Application Control policy doesn't work for 32-bit applications if SentinelOne agent is running and System Lockdown uses File Fingerprint List with more than one MD5 hash
search cancel

Application Control policy doesn't work for 32-bit applications if SentinelOne agent is running and System Lockdown uses File Fingerprint List with more than one MD5 hash

book

Article ID: 282076

calendar_today

Updated On: 06-18-2024

Products

Advanced Endpoint Defense (with SEP) Complete Endpoint Defense (with SEP)

Issue/Introduction

Application Control policy doesn't take effect for 32-bit applications if SentinelOne agent is running and System Lockdown uses File Fingerprint List with more than one MD5 hash. Problem exists on 64-bit SEP 14.3 RU5 and RU6 for non-administrator users. It doesn't exist on SEP 14.3 RU4 64-bit.

Environment

SEP 14.3 RU5+

Cause

After installing SentinelOne, cmd.exe introduced 2 third-party DLLs named ntd1l.dll and kern3l32.dll. When the Application Control (AC) sysfer.dll initialized with the MD5 fingerprint list is present, AC needs to calculate MD5 for each listed module. However, these two third-party DLLs are present in the module list but not on the disk. So, AC failed to open them. In SEP RU4, open failures are treated as mismatches. So, everything is still fine. However, SEP RU5+ returns an exception instead. As a result, sysfer.dll failed to initialize and lost protection.

Resolution

This issue is fixed in Symantec Endpoint Protection client 14.3 RU9 (14.3.11213.9000).  For information on how to obtain the latest build of Symantec Endpoint Protection, see Download the latest version of Symantec Endpoint Protection.

Additional Information

CRE-15009

Powered by Wolken Software