Client systems with Microsoft Sysmon installed become unresponsive at the Windows Login screen upon boot


Article ID: 169791


Products

Endpoint Protection

Issue/Introduction

After an upgrade to Endpoint Protection 14, Windows 7 client systems that have Microsoft Sysmon 6.03 installed become unresponsive at the Windows login screen after the boot process.

If Sysmon or the Endpoint Protection client are removed, the issue no longer occurs.

There is no distinct error message. Windows becomes unresponsive at or before the login screen after boot; the hang can occur either before or after the login prompt appears.

Cause

This issue is caused by a deadlock between the Endpoint Protection AutoProtect driver and the Sysmon filter driver.

Environment

Microsoft Sysmon 6.03, installed on Windows 7 based clients, with Symantec Endpoint Protection 14+ and latest definitions.

Resolution

Resolve the deadlock by excluding the Endpoint Protection folders from monitoring in the Sysmon configuration XML. The following paths are relative to your install path and system configuration:

  • \Program Files\Symantec\Symantec Endpoint Protection Manager\
  • \Program Files\Symantec\Symantec Endpoint Protection\
  • \ProgramData\Symantec\Symantec Endpoint Protection Manager\
  • \ProgramData\Symantec\Symantec Endpoint Protection\
  • \Documents and Settings\All Users\Start Menu\Programs\Symantec Endpoint Protection Manager
  • \Documents and Settings\All Users\Start Menu\Programs\Symantec Endpoint Protection
  • \Program Files (x86)\Symantec\Symantec Endpoint Protection Manager

For steps to add these exclusions, see https://technet.microsoft.com/en-us/sysinternals/sysmon or consult the SysMon Administrator.
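The following Sysmon configuration fragment is an added example of what such exclusions look like; it is not taken from this article or from Symantec. The C: drive letter, the schemaversion, and the choice of the four event types that touch files in those folders (FileCreate, FileCreateTime, ImageLoad, ProcessCreate) are assumptions; substitute your actual install paths and the schema version reported by your Sysmon build.

```xml
<Sysmon schemaversion="3.30">  <!-- assumed; use the version your sysmon.exe reports -->
  <EventFiltering>
    <!-- Event 11 (FileCreate): files written under the SEP folders are not reported -->
    <FileCreate onmatch="exclude">
      <TargetFilename condition="begin with">C:\Program Files\Symantec\Symantec Endpoint Protection\</TargetFilename>
      <TargetFilename condition="begin with">C:\Program Files\Symantec\Symantec Endpoint Protection Manager\</TargetFilename>
      <TargetFilename condition="begin with">C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\</TargetFilename>
      <TargetFilename condition="begin with">C:\ProgramData\Symantec\Symantec Endpoint Protection\</TargetFilename>
      <TargetFilename condition="begin with">C:\ProgramData\Symantec\Symantec Endpoint Protection Manager\</TargetFilename>
      <TargetFilename condition="begin with">C:\Documents and Settings\All Users\Start Menu\Programs\Symantec Endpoint Protection</TargetFilename>
      <TargetFilename condition="begin with">C:\Documents and Settings\All Users\Start Menu\Programs\Symantec Endpoint Protection Manager</TargetFilename>
    </FileCreate>
    <!-- Event 2 (FileCreateTime): creation-time changes on files in the SEP folders -->
    <FileCreateTime onmatch="exclude">
      <TargetFilename condition="begin with">C:\Program Files\Symantec\Symantec Endpoint Protection\</TargetFilename>
      <TargetFilename condition="begin with">C:\Program Files\Symantec\Symantec Endpoint Protection Manager\</TargetFilename>
      <TargetFilename condition="begin with">C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\</TargetFilename>
      <TargetFilename condition="begin with">C:\ProgramData\Symantec\Symantec Endpoint Protection\</TargetFilename>
      <TargetFilename condition="begin with">C:\ProgramData\Symantec\Symantec Endpoint Protection Manager\</TargetFilename>
    </FileCreateTime>
    <!-- Event 7 (ImageLoad): DLLs loaded from the SEP install folders -->
    <ImageLoad onmatch="exclude">
      <ImageLoaded condition="begin with">C:\Program Files\Symantec\Symantec Endpoint Protection\</ImageLoaded>
      <ImageLoaded condition="begin with">C:\Program Files\Symantec\Symantec Endpoint Protection Manager\</ImageLoaded>
      <ImageLoaded condition="begin with">C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\</ImageLoaded>
    </ImageLoad>
    <!-- Event 1 (ProcessCreate): SEP executables started from the install folders -->
    <ProcessCreate onmatch="exclude">
      <Image condition="begin with">C:\Program Files\Symantec\Symantec Endpoint Protection\</Image>
      <Image condition="begin with">C:\Program Files\Symantec\Symantec Endpoint Protection Manager\</Image>
      <Image condition="begin with">C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\</Image>
    </ProcessCreate>
  </EventFiltering>
</Sysmon>
```

Each exclusion is a blind spot in Sysmon telemetry for that path, so limit the set to the folders actually present on the host and apply it with `sysmon -c <config.xml>`.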