Endpoint Protection Small Business Edition


Network Intrusion Protection Toggling Causes Application to Crash

  • 1.  Network Intrusion Protection Toggling Causes Application to Crash

    Posted Aug 19, 2015 10:44 AM

    Hello,

     

    We have Symantec Endpoint Protection 12.1 installed, and Enable Network Intrusion Protection is checked.

     

    When running a function in our solution, an exe is generated and runs. As long as Enable Network Intrusion Protection is checked, we can perform our routines on that exe as expected. However, in less than one minute after unchecking Enable Network Intrusion Protection, the application crashes. Inversely, if we have Enable Network Intrusion Protection unchecked, and then we start the exe and it performs its tasks as expected, within one minute of checking Enable Network Intrusion Protection, the application crashes. We have been unable to find any logs in SEP or in Event Viewer regarding this crash. Additionally, we can replicate this on multiple Dell R720 servers with a Broadcom NetXtreme daughterboard BCM5720C NIC, but not on Dell R710s with a Broadcom NetXtreme II BCM5709C on-board NIC. We have already attempted to disable Flow Control, TCP/UDP Offload, and Large Send Offload on the NIC, as well as updated the driver to the latest Broadcom version.

     

    I guess my question is, how does SEP's Network Intrusion Protection system work? Is there anything that gets embedded within a NIC's configuration? Is there an algorithm that runs to make determinations, and when the switch is toggled, if the app doesn't match what is expected from SEP, SEP will kill the application? If we don't clear some setting in SEP, and then uninstall SEP and run CleanWipe, is there still something that wouldn't get cleared that would cause this exe to crash?

     

    Any help or technical explanations would be greatly appreciated.

     

    Thank you.



  • 2.  RE: Network Intrusion Protection Toggling Causes Application to Crash

    Posted Aug 19, 2015 11:42 AM

    Have you looked at the Security log on the client?

    I guess my other question is why are you disabling NTP?



  • 3.  RE: Network Intrusion Protection Toggling Causes Application to Crash

    Posted Aug 19, 2015 11:54 AM

    Hello,

     

    The Security log re: SEP doesn't provide any errors per se; mostly noting that certain SEP functionality has been enabled or disabled. It has been very difficult tracking down any other message that might relate but doesn't have a SEP source.

     

    Regarding disabling NTP, our customers have been directed by their management to move away from SEP. This issue was discovered immediately upon the removal of SEP and running CleanWipe. In an attempt to identify why removing an application would block an exe's functionality, since it's normally the other way around, we started tinkering with SEP settings to see if we could possibly locate the culprit. It seems that toggling NTP on and off triggers the failure.

     

    Thank you.



  • 4.  RE: Network Intrusion Protection Toggling Causes Application to Crash

    Posted Aug 19, 2015 12:04 PM

    Do you have the application and device control component installed and in use as well?

    I've not seen NTP cause this but more from ADC.



  • 5.  RE: Network Intrusion Protection Toggling Causes Application to Crash

    Posted Aug 19, 2015 01:41 PM

    Hello,

     

    The only component we have installed is SEP. If this is something within SEP, it's possible. Looking at the SEP Console, the only options I see available are Virus and Spyware Protection, Proactive Threat Protection, and Network Threat Protection.

     

    Thank you.



  • 6.  RE: Network Intrusion Protection Toggling Causes Application to Crash

    Posted Aug 19, 2015 01:44 PM

    ADC is a component within SEP. It is not visible from within the GUI.

    If you open the GUI and go to Change Settings >> Client Management >> Configure Settings and uncheck "Enable Application and Device Control"



  • 7.  RE: Network Intrusion Protection Toggling Causes Application to Crash

    Posted Aug 19, 2015 02:31 PM

    Hello,

     

    Enable Application and Device Control is set. I'm not sure if it matters or not, but we have been doing all of our testing by running the client portion of our application directly from its server, and not through a separate device. That said, the exe in question does receive and transmit data to an external system.

     

    I have tried unchecking Enable Application and Device Control only, while all other options in SEP remain enabled (Firewall, IDP, etc.), and then executing our exe. This does not appear to cause the exe crash. If I leave Enable Application and Device Control unchecked, and then uncheck Enable Network Intrusion Prevention, the exe will then crash when running its normal tasks.

     

    Thank you.



  • 8.  RE: Network Intrusion Protection Toggling Causes Application to Crash

    Posted Aug 19, 2015 02:38 PM

    I would test the firewall next, which is a part of NTP.

    Open the GUI and click Options next to Network Threat Protection, then select Change Settings.

    Uncheck the box for Enable Firewall.

    Try your test again and see what the result is.

    If there are no issues then enable the firewall. Move over to the Intrusion Prevention tab and uncheck both options. Try your test again.

    This should determine which component is the culprit.

    I guess I forgot to ask but what is the exact version of SEP you're running?



