Network not working after removing Symantec Endpoint Protection

About a year ago, I made the switch from Symantec Endpoint Protection 12 to Microsoft Forefront on a small network I manage, and the transition was mostly smooth. I noticed a few weeks ago, though, that one of my servers still had SEP installed, though it wasn’t running. I uninstalled SEP, thinking it would go smoothly, and on reboot, I lost connectivity to the server. No ping, no remote desktop – nothing.

On rolling over to the server and checking the desktop, the network connectivity was completely dead – I couldn’t ping the gateway or browse the internet at all. Using Device Manager to uninstall the network card and rebooting didn’t do any good, not did attempting to update drivers. However, in device manager, I could see a “Teefer2” entry for every one of my network connections, and it was set to disabled – this is the Symantec Network Threat Protection driver, and it monitors your network activity. Thinking this could be the problem, I attempted to right-click -> Uninstall each of these, but nothing happened – they didn’t uninstall.

Trying to update the drivers on the network card (which said a file was missing) always give me the same error message: “The system cannot find the file specified.” It would almost work, up until the very end of the driver wizard, and then that error.

I found an article about running a Symantec tool called “Cleanwipe” that’s supposed to remove traces of failed Symantec Endpoint installations. You need an open support ticket to get it from Symantec directly, but if you know the filename, you can Google it and get it from others (note: I don’t vouch for the results – you’re on your own).

Running that tool didn’t solve my problem, though it did delete a number of components that were left. Next, I went through and manually deleted the remnants, following these instructions:

http://www.symantec.com/business/support/index?page=content&id=TECH91038&locale=en_US

That removed everything except the Teefer2 entries in my networking list. After about a dozen random fix attempts from all over the internet and reboots in between, I stumbled on an Experts Exchange question where somebody had posted a solution:

http://www.experts-exchange.com/Hardware/Networking_Hardware/Q_23508822.html

For those without access, the fix is simple – delete a single registry value. It’s located under HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlNetwork and is called “Config”. Don’t delete the Network key, and don’t just clear this value, delete the value entirely. Once you do, you’ll be allowed to delete your network cards and the Teefer2 entries from device manager – remove all the Teerfer2 entries and any network connections that were associated with them, and then reboot. Windows will detect your network cards and let you install drivers, except this time it will work.

About 7 hours of troubleshooting and a dozen reboots, and the fix was to delete a single registry value. The Cleanwipe and the manual removal of SEP might have been required as well, but hopefully this saves you some time.

Powershell command to get current sessions on an IIS site

After a Powershell session at SQL Saturday (Phoenix #131) this weekend, I’m now suddenly on the lookout for handy powershell commands. The first one lets you see the number of Active* sessions on your IIS site (* because HTTP is stateless, it’s really the number of connections that have been opened recently – not what’s currently active, which is likely next to zero. I tried browsing around on a test site and it showed only my one user connected).

To get the currently active user count, here’s the powershell:

# Ensure you use the server's actual name, not LOCALHOST, which won't work
$Servername = "Your Server Name"
$Sitename = "Name of your IIS Site"

Get-Counter "\\$ServerName\web service($SiteName)\current connections"

Changing SQL Server data file locations in clustered instance using service SIDs

Recently I added a second LUN to a clustered instance of SQL Server to isolate the logs files (and another for the TempDB) and I mounted them to an empty NTFS folder as I’ve done before, but when I started SQL Server, I recieved the following error:

CREATE FILE encountered operating system error 5 (Access is denied.)
while attempting to open or create the physical file
'X:\MSSQL10_50.INSTANCENAME\TempDB\tempdb.mdf

The error means that SQL Server doesn’t have NTFS rights to the location of the TempDB, but when I tried to add those rights, the permissions weren’t granted to the domain proxy account as I’d expected, but were instead granted to the service SID account, MSSQL$InstanceName. I attempted to grant the permissions to this account at the new location, but couldn’t get it to resolve to an actual account. What finally worked was:

  1. In the permissions change dialog box, change the “Location” from the domain to the local machine (even though it’s a cluster and your using a domain account to run the service)
  2. In the text box, type “NT Service\MSSQL$INSTANCENAME” and click “Check Names”

Even though that appears to be a local account, it will resolve properly on all the cluster nodes involved. This step, as opposed to using the domain proxy account the service is running as, was necessary because (during the initial SQL Server setup process) I’d selected to use the proxy account SID to host permissions rather than a domain group. The better choice permissions-wise, but the source of some confusion!

Launching Microsoft File Transfer Manager

In case you were in the middle of a download from MSDN or another Microsoft site that uses the transfer manager and you’ve accidentally closed it, you can find it at one of two locations:

If you installed it from an MSI:
x64 – C:\Program Files (x86)\Microsoft File Transfer Manager\TransferMgr.exe
x86 – C:\Program Files\Microsoft File Transfer Manager\TransferMgr.exe

Downloaded automatically in IE (more likely):
%SystemRoot%\Downloaded Program Files\TransferMgr.exe

Mine was hiding in that second location – if you download it directly in IE, it doesn’t create a start menu icon, so you’re not able to re-launch the tool unless you know the file location.

Dealing with an exception: “An attempt was made to access a socket in a way forbidden by its access permissions”

I was attempting to bind a remoting listening to a particular port and kept receiving an exception when attempting to bind on the production Windows 2008 R2 server itself – it always worked fine on both my development box and our test server. Here’s the exception:

Exception message: An attempt was made to access a socket in a way forbidden by its access permissions
Stack Trace:
   at System.Net.Sockets.Socket.DoBind(EndPoint endPointSnapshot, SocketAddress socketAddress)
   at System.Net.Sockets.Socket.Bind(EndPoint localEP)
   at System.Net.Sockets.TcpListener.Start(Int32 backlog)
   at System.Runtime.Remoting.Channels.ExclusiveTcpListener.Start(Boolean exclusiveAddressUse)
   at System.Runtime.Remoting.Channels.Tcp.TcpServerChannel.StartListening(Object data)
   at System.Runtime.Remoting.Channels.Tcp.TcpServerChannel..ctor(IDictionary properties, IServerChannelSinkProvider sinkProvider, IAuthorizeRemotingConnection authorizeCallback)

Though Googling gave some suggestions to run the process as an administrator (no effect), the actual problem was that my process was trying to listen on a port that was already taken by another listener. Since the port was already in use, it couldn’t bind and I received the exception. Stopping the other process resolved the issue immediately.

Not really a clear error message, since it really had nothing to do with permissions at all, but there you go.