Sysmon 10.x conflicts with Symantec Endpoint Protection and makes the system hang

  • Question

  • Sysmon 10.2, 10.4 and 10.41 all conflict with Symantec Endpoint Protection 14 and make the Win7 system hang after reboot; it takes an extra 30 mins to show the login page, but there is no problem on Win10. I have excluded the Symantec install path from Process Access and signature verification but still no luck. Not sure if anybody here can have solutions.

    Wolfteeth

    Thursday, September 19, 2019 7:47 AM

All replies

  • Generally it's really difficult to say that there is a conflict with another product.

    SEP is known to be really invasive, but generally doesn't create problems with other device drivers.

    The real way to go is to take a full memory dump via CTRL+SCROLL LOCK+SCROLL LOCK or via NotMyFault, and examine the dump while the machine is hung.

    But the fact that you say that after half an hour it will show the login page probably means it is not hung but in a tight loop, probably because of an unexpected root find in the code, or because of some lock that gets released later.

    If you completely uninstall SEP and at that point the whole system works well as before, then you can point the problem to SEP. In that case send a report to Symantec.

    Share a full memory dump of your system please, if you can or want to investigate.
    https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/forcing-a-system-crash-from-the-keyboard

    Thanks
    -mario

    Thursday, September 19, 2019 9:25 AM
  • Hi Wolfteeth,

    Sysmon, like most AV products, uses a file system filter driver. These intercept requests to and from the filesystem, and it is quite common to have interoperability issues (a common pattern is that the AV vendor might intercept a request to open a file before the file is opened, to scan it, and when they open the file another vendor's driver will intercept their open). We have seen one example before with SEP and our ImageLoad monitor. This only occurred on Windows 7 because Windows 7 holds a lock during the Image Load (see the remarks section at https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/ntddk/nc-ntddk-pload_image_notify_routine).

    Mostly we can manage this type of issue with excludes in one product or the other. In that example, which sounds like what you are seeing as it resulted in a kernel mode deadlock, we resolved it using the following Sysmon exclude:

    <ImageLoad onmatch="exclude">
        <Image condition="image">ccSvcHst.exe</Image>
    </ImageLoad>

    Could you try this, and if it fails to resolve the issue, ping me offline at syssite@microsoft.com and I will arrange to collect a memory dump from you.

    MarkC(MSFT)

    Thursday, September 19, 2019 10:24 AM
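As an added example (not code from the thread or from the Sysmon team), here is a PowerShell script that wraps the exclude above in a minimal, loadable Sysmon configuration, applies it to the running service, and then checks the Sysmon operational log to confirm that no Event ID 7 (image load) records are still attributed to ccSvcHst.exe. It assumes Sysmon64.exe is already installed and on the PATH, and that schemaversion 4.22 matches the installed Sysmon 10.x build (verify with "sysmon64 -s").

```powershell
# Added example, not from the original thread. Assumptions: sysmon64.exe is
# installed and on PATH; schemaversion 4.22 matches the running Sysmon 10.x
# build (check with: sysmon64 -s). Run from an elevated PowerShell prompt.

$configPath = Join-Path $env:TEMP 'sysmon-sep-exclude.xml'

@'
<Sysmon schemaversion="4.22">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <!-- Exclude only the SEP service host from image-load monitoring.
           Note: an ImageLoad rule that contains only excludes switches on
           Event ID 7 for every other process (ImageLoad is off by default),
           so expect log volume to rise if you had no ImageLoad rule before. -->
      <ImageLoad onmatch="exclude">
        <Image condition="image">ccSvcHst.exe</Image>
      </ImageLoad>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@ | Set-Content -Path $configPath -Encoding ASCII

# Load the configuration into the running Sysmon service.
& sysmon64.exe -accepteula -c $configPath
if ($LASTEXITCODE -ne 0) { throw "sysmon64 -c failed with exit code $LASTEXITCODE" }

# Verification: after the reload, no image-load events should name ccSvcHst.exe
# as the loading process. Inspect the last 10 minutes of the Sysmon log and read
# the Image field from the event XML rather than relying on property indexes.
$since = (Get-Date).AddMinutes(-10)
$hits = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 7
    StartTime = $since
} -ErrorAction SilentlyContinue | Where-Object {
    $x = [xml]$_.ToXml()
    $image = ($x.Event.EventData.Data | Where-Object { $_.Name -eq 'Image' }).'#text'
    $image -like '*\ccSvcHst.exe'
}

if ($hits) {
    Write-Warning ("{0} image-load event(s) still attributed to ccSvcHst.exe; " +
                   "confirm the config loaded with 'sysmon64 -c'." -f @($hits).Count)
} else {
    Write-Output 'No Event ID 7 entries from ccSvcHst.exe since the config reload.'
}
```

Events logged before the reload are not retroactively removed, so run the check a few minutes after applying the configuration.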