Symantec Endpoint Protection: Managed clients repeatedly run automatic Windows Installer MSI repair or reinstall

Article: TECH170667  |  Created: 2011-09-28  |  Updated: 2012-08-14  |  Article URL http://www.symantec.com/docs/TECH170667
Article Type: Technical Solution

Issue

The Symantec Endpoint Protection (SEP) client detects an internal error and concludes that it must be repaired or reinstalled. This repair or reinstallation runs automatically and disrupts productivity on the machine: SEP components are disabled while the process runs, and the MSI executable(s) consume processor resources. After a reboot, the repair or reinstallation may repeat itself.


Error

Symptoms vary; examples include:

  • Clients show various components (NTP, PTP, AV) as disabled. For example, the Graphical User Interface (GUI) shows "There are multiple problems (2). Network Threat Protection is disabled. Outlook Auto-Protect is malfunctioning. Click Fix All to fix all problems or click Details for more information."
  • TruScan errors 9 or 11
  • High CPU usage
  • High memory usage by rtvscan.exe
  • In the Application event log, two event IDs appear: 1001 and 1004.

    Event ID 1001, Source: MsiInstaller. Detection of product "{FB8A4E30-9915-4814-ADF9-42E00D9FDC3D}", feature "SAVMain" failed during request for component "{0ABF6425-272D-4795-9BD8-F2428110EC95}"

    Event ID 1001, Source: MsiInstaller. Detection of product "{FB8A4E30-9915-4814-ADF9-42E00D9FDC3D}", feature "Rtvscan" failed during request for component "{E5A0A45A-2BE2-4B88-8228-E34EA9F30B5E}"

    Event ID 1004, Source: MsiInstaller. Detection of product "{FB8A4E30-9915-4814-ADF9-42E00D9FDC3D}", feature "SAVMain", component "{DADBB26D-F840-4BF4-A656-4777A707AB42}" failed. The resource "C:\WINDOWS\system32\loc32vc0.dll" does not exist.
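As an added check that is not part of the Symantec article, the following PowerShell script counts the MsiInstaller 1001/1004 events quoted above for the SEP product code and flags a probable repair loop. It assumes PowerShell 2.0 on the affected client; the 24-hour window and the loop threshold are constructed values, not figures from the article.

```powershell
# Added example (not from TECH170667): detect a SEP 11 MSI self-repair loop by
# counting MsiInstaller 1001/1004 events that reference the SEP product code.
$SepProductCode = '{FB8A4E30-9915-4814-ADF9-42E00D9FDC3D}'   # product code from the events above
$LookbackHours  = 24   # assumption: constructed window
$LoopThreshold  = 3    # assumption: more failures than this per window = loop

$since  = (Get-Date).AddHours(-$LookbackHours)
$events = Get-EventLog -LogName Application -Source MsiInstaller -After $since |
    Where-Object { ($_.EventID -eq 1001 -or $_.EventID -eq 1004) -and
                   $_.Message -like "*$SepProductCode*" }

if (-not $events) {
    Write-Host "No SEP MSI detection failures since $since"
    return
}

# Pull the feature name and, for 1004 events, the missing resource path out of
# the message text so the summary shows what the repair keeps tripping over.
$events | ForEach-Object {
    $feature = [regex]::Match($_.Message, 'feature "([^"]+)"').Groups[1].Value
    $missing = [regex]::Match($_.Message, 'The resource "([^"]+)" does not exist').Groups[1].Value
    New-Object PSObject -Property @{
        Time     = $_.TimeGenerated
        EventID  = $_.EventID
        Feature  = $feature
        Resource = $missing
    }
} | Sort-Object Time | Select-Object Time, EventID, Feature, Resource | Format-Table -AutoSize

$count = @($events).Count
if ($count -gt $LoopThreshold) {
    Write-Warning "$count SEP MSI detection failures in $LookbackHours h: probable repair loop (see TECH170667)"
}
```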

Environment

These symptoms have been observed in Symantec Endpoint Protection 11.x, managed clients, on Windows XP SP3.

Symantec Endpoint Protection 12.1 is unaffected.

Cause

The cause is a slow memory leak in the trust-verification step of Proactive Threat Protection scans. When memory consumption by rtvscan.exe becomes critical, product failures occur that are interpreted as a corrupt installation, which triggers an automatic repair of Symantec Endpoint Protection.

Further analysis indicated that the leak itself is in Microsoft's crypt32.dll. An update for crypt32.dll was released on September 19, 2011, which coincides with the start of reports from Symantec customers. This update contains both embedded signature changes and code changes for the DigiNotar signature types, which were previously not handled:

http://technet.microsoft.com/en-us/security/advisory/2607712

http://support.microsoft.com/kb/2616676 (crypt32.dll update)

Why does this issue affect Symantec so severely? Our software, through Proactive Threat Protection, frequently checks the digital signatures of executables during normal computer operation, so every scan exercises the leaking code path.

Solution

There is a hotfix available from Microsoft that addresses this memory leak in crypt32.dll. See the following Microsoft technical article:

http://support.microsoft.com/kb/959658 ("A memory leak problem occurs when you run an application that uses the HttpSendRequest function of the WinHTTP API or of the WinINet API to send Secure Sockets Layer requests in Windows XP Service Pack 3").

This hotfix is intended only for customers experiencing this issue and is available from Microsoft by request only. Discuss the ramifications with Microsoft before deciding to deploy it. Other updates may still be applied to crypt32.dll, but the hotfix in KB959658 forces the file onto an older developmental branch: you can apply updates and this hotfix in any order and will still end up with a hotfixed DLL. This can be confusing because the version difference is not readily apparent. For example, if the update in KB2616676 has already been applied, crypt32.dll is version 5.131.2600.6149; after applying the hotfix in KB959658 and rebooting, the version number is unchanged. To see the difference, open the file properties for crypt32.dll, go to the Version tab, and highlight "File Version" to see the full version string. For example:

Hotfixed: 5.131.2600.6149 (xpsp3_sp3_qfe.110906-1620)

No Hotfix: 5.131.2600.6149 (xpsp3_sp3_gdr.110906-1620)
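To check this without opening the properties dialog on every client, here is an added PowerShell script (not from the Symantec article) that reads the full File Version string and reports which branch crypt32.dll comes from. It assumes PowerShell 2.0 and that the branch tag sits in parentheses as shown in the two strings above.

```powershell
# Added example (not from TECH170667): classify crypt32.dll by its version
# branch. The numeric version (5.131.2600.6149 in the article) is the same for
# the hotfixed and non-hotfixed file, so the parenthesised branch string
# ("xpsp3_sp3_qfe..." vs "xpsp3_sp3_gdr...") is the only visible difference.
$dll  = Join-Path $env:SystemRoot 'system32\crypt32.dll'
$info = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($dll)

# FileVersion carries the full resource string, e.g.
# "5.131.2600.6149 (xpsp3_sp3_qfe.110906-1620)"; the numeric parts alone would not.
$m      = [regex]::Match($info.FileVersion, '\((?<branch>[^)]*)\)')
$branch = if ($m.Success) { $m.Groups['branch'].Value } else { '' }

$state = switch -Wildcard ($branch) {
    '*_qfe.*' { 'QFE (hotfix) branch: a hotfix such as KB959658 is in place' }
    '*_gdr.*' { 'GDR branch: standard update build, no hotfix' }
    default   { 'unrecognised branch string: inspect manually' }
}

New-Object PSObject -Property @{
    File        = $dll
    FileVersion = $info.FileVersion
    Branch      = $branch
    State       = $state
} | Select-Object File, FileVersion, Branch, State | Format-List
```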

As an alternative to applying the Microsoft hotfix, you may do one of the following:

  • In the Symantec Endpoint Protection TruScan settings, disable the "Scan new processes immediately" option to slow the leak. To slow it further, increase the TruScan interval (the default is 1 hour).

    Monitor rtvscan.exe memory usage on the Endpoint Protection client. If it goes above 300 MB, restart the rtvscan.exe service (the "Symantec Endpoint Protection" service); no reboot should be necessary. After monitoring memory usage you may identify an hourly interval at which you can schedule a service restart.

  • Or, remove the Proactive Threat Protection component from the Endpoint Protection client.

  • Or, remove the DigiNotar patch: http://support.microsoft.com/kb/2616676
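The monitor-and-restart workaround in the first bullet, as an added PowerShell script that is not part of the Symantec article. It assumes PowerShell 2.0, that the service display name is "Symantec Endpoint Protection" as the article states, and it uses the article's 300 MB threshold; run it from a scheduled task at whatever interval your monitoring suggests.

```powershell
# Added example (not from TECH170667): restart the SEP service when the
# rtvscan.exe working set exceeds the threshold, so the leaked memory is
# released without a reboot. -ReportOnly prints the decision without acting.
param([int]$ThresholdMB = 300, [switch]$ReportOnly)

# If more than one rtvscan.exe exists, judge by the largest one.
$proc = Get-Process -Name rtvscan -ErrorAction SilentlyContinue |
    Sort-Object WorkingSet64 -Descending | Select-Object -First 1
if (-not $proc) { Write-Host 'rtvscan.exe is not running'; return }

$usedMB = [math]::Round($proc.WorkingSet64 / 1MB, 1)
Write-Host ("rtvscan.exe PID {0}: working set {1} MB (threshold {2} MB)" -f $proc.Id, $usedMB, $ThresholdMB)

if ($usedMB -le $ThresholdMB) { return }

# Display name from the article; assumption: it resolves to exactly one service.
$svc = Get-Service -DisplayName 'Symantec Endpoint Protection' -ErrorAction SilentlyContinue
if (-not $svc) { Write-Warning 'SEP service not found by display name; restart it manually'; return }

if ($ReportOnly) {
    Write-Host "Would restart service '$($svc.Name)' (no reboot required)"
} else {
    # Restart-Service stops and starts the service; rtvscan.exe comes back
    # with a fresh heap, which is the whole point of the workaround.
    Restart-Service -Name $svc.Name -Force
    Write-Host "Restarted service '$($svc.Name)' at $(Get-Date)"
}
```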

Supplemental Materials

Source: ETrack
Value: 2562429
Description: SEP 11 RU6 MP3 managed clients are stuck in installation/repair loop