Disable the Endpoint Protection Error Processor task

Article ID: 179322

Updated On:

Products

Endpoint Protection

Issue/Introduction

 

Resolution

SymQual statistical analysis makes it possible to detect emerging issues in your environment. It is therefore recommended to enable submission of crash-related data to Symantec on systems running Symantec Endpoint Protection (SEP). That said, your security policy or a specific situation might dictate not only that submissions be disabled at a site-wide level, but also that the Symantec Endpoint Protection Error Processor scheduled task be deleted. The preferred way of disabling submissions to Symantec is the site-wide setting: uncheck SEPM > Admin > Servers > Local Site > Edit Site Properties > Data Collection > "Let clients send troubleshooting information to Symantec to resolve product issues faster."

While it is not possible to delete the scheduled task (it will be recreated if found missing when the SepMasterService is started), it is possible to create a Disable Symantec Endpoint Protection Error Processor task that counteracts all its possible actions. To that end, save the attached file to the root of the C: drive (C:\) of the system where the task is to be disabled. Next, open an administrative Command Prompt (cmd.exe) window and run the following command:

schtasks /create /xml "C:\Disable Symantec Endpoint Protection Error Processor.xml" /tn "Symantec Endpoint Protection\Disable Symantec Endpoint Protection Error Processor"

To achieve the same on a large number of systems, replace C:\ with %LOGONSERVER%\netlogon\ in the above command and place the XML file on your domain controllers' netlogon share, where it is accessible to all clients in your domain. The command can then be used in a login script.

The newly created scheduled task will disable the Symantec Endpoint Protection Error Processor scheduled task:

  • when the Symantec Endpoint Protection service is stopped or started
  • when there is a change (any change, not just stopping or starting) to the "Symantec Endpoint Protection Error Processor" scheduled task

The task was optimized to ensure it does this in any and all circumstances:

  • an "on event" trigger was added with a custom XPath XML query to detect SepMasterService start/stop (the task action runs 30 seconds after the trigger is detected).
  • a 30-second delay was added for the other triggers (on boot, at logon).
  • it runs under the SYSTEM account, and will therefore run regardless of whether or not a user is logged in.
  • the author was configured to be Symantec, just like the other scheduled tasks in the Task Scheduler's Symantec Endpoint Protection folder.

Notes

After a system has booted and the Symantec Endpoint Protection Error Processor scheduled task is started, there will be a 30-second delay before it is disabled.

One may wish to test its efficacy by manually enabling the task. Unless one presses F5 in Task Scheduler\Task Scheduler Library\Symantec Endpoint Protection after doing so, one will not see the status of the Disable Symantec Endpoint Protection Error Processor task change to Queued before the Symantec Endpoint Protection Error Processor scheduled task's status changes to Disabled again after 30 seconds. In fact, one will not even see the latter change, and its status will seem to remain Enabled, unless one presses F5 again after 30 seconds.

The Task Scheduler service is always started prior to the Symantec Endpoint Protection service, so this should not be an issue. If it should prove to be an issue, delete the task, re-import it, then try again.
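The efficacy test described above can also be scripted, which avoids relying on F5 refreshes in the Task Scheduler console. The following PowerShell is an added example, not part of the attachment or of the product: it uses the task and folder names given in this article, and the 90-second timeout and 5-second polling interval are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: enable the Error Processor task, then confirm that the
# counteracting task disables it again. Names are taken from this article.
$TaskPath    = '\Symantec Endpoint Protection\'
$TargetTask  = 'Symantec Endpoint Protection Error Processor'
$DisableTask = 'Disable Symantec Endpoint Protection Error Processor'

function Test-ErrorProcessorDisabled {
    param([int]$TimeoutSec = 90)   # assumption: 30-second delay plus margin

    # The counteracting task must have been imported and must be active.
    $guard = Get-ScheduledTask -TaskPath $TaskPath -TaskName $DisableTask -ErrorAction SilentlyContinue
    if (-not $guard) {
        Write-Warning "'$DisableTask' not found; import the XML file first."
        return $false
    }
    if ($guard.State -eq 'Disabled') {
        Write-Warning "'$DisableTask' is itself disabled and cannot act."
        return $false
    }
    if ($guard.Principal.UserId -notin 'SYSTEM', 'S-1-5-18', 'NT AUTHORITY\SYSTEM') {
        Write-Warning "'$DisableTask' runs as '$($guard.Principal.UserId)', not SYSTEM."
    }

    $target = Get-ScheduledTask -TaskPath $TaskPath -TaskName $TargetTask -ErrorAction SilentlyContinue
    if (-not $target) {
        Write-Warning "'$TargetTask' not found; is SepMasterService installed and started?"
        return $false
    }

    # Manually enable the target task; this change is one of the triggers.
    Enable-ScheduledTask -TaskPath $TaskPath -TaskName $TargetTask | Out-Null

    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    do {
        Start-Sleep -Seconds 5
        $state = (Get-ScheduledTask -TaskPath $TaskPath -TaskName $TargetTask).State
        Write-Host ("{0:HH:mm:ss}  {1}: {2}" -f (Get-Date), $TargetTask, $state)
        if ($state -eq 'Disabled') { return $true }
    } while ((Get-Date) -lt $deadline)

    # Failure: do not leave the task enabled as a side effect of the test.
    Disable-ScheduledTask -TaskPath $TaskPath -TaskName $TargetTask | Out-Null
    Write-Warning "Task was not disabled automatically within $TimeoutSec seconds."
    return $false
}

Test-ErrorProcessorDisabled
```

A result of False after a timeout corresponds to the case covered above: delete the task, re-import it, then try again.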

Attachments

Disable Symantec Endpoint Protection Error Processor.xml