A system with Endpoint Protection hangs or crashes after downloading or installing a Windows 10 Language Pack

Article ID: 170340

Products

Endpoint Protection

Issue/Introduction

On a Windows 10 build 1703 (September 2017) system, when you set the language to a different one after installing Symantec Endpoint Protection (SEP) 12.1 RU6 MP6, MP7 or MP8 with the Application and Device Control (ADC) feature, then reboot, you experience a Blue Screen of Death (BSOD).
When you install the same version of Windows, download a language pack, reboot, then install SEP with the ADC feature and reboot, the system hangs indefinitely during the startup phase.
You find that disabling our SysPlant driver in Safe Mode resolves the issue.

Cause

During the Windows 10 startup phase, sysfer.dll (SEP's Application Control user mode component) hooks into fontdrvhost.exe (Microsoft's Usermode Font Driver Host). As a result of that hook, fontdrvhost.exe calls the Windows API function CreateActCtx(), which fails with an Access Denied error: although embedding manifest files is a Microsoft recommended practice, fontdrvhost.exe essentially trips over sysfer.dll's embedded manifest, exits unexpectedly, and the system hangs or crashes.

Environment

SEP 12.1 RU6 MP6-8
Windows 10 build 1703 (September 2017)

Resolution

It was found that if sysfer.dll does not include an embedded manifest file, fontdrvhost.exe does not call the Windows API function that leads to the failure. As such, it was decided to remove the embedded manifest, starting with SEP 12.1 RU6 MP9 and 14 RU1.
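To confirm on an upgraded system that sysfer.dll no longer carries an embedded manifest, the following PowerShell function (an added example, not Symantec's code) reads the RT_MANIFEST resource of any PE file through the Win32 resource APIs. The sysfer.dll path under System32 is an assumption.

```powershell
# Added example: report the embedded manifest (RT_MANIFEST) of a PE file, if any.
Add-Type -Namespace Win32 -Name NativeMethods -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern IntPtr LoadLibraryEx(string lpFileName, IntPtr hFile, uint dwFlags);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool FreeLibrary(IntPtr hModule);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr FindResource(IntPtr hModule, IntPtr lpName, IntPtr lpType);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr LoadResource(IntPtr hModule, IntPtr hResInfo);
[DllImport("kernel32.dll")]
public static extern IntPtr LockResource(IntPtr hResData);
[DllImport("kernel32.dll")]
public static extern uint SizeofResource(IntPtr hModule, IntPtr hResInfo);
'@

function Get-EmbeddedManifest {
    param([Parameter(Mandatory)][string]$Path)
    # Map the image as data only: DllMain is never executed, and a 32-bit DLL
    # can be inspected from a 64-bit PowerShell host.
    $LOAD_LIBRARY_AS_DATAFILE       = 0x2
    $LOAD_LIBRARY_AS_IMAGE_RESOURCE = 0x20
    $RT_MANIFEST = [IntPtr]24
    $flags = $LOAD_LIBRARY_AS_DATAFILE -bor $LOAD_LIBRARY_AS_IMAGE_RESOURCE
    $hMod = [Win32.NativeMethods]::LoadLibraryEx($Path, [IntPtr]::Zero, $flags)
    if ($hMod -eq [IntPtr]::Zero) {
        $code = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "LoadLibraryEx failed for ${Path}: $([ComponentModel.Win32Exception]::new($code).Message)"
    }
    try {
        # Manifest resource IDs: 1 = process (exe), 2 = isolation-aware DLL,
        # 3 = isolation-aware DLL without static imports.
        foreach ($id in 1, 2, 3) {
            $hRes = [Win32.NativeMethods]::FindResource($hMod, [IntPtr]$id, $RT_MANIFEST)
            if ($hRes -eq [IntPtr]::Zero) { continue }
            $hData = [Win32.NativeMethods]::LoadResource($hMod, $hRes)
            $ptr   = [Win32.NativeMethods]::LockResource($hData)
            $size  = [Win32.NativeMethods]::SizeofResource($hMod, $hRes)
            $bytes = New-Object byte[] $size
            [Runtime.InteropServices.Marshal]::Copy($ptr, $bytes, 0, $size)
            return [PSCustomObject]@{
                Path       = $Path
                ManifestId = $id
                Xml        = [Text.Encoding]::UTF8.GetString($bytes)
            }
        }
        return $null   # no RT_MANIFEST resource present
    } finally {
        [void][Win32.NativeMethods]::FreeLibrary($hMod)
    }
}

# Assumed location of SEP's user mode hook DLL; adjust to your install.
Get-EmbeddedManifest -Path "$env:SystemRoot\System32\sysfer.dll"
```

A `$null` result for sysfer.dll after the upgrade confirms the embedded manifest is gone; running the same function against `$env:SystemRoot\System32\fontdrvhost.exe` shows what a manifest-bearing binary returns.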

If an upgrade is not an option, the issue can be worked around by creating an exclusion for fontdrvhost.exe: add a file exception with "Application Control" checked as the type of scan that will exclude that file, and %[SYSTEM]% as the prefix variable.