Getting notification email for Endpoint Protection not installed even though it is installed
Article ID: 244694
Updated On: 05-15-2023
Products
Issue/Introduction
Symantec Endpoint Protection Manager (SEPM) has Symantec Endpoint Protection (SEP) agent installed, still getting a notification email with 'health status: poor' for SEP not installed on it.
Example notification found in 'SecurityAlertNotifyTask-0.log':
2022-06-22 03:06:06.130 THREAD 42 FINE: Add an action: type - EMAIL parameter - com.sygate.scm.server.task.notification.ActionParameter==> serialVersionUID=-637565179334270678; hasEmailAlerts=true; dbMessages=[Server Server_Name health status: poor. Reason: The Symantec Endpoint Protection Manager server does not have Symantec Endpoint Protection installed. Status reported on Jun 22, 2022 3:06:04 AM.]; noTagIdx=XXXX; triggerTime=Wed Jun 22 03:06:05 CST 2022; lastTriggerTime=1970-01-01 08:00:00.0; batchFileName=; cmdMessage=<ServerHealth><Server Name='Server_Name' Health='POOR' Reason='314' StatusTime=1655838364802/></ServerHealth>; response=null; visibilityFlags=WEBUI_ENABLED <==
Cause
Missing permission on registry key 'HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps' or the ccSvcHst.exe process.
Resolution
We can get this issue if 'semsvc.exe' cannot read the registry to detect if SEP is installed. Verify and add the permissions for this registry key as follows:
- Right click on registry 'HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps' and click Permissions...
- Click on 'Advanced' tab.
- Add Read permission for 'SEPM_Server_Name\Users' and 'nt service\semsrv'
In addition, you will want to navigate to the location specified in 'HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\SAVCE' and verify the same permissions as above. By default this location is at C:\Program Files\Symantec\Symantec Endpoint Protection\<version>\Bin64\.
The CCSVCHST.exe process will also need the EXECUTE permission for the 'nt service\semsrv'.
Reference screenshot:
Feedback
