
Auto-Protect related memory leak on systems with Endpoint Protection


Article ID: 170273




Endpoint Protection


Following the installation of Symantec Endpoint Protection (SEP) 14 MP2, memory usage becomes much higher than normal (e.g. 2-3 GB, rather than the normal 500-600 MB).
Running poolmon.exe, or the !poolused 4 /t 5 command in LiveKD, shows that paged pool tag SAEA is responsible for the bulk of the memory usage.
4: kd> !poolused 4 /t 5
Sorting by Paged Pool Consumed

                  NonPaged                  Paged
Tag     Allocs        Used    Allocs         Used
SAEA         0           0   1429569    320223456  UNKNOWN pooltag 'SAEA', please update pooltag.txt
Sa_s         4        4416   1430161    183164864  UNKNOWN pooltag 'Sa_s', please update pooltag.txt
CM31         0           0     38455    176963584  Internal Configuration manager allocations , Binary: nt!cm
SaEF         0           0   2859139    160111808  UNKNOWN pooltag 'SaEF', please update pooltag.txt
SaEC         0           0   1429569    137238624  UNKNOWN pooltag 'SaEC', please update pooltag.txt
TOTAL   467656   162859008   8612890   1411343392
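
An added example (not part of the original article or of any Symantec tooling): a Python parser for the !poolused output quoted above that ranks tags by paged pool bytes and reports each tag's share of the TOTAL row and its mean allocation size. The function names are hypothetical, and the sample rows are copied from this article.

```python
import re

# Sample input: the !poolused rows quoted above in this article.
SAMPLE = """\
SAEA 0 0 1429569 320223456 UNKNOWN pooltag 'SAEA', please update pooltag.txt
Sa_s 4 4416 1430161 183164864 UNKNOWN pooltag 'Sa_s', please update pooltag.txt
CM31 0 0 38455 176963584 Internal Configuration manager allocations , Binary: nt!cm
SaEF 0 0 2859139 160111808 UNKNOWN pooltag 'SaEF', please update pooltag.txt
SaEC 0 0 1429569 137238624 UNKNOWN pooltag 'SaEC', please update pooltag.txt
TOTAL 467656 162859008 8612890 1411343392
"""

# tag, nonpaged allocs, nonpaged bytes, paged allocs, paged bytes, optional description
ROW = re.compile(r"^\s*(\S{1,5})\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*(.*)$")

def parse_poolused(text):
    """Return (rows, total_paged_bytes) from '!poolused 4' output; headers are skipped."""
    rows, total = [], None
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # banner and header lines lack the four numeric columns
        tag, _np_allocs, _np_used, p_allocs, p_used, desc = m.groups()
        if tag == "TOTAL":
            total = int(p_used)
            continue
        rows.append({"tag": tag, "paged_allocs": int(p_allocs),
                     "paged_bytes": int(p_used),
                     "unknown": desc.startswith("UNKNOWN pooltag")})
    return rows, total

def rank_paged(text):
    """Rank tags by paged bytes, adding share of the TOTAL row and mean allocation size."""
    rows, total = parse_poolused(text)
    if not total:
        raise ValueError("no TOTAL row with a non-zero paged byte count")
    for r in rows:
        r["share"] = r["paged_bytes"] / total
        r["avg_alloc"] = r["paged_bytes"] / r["paged_allocs"] if r["paged_allocs"] else 0.0
    return sorted(rows, key=lambda r: r["paged_bytes"], reverse=True)

if __name__ == "__main__":
    for r in rank_paged(SAMPLE):
        note = "not in pooltag.txt" if r["unknown"] else ""
        print(f'{r["tag"]:<5}{r["paged_bytes"]:>12}  {r["share"]:6.1%}  '
              f'{r["avg_alloc"]:8.1f} B/alloc  {note}')
```

A tag with a very high allocation count and a small, constant mean allocation size, as SAEA shows here, is the usual shape of a leak of fixed-size objects rather than a few large buffers.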


14 MP2
Windows 10 (other versions of Windows may be susceptible to the same issue)


Our Auto-Protect driver leaks contexts, leading to a build-up of memory usage by its SAEA paged pool tag.


This issue has been resolved in SEP 14 RU1.

As a temporary workaround, consider running the following commands on all affected systems. They restart SMC and Auto-Protect, which clears any memory usage attributed to the SAEA pool tag. One way to deploy them is a scheduled task item, configured via group policy, that runs the script when a workstation is unlocked:

"%ProgramFiles(x86)%\Symantec\Symantec Endpoint Protection\Smc.exe" -stop
sc stop srtsp
sc start srtsp
"%ProgramFiles(x86)%\Symantec\Symantec Endpoint Protection\Smc.exe" -start