Jump to content
Welcome to our new Citrix community!
  • 0

Problem with Making SEP 14.2 RU1 MP1 to work on an App Layer

Brandon Prescott


We are on 1907 using 2016 servers.

We can't seem to get Symantec SEP version 14.2 RU1 MP1 (14.2.4814.1101) to update the def files, or recognize the SEP service is running from an app layer so we have it on the OS layer.now .  I have seen other forums that mention the filter minidrivrs or the SEP version may play a part.  Symantec has not really been any help.  Has anyone been able make this SEP version work on an app layer?


We have also noticed that putting the virus software on the OS layer can cause issues when the newer def files download while we are editing another layer.  We noticed this when we upgraded our SEP from 12.X to 14.2 last month then ran an update to all our images and noticed all of our updated images still had 12.1.. folders in the C:\programdata\Symantec\Symantec Endpoint Protection path along with the 14.2....  We had to clean each layer of the older def folders to keep the images clean. not sure we had to but it was a concern that OS layer activity, virus def updates,  can effect the layer being edited. 

Link to comment

6 answers to this question

Recommended Posts

  • 0

Rob, thank you for the info.  I have reviewed that sight before.  On this SEP version once the SEP client is installed via a app layer then added to an image template the SEP client does not acknowledge all the services the client requires.  On layer creation I did set the start types of the identified services to '2' rebooted and allowed the def files to update, then reset to '1' before finalizing for shutdown.   Going see if I can identify what services that might be.


With the SEP client on the OS layer we are still finding that other layers we build or modify are capturing the SEP def files if they update during the layer build process and are sealed to that layer once finalized.  We see 2 options to prevent this, 1 - delete any newer definition files and registry settings on the layer, or 2 - we have an earlier OS layer without SEP that we can assign to the packaging VM during a layer build or modify.  

Link to comment
  • 0

I am running 14.2.4815.1101 from an app layer this is what I have for notes. Gathered it from several sources don't recall them.

1> Copy install folder to c:\
2> run setup file
3> disable Tamper Protection
4> import sep.reg

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Symantec\Symantec Endpoint Protection\AV\Common]

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Symantec\Symantec Endpoint Protection\SMC]

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Symantec\Symantec Endpoint Protection\SMC\Virtualization]

5> Using regedit, change the Group and Tag values for each ccSettings GUID.
    a. Go to [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ccSettings_{GUID}].
     If there is more than one ccSettings_{GUID}, start with the first one.
    b. For each ccSettings_{GUID}, change the Group value from FSFilter Bottom to FSFilter Virtualization.
    c. Change the Tag value to an 8 for the first GUID, and add 1 to the value for each succeeding GUID. The next GUID the value is 9, then 10, and so on.
When you install Symantec for the first time, there is one ccSettings_{GUID}. Each time you upgrade the application, Symantec adds another GUID.

6> Restart the Packaging Machine or the gold image. Then, restart the Packaging Machine as often as necessary until the post-installation restart request no longer appears in the App Layering management console.
7> Enable Tamper Protection.


Link to comment
  • 0

jrobers695 - Thank you for the input.  Didn't seem to work after the image was made in ELM. We are using 1907. Are you on 1911?  Maybe that difference is in the image build. 


We could live with SEP on our OS layer but we ran into an issue when we had to modify the platform layer and used the SEP OS layer version as the base on the packaging VM. During the PL work the SEP client ran an update and infected the platform layer with the newer def files and some reg additions. Cleaning those off was not pretty. now that platform layer version is breaking the SEP when combined on a new template.

We are going to engage our Citrix support for some answers... I hope. 

Thank you for the advise.

Link to comment
  • 0

Good day. On building the App layer I can get SEP to update and go to green status by disabling the Intrusion Protection service then reactivating it prior to the finalization for shutdown.  However, once the layer is on a vdisk and assigned to a 2016 server VM the SEP client will not run and throws the message that some of the Symantec services are not running.....  I've compared services with a working VM. Only thing I can think of is the OS does not recognize the App Layer services as running. Some of the services' drivers do have altitude values that match Microsoft's values and I don't see that I could modify them. 

I did put a ticket in to Citrix 2 days ago :34_rolling_eyes:. still waiting.  maybe something will come of that.  


FYI  - one other  side-effect has been that when I build new App layers the with the base OS, the SEP client will end up running an update and I find the app layer has been infected with SEP def files and the Symantec file structure in the C:\programData directory and registry.  I thought I could just delete them. But when I did and reassigned that layer to a image SEP quit working on the VM.  

Appropriate your help.

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...