Auto-Protect related memory leak on systems with Endpoint Protection

Article Id: 170273

Status: Published

Updated On: 12-10-2017 01:31

Legacy Id: TECH247806

Products:

Endpoint Protection

Issue/Introduction:

Following the installation of Symantec Endpoint Protection (SEP) 14 MP2, memory usage becomes much higher than normal (e.g. 2-3 GB, rather than the normal 500-600 MB).

By running poolmon.exe, or running the !poolused 4 /t 5 command in LiveKD, you find that paged pool tag SAEA is responsible for the bulk of the memory usage.

4: kd> !poolused 4 /t 5

........

Sorting by Paged Pool Consumed

NonPaged Paged

Tag Allocs Used Allocs Used

SAEA 0 0 1429569 320223456 UNKNOWN pooltag 'SAEA', please update pooltag.txt

Sa_s 4 4416 1430161 183164864 UNKNOWN pooltag 'Sa_s', please update pooltag.txt

CM31 0 0 38455 176963584 Internal Configuration manager allocations , Binary: nt!cm

SaEF 0 0 2859139 160111808 UNKNOWN pooltag 'SaEF', please update pooltag.txt

SaEC 0 0 1429569 137238624 UNKNOWN pooltag 'SaEC', please update pooltag.txt

TOTAL 467656 162859008 8612890 1411343392

Cause:

Our Auto-Protect driver leaks contexts, leading to a build-up of memory usage by its SAEA paged pool tag.

Resolution:

This issue has been resolved in SEP 14 RU1.

As a temporary workaround, consider running the following commands (which restart SMC/Auto-Protect and will do away with any SAEA pool tag related memory usage) on all affected systems, e.g. by configuring a scheduled task item via group policy that runs the script when a workstation is unlocked:

"%ProgramFiles(x86)%\Symantec\Symantec Endpoint Protection\Smc.exe" -stop

sc stop srtsp

sc start srtsp

"%ProgramFiles(x86)%\Symantec\Symantec Endpoint Protection\Smc.exe" -start