When Proactive Threat Protection (PTP) component Application and Device Control (ADC) is installed, a .NET application intermittently experiences a hang.
Application and Device Control is a three component solution, whereby user-mode components Sfman.plg (a SMC plugin running in the SMC service) and Sysfer.dll interact with kernel-mode driver Sysplant.sys for the purposes of policy processing, injection, rule matching, logging and notification:
Consider the following scenario:
In this specific scenario, unaware that BASH obtained a lock on the same object, Application Control will attempt to obtain its lock again, resulting in a deadlock and consequent process hang.
In Symantec Endpoint Protection 14, Application Control locks were changed from infinite waiting to a 10 second time-out. If Application Control cannot obtain a lock within that time span, the file, registry or process operation will be allowed. In addition to this, before acquiring a lock, APC will also be disabled, preventing thread suspension. APC is re-enabled after the lock is released.
An Application Control Folder exclusion for the .NET application would prevent injection of Sysfer.dll into its binaries and provides a valid workaround for the issue.