search cancel

SEP client start automatically soon after it been stopped by command "smc -stop" .

book

Article ID: 163431

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

notice the SEP service started automatically soon after it been stoped by running "smc -stop"  on a windows 2008 server.

catch the debug log of the whole process as bellowing, the service start automatically, not by command "smc -start" or operations..

      [4572:5008] Entering the command line handler
      [4572:5008] Service request event handle: 0000012C
      [4572:5008] Sending CLCMD_STOPSERVICE_PASSWORD command
      [1672:2564] SmcNotifyStopServStatus: Command line password verified.
      [1672:2564] SepManagementClient is stopping. Starting cleanup.
      [1672:2564] Service is shutting down
      .........................
      [4572:5008] Successfully stopped the service.    
      [4572:5008] Exit SymProtectedStopService.    
      [4572:5008] Successfully stopped SepMasterService    
      [4572:5008] There are no outstanding instances of ccSvcHst running.    
      [4572:5008] Smc password verified successfully.    
      [4572:5008] Command line has been handled    
      [8012:5132] Enterprise version, Build 6608!!!    
      [8012:5132] To begin the GuiControl thread    
      .......... init..........
      [8012:5132] initial service success
      .......... sylink/HI ....
      [5684:7268] Starting SMC GUI
      ......................... 

Cause

This was reproduced in lab. and proved this related with multi-user session login on the server.

Although the user who issues the command close the SEP GUI in it own session, the SEP GUI do really opened in another user session(s).

When SEP detect there is SEP GUI opened in it own session, the "smc -stop" command will not work to stop SEP service.

When SEP detect there is SEP GUI opened in other session on the same server, the "smc -stop" command will stop SEP service and then start it automatically.

 

Resolution

ensure SEP GUI closed in any session on the server before running command "smc -stop"