Symantec Interoperability

Started by Jeremy Collake, March 23, 2012, 05:04:17 AM


Jeremy Collake

Norton freezing your PC may be totally unrelated to Process Lasso, in fact. In this case, the primary report (to me) was that the responsiveness meter didn't accurately reflect system conditions, not that Process Lasso caused the frozen Windows. If I'm wrong, then please correct me. I'm retesting myself right now with Norton 360, just to be sure. If there's any problem related to Process Lasso I'll hopefully see it as I get it updated.

Since Process Lasso does not inject hooks throughout the PC, or even interject itself into other processes (as many applications do), it is unlikely to cause any sort of system-wide troubles itself. Any actions it does take are logged, so easily traced.
Software Engineer. Bitsum LLC.

Jeremy Collake

Also note the CPU Eater (while NOT started, just with window open) is a good Responsiveness Meter itself, if you ever need it for that purpose.
Software Engineer. Bitsum LLC.

airborne

I have a problem with Windows freezing and slow boot time. In the log of Norton 2012 there were lots of reports about Process Lasso accessing thread data, one log for every second during boot. The problem disappeared after disabling Process Lasso. Hope this can be useful information.

Jeremy Collake

Quote from: airborne on March 23, 2012, 01:57:07 PM
I have a problem with Windows freezing and slow boot time. In the log of Norton 2012 there were lots of reports about Process Lasso accessing thread data, one log for every second during boot. The problem disappeared after disabling Process Lasso. Hope this can be useful information.

You mean this problem CAME BACK? Even with the latest Process Lasso? I thought this was long ago resolved by avoiding their processes! I do have new information on how to avoid this, and am doing so in v6, while still showing their processes.

What Norton process name do you see as the 'tampered' process? If you tell me that I can fix this RIGHT NOW.
Software Engineer. Bitsum LLC.

Jeremy Collake

As a side note, to their credit, Symantec actively monitors Process Lasso for any interoperability issues, and I monitor Symantec.. that's why I was surprised by this! For instance, they are already in the early beta test group for v6.

Details are all I need to fix this. What Norton software (exactly, as they have several editions), what Norton version, and what Norton process is being 'hit' with these events.
Software Engineer. Bitsum LLC.

airborne

Can't help you with that this time; I uninstalled Process Lasso. I hope I can reinstall the program in the future, but the problem with NIS 2012 made me uninstall the program this time.

Jeremy Collake

Sorry to hear that. In my testing I still haven't seen any recent NIS problems, though maybe my NIS versions are different than yours or something. The only v6 change was to simply allow listing of their processes again.

..content deleted..repeated below

Testing with Norton 360 and Symantec Endpoint Protection currently shows no problems. You may discover NIS and/or your PC has its own issues without Process Lasso, we'll see ;).
Software Engineer. Bitsum LLC.

ilikefree

As I stated earlier, my problem has now gone, but I don't use any Norton products.
I use Windows Security Essentials as my full-time antivirus, with MalwareBytes Anti-Malware and SUPERAntiSpyware as scanners I launch every couple of days.

Victek

Quote from: airborne on April 09, 2012, 06:04:58 AM
Can't help you with that this time; I uninstalled Process Lasso. I hope I can reinstall the program in the future, but the problem with NIS 2012 made me uninstall the program this time.

Could this be related to the Performance Monitoring feature in NIS 2012? I ran NIS 2011/2012 alongside Process Lasso without problems, but I always disabled Performance Monitoring since I didn't find it useful.

Jeremy Collake

So far as I can tell, I have not seen additional interoperability issues with Symantec software, though it *may* occasionally warn you about automatic updates, which I suppose is its job. I believe any remaining problems with overall system performance are simply the overhead of NIS itself. Installation of Process Lasso won't fix, nor hurt, performance - I believe. This is my current analysis, subject to change of course, but that's what my own testing has shown.

Version 6 testing has not been completed. In these builds I re-list Symantec processes using the guidelines they gave me. Previously, this was not possible because simply 'looking at' their processes triggered waves of endless 'tamper detection events' in their log. They worked on their end to lessen this problem, and I worked on my end to work around it. The proper fix could not be rolled out until version 6, as if there's anything I've been reminded of lately, it's that hasty changes - no matter how small - can have big consequences. Version 5 literally treats critical NIS processes as if they don't exist, so unless one was missed somewhere in one of their products, it should be fine. That's why I asked for a process name here (something not given, from which I assume there is no issue in the log).

Do keep in mind that NIS 'scans' everything that's opened, as does other security software. You can improve the load speed of Process Lasso's main window by turning Process Icons off.
Software Engineer. Bitsum LLC.

airborne

hello!

Checked the NIS 2012 security history, and the process affected is the Norton Internet Security 2012 process symerr.exe.
One new log for every second during the boot.

Kind Regards

Even though I have uninstalled the program, the information was stored in the security log.

Jeremy Collake

Thanks Airborne. I do apologize for the troubles, and don't want you to think I'm not taking it seriously.

First, I will take a look at it, and add that process to the list of excluded ones. They constantly have new process names, and have a variety of processes for different purposes. To me, it is especially annoying since the problems get attributed to me, but it's not my software that is writing out thousands of duplicate log entries because something 'looked at' one of their processes - and that's all I do, open with read only access. I mean, one log entry per minute would suffice ;p. The tamper detection they employ is just very sensitive.

Other security products don't suffer this problem. Many simply prevent tampering without logging every 'tamper attempt'. Makes sense, I know. Or, like I said, at least limit duplicate log events to 1 per minute. That's all it would take. Why they don't do this, ask them. They call it 'log throttling', something they supposedly improved in their 2011 development cycle (NIS2012).

Final resolution I spoke of above:

Again, evaluation of this recurring problem revealed that, indeed, simply opening their processes with query-only access via the Microsoft recommended way to open processes does trigger their tamper detection. The workaround I am not going to publicly disclose, but it involves doing things the way not recommended, lol. What I *worry* about is if I implement this mechanism, am I going to trigger problems with some other security software, lol. This was the resolution I spoke of with Symantec, so this has all been confirmed - not speculative.

Bitsum to Symantec: I'm opening your processes to check their stats in the Microsoft recommended way, read-only access.. yet, your tamper detection is going off.
Symantec to Bitsum: Don't use the recommended way, use this alternate mechanism.

Once I've confirmed the alternate mechanism doesn't cause troubles with other security products, and generally is fine, I'll be switching to it in v6.

Bottom line is that these completely unnecessary log entries by Symantec are what slows the system down.

Mitigation Strategies

Depending on the Symantec product you use, you can add ProcessLasso.exe and ProcessGovernor.exe to the 'trusted processes' list and/or turn off Tamper Detection.

This issue may also only be present when the GUI is running and/or only when its main window is visible.

Note that NEWER Symantec software may do better with 'log throttling', e.g. Norton 360.
Software Engineer. Bitsum LLC.
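The 'log throttling' idea from the post above (at most one entry per minute for a duplicate event), sketched as an added example; this is not Symantec's or Bitsum's code. The event fields, the message wording and `example.exe` are assumptions made for illustration, and the input is constructed.

```python
WINDOW_SECONDS = 60  # "1 per minute", the limit suggested in the post


def throttle(events, window=WINDOW_SECONDS):
    """Collapse duplicate tamper events: one line per key per window, plus a
    'repeated N more times' summary so the suppressed count is not lost."""
    state = {}   # key -> [window_start_ts, suppressed_count]
    lines = []

    def summary(key, start, count):
        actor, target, access = key
        return f"{start:>4}s {actor} -> {target} [{access}] repeated {count} more times"

    for ts, actor, target, access in sorted(events):
        key = (actor, target, access)
        seen = state.get(key)
        if seen and ts - seen[0] < window:
            seen[1] += 1          # duplicate inside the window: count it only
            continue
        if seen and seen[1]:
            lines.append(summary(key, *seen))   # close out the previous window
        state[key] = [ts, 0]
        lines.append(f"{ts:>4}s {actor} -> {target} [{access}] unauthorized access")
    # Flush counts still pending when the input ends.
    lines += [summary(k, *s) for k, s in state.items() if s[1]]
    return lines


def sample_events():
    """Constructed input: one identical event per second for three minutes of
    boot, plus a single event of a different kind that must not be hidden."""
    flood = [(t, "ProcessLasso.exe", "symerr.exe", "query") for t in range(180)]
    other = [(30, "example.exe", "symerr.exe", "write")]  # hypothetical actor
    return flood + other


if __name__ == "__main__":
    for line in throttle(sample_events()):
        print(line)
```

The 181 constructed events come out as 7 log lines, and the single `write` event from a different actor is still recorded because throttling is keyed on actor, target and access type rather than on the target alone.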

Jeremy Collake

Today I am issuing a minor update to update languages and fix this little issue, something again NOT seen in Norton 360 as far as I can tell. This week I am issuing the first of the alphas that implements the proposed superior solution.
Software Engineer. Bitsum LLC.

Jeremy Collake

I also split the thread into two since the original poster had an issue where he was wondering why the responsiveness meter said 100% even when some windows were unresponsive.
Software Engineer. Bitsum LLC.