SepMasterService is not starting automatically after boot on some cloud virtual machines
Article ID: 235584

Updated On:

Products

Endpoint Protection

Issue/Introduction

SepMasterService does not start automatically at boot. It needs to be started manually after the RPC and DCOM services have started. The virtual machines are slower to boot and, after boot, are slow to use in the Windows user interface. This is seen in the Google Cloud Platform environment at this time.

Environment

Virtual machines created in Google Cloud Platform environment

Other services are also logged as failing to start but eventually restart on their own

SEP has to be started manually after boot, which works without issue. This is needed because the retry limit is reached and the default is then to stop trying.

 

Cause

Windows Event Logs

| Date | Log | Event Type | Source | Computer | User | Event ID | Description | Details |
|---|---|---|---|---|---|---|---|---|
| 2/16/2022 12:15:45 PM | System | Error | Service Control Manager | | | 7009 | A timeout was reached (30000 milliseconds) while waiting for the SepMasterService service to connect. | |
| 2/16/2022 12:15:45 PM | System | Error | Service Control Manager | | | 7000 | "The SepMasterService service failed to start due to the following error: The operation completed successfully. (0x0000041D)" | |
| 2/16/2022 12:15:44 PM | System | Error | Service Control Manager | | | 7009 | A timeout was reached (30000 milliseconds) while waiting for the CybereasonActiveProbe service to connect. | |
| 2/16/2022 12:15:44 PM | System | Error | Service Control Manager | | | 7000 | "The CybereasonActiveProbe service failed to start due to the following error: The operation completed successfully. (0x0000041D)" | |
| 2/16/2022 12:15:42 PM | System | Error | Service Control Manager | | | 7009 | A timeout was reached (30000 milliseconds) while waiting for the SepScanService service to connect. | |
| 2/16/2022 12:15:42 PM | System | Error | Service Control Manager | | | 7000 | "The SepScanService service failed to start due to the following error: The operation completed successfully. (0x0000041D)" | |
| 2/16/2022 12:15:41 PM | System | Error | Service Control Manager | | | 7009 | A timeout was reached (30000 milliseconds) while waiting for the GoogleVssAgent service to connect. | |
| 2/16/2022 12:15:41 PM | System | Error | Service Control Manager | | | 7000 | "The GoogleVssAgent service failed to start due to the following error: The operation completed successfully. (0x0000041D)" | |
| 2/16/2022 12:15:41 PM | System | Error | Service Control Manager | | | 7009 | A timeout was reached (30000 milliseconds) while waiting for the CybereasonBlocki service to connect. | |
| 2/16/2022 12:15:40 PM | System | Error | Service Control Manager | | | 7009 | A timeout was reached (30000 milliseconds) while waiting for the HealthService service to connect. | |
| 2/16/2022 12:15:22 PM | System | Error | Service Control Manager | | | 7009 | A timeout was reached (30000 milliseconds) while waiting for the google_osconfig_agent service to connect. | |
| 2/16/2022 12:15:22 PM | System | Error | Service Control Manager | | | 7000 | "The google_osconfig_agent service failed to start due to the following error: The operation completed successfully. (0x0000041D)" | |

Resolution

We are able to resolve this by setting the SEP service to Automatic (Delayed) start.

You can do this via the registry, which requires that Tamper Protection is disabled. Alternatively, you can create a Host Integrity policy to have the value set without the need to disable the Tamper Protection feature.

  1. In the registry, navigate to HKLM\SYSTEM\CurrentControlSet\Services\SepMasterService
  2. Add a DWORD value named DelayedAutostart with a value of hex 1
  3. Reboot

This will delay the service start without impacting security posture and will resolve the service contention at boot.
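
A PowerShell check for this condition, added here as an example and not part of the original article or the product's own tooling. It counts Service Control Manager 7009 timeouts since the last boot, reports the service's start configuration, and sets DelayedAutostart only when run with `-Apply`. The parameter names and the message pattern (taken from the English event text shown under Cause) are assumptions.

```powershell
# Added example (not from the article). Read-only unless -Apply is given.
# -Apply needs an elevated session and, as the article states, Tamper
# Protection disabled; otherwise use the Host Integrity policy route.
param(
    [string]$ServiceName = 'SepMasterService',   # assumed parameter name
    [switch]$Apply                               # assumed parameter name
)

$key  = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
$boot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime

# Event 7009 = timeout waiting for a service to connect, logged by the
# Service Control Manager. Only events since the last boot are considered.
$timeouts = @(Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7009
    StartTime    = $boot
} -ErrorAction SilentlyContinue)

# Pull the service name out of the English message text shown under Cause.
$pattern = 'waiting for the (.+?) service to connect'
$byService = $timeouts | Group-Object {
    if ($_.Message -match $pattern) { $Matches[1] } else { 'unparsed' }
}

# How many services hit the timeout: several at once points at boot
# contention on the VM rather than a fault in one service.
$byService | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize

$cfg = Get-ItemProperty -Path $key -ErrorAction Stop
$mine = $byService | Where-Object Name -eq $ServiceName

[pscustomobject]@{
    Service           = $ServiceName
    TimeoutsSinceBoot = if ($mine) { $mine.Count } else { 0 }
    Start             = $cfg.Start              # 2 = Automatic
    DelayedAutostart  = $cfg.DelayedAutostart   # 1 = Automatic (Delayed Start)
    Status            = (Get-Service -Name $ServiceName).Status
}

if ($Apply -and $cfg.DelayedAutostart -ne 1) {
    New-ItemProperty -Path $key -Name DelayedAutostart `
        -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Host 'DelayedAutostart set to 1. Reboot for it to take effect.'
}
```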

Additional Information

A sample HI policy is attached.

Attachments

1645812494417__Sample Add Delayed Start Registry Key for SEP master service.dat