When installing Symantec Endpoint Protection (SEP) 14 with the firewall component on Windows 10 and restarting the computer, the SEP firewall may malfunction and fail to load.
Windows 10 64-bit
Windows 10 Enterprise
Windows Server 2012 R2
Hovering the mouse pointer over the SEP shield shows “Firewall driver is not loaded”. Opening the SEP user interface shows “Firewall is not functioning correctly. Your protection definitions may be damaged or your product installation may be corrupt” or "Firewall is Malfunctioning."
Example from Control Log:
(SEP > View Logs > Client Management > View Logs > Control Log)
2 1/24/2017 1:31:35 PM User Event 10 Block Production - Caller MD5=36f670d89040709013f6a460176767ec Registry Write 0 1/24/2017 1:30:18 PM 1/24/2017 1:30:18 PM Protect client files and registry keys | Client services 10.122.11.12 956 C:\Windows\System32\svchost.exe \REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\Teefer2 0 Bytes Default SYSTEM WORKGROUP Alert
2018-07-11 08:46:32 Unbinding symc_teefer2 failed. ret = 00000001
On Windows 10, svchost.exe attempts to write the registry path HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Teefer2 during installation. If the Client Install Package includes an Application Control policy with an older rule called "Protect client files and registry keys" that protects this registry entry, the Teefer installation fails: the Application Control rule acts on svchost.exe and blocks its write to that registry path.
Check Application and Device Control (ADC) on the Symantec Endpoint Protection Manager (SEPM) and confirm whether the Application Control policy contains any Rule Sets that block access to the registry, especially to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Teefer2. Some customers have an older Application Control rule, migrated when SEPM was upgraded, called "Protect client files and registry keys"; it blocks write access when the Teefer2 key is created.
Toward the later builds of SEP 11.0, we switched the technology that protects SEP from ADC to Behavioral Analysis and System Heuristics (BASH), also referred to as Tamper Protection. The older Application Control rule "Protect client files and registry keys" is no longer needed and causes a problem, because the two technologies (ADC and BASH) conflict while both attempt to protect SEP.
1. Open SEPM and go to Clients > [group] > Policies.
2. On Application and Device Control, click Tasks > Edit Policy.
3. Click Application Control and look for Rule Sets that block access to the registry, such as "Protect client files and registry keys".
4. Highlight the rule "Protect client files and registry keys" (or a similar rule) and click Delete, then Yes.
5. Click OK to close the Application and Device Control Policy.
6. Allow time for the client group policy to update, typically 3 to 5 minutes.
Export a new Client Install Package for the client group where you deleted the older rule "Protect client files and registry keys" (or similar). Installing from the newly exported Client Install Package should allow the SEP 14 firewall component to install and load without issue.
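As an added client-side check (example script, not part of this article or of the SEP product), the following PowerShell confirms after reinstall whether the Teefer2 registry key was created, whether the driver is registered and running, and whether an exported Control Log still contains Application Control blocks of svchost.exe writing to Teefer2. It assumes the driver is registered under the service name Teefer2 (the key name shown in the Control Log) and that $ControlLogPath is a placeholder you point at your own exported Control Log.

```powershell
# Example diagnostic (not from the article). Assumptions: driver service name
# "Teefer2" matches the registry key name; $ControlLogPath is a placeholder
# for a Control Log exported from the SEP client.
param(
    [string]$ControlLogPath = "C:\Temp\ControlLog.txt"   # placeholder path
)

$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Teefer2'

# 1. Does the key that svchost.exe must create exist?
if (Test-Path $keyPath) {
    $props = Get-ItemProperty -Path $keyPath
    Write-Host "Teefer2 key present. Start=$($props.Start) ImagePath=$($props.ImagePath)"
} else {
    Write-Warning "Teefer2 key missing: the driver install was likely blocked."
}

# 2. Is the kernel driver registered and running? (Get-Service does not list
#    kernel drivers, so query Win32_SystemDriver instead.)
$drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='Teefer2'"
if ($null -eq $drv) {
    Write-Warning "No Teefer2 system driver is registered."
} else {
    Write-Host "Teefer2 driver state: $($drv.State) (Started=$($drv.Started))"
}

# 3. Does an exported Control Log show Application Control blocking the write?
if (Test-Path $ControlLogPath) {
    $hits = Select-String -Path $ControlLogPath -Pattern 'Teefer2' |
        Where-Object { $_.Line -match 'Registry Write' -and $_.Line -match 'svchost\.exe' }
    if ($hits) {
        Write-Warning "Application Control blocked svchost.exe writes to Teefer2:"
        $hits | ForEach-Object { $_.Line }
    } else {
        Write-Host "No Teefer2 registry block events found in $ControlLogPath"
    }
} else {
    Write-Host "Control Log not found at $ControlLogPath; skipping log check."
}
```

A missing key or a driver that is not running after the reinstall indicates the old rule is still reaching the client, usually because the package was exported before the group policy updated.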