Auto-Protect related memory leak on systems with Endpoint Protection
Article ID: 170273
Updated On:
Products
Endpoint Protection
Issue/Introduction
Following the installation of Symantec Endpoint Protection (SEP) 14 MP2, memory usage becomes much higher than normal (e.g. 2-3 GB, rather than the normal 500-600 MB).
By running poolmon.exe, or running the !poolused 4 /t 5 command in LiveKD, you find that paged pool tag SAEA is responsible for the bulk of the memory usage.
4: kd> !poolused 4 /t 5........Sorting by Paged Pool ConsumedNonPaged PagedTag Allocs Used Allocs UsedSAEA 0 0 1429569 320223456 UNKNOWN pooltag 'SAEA', please update pooltag.txtSa_s 4 4416 1430161 183164864 UNKNOWN pooltag 'Sa_s', please update pooltag.txtCM31 0 0 38455 176963584 Internal Configuration manager allocations , Binary: nt!cmSaEF 0 0 2859139 160111808 UNKNOWN pooltag 'SaEF', please update pooltag.txtSaEC 0 0 1429569 137238624 UNKNOWN pooltag 'SaEC', please update pooltag.txtTOTAL 467656 162859008 8612890 1411343392Cause
Our Auto-Protect driver leaks contexts, leading to a build-up of memory usage by its SAEA paged pool tag.
Environment
14 MP2
Windows 10 (other versions of Windows may be susceptible to the same issue)
Resolution
This issue has been resolved in SEP 14 RU1.
As a temporary workaround, consider running the following commands (which restart SMC/Auto-Protect and will do away with any SAEA pool tag related memory usage) on all affected systems, e.g. by configuring a scheduled task item via group policy that runs the script when a workstation is unlocked:
"%ProgramFiles(x86)%\Symantec\Symantec Endpoint Protection\Smc.exe" -stop
sc stop srtsp
sc start srtsp
"%ProgramFiles(x86)%\Symantec\Symantec Endpoint Protection\Smc.exe" -startFeedback
Powered by
