CCleaner damages Symantec Endpoint Protection 12.1 Client after running

Greetings - I am a Symantec employee who supports the Symantec Endpoint Protection (SEP) suite, and I have been a long-time user of CCleaner.

 

I have observed an odd behavior where, shortly after running this utility on a machine with a SEP 12.1.x client, the AV client becomes unstable. The immediate symptom is that the LiveUpdate (Symantec product updater) component stalls and will not make any attempt to connect to our servers for content.

 

When the services recycle (either by sending the command to stop the client services and/or by a system reboot), the SEP back-end services fail to load.

 

Furthermore, SEP cannot be repaired (leaving the client completely damaged) and also fails to uninstall unless I go through a special procedure: I have to use the CleanWipe utility to remove the defunct client if I failed to unload and 'prepare' my machine before cleaning. This has been observed on Windows 7 64-bit and Windows Server 2008 R2 (which is 64-bit); I have not confirmed whether this exists on 32-bit or other OSes.

 

There has only been one way for me to use CCleaner with SEP 12.1.x installed (the current version is 12.1.3001, also known as 12.1 RU3): disable Tamper Protection (which guards against unauthorized third-party changes to client files and registry keys), disable all SEP features, unload the services completely, run CCleaner, then run a repair install of SEP (the repair takes around 20 minutes to complete), then re-enable the services, the features, and finally Tamper Protection.

 

 

I know there are application cleanups for Symantec AntiVirus; however, with them either enabled or disabled, the result is the same issue.

 

I will follow up in the next day or so with further information (as time allows from my other duties at work). I will gather a report on the damaged files (hopefully my tools will allow that) and try to post that information here. However, if this persists, I may have to send a note to development and modify the strings of Tamper Protection to possibly block the usage of CCleaner, due to the risk that it poses to the security of the consultants and re-sellers that I support.

 

My guess, though, as to what is being axed: something in C:\ProgramData\Symantec\Symantec Endpoint Protection\Current Version\Data\*.* is being manipulated, or something in C:\Windows\Temp (possibly the AV engine unloading definitions and using a folder in there for temporary sessions), and the final candidate location is C:\System Volume Information\SymEFA\*.* as well.

 

Again, I hope to have more information soon, but this is showing on all versions of SEP 12.1.x. I have not seen this be an issue on SEP 11.x (which will be end of life soon) or Symantec AntiVirus Corporate (SAV) 10.x (however, we completely cut all support for that product on 7/8/13 and there are no longer virus definitions being produced for it, so I am not concerned with any type of incompatibility there).

 

If anyone has any questions or comments, please let me know - or if this can be forwarded to the CCleaner development teams for inspection, that would be great.

 

I frequently run into issues with my customers running out of HDD space for management console upgrades or other space concerns, and I have frequently recommended this program. However, the machines it is being used on are servers, and if this damages the SEP client, it will pretty much guarantee that the system has to be rebooted to remove the defunct SEP client software and then rebooted again to complete the reinstallation of SEP. This obviously poses a significant problem because my clients cannot restart these machines during production hours; these are consultants that I work with, so setting up reboot windows is difficult, leaving the system unprotected is unacceptable as well, and searching through the file system manually can take much longer.

 

Anyhoo, hopefully there is enough information here to start awareness and concern - thanks.

 

 

Tony
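The post above says the next step is a report on which files end up damaged, and names three directories as suspects. The script below is an added example (not from the post, and not a Symantec or CCleaner tool) of the before/after comparison that produces such a report: snapshot every file under a set of roots (size, mtime, SHA-256), run the cleaner, snapshot again, and diff. The three suspected paths from the post are only the assumed defaults; any roots can be passed on the command line, including a scratch directory for a dry run. Files that cannot be read (locked by the AV engine, or an ACL that denies the current user) are still recorded by size and mtime, with a null hash, rather than aborting the walk.

```python
"""Snapshot a directory tree before and after running a cleaner, then diff.

Added example, not part of the original post. The DEFAULT_ROOTS are the
directories the post suspects (assumption: they are only defaults); any list
of roots works, e.g. a temp directory for a dry run on another OS.
"""
import hashlib
import json
import os
import sys

# Locations the post suspects CCleaner touches (assumption: defaults only).
DEFAULT_ROOTS = [
    r"C:\ProgramData\Symantec\Symantec Endpoint Protection\Current Version\Data",
    r"C:\Windows\Temp",
    r"C:\System Volume Information\SymEFA",
]


def _digest(path, chunk=1 << 20):
    """SHA-256 of a file, or None if it cannot be read (locked file, ACL)."""
    h = hashlib.sha256()
    try:
        with open(path, "rb") as f:
            for block in iter(lambda: f.read(chunk), b""):
                h.update(block)
    except OSError:
        return None
    return h.hexdigest()


def snapshot(roots):
    """Map every file under roots to (size, mtime, sha256-or-None).

    Unreadable directories are skipped via onerror; a missing root yields nothing.
    """
    seen = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root, onerror=lambda e: None):
            for name in files:
                p = os.path.join(dirpath, name)
                try:
                    st = os.stat(p)
                except OSError:
                    continue  # vanished or unreadable between listing and stat
                seen[p] = (st.st_size, int(st.st_mtime), _digest(p))
    return seen


def diff(before, after):
    """Return sorted lists of paths removed, added, and changed between snapshots."""
    removed = sorted(set(before) - set(after))
    added = sorted(set(after) - set(before))
    changed = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"removed": removed, "added": added, "changed": changed}


def save(snap, path):
    """Persist a snapshot as JSON (tuples become lists on disk)."""
    with open(path, "w") as f:
        json.dump(snap, f)


def load(path):
    """Load a snapshot saved by save(), restoring the tuple values."""
    with open(path) as f:
        return {k: tuple(v) for k, v in json.load(f).items()}


if __name__ == "__main__":
    # usage: python snap.py before|after|diff [root ...]
    mode, roots = sys.argv[1], sys.argv[2:] or DEFAULT_ROOTS
    if mode in ("before", "after"):
        save(snapshot(roots), f"{mode}.json")
    elif mode == "diff":
        print(json.dumps(diff(load("before.json"), load("after.json")), indent=2))
```

Run it as `before`, then the cleaner, then `after` and `diff`; the `removed` list is the direct evidence of what the cleaner deleted, and `changed` catches files that were truncated or rewritten rather than removed. On a live server the `before` snapshot must be taken with the SEP services still loaded, otherwise files the engine writes only while running never appear in it.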


For reference, below are the CCleaner entries relating to Symantec products:

 

[Norton AntiVirus]
ID=2060
LangSecRef=3024
Detect=HKLM\SOFTWARE\Symantec\Norton AntiVirus NT\Install\7.50
Default=True
FileKey1=%commonappdata%\Symantec\Norton AntiVirus Corporate Edition\7.5\Logs|*.log
FileKey2=%localappdata%\Symantec\Norton AntiVirus Corporate Edition\7.5\Logs|*.log
FileKey3=%commonappdata%\Symantec\LiveUpdate\Downloads|*.*

[symantec AntiVirus]
ID=2061
LangSecRef=3024
Detect=HKLM\SOFTWARE\Symantec\Symantec AntiVirus\Install\7.50
Default=True
FileKey1=%commonappdata%\Symantec\Symantec AntiVirus Corporate Edition\7.5\Logs|*.log
FileKey2=%localappdata%\Symantec\Symantec AntiVirus Corporate Edition\7.5\Logs|*.log
FileKey3=%commonappdata%\Symantec\LiveUpdate\Downloads|*.*

 

Anything there jump out at you, ftpookie?

I'm Shane.
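The entries above are in CCleaner's winapp.ini format: each section is gated by a `Detect=` registry key, and each `FileKeyN` is a `directory|pattern` pair with `%commonappdata%` and `%localappdata%` expanded at run time. The script below is an added example (not part of the post and not CCleaner's own code) that evaluates those two rules as a dry run: it parses the entries, expands the variables from a mapping you supply, treats a set of strings as the registry keys that are present (an assumption standing in for a real registry query), and lists the files each rule would remove without deleting anything. Running it makes two things explicit that are already visible in the entries: both rules are gated on a `7.50` install key, and `FileKey3` in both rules points at the shared `%commonappdata%\Symantec\LiveUpdate\Downloads` directory rather than a version-specific path.

```python
"""Dry-run evaluator for CCleaner winapp.ini-style rules.

Added example; not part of the original post and not CCleaner's own code.
Assumptions: a plain set of strings stands in for the registry when checking
Detect=, and the %commonappdata% / %localappdata% variables are supplied by
the caller so the rules can be exercised against a scratch directory on any
OS. Nothing is deleted; the script only reports what would match.
"""
import fnmatch
import os
import re

# The two entries quoted above, embedded verbatim so this runs offline.
RULES_INI = r"""
[Norton AntiVirus]
ID=2060
LangSecRef=3024
Detect=HKLM\SOFTWARE\Symantec\Norton AntiVirus NT\Install\7.50
Default=True
FileKey1=%commonappdata%\Symantec\Norton AntiVirus Corporate Edition\7.5\Logs|*.log
FileKey2=%localappdata%\Symantec\Norton AntiVirus Corporate Edition\7.5\Logs|*.log
FileKey3=%commonappdata%\Symantec\LiveUpdate\Downloads|*.*

[symantec AntiVirus]
ID=2061
LangSecRef=3024
Detect=HKLM\SOFTWARE\Symantec\Symantec AntiVirus\Install\7.50
Default=True
FileKey1=%commonappdata%\Symantec\Symantec AntiVirus Corporate Edition\7.5\Logs|*.log
FileKey2=%localappdata%\Symantec\Symantec AntiVirus Corporate Edition\7.5\Logs|*.log
FileKey3=%commonappdata%\Symantec\LiveUpdate\Downloads|*.*
"""

_VAR = re.compile(r"%([^%]+)%")


def parse_rules(text):
    """Return {section: {key: value}} for an INI-style rule file."""
    rules, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            rules[current] = {}
        elif "=" in line and current is not None:
            k, v = line.split("=", 1)
            rules[current][k.strip()] = v.strip()
    return rules


def expand(path, variables):
    """Expand %name% tokens (case-insensitive) and use this OS's path separator."""
    out = _VAR.sub(lambda m: variables.get(m.group(1).lower(), m.group(0)), path)
    return out.replace("\\", os.sep)


def file_keys(rule):
    """Yield (directory, pattern) for each FileKeyN in numeric order.

    Only the 'dir|pattern' form is handled; a trailing |RECURSE flag is ignored.
    """
    keys = [k for k in rule if k.lower().startswith("filekey")]
    for k in sorted(keys, key=lambda s: int(s[7:]) if s[7:].isdigit() else 0):
        parts = rule[k].split("|")
        yield parts[0], (parts[1] if len(parts) > 1 else "*.*")


def dry_run(rules, variables, present_keys):
    """Map rule name -> sorted files it would delete, or None if Detect= fails."""
    report = {}
    for name, rule in rules.items():
        detect = rule.get("Detect")
        if detect and detect not in present_keys:
            report[name] = None  # product not detected: rule would be skipped
            continue
        hits = []
        for directory, pattern in file_keys(rule):
            d = expand(directory, variables)
            if not os.path.isdir(d):
                continue
            for entry in os.listdir(d):
                full = os.path.join(d, entry)
                if os.path.isfile(full) and fnmatch.fnmatch(entry.lower(), pattern.lower()):
                    hits.append(full)
        report[name] = sorted(hits)
    return report
```

On a real machine, point `commonappdata` at `C:\ProgramData` and `localappdata` at the user's `AppData\Local`, and populate `present_keys` from the keys that actually exist under `HKLM\SOFTWARE\Symantec`; the report then shows which of the two rules is active for that install and exactly which files would go.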


Negative - this happens with or without use of the SAV (Symantec AntiVirus) option.

 

 

I did receive the message from dev - I do apologize for the delay - and I will have to contact him on Monday. I ran SymHelp (our SEP client information/log gathering utility) and have not had a chance to review it. Unfortunately, I have had some delay due to other pressing matters, but I will keep this going for further info.

 

 

Tony
