Endpoint Protection

Good morning, I am getting this on a server and I have removed and reinstalled SEP. What could be caused this? The server goes offline and stops reporting to the SEPM, the green dot is yellow. Any idea what can be the causeof this?

Does it come back online at all? How long has it been? Try a repair first.

here is a screen of what I have.

Tried a repair?

I did a cleanwipe and a reinstallation. I have been out for a week, and I still see that this is happening. It is causing the server to generate several GFI alerts. I am not even 100% sure it is related to SEP.

See if a repair helps

Ok, running some disk diags now. Never had this happend before.

I am missing the points.  It stinks that we all have to suffer due to abusers.

Log Name:      Application
Source:        Application Error
Date:          6/9/2014 8:52:18 AM
Event ID:      1000
Task Category: (100)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:     SERVER
Description:
Faulting application name: Smc.exe, version: 12.1.4100.4126, time stamp: 0x532a1a5e
Faulting module name: ntdll.dll, version: 6.1.7601.17725, time stamp: 0x4ec4aa8e
Exception code: 0xc0000005
Fault offset: 0x00000000000532d0
Faulting process id: 0x1844
Faulting application start time: 0x01cf83e09cbc03a7
Faulting application path: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.4100.4126.105\Bin64\Smc.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: e2ef2e63-efd4-11e3-b37f-e4115be5f48d
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Application Error" />
    <EventID Qualifiers="0">1000</EventID>
    <Level>2</Level>
    <Task>100</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2014-06-09T12:52:18.000000000Z" />
    <EventRecordID>1634834</EventRecordID>
    <Channel>Application</Channel>
    <Computer>SERVER/Computer>
    <Security />
  </System>
  <EventData>
    <Data>Smc.exe</Data>
    <Data>12.1.4100.4126</Data>
    <Data>532a1a5e</Data>
    <Data>ntdll.dll</Data>
    <Data>6.1.7601.17725</Data>
    <Data>4ec4aa8e</Data>
    <Data>c0000005</Data>
    <Data>00000000000532d0</Data>
    <Data>1844</Data>
    <Data>01cf83e09cbc03a7</Data>
    <Data>C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.4100.4126.105\Bin64\Smc.exe</Data>
    <Data>C:\Windows\SYSTEM32\ntdll.dll</Data>
    <Data>e2ef2e63-efd4-11e3-b37f-e4115be5f48d</Data>
  </EventData>
</Event>

Seems to be a server OS, check if it is a GUP

The SMC.exe processes crashes on Symantec Endpoint Protection 12.1 RU4 when Group Update Provider functionality is enabled

This a GUP?

Log Name:      Application
Source:        Application Error
Date:          6/9/2014 8:44:54 AM
Event ID:      1000
Task Category: (100)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      SERVER.DOMAIN
Description:
Faulting application name: Smc.exe, version: 12.1.4100.4126, time stamp: 0x532a1a5e
Faulting module name: GUProxy.plg, version: 12.1.4100.4126, time stamp: 0x532a1b1f
Exception code: 0xc0000005
Fault offset: 0x000000000001558e
Faulting process id: 0x1ecc
Faulting application start time: 0x01cf83dd63fe627c
Faulting application path: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.4100.4126.105\Bin64\Smc.exe
Faulting module path: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.4100.4126.105\Bin64\GUProxy.plg
Report Id: da547973-efd3-11e3-b37f-e4115be5f48d
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Application Error" />
    <EventID Qualifiers="0">1000</EventID>
    <Level>2</Level>
    <Task>100</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2014-06-09T12:44:54.000000000Z" />
    <EventRecordID>1634829</EventRecordID>
    <Channel>Application</Channel>
    <Computer>SERVER.DOMAIN</Computer>
    <Security />
  </System>
  <EventData>
    <Data>Smc.exe</Data>
    <Data>12.1.4100.4126</Data>
    <Data>532a1a5e</Data>
    <Data>GUProxy.plg</Data>
    <Data>12.1.4100.4126</Data>
    <Data>532a1b1f</Data>
    <Data>c0000005</Data>
    <Data>000000000001558e</Data>
    <Data>1ecc</Data>
    <Data>01cf83dd63fe627c</Data>
    <Data>C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.4100.4126.105\Bin64\Smc.exe</Data>
    <Data>C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.4100.4126.105\Bin64\GUProxy.plg</Data>
    <Data>da547973-efd3-11e3-b37f-e4115be5f48d</Data>
  </EventData>
</Event>

Yes, it is GUP.

Yes, it is supposed to be.

Yep, known issue...see HighTower's post:

https://www-secure.symantec.com/connect/forums/gup-symantec-management-client-crashing

Gotta rollback to 12.1.2 until it gets fixed

Official Symantec KB article here:

http://www.symantec.com/docs/TECH213461

If this is a GUP, it's aknown issue...this was posted last week:

https://www-secure.symantec.com/connect/forums/gup-symantec-management-client-crashing

OH SHEESH, just my luck

Solution

I have like 30 GUP's, why this one? Case opening time.

Yep.

Was talking to Justin about it, he rolled back to 12.1.2 and working fine

rollback to any previous version, till we get SEP 12..1.5 release notes.. No other option...

It's a known issue so they will tell you to rollback to an earlier version if you're on the affected version.

I hope this doesn't happen on all of my GUPs

If they're on the affected version, the possibility exists...may want to spot check some....

Getting this when trying to open a case

	We are unable to find the correct support entitlement. Please continue to create your case by selecting ‘My Account is not listed’ and providing the additional information requested in the box below. This will help us locate the appropriate account and support entitlement.

My account is not listed or the account information is incorrect.
 

https://support.broadcom.com 

Got it. Thank you.

I have opened a support case. They may as well be in the loop, I guess I will just roll it back.

About all you can do for now :/

I made another server a GUP, if it takes too much BW, I guess I can make a client a GUP.

It's not on the affected though right?

Sorry, not sure what you mean sir...

For the GUP you just setup, it's not running the affected 12.1.4 version? Is it running 12.1.2 or lower?

It is, it has been for a while on the 12.1.4. Not all GUP's are encountering this issue.

Interesting...still on an affected version so it *could* potentially break

OK, Symantec is now involved.

The questions I have are

1. Why this specific server?

2. Why are none of the other GUP's having this issue?

3. Will this start to happen on other GUP's or will they be stable?

1. It could be any server which is on the affected version(s).
2. Not sure.
3. If on the affected version, the potential is there to break as well.

I am making a client the GUP for now, let's see how well that holds up. Since the server is no longer a GUP, it has the green dot again and appears to be normal.

I made a W7 Client a GUP, so far so good. So I guess this is specific to a Server O/S

Give it time :)

I am begining to wonder if this has something to do with a previous installation. Even though I did a cleanwipe, I still see a lot of "Installer" files in the Windows directory. 

This is not specific to servers, it is specific to any client that is a GUP. I tried on a Windows 7 and the same thing happened.

I can't wait for the next version for this to be fixed and something else will be broken. :-)