Auto-Protect related memory leak on systems with Endpoint Protection

Article ID: 170273

Updated On:

Products

Endpoint Protection

Issue/Introduction

Following the installation of Symantec Endpoint Protection (SEP) 14 MP2, memory usage becomes much higher than normal (e.g. 2-3 GB, rather than the normal 500-600 MB).
Running poolmon.exe, or the !poolused 4 /t 5 command in LiveKD, shows that the paged pool tag SAEA is responsible for the bulk of the memory usage:
4: kd> !poolused 4 /t 5
........
Sorting by Paged Pool Consumed

             NonPaged                  Paged
 Tag     Allocs       Used      Allocs         Used

 SAEA         0          0     1429569    320223456  UNKNOWN pooltag 'SAEA', please update pooltag.txt
 Sa_s         4       4416     1430161    183164864  UNKNOWN pooltag 'Sa_s', please update pooltag.txt
 CM31         0          0       38455    176963584  Internal Configuration manager allocations , Binary: nt!cm
 SaEF         0          0     2859139    160111808  UNKNOWN pooltag 'SaEF', please update pooltag.txt
 SaEC         0          0     1429569    137238624  UNKNOWN pooltag 'SaEC', please update pooltag.txt

 TOTAL   467656  162859008     8612890   1411343392
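
To compare saved !poolused output across several machines, the listing above can be parsed and each tag's share of paged pool computed. The Python below is an added example, not part of the original article or of any Symantec tooling; the function names and the 10% reporting threshold are assumptions chosen for illustration.

```python
import re

# Rows copied from the !poolused listing in this article (single-spaced).
POOLUSED_OUTPUT = """\
Sorting by Paged Pool Consumed
Tag Allocs Used Allocs Used
SAEA 0 0 1429569 320223456 UNKNOWN pooltag 'SAEA', please update pooltag.txt
Sa_s 4 4416 1430161 183164864 UNKNOWN pooltag 'Sa_s', please update pooltag.txt
CM31 0 0 38455 176963584 Internal Configuration manager allocations , Binary: nt!cm
SaEF 0 0 2859139 160111808 UNKNOWN pooltag 'SaEF', please update pooltag.txt
SaEC 0 0 1429569 137238624 UNKNOWN pooltag 'SaEC', please update pooltag.txt
TOTAL 467656 162859008 8612890 1411343392
"""

# tag, non-paged allocs, non-paged bytes, paged allocs, paged bytes, optional description
ROW = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)(?:\s+(.*))?$")

def parse_poolused(text):
    """Return (per-tag rows, total paged bytes); non-data lines are skipped."""
    rows, total = [], None
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # prompt, progress dots, column headers, blank lines
        p_allocs, p_used = int(m.group(4)), int(m.group(5))
        if m.group(1) == "TOTAL":  # five characters, so never a real pool tag
            total = p_used
        else:
            rows.append({"tag": m.group(1), "paged_allocs": p_allocs, "paged_used": p_used})
    return rows, total

def suspects(text, min_share=0.10):
    """Tags holding at least min_share (assumed threshold) of paged pool, largest first."""
    rows, total = parse_poolused(text)
    if not total:
        raise ValueError("no TOTAL line found in !poolused output")
    out = []
    for r in sorted(rows, key=lambda r: r["paged_used"], reverse=True):
        share = r["paged_used"] / total
        if share >= min_share:
            avg = r["paged_used"] / r["paged_allocs"] if r["paged_allocs"] else 0.0
            out.append((r["tag"], r["paged_used"], round(share, 3), round(avg, 1)))
    return out

if __name__ == "__main__":
    for tag, used, share, avg in suspects(POOLUSED_OUTPUT):
        print(f"{tag}: {used / 2**20:.0f} MiB paged, {share:.1%} of total, {avg} bytes/alloc")
```

A tag whose allocation count keeps rising between captures while its average allocation size stays constant is the pattern to look for when confirming a leak like the one described here.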

Cause

Our Auto-Protect driver leaks contexts, leading to a build-up of memory usage by its SAEA paged pool tag.

Environment

14 MP2
Windows 10 (other versions of Windows may be susceptible to the same issue)

Resolution

This issue has been resolved in SEP 14 RU1.

As a temporary workaround, run the following commands on all affected systems. They restart SMC and Auto-Protect, which releases any memory held under the SAEA pool tag. One way to deploy them is a scheduled task, configured via group policy, that runs the script when a workstation is unlocked:

"%ProgramFiles(x86)%\Symantec\Symantec Endpoint Protection\Smc.exe" -stop
sc stop srtsp
sc start srtsp
"%ProgramFiles(x86)%\Symantec\Symantec Endpoint Protection\Smc.exe" -start