

Created: 02 Sep 2008 • Updated: 28 May 2010 | 20 comments
This issue has been solved. See solution.

Has anyone tried the Google Chrome browser? Well, it's not working with SEP application control. Even though I have made an application exception, it is still getting blocked by the DEFAULT RULE.

This is the error we are getting:

3/09/2008 11:52:17 AM    15    Block    Production    Unauthorized NT call rejected by protection driver.    System    Built-in rule    6052    chrome.exe    FuncID=74H, RetAddr=17005CH    abcde ab    None   


My question is WHY THIS BUILT-IN RULE is kicking in when there is no rule enabled; they are all unclicked... I can understand that it could be a Google problem, but I hate this built-in rule. Can you tell me where it is, and how I can tweak/disable it?


BNH's picture

Hi Auusie,



We are aware of this issue and currently investigating.

I trust that your SEP is unmanaged?


If yes, please perform the steps below:

1) Back up the registry on an affected system.
2) Open the registry on the Agent system by entering regedit from a run prompt.
3) Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysPlant.
4) Open the Start DWORD.
5) Change the value to 4 to disable the drivers.
6) Reboot the system to commit the changes.


Update us on your findings.

-- Got new virus ? Try update your defs here : --

benniiko1's picture

Hey, I went into HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services, but when I was in there, there was no folder named Sysplant, and I have added the sandbox thing and nothing works, so please, if you have any other advice, please send me an email.

Auusie's picture

Thanks for your reply :) Nope, my client is managed, and that is how I changed the Application Control settings and applied the policy... Do you have any configuration settings for managed clients yet? And any info about default rules?


Thanks again.

akv's picture

great, it works...


BNH's picture

Hi Auusie,


A person in and suggested "a workaround".


Basically, it is creating a shortcut and running Chrome without the sandbox.



Message Edited by herlambangBN on 09-03-2008 04:34 PM


akv's picture

it works....but not sure about the role of --no-sandbox. need more info....

Mark Larson (Google)'s picture

--no-sandbox disables Google Chrome's sandbox protection that keeps the system safe from problems in web sites' HTML and JavaScript. It's a workaround that helps us identify the root cause of this issue, but not a long-term solution.


Can someone from Symantec contact me directly offline to talk about this issue? I'd like to understand the reg key workaround (e.g., whether it's actually safe to recommend) and more importantly to work together on a good fix.  mal __at__ 


Jeremy Dotson's picture

No way am I going to accept disabling the sandbox as a solution.  The sandbox is an integral part of the revolutionary coolness of Chrome.  I know it's temporary, but the workaround isn't the problem I have here, it's the continuous stream of nonsense I get from Symantec products. 


Let me guess here, your solution is going to be to edit the managed environment, change some ungodly complex setting in some insanely illogical GUI, build a new package, and reinstall?  Sounds like a typical Symantec version upgrade to me!  Why on earth should I have to do anything other than make an exception in the software?  Because Symantec makes bloatware.  I have just about had enough of continuous headaches from Symantec.

Magnus_Sweden's picture

You can always remove Application and Device control in SEP. Then you can run Chrome without having to disable the sandbox feature.


If you still want to use Application and Device control, then don't use Chrome until they have fixed the problem, remember that Chrome is still in beta.


I run it without sandbox, but then I only use it on sites I can trust.

BigCompanySEPadmin's picture

Sysplant is a process-wrapping driver derived from the Sygate 5.x family of products acquired by Symantec (to the anonymous flame). It's a process-wrapping driver which mediates resource requests made via Windows APIs from the wrapped process. The reality is that Windows lacks a secure, manageable process-to-resource mediation layer.

Until this is changed, anything trying to monitor or manage Windows processes is more or less doomed to clashes like this.



ch1221 2's picture

The Chrome issues appear to be resolved with MR3

CableGuy's picture

As the MR3 patch is now installed, I would like to enable SysPlant once more.  Was the default value set to 1?  Recall that it was changed to 4 to disable SysPlant prior to MR3 being released.


I suspect I can find the answer in about 4 hours when I get to work and check a "normal" PC's registry, but I figure I'd ask here first.



Amaury's picture

(Sorry for my English, I am French.)

Hello all and thank you so much for this topic !


I use Google Chrome BETA on a Windows XP SP3 OS with SEP 11.0.780.1109.


I have read your post and modified the HK value from 1 to 4 and restarted my computer, but the error 0xc0000005 remained.

So I was obliged to change the target properties of Google Chrome with "--no sandbox", and now the software runs correctly.

But I think it's a really bad issue to decrease the security of this new browser and be obliged not to use this new function... I hope Google works fast on a patch to resolve this problem.


Magnus_Sweden's picture



With the latest general version of SEP, 11.0.3001.2224 Google Chrome is working as stated above in earlier posts, even when using it without "no --sandbox", also make sure you have the latest version of the Chrome application from


I suggest you submit a support case to Symantec about it if you are certain SEP is the cause of the problem, since, from what I have read, others with the same version as you can use Chrome without problems.

Message Edited by Magnus_Sweden on 10-27-2008 01:30 PM
cldoud's picture

I have version 11.0.780.1109. I have noticed that installation of Chrome was supposed to have been fixed with version 11.03. However, the error keeps coming up in the newer version even though I disable it on the install.


Do I need to do the recommended fix or is there a different problem?


Also, if I use this fix, what impact does it make on protecting my computer?



cldoud's picture

Also, my OS is Vista, and I disabled Endpoint when I tried to install Chrome.



Amaury's picture



If the new version does not fix the bug, use the '-no sandbox' solution.

This disables the sandbox function of Chrome, which splits the different tabs of Chrome into different system processes. This is only an advanced Chrome security feature that does not exist in other software, so without the sandbox Chrome is as secure as other software like Mozilla.


Be careful about future versions of Symantec, and when the bug is fixed for you, turn the sandbox function back on by deleting the command-line argument in the file properties.



Message Edited by Amaury on 12-13-2008 11:21 AM
Citlali's picture

11.0.780 is not the right version.  You need 11.0.3001

zisis pontikas's picture

Hello all,

I have been using chrome for quite some time now and had this problem when I started using it.
Naturally I applied this workaround and then I had no problem. 

My question now is this:
Since this issue has been resolved and since I have the latest version of SEP installed, how can I remove this workaround (which actually consists of changing a registry value to 4)?

Also I know this is out of this scope but I would like to know if I am running chrome in no-sandbox mode or not, since it would be helpful to know.

Thank you.
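
An added example, not part of any post in this thread: a read-only PowerShell audit for leftovers of the two workarounds discussed above (the SysPlant `Start` value set to 4, and Chrome launched with `--no-sandbox`). The function names and the shortcut folders searched are assumptions of this example; the registry path and the flag are the ones given in the thread.

```powershell
# Added example (not from the thread). Read-only: it reports and changes nothing.
# Standard Windows service Start values; 4 means the driver will not load.
$StartTypes = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Get-SysPlantStart {
    # Registry path as given in the thread.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SysPlant'
    if (-not (Test-Path $key)) { return 'SysPlant key not present' }
    $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
    if ($null -eq $start) { return 'SysPlant key present, no Start value' }
    $name = $StartTypes[[int]$start]
    if (-not $name) { $name = 'unknown' }
    "SysPlant Start = $start ($name)"
}

function Get-NoSandboxProcess {
    # CommandLine is empty for processes the caller may not inspect;
    # run elevated to see every user's chrome.exe.
    Get-CimInstance Win32_Process -Filter "Name = 'chrome.exe'" |
        Where-Object { $_.CommandLine -match '--no-sandbox\b' } |
        Select-Object ProcessId, CommandLine
}

function Get-NoSandboxShortcut {
    # Assumed search roots: per-user and all-users Desktop and Start Menu.
    $roots = 'Desktop', 'CommonDesktopDirectory', 'StartMenu', 'CommonStartMenu' |
        ForEach-Object { [Environment]::GetFolderPath($_) }
    $shell = New-Object -ComObject WScript.Shell
    $roots | Where-Object { $_ -and (Test-Path $_) } | ForEach-Object {
        Get-ChildItem -Path $_ -Filter *.lnk -Recurse -ErrorAction SilentlyContinue
    } | ForEach-Object {
        # The workaround lives in the shortcut's Arguments field, not its target.
        $lnk = $shell.CreateShortcut($_.FullName)
        if ($lnk.TargetPath -like '*\chrome.exe' -and $lnk.Arguments -match '--no-sandbox\b') {
            [pscustomobject]@{ Shortcut = $_.FullName; Arguments = $lnk.Arguments }
        }
    }
}

Get-SysPlantStart
Get-NoSandboxProcess  | Format-List
Get-NoSandboxShortcut | Format-List
```

No output from the last two commands means no running Chrome process and no shortcut in the searched folders carries the flag.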