Latest Win10 update corrupts SEP14

  • 1.  Latest Win10 update corrupts SEP14

    Posted Jan 03, 2018 10:35 PM

    The latest Microsoft patch for Windows 10 Fall Creators Update (1709, aka Build 16299) is causing Symantec Endpoint Protection 14.0 RU1 MP1 (14.0.3876.1100) to report "Product Error requires attention" and the SEP system tray icon to report "There are multiple problems (2)". I thought you might want to work with Microsoft or create another SEP patch to fix this issue.

     

    The patch I applied today, which you can get from the Microsoft Update Catalog and also through our corporate WSUS server downloads is KB4056892. After applying the patch, the Win10 version reports Build 16299.192.

    When I remove the above Microsoft patch, SEP 14 no longer reports errors.

    Please fix when you can.



  • 2.  RE: Latest Win10 update corrupts SEP14

    Posted Jan 04, 2018 01:27 AM

    https://support.microsoft.com/en-us/help/4056892

    Due to an issue with some versions of Anti-Virus software, this fix is only being made applicable to the machines where the Anti virus ISV has updated the ALLOW REGKEY.

    Contact your Anti-Virus AV to confirm that their software is compatible and have set the following REGKEY on the machine
    Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat"
    Value Name="cadca5fe-87d3-4b96-b7fb-a231484277cc"
    Type="REG_DWORD"
    Data="0x00000000"

     



  • 3.  RE: Latest Win10 update corrupts SEP14

    Trusted Advisor
    Posted Jan 04, 2018 02:12 AM

    Hello,

    A product fix has been released with the SEP 14.0 RU1 MP1 version.

    As a work-around, disable the Windows Firewall rules that are conflicting with SEP firewall. Disabling Windows Firewall entirely is not recommended, as this will also disable DirectAccess protections that are provided even when SEP is fully managing the Windows Firewall.

    See symantec.com/docs/TECH123729 for more details about the firewall categories that SEP normally manages.

    Check these Articles -

    Endpoint Protection is not managing Windows Firewall settings in Windows 10 Fall Creators Update

    https://support.symantec.com/en_US/article.TECH247987.html

    Endpoint Protection support for Windows 10 updates and Windows Server 2016

    https://support.symantec.com/en_US/article.TECH235458.html

    With Symantec Endpoint Protection Network Threat Protection installed, Windows 7 and later indicates that the Windows Firewall is still on

    https://support.symantec.com/en_US/article.TECH123729.html

    Hope that helps!!



  • 4.  RE: Latest Win10 update corrupts SEP14

    Posted Jan 04, 2018 03:39 AM

    @Mithun Sanghavi: This has nothing to do with the problem.



  • 5.  RE: Latest Win10 update corrupts SEP14

    Posted Jan 04, 2018 04:09 AM

    Related?

    "Symantec will be releasing ERASER engine version 117.3.0 for Symantec Endpoint Protection 12.1 and 14 on January 4, 2018 to address a compatibility issue related to an out-of-band Microsoft Update released on January 3, 2018. This will be a full release. We strongly encourage all of our customers to apply the ERASER 117.3.0 prior to attempting to apply the January 3, 2018 Microsoft Update.

    The ERASER 117.3.0 update was originally planned to be released on January 8, however Symantec is releasing early to address a compatibility issue with the January 3, 2018 Microsoft Update."



  • 6.  RE: Latest Win10 update corrupts SEP14

    Trusted Advisor
    Posted Jan 04, 2018 04:14 AM

    @Mithun Sanghavi - I think you've misread/misunderstood his question...



  • 7.  RE: Latest Win10 update corrupts SEP14

    Trusted Advisor
    Posted Jan 04, 2018 04:14 AM

    Where did you see this from? Link?



  • 8.  RE: Latest Win10 update corrupts SEP14

    Posted Jan 04, 2018 04:21 AM

    Symantec BCS email notification



  • 9.  RE: Latest Win10 update corrupts SEP14

    Trusted Advisor
    Posted Jan 04, 2018 04:23 AM

    Thank you.



  • 10.  RE: Latest Win10 update corrupts SEP14

    Trusted Advisor
    Posted Jan 04, 2018 05:36 AM

    I've been in touch with Symantec support...looks like there are two patches. One is this ERASER, but is NOT related to the CPU security issue. The patch will be released next week. Very poor, I think.

    They have said:

    Symantec is aware of it and this is related to Intel firmware.
    At this time we are unable to verify if there are existing protections in place that may mitigate this issue. Given the lack of available details we cannot provide further comments at this time.
    As of now make sure you have SEP installed with full protection and latest definitions.

    The Eraser engine update is not related to this vulnerability.

    About Eraser engine:
    https://support.symantec.com/en_US/article.TECH191205.html 

    This update will be released for enterprise users on 8th of January. 


     



  • 11.  RE: Latest Win10 update corrupts SEP14

    Posted Jan 04, 2018 06:53 AM

    Hi HoosierDaddy68 and other followers of this thread,

    Thanks for the post.  We are looking into this now.  I will put a full update into this thread shortly. 

     

     



  • 12.  RE: Latest Win10 update corrupts SEP14

    Posted Jan 04, 2018 07:11 AM

    The information quoted by Tony, above, "The Eraser engine update is not related to this vulnerability" is not accurate. The Tech Support Engineer most likely meant that "this new Eraser update is not an AV signature against attempted exploitation of the vulnerabilities" but that's conjecture on my part. (Tony, feel free to PM me the case number and I'll make sure the TSE has the current details!)

    Also, the expected release date of 8th of January is no longer accurate- that ERASER Engine is indeed coming out today. No need to wait until next week.



  • 13.  RE: Latest Win10 update corrupts SEP14

    Posted Jan 04, 2018 07:21 AM

    I just updated some systems to SEP 14.0.1 MP1, some have the registry key QualityCompat after some time, others still don't have this key after an update and a reboot? Any suggestions? Urgent!
     



  • 14.  RE: Latest Win10 update corrupts SEP14

    Trusted Advisor
    Posted Jan 04, 2018 07:29 AM

    With the full permission from Symantec Support, here's what they have sent me:

     

    On January 04 2018, Symantec will be publishing an ERASER Engine update (117.3.0.358) to address a compatibility issue with a Microsoft Windows Update. (Time cannot be confirmed)

    Microsoft has published a number of Security Updates today to address the Meltdown and Spectre vulnerabilities. These updates contain a compatibility issue with Symantec Endpoint Protection’s ERASER engine, which necessitates that we move up the previously scheduled ERASER engine update. This ERASER engine release was originally targeted for 1/8/2018, but we are moving it up to 1/4/2018.
     
    Microsoft has implemented a check to verify the ERASER engine version that is currently loaded. If a version prior to 117.3.0.358 is detected, the update will not be visible to the end user. The update only becomes available once the ERASER engine update has been applied.
     
    In the unlikely event that a customer has managed to install the Windows Update without updating the ERASER engine to 117.3.0.358 or greater, they will encounter a Blue Screen of Death upon execution of an On-Demand, Scheduled, or Active Scan.
    Ensure that ERASER Engine 117.3.0.358 or greater has been applied before attempting to apply the Microsoft Security Updates intended to address the Meltdown and Spectre vulnerabilities.
     
    Once this update has been applied, instruct customers that they should NOT attempt to rollback definitions to anything prior to this set of definitions or they will encounter Blue Screen of Death upon execution of an On-Demand, Scheduled, or Active Scan.
     
    Ensure that all installation packages are either loaded with NO content or content that contains this ERASER engine update.

    Environment:

    Windows Server 2016 - KB4056890
    Windows Server 2012 R2 - KB4056898
    Windows Server 2012 - KB4056899
    Windows Server 2008 R2 SP1 - KB4056897

    Windows 10 1709 - KB4056892
    Windows 10 1703 - KB4056891
    Windows 10 1607 - KB4056890
    Windows 10 1511 - KB4056888
    Windows 10 - KB4056893

    Windows 8.1 - KB4056898

    Windows 7 SP1 - KB4056897



  • 15.  RE: Latest Win10 update corrupts SEP14

    Posted Jan 04, 2018 07:30 AM

    Mind you, that having this reg key doesn't solve "Product Error requires attention" error even with 14.0.3876.1100.
    These next few days are going to be fun... no they won't.



  • 16.  RE: Latest Win10 update corrupts SEP14

    Trusted Advisor
    Posted Jan 04, 2018 07:30 AM

    Basically, give it time for them to be updated.



  • 17.  RE: Latest Win10 update corrupts SEP14

    Trusted Advisor
    Posted Jan 04, 2018 07:31 AM

    Hi Mick,

    I received further reply from support, and he corrected what he said earlier. I also copied & pasted the latest update here too.

    Do you still want me to PM you the case number?

    Thanks for the replies.

    Tony



  • 18.  RE: Latest Win10 update corrupts SEP14

    Posted Jan 04, 2018 07:59 AM

    Ensure that all installation packages are either loaded with NO content or content that contains this ERASER engine update.

    So, but which download does really contain the ERASER engine update?

    ERASER is nowhere stated in the options of "Content Types to Download". Anyone?

    In fact, no presence of the relevant Regkey on our W7 workstations until now.



  • 19.  RE: Latest Win10 update corrupts SEP14

    Trusted Advisor
    Posted Jan 04, 2018 08:03 AM

    Hi flutti,

    I believe it was referring to the SEP install package as it would contain the defs in there (including the ERASER engine) - it's suggesting that if you were to deploy the SEP install package, it should contain no defs/contents with it or add the latest defs/contents that includes the latest ERASER engine update before deploying.



  • 20.  RE: Latest Win10 update corrupts SEP14

    Posted Jan 04, 2018 08:07 AM
    Adding for reference: https://docs.google.com/spreadsheets/d/184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ/htmlview?sle=true#gid=0


  • 21.  RE: Latest Win10 update corrupts SEP14

    Posted Jan 04, 2018 09:07 AM

    Hi HoosierDaddy68 and other followers of this thread,


    Thanks for the post.  From what I understand, yesterday's MS patch was (at least partly) in response to these vulnerabilities:


    Meltdown and Spectre
    https://meltdownattack.com/
     

    Reading privileged memory with a side-channel
    https://googleprojectzero.blogspot.ie/2018/01/reading-privileged-memory-with-side.html

    Microsoft have published an article warning of potential issues between this new patch and AV:

    Important information regarding the Windows security updates released on January 3, 2018 and anti-virus software
    https://support.microsoft.com/en-hk/help/4072699/important-information-regarding-the-windows-security-updates-released

    ERASER Engine 117.3.0.358 (or greater) is the latest available- I can confirm that when this Engine is downloaded and applied via LiveUpdate, the MS patch applies without problems. So: I recommend running LiveUpdate to receive the latest definitions for all components, then applying the MS patch.


    Definitions available now (1/4/2018 rev. 1, Sequence 189937) include this new Engine.  Here's how to check that it's in place:

    Hope this clears things up! &: )  To repeat my eternal mantra: "make sure your SEP definitions are up to date, make sure to apply all MS patches as soon as possible...."

    Stay safe, everybody!



  • 22.  RE: Latest Win10 update corrupts SEP14

    Posted Jan 04, 2018 09:42 AM

    So, looking at this older article on Eraser Updates

    https://support.symantec.com/en_US/article.TECH191205.html

     

    What EraserUtilDrv version should we be looking for at HKLM\System\CurrentControlSet\Services\eeCtrl\Parameters\Clients?

    EraserUtilDrv11730? 



  • 23.  RE: Latest Win10 update corrupts SEP14

    Posted Jan 04, 2018 09:59 AM

    I just did a live update on the server and it already rolled out the new Eraser engine 117.3.0.359 to my clients.



  • 24.  RE: Latest Win10 update corrupts SEP14

    Posted Jan 04, 2018 10:10 AM

    When can we expect a fix to the problem mentioned by HoosierDaddy68 in this thread?



  • 25.  RE: Latest Win10 update corrupts SEP14

    Trusted Advisor
    Posted Jan 04, 2018 10:10 AM

    Excellent stuff.



  • 26.  RE: Latest Win10 update corrupts SEP14

    Trusted Advisor
    Posted Jan 04, 2018 10:10 AM

    I've checked on a PC that has the latest ERASER engine and I can confirm it's EraserUtilDrv11730

    Previously, it was EraserUtilDrv11721, EraserUtilDrv11720 and EraserUtilDrv11710

    Hope this helps.
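
A local readiness check that combines the two registry locations quoted in this thread, written as an added PowerShell example rather than anything posted by a participant or published by Symantec or Microsoft. It assumes the `EraserUtilDrvNNNNN` entry may appear under `Clients` as either a value name or a subkey name (the thread does not say which) and that its numeric suffix rises with the engine version; the function names are hypothetical.

```powershell
# Added example: is this machine ready for the January 3, 2018 Windows update?
# Registry paths, the value name and the KB numbers are the ones quoted in the thread.
$QualityCompatPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$QualityCompatName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'
$EraserClientsPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\eeCtrl\Parameters\Clients'
$MinEraserTag      = 11730   # EraserUtilDrv11730, reported in the thread for the new engine
$ThreadKbs = 'KB4056888','KB4056890','KB4056891','KB4056892',
             'KB4056893','KB4056897','KB4056898','KB4056899'

function Test-QualityCompatKey {
    # True only when the value exists, is a REG_DWORD, and its data is 0.
    $key = Get-Item -LiteralPath $QualityCompatPath -ErrorAction SilentlyContinue
    if (-not $key) { return $false }
    if ($key.GetValueNames() -notcontains $QualityCompatName) { return $false }
    $kind = $key.GetValueKind($QualityCompatName)
    $data = $key.GetValue($QualityCompatName)
    return ($kind -eq [Microsoft.Win32.RegistryValueKind]::DWord -and $data -eq 0)
}

function Get-EraserClientNames {
    # Assumption: the entry may be a value name or a subkey name, so collect both.
    $key = Get-Item -LiteralPath $EraserClientsPath -ErrorAction SilentlyContinue
    if (-not $key) { return @() }
    @($key.GetValueNames()) + @($key.GetSubKeyNames())
}

function Get-EraserClientTag {
    param([string[]]$Names)
    # Pull the numeric suffix out of each EraserUtilDrvNNNNN name; return the highest.
    # Assumption: suffixes compare numerically (11710 < 11720 < 11721 < 11730).
    $tags = foreach ($n in $Names) {
        if ($n -match '^EraserUtilDrv(\d+)$') { [int]$Matches[1] }
    }
    if ($tags) { [int]($tags | Measure-Object -Maximum).Maximum } else { $null }
}

function Get-PatchReadiness {
    $compat      = Test-QualityCompatKey
    $tag         = Get-EraserClientTag -Names (Get-EraserClientNames)
    $eraserReady = ($null -ne $tag -and $tag -ge $MinEraserTag)
    $installed   = @(Get-HotFix -ErrorAction SilentlyContinue |
                     Where-Object { $ThreadKbs -contains $_.HotFixID } |
                     Select-Object -ExpandProperty HotFixID)

    $verdict = if ($installed.Count -gt 0 -and -not $eraserReady) {
        # Per the Symantec notice quoted in the thread: scans blue-screen in this state.
        'RISK: update installed but ERASER entry is older than EraserUtilDrv11730'
    } elseif (-not $eraserReady) {
        'HOLD: run LiveUpdate before applying the Windows update'
    } elseif (-not $compat) {
        'WAIT: engine is current but the QualityCompat value is not set'
    } else {
        'READY: engine is current and the QualityCompat value is set'
    }

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        QualityCompatSet = $compat
        EraserClientTag  = $tag
        InstalledKbs     = $installed -join ','
        Verdict          = $verdict
    }
}

Get-PatchReadiness | Format-List
```

As later posts in the thread report, a machine can pass both checks and still show the "Product Error requires attention" warning, so this covers only the update prerequisites.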



  • 27.  RE: Latest Win10 update corrupts SEP14

    Posted Jan 04, 2018 10:34 AM

    Well, the Eraser Engine Update and registry key DO NOT fix the SEP product reporting errors after the emergency MS patch is applied. Will anyone from Symantec actually look into the "Product Error requires attention" to begin my thread?



  • 28.  RE: Latest Win10 update corrupts SEP14

    Posted Jan 04, 2018 10:45 AM

    I tried to post an update, but for whatever reason it's not showing up. This "Eraser Engine" and registry key are NOT fixing the product error. I checked my Eraser Engine and it's .359, and the registry DWord is all zeros. Yet the error's still there.

    Someone serious at Symantec, please look into this. My Remedy tickets will go crazy at work when everyone gets notified of "Product error requires attention" all day long.

     



  • 29.  RE: Latest Win10 update corrupts SEP14

    Trusted Advisor
    Posted Jan 04, 2018 10:53 AM

    Your earlier post did show up, so not sure why you're not seeing it.

    Is it still showing up after downloading & installing the latest defs? And after rebooting?

    1/4/2018 rev. 1, Sequence 189937 - this is what you should see.



  • 30.  RE: Latest Win10 update corrupts SEP14

    Trusted Advisor
    Posted Jan 04, 2018 10:54 AM

    You could also try this def on the affected PC and see if it does resolve the issue.

    https://www.symantec.com/security_response/definitions/download/detail.jsp?gid=sep



  • 31.  RE: Latest Win10 update corrupts SEP14

    Posted Jan 04, 2018 10:59 AM

    Hi HoosierDaddy68,

    Please do contact Tech Support if you're having an issue that requires professional attention.  (Connect forums are intended for Peer-to-Peer help!)



  • 32.  RE: Latest Win10 update corrupts SEP14

    Posted Jan 04, 2018 11:13 AM

    How do we confirm the Eraser engine version on a client again?



  • 33.  RE: Latest Win10 update corrupts SEP14

    Posted Jan 04, 2018 11:20 AM

    We are having the same issue in our test group.

    Latest definitions from Symantec and latest Eraser engine. After a reboot when installing Windows update we are getting Product Error requires attention in Symantec.



  • 34.  RE: Latest Win10 update corrupts SEP14

    Posted Jan 04, 2018 11:32 AM

    Ok, support case opened, since this whole thread has gone completely off-topic.



  • 35.  RE: Latest Win10 update corrupts SEP14

    Posted Jan 04, 2018 11:35 AM

    Please keep us posted as I don't think Symantec wants to be bombarded with the same questions.



  • 36.  RE: Latest Win10 update corrupts SEP14

    Trusted Advisor
    Posted Jan 04, 2018 11:38 AM

    I wouldn't say that as both of them are still related.

    But I'm interested to know what they say about this, so please do keep us updated here.



  • 37.  RE: Latest Win10 update corrupts SEP14

    Posted Jan 04, 2018 11:38 AM

    Seeing the same situation here.

    Oddly, when I open the SEP client, it reports no problems detected.



  • 38.  RE: Latest Win10 update corrupts SEP14

    Posted Jan 04, 2018 11:41 AM

    Thanks Tony! I am seeing the same



  • 39.  RE: Latest Win10 update corrupts SEP14

    Posted Jan 04, 2018 12:15 PM

    Just to say that I'm getting the same as HoosierDaddy68. Latest defs (Eraser 117.3.0.359), but get "Product error requires attention" message for SEP once kb4056892 is installed. SEP taskbar icon displays the yellow dot of sadness with "There are multiple problems (2)". Status on the SEP window just says "No problems detected".



  • 40.  RE: Latest Win10 update corrupts SEP14

    Posted Jan 04, 2018 12:17 PM

    @HoosierDaddy68 - Thank you for opening this thread, we are also facing this issue. Please keep us up to date.

    Also we first did a LiveUpdate where the Eraser was updated to 117.3.0.359, and after installing MS patches it's giving us the same error "Product Error requires attention" after the reboot.

    If I can provide any more information, like the versions, let me know. Hope this issue gets fixed soon, else I'll also have to contact Symantec Support.

    Cheers



  • 41.  RE: Latest Win10 update corrupts SEP14

    Posted Jan 04, 2018 12:52 PM

    What is Symantec's guidance on the client version that must be in place? We have a mix of Win7/Win10 machines and are running, for the most part, SEP 12.1. Do we just let them auto-update their virus definition files and that is sufficient enough for the SEP clients to receive compatibility with Microsoft's patch (update the registry key, etc.)? 

    I installed MS's 1/3 patch on my Win10 system and am receiving the following message upon reboot when I tried to manually launch my SEP client (it wouldn't open automatically, oddly):

     

    "Symantec Endpoint Protection cannot open because some Symantec services are stopped. Restart the Symantec services, and then open Symantec Endpoint Protection".



  • 42.  RE: Latest Win10 update corrupts SEP14

    Posted Jan 04, 2018 01:01 PM

    What is Symantec's guidance on the SEP client version that must be in place? We have a mix of Win7/Win10 machines and are running, for the most part, SEP 12.1. Do we just let them auto-update their virus definition files to receive compatibility with Microsoft's patch? I see the attached error upon applying all Live updates to SEP client, applying the MS patch, then rebooting.

    Also, is the MS patch smart enough to not install (even if pushed via WUS or SCCM) if the Symantec client has not updated the regkey?

     

    Lastly, when is Symantec going to release an advisory page on this? We shouldn't have to research threads like this to find answers to something so critical...

     



  • 43.  RE: Latest Win10 update corrupts SEP14

    Broadcom Employee
    Posted Jan 04, 2018 01:04 PM

    The following article has been published, which offers additional info on this situation:

    http://www.symantec.com/docs/TECH248545

    Anonymous, in response to your question, simply allowing SEP 12.1 clients to receive Virus and Spyware definitions dated January 4th, 2018 rev 1 or newer will get them the necessary ERASER update.  I would try rebooting again on the system you mentioned which is getting the error launching the client UI, and ensure Symantec Endpoint Protection service is launching properly.  I am not aware of others encountering this specific symptom following this update. 

    In response to others who have posted about receiving the "Product Error requires attention" following these updates, if time allows please collect a full set of SymDiag data and open a Support case so we can look into this further:

    http://www.symantec.com/docs/TECH203029

    While I'm seeing a lot of mention of this behavior in the forums, we are not seeing many actual cases coming in for this symptom.  Thanks in advance to anyone who can open a case and provide us with some data. 

    I will circle back to this thread with any further updates as they become available. 



  • 44.  RE: Latest Win10 update corrupts SEP14

    Posted Jan 04, 2018 01:26 PM

    Hey Matt!

    I've opened a case file #13888041 and uploaded a full diag data.



  • 45.  RE: Latest Win10 update corrupts SEP14

    Posted Jan 04, 2018 01:32 PM

    Either the mods are deleting posts on here or this forum isn't acting right. I posted the same issue and a mod responded with a request for me to upload diagnostic data. Now my post and his are nowhere to be found on this thread.

    Message me if you want the case number...uploading diagnostic data to the ticket now.



  • 46.  RE: Latest Win10 update corrupts SEP14

    Posted Jan 04, 2018 01:34 PM

    Not sure if your mods are deleting posts or if your forum software just isn't working properly but my posts are disappearing even after Symantec responds to them. A response to one of my now-missing posts asked that I upload diagnostic data to a case ticket which I have now done. Let me know if you need the case#.



  • 47.  RE: Latest Win10 update corrupts SEP14

    Posted Jan 04, 2018 01:36 PM

    I opened case #13888833 and attached a full SymDiag as well.



  • 48.  RE: Latest Win10 update corrupts SEP14

    Posted Jan 04, 2018 01:54 PM

    @ Matt Mc

    Regarding your suggestion to use SymDiag, don't we need an updated SymDiag?  The last update was in November 2017 and running a current scan on a 14.0.3876.1100 install in Win10 16299.192 yields a warning that the SEP install is newer than the latest 14.0.3752.1000.  What's up with that?



  • 49.  RE: Latest Win10 update corrupts SEP14

    Posted Jan 04, 2018 02:10 PM

    Can anyone confirm whether the "Product Error requires attention" error means a computer is unprotected in any way? Talking specifically about a Windows 10 machine with latest ERASER engine and Microsoft Update. Other than the error displaying, what is the actual impact? Thank you



  • 50.  RE: Latest Win10 update corrupts SEP14

    Posted Jan 04, 2018 02:11 PM

    Hello, 

    Jumping in with the same issues. Tested on 14.0.3876.1100 version and result is the same "There are multiple problems (2)" after applying latest security MS patch on Windows 2016 DC Build 14393.2007. After uninstalling MS patch SEP problems disappear. 



  • 51.  RE: Latest Win10 update corrupts SEP14

    Broadcom Employee
    Posted Jan 04, 2018 02:12 PM

    @K. Petersons and jrippel: Thanks for the case numbers, I am ensuring these are properly advanced.  (Anonymous, I messaged you as well.) 

    @JOHN_B: It does sound like you need an updated copy of SymDiag (it should update automatically if you have internet access), but even using an outdated version will yield some useful data. 

    I also have some updated guidance as far as the specific data we are seeking for this issue.  If possible, please use SymDiag to collect WPP debug data while a machine is reproducing this error.  The following article offers information on these steps:

    http://www.symantec.com/docs/TECH207795

    Please note that only WPP debugging is needed, not Client debugging - if you configure the SymDiag options in the following manner this will gather the necessary data:

    Thanks so much to everyone for your patience as we begin to analyze incoming data and work towards resolution of this issue.



  • 52.  RE: Latest Win10 update corrupts SEP14

    Posted Jan 04, 2018 02:19 PM

    @ Matt Mc

    My SymDiag is up to date.  Last version of SymDiag is from November 2017.  When will an update be available that recognizes 14 RU1 MP1 as the latest version of SEP?



  • 53.  RE: Latest Win10 update corrupts SEP14

    Posted Jan 04, 2018 02:21 PM

    We are seeing "There are multiple problems (2)" (see attached screenshot) on our SEP clients (14 RU1 & RU1 MP1) after receiving ERASER engine update and installing Microsoft updates (January 3, 2018) on Windows 10 1703 and Windows 7 clients. I have submitted SymDiag logs to case 13888947. Is this the same issue other people are seeing?



  • 54.  RE: Latest Win10 update corrupts SEP14

    Posted Jan 04, 2018 02:23 PM

    My posts are disappearing too... I asked what the real impact of "Product Error requires attention" error is? Does that mean a computer is left unprotected? Running latest Win10 patch and have updated ERASER. Thanks



  • 55.  RE: Latest Win10 update corrupts SEP14

    Broadcom Employee
    Posted Jan 04, 2018 02:26 PM

    @JOHN_B: My apologies, I thought this update for SymDiag was out already.  I will ask my Support Automation team for any ETAs on that. 

    @Scott K.: This does sound like the same, or very similar, behavior.  Thanks for the case number, I will look into it and ensure it receives proper attention. 



  • 56.  RE: Latest Win10 update corrupts SEP14

    Posted Jan 04, 2018 02:35 PM

    Same issue here.  We were planning to start rolling out SEP 14 clients to the campus on Monday.  Now I think I will wait and see if these issues get worked out.

    What I am seeing is our test 14.0.1 agents are showing the "There are multiple problems (2)" message and a yellow agent icon.

     

    Should I export new clients for our installs to make sure they have the latest defs?  If not will they get a BSOD on install?

     

    Anything I need to do for my 12.1.6 MP7 agents?



  • 57.  RE: Latest Win10 update corrupts SEP14

    Broadcom Employee
    Posted Jan 04, 2018 03:01 PM

    Hi Everyone,

    A few updates here - first off, I wanted to let everyone know that the SEP Development team is aware of this issue, where the SEP clients display a yellow warning icon and alerts on "multiple problems" following installation of ERASER engine update 117.3.0.359 and MS KB4056892. 

    For those who have submitted cases for this issue, my apologies if there is any delay in your specific case being picked up, but please rest assured we are currently reviewing data and working towards a resolution.  I am still marking any cases mentioned here, or feel free to send me a PM with your case number if you prefer. 

    Please continue to review the following document for overall guidance on how to manage these updates:

    http://www.symantec.com/docs/TECH248545

    (@JAunmc - I believe the above article will address your questions about managing different client builds, and please see my earlier post about generating data from your test agent if you have time to do so.)

    Finally, for anyone experiencing disappearing posts, I'm very sorry for this.  @hytekj: I believe the true impact of this is still in the process of being determined.  Further info will be provided as it becomes available.  Thank you. 



  • 58.  RE: Latest Win10 update corrupts SEP14

    Posted Jan 04, 2018 03:09 PM

    @ Matt Mc

    Thanks for keeping us in the loop.  Good to know the Dev Team is working on the problem.



  • 59.  RE: Latest Win10 update corrupts SEP14

    Posted Jan 04, 2018 03:24 PM

    I am also getting the "There are multiple problems (2)" message and a yellow agent icon.

    Opening the client (14.0 MP1 Build 2349) says that my computer is protected and that there are no problems detected.

    Can we get confirmation that the Product is fully functional?

    Not sure which to believe: are there 2 problems or is my computer(s) protected?

    Please could someone from Symantec put our minds at ease or warn us if our systems are at risk.



  • 60.  RE: Latest Win10 update corrupts SEP14

    Posted Jan 04, 2018 03:28 PM

    Interesting I've just had a post disappear - I was asking for confirmation as to system protection when you get the "There are multiple problems (2)" message and a yellow agent icon.



  • 61.  RE: Latest Win10 update corrupts SEP14

    Posted Jan 04, 2018 03:29 PM

    I have the same issue. 2 problems displayed on the tray icon. 14.0.3752.1000



  • 62.  RE: Latest Win10 update corrupts SEP14

    Posted Jan 04, 2018 03:45 PM
    @matt Please let us know if the multiple warning notification is purely cosmetic or if the SEP agent is in a defect state when this happens


  • 63.  RE: Latest Win10 update corrupts SEP14

    Posted Jan 04, 2018 03:49 PM
    This KB article just went up: http://www.symantec.com/docs/TECH248552 No definitive answer yet.


  • 64.  RE: Latest Win10 update corrupts SEP14

    Posted Jan 04, 2018 03:51 PM
    This just went live: http://www.symantec.com/docs/TECH248552 Nothing definitive yet.


  • 65.  RE: Latest Win10 update corrupts SEP14

    Posted Jan 04, 2018 03:55 PM

    Catching up, but a "me too" post here.

     

    Install KB4056892 on a Win10 1709 machine.  Green dot on the SEP shield.

    Restart.  SEP is yellow, multiple (2) errors on the taskbar shield, but SEP software itself says no issues and is green.

     

    Eraser engine version is 117.3.0.359 so I guess I don't have to worry about blue screens....



  • 66.  RE: Latest Win10 update corrupts SEP14

    Broadcom Employee
    Posted Jan 04, 2018 04:02 PM

    A quick update - thank you, @Brian, for linking the following article, which is specific to the "multiple problems" alert from the SEP client after the recent updates:

    http://www.symantec.com/docs/TECH248552

    I would recommend everyone please subscribe to the above article, as the latest information, including details on whether this issue is cosmetic or does indeed impact protection status, will be published there.

    Our Connect team is looking into the disappearing posts, and may reach out to some of those who have mentioned it via PM.  Thank you. 



  • 67.  RE: Latest Win10 update corrupts SEP14

    Posted Jan 04, 2018 04:08 PM

    My post isn't appearing....

     

    Is it possible to check the version of the Eraser engine on all clients from SEPM?  It doesn't look like it.  Can that be added to SEPM, along with the other troubleshooting info pieces?

     

    I found this post.  It looks like I could script something but just having it listed in SEPM would be a lot easier.

    https://support.symantec.com/en_US/article.TECH95856.html

     

    I see some related information in SEPM but nothing like the client Troubleshooting info available.



  • 68.  RE: Latest Win10 update corrupts SEP14

    Posted Jan 04, 2018 04:17 PM

    I have the same issue with the tray notification icon saying There are multiple problems (2) after installing KB4056892.

    I know this issue is being worked on however can this issue be resolved by uninstalling KB4056892 and then reinstalling it? I have ERASER 117.3.0.359 installed.



  • 69.  RE: Latest Win10 update corrupts SEP14

    Broadcom Employee
    Posted Jan 04, 2018 04:22 PM

    @symantech10 - I have seen unconfirmed reports that removing the KB will restore SEP to reporting as normal, however I have not heard what effect is seen after re-applying the KB. 

     



  • 70.  RE: Latest Win10 update corrupts SEP14

    Posted Jan 04, 2018 04:37 PM

    My SEP software doesn't show OK after rebooting....

     



  • 71.  RE: Latest Win10 update corrupts SEP14

    Posted Jan 04, 2018 04:37 PM

    I uninstalled the Windows 10 patch and rebooted. I can confirm that it resolves the SEP issue described in this thread.

    Hopefully a future Live Update from Symantec is on the way so we can re-apply the MS patch...



  • 72.  RE: Latest Win10 update corrupts SEP14

    Posted Jan 04, 2018 04:38 PM

    After re-applying KB SEP will again report having multiple problems.



  • 73.  RE: Latest Win10 update corrupts SEP14

    Posted Jan 04, 2018 05:08 PM

    Not limited to Windows 10 either, our Symantec Endpoint Server, using Windows Server 2012 R2, also gets the "multiple problems" after its January patch from Microsoft. So more than likely, Windows 7, 8.1, ad nauseum, will have problems between SEP and the January patch from MS.



  • 74.  RE: Latest Win10 update corrupts SEP14

    Posted Jan 04, 2018 05:32 PM

    KB4056892 for Win10 1709 Fall Creators Update and Server 2016.  I think I saw something for 1703 (Creators Update) but my Win10 machines are FCU so I didn't pay attention to it.

     

    I see KB4056894 showing on a Windows 7 machine, update from today, 1/4/2018.  Will this also cause this SEP glitch?  And maybe Server 2008r2 then also if Win7 is affected?

     

     

     



  • 75.  RE: Latest Win10 update corrupts SEP14

    Posted Jan 04, 2018 05:50 PM

    I asked our server guys to test on the Windows Server platforms out of caution. It's good to know Windows Server 2012 R2 is a no-go for now but what about the other flavors listed in Symantec's bulletin?

     

    Windows Server 2016 - KB4056890 --> ?
    Windows Server 2012 R2 - KB4056898 --> Known issues
    Windows Server 2012 - KB4056899 --> ?
    Windows Server 2008 R2 SP1 - KB4056897
    Windows 10 1709 - KB4056892 --> Known issues
    Windows 10 1703 - KB4056891 --> Known issues
    Windows 10 1607 - KB4056890 --> Known issues
    Windows 10 1511 - KB4056888 --> Known issues
    Windows 10 - KB4056893 --> Known issues
    Windows 8.1 - KB4056898 --> ?
    Windows 7 SP1 - KB4056897 --> ?

     

    For now, I'm having to advise that our company hold back on deploying the MS patches until the Symantec updates mature a bit...



  • 76.  RE: Latest Win10 update corrupts SEP14

    Posted Jan 04, 2018 06:05 PM

    Well, hey... No issues on a test Win7 machine.

    Win7 x64 Enterprise.  It's a VM though.  SEP 14.1.

    Ran KB4056894.  Restarted.  

    Everything's green and good.  The LiveUpdate button was greyed out at first but that's normal enough.  "Update policy" from the lower right taskbar icon solves that in a few seconds usually, and it did today.

     

    I was expecting results similar to Win10 1709 machines for sure.



  • 77.  RE: Latest Win10 update corrupts SEP14

    Posted Jan 04, 2018 06:20 PM

    @Matt Mc, can you confirm that the tray icon is an actual issue with the engine or is this cosmetic only? 



  • 78.  RE: Latest Win10 update corrupts SEP14

    Posted Jan 04, 2018 07:05 PM

    Important information regarding the Windows security updates released on January 3, 2018 and anti-virus software

    https://support.microsoft.com/en-us/help/4072699/important-information-regarding-the-windows-security-updates-released

     



  • 79.  RE: Latest Win10 update corrupts SEP14

    Posted Jan 04, 2018 08:14 PM

    Mitgations for Speculative execution side-channel vulnerabilities-Meltdown & Spectre

    https://social.technet.microsoft.com/wiki/contents/articles/51021.mitgations-for-speculative-execution-side-channel-vulnerabilities-meltdown-spectre.aspx

     



  • 80.  RE: Latest Win10 update corrupts SEP14

    Posted Jan 04, 2018 08:28 PM

    Can you imagine- we need a firmware update.... If it is not from Intel, Dell etc then most folks are screwed. What is the status without a firmware update, I wonder? 

    If it's significantly bad, I can't wait to hear Intel's PR on this. 



  • 81.  RE: Latest Win10 update corrupts SEP14

    Posted Jan 05, 2018 02:09 AM

    We really need to know if the «multiple problem» is just cosmetic or not. If it is not cosmetic we need to warn our customers asap to withhold the patch.


  • 82.  RE: Latest Win10 update corrupts SEP14

    Posted Jan 05, 2018 02:31 AM

    10 hours and still no confirmation if our systems are exposed or not - come on Symantec - if a client is showing the Multiple Issues Status - do we need to be concerned or is it a false notification - I need to know if I need to back out the MS Patch OR leave as is - WE NEED AN ANSWER PLEASE.



  • 83.  RE: Latest Win10 update corrupts SEP14

    Trusted Advisor
    Posted Jan 05, 2018 02:40 AM

    It's not just Intel, it's affecting other makes as well.

    Meltdown = Intel

    Spectre = other makes



  • 84.  RE: Latest Win10 update corrupts SEP14

    Posted Jan 05, 2018 02:43 AM

    Yeah, would be nice to have some answers. After 12 hours support finally gave me an answer... too bad it was still about how I need to update my ERASER engine before I apply KB4056892 :D Completely missing why I opened a support case :|
    Can't wait to start getting calls from people why their AV reports having multiple problems.



  • 85.  RE: Latest Win10 update corrupts SEP14

    Trusted Advisor
    Posted Jan 05, 2018 08:20 AM

    Hi Matt, I have sent you a PM.

    Thanks



  • 86.  RE: Latest Win10 update corrupts SEP14

    Posted Jan 05, 2018 12:04 PM

    So far what I'm hearing from support is that the 14 warnings are cosmetic.



  • 87.  RE: Latest Win10 update corrupts SEP14

    Posted Jan 06, 2018 10:48 AM

    Yep, I have the same issue here, and am running the same versions as you. 

    However, on my desktops and laptops that have Bitlocker enabled, I can't even uninstall KB4056891 since it blue screens it on the restart.  Then I have to do a system restore to get it working again.  Great job Microsoft.  I even tried suspending Bitlocker before the uninstall, but it still blue screens and the system restore brings it back with KB4056891 still installed.

    Hopefully Symantec addresses this, but we're already 2 days without a fix from them.  



  • 88.  RE: Latest Win10 update corrupts SEP14

    Posted Jan 06, 2018 10:49 AM

    I'm having the exact same issue.  It would be nice for Symantec to address this already.



  • 89.  RE: Latest Win10 update corrupts SEP14

    Posted Jan 07, 2018 12:25 PM

    According to the actual article https://support.symantec.com/en_US/article.TECH248552.html this seems not to be a cosmetic issue.

    Quote from this article:

     

    As this issue is being investigated, Symantec is recommending that customers avoid applying the Windows Security Updates released on January 3rd, 2018 until our investigation has concluded.

     

    So you can choose now: Meltdown and Spectre issues, or a corrupt antivirus solution which may leave the machine running with other issues.

    The real issue is here: did someone at Symantec really test their eraser.sys update, which sets the required registry keys for the Windows update, before they shipped this to their customers?
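
Added example, not part of any post in this thread and not Symantec or Microsoft code: a read-only PowerShell check that reports whether the anti-virus compatibility value quoted from the Microsoft KB earlier in the thread is present, and which of the January 2018 updates named in the thread are installed. The function names and the assessment wording are assumptions made for this example.

```powershell
# Added example: read-only check, changes nothing on the machine.
# Registry location and value name as quoted from the Microsoft KB in the thread.
$CompatKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$CompatValue = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'

# January 2018 update IDs mentioned in the thread.
$JanuaryKbs = 'KB4056888','KB4056890','KB4056891','KB4056892','KB4056893',
              'KB4056894','KB4056897','KB4056898','KB4056899'

function Get-CompatFlagState {
    # Returns 'Set', 'Missing' or 'Unexpected' for the AV compatibility value.
    $key = Get-Item -Path $CompatKey -ErrorAction SilentlyContinue
    if ($null -eq $key -or $key.GetValueNames() -notcontains $CompatValue) {
        return 'Missing'
    }
    $kind = $key.GetValueKind($CompatValue)
    $data = $key.GetValue($CompatValue)
    # The KB text specifies REG_DWORD with data 0x00000000.
    if ($kind -eq [Microsoft.Win32.RegistryValueKind]::DWord -and $data -eq 0) {
        return 'Set'
    }
    return 'Unexpected'
}

function Get-JanuaryPatchReport {
    $flag = Get-CompatFlagState
    $installed = @(Get-HotFix |
        Where-Object { $JanuaryKbs -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID)

    # Assessment labels are this example's own wording (hypothetical).
    $assessment = if ($installed.Count -gt 0 -and $flag -eq 'Set') {
        'Update installed, flag set: check the SEP tray status on this host'
    } elseif ($installed.Count -gt 0) {
        'Update installed but flag not set as documented: investigate'
    } elseif ($flag -eq 'Set') {
        'Flag set, update not yet installed: host is eligible for the update'
    } else {
        'Flag not set: update is not applicable until the AV sets it'
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        CompatFlag   = $flag
        InstalledKbs = $installed -join ', '
        Assessment   = $assessment
    }
}

Get-JanuaryPatchReport | Format-List
```

Running it on a pilot group before and after the Eraser engine update shows which hosts have had the flag set and are therefore about to receive the Windows update.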



  • 90.  RE: Latest Win10 update corrupts SEP14

    Posted Jan 09, 2018 10:41 PM

    Clearly not, I guess.

    Surprised to see an antivirus company not apply security fixes released by the OS company.



  • 91.  RE: Latest Win10 update corrupts SEP14

    Posted Jan 10, 2018 11:17 AM

    I uninstalled KB4056891 from my laptop and Symantec appeared to be running normally.  The task icon had a green dot.  I re-installed the KB and the problem came back.  Yellow alert on the task icon and when you hover over it there are 2 problems.