Alert receive report Symantec Endpoint Protection service is crashing multiple times a day. Investigation shows Faulting module is GEDataStore.dll
FAILURE_BUCKET_ID: NULL_POINTER_READ_c0000005_GEDataStore.dll!Unknown
14.3 RU3
The issue is a result of ccSvcHst.exe heap fragmentation issue that occurs when multiple sets of definitions are mapped into the process simultaneously and the heap exceeds a 32-bit user space memory limit and crashes. (e.g. when a new set of definitions are downloaded).
The issue is resolved in 14.3RU4 and above.
Workaround:-
Please implement Memorymonitor;
Note: Tamper Protection needs to be temporarily set to Log only to make this registry change. Revert the Tamper Protection settings to their previous configuration afterwards.
(32-bit machines)
HKLM\Software\Symantec\Symantec Endpoint Protection\SMC
(64-bit machines)
HKLM\SOFTWARE\WOW6432Node\Symantec\Symantec Endpoint Protection\SMC
MemoryMonitor (DWORD) - Amount of memory that needs to be available.
Valid (Value data) are 350 to 500 MB (decimal). This value is required. Valid values will enable the feature.
Invalid values will enable the feature with a default of 350 MB.
A missing registry value or the value set to 0 will disable the feature.
MemoryMonitorFreq (DWORD) - Time in between checks. Valid (Value data) are 1 to 24 hours (decimal). Default value of 8 hours is taken when this value is not created. (Optional)
Settings are only checked once at start. To change settings, smc restart or system reboot is required.