You uninstall Symantec Endpoint Protection (SEP) and attempt to install it again. When you run Setup.exe, the installation hangs on the information collection screen. When you try to run the SEP Microsoft Installer (MSI) file instead, the progress bar hangs at about 90% of the installation, before the installer reports that the installation completed successfully. In spite of that message, you find that SEP is not installed.
You decide to run CleanWipe. Although CleanWipe completes successfully, you find that you are still unable to install SEP.
Symantec Endpoint Protection (any version)
RunSymEFAQuery: cmdline: "C:\Users\admini\AppData\Local\Temp\2\Symantec\Program Files\Symantec\Name\Version\Bin\EFAInst.exe" "Symantec Endpoint Protection 12.1.6608.6300" /query
RunSymEFAQuery: exitCode converted from HRESULT: 1392
RunSymEFAQuery: The SymEFA installer query had an unexpected exit code. The current installation will fail and rollback!
Date & Time: 5/3/2017 10:15:11 AM
Event Class: File System
Result: FILE CORRUPT
Path: J:\System Volume Information\EfaData\*
Procmon Event Properties of the related EFAInst.exe event
You open the Procmon trace file and add a filter to only show FILE CORRUPT results, which yields a single EFAInst.exe record that shows a QueryDirectory operation failed on <drive letter>:\System Volume Information\EfaData\*.
Cleanwipe.log (also contained in SymDiag) shows the same 1392 error in relation to that folder:
2017-05-02T08:11:25.626Z TRACE Processing item: \\?\<drive letter>:\System Volume Information\EfaData
2017-05-02T08:11:25.719Z TRACE Item does exist.
2017-05-02T08:11:25.719Z TRACE Removing item due to 'delete' removal action.
2017-05-02T08:11:25.719Z DEBUG Deleting: \\?\<drive letter>:\System Volume Information\EfaData
2017-05-02T08:11:25.719Z TRACE Path \\?\<drive letter>:\System Volume Information\EfaData points to a directory, removing it recursively.
2017-05-02T08:11:25.719Z TRACE Error accessing directory: \\?\<drive letter>:\System Volume Information\EfaData. Error: 1392
In this specific scenario, the root cause is a corruption of a SymEFA data folder. Because of the corruption, CleanWipe is not able to remove the folder either.
Manually remove the <drive letter>:\System Volume Information\Efa(Si)Data folder.
Open Windows (File) Explorer.
Click on the specific drive letter.
If the System Volume Information folder is not visible, perform the following:
Click the Organize drop-down menu button, then click Folder and search options.
In the Folder Options window, navigate to the View tab, select Show hidden files, folders, and drives, untick Hide protected operating system files (Recommended), then click OK.
Double-click the System Volume Information folder. If it shows an Access is denied message, perform the following:
Right-click the System Volume Information folder and select Properties.
In the System Volume Information Properties window, navigate to the Security tab and click the Edit... button.
Click the Add... button, type Everyone, then click the Check Names button. If a Multiple Names Found window appears, accept the default non-domain Everyone by clicking the OK button.
Click the OK button, which will return you to the Security tab. In the Permissions for Everyone area, select Full Control and click the OK button.
Click the OK button again to close the System Volume Information Properties window.
Open the System Volume Information folder.
Right-click the SymEFA data folder (either EfaData or EfaSiData) and delete it.
Note: Because CleanWipe iterates through a list of all drive letters, you may experience the same issue with another drive letter and may have to repeat this procedure.
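Because the same failure can recur on other drive letters, it helps to list every SymEFA data folder that Cleanwipe.log reports as inaccessible before repeating the manual procedure. The following is an added example, not Symantec code: the function name is hypothetical, the sample log is constructed in the format shown above, and its drive letters are made up.

```python
import re
from collections import defaultdict

# Win32 codes: 1392 is the value in the article's logs; 5 is included for contrast.
WIN32_ERRORS = {5: "ERROR_ACCESS_DENIED", 1392: "ERROR_FILE_CORRUPT"}

# The TRACE line CleanWipe writes when it cannot open a directory.
ERR_RE = re.compile(
    r"(?P<ts>\d{4}-\d\d-\d\dT[\d:.]+Z)\s+TRACE\s+Error accessing directory:\s+"
    r"(?P<path>.+?)\.\s+Error:\s+(?P<code>\d+)"
)
# Only SymEFA data folders directly under System Volume Information count.
EFA_RE = re.compile(
    r"^(?:\\\\\?\\)?(?P<drive>[A-Za-z]):\\System Volume Information\\"
    r"(?P<folder>Efa(?:Si)?Data)$",
    re.IGNORECASE,
)

# Constructed sample in the article's log format; drive letters are made up.
SAMPLE_LOG = r"""
2017-05-02T08:11:25.626Z TRACE Processing item: \\?\J:\System Volume Information\EfaData
2017-05-02T08:11:25.719Z TRACE Item does exist.
2017-05-02T08:11:25.719Z TRACE Error accessing directory: \\?\J:\System Volume Information\EfaData. Error: 1392
2017-05-02T08:11:26.102Z TRACE Error accessing directory: \\?\K:\System Volume Information\EfaSiData. Error: 1392
2017-05-02T08:11:26.300Z TRACE Error accessing directory: \\?\K:\Temp\Other. Error: 5
"""


def find_unremovable_efa_folders(log_text):
    """Map drive letter -> [(timestamp, folder, code, code name)] for failed removals."""
    hits = defaultdict(list)
    # finditer over the whole text also copes with logs pasted onto one line.
    for m in ERR_RE.finditer(log_text):
        target = EFA_RE.match(m.group("path"))
        if target is None:
            continue  # some other directory, not a SymEFA data folder
        code = int(m.group("code"))
        hits[target.group("drive").upper()].append(
            (m.group("ts"), target.group("folder"), code, WIN32_ERRORS.get(code, "UNKNOWN"))
        )
    return dict(hits)


if __name__ == "__main__":
    for drive, rows in sorted(find_unremovable_efa_folders(SAMPLE_LOG).items()):
        for ts, folder, code, name in rows:
            print(f"{drive}: {folder} not removed at {ts}: error {code} ({name})")
```

Each drive letter in the result is one on which the manual removal steps need to be carried out.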