Symantec Endpoint Protection Services do not start after installing Arellia Access Management.

Article ID: 157979

Products

Endpoint Protection

Issue/Introduction

Symantec Endpoint Protection (SEP) services do not start after Arellia Access Management is installed. This issue does not occur with SEP 11.0.x. It has also been observed that the issue does not occur on 64-bit operating systems. Creating a Tamper Protection exception for 'ArelliaACSvc.exe' does not help. However, disabling the Arellia services (Arellia Application Control) or disabling Symantec Tamper Protection resolves the issue.

REF# http://portal.arellia.com/wiki/display/KB/Enable+Arellia+Application+Control+Solution+and+Symantec+Endpoint+Protection+%28SEP%29

  

The following Tamper Protection alerts appear in the Application event log with Event ID 45 and this description:

SYMANTEC TAMPER PROTECTION ALERT
Target:  C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\Smc.exe
Event Info:  Open Process
ActionTaken:  Blocked
Actor Process:  C:\PROGRAM FILES\ARELLIA\AGENTS\APPLICATIONCONTROL\ARELLIAACSVC.EXE (PID 5632)
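
For triage across many machines, alert text in the layout shown above can be parsed to show which actor process is being blocked against which SEP binary. This is an added example, not Symantec or Arellia code; it assumes the alert descriptions have been exported as plain text, and the second sample alert (`C:\Example\Tool.exe`, PID 1204) is constructed.

```python
import re
from collections import Counter

# Constructed sample in the layout shown above; the first alert keeps the wrapped
# Target line, and the second alert's actor path and PID are invented.
SAMPLE = r"""SYMANTEC TAMPER PROTECTION ALERT
Target:  C:\Program Files\Symantec\Symantec Endpoint
Protection\12.1.1000.157.105\Bin\Smc.exe
Event Info:  Open Process
ActionTaken:  Blocked
Actor Process:  C:\PROGRAM FILES\ARELLIA\AGENTS\APPLICATIONCONTROL\ARELLIAACSVC.EXE (PID 5632)

SYMANTEC TAMPER PROTECTION ALERT
Target:  C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\Smc.exe
Event Info:  Open Process
ActionTaken:  Blocked
Actor Process:  C:\Example\Tool.exe (PID 1204)
"""

FIELD = re.compile(r"^(Target|Event Info|ActionTaken|Actor Process):\s*(.*)$")
ACTOR = re.compile(r"^(.*?)\s*\(PID (\d+)\)$")

def parse_alerts(text):
    """Return one dict per alert; a wrapped line is joined to the field before it."""
    alerts, cur, last = [], None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "SYMANTEC TAMPER PROTECTION ALERT":
            cur, last = {}, None
            alerts.append(cur)
        elif cur is not None and line:
            m = FIELD.match(line)
            if m:
                last = m.group(1)
                cur[last] = m.group(2)
            elif last:
                cur[last] += " " + line  # continuation of a wrapped path
    for alert in alerts:
        m = ACTOR.match(alert.get("Actor Process", ""))
        if m:  # split "path (PID n)"; lower-case since Windows paths ignore case
            alert["Actor Process"], alert["PID"] = m.group(1).lower(), int(m.group(2))
    return alerts

def blocked_actors(alerts):
    """Count blocked actions per (actor path, target image name) pair."""
    done = [a for a in alerts if a.get("ActionTaken") == "Blocked"]
    return Counter((a.get("Actor Process"), a.get("Target", "").rsplit("\\", 1)[-1]) for a in done)

if __name__ == "__main__":
    print(blocked_actors(parse_alerts(SAMPLE)).most_common())
```

An actor that repeatedly appears with Event Info "Open Process" against Smc.exe is the product to check for a compatibility conflict of the kind described in this article.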
 

Cause

The Arellia solution changes the way processes are launched in Windows. Symantec Tamper Protection blocks this behavior because it is considered a security breach and is actively used by malware. Adding a Tamper Protection exclusion for Arellia does not help because Arellia modifies 'explorer.exe' and changes how Windows processes are launched.

Arellia's DLLs are hooked into the Symantec service and are not released. The Service Control Manager waits 30 seconds and then loads other services because there is no response from the Symantec Endpoint Protection service.

Resolution

To avoid compatibility issues with Arellia, an exclusion for ZwResumeThread has been added for the Arellia process. It is included in Symantec Tamper Protection driver version 7.8.0.10, which was released in June 2013.

Using this updated driver together with a Tamper Protection exclusion for 'arelliaacsvc.exe' allows Arellia and Symantec Endpoint Protection to work successfully on Windows 7 32-bit machines.


Applies To

Windows 7 32-bit with SEP 12.1 RU2 and Arellia Application Control Agent (7.1.1672.0), Arellia Local Security Agent (7.1.1437.0) and Arellia Security Analysis Agent (7.1.1106.0).