Network issues after Endpoint Protection upgrade on machines running Sysmon

Article ID: 175851

Products

Endpoint Protection

Issue/Introduction

After upgrading Symantec Endpoint Protection (SEP), some machines do not connect to network resources after the restart, and users are unable to log in without cached credentials. Running CleanWipe and reinstalling SEP resolved the issue and restored connectivity.

setupapi.app.log:

<<<  Section end 2019/08/24 13:01:23.446
<<<  [Exit status: SUCCESS]
     flq: CopyFile: 'c:\program files (x86)\symantec\symantec endpoint protection\14.2.1057.0103.105\bin64\teefervista\Teefer.sys'
     flq:       to: 'C:\Windows\system32\DRIVERS\SETC84D.tmp'
     flq: MoveFile: 'C:\Windows\system32\DRIVERS\SETC84D.tmp'
     flq:       to: 'C:\Windows\system32\DRIVERS\Teefer.sys'
!!!  flq: MoveFile: FAILED!
!!!  flq: Error 5: Access is denied.
!    flq: Targetfile 'C:\Windows\system32\DRIVERS\Teefer.sys' marked to be moved from 'C:\Windows\system32\DRIVERS\SETC84D.tmp' on next reboot.
     flq: MoveFile (delayed till reboot): 'C:\Windows\system32\DRIVERS\SETC84D.tmp'
     flq:                             to: 'C:\Windows\system32\DRIVERS\Teefer.sys'

Cause

Sysmon "touches" the SEP Teefer driver file during the upgrade at the moment the installer tries to rename it, so the rename fails with "Access is denied" and the installer schedules the file to be moved into place on the next reboot. Because the new Teefer.sys is not in place yet, the driver does not load on the first reboot. In some instances it took up to 3 reboots before Teefer loaded properly.

Resolution

The recommended solution is to uninstall Sysmon before upgrading SEP. Alternatively, you can test disabling the Sysmon service before the upgrade so that it does not start again on reboot while the Teefer driver is being replaced.
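The following PowerShell check is an added example, not code from the Broadcom article or from Sysinternals. It lets an administrator confirm, before and after the SEP upgrade, the two conditions the article describes: whether Sysmon is present and running, and whether Teefer.sys still has a rename queued for the next reboot (the "MoveFile (delayed till reboot)" line in setupapi.app.log is recorded in the PendingFileRenameOperations registry value). It assumes Sysmon was installed under its default service name ("Sysmon" or "Sysmon64") and that the driver path matches the log above; the function names are the example's own.

```powershell
# Added example: pre-/post-upgrade check for the Sysmon vs. Teefer.sys conflict
# described in the article. Not Broadcom's or Sysinternals' tooling.
# Assumptions: Sysmon uses its default service name ("Sysmon" or "Sysmon64");
# Teefer.sys lives under System32\DRIVERS as in the setupapi.app.log excerpt.

$TeeferPath = Join-Path $env:SystemRoot 'System32\DRIVERS\Teefer.sys'

function Get-SysmonService {
    # Default Sysmon service names. A Sysmon installed under a custom name will
    # not be found here, so "not detected" is not proof that Sysmon is absent.
    Get-Service -Name 'Sysmon', 'Sysmon64' -ErrorAction SilentlyContinue
}

function Get-PendingFileRenames {
    # A setupapi "MoveFile (delayed till reboot)" is stored as a REG_MULTI_SZ of
    # source/destination pairs. Sources carry a \??\ prefix; an empty destination
    # means "delete on reboot".
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $prop = Get-ItemProperty -Path $key -Name 'PendingFileRenameOperations' -ErrorAction SilentlyContinue
    if (-not $prop) { return @() }
    $entries = @($prop.PendingFileRenameOperations)
    $pairs = @()
    for ($i = 0; $i -lt $entries.Count; $i += 2) {
        $dest = if ($i + 1 -lt $entries.Count) { $entries[$i + 1] } else { '' }
        $pairs += [pscustomobject]@{
            Source      = $entries[$i] -replace '^\\\?\?\\', ''
            Destination = $dest        -replace '^\\\?\?\\', ''
        }
    }
    return $pairs
}

function Get-TeeferDriverState {
    # Match on the image path rather than a service name, because the article
    # does not give the Teefer service name.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -and $_.PathName -like '*\Teefer.sys' } |
        Select-Object Name, State, StartMode, PathName
}

function Test-TeeferUpgradeReadiness {
    $report = [ordered]@{}

    $sysmon = Get-SysmonService
    $report['SysmonDetected'] = [bool]$sysmon
    $report['SysmonRunning']  = [bool]($sysmon | Where-Object Status -eq 'Running')

    # A queued rename whose destination is Teefer.sys is the exact failure mode
    # from the log: the new driver file is not in place until the reboot applies it.
    $pending = Get-PendingFileRenames | Where-Object { $_.Destination -like '*\Teefer.sys' }
    $report['TeeferRenamePending'] = [bool]$pending

    $driver = Get-TeeferDriverState
    $report['TeeferFileExists']    = Test-Path -LiteralPath $TeeferPath
    $report['TeeferDriverRunning'] = [bool]($driver | Where-Object State -eq 'Running')

    if ($report['SysmonRunning']) {
        Write-Warning 'Sysmon is running. Per the article, uninstall it (or stop and disable the service) before upgrading SEP.'
    }
    if ($report['TeeferRenamePending']) {
        foreach ($p in $pending) {
            Write-Warning "Teefer.sys replacement is queued for reboot: '$($p.Source)' -> '$($p.Destination)'. Expect the connectivity loss described above until the rename is applied."
        }
    }
    return [pscustomobject]$report
}

# Run before the upgrade (expect SysmonRunning = $false) and again after it
# (expect TeeferRenamePending = $false and TeeferDriverRunning = $true).
Test-TeeferUpgradeReadiness
```

Run it from an elevated PowerShell session, since reading the Session Manager key and enumerating system drivers needs administrator rights. The script only reports; the remediation the article recommends (uninstalling Sysmon, or disabling its service with `Set-Service` so it does not start on the next reboot) is left as a deliberate, separate step so the check can also be used as a post-upgrade health test on machines that have already lost connectivity.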