
Network issues after Endpoint Protection upgrade on machines running Sysmon


Article ID: 175851




Endpoint Protection


After upgrading Symantec Endpoint Protection (SEP), some machines did not connect to network resources after restart, and users were unable to log in without cached credentials. Running CleanWipe and reinstalling resolved the issue and restored connectivity.

<<<  Section end 2019/08/24 13:01:23.446

<<<  [Exit status: SUCCESS]

     flq: CopyFile: 'c:\program files (x86)\symantec\symantec endpoint protection\14.2.1057.0103.105\bin64\teefervista\Teefer.sys'

     flq:       to: 'C:\Windows\system32\DRIVERS\SETC84D.tmp'

     flq: MoveFile: 'C:\Windows\system32\DRIVERS\SETC84D.tmp'

     flq:       to: 'C:\Windows\system32\DRIVERS\Teefer.sys'

!!!  flq: MoveFile: FAILED!

!!!  flq: Error 5: Access is denied.

!    flq: Targetfile 'C:\Windows\system32\DRIVERS\Teefer.sys' marked to be moved from 'C:\Windows\system32\DRIVERS\SETC84D.tmp' on next reboot.

     flq: MoveFile (delayed till reboot): 'C:\Windows\system32\DRIVERS\SETC84D.tmp'

     flq:                             to: 'C:\Windows\system32\DRIVERS\Teefer.sys'



During the upgrade, Sysmon "touches" the SEP Teefer driver file at the moment the installer tries to rename it. The rename fails (Error 5: Access is denied in the log above), so the installer schedules the file to be renamed on the next reboot. This prevents the driver from loading on the first reboot. In some instances, it took up to 3 reboots before Teefer loaded properly.


The recommended solution is to uninstall Sysmon before upgrading SEP. Alternatively, you could test disabling the Sysmon service so that it does not re-enable on reboot.
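To check whether an upgraded machine hit this condition, the log pattern in the excerpt above can be searched for automatically. The following is an added example, not code from the vendor or the original article: it assumes the installation log has already been read into a string in the same "flq:" format as the excerpt, and the function names are hypothetical.

```python
import re

# Patterns for the "flq:" (file queue) lines shown in the log excerpt above.
NEW_OP = re.compile(r"flq:\s+(?:CopyFile|MoveFile): '")
FAILED = re.compile(r"flq:\s+MoveFile: FAILED!")
ERROR = re.compile(r"flq:\s+(Error \d+: .+?)\s*$")
DEFERRED = re.compile(
    r"flq:\s+Targetfile '([^']+)' marked to be moved from '([^']+)' on next reboot")

def find_deferred_moves(log_text):
    """Return (target, temp_source, error) for each move postponed to reboot."""
    found, failed, error = [], False, None
    for line in log_text.splitlines():
        if FAILED.search(line):
            failed, error = True, None
        elif NEW_OP.search(line):
            failed, error = False, None      # a new file operation starts
        elif failed and (m := ERROR.search(line)):
            error = m.group(1)               # error reported for the failed move
        elif m := DEFERRED.search(line):
            found.append((m.group(1), m.group(2), error))
            failed, error = False, None
    return found

def deferred_for(log_text, file_name):
    """Filter deferred moves to one target file name, case-insensitively."""
    suffix = "\\" + file_name.lower()
    return [d for d in find_deferred_moves(log_text) if d[0].lower().endswith(suffix)]

# Sample input: the excerpt from this article, preceded by one constructed
# successful move (example.sys and SETAAAA.tmp are made-up names).
SAMPLE = r"""
     flq: MoveFile: 'C:\Windows\system32\DRIVERS\SETAAAA.tmp'
     flq:       to: 'C:\Windows\system32\DRIVERS\example.sys'
     flq: MoveFile: 'C:\Windows\system32\DRIVERS\SETC84D.tmp'
     flq:       to: 'C:\Windows\system32\DRIVERS\Teefer.sys'
!!!  flq: MoveFile: FAILED!
!!!  flq: Error 5: Access is denied.
!    flq: Targetfile 'C:\Windows\system32\DRIVERS\Teefer.sys' marked to be moved from 'C:\Windows\system32\DRIVERS\SETC84D.tmp' on next reboot.
     flq: MoveFile (delayed till reboot): 'C:\Windows\system32\DRIVERS\SETC84D.tmp'
     flq:                             to: 'C:\Windows\system32\DRIVERS\Teefer.sys'
"""

if __name__ == "__main__":
    for target, source, error in deferred_for(SAMPLE, "Teefer.sys"):
        print(f"{target} <- {source} deferred to reboot ({error})")
```

A non-empty result for Teefer.sys means the driver replacement is still pending a reboot, which is the state in which the article reports the connectivity and login failures.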