Symantec Endpoint Protection 14.0 MP1 (14.0.2332.0100) Clients are not able to start the SepMasterService after an Exception policy is created/applied that uses a Prefix Variable with a sole trailing backslash. In addition, the SepMasterService (ccSvcHst.exe) will crash with Event ID 1000 if it was already running.
[PROGRAM_FILES]\ = NOT WORKING
[PROGRAM_FILES]\\\ = NOT WORKING
[PROGRAM_FILES] = WORKING
[PROGRAM_FILES]\Symantec\ = WORKING
SEP Master Service (command: "sc query sepmasterservice") is STOPPED.
This issue is specific to Symantec Endpoint Protection 14 MP1. Prior releases are not impacted by this issue.
Exception policies that use a Prefix Variable with a sole trailing backslash are impacted. This issue only applies to prefix variables that do not contain a full path.
Symantec has released a refresh build of Symantec Endpoint Protection 14 MP1 (14.0.2349.0100) to address this issue going forward. It is available for download on Symantec FileConnect.
WARNING: Migrating from SEP 14 MP1 (14.0.2332.0100) to SEP 14 MP1 Refresh Build (14.0.2349.0100) is NOT a supported upgrade path. DO NOT attempt to perform an upgrade from SEP 14 MP1 (14.0.2332.0100) to SEP 14 MP1 Refresh Build (14.0.2349.0100). Both versions are considered current and if the precautions referenced below have been taken, there is no need to perform an upgrade. All other paths referenced in Supported upgrade paths to Symantec Endpoint Protection 14.x continue to apply.
It is possible to prevent this issue from occurring by performing the following steps, prior to migration to 14 MP1:
Log in to the Symantec Endpoint Protection Manager Console.
Review the Exceptions Policies for any Prefix Variable followed by a sole trailing backslash, as noted in the examples above, and remove the backslash.
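The review step above can be scripted once the Folder values have been copied out of the console into a list. The following is an added example, not Symantec code: the function name, the sample list and the assumption that a prefix variable is an upper-case token in square brackets are all illustrative.

```python
import re

# Assumption: a prefix variable is an upper-case token in square brackets,
# such as [PROGRAM_FILES], optionally followed by a sub-path.
_ENTRY = re.compile(r"^(\[[A-Z0-9_]+\])(.*)$")


def audit_exception_folders(folders):
    """Return (original, corrected) pairs for entries that match the failing pattern.

    An entry is flagged when it is a prefix variable followed by nothing but
    one or more backslashes. Entries with a real sub-path, and entries that
    do not start with a prefix variable, are left alone.
    """
    findings = []
    for raw in folders:
        entry = raw.strip()
        match = _ENTRY.match(entry)
        if not match:
            continue  # full path or blank line: outside the scope of this issue
        variable, rest = match.groups()
        if rest and set(rest) == {"\\"}:
            # Corrected value is the bare prefix variable with the backslashes removed.
            findings.append((entry, variable))
    return findings


# Constructed sample input: the four examples from this article plus a full path.
SAMPLE = [
    "[PROGRAM_FILES]\\",
    "[PROGRAM_FILES]\\\\\\",
    "[PROGRAM_FILES]",
    "[PROGRAM_FILES]\\Symantec\\",
    "C:\\Tools\\",
]

if __name__ == "__main__":
    for original, corrected in audit_exception_folders(SAMPLE):
        print(f"FIX  {original}  ->  {corrected}")
```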
If clients are already impacted by this issue, then the following workarounds can be deployed:
Recommended: In the exceptions policy, find the entries that use a prefix variable with a backslash (\) in the Folder field and remove the backslash (\). Deploy the updated policy to systems prior to upgrading them to SEP 14.0 MP1.
Deploy 14.0 RTM (14.0.1904.0000) to the affected clients using a 14.0 RTM package with Install Settings to "Remove existing Symantec Endpoint Protection client software that cannot be uninstalled".
Alternately, perform the following actions on the client. Note: This process potentially requires editing multiple values manually in the Windows registry, which is an error-prone process. This is not the preferred workaround and should only be performed as a last resort.
Before you begin this procedure, back up the Windows registry. To do so, read the Microsoft document Back up the registry.
Boot into Safe mode
Open registry (regedit)
Find the registry values related to exceptions and remove the backslash from them. See the registry keys and values to edit below for further information.
Go to .\Program Data\Symantec\Symantec Endpoint Protection\<build>\data\config
Rename serdef.dat to serdef.dat.old and serdef.dat.bak to serdef.dat.bak.old.