Computers hang at Welcome screen on login

Article ID: 169928

Products

Endpoint Protection

Issue/Introduction

Computers with Symantec Endpoint Protection (SEP) 14.0 or higher hang at the Welcome screen on login after updating to the August 2, 2017 Symantec Data Scanner (SDS) 1.4.1 engine.

Cause

Process csrss.exe (Microsoft's Client Server Runtime Subsystem) experiences an endless wait during login, due to an unhandled SDS exception when Microsoft's Data Execution Prevention (DEP) is disabled. 

In some circumstances the issue occurred even where DEP was enabled in the operating system, as explained below:

DEP works in conjunction with AMD's No Execute (NX) or Intel's Execute Disabled (XD) CPU feature to mark memory as non-executable unless the location explicitly contains executable code. Together, they prevent related attacks by malicious code. If DEP is enabled in Windows, but the CPU feature is disabled via the BIOS on a physical system, or via CPU masking on a virtualization platform, the missing dependency will prevent DEP from working and the same issue will continue to occur.

Resolution

This issue is addressed in Virus and Spyware definitions dated August 3rd, 2017 rev. 6 or later (Sequence: 20170803.006). This update does not resolve the issue for systems that have already been impacted. For those systems, use one of the following remediations:

Re-enable DEP

  1. Restart the affected computer in Safe Mode (no networking).
  2. Open a command prompt, and enter the following command: bcdedit /set {default} nx OptIn
  3. Restart the computer in Normal Mode.

Note: DEP works in conjunction with AMD's No Execute (NX) or Intel's Execute Disabled (XD) CPU feature to mark memory as non-executable unless the location explicitly contains executable code. Together, they prevent related attacks by malicious code. If DEP is enabled in Windows, but the CPU feature is disabled via the BIOS on a physical system, or via CPU masking on a virtualization platform, the missing dependency will prevent DEP from working and the same issue will continue to occur.
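
To confirm that DEP is both enabled in Windows and backed by the CPU feature, the following added example (not part of the original article or of any Symantec tooling) reads the DEP properties that Windows exposes on the Win32_OperatingSystem class. It assumes PowerShell 3.0 or later; the function name Get-DepState is hypothetical.

```powershell
# Added example: report the DEP policy and whether Windows sees the
# NX/XD CPU feature. Run on a system that boots normally.
function Get-DepState {
    # Policy codes as documented for DataExecutionPrevention_SupportPolicy
    $policyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }

    $os       = Get-CimInstance -ClassName Win32_OperatingSystem
    $policy   = [int]$os.DataExecutionPrevention_SupportPolicy
    $hardware = [bool]$os.DataExecutionPrevention_Available

    # Collect every finding instead of stopping at the first one, because
    # both conditions described in the Cause section can apply at once.
    $findings = @()
    if (-not $hardware) {
        $findings += 'Windows reports hardware DEP as unavailable: check NX/XD in the BIOS or CPU masking on the hypervisor.'
    }
    if ($policy -eq 0) {
        $findings += 'DEP policy is AlwaysOff: follow the Re-enable DEP steps.'
    }
    if ($findings.Count -eq 0) {
        $findings += 'DEP is enabled and Windows reports the CPU feature as available.'
    }

    [pscustomobject]@{
        ComputerName      = $os.CSName
        HardwareAvailable = $hardware
        PolicyCode        = $policy
        PolicyName        = $policyNames[$policy]
        Findings          = $findings -join ' '
    }
}

Get-DepState | Format-List
```

A system that shows HardwareAvailable as False after the policy has been set to OptIn matches the case described in the note above, where the DEP setting alone does not resolve the hang.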
 

Delete bad SDS definitions

  1. For managed clients that receive their definitions from Symantec Endpoint Protection Manager (SEPM), ensure SEPM has downloaded August 3rd, 2017 rev. 6 or later Virus and Spyware definitions. All other clients can skip this step.
  2. Restart the affected computer in Safe Mode (no networking).
  3. Delete all files and folders under the folder C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Definitions\SDSDefs.
  4. Restart the computer in Normal Mode.
  5. Allow the SEP client to retrieve the updated Virus and Spyware definitions.

(Script) Delete bad SDS definitions

  1. Ensure the Symantec Endpoint Protection Manager (SEPM) has downloaded August 3rd, 2017 rev. 6 or later Virus and Spyware definitions.
  2. Download the SDSDefRemovalScript.zip file attached to this KB article.
  3. Extract the contents of SDSDefRemovalScript.zip (Password: Symantec).
  4. Restart the affected computer in Safe Mode (no networking).
  5. Copy the SDSDefRemoval.bat file to the computer, and run it.
  6. Restart the computer in Normal Mode.

Manually update definitions

  1. Download the latest Intelligent Updater (See: Verify which Endpoint Protection client type is installed for more information):
     
     
  2. Restart the affected computer in Safe Mode (no networking).
  3. Copy the Intelligent Updater to the computer, and run it.
  4. Restart the computer in Normal Mode.

(ITMS Deployment Solution Customers-Only) Semi-Automated SDS Definition Removal

  1. Ensure the Symantec Endpoint Protection Manager (SEPM) has downloaded August 3rd, 2017 rev. 6 or later Virus and Spyware definitions.
  2. Create a Job in the ITMS Management Console (Refer to ITMS Deployment Solutions documentation for additional detail).
  3. Set up the Job to contain the following tasks:
     
    1. Boot to PXE
    2. Configure Runscript with the text contents of SDSDefRemoval.bat
    3. Boot to Production
     
  4. Schedule this Job for a group of machines.
  5. Restart the targeted machines to trigger the Job.
  6. For any additional questions about this process, please reach out to ITMS Deployment Solutions Support.

Attachments

SDSDefRemovalScript.zip