Auto-Protect related memory leak on systems with Endpoint Protection
Article ID: 170273
Updated On:
Products
Endpoint Protection
Issue/Introduction
Following the installation of Symantec Endpoint Protection (SEP) 14 MP2, memory usage becomes much higher than normal (e.g. 2-3 GB, rather than the normal 500-600 MB).
By running poolmon.exe, or running the !poolused 4 /t 5 command in LiveKD, you find that paged pool tag SAEA is responsible for the bulk of the memory usage.
4: kd> !poolused 4 /t 5........Sorting by Paged Pool ConsumedNonPaged PagedTag Allocs Used Allocs UsedSAEA 0 0 1429569 320223456 UNKNOWN pooltag 'SAEA', please update pooltag.txtSa_s 4 4416 1430161 183164864 UNKNOWN pooltag 'Sa_s', please update pooltag.txtCM31 0 0 38455 176963584 Internal Configuration manager allocations , Binary: nt!cmSaEF 0 0 2859139 160111808 UNKNOWN pooltag 'SaEF', please update pooltag.txtSaEC 0 0 1429569 137238624 UNKNOWN pooltag 'SaEC', please update pooltag.txtTOTAL 467656 162859008 8612890 1411343392Environment
14 MP2
Windows 10 (other versions of Windows may be susceptible to the same issue)
Cause
Our Auto-Protect driver leaks contexts, leading to a build-up of memory usage by its SAEA paged pool tag.
Resolution
This issue has been resolved in SEP 14 RU1.
As a temporary workaround, consider running the following commands (which restart SMC/Auto-Protect and will do away with any SAEA pool tag related memory usage) on all affected systems, e.g. by configuring a scheduled task item via group policy that runs the script when a workstation is unlocked:
"%ProgramFiles(x86)%\Symantec\Symantec Endpoint Protection\Smc.exe" -stop
sc stop srtsp
sc start srtsp
"%ProgramFiles(x86)%\Symantec\Symantec Endpoint Protection\Smc.exe" -startFeedback
Yes
No
Powered by
