A step-by-step instructional guide on component isolation when a Symantec Endpoint Protection (SEP) or Symantec Endpoint Security (SES) client installation causes unexpected behavior. This includes "Core Files" only.

Symantec Endpoint Protection
Symantec Endpoint Security

Core Files Component Isolation Instructions

1. Remove all features except Core Files following this document: How to configure Symantec Endpoint Protection 14.x Enterprise Edition to include only "Core Files" (broadcom.com)

If the machine does not reproduce the reported issue, add protection components one by one starting with AV/AS with Basic Download Protection Only from the Control Panel until the issue occurs.

2. If the machine is still reproducing the issue with Core Files only, disable the remaining drivers one by one until the issue stops occuring.

Disabling driver Instructions

1. Open the command prompt as Administrator
2. Enter the following commands one by one. A reboot will be needed each time.
3. Attempt to reproduce until the issue occurs.


sc config SymEFASI start= disabled
sc config SymELAM start= disabled
sc config SymEvent start= disabled
sc config SymIRON start= disabled
sc config eeCtrl start= disabled
sc config EraserUtilRebootDrv start= disabled


Once the component or driver causing the issue is found please contact Technical Support

In the event that disabling symefasi does not work and it is necessary to stop it without modifying dependent drivers, rename the driver file.

To find the file:
sc qc symefasi

Look at the BINARY_PATH_NAME value to find the driver file, then rename the extension to .bak. Reboot the server to disable symefasi. Revert the change and reboot again to restore driver functionality.