Symantec Critical System Protection/Data Center Security Policy Override Failure

Article ID: 158940

Products

Critical System Protection

Issue/Introduction

In Symantec Critical System Protection (SCSP) and Symantec Data Center Security Server (SDCS), an "Unable to Override the Policy" error appears when a user attempts to override a policy. Up to several minutes later, a system tray notification states that "Prevention has been disabled". Up to several minutes after that, a further system tray message states that "Prevention has been enabled", without any user action.

The error dialog reads: Unable to override the policy.

A corresponding entry is also written to the Agent's ..\Agent\scsplog\SISIPSService.log:

MSTA,6,2014-01-28 21:05:19.213 Z-0500,I,10,,e1b21c63f2e420bd11577036fce0aa7c,10161,,,,,checkRetrans,,S,,Policy Retranslation,,,,,Policy Retranslation Triggered. Reason : HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Intrusion Security\Agent\IPS\Override Controls\SelfProtectionOverride key deleted
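
The log entry above is the one reliable fingerprint of this failure, so it is worth being able to pull it out of a large SISIPSService.log automatically rather than scrolling for it. The following Python is an added example written for this article, not Symantec code: it treats each line as comma-separated, takes the timestamp from the third field (a layout inferred from the single sample line above, so the field positions are an assumption), and reports every "Policy Retranslation Triggered" entry whose reason is the SelfProtectionOverride key being deleted. The sample log is constructed: the middle line is the entry quoted in the article, the two "heartbeat" lines are made-up filler in the same shape and are not real agent output.

```python
import re

# Constructed sample of SISIPSService.log content. Line 2 is the entry quoted in the article;
# lines 1 and 3 are invented filler in the same comma-separated shape (not real agent output).
SAMPLE_LOG = r"""MSTA,6,2014-01-28 21:04:50.001 Z-0500,I,10,,e1b21c63f2e420bd11577036fce0aa7c,10161,,,,,heartbeat,,S,,Agent Status,,,,,Agent heartbeat sent (constructed line)
MSTA,6,2014-01-28 21:05:19.213 Z-0500,I,10,,e1b21c63f2e420bd11577036fce0aa7c,10161,,,,,checkRetrans,,S,,Policy Retranslation,,,,,Policy Retranslation Triggered. Reason : HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Intrusion Security\Agent\IPS\Override Controls\SelfProtectionOverride key deleted
MSTA,6,2014-01-28 21:07:02.550 Z-0500,I,10,,e1b21c63f2e420bd11577036fce0aa7c,10161,,,,,heartbeat,,S,,Agent Status,,,,,Agent heartbeat sent (constructed line)
"""

# Assumed layout (from the one sample line): source tag, a number, then "<timestamp> Z<offset>".
LINE_RE = re.compile(
    r"^(?P<src>[A-Z]+),(?P<num>\d+),"
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) Z(?P<tz>[+-]\d{4}),"
)
# The free-text message is the last field; capture everything after "Reason : ".
RETRANS_RE = re.compile(r"Policy Retranslation Triggered\. Reason : (?P<reason>.+?)\s*$")
# Registry key named in the article's log entry.
OVERRIDE_KEY = r"\Override Controls\SelfProtectionOverride"


def parse_retranslations(log_text):
    """Return (timestamp, tz_offset, reason) for every 'Policy Retranslation Triggered' entry."""
    events = []
    for line in log_text.splitlines():
        head = LINE_RE.match(line)
        body = RETRANS_RE.search(line)
        if head and body:
            events.append((head.group("ts"), head.group("tz"), body.group("reason")))
    return events


def find_override_failures(log_text):
    """Keep only retranslations triggered by deletion of the SelfProtectionOverride key,
    i.e. the signature this article associates with a failed policy override."""
    return [
        ev for ev in parse_retranslations(log_text)
        if OVERRIDE_KEY in ev[2] and ev[2].endswith("key deleted")
    ]


if __name__ == "__main__":
    for ts, tz, reason in find_override_failures(SAMPLE_LOG):
        print(f"{ts} (UTC{tz}) override-triggered retranslation: {reason}")
```

Point `find_override_failures` at the real file's contents (read with `errors="replace"`, since agent logs are not guaranteed to be clean UTF-8) and correlate the timestamps it returns with the user's override attempt and the later "Prevention has been disabled"/"enabled" tray messages; a retranslation entry within the same few-minute window is the pattern this article describes.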

Cause

This issue occurs when the policy translation process times out because of the size of the policy "minus file" it generates.

The large minus file is caused by too many variables in the Global section of the policy that refer to lists of items. Because every rule in Global is written to every process set in the minus file, a Global variable that refers to a list of items multiplies the size of the minus file by the number of items in that list. Using several such list variables in the Global section only exacerbates the situation.

The amount of processing needed to create the minus file causes the translation process during a policy override to take too long, leading to a timeout.

A timeout during the translation process causes the following symptoms:

  1. The override will fail
  2. The override will then appear to work up to several minutes later
  3. Then the override will automatically end, sending the policy back into Enforce mode.

Resolution

Remove "custom lists" (variables that refer to lists of items) from the Global section of the policy and instead add those list variables only to the individual process sets that need them.
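
To see why moving list variables out of Global has such a large effect on the minus file, and to estimate the gain before editing a production policy, the following Python models the expansion the Cause and Resolution sections describe. It is an added example for this article, not Symantec's translator: the policy structure (`Rule`, `Policy`, a `lists` map of variable names to items, a `$NAME` reference syntax) and the sample policy it builds are assumptions chosen for illustration, and the only behaviour taken from the article is that every Global rule is copied into every process set and a list variable expands to one rule per item. The sample compares the same two list variables placed in Global against the same variables placed in only the two process sets that need them.

```python
from dataclasses import dataclass


# Assumed, simplified policy model for this example (not SCSP's real policy format).
@dataclass(frozen=True)
class Rule:
    action: str
    target: str  # a literal path, or "$NAME" referring to a list variable


@dataclass
class Policy:
    lists: dict          # variable name -> list of items
    global_rules: list   # rules in the Global section
    process_sets: dict   # process set name -> rules local to that set


def expand_rule(rule, lists):
    """A rule that references a list variable becomes one concrete rule per item
    (the 'factor of how many items are in the list' from the Cause section)."""
    if rule.target.startswith("$"):
        return [Rule(rule.action, item) for item in lists[rule.target[1:]]]
    return [rule]


def translate_minus(policy):
    """Model of the minus file: Global rules are written into every process set,
    then local rules are appended, and all list references are expanded."""
    minus = {}
    for ps_name, local_rules in policy.process_sets.items():
        concrete = []
        for rule in policy.global_rules + local_rules:
            concrete.extend(expand_rule(rule, policy.lists))
        minus[ps_name] = concrete
    return minus


def minus_size(minus):
    """Total number of concrete rules the translator has to write."""
    return sum(len(rules) for rules in minus.values())


def build_sample_policies(n_sets=12, n_tools=500, n_shares=200):
    """Constructed sample: the same policy with list variables in Global (before)
    and with those variables moved to the two process sets that need them (after)."""
    lists = {
        "BLOCKED_TOOLS": [f"C:\\tools\\tool{i}.exe" for i in range(n_tools)],
        "ADMIN_SHARES": [f"\\\\srv\\share{i}" for i in range(n_shares)],
    }
    hosts_rule = Rule("deny_write", r"C:\Windows\System32\drivers\etc\hosts")
    list_rules = [Rule("deny_exec", "$BLOCKED_TOOLS"), Rule("deny_write", "$ADMIN_SHARES")]

    def local_rules():
        # One literal rule per process set, so each set has some content of its own.
        return {f"ps_{i}": [Rule("allow_exec", f"C:\\app{i}\\bin\\app.exe")] for i in range(n_sets)}

    in_global = Policy(lists, [hosts_rule] + list_rules, local_rules())
    per_set = Policy(lists, [hosts_rule], local_rules())
    for ps in ("ps_0", "ps_1"):  # only these two sets actually need the lists
        per_set.process_sets[ps].extend(list_rules)
    return in_global, per_set


if __name__ == "__main__":
    before, after = build_sample_policies()
    b, a = minus_size(translate_minus(before)), minus_size(translate_minus(after))
    print(f"lists in Global: {b} concrete rules; lists in two process sets: {a} (x{b / a:.1f} smaller)")
```

With 12 process sets and two lists of 500 and 200 items, the Global placement yields 8424 concrete rules while the per-process-set placement yields 1424, because the 700 expanded rules are written twice instead of twelve times. The ratio grows linearly with the number of process sets, which is why a policy that translates fine on a well-specified server can still time out on the underpowered machines the Applies To section mentions.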

Applies To

This occurs more often on underpowered machines (slow CPU and limited memory), which take longer to translate the same policy. On more robust machines the same policy may translate within the timeout and the error may not occur at all.