
Pre-login hang with loading circle after installing Endpoint Protection


Article ID: 173725


Products

Endpoint Protection

Issue/Introduction

After having installed Symantec Endpoint Protection (SEP) 14.2 MP1 and performed the mandatory reboot, you experience a hang with a loading circle on a black screen prior to the login prompt being shown.

You find that the issue can be worked around by either removing our Application and Device Control (ADC) feature, or by setting HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysPlant\Start to 4 (i.e. disabling our ADC kernel driver).

Cause

Windows 10 performs a full certificate verification after a reboot. Otherwise, it uses a cache to prevent the associated performance impact. The certificate verification is performed in the context of the Plug and Play service (svchost.exe -k dcomlaunch -p -s PlugPlay). When it is able to complete verification within 30 seconds, the boot process continues as normal. However, when the time required to do so is upward of 30 seconds, the service will exit on most systems, due to Windows' default service time-out of 30000 ms. The exit will trigger a complete security catalog reload, which according to Microsoft could take 40 to 60 minutes.
Because the Plug and Play service has the option AuditBlockNonMicrosoftBinaries enabled (first introduced in Windows 10 version 1709), the operating system spends an inordinate amount of time verifying whether sysfer.dll (our Application Control user mode component) has a valid Microsoft certificate, and exceeds the service time-out. This results in the behavior described above, which is perceived as a hang on a black screen with a loading circle.

Environment

  • Windows 10 (version 1709 or higher)
  • SEP 14.2 MP1 (14.2.1031.1000)

Resolution

This issue was resolved in our Application Control definitions, which were published via LiveUpdate on February 25, 2019 (sequence number 20190213.022). They added support for the AuditBlockNonMicrosoftBinaries option (allowing it to be bypassed) and for Windows 10 19H1 (previously RS6).
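
A read-only PowerShell check for the conditions described above, added here as an example and not Symantec's own tooling: it reports the SysPlant Start value, the OS build and the service time-out, and flags hosts where the workaround has left the ADC kernel driver disabled. The function name is hypothetical, and treating ServicesPipeTimeout as the 30000 ms time-out mentioned in this article is an assumption.

```powershell
# Added example (not vendor code): read-only triage for the conditions in this article.
function Get-SysPlantTriage {
    [CmdletBinding()]
    param(
        # Registry key named in the article; parameterised for testing.
        [string]$ServiceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SysPlant'
    )

    # Standard Windows service start types for the Start value.
    $startTypes = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

    # Windows 10 version 1709 is build 16299.
    $cv    = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber

    # Assumption: the article's 30000 ms time-out is the one governed by
    # ServicesPipeTimeout, which is absent unless an administrator has set it.
    $ctl = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control' `
                            -Name ServicesPipeTimeout -ErrorAction SilentlyContinue
    $timeoutMs = if ($ctl) { [int]$ctl.ServicesPipeTimeout } else { 30000 }

    $svc = Get-ItemProperty -Path $ServiceKey -Name Start -ErrorAction SilentlyContinue
    if (-not $svc) {
        $start = $null
        $state = 'SysPlant key not found: ADC feature absent or removed'
    } else {
        $start = [int]$svc.Start
        $state = if ($start -eq 4) {
            'Workaround active: ADC kernel driver is disabled'
        } elseif ($build -ge 16299) {
            'ADC driver enabled on build 16299 or later: matches the affected environment'
        } else {
            'ADC driver enabled; OS build is older than 1709'
        }
    }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        WindowsBuild      = $build
        SysPlantStart     = $start
        SysPlantStartType = if ($null -ne $start) { $startTypes[$start] } else { $null }
        ServiceTimeoutMs  = $timeoutMs
        Assessment        = $state
    }
}

Get-SysPlantTriage
```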