The Protection Engine service hangs or stops responding until restarted

book

Article ID: 198390

calendar_today

Updated On:

Products

Protection Engine for Cloud Services Protection Engine for NAS

Issue/Introduction

The Symantec Protection Engine (SPE or symcscan) service hangs until restarted. System logs indicate that the system time has changed by more than a few seconds.

Cause

System time changes larger than a second can cause Protection Engine to become unresponsive. System time changes are logged in Windows in the Security Event Log with EventID 4616. The following are example entries that we would expect to cause the services to hang:

8/25/2020 6:14:26 PM    Security    Audit Success Audit Microsoft-Windows-Security-Auditing fqdnOfMachine      4616    "The system time was changed.


Subject:
    Security ID:        S-1-5-19
    Account Name:       LOCAL SERVICE
    Account Domain:     NT AUTHORITY
    Logon ID:       0x3e5


Process Information:
    Process ID: 0x478
    Name:       C:\Windows\System32\svchost.exe


Previous Time:      2020-08-25T16:15:40.418027200Z
New Time:       2020-08-25T16:14:26.227486500Z


8/25/2020 5:56:08 PM    Security    Audit Success Audit Microsoft-Windows-Security-Auditing fqdnOfMachine      4616    "The system time was changed.


Subject:
    Security ID:        S-1-5-18
    Account Name:       MachineAccount$
    Account Domain:     domainName
    Logon ID:       0x3e7


Process Information:
    Process ID: 0xbd8
    Name:       C:\Program Files\VMware\VMware Tools\vmtoolsd.exe


Previous Time:      2020-08-25T15:54:50.948823600Z
New Time:       2020-08-25T15:56:08.749000000Z

Environment

Affects all versions of SPE except 8.0.1 as of 2020-09-17.

Resolution

This issue has been resolved in 8.0.1. If you are on 8.0 or earlier, upgrade to 8.0.1.

If you are on 8.1, install the hotfix listed below. If you are on 8.0 or 7.9.1 and cannot upgrade, install the appropriate hotfix below. If you are on any other version, upgrade to 8.0.1 or 8.1 and apply the hotfix.

Hotfixes are available for the following versions:

Version Hotfix Link
7.9.1 175834
8.0 174811
8.1 196674