Symantec Endpoint Protection 14.0 MP1 (14.0.2332.0100) Clients are not able to start the SepMasterService after an Exception policy is created/applied that uses a Prefix Variable with a sole trailing backslash. In addition, the SepMasterService (ccSvcHst.exe) will crash with Event ID 1000 if it was already running.
[PROGRAM_FILES]\ = NOT WORKING
[PROGRAM_FILES]\\\ = NOT WORKING
[PROGRAM_FILES] = WORKING
[PROGRAM_FILES]\Symantec\ = WORKING
Windows Event Log:
Event ID 1000 Application Error
"Faulting application name: ccSvcHst.exe, version: 126.96.36.199, time stamp: 0x57a2c77f
Faulting module name: MSVCR110.dll, version: 11.0.51106.1, time stamp: 0x5098858e
Exception code: 0x40000015
Fault offset: 0x000a327c
Faulting process id: 0x1274
Faulting application start time: 0x01d29148ebac2289
Faulting application path: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\14.0.2332.0100.105\Bin\ccSvcHst.exe
Faulting module path: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\14.0.2332.0100.105\Bin\MSVCR110.dll
SEP Master Service (command: "sc query sepmasterservice") is STOPPED.
This issue is specific to Symantec Endpoint Protection 14 MP1. Prior releases are not impacted by this issue.
Exception policies that are created/applied that use a Prefix Variable with a sole trailing backslash are impacted. This issue only applies to prefix variables that do not contain a full path.
Symantec has released a refresh build of Symantec Endpoint Protection 14 MP1 (14.0.2349.0100) to address this issue going forward. It is available for download on Symantec FileConnect.
WARNING: Migrating from SEP 14 MP1 (14.0.2332.0100) to SEP 14 MP1 Refresh Build (14.0.2349.0100) is NOT a supported upgrade path. DO NOT attempt to perform an upgrade from SEP 14 MP1 (14.0.2332.0100) to SEP 14 MP1 Refresh Build (14.0.2349.0100). Both versions are considered current and if the precautions referenced below have been taken, there is no need to perform an upgrade. All other paths referenced in Supported upgrade paths to Symantec Endpoint Protection 14.x continue to apply.
It is possible to prevent this issue from occurring by performing the following steps, prior to migration to 14 MP1:
- Login to the Symantec Endpoint Protection Manager Console
- Select Policies
- Select Exceptions
- Review the Exceptions Policies for usage of a sole trailing backslash combined with a Prefix Variable, as noted in the examples above and remove the backslash.
If clients are already impacted by this issue, then the following workarounds can be deployed:
- Recommended: Correct the exceptions policy with the prefix variables with the backslash (\) in the Folder field. Remove the backslash (\) in the folder field. Deploy the updated policy to systems prior to upgrading them to SEP 14.0 MP1.
- Deploy 14.0 RTM (14.0.1904.0000) to the affected clients using a 14.0 RTM package with Install Settings to "Remove existing Symantec Endpoint Protection client software that cannot be uninstalled".
- Alternately, perform the following actions on the client. Note: This process potentially requires editing multiple values manually in the Windows registry, which is an error-prone process. This is not the preferred workaround and should only be performed as a last resort.
Before you begin this procedure, back up the Windows registry. To do so, read the Microsoft document Back up the registry.
- Boot into Safe mode
- Open registry (regedit)
- Find the registry values related to exceptions and remove the backslash from them. See the registry keys and values to edit below for further information.
- Go to .\Program Data\Symantec\Symantec Endpoint Protection\<build>\data\config
- Rename serdef.dat to serdef.dat.old and serdef.dat.bak to serdef.dat.bak.old.
Registry keys to review:
Note that it is likely that there will be multiple exclusion subkeys. Each one will need to be checked for problematic values.
Values to edit in each key:
For each value, remove the backslash from %[PROGRAM_FILES]% or %[WINDOWS]% and or where it appears.