
SEP client causes SophisRisque.exe to crash on launch

Created: 04 Jul 2013 | 24 comments

Hi all,

Environment details: Windows 7 64bit running in a virtual XenDesktop.

We think that since updating to SEP 12.1.2, one of our bespoke applications is crashing when launched with the following Windows event:

Problem signature:

  Problem Event Name:       BEX
  Application Name:         SophisRisque.exe
  Application Version:      6.2.2.6
  Application Timestamp:    505748bd
  Fault Module Name:        StackHash_4c0d
  Fault Module Version:     0.0.0.0
  Fault Module Timestamp:   00000000
  Exception Offset:         76874913
  Exception Code:           c0000005
  Exception Data:           00000008
  OS Version:               6.1.7601.2.1.0.256.4
  Locale ID:                2057
  Additional Information 1: 4c0d
  Additional Information 2: 4c0d4d78887f76d971d5d00f1f20a433
  Additional Information 3: 4c0d
  Additional Information 4: 4c0d4d78887f76d971d5d00f1f20a433

We've excluded SophisRisque.exe from on-access scanning as per your recommendation:

http://www.symantec.com/business/support/index?page=content&id=HOWTO61213

We also have a policy in place on the SEP Management Console that excludes the directory on the C: drive where SophisRisque.exe exists.

Procmon.exe shows that during the crash, Symantec processes are called.

The key thing is that if we uninstall the SEP client from the machine, SophisRisque.exe launches fine, with no problems.

Can you help us troubleshoot this issue?


.Brian:

Is this application something developed in house?

If so, is it an older app? Reason I ask is because it may be incompatible with SEP, depending on the components in use.

What components of SEP are you using and more specifically is application and device control installed? If ADC is in use then you can exclude this process from ADC and try again. Or you can remove ADC component altogether if possible. Use Process Explorer to see if sysfer.dll has been injected into the process.

Did this work with a previous version of SEP and if so, what version?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.
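The check Brian asks for (is sysfer.dll injected into the process?) and the crash signature the original post quotes can both be gathered from a PowerShell session. The script below is an added example, not code from the thread or from Symantec; it assumes the process name SophisRisque and the module name sysfer.dll from the posts above, and reads the Application Error (1000) and Windows Error Reporting (1001) events in the Application log, which is where the BEX signature shown in the original post is recorded.

```powershell
# Added diagnostic example (not from the thread): report whether a named DLL is
# loaded into a running process, and list the Windows Error Reporting events for
# an executable so the crash signature can be compared with the one posted above.

function Get-LoadedModuleHits {
    param(
        [Parameter(Mandatory)] [string] $ProcessName,   # e.g. 'SophisRisque' (no .exe)
        [Parameter(Mandatory)] [string] $ModuleName     # e.g. 'sysfer.dll'
    )
    $procs = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
    if (-not $procs) {
        Write-Warning "No running process named '$ProcessName'; launch it before running this check."
        return @()
    }
    $hits = @()
    foreach ($p in $procs) {
        # Enumerating .Modules on a 64-bit process requires 64-bit PowerShell and
        # usually an elevated session; unreadable processes are skipped, not failed.
        try {
            $mods = $p.Modules | Where-Object { $_.ModuleName -ieq $ModuleName }
        } catch {
            Write-Warning "Could not enumerate modules of PID $($p.Id): $($_.Exception.Message)"
            continue
        }
        foreach ($m in $mods) {
            $hits += [pscustomobject]@{
                PID      = $p.Id
                Module   = $m.ModuleName
                Path     = $m.FileName
            }
        }
    }
    return $hits
}

function Get-AppCrashEvents {
    param(
        [Parameter(Mandatory)] [string] $ExeName,   # e.g. 'SophisRisque.exe'
        [int] $MaxEvents = 20
    )
    # Event 1000 (Application Error) carries the faulting module and exception code;
    # event 1001 (Windows Error Reporting) carries the BEX/APPCRASH bucket data.
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1000, 1001 } `
                 -MaxEvents 500 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match [regex]::Escape($ExeName) } |
        Select-Object -First $MaxEvents TimeCreated, Id, ProviderName, Message
}

# Usage (elevated PowerShell; run the first check while the application is up,
# the second after it has crashed):
$hits = Get-LoadedModuleHits -ProcessName 'SophisRisque' -ModuleName 'sysfer.dll'
if ($hits) { $hits | Format-Table -AutoSize } else { Write-Host 'sysfer.dll is not loaded in SophisRisque.exe' }

Get-AppCrashEvents -ExeName 'SophisRisque.exe' | Format-List
```

If the first check reports no hits while the crash still occurs, that is consistent with what ubie reports later in the thread (the injected DLL is absent), and the event 1000/1001 entries are what support will want alongside the Process Monitor capture.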

SebastianZ:

- What SEP processes exactly are called during the crash?

- Do you have Application and Device Control on that SEP client? If yes, can you uninstall only this component and then check whether the crashing is still occurring?

- If you confirm that ADC is the culprit here, try putting in an exception specifically for Application Control:

Excluding applications from application control

Article:HOWTO55212  |  Created: 2011-06-29  |  Updated: 2013-04-22  |  Article URL http://www.symantec.com/docs/HOWTO55212


Mithun Sanghavi:

Hello,

Could you please let us know what feature is blocking "SophisRisque.exe"? Is it Auto-Protect or SONAR detections?

Please open the SEP client and check the Risk log and Threat Log.

Creating exceptions for Symantec Endpoint Protection

http://www.symantec.com/docs/HOWTO80919

In case you want to whitelist an application, check this article:

Software developer would like to add his/her software to the Symantec White-List.

http://www.symantec.com/docs/TECH132220

How Symantec Endpoint Protection uses reputation data to make decisions about files

http://www.symantec.com/docs/HOWTO55275

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

ubie:

Hi all,

@Brian81 - Yes, this application was developed in house.  It's not particularly old, the version we are using now was implemented into production in November 2011.
We have 3 policies enabled via SEPM: Virus and Spyware Protection, LiveUpdate Settings, and Default Exceptions.  We do not have the Application and Device Control policy in use.
I've used Process Explorer to search for sysfer.dll, but it doesn't appear to be injected into SophisRisque.exe.

@SebastianZ - The following SEP paths appear in Process Monitor when filtering by SophisRisque.exe:

C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.2015.2015.105\Data\IRON\IRON.DB-journal
C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.2015.2015.105\Data\IRON\Iron.db
C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.2015.2015.105\Data\IRON\IRON.DB-wal

I've already answered the rest of the questions above.

@Rafeeq - As mentioned above:

We also have a policy in place on the SEP Management Console that excludes the directory on the C: drive where SophisRisque.exe exists.

We have also added an Application Exception for SophisRisque.exe within the Exceptions.

ubie:

Hi Mithun,

I don't know which feature is blocking SophisRisque.exe, hence why I logged this query.  The Risk Log and Threat Log on the client are both empty.

- Liam

Rafeeq:

Can you try to create an exception from the client side for this particular exe, SophisRisque.exe (not the folder, just the .exe file)?

.Brian:

So it sounds like you only use the AV component.

Very interesting. I assume if you simply turn off Auto-Protect, everything functions as expected?

ubie:

Rafeeq,

That option is greyed out and locked by the administrator.  So I went into "My Company > Location-specific Settings > Client User Interface Control Settings" and changed the value from Server Control to Client Control.  Then I updated the policy on the desktop in question.  The options are still greyed out after 2 hrs of waiting.

Can you confirm that this is the correct way to enable the option?

.Brian:

You need to allow this from the Exception policy. Just tick the box to allow users to add this type of exception.


Rafeeq:

From the Symantec Endpoint Protection Manager (SEPM) console, select:

Policies > Centralized Exceptions > select and edit the policy you want to change > Client Restrictions.

ubie:

Brian81 and Rafeeq, all options within the Client Restrictions page are already ticked.

Just to clarify the problem, I open the SEP client > Click Change Settings, the Configure Settings button is greyed out and when hovering over it with the mouse, the message says "Your administrator has locked this feature."

Rafeeq:

I doubt the client is taking the policy. Is the client communicating with the manager? Do you see the green dot?

Open the SEP client > Help and Support > Troubleshooting. Do you see the SEPM server name, or does it say "offline"?

ubie:

Rafeeq, yes, there is a green dot on the shield icon in the taskbar.  No, it doesn't say offline in the Troubleshooting window.  It says the name of our server where the SEPM is installed.  Last connected time was today at 12:53.

ubie:

Okay, I think I've managed to get around this.  I logged onto the local PC as an administrator and these options are now unlocked.  However, if I attempt to add SophisRisque.exe as an Application Exception I get the message "This exception already exists."

.Brian:

Then the exception has already been added via the SEPM.

Issue still exists even with the exception added?


ubie:

Hi Brian, Yes, the issue still exists with the exception added unfortunately.

Any other suggestions?

Rafeeq:

If it's getting detected by Symantec, then it should show up in Risks. Can you check this and confirm it under the detected process?

http://www.symantec.com/business/support/index?page=content&id=TECH176906

ubie:

Hi Rafeeq, There are no entries in the Risk Logs.  Any other suggestions? 

.Brian:

Place a call to support. If all the necessary exceptions have been added and nothing is showing in the logs, it could be a compatibility issue between one of the drivers and your program.

Support will need to troubleshoot this.


Rafeeq:

Is it a mapped drive?

Mapped network drive exceptions for A:, B:, and C: are not honored

Fix ID: 3094293

Symptom: Mapped network drive exceptions for A:, B:, and C: are not honored when you uncheck the option "Only when files are executed" for Auto-Protect.

Solution: Modified the Auto-Protect feature to check correctly for network mappings on drive letters A: through C:.

ubie:

Rafeeq, no, it isn't a mapped drive.

I have Case #04756047 open with Symantec support.  So far we've discovered that the Application and Device Control component of the client is causing the crash.

When this component is not installed, it works.  We're still trying to narrow down the exact cause.

.Brian:

Out of curiosity, have you tried testing this with the latest version, 12.1.3?


Francky15:

Did you ever get an answer on what the trouble was? I have had a very similar problem since a definition update earlier this month (we think it was between the 2nd and the 5th of December). 60 production tools stopped, and we rolled back to SEP 11 to solve the problem.  Nothing is logged, but our program won't work since this update. It is definitely the Auto-Protect component, and there is no difference between the 12.1.2 and 12.1.4 client packages.