PL 4.00.14 - Symantec Endpoint errors

MMcVeigh · November 15, 2010, 06:10:39 PM

I have actually been waiting for this to be fixed for a long time, but it is time I ask please. Way back in Sep - Dec, 2008 was a discussion about tamper alert warning from Symantec Endpoint. I was happy to see that topic and assumed a fix would eventually work for me. Alas, it was not to be. I have read the response to that article and tried adding entries to the PL ini file. Lacking documentation, I tried

OocHardCodedExclusionOverrides=SavUI.exe,SescLU.exe,ccSvcHst.exe,SmcGui.exe

These programs are also in my probalance exclusions and foreground boost is disabled. but I still get popups such as

SYMANTEC TAMPER PROTECTION ALERT

Target: C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
Event Info: Suspend Thread
ActionTaken: Blocked
Actor Process: C:\Apps\SystemAdmin\ProcessLasso\ProcessLasso.exe (PID 3084)
Time: Monday, November 15, 2010 3:06:39 PM

Is there a way to fix this?

Mark McVeigh

Jeremy Collake · November 15, 2010, 09:33:24 PM

I was actually investigating this the other day. It turns out Symantec has so many different products that I had a real hard time finding the one you are affected by. They have commercial products I can't demo easily.

You gave me the clue in the process names though. It is Symantec Endpoint Security (as the topic says I now see, lol). I will see what I can do.

You haven't set ccSvcHst.exe to be 'throttled' by any chance have you? I ask only because the 'Suspend' action it reports is not something normally done (e.g. not something ProBalance does).

Thanks, and we will try to finally get this taken care of for you.

MMcVeigh · November 16, 2010, 12:03:39 AM

I don;t have any throttles set.

I agree Symantec amd maybe others, there are so many possible executables. Could you just make an ini file keyword that we could use, rather than you trying to hard-code all of them? That would seem to take the pressure off of you.

Mark

Jeremy Collake · November 16, 2010, 05:23:36 PM

Quote from: MMcVeigh on November 16, 2010, 12:03:39 AM
I agree Symantec amd maybe others, there are so many possible executables. Could you just make an ini file keyword that we could use, rather than you trying to hard-code all of them? That would seem to take the pressure off of you.

The strange thing is it reporting the 'suspend' attempt. Maybe its report is in error and it is actually complaining about a priority class adjustment. In such a case, excluding the affected processes from ProBalance restraint should work. Otherwise, Process Lasso won't touch those processes unless instructed to. So, in this way, an INI setting already exist.

Something else is going on I believe, as Process Lasso shouldn't be touching anything EndPoint Security cares about. Check the LOG to see what it is touching, if anything.

I am trying to set up a proper test bed so I can see for myself. In the meantime, there may be settings you can change in Endpoint Security and/or ProBalance exclusions you can add. Since ccSvcHst.exe is already excluded by default, that shouldn't be the issue --- hence me thinking something else is happening.

Jeremy Collake · November 16, 2010, 05:26:45 PM

It occurred to me that maybe Symantec Endpoint Security is simply disallowing Process Lasso from running at all (or making any changes), and the 'suspend thread' is what it was doing to PL.. I dunno. We'll find out soon enough. Do you have control of your Symantec Endpoint config, or is that up to your network administrator? I will try to work around it, but I believe in theory that product could be configured to disallow all third-party software (probably not the case here).

MMcVeigh · November 17, 2010, 03:21:03 PM

Symantec is controlled by IT. I can not change configuration. I do know that PL and PL governor aren't terminated by Symantec. The Symantec logs hold no complaint about PL or PL governor. Other than the message popups they seem to play nicely together.

Jeremy Collake · November 17, 2010, 03:35:10 PM

Quote from: MMcVeigh on November 17, 2010, 03:21:03 PM
Symantec is controlled by IT. I can not change configuration. I do know that PL and PL governor aren't terminated by Symantec. The Symantec logs hold no complaint about PL or PL governor. Other than the message popups they seem to play nicely together.

Ok, it could be that the IT department has restricted what other processes can do to one another, or what rights they have. This would make sense, as Process Lasso (apparently) isn't acting on Symantec's processes. When does this occur? At startup, or upon some event (e.g. ProBalance restraint)? Randomly?

If you have your LOG file, that might be helpful too.

Thanks

MMcVeigh · November 18, 2010, 12:48:44 AM

I know that one of the popups occurs when Symantec gets the updated database. Every 4 hours a specific updater process runs, then I think Symantec shuts down and restarts so that it loads the new database. Other events occur within the Symantec system that don't seem related to work I am doing. In fact most of the time I am not starting any new processes, I am working within an X-Window server so there is very little load on the PC. I can be working along in this mode when suddenly a popup happens. I am a little concerned that Symantec is reporting back to IT that I have a rogue process running (PL).

Below is a partial copy of the system event log. I note that it contains complaints about ProcessLasso.exe, not ProcessGovernor.exe. Symantec logs do not contain any references to PL processes.

