If user profiles have been configured to be deleted during log off, either by Citrix or Group Policies, the deletion might fail and a new profile created upon next logon.
During a scan the SEP client holds a handle on the scan log located in \Users\%username%\AppData\Local\Symantec\Symantec Endpoint Protection\Logs\mmddyyyy.log. The handle is not closed when the scan is stopped, which prevents the profile from being deleted.
The issue has been resolved by upgrading the SEP Client to version 12.1 RU5 or higher and implementing the following registry key:
32 bit OS:
Location: HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\AdministratorOnly\General\CloseUserLogFile
Type: DWORD
Value: 1
64 bit OS:
Location: HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node\]Symantec\Symantec Endpoint Protection\AV\AdministratorOnly\General\CloseUserLogFile
Type: DWORD
Value: 1
Note: Always backup the registry before making any changes to it.
Applies To
Symantec Endpoint Protection 12.1 and environments where user profiles have been configured to be deleted on log off.