Unable to reinstall Endpoint Protection

Article ID: 165253

Products

Endpoint Protection Endpoint Security

Issue/Introduction

You uninstall Symantec Endpoint Protection (SEP) and attempt to install it again. When you run Setup.exe, the installation hangs on the information collection screen. When you try to run the SEP Microsoft Installer (MSI) file instead, the progress bar hangs at about 90% of the installation, before the installer reports that the installation completed successfully. In spite of that message, you find that SEP is not installed.

You decide to run CleanWipe. Although CleanWipe completes successfully, you find that you are still unable to install SEP.

RunSymEFAQuery: cmdline: "C:\Users\admini\AppData\Local\Temp\2\Symantec\Program Files\Symantec\Name\Version\Bin\EFAInst.exe" "Symantec Endpoint Protection 14.3.5589.6300" /query
RunSymEFAQuery: exitCode converted from HRESULT: 1392
RunSymEFAQuery: The SymEFA installer query had an unexpected exit code. The current installation will fail and rollback!

SEP_INSTALL.log excerpt

Date & Time:    5/3/2017 10:15:11 AM
Event Class:    File System
Operation:    IRP_MJ_DIRECTORY_CONTROL
Result:    FILE CORRUPT
Path:    J:\System Volume Information\EfaData\*
TID:    5516
Duration:    0.0365895
Type:    QueryDirectory
Filter:    

Procmon Event Properties of the related EFAInst.exe event

 

Environment

Symantec Endpoint Protection (any version)

Cause

Consider the following troubleshooting scenario:

  • You generate a SymDiag and a Procmon trace while reproducing the issue.
  • SEP_INSTALL.log (contained in SymDiag) shows that RunSymEFAQuery exited with error code 1392.
  • You look up the error code in Microsoft's System Error Codes overview, which shows that 1392 means ERROR_FILE_CORRUPT ("The file or directory is corrupted and unreadable.").
  • You open the Procmon trace file and add a filter to only show FILE CORRUPT results, which yields a single EFAInst.exe record that shows a QueryDirectory operation failed on <drive letter>:\System Volume Information\EfaData\*.
  • Cleanwipe.log (also contained in SymDiag) shows the same 1392 error in relation to that folder:

2017-05-02T08:11:25.626Z TRACE Processing item: \\?\<drive letter>:\System Volume Information\EfaData
2017-05-02T08:11:25.719Z TRACE Item does exist.
2017-05-02T08:11:25.719Z TRACE Removing item due to 'delete' removal action.
2017-05-02T08:11:25.719Z DEBUG Deleting: \\?\<drive letter>:\System Volume Information\EfaData
2017-05-02T08:11:25.719Z TRACE Path \\?\<drive letter>:\System Volume Information\EfaData points to a directory, removing it recursively.
2017-05-02T08:11:25.719Z TRACE Error accessing directory: \\?\<drive letter>:\System Volume Information\EfaData. Error: 1392

In this specific scenario, the root cause is a corruption of a SymEFA data folder. Because of the corruption, CleanWipe is not able to remove the folder either.

Resolution

Manually remove the <drive letter>:\System Volume Information\Efa(Si)Data folder.

  1. Open Windows (File) Explorer.
  2. Click on the specific drive letter.
  3. If the System Volume Information folder is not visible, perform the following:
    • Click the Organize drop-down menu button, then click Folder and search options.
    • In the Folder Options window, navigate to the View tab, select Show hidden files, folders, and drives, untick Hide protected operating system files (Recommended), then click OK.
  4. Double-click the System Volume Information folder. If it shows an Access is denied message, perform the following:
    • Right-click the System Volume Information folder and select Properties.
    • In the System Volume Information Properties window, navigate to the Security tab and click the Edit... button.
    • Click the Add... button, type Everyone, then click the Check Names button. If a Multiple Names Found window appears, accept the default non-domain Everyone by clicking the OK button.
    • Click the OK button, which will return you to the Security tab. In the Permissions for Everyone area, select Full Control and click the OK button.
    • Click the OK button again to close the System Volume Information Properties window.
    • Open the System Volume Information folder.
  5. Right-click the SymEFA data folder (either EfaData or EfaSiData) and delete it.
Note:
Because CleanWipe iterates through a list of all drive letters, you may hit the same issue on another drive letter and have to repeat this procedure.
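The log check from the Cause section, extended to cover every drive letter mentioned in the note above, as an added example (not part of the original article and not Symantec tooling). It assumes the two log line formats quoted in this article; the function names and the sample lines (drive letters J:, K:, L:) are constructed for illustration.

```python
import re

# Win32 system error codes; 1392 is the one this article is about.
WIN32_ERRORS = {5: "ERROR_ACCESS_DENIED", 1392: "ERROR_FILE_CORRUPT"}
# Cleanwipe.log: "<timestamp> TRACE Error accessing directory: <path>. Error: <code>"
CLEANWIPE_RE = re.compile(
    r"^(?P<ts>\S+)\s+TRACE\s+Error accessing directory:\s+"
    r"(?P<path>.+?)\.\s+Error:\s+(?P<code>\d+)\s*$")
# SEP_INSTALL.log: "RunSymEFAQuery: exitCode converted from HRESULT: <code>"
SEPINSTALL_RE = re.compile(
    r"RunSymEFAQuery: exitCode converted from HRESULT:\s+(?P<code>\d+)")
# SymEFA data folder, with or without the \\?\ long-path prefix.
EFA_DIR_RE = re.compile(
    r"^(?:\\\\\?\\)?(?P<drive>[A-Za-z]):\\System Volume Information\\(?P<dir>Efa(?:Si)?Data)$")

SAMPLE = [  # constructed lines in the two formats quoted in the article
    r"RunSymEFAQuery: exitCode converted from HRESULT: 1392",
    r"2017-05-02T08:11:25.719Z TRACE Error accessing directory: \\?\J:\System Volume Information\EfaData. Error: 1392",
    r"2017-05-02T08:11:26.102Z TRACE Error accessing directory: \\?\K:\System Volume Information\EfaSiData. Error: 5",
    r"2017-05-02T08:11:26.340Z TRACE Error accessing directory: \\?\L:\System Volume Information\EfaSiData. Error: 1392",
    r"2017-05-02T08:11:26.400Z TRACE Item does exist.",
]

def triage(lines):
    """Return (installer_codes, findings) from mixed SEP_INSTALL/CleanWipe lines."""
    installer_codes, findings = [], []
    for line in lines:
        line = line.strip()
        m = SEPINSTALL_RE.search(line)
        if m:
            installer_codes.append(int(m["code"]))
            continue
        m = CLEANWIPE_RE.match(line)
        d = m and EFA_DIR_RE.match(m["path"])
        if d:  # only SymEFA data folders are in scope here
            code = int(m["code"])
            findings.append({"drive": d["drive"].upper() + ":", "folder": d["dir"],
                             "code": code, "time": m["ts"],
                             "name": WIN32_ERRORS.get(code, "UNKNOWN")})
    return installer_codes, findings

def drives_to_clean(findings):
    """Drives where a SymEFA data folder failed with ERROR_FILE_CORRUPT (1392)."""
    return sorted({f["drive"] for f in findings if f["code"] == 1392})

if __name__ == "__main__":
    codes, found = triage(SAMPLE)
    print("installer exit codes:", codes)
    print("drives needing manual removal:", drives_to_clean(found))
```

Feed it the lines of SEP_INSTALL.log and Cleanwipe.log from the SymDiag; each drive it returns needs the manual folder removal described in the Resolution, while a different code on the same folder (such as 5) is reported but not treated as corruption.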