You are experiencing one or more of the following issues on Symantec Endpoint Protection (SEP) clients:
The Symantec Endpoint Protection (SEP) client SONAR and IRON drivers do not start.
The SEP client system tray icon displays a yellow exclamation point.
Symantec Endpoint Protection Manager (SEPM) Computer Status logs list the SONAR, Tamper Protection, and/or Download Insight components as "Component is Malfunctioning" for some clients.
From Windows Event Viewer > Application log, you may see the following errors:
Event ID 73: "SONAR has generated an error: code 1: description: Heuristic Scan or Load Failure"
Event ID 74: "SONAR has generated an error: code 0: description: Definition Failure"
This problem can happen when the database files used to store information and settings for the SEP client BASH engine are unusable by the BASH engine, and the SEP client's automatic remediation process fails to repair them.
To determine whether you are experiencing this issue, check the file sizes of BASHOpts.dat and BASHOpts.000 (location: C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\BASH). By default these files are 4.94 KB for SEP 12.1.x and 7.83 KB for SEP 14. Inconsistent files are typically undersized, or they may be close to the default size but begin with whitespace.
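The size and leading-whitespace check above can be scripted as a read-only test. The PowerShell below is an added example, not Symantec's own tooling; the parameter names, the 0.01 KB rounding tolerance, and the set of bytes treated as whitespace are assumptions.

```powershell
# Added example: read-only check of the BASH option files named in this article.
param(
    # Folder from the article; override to test against copies.
    [string]$BashDir = 'C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\BASH',
    # Selects the default size from the article: 4.94 KB (12.1.x) or 7.83 KB (14).
    [ValidateSet('12.1', '14')]
    [string]$SepVersion = '14',
    # Assumption: rounding slack in KB, not a vendor-supplied value.
    [double]$ToleranceKB = 0.01
)

$defaultsKB = @{ '12.1' = 4.94; '14' = 7.83 }
$expectedKB = $defaultsKB[$SepVersion]
# Assumption: "whitespace" means space, tab, CR or LF as the first byte.
$whitespace = 0x20, 0x09, 0x0D, 0x0A

$results = foreach ($name in 'BASHOpts.dat', 'BASHOpts.000') {
    $path = Join-Path $BashDir $name
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        [pscustomobject]@{ File = $name; SizeKB = $null; ExpectedKB = $expectedKB; Finding = 'missing' }
    } else {
        $sizeKB = [math]::Round((Get-Item -LiteralPath $path -Force).Length / 1KB, 2)

        # Open read-only and shared so the running client is not disturbed.
        $first  = -1
        $stream = [System.IO.File]::Open($path, 'Open', 'Read', 'ReadWrite')
        try     { $first = $stream.ReadByte() }   # -1 when the file is empty
        finally { $stream.Dispose() }

        $finding = if ($sizeKB -lt ($expectedKB - $ToleranceKB)) {
            'undersized'
        } elseif ($whitespace -contains $first) {
            'starts with whitespace'
        } else {
            'no inconsistency found'
        }
        [pscustomobject]@{ File = $name; SizeKB = $sizeKB; ExpectedKB = $expectedKB; Finding = $finding }
    }
}

$results | Format-Table -AutoSize
```

Pass `-SepVersion 12.1` on SEP 12.1.x clients. The script only reads the files, so it does not perform the replacement steps that follow.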
To replace corrupt files with good
Disable Tamper Protection on the SEP client. (SEP UI > Change Settings > Client Management > Configuration Settings > Tamper Protection tab) Note: It may be necessary to disable Tamper Protection from the SEPM if the client is locked down. (SEPM > Clients > [client group] > Policies > General > Tamper Protection)
Uncheck "Protect Symantec security software from being tampered with or shut down."
Browse to the C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\BASH folder and delete the BASHOpts.dat and BASHOpts.000 files.
Browse to the C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Cached Installs\CommonAppData\Symc\Name\Version\Data\BASH folder and copy the BASHOpts.dat and BASHOpts.000 files.
Paste the BASHOpts.dat and BASHOpts.000 files into the C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\BASH folder.
Restart the client machine and allow time for the Proactive Threat Protection definitions to update.
If you have more than a few machines that are affected by this issue, contact Symantec Technical Support.
ID: 3906882, 4102011