Troubleshooting Symantec Endpoint Protection installations: Checking rights and permissions
search cancel

Troubleshooting Symantec Endpoint Protection installations: Checking rights and permissions

book

Article ID: 152814

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

You have problems installing Symantec Endpoint Protection, or you have installed it, but it is not functioning properly. You need a list of files, folders, and registry keys in order to check rights and permissions.

 

Resolution

The installation of Symantec Endpoint Protection on Windows Vista, Windows Server 2008, and Windows 7 computers requires use of an account with elevated user rights.  If you are installing in an Active Directory domain, the account used to deploy client software must also be a Domain Administrator. The Domain Administrator must also be a member of the Administrators group on each computer. Membership in other groups may cause restrictions on the Domain Administrator account's local rights. Verify that no restrictions on the Local Administrator or Domain Administrator accounts have been made.

Checking permissions within the registry

 


WARNING: We strongly recommend that you back up the system registry before making any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Modify only the keys specified. See the document How to back up the Windows registry before proceeding.


Note: When verifying permissions in Windows NT, verify that the Creator/Owner account has full rights to the registry keys listed. To propagate permissions to subkeys in Windows NT, place a check next to "Replace Permissions on Existing Subkeys."



To edit the registry

  1. Click Start, and then click Run.
  2. Type regedt32.exe in the Run box, and then click OK.
  3. Navigate to the following subkeys:

    HKEY_CURRENT_USER\Software\Symantec\Symantec Endpoint Protection
    HKEY_LOCAL_MACHINE\Software\Symantec
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths
    HKEY_LOCAL_MACHINE\Software\Wow6432Node\Symantec\InstalledApps
    HKEY_LOCAL_MACHINE\Software\Wow6432Node\Symantec\Symantec Endpoint Protection
    HKEY_LOCAL_MACHINE\System\Symantec
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
For each of these keys, ensure that both System and Administrators have Full Control.


To check the rights on registry keys in regedt32

  1. Select the desired key.
  2. Right click on the key, and then select Permissions.
  3. If the Administrators and System accounts do not have full control, add them. Ensure that Deny is not checked for any rights.
  4. Click "Advanced."
  5. Check "Replace all existing inheritable permissions on all decendants with inheritable permissions from this object"), and click OK.
  6. Click Apply, and then click OK.
  7. Close the Registry Editor.


Checking permissions on an NTFS drive

Use the Windows Explorer to verify that System and Administrator have "Full Control" and Users have "Read Only" permissions for the following folders (if they exist):

(drive:)\
(drive:)\Program Files
(drive:)\Program Files\Common Files
(drive:)\Program Files\Symantec
(drive:)\Program Files (x86)
(drive:)\Program Files (x86)\Common Files
(drive:)\Program Files (x86)\Symantec
(drive:)\ProgramData\Symantec
(drive:)\Windows\Drivers
(drive:)\Windows\Installer
(drive:)\Windows\SysWOW64

 

To check the permissions, right-click the folder, choose Properties, and click the Security tab. Verify that both System and Administrator have Full Control.

The following folders should have Full Control permissions for the System and Administrator accounts, and Read Only for User accounts. If a folder does not exist, simply skip to the next one:

(drive:)\Users\Administrator\AppData\Local\Symantec
(drive:)\Users\Administrator\AppData\Local\Symantec\Symantec Endpoint Protection 
 

Note: Before attempting to change permissions on directories or subdirectories, you should take ownership. NT does not change permissions on a subdirectory where ownership is incorrect, and does not report that it cannot change the permissions. Using an Administrative logon is suggested.



Checking DCOM settings

The last place to check rights on a computer is in its DCOM settings.

To verify Distributed COM properties

  1. On the Windows taskbar, click Start > Run.
  2. Type the following, and then click OK:

    dcomcnfg

     
  3. Expand Component Services > Computers > My Computer. Then right-click My Computer and click Properties.
  4. On the COM Security tab, under Access Permissions, click Edit Default....
  5. Verify that Administrators and System accounts are set to Allow Access, and then click OK.
  6. Under Launch and Activation Permissions, click Edit Default....
  7. Verify that the Administrators, Interactive, and System accounts are set to Allow Launch, and click OK.
  8. On the Default Properties tab, verify that Default Impersonation Level is set to Identify.
  9. Click Apply, and then click OK.
  10. Restart the computer for the changes to take effect.



References
Some customers have reported fixing installation problems caused by incorrect rights or permissions by using Microsoft's SubInACL utility to change registry and NTFS permissions. This information is provided for your convenience. Symantec does not provide support for or assistance with Microsoft products.