Dear Community,
I hope this small note may help others sort out the trouble I faced a couple of weeks ago with one of our enterprise Customers.
Pre-history:
The customer decided to migrate from Kaspersky Antivirus for Windows Servers and Workstations V8.
There were a few servers "freshly installed" without any antivirus installed "yet". And vast majority with Kaspersky AV.
We've deployed SEP Management server 12.1.5 and started the rollout of the exported (managed) clients to the environment.
I should note that Kaspersky was uninstalled manually from each server, as the SEP optional software uninstaller was not capable of fully removing Kaspersky (no blame! It was expected as per the product documentation https://support.symantec.com/en_US/article.TECH195029.html ).
However, we faced a very unexpected issue after the install:
- on the freshly installed Windows Server (2008R2 and 2012/R2) - SEP 12.1.5 works perfectly fine
- on the ones where Kaspersky has been uninstalled - SEP 12.1.5 (with all components installed: AV, SONAR, Application&Device Control, IPS) crashes immediately with the following symptoms:
Faulting application name: ccSvcHst.exe, version: 12.11.3.11, time stamp: 0x53713b15
Faulting module name: SfMan.plg, version: 12.1.5337.5000, time stamp: 0x5413cac2
Exception code: 0xc0000005
Fault offset: 0x000115ce
Faulting process id: 0x4fc
Faulting application start time: 0x01d0833fa9c13d45
Faulting application path: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Bin\ccSvcHst.exe
Faulting module path: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Bin\SfMan.plg
Report Id: e90eb9cf-ef32-11e4-80bf-00155d0329ed
...
Installing the SEP client without "Application and Device Control" in particular works fine.
After a thorough investigation with Symantec Advanced Engineering it came to the surface that (perhaps) during Kaspersky uninstallation, it modifies some DCOM security access entries which are vital for this (A&D Control) component to function. As it has been explained by the Advanced team, in SEP 12.1.5 there is a change in the client architecture (to be compatible with W8 and W2012 Server) which uses a DCOM object to monitor WMI for hardware and software "changes".
Solution:
1. Open Local Security Policy -> local policies -> security options and find "DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax".
2. Even if it has a current setting of "Not Defined", open its Properties and click on "Edit Security".
3. Make sure ANONYMOUS LOGON has got "Grant" on "Local Access" and "Remote Access". Save these settings - they will appear as "defined string...".
4. Run gpupdate /force from the command line.
5. Restart the server.
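To verify the outcome of steps 1-5 without opening the GUI on every server, here is an added PowerShell check (my own example, not from SEP or Symantec documentation). It assumes the policy SDDL is stored under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DCOM (where secpol.msc writes it), that the "Not Defined" fallback is the binary descriptor under HKLM\SOFTWARE\Microsoft\Ole, and that the DCOM access bits follow the COM_RIGHTS_* values (EXECUTE=1, EXECUTE_LOCAL=2, EXECUTE_REMOTE=4).

```powershell
# Added example: does the DCOM "Machine Access Restrictions" descriptor grant
# ANONYMOUS LOGON (S-1-5-7) both Local Access and Remote Access?
$PolicyKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DCOM'   # assumed policy location
$DefaultsKey  = 'HKLM:\SOFTWARE\Microsoft\Ole'                         # assumed "Not Defined" fallback
$AnonymousSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-7'
$ExecuteBit = 1; $LocalBit = 2; $RemoteBit = 4                          # COM_RIGHTS_EXECUTE[_LOCAL|_REMOTE]

function Get-MachineAccessDescriptor {
    # Prefer the policy SDDL string; if the policy is "Not Defined", fall back
    # to the machine default, which is assumed to be a binary descriptor.
    $p = Get-ItemProperty -Path $PolicyKey -Name MachineAccessRestriction -ErrorAction SilentlyContinue
    if ($p) {
        return New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $p.MachineAccessRestriction
    }
    $d = Get-ItemProperty -Path $DefaultsKey -Name MachineAccessRestriction -ErrorAction SilentlyContinue
    if ($d) {
        return New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $d.MachineAccessRestriction, 0
    }
    return $null
}

function Test-AnonymousDcomAccess([System.Security.AccessControl.RawSecurityDescriptor]$Sd) {
    $mask = 0
    foreach ($ace in $Sd.DiscretionaryAcl) {
        if ($ace.SecurityIdentifier -ne $AnonymousSid) { continue }
        # An explicit deny for S-1-5-7 overrides any allow, so report it directly.
        if ($ace.AceType -eq 'AccessDenied') {
            return [pscustomobject]@{ Local = $false; Remote = $false; Denied = $true }
        }
        if ($ace.AceType -eq 'AccessAllowed') { $mask = $mask -bor $ace.AccessMask }
    }
    $localNeeded  = $ExecuteBit -bor $LocalBit
    $remoteNeeded = $ExecuteBit -bor $RemoteBit
    [pscustomobject]@{
        Local  = (($mask -band $localNeeded)  -eq $localNeeded)
        Remote = (($mask -band $remoteNeeded) -eq $remoteNeeded)
        Denied = $false
    }
}

$sd = Get-MachineAccessDescriptor
if (-not $sd) { Write-Warning 'No DCOM machine access descriptor found in either key.'; return }
Write-Host ('Effective SDDL: ' + $sd.GetSddlForm('All'))
$r = Test-AnonymousDcomAccess $sd
if ($r.Denied)                      { Write-Warning 'ANONYMOUS LOGON is explicitly denied DCOM access.' }
elseif ($r.Local -and $r.Remote)    { Write-Host 'OK: ANONYMOUS LOGON has Local and Remote Access.' }
else { Write-Warning ("ANONYMOUS LOGON is missing: " + @(if (-not $r.Local) { 'Local Access' }; if (-not $r.Remote) { 'Remote Access' }) -join ', ') }
```

Run it elevated after gpupdate /force and the reboot; the SDDL it prints is the same string secpol.msc shows as "defined string...".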
Trying this on the 6 affected servers today has given us positive results.
In a Domain environment, you may consider applying a Group Policy which "aligns" this particular security parameter across all other hosts, to let you have SEP 12.1.5 installed properly with all available components working fine.
Again, the "default" value of this particular parameter in Windows is "Not Defined". However, in such particular cases as I've discussed above, it might be needed to "enforce" the DCOM permissions to let the SEP components work properly.
Hope this will save some time for someone!