    Intel Corporation - HDC - 7/31/2019 12:00:00 AM - 15.9.8.1050 - Error 0x8007ffff
    Lenovo - System - 2/12/2019 12:00:00 AM - 10.0.88.0 - Error 0x8007ffff
    Microsoft .NET Framework 4.8 for Windows 10 Version 1803 for x64 (KB4486153) - Error 0x8000ffff

    I also just tried to install .NET Framework 3.5 via "Manage optional features", which also failed with 0x8000FFFF ("Catastrophic failure").

    All updates are failing during installation stage. The downloads seem to work fine (normal progress indication, then "installing...", then error).



  • 29.  RE: UAC issue with 14.2.4814.1101 on Win 10 PC
    Best Answer

    Broadcom Employee
    Posted Sep 23, 2019 02:00 PM

    Hello All,

    We have found the issue and have fixed it in a hotfix build for SEP 14.2 RU1 MP1. It should be available on My Symantec tomorrow. If you need the hotfix now, please open a case and request the 14.2 RU1 MP1 b4815 hotfix.

    Thanks,

    John Owens



  • 30.  RE: UAC issue with 14.2.4814.1101 on Win 10 PC

    Posted Sep 23, 2019 03:07 PM

    Thanks John.

    I got the hotfix and the instructions, but we are using the Cloud version 15 of Symantec. We do not use the on-prem SEPM. How do you get a hotfix applied to the cloud version?

     



  • 31.  RE: UAC issue with 14.2.4814.1101 on Win 10 PC

    Broadcom Employee
    Posted Sep 23, 2019 03:14 PM

    I am looking into that as of right now.  You may need to wait until the build is available for SEP 15 in the cloud portal.  That version is planned for early to mid November.



  • 32.  RE: UAC issue with 14.2.4814.1101 on Win 10 PC

    Broadcom Employee
    Posted Sep 23, 2019 03:39 PM

    How many SEP 15 clients are impacted?



  • 33.  RE: UAC issue with 14.2.4814.1101 on Win 10 PC

    Broadcom Employee
    Posted Sep 23, 2019 04:18 PM

    We will be refreshing the SEP 15 client packages with this hotfix build. They should be available in 2 days.



  • 34.  RE: UAC issue with 14.2.4814.1101 on Win 10 PC

    Posted Sep 23, 2019 04:58 PM

    I have downloaded and installed the new version hotfix "Version 14 (14.2 RU1 MP1) build 4815 (14.2.4815.1101)".

    On my Windows 10 box, it installed smoothly.  My mmc.exe apps run with User Account Control turned on.  My Windows Updates all installed smoothly.  My shield now has a green dot, and everything looks good.  I am pushing this version out to all other Windows 10 PC's, and don't expect any issues.

    The hotfix installs smoothly, as do Windows Updates on my WSUS server.  WSUS is running as normal again.

    I will continue to roll this out to the other servers, and then follow up with the remainder of my Windows 10 PC's.

    Thanks John.



  • 35.  RE: UAC issue with 14.2.4814.1101 on Win 10 PC

    Broadcom Employee
    Posted Sep 23, 2019 07:17 PM

    Good news. Very welcome Shuley!



  • 36.  RE: UAC issue with 14.2.4814.1101 on Win 10 PC

    Posted Sep 24, 2019 12:49 PM

    A couple of questions for clarification:

    Scenario 1   You have a machine that has been affected by the issue discussed in this topic and .4814 is STILL installed.  Will upgrading to .4815 resolve the UAC/updates issue?

    Scenario 2   You have a machine that has been affected by the issue discussed in this topic and .4814 has been uninstalled.  Will a fresh install of .4815 resolve the UAC/updates issue?

    Thanks!



  • 37.  RE: UAC issue with 14.2.4814.1101 on Win 10 PC

    Broadcom Employee
    Posted Sep 24, 2019 12:53 PM

    @CQ

    Yes and Yes.



  • 38.  RE: UAC issue with 14.2.4814.1101 on Win 10 PC
    Best Answer

    Broadcom Employee
    Posted Sep 24, 2019 07:21 PM

    The hotfix refresh build is now available on My Symantec as well.



  • 39.  RE: UAC issue with 14.2.4814.1101 on Win 10 PC

    Broadcom Employee
    Posted Sep 24, 2019 07:22 PM

    Please mark a solution on this thread if you would. Thanks!



  • 40.  RE: UAC issue with 14.2.4814.1101 on Win 10 PC

    Posted Oct 09, 2019 08:53 AM

    Hello Shuley, befrank, et al.,

     

    Have you noticed any other important issue on .4815?

    Are those commented known issues really solved on .4815?


    I was planning to upgrade to .4814, but maybe it's better to go to the latest, unless any other important bug comes out.

    Thank you.