After a Symantec Endpoint Protection (SEP) IPS definitions update in a Citrix environment, Internet Explorer (IE) experiences a hang or immediate crash on startup. If IE crashes, the Windows Application log shows an Application Error event ID 1000 for process iexplore.exe, with faulting module IPSEng32.dll (our IPS Script Engine DLL) and exception code 0xc000005.

11/19/2015 4:04:46 PM    Application    Error    Application Error           1000    "Faulting application name: iexplore.exe, version: 9.0.8112.16708, time stamp: 0x55f27f71
Faulting module name: IPSEng32.dll, version: 15.0.2.19, time stamp: 0x561c6614
Exception code: 0xc0000005
Fault offset: 0x0010681f
Faulting process id: 0xa860
Faulting application start time: 0x01d1230deb760fc6
Faulting application path: c:\program files (x86)\internet explorer\iexplore.exe
Faulting module path: C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Data\Definitions\IPSDefs\20151117.013\IPSEng32.dll
Report Id: 29275d93-8f01-11e5-adcc-d89d675bd3a8"

The issue has a firm Citrix-based root cause:

• Nearly every dynamically linked library (DLL), including IPSEng32.dll, includes a relocation section (.reloc) table. If a DLL cannot be loaded at its specified preferred base address (e.g. because something else is already present at the same address), that table allows Windows to rebase the DLL and have it load at a different address. This is done before any of the DLL's code is run.
• An exception code 0xc00000005 (Access Violation) in this context has never been seen by us on a physical system. When using Citrix software-streaming and/or software virtualization, however, memory virtualization or optimization errors may cause Windows to rebase the DLL to an invalid address, leading to a crash of the application into which IPSEng32.dll is injected.
• As the related memory virtualization is done entirely by Windows/Citrix, any change in our IPS definitions could trigger this Citrix issue, making it completely outside of our control. This is a known issue with pre-PVS 7.1 installations in particular and only the Citrix-centric solutions presented in the Solution section provide a permanent solution.

Citrix Provisioning Services (PVS) 6.0 - 7.0

Citrix XenApp

To provide temporary relief, roll back the IPS definitions to the last known good revision:

1. In the Symantec Endpoint Protection Manager, click Policies.
2. Select View Policies.
3. Click LiveUpdate.
4. Double-click your current LiveUpdate Content Policy Under the LiveUpdate Content tab. The LiveUpdate Content Policy Overview dialog box appears.
5. From the LiveUpdate Content section, click Security Definitions.
6. Enable the Select a revision option located in the Intrusion Prevention signatures section,
7. Click the Edit button. The Select Revision - Intrusion Prevention signatures dialog box appears.
8. Expand the drop-down list and select the last known good revision definition set.
9. Click OK.
10. Click OK to close the Security Definitions dialog box and return to the Policies tab.

A more permanent solution might be found in:

• Disabling the Citrix Intermediate Buffering for Local Hard Drive Cache feature. See also Random Application Fails When Using Standard Image Mode with the "Write Cache on Target Hard Disk" Option.
• Using the new caching mode available in Citrix Provisioning Services (PVS) 7.1 or higher.

It is recommended that customers contact Citrix Support for guidance with these options. After the implementation of the Citrix-centric solution, it is recommended to undo the IPS definitions rollback, both to verify the solution and to fully restore your security footprint.