In Symantec Critical System Protection (SCSP) and Symantec Data Center Security Server (SDCS), an "Unable to Override the Policy" error occurs when attempting to override a policy. Then, up to several minutes later, a notification appears in the system tray stating that "Prevention has been disabled". Up to several minutes after that, a system tray message states "Prevention has been enabled", again without any user action.
Unable to override the policy.
A corresponding entry is also seen in the Agent's ..\Agent\scsplog\SISIPSService.log:
MSTA,6,2014-01-28 21:05:19.213 Z-0500,I,10,,e1b21c63f2e420bd11577036fce0aa7c,10161,,,,,checkRetrans,,S,,Policy Retranslation,,,,,Policy Retranslation Triggered. Reason : HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Intrusion Security\Agent\IPS\Override Controls\SelfProtectionOverride key deleted
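Because the retranslation happens without user action and briefly leaves prevention disabled, it is worth picking this event out of SISIPSService.log automatically. The following parser is an added example, not code from the article or from Symantec: it treats each log line as comma-separated fields, assumes the timestamp is the third field, the function name the thirteenth and the free-text message the last (field positions inferred from the single line quoted above), and flags lines whose message reports a triggered policy retranslation together with the stated reason. The sample log is constructed: its first line is the one quoted in the article, its second is an invented non-retranslation line in the same layout.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of SISIPSService.log content. Line 1 is the entry quoted
# in the article; line 2 is an invented entry with the same layout, included
# only to show that unrelated lines are filtered out.
SAMPLE_LOG = r"""
MSTA,6,2014-01-28 21:05:19.213 Z-0500,I,10,,e1b21c63f2e420bd11577036fce0aa7c,10161,,,,,checkRetrans,,S,,Policy Retranslation,,,,,Policy Retranslation Triggered. Reason : HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Intrusion Security\Agent\IPS\Override Controls\SelfProtectionOverride key deleted
MSTA,6,2014-01-28 21:04:02.000 Z-0500,I,10,,e1b21c63f2e420bd11577036fce0aa7c,10161,,,,,heartbeat,,S,,Agent Status,,,,,Agent heartbeat sent
""".strip()

# Marker text taken from the quoted log entry.
RETRANS_MARKER = "Policy Retranslation Triggered"

# Assumed field layout (0-based), inferred from the one quoted line:
TIMESTAMP_FIELD = 2
FUNCTION_FIELD = 12
MIN_FIELDS = 22  # the quoted line has 22 comma-separated fields


@dataclass
class RetransEvent:
    timestamp: str
    function: str
    reason: str


def parse_line(line: str) -> Optional[RetransEvent]:
    """Return a RetransEvent if the line reports a triggered retranslation, else None."""
    fields = line.rstrip("\r\n").split(",")
    if len(fields) < MIN_FIELDS:
        return None  # not a full log record under the assumed layout
    message = fields[-1]
    if RETRANS_MARKER not in message:
        return None
    # The reason follows "Reason :" in the message; keep it verbatim.
    match = re.search(r"Reason\s*:\s*(.*)$", message)
    reason = match.group(1).strip() if match else ""
    return RetransEvent(
        timestamp=fields[TIMESTAMP_FIELD],
        function=fields[FUNCTION_FIELD],
        reason=reason,
    )


def find_retranslations(log_text: str) -> List[RetransEvent]:
    """Scan a whole log and collect every triggered-retranslation event."""
    events = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is not None:
            events.append(event)
    return events


def override_key_deleted(events: List[RetransEvent]) -> bool:
    """True if any retranslation was triggered by deletion of the SelfProtectionOverride key,
    the reason seen when a policy override times out."""
    return any("SelfProtectionOverride key deleted" in e.reason for e in events)


if __name__ == "__main__":
    found = find_retranslations(SAMPLE_LOG)
    for event in found:
        print(f"{event.timestamp}  {event.function}  reason={event.reason}")
    print("override-timeout signature present:", override_key_deleted(found))
```

Run against a real SISIPSService.log, a retranslation whose reason is the deleted SelfProtectionOverride key, appearing shortly after an "Unable to Override the Policy" error, is the signature of the timeout described in this article; each such event also marks a window during which prevention was disabled on the host.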
This issue occurs when the translation process times out because of the large policy "minus file" generated during policy translation.
The large minus file is caused by too many variables that refer to lists of items in the Global section of the policy. Because every rule in the Global section is written to every process set in the minus file, a variable in the Global section that refers to a list of items increases the size of the minus file by a factor equal to the number of items in that list. Using several such variables in the Global section, each referring to its own list, multiplies the effect further.
The processing needed to create this minus file makes the translation performed during a policy override take too long, and the translation times out.
A timeout during the translation process causes the symptoms described above.
Remove "custom lists" from the Global section of the policy and instead add the custom variable lists only to the individual process sets that need them.
NOTE:
This can occur more often on underpowered machines (slow CPU and limited memory).
On more robust machines, this error may not occur at all.