Error: "SONAR has generated an error..." and component is malfunctioning


Article ID: 165152


Products

Endpoint Protection

Issue/Introduction

You are experiencing one or more of the following issues on Symantec Endpoint Protection (SEP) clients:

  • The Symantec Endpoint Protection (SEP) client SONAR and IRON drivers do not start.
  • The SEP client system tray icon displays a yellow exclamation point.
  • Symantec Endpoint Protection Manager (SEPM) Computer Status logs list the SONAR, Tamper Protection, and/or Download Insight components as "Component is Malfunctioning" for some clients.

From Windows Event Viewer > Application log, you may see the following errors:

  • Event ID 73: "SONAR has generated an error: code 1: description: Heuristic Scan or Load Failure"
  • Event ID 74: "SONAR has generated an error: code 0: description: Definition Failure"

Cause

This problem can happen when the database files that store information and settings for the SEP client BASH engine are unusable by the engine, and the SEP client's automatic remediation process fails to repair them. Corruption of these files may be triggered by unavailability or instability of system resources.

Resolution

To determine whether you are experiencing this issue, check the size of the BASHOpts.dat and BASHOpts.000 files (location: C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\BASH). By default these files are 7.83 KB in size for SEP 14 and 8.69 KB for 14.3 RU4. Corrupt files are typically undersized, or they may be close to the default size but begin with whitespace.
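
A read-only check for the two symptoms described above (undersized files, or leading whitespace), added here as an example and not Symantec's own tooling. The 5% undersize tolerance and the set of bytes treated as whitespace are assumptions, and `Test-BashOptsFile` is a hypothetical helper name.

```powershell
# Added example: triage check for the BASH option files named in this article.
param(
    [string]$BashDir = 'C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\BASH',
    # Default size from the article: 7.83 KB for SEP 14; pass 8.69 for 14.3 RU4.
    [double]$ExpectedKB = 7.83,
    # Assumption: a file more than 5% below the default size counts as undersized.
    [double]$Tolerance = 0.05
)

function Test-BashOptsFile {
    param([string]$Path, [double]$ExpectedKB, [double]$Tolerance)

    $result = [pscustomobject]@{
        File              = Split-Path $Path -Leaf
        Exists            = $false
        SizeKB            = $null
        Undersized        = $null
        LeadingWhitespace = $null
    }
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $result }

    $item = Get-Item -LiteralPath $Path -Force
    $result.Exists     = $true
    $result.SizeKB     = [math]::Round($item.Length / 1KB, 2)
    $result.Undersized = $result.SizeKB -lt ($ExpectedKB * (1 - $Tolerance))

    # Open read-only with a permissive share mode so the check does not
    # interfere with a process that has the file open.
    $stream = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    try {
        $buf = New-Object byte[] 16
        $n   = $stream.Read($buf, 0, $buf.Length)
    } finally {
        $stream.Dispose()
    }
    # Assumption: "whitespace" means space, tab, CR or LF as the first byte.
    $result.LeadingWhitespace = ($n -gt 0) -and ($buf[0] -in 0x20, 0x09, 0x0D, 0x0A)
    return $result
}

# Check both files and show one row per file.
'BASHOpts.dat', 'BASHOpts.000' | ForEach-Object {
    Test-BashOptsFile -Path (Join-Path $BashDir $_) -ExpectedKB $ExpectedKB -Tolerance $Tolerance
} | Format-Table -AutoSize
```

A row with `Exists` false, `Undersized` true, or `LeadingWhitespace` true marks a client that matches the symptoms and is a candidate for the file replacement steps below.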


To replace the corrupt files with good copies:

  1. Disable Tamper Protection on the SEP client. (SEP UI > Change Settings > Client Management > Configuration Settings > Tamper Protection tab)
    Note: It may be necessary to disable Tamper Protection from the SEPM if the client is locked down. (SEPM > Clients > [client group] > Policies > General > Tamper Protection)
  2. Uncheck "Protect Symantec security software from being tampered with or shut down."
  3. Browse to C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\BASH folder and delete BASHOpts.dat and BASHOpts.000 files.
  4. Browse to C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Cached Installs\CommonAppData\Symc\Name\Version\Data\BASH folder and copy BASHOpts.dat and BASHOpts.000 files.
  5. Paste BASHOpts.dat and BASHOpts.000 files into C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\BASH folder.
  6. Restart the client machine and allow time for the Proactive Threat Protection definitions to update.

If you have more than a few machines that are affected by this issue, contact Symantec Technical Support.