search cancel

Unable to start Symantec Management Agent Service due to error: Security must be initialized before any interfaces are marshalled or unmarshalled

book

Article ID: 175565

calendar_today

Updated On:

Products

IT Management Suite

Issue/Introduction

A customer recently noticed that many client machines in their conference rooms and training rooms the Symantec Management Agent (SMA) service will not start.
The message on agent logs is while trying to start the AexNSClient.exe service is:

Failed to initialize COM security: Security must be initialized before any interfaces are marshalled or unmarshalled. It cannot be changed once initialized (0x80010119)
-----------------------------------------------------------------------------------------------------
 

 

Failed to initialize COM security: Security must be initialized before any interfaces are marshalled or unmarshalled. It cannot be changed once initialized (0x80010119)
-----------------------------------------------------------------------------------------------------
Date: 7/26/2019 7:57:36 AM, Tick Count: 186362054 (2.03:46:02.0540000), Size: 392 B
Process: AeXNSAgent.exe (8848), Thread ID: 2064, Module: AeXNSAgent.exe
Priority: 1, Source: Agent

Environment

ITMS 8.5 RU2

Cause

This issue was caused by a third-party DLL injected into aexnsagent.exe process that initializes COM security before we do.

There were at least 3 DLLs injected in our process that belong to some Web Filter software.

These DLLs use COM as well which is a huge mistake made by the third-party developers, you cannot use COM blindly if you inject your DLLs into third-party process.

The problem is that COM have security settings that should be initialized exactly one time per process. The security settings can vary from process to process and SMA service wants them to have certain values.

Now if COM security is not initialized explicitly then COM will initialize the default security as soon as certain COM related actions are performed.

In this case those actions were triggered by WebFilterLSP32.dll, that creates some NETOP COM object before any SMA COM object is created and before SMA initializes security, this forces COM to initialize the default security.

ProcMon log showed the stack of API calls:

  • WebFilterLSP32 creates COM object - CoCreateInstance API call)
  • COM object lives in WebFilterMgr32.dll, which triggers COM security initialization - CoInitializeSecurity API call.

Resolution

Since this issue is caused by a third-party DLL, you can use ProcMon (Process Monitor from SysInternals) to narrow down which one is causing the problem.

After identifying which third-party application is causing the issue, the customer needs to contact that Software company to resolve the problem.