Application Resilience policies for Symantec Endpoint Protection

You can activate an Application Resilience policy for Symantec Endpoint Protection to collect information about the functional status of Symantec Endpoint Protection installed on your Windows devices and view the results in reports. You can also configure the policy to attempt to repair or reinstall the application.

Reinstall mode is not supported when the Tamper Protection feature in Symantec Endpoint Protection is enabled, which locks the agent's registry settings, files, and services. This feature also prevents sms.dll from being reinstalled in Repair mode (although the RAR component will still be able to restart services that aren't running).

Application Resilience policies for Symantec Endpoint Protection are supported on devices running:

  • a supported version of the Windows operating system

  • PowerShell version 5.1 or higher

    Due to PowerShell restrictions imposed by Microsoft, Application Resilience isn't supported for this application on devices running Windows 11 SE.

  • one of the following versions of Symantec Endpoint Protection:

    • 14.2.x or higher

      Significant software changes in higher versions may cause health checks to become invalid.

    • 14.1.x
    • 14.0.x

In addition to checking the version, the following table describes the health checks performed:

If you select Report higher versions as Compliant, higher versions report Compliant without running health checks.

Component Test performed
Services Installed Running Signed by
  • Symantec Endpoint Protection (ccSvcHst.exe) service
  • Symantec Endpoint Protection Scan Service (ccSvcHst.exe)1
  • Symantec Endpoint Protection WSC Service (sepWscSvc.exe or sepWscSvc64.exe)2

One of the signers entered in the policy configuration

By default, Signers contains "Symantec Corporation" and "Broadcom Inc".
  • Symantec Network Access Control (snac.exe or snac64.exe) service
 n/a
Binary files Exists Signed by
  • sms.dll

One of the signers entered in the policy configuration

By default, Signers contains "Symantec Corporation" and "Broadcom Inc".
Application name

The application uses the following name:

  • Symantec Endpoint Protection

1 Only checked if Symantec Endpoint Protection Scan Service is selected in the policy configuration

2 Only checked if Symantec Endpoint Protection WSC Service is selected in the policy configuration

In addition to checking the version, the following table describes the health checks performed:

If you select Report higher versions as Compliant, higher versions report Compliant without running health checks.

Component Test performed
Services Installed Running Signed by
  • Symantec Endpoint Protection (ccSvcHst.exe and sms.dll)
  • Symantec Network Access Control (snac.exe)
 Symantec Corporation
Binary files Exists Signed by
  • sms.dll
Symantec Corporation
Application name

The application uses the following name:

  • Symantec Endpoint Protection

You can configure an Application Resilience policy for Symantec Endpoint Protection to enable the Application Resilience (RAR) component A lightweight software component of the Secure Endpoint Agent that detects the status of third party applications installed on a device. The component may also attempt to repair the third party application if it is non-compliant. The RAR component is deployed on a device only when the device is associated with a customized policy group and that policy group's Application Resilience policy is activated. to attempt to repair Symantec Endpoint Protection if it's not functioning, or reinstall it if it's missing or can't be repaired.

Depending on the Absolute product licenses associated with your account, the Report and repair and Report, repair, and reinstall options may not be available.

The RAR component of the Secure Endpoint Agent can respond to the following issues:

Issue Resolution
Repair

One or more of the following services aren't running:

  • Symantec Endpoint Protection service (ccSvcHst.exe and sms.dll)
  • Symantec Endpoint Protection Scan Service (ccSvcHst.exe)1
  • Symantec Endpoint Protection WSC Service (sepWscSvc.exe or sepWscSvc64.exe)2

The RAR component restarts the service.

One or more of the following services aren't installed and the service's executable can be detected on the device:

  • Symantec Endpoint Protection service (ccSvcHst.exe)
  • Symantec Endpoint Protection Scan Service (ccSvcHst.exe)1
  • Symantec Endpoint Protection WSC Service (sepWscSvc.exe or sepWscSvc64.exe)2
  • Symantec Network Access Control service (snac.exe or snac64.exe)

The RAR component reinstalls each missing service.
The sms.dll binary file is missing The RAR component downloads the applicable file from the configured location and reinstalls it.
Reinstall

Downgrades are not supported. If the version installed on a device is higher than the expected version, no action is taken.

One or more of the following services aren't installed and the service's executable cannot be detected on the device:

  • Symantec Endpoint Protection service (ccSvcHst.exe and sms.dll)
  • Symantec Endpoint Protection Scan Service (ccSvcHst.exe)1
  • Symantec Endpoint Protection WSC Service (sepWscSvc.exe or sepWscSvc64.exe)2
  • Symantec Network Access Control service (snac.exe or snac64.exe)

The RAR component downloads and installs the configured version of the application.
Symantec Endpoint Protection failed to be repaired, or the expected version isn't installed

1 Only checked if Symantec Endpoint Protection Scan Service is selected in the policy configuration

2 Only checked if Symantec Endpoint Protection WSC Service is selected in the policy configuration

Issue Resolution
Repair

One or more of the following services aren't running:

  • Symantec Endpoint Protection (ccSvcHst.exe and sms.dll)
  • Symantec Network Access Control (snac.exe)

The RAR component restarts the service.

One or more of the following services aren't installed and the service's executable can be detected on the device:

  • Symantec Endpoint Protection (ccSvcHst.exe)
  • Symantec Network Access Control (snac.exe)

The RAR component reinstalls each missing service.
The sms.dll binary file is missing The RAR component downloads the applicable file from the configured location and reinstalls it.
Reinstall

Downgrades are not supported. If the version installed on a device is higher than the expected version, no action is taken.

One or more of the following services aren't installed and the service's executable cannot be detected on the device:

  • Symantec Endpoint Protection (ccSvcHst.exe and sms.dll)
  • Symantec Network Access Control (snac.exe)

The RAR component downloads and installs the configured version of the application.
Symantec Endpoint Protection failed to be repaired, or the expected version isn't installed

You can add a 32-bit installer, a 64-bit installer, or both. The installers:

  • must be EXE files
  • can have any file name
When you generate an installation package from the Symantec Endpoint Protection Manager console, be sure to set the installation type to Silent in the client installation settings to suppress all end user prompts.

The RAR component looks for the following files names when checking pre-cached installers:

Component File name
Installers SymantecEPSetup.exe

Before you activate an Application Resilience policy you need to configure the policy. You need to configure the application version and indicate the additional endpoint scans required for your configuration in addition to the settings in Configuring Application Resilience policies.

To configure the application version and endpoints:

  1. Under Application version, select 14.2.* or higher from the drop-down.

  2. Under Symantec Endpoint Protection version, enter the version of Symantec Endpoint Protection you expect to be running on your devices.

    • The target version must be a sequence of digits separated by a period.
    • You can use wildcard "*" characters after the major version number, for example, 14.* or 14.2.*.

    Make sure the version you are entering is consistent with version 14.2.x or higher.

  3. Under Additional endpoints that need to be checked, select the options that apply to your configuration:

    • Symantec Endpoint Protection Scan Service: if selected, the RAR component checks if the Symantec Endpoint Protection Scan Service (ccSvcHst.exe) is running
    • Symantec Endpoint Protection WSC Service: if selected, the RAR component checks if the Symantec Endpoint Protection WSC Service (sepWscSvc.exe or sepWscSvc64.exe) is running

If you selected the Report and repair, or the Report, repair, and reinstall option, you also need to configure these settings in addition to the settings in Configuring Application Resilience policies.

These steps are in addition to configuring the installer for Symantec Endpoint Protection.

To configure the Symantec Endpoint Protection specific settings:

  1. [Optional] To only reinstall the application if it's missing, select the checkbox next to Do not reinstall or upgrade if the app is already installed. When this option is selected, the application is not reinstalled when either of the following conditions apply:

    • The application version is lower than the expected version.
    • The application can't be repaired.

  1. To enable the RAR component to download the sms.dll binary file to a device, you need to upload the file or provide the location information on the Symantec Endpoint server.

    Do one of the following:

    For Report, repair, and reinstall with Upload installer selected.

    1. Under sms.dll, select Upload.

    2. Do one of the following:

      • Click browse. Navigate to and select the sms.dll file.
      • Navigate to and select the sms.dll file and drag it to the work area.
    3. Wait for the file to upload.
    4. [Optional] Click Add description (optional) and enter a description, if desired.
    5. When you have finished uploading the file, click Save.

    For Report and repair, or Report, repair and reinstall with Host my own installer file selected.

    1. Under Location of the Symantec Endpoint Protection binaries, enter the path to the Symantec Endpoint server. Use the following format:

      Copy 
      https://example/com/myServer/
    2. Click Go to URI to test that you entered the location correctly.

    3. Under Username and password (if required):

      1. Enter the Username and Password of the user who is authorized to access the files on the Symantec Endpoint Protection Server.
      2. To verify that you've entered the password correctly, select the Show Password checkbox.

      You can skip this step if you are using File Shares.

Before you activate an Application Resilience policy, you need to configure the policy. You need to configure the application version in addition to the settings in Configuring Application Resilience policies.

To configure the application version:

  1. Under Application version, select 14.0.* - 14.1.* from the drop-down.

  2. Under Symantec Endpoint Protection version, enter the version of Symantec Endpoint Protection you expect to be running on your devices.

    • The target version must be a sequence of digits separated by a period.
    • You can use wildcard "*" characters after the minor version number, for example, 14.1.* or 14.0.3929.*.

    Make sure the version you are entering in consistent with the version 14.0.x to 14.1.x.

If you selected the Report and repair or the Report, repair, and reinstall option, you also need to configure these settings in addition to the settings in Configuring Application Resilience policies.

To configure the Symantec Endpoint Protection specific settings:

  1. To enable the RAR component to download the sms.dll binary file to a device, you need to provide the location on the Symantec Endpoint server. Under Location of the Symantec Endpoint Protection binaries, enter the path to the server. Use the following format:

    Copy 
    https://example/com/myServer/
  2. Click Go to URI to test that you entered the location correctly.

  3. Under Username and password (if required):

    1. Enter the Username and Password of the user who is authorized to access the files on the Symantec Endpoint Protection Server.
    2. To verify that you've entered the password correctly, select the Show Password checkbox.

    You can skip this step if you are using File Shares.