Mark

--- Excerpt from System Event Log ---

Event ID: 45

SYMANTEC TAMPER PROTECTION ALERT

Target: C:\Program Files\Common Files\Symantec Shared\ccApp.exe
Event Info: Suspend Thread
Action Taken: Blocked
Actor Process: C:\Apps\SystemAdmin\ProcessLasso\ProcessLasso.exe (PID 3888)
Time: Wednesday, November 17, 2010 12:33:15 PM

Event ID: 45

SYMANTEC TAMPER PROTECTION ALERT

Target: C:\Program Files\Common Files\Symantec Shared\ccApp.exe
Event Info: Resume Thread
Action Taken: Blocked
Actor Process: C:\Apps\SystemAdmin\ProcessLasso\ProcessLasso.exe (PID 3888)
Time: Wednesday, November 17, 2010 12:33:15 PM

Event ID: 45

SYMANTEC TAMPER PROTECTION ALERT

Target: C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
Event Info: Suspend Thread
Action Taken: Blocked
Actor Process: C:\Apps\SystemAdmin\ProcessLasso\ProcessLasso.exe (PID 3888)
Time: Wednesday, November 17, 2010 12:33:15 PM

Event ID: 45

SYMANTEC TAMPER PROTECTION ALERT

Target: C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
Event Info: Resume Thread
Action Taken: Blocked
Actor Process: C:\Apps\SystemAdmin\ProcessLasso\ProcessLasso.exe (PID 3888)
Time: Wednesday, November 17, 2010 12:33:15 PM

Event ID: 45

SYMANTEC TAMPER PROTECTION ALERT

Target: C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
Event Info: Suspend Thread
Action Taken: Blocked
Actor Process: C:\Apps\SystemAdmin\ProcessLasso\ProcessLasso.exe (PID 3888)
Time: Wednesday, November 17, 2010 12:33:15 PM

Jeremy Collake · November 18, 2010, 02:11:33 PM

Quote from: MMcVeigh on November 18, 2010, 12:48:44 AM
I note that it contains complaints about ProcessLasso.exe, not ProcessGovernor.exe. Symantec logs do not contain any references to PL processes.

Yes, that is particularly strange. Thank you for the extended information. Please give me some time to digest this new info, test, and hopefully find a resolution here. I assume your IT manager hasn't blocked PL or something. But if he blocked it, then it sure is doing a bad job of blocking it. And if it is worried about actions, as you indicated, ProcessGovernor.exe is what actually applies rules (unless there is a ghost in the machine, lol). And the governor isn't touching the processes of Symantec.. so... WTF...

The whole thing is very... well, strange. Hopefully I'll have an epiphany today, maybe once I actually examine the software in question here I can better see how this could occur.

Thanks much for your patience. I have been working hard for weeks, so am moving a little slow today.

Jeremy Collake · November 19, 2010, 07:59:42 AM

A few notes:

The INI key you listed un-excludes my hard-coded exclusions, so these core Symantec processes ARE allowed for ProBalance to be worked on. So, I think you accidentally got the wrong key name. Please ensure they get an X beside their names. This may be the key to part of it. BUT see below as well
What if the difference in Symantec Endpoint Security's behavior is due to Process Lasso's new default to always run elevated (UAC)? In Vista+, previous builds ran with normal rights. You might try a reinstall and uncheck the Elevation checkbox underneath the 'manage all users / manage only me' two radio boxes.
You might also try a difference between processes of all users (or not)

MMcVeigh · November 19, 2010, 03:02:45 PM

In answer to your questions:

As soon as I found that setting values into OocHardCodedExclusionOverrides= of the ini file didn't help, I clean it out. There are no entries for that keyword and the event log info I sent is with the keyword blank.
I performed an uninstall with Revo Uninstaller, including directory cleanout, Reinstall PL 4.00.17. I didn't see an option for the UAC adjustment. Is that because this is Win XP? Anyway, complete, clean reinstall with no user config option changes reults in.
--- still have Symantec messages ---
Configure: PL start only for me, PL core only for me, and "only manage the processes of the currently active user". According to PL, all processes are owned by me.
--- still have Symantec messages ---

NOTE: I have found through testing that I can cause the Symantec popups by - shut down PL (leave core running), start PL (system tray), open PL GUI by clicking in system tray - will always cause the popups after 2-3 seconds. They also occur at other times though. I'll leave PL core running without PL GUI or tray and see if I get any popups today. Not a solution, but that would at least be a clue. Just a wild guess, but is PL GUI waiting to get all process creation time and other information until the GUI is actually popped up? Could that system interrogation be prompting Symantec to alert?

Jeremy Collake · November 19, 2010, 03:11:24 PM

Thank you for thoroughly checking those possibilities, it saves me considerable time. Please hold and I'll see what I can come up with on this end. I can hopefully see the interoperability problem first person in my test bed.

Jeremy Collake · November 19, 2010, 06:06:39 PM

Ok, I've signed away my first born and answered questions about my business, finances, relationships, religion, etc... and now have a trial version of Symantec Endpoint Protection 11 to play with

.

MMcVeigh · November 19, 2010, 06:20:03 PM

Jeremy, I truly appreciate the time you spend in this forum and working on the code. Thank you.

Since my last post on this topic, I have worked most of the day with only processgovernor running, no processlasso and can report that the only time I see the Symantec popups is when PL GUI is displayed. Even when the GUI is minimized to taskbar I haven't gotten popups. Unfortunately, my normal working mode is with PL GUI realized. I hope that is one more clue to the puzzle.

Mark

Jeremy Collake · November 19, 2010, 06:54:57 PM

Strangely, in my Symantec Endpoint test bed, I see the opposite - processgovernor.exe keeps crashing and processlasso.exe keeps running. I will figure it out soon I hope. I appreciate the additional clue, and hope to have this figured out soon.

Jeremy Collake · November 19, 2010, 08:08:54 PM

The crash with the x64 build of ProcessGovernor.exe I saw was actually a build configuration issue, for which I issued an immediate Server Edition build refresh. It only affected the Server Edition, not the standard edition (which is why it slipped by QA somehow no doubt).

There seems to be no general interoperability issue I've found yet, and although your administrator's particular configuration could have an impact, it doesn't sound like the principle factor. I am therefore continuing investigation.