System might hang if Endpoint Protection and ESCORT are installed together

Article ID: 170577

Products

Endpoint Protection

Issue/Introduction

If you install both Symantec Endpoint Protection (SEP) and ESCORT on the same system, the system will hang randomly.
The hang is caused by an interoperability issue between SEP and Reason Core Security (ESCORT) when both are on the stack.

The sequence of events is as follows.

  1. Thread X holds the loader lock on a DLL (DLL A) in the context of ccsvchst.exe and generates an ALPC call to csrss.exe.
  2. The server thread that processes the ALPC message is thread Y.
  3. SEP tries to scan "x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest" and then emulates the execution of ESCORT binaries (such as Escndl.dll and icdcnl.dll).
  4. The ESCORT binaries (such as Escndl.dll and icdcnl.dll) then try to load the same DLL A (above) on the critical section.

Cause

The sequence above results in a deadlock or hang.

Environment

SEP 12.x and 14.x

Resolution

Installing both SEP and ESCORT (Reason Core Security anti-malware security software) on the same system is not recommended.
The following method can be used as a workaround.

  1. Add an exclusion in SEP for the manifest file.
    • Manifest file path: \Windows\winsxs\Manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest
  2. Add an exclusion in ESCORT for ccSvcHst.exe.
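
The four steps under Issue/Introduction form a circular wait, and the manifest exclusion in workaround step 1 removes one link of it. The following is an added example, not vendor code, that models this as a wait-for graph. The node names, the "sep_scan" node and the exact edges are assumptions read from the steps above, not details taken from a dump.

```python
# Added illustration: wait-for graph built from the article's four steps.
# Node names and edges are assumptions made for this model.

X = "thread_X (ccsvchst.exe)"
Y = "thread_Y (csrss.exe)"
SCAN = "sep_scan"  # hypothetical name for the SEP scan/emulation work


def build_wait_graph(manifest_excluded=False):
    """Return {waiter: (holder, reason)} for the hang described above."""
    # Steps 1-2: X holds the loader lock on DLL A and waits for Y's ALPC reply.
    graph = {X: (Y, "ALPC reply")}
    if not manifest_excluded:
        # Step 3 (assumed): Y's use of the manifest waits on the SEP scan.
        graph[Y] = (SCAN, "scan of the .manifest file")
        # Step 4: the emulated ESCORT binaries need DLL A, which X has locked.
        graph[SCAN] = (X, "loader lock on DLL A")
    return graph


def find_cycle(graph):
    """Each waiter blocks on one holder, so follow the chain from every node."""
    for start in graph:
        path, node = [], start
        while node in graph and node not in path:
            path.append(node)
            node = graph[node][0]
        if node in path:
            return path[path.index(node):]
    return []


def describe(graph):
    """Render the circular wait, or report that the chain terminates."""
    cycle = find_cycle(graph)
    if not cycle:
        return "no circular wait"
    return "; ".join(f"{n} waits on {graph[n][0]} for {graph[n][1]}" for n in cycle)


if __name__ == "__main__":
    print("default:        ", describe(build_wait_graph()))
    print("manifest excluded:", describe(build_wait_graph(manifest_excluded=True)))
```

With the manifest excluded from SEP scanning, thread Y no longer waits on the scan, so the chain ends at Y and thread X eventually receives its ALPC reply.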