SEP_INST.log

ScriptGen: ShowServiceProgress() Look for timeout starting SepMasterService or other failure loading SIS.dll.

or

"Could not open registry key SYSTEM\CurrentControlSet\Services\SepMasterServiceMig for flushing. Error: 2"

SIS_INST.log

File C:\Program Files\Symantec\Symantec Endpoint Protection\14.3.8268.5000.105\bin64\EFAInst64.exe is not trusted. Verification result: 20

or

File C:\Program Files\Symantec\Symantec Endpoint Protection\14.3.12167.10000.105\Bin64\Smc.exe is not trusted. Verification result: 3

Cleanwipe log

Failed to initialize SEPRemovalToolNative. WaitForSingleObject returned 258. Last error: 0. Check C:\WINDOWS\Temp\CleanWipe_timestamp\SepRemovalToolNative_x86.log file.

• Symantec Endpoint Protection
• Symantec Endpoint Security 

The device lacks required root certificates and cannot validate the protection agent binaries. This issue can occur if:

• If certificates are removed or blocked by the System Administrator.
• Windows Server base image does not include current valid root certificates.
• Computers are on a protected network that does not have access to run Windows Update.

To fix this issue, update the root certificates on the computer. This can be accomplished automatically with Windows Updates or manually by importing required certificates.

Update Certificates with Windows Updates

If the computer has internet access, launch Windows Update. The download and installation of the updated root certificates occurs automatically in the background. You do not need to take additional action.

Manually Importing Required Certificates

If the computer does not have internet access, use the process below to download and install the necessary files. Multiple certificates are required to properly validate the Symantec Endpoint Protection binaries.  Two files are attached to this document.

• Required_Certificates_For_Installation.zip: All certificates in this compressed file must be imported.
• Additional_Certificates_For_Backwards_Compatibility.zip: In some instances these certificates may also be required for install.

The Windows interface for adding certificates may look slightly different depending on your version of Windows. Symantec Technical Support does not officially support this process; these instructions are provided for your convenience.

Download the necessary root certificates

1. Download Required_Certificates_For_Installation.zip at the bottom of this article.
2. Extract all files from the Required_Certificates_For_Installation.zip file into an empty folder.

Add the Certificate snap-in

1. Click Start > Run and then enter MMC.
2. The Microsoft Windows Management Console opens.  
3. Under Console Root, check for Certificates (Local Computer).
   • Note: If this snap-in is already present, skip the rest of these steps. 
4. Click File > Add/Remove Snap-in. Under Available snap-ins, click Certificates, and then click Add.
5. In the Certificates snap-in dialogue, click Computer account, and then click Next.
6. Ensure that Local computer is selected, and then click Finish.

Install the required certificates

1. Double-click on the file and click on the Open button.
2. Click on the Install Certificate button.
3. Set the Store Location to Local Machine.
4. Click the Next button.
5. Select Place all certificates in the following store.
6. Click on the Browse button to locate the certificates previously downloaded and select the entry: Trusted Root Certification Authorities.
7. Click on the Next and then the Finish button.

Additional Steps

It may also be necessary to delete one or more Symantec/Verisign certificates in the "Untrusted Certificates" folder that display the following error upon review of the root certificate before following the steps above

This certificate has been revoked by its certification authority.

When you discover that one of the certificates shows up as 'revoked' even though Symantec/Versign did not revoke the certificates, it typically means that the certificate was either moved or copied to the "Untrusted Certificates" store on the local machine.

Notes:

* In some instances additional certificates may be necessary. These are available in the Additional_Certificates_For_Backwards_Compatibility.zip attachment. 

* The VeriSign_Class_3_Code_Signing_2010_CA.cer needs to be placed into the Intermediate Certification Authorities store instead of the Trusted Root Certification Authorities store. 

• You can download the Digicert Trusted Root G4 certificate directly from https://cacerts.digicert.com/DigiCertTrustedRootG4.crt
• More information about the DigiCert roots is available here: DigiCert Root Certificates - Download & Test | DigiCert.com
• 14.3 RU8 requires Microsoft Azure Code Signing (ACS) support. To correctly verify modules signed by Azure Code Signing, computers are required to have the "Microsoft Identity Verification Root Certificate Authority 2020" certificate authority (CA) installed.