The Symantec Protection Engine (SPE or symcscan) service hangs until restarted. System logs indicate that the system time has changed by more than a few seconds.
System time changes larger than a second can cause Protection Engine to become unresponsive. System time changes are logged in Windows in the Security Event Log with EventID 4616. The following are example entries that we would expect to cause the services to hang:
8/25/2020 6:14:26 PM Security Audit Success Audit Microsoft-Windows-Security-Auditing fqdnOfMachine 4616 "The system time was changed.
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3e5
Process ID: 0x478
Previous Time: 2020-08-25T16:15:40.418027200Z
New Time: 2020-08-25T16:14:26.227486500Z
8/25/2020 5:56:08 PM Security Audit Success Audit Microsoft-Windows-Security-Auditing fqdnOfMachine 4616 "The system time was changed.
Security ID: S-1-5-18
Account Name: MachineAccount$
Account Domain: domainName
Logon ID: 0x3e7
Process ID: 0xbd8
Name: C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
Previous Time: 2020-08-25T15:54:50.948823600Z
New Time: 2020-08-25T15:56:08.749000000Z
Affects all versions of SPE except 8.0.1 as of 2020-09-17.
This issue has been resolved in 8.0.1. If you are on 8.0 or earlier, upgrade to 8.0.1.
If you are on 8.1, install the hotfix listed below. If you are on 8.0 or 7.9.1 and cannot upgrade, install the appropriate hotfix below. If you are on any other version, upgrade to 8.0.1 or 8.1 and apply the hotfix.
Hotfixes are available for the following versions: