You uninstall Symantec Endpoint Protection (SEP) and attempt to install it again. When you run Setup.exe, the installation hangs on the information collection screen. When you try to run the SEP Microsoft Installer (MSI) file instead, the progress bar hangs at about 90% of the installation, before the installer reports that the installation completed succesfully. In spite of that message, you find that SEP is not installed.
You decide to run CleanWipe. Although CleanWipe completes succesfully, you find that you are still unable to install SEP.
RunSymEFAQuery: cmdline: "C:\Users\admini\AppData\Local\Temp\2\Symantec\Program Files\Symantec\Name\Version\Bin\EFAInst.exe" "Symantec Endpoint Protection 12.1.6608.6300" /query
RunSymEFAQuery: exitCode converted from HRESULT: 1392
RunSymEFAQuery: The SymEFA installer query had an unexpected exit code. The current installation will fail and rollback!
Date & Time: 5/3/2017 10:15:11 AM
Event Class: File System
Result: FILE CORRUPT
Path: J:\System Volume Information\EfaData\*
Procmon Event Properties of the related EFAInst.exe event
Consider the following troubleshooting scenario:
2017-05-02T08:11:25.626Z TRACE Processing item: \\?\<drive letter>:\System Volume Information\EfaData
2017-05-02T08:11:25.719Z TRACE Item does exist.
2017-05-02T08:11:25.719Z TRACE Removing item due to 'delete' removal action.
2017-05-02T08:11:25.719Z DEBUG Deleting: \\?\<drive letter>:\System Volume Information\EfaData
2017-05-02T08:11:25.719Z TRACE Path \\?\<drive letter>:\System Volume Information\EfaData points to a directory, removing it recursively.
2017-05-02T08:11:25.719Z TRACE Error accessing directory: \\?\<drive letter>:\System Volume Information\EfaData. Error: 1392
In this specific scenario, the root cause is a corruption of a SymEFA data folder. Because of the corruption, CleanWipe is not able to remove the folder either.
Manually remove the <drive letter>:\System Volume Information\Efa(Si)Data> folder.