  • 9.  RE: Network Intrusion Protection Toggling Causes Application to Crash

    Posted Aug 19, 2015 03:02 PM

    Hello,

     

    Going into this new test, Enable Browser Intrusion Protection, Enable Network Intrusion Protection, and Firewall are all checked, and Enable Application and Device Control is unchecked. The exe runs as expected.

     

    After only disabling Firewall, the exe continues to run as expected.

     

    After re-enabling Firewall and unchecking Enable Network Intrusion Protection, the exe crashes.

     

    We are running SEP v12.1.4112.4156.

     

    Thank you.



  • 10.  RE: Network Intrusion Protection Toggling Causes Application to Crash

    Posted Aug 19, 2015 03:11 PM

    I would recommend opening a support case, however, you're on an old version so they may likely ask you to upgrade to the latest version 12.1.6.1a.

    With that being said, support may have you run packet captures and enable advanced logging/debugging and have you send them the logs to begin troubleshooting.



  • 11.  RE: Network Intrusion Protection Toggling Causes Application to Crash

    Posted Aug 19, 2015 03:11 PM

    What happens when you leave both the Firewall and IPS disabled? Is the application still crashing?

    Note: Make sure that the Windows Firewall is also disabled.



  • 12.  RE: Network Intrusion Protection Toggling Causes Application to Crash

    Posted Aug 19, 2015 03:34 PM

    Hello,

    While Windows Firewall, SEP Firewall, and IPS are all disabled, the exe runs fine. Once we toggle IPS, the exe crashes within one minute of running a specific process. It doesn't matter if IPS is turned on or off before the exe is launched; once the exe is launched, and then IPS is toggled, the exe will crash.

     

    Thank you.



  • 13.  RE: Network Intrusion Protection Toggling Causes Application to Crash

    Posted Aug 19, 2015 03:39 PM

    I wonder if the firewall is blocking the traffic related to your application and causing it to crash. However, it doesn't happen when IPS is enabled, which could be due to the IPS allowing that traffic before even the firewall gets a chance to check that traffic.

    I believe that you are going to remove SEP anyway. Can I ask you to remove SEP client from a PC and reboot and then disable Windows firewall and check if the application works?



  • 14.  RE: Network Intrusion Protection Toggling Causes Application to Crash

    Posted Aug 19, 2015 03:46 PM

    Out of curiosity, is this a custom/in-house app?



  • 15.  RE: Network Intrusion Protection Toggling Causes Application to Crash

    Posted Aug 19, 2015 04:28 PM

    Hello,

     

    There are a couple of layers to this. We built the custom software solution that interfaces with the exe in question. The exe in question is also a custom application built by another company that we have to interface with. It provides the functionality that we need, and our software interprets the data that it receives.

     

    Thank you.



  • 16.  RE: Network Intrusion Protection Toggling Causes Application to Crash

    Posted Aug 19, 2015 04:35 PM

    Have you tried starting a packet capture prior to starting the exe and letting it run until the crash occurs?



  • 17.  RE: Network Intrusion Protection Toggling Causes Application to Crash

    Posted Aug 19, 2015 04:53 PM

    Hello,

    I have run two captures using Wireshark. Unfortunately, I'm not fluent enough in the network administration side to be able to decipher what's going on.

     

    Thank you.



  • 18.  RE: Network Intrusion Protection Toggling Causes Application to Crash

    Posted Aug 19, 2015 04:55 PM

    Best to engage support for that analysis; this is going to be more of an advanced problem.



  • 19.  RE: Network Intrusion Protection Toggling Causes Application to Crash

    Posted Aug 19, 2015 05:04 PM

    Hello,

    We have been doing our testing directly on the server that holds the database portion of our application. The client portion of our application can also run on the server.

    Before we get to the point of actually uninstalling SEP as recommended at https://support.symantec.com/en_US/article.TECH161956.html, we disable the SEP services to not run at startup and modify the SEP Start keys, and then reboot the server. After the server comes back up, and we verify that the SEP services are disabled and not running, we run our application, initiate the exe in question, tell the exe to perform its function, and within 1 minute it crashes. Windows Firewall is still disabled.

    Thank you.



  • 20.  RE: Network Intrusion Protection Toggling Causes Application to Crash

    Posted Sep 03, 2015 10:18 AM

    Hello,

     

    For additional information, we have determined that the issue is related between SEP and the Broadcom BCM5720 4-port NICs built into the Dell R720. As I mentioned previously, we were not experiencing this issue with the Broadcom BCM5709C 4-port NICs built into the Dell R710s. We have plugged in a Gigabit PCIe single-port NIC and started running our application through it, and while we were running all the same tests, we did not experience the application crash. These tests included toggling SEP IDP on/off and off/on while the application is running. We have asked the developers of this particular executable to research the issue, and I will report back with any updates. If this updated information reminds anyone of anything, I'd love to hear about it.

     

    Thank you.