After an upgrade to Endpoint Protection 14, Windows 7 client systems that have Microsoft Sysmon 6.03 installed become unresponsive at the Windows login screen after the boot process.
If Sysmon or the Endpoint Protection client are removed, the issue no longer occurs.
There is no distinct error message. Windows becomes unresponsive on or before the login screen after boot, either before or after the login prompt appears.
This issue is caused by a deadlock between the Endpoint Protection AutoProtect driver and the Sysmon filter drivers.
Microsoft Sysmon 6.03, installed on Windows 7-based clients, with Symantec Endpoint Protection 14+ and the latest definitions.
Resolve the deadlock condition by excluding the Endpoint Protection folders from monitoring in the Sysmon configuration XML. The following paths are relative to your install path and system configuration:
For steps to add these exclusions, see https://technet.microsoft.com/en-us/sysinternals/sysmon or consult your Sysmon administrator.
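The following fragment is an added illustration of what folder exclusions look like in a Sysmon configuration; it is not taken from the vendor article or from Microsoft. The `SEP_FOLDER_PLACEHOLDER_n` values stand in for the Endpoint Protection folders, and the choice of event types and the schema version shown are assumptions to adjust to your own configuration.

```xml
<!-- Added example. Replace each SEP_FOLDER_PLACEHOLDER_n with a real
     Endpoint Protection folder path for your install. -->
<!-- Assumption: set schemaversion to the value "sysmon -s" reports. -->
<Sysmon schemaversion="3.30">
  <EventFiltering>
    <!-- onmatch="exclude" logs every event of this type EXCEPT matches,
         so add these rules to event types your configuration already
         uses rather than enabling new ones. -->

    <!-- File creation under the excluded folders. The trailing backslash
         keeps the prefix match from covering sibling folders whose names
         merely start with the same text. -->
    <FileCreate onmatch="exclude">
      <TargetFilename condition="begin with">SEP_FOLDER_PLACEHOLDER_1\</TargetFilename>
      <TargetFilename condition="begin with">SEP_FOLDER_PLACEHOLDER_2\</TargetFilename>
    </FileCreate>

    <!-- File creation-time changes under the same folders. -->
    <FileCreateTime onmatch="exclude">
      <TargetFilename condition="begin with">SEP_FOLDER_PLACEHOLDER_1\</TargetFilename>
      <TargetFilename condition="begin with">SEP_FOLDER_PLACEHOLDER_2\</TargetFilename>
    </FileCreateTime>

    <!-- Processes whose executable lives in the excluded folders. -->
    <ProcessCreate onmatch="exclude">
      <Image condition="begin with">SEP_FOLDER_PLACEHOLDER_1\</Image>
      <Image condition="begin with">SEP_FOLDER_PLACEHOLDER_2\</Image>
    </ProcessCreate>

    <!-- Repeat the same pattern for any other event types in your
         configuration that match on file or image paths. -->
  </EventFiltering>
</Sysmon>
```

Merge the rules into your existing configuration file before loading it with `sysmon -c <file>`, because that command replaces the running configuration. Excluded folders produce no Sysmon events for the covered types, so keep the list as narrow as the fix allows and make sure those folders are writable only by administrators and the Endpoint Protection services.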