A step-by-step instructional guide on component isolation when a Symantec Endpoint Protection (SEP) client installation causes unexpected behavior. This includes "Core Files" only.

Public facing version of this article: https://knowledge.broadcom.com/external/article/255167/

Core Files Component Isolation Instructions

1. Uninstall SEP and clean residual SEP registry entries and files from the client using CleanWipe. Reboot to normal mode.
2. Install an UNMANAGED, SEP 14.X client (Preferably the latest build) directly from the install media, locally on the computer, using a local administrator account.

• Install only the "Core Files" feature

If the machine does not reproduce the reported issue, add protection components starting with AV/AS (Virus and Spyware) from the Control Panel until the issue occurs, and contact technical support for assistance.

3. If the machine is still reproducing the issue with core files only, disable the remaining SEP drivers:

• Boot to Safe Mode and open a command prompt (Start > Run > cmd).
• To verify current start type for each driver (SymDS, SymEFA, SymEvent, SymNETS, SymTDIv, SymTDI):
  Open a Command Prompt and run the following command:
  sc qc < servicename>    (example: sc qc SymDS  )  press enter
  Note: SymNETS, SymTDIv, and SymTDI will no longer be present with only core files in 12.1.5 and newer. SymEFA and SymDS jointly became SymEFASI in 12.1.5 and newer.
• Run the following commands to disable core drivers:    

  Command	Operating System
  sc config SymDS start= disabled	ALL (<RU5)
  sc config SymEFA start= disabled	ALL (<RU5)
  sc config SymEFASI start= disabled	ALL (RU5+)
  sc config SymEvent start= disabled	ALL
  sc config SymNETS start= disabled	Windows 7 / 2008 R2 / 8 (<RU5)
  sc config SymTDIv start= disabled	Vista / 2008 (<RU5)
  sc config SymTDI start= disabled	XP / 2003 (<RU5)

  Note: Due to the dependency chain, SymEFASI will start even when configured as disabled whenever SymIRON or SysPlant are still installed and running. These drivers are not present if the SEP client has been installed with only "Core Files".
• Restart in normal mode.

5. If the reported issue no longer occurs, it will be necessary to see which of the "Core Files" drivers is causing the issue. To do so, reset the startup parameter for the drivers one at a time to the default setting, rebooting to normal mode each time. (i.e. Reset one driver, reboot in normal mode. If no issue occurs, reset another driver, reboot, etc.)
    
6. If the machine is still reproducing the issue after disabling all core drivers, or re-enabling some of them, contact technical support for assistance.

NOTES: Disabling and enabling drivers, and default parameters as of 12.1.6318.6100

To disable "Core Files" drivers, open a command prompt in Safe mode and run the following commands:

  
To Re-set the startup parameters to the default settings, open a command prompt in Normal Mode, run the following command(s), then reboot:

• Sc config SymDS start= Boot
• Sc config SymEFA start= Boot
• Sc config SymEFASI start= Boot
• Sc config SymEvent start= Demand
• Sc config SymNETS start= System 
• Sc config SymTDIv start= System
• Sc config SymTDI start= System

To verify the current start type, open a command prompt and run the following command:sc qc <servicename>    (example: sc qc SymDS  )  press enter

Start type codes: