End of log.
Jordan didn’t sleep that night. He wrote a PowerShell script to pre-check for that specific orphaned process and kill it before the upgrade. He tested it 22 times. It worked.
And that’s what they did. For 14 hours on a Saturday, Jordan, Dr. Reyes, two college interns, and a grizzled night-shift network admin named Carl went desk to desk. They logged into each affected machine, ran the script, verified the green “Communicating” status in the tray icon, and moved on.
“That’s it,” Carl said. “All 600.”
“Talk to me,” she said.
Jordan felt the first knot in his stomach. The vault’s humidity sensor was critical. If that XP machine died, the physical vault—holding bearer bonds and client wills—would go into a safety lockdown, and the FDIC auditors would have questions.
That was the gap. 47 minutes where JCrawford’s machine—a call agent who processed credit card disputes—had zero protection. No logs. No alerts. Just a silent, screaming void.
Jordan had been the Senior Security Engineer at Meridian Trust, a mid-sized financial firm, for seven years. He knew the network’s quirks like the back of his hand—the way the legacy AS/400 on the 3rd floor would hiccup if scanned too aggressively, or how the VP’s Surface Pro would bluescreen if a definition update ran during his 10 AM Zoom.
But he remembers those 47 minutes. The ghost that wasn’t a virus, wasn’t a hacker, wasn’t an APT. Just a gap. A silent, invisible gap between what the system promised and what it delivered.
Jordan remoted in. The service was stopped. That was fine. But the upgrade binary couldn’t replace the old DLLs because a phantom process—ccSvcHst.exe—refused to die. He used PsExec to kill it. The system hung. He hard-rebooted via iDRAC.
She didn’t blink. “Then we do it. I’ll pull three interns and the weekend NOC team. You write the script. We walk the floor.”
He spent three days writing a custom uninstall script for the old 14.2 driver, then a silent install wrapper for 14.3. It worked—once. But in production, with 2,300 endpoints? That knot tightened.
The Server 2016 took eight minutes but eventually reported “Version 14.3.5580.1000.” Green checkmark.
When the machine came back, SEP was gone. No agent. No firewall. No antivirus. Just a naked Windows 10 box sitting on the financial network, wide open.
The upgrade had changed the way SEPM authenticated to the database. The 14.2 service account had “db_owner” rights. 14.3 required “sysadmin” for the migration step, then dropped back. But the migration script timed out—30 seconds too short—and left the database in a half-migrated state.