We're having a strange issue with Symantec Endpoint Protection (SEP) version 12.1 on Windows 7 clients.

When our users try to map a new network printer from our print server (double-click on the printer name when browsing \\OurPrintServer), the standard driver install process begins as usual but ends with the error message: "Windows cannot connect to the printer. Access is denied."

We have tested on multiple systems with different printer shares using different drivers and even different printer manufacturers. The install of all printer drivers not already present on the client system seems to be being blocked by SEP.

A strange thing is that when we disable SEP, the error still occurs and new printer drivers still fail to install. If we completely remove SEP from the client computer, the printer drivers install successfully and the printer shares map as expected.

To further test, we tried other Windows 7 clients on our domain without SEP and they map the printer correctly installing the drivers as expected.

Has anyone seen a problem like this with SEP 12.x on Windows 7 and if so do you have any suggestions on how to resolve the issue? Such a strange case, even when SEP is disabled it is still somehow blocking these printer driver installs. Only when SEP is completely removed do Windows shared network printer driver installs work correctly.

Mister_Tom
Q: Has anyone seen a problem like this with SEP 12.x? A: I've seen a number of strange network problems with SEP, specifically the Network Intrusion Prevention component. Try installing a new SEP package on a test client without the Network Intrusion Protection component and see if that resolves the problem. – joeqwerty Feb 24 '14 at 22:05

@joeqwerty yep, we leave it out, Windows Firewall works fine. – MDMoore313 Feb 28 '14 at 15:16

1 Answer

It looks like recent Symantec definition updates broke something with one of the Host Intrusion Prevention System (HIPS) policies in use on our systems. Thanks for the tip @joeqwerty. The organization seems to want to keep this component installed, so they changed the rule to log instead of block. Here are the details:

  • Open Symantec Endpoint Protection Manager
  • Go to: Policies - Application and Device Control
  • Double-click name of Application and Device Control Policy that is in use
  • Select "Application Control" on left side to view "Application Control Rule Sets"
  • Select the Rule Set named "Prevent modification of system files (HIPS) [AC14]"
  • UN-check the "Enabled" button or set it to "Test (log only)"
  • "OK" to save changes
  • Apply the updated policies to clients as usual

After disabling the "Prevent modification of system files (HIPS) [AC14]" policy, client printer mapping and printer driver installs worked correctly. Here are some related screenshots as a visual aid:

[Screenshot: Application Control Rule Sets]

[Screenshot: Prevent modification of system files]

The best solution would probably be to exclude the IPS component from all Symantec Endpoint Protection (SEP) client installs. If your organization prefers to keep the HIPS installed, then you must wrangle with botched policies like this one.

Mister_Tom