Error messages, instability, and silent failures when creating a scan on a client

Article ID: 154010

Products

Endpoint Protection

Issue/Introduction

On an Endpoint Protection client, you try to create or start a scan. One of the following symptoms occurs:

  • Nothing happens.
  • An error message appears.
  • Endpoint Protection crashes.

The following messages can appear, depending on what action you are attempting:

  • "Error 536870988 occurred running scan." This happens when you try to start an active or full scan.
  • "Error 0x80070005 occurred deleting the scan." This happens when you try to delete a scan.
  • "Error 0x80004005 occurred creating the scan." This happens when you try to create a scan.

Resolution

This problem occurs because the logged-in user lacks Full Control on a registry key that SEP uses to store user-specific scan settings. Back up the registry and any valued data before you proceed.

Symantec Endpoint Protection 11.x:

User-specific scan settings are stored under the following key:

HKEY_CURRENT_USER\Software\Symantec\Symantec Endpoint Protection\AV\Custom Tasks

NOTE: Because HKEY_CURRENT_USER is user-specific and the user may lack the ability to make (permission) changes to the registry, you may need to log in as a local administrator and manually locate the appropriate user-specific registry key via HKEY_USERS.

The issue can be resolved by granting the logged-in user Full Control on the following key, because the permissions propagate down to its subkeys:

HKEY_CURRENT_USER\Software\Symantec\Symantec Endpoint Protection

Symantec Endpoint Protection 12.x:

Starting in Symantec Endpoint Protection 12.1, user-specific scan settings are no longer stored in HKEY_USERS. They are now stored in HKEY_LOCAL_MACHINE, where each user has a unique registry key that holds that user's scan settings. To make changes to the registry, you may need to log in to the system with a local administrator account:

Symantec Endpoint Protection 12.1.x on a 64-bit Windows Vista/7/2008/2008R2/2012 system:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Scheduler\<USER SID>\Custom Tasks

Symantec Endpoint Protection 12.1.x on a 32-bit Windows Vista/7/2008 system:

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Scheduler\<USER SID>\Custom Tasks

The issue can be resolved by assigning Full Control on the user-specific SID key, or by deleting the entire SID key underneath the Scheduler registry key. If you delete it, a new registry key with the unique SID is re-created automatically when the user next logs in to the system. Note, however, that the user will have to re-create their custom scans and settings.

In some cases it may be preferable to delete all of the SIDs under the Custom Tasks registry key, as it may be difficult to determine which SID belongs to which user. The SIDs will be re-created upon login of the individual users.
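
Where deleting every SID is not desirable, the SIDs can be resolved to account names and their permissions checked first. The following PowerShell script is an added example, not part of the original article or of Symantec's tooling; the -Grant switch and the variable names are assumptions, and it assumes an elevated PowerShell 3.0 or later session on a SEP 12.1 client.

```powershell
# Added example (not from Symantec): map SEP 12.1 scheduler SID keys to accounts
# and report whether each user has Full Control on its own key. Run elevated.
param([switch]$Grant)  # hypothetical switch: add the missing Full Control rule

# The two Scheduler paths given in this article (64-bit first, then 32-bit).
$candidates = @(
    'HKLM:\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Scheduler',
    'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Scheduler'
)
$scheduler = $candidates | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
if (-not $scheduler) { Write-Warning 'SEP Scheduler key not found.'; return }

$full = [System.Security.AccessControl.RegistryRights]::FullControl
Get-ChildItem -LiteralPath $scheduler | ForEach-Object {
    $key = $_
    try   { $sid = New-Object System.Security.Principal.SecurityIdentifier($key.PSChildName) }
    catch { return }  # subkey name is not a SID: skip it

    # Deleted accounts and unreachable domains cannot be resolved to a name.
    try   { $account = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $account = '<unresolved>' }

    # Look for an Allow rule naming this exact SID; access that comes only
    # through group membership is deliberately not counted.
    $acl = Get-Acl -Path $key.PSPath
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $hasFull = [bool]($rules | Where-Object {
        $_.IdentityReference.Value -eq $sid.Value -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.RegistryRights -band $full) -eq $full
    })

    $granted = $false
    if ($Grant -and -not $hasFull -and $account -ne '<unresolved>') {
        # Scope the rule to this user's own key and its subkeys (Custom Tasks).
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $sid, $full, 'ContainerInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -Path $key.PSPath -AclObject $acl
        $granted = $true
    }

    [pscustomobject]@{
        Sid = $sid.Value; Account = $account
        HadFullControl = $hasFull; Granted = $granted
    }
}
```

Run it without -Grant first to review the SID-to-account mapping; SIDs reported as unresolved are left untouched even when -Grant is given.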

For information on how to assign permissions to a registry key, please see the following Microsoft Technet article:

http://technet.microsoft.com/en-us/library/cc728310(v=ws.10).aspx

To ensure that the issue has been resolved, log off and log back on with the affected user account(s) and run a custom scan.