
SEP Not Getting Along With Particular Software

Created: 06 May 2013 • Updated: 14 May 2013 | 15 comments
This issue has been solved. See solution.

I recently rolled out a new Citrix Xenapp 6.5 server using Win 2008 R2. One of the published apps is Bartender by Seagull Scientific. Bartender crashes when I try to install or run the program.

I contacted support for Bartender and they asked if I happened to be running SEP. They have a few customers running into the same problem and found that SEP and Bartender don't get along in a Citrix environment. I uninstalled SEP and sure enough, Bartender runs fine.

I doubt anybody here has happened to run into the exact same problem, but my question is if anybody has run into a specific program crashing due to SEP and what you did to address the problem. Leaving my Citrix server unprotected isn't a solution.

 

Since there are several players involved, I'm inquiring here, Bartender support, and Citrix support.

 

 

Faulting application name: bartend.exe, version: 10.0.3.2867, time stamp: 0x50d291c4
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x750b4913
Faulting process id: 0x1784
Faulting application start time: 0x01ce4a6bb535febe
Faulting application path: C:\Program Files (x86)\Seagull\BarTender Suite\bartend.exe
Faulting module path: unknown
Report Id: f2e74c61-b65e-11e2-ad0f-005056840332
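
Added example, not part of the original post: a short Python parser for the Application Error record above, decoding the hex fields a responder would want before changing any SEP policy. The NTSTATUS table and the `needs_dump` flag are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Crash record copied from the post above (Application Error event text).
EVENT = r"""Faulting application name: bartend.exe, version: 10.0.3.2867, time stamp: 0x50d291c4
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x750b4913
Faulting process id: 0x1784
Faulting application start time: 0x01ce4a6bb535febe
Faulting application path: C:\Program Files (x86)\Seagull\BarTender Suite\bartend.exe
Faulting module path: unknown
Report Id: f2e74c61-b65e-11e2-ad0f-005056840332"""

# Constructed lookup: a few NTSTATUS exception codes common in crash triage.
NTSTATUS = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
    0xC000001D: "STATUS_ILLEGAL_INSTRUCTION",
}

def filetime_to_utc(ft):
    """Windows FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_event(text):
    f = {}
    for line in text.splitlines():
        key, _, value = line.partition(": ")
        f[key.strip()] = value.strip()
    app = f["Faulting application name"]
    code = int(f["Exception code"], 16)
    # The "time stamp" on the application line is the PE header link time (Unix epoch).
    link_ts = int(re.search(r"time stamp: (0x[0-9a-fA-F]+)", app).group(1), 16)
    module_unknown = f["Faulting module name"].startswith("unknown")
    return {
        "image": app.split(",")[0],
        "version": re.search(r"version: ([\d.]+)", app).group(1),
        "linked_utc": datetime.fromtimestamp(link_ts, timezone.utc),
        "exception": NTSTATUS.get(code, hex(code)),
        "fault_offset": int(f["Fault offset"], 16),
        "pid": int(f["Faulting process id"], 16),
        "started_utc": filetime_to_utc(int(f["Faulting application start time"], 16)),
        "module_unknown": module_unknown,
        # Fault address outside every identified module: collect a full dump and
        # list the DLLs loaded into the process before adding more exceptions.
        "needs_dump": module_unknown and code == 0xC0000005,
    }

if __name__ == "__main__":
    for k, v in parse_event(EVENT).items():
        print(f"{k:15} {v}")
```

The decoded start time falls on the day the thread was created, and the combination of an access violation with an unidentified faulting module is why file and folder exceptions alone are not a reliable test here.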

P_K_'s picture

You can create an exception for the exe bartend.exe.

You can create an Auto Protect or Tamper Protection exception.

http://www.symantec.com/business/support/index?page=content&id=HOWTO61213

Forcing SEP to Learn an Application

This can be done in two different ways:

  1. If you know the name of the application you would like to learn, you can force SEP clients to monitor that application and learn its fingerprint.
    See Forcing scans to detect an application
  2. If you do not know the name of the application and would like to monitor all applications on a client(s), you can force SEP clients to monitor all applications and learn their fingerprint.
    See Configuring the management server to collect information about the applications that the client computers run

Creating an Exception for an Application

  1. Log in to the Symantec Endpoint Protection Manager (SEPM) and go to the Policies page.
  2. On the Exceptions Policy page, click Exceptions.
  3. Click Add > Windows Exceptions > Application.
  4. In the View drop-down list, select All, Watched Applications, or User-allowed Applications.
  5. Select the applications for which you want to create an exception.
  6. In the Action drop-down box, select Ignore, or Log only.
  7. Click OK.

MCT MCSE-2012 Symantec Technical Specialist (SCTS)

SebastianZ's picture

You can create a specific application exception for this executable:

How to create an application exception in the Symantec Endpoint Protection Manager

Article:HOWTO61213  |  Created: 2011-12-07  |  Updated: 2012-03-27  |  Article URL http://www.symantec.com/docs/HOWTO61213

 

_Brian's picture

What SEP components are installed?

Are you getting any alerts in any of the logs? (Risk or Threat log?)

 

rbrumm's picture

One of the first things I tried was to add a file exception, but I didn't do an application exception. I'm trying that now.

SebastianZ's picture

It may take a bit of time before this one appears on the list - the way it works, the SEP client detects the apps being executed on the client and provides this info to the SEPM - this information includes the hash of the executable - according to this data you can then exclude this specific executable in centralized exceptions.

rbrumm's picture

Yeah, right now my only option on the server is "log." I did add it as an exception on the endpoint. Didn't help. Same thing as setting up as the SEP server or can I expect different results?

SebastianZ's picture

...maybe it is a different component causing the issue - do you have Application and Device Control running on that client? Can you check if the problem can be reproduced when you remove Application and Device Control from that SEP installation?

If this confirms your app is working without issues, you can also try setting a specific exception for this component:

 

Excluding applications from application control

Article:HOWTO55212  |  Created: 2011-06-29  |  Updated: 2013-04-22  |  Article URL http://www.symantec.com/docs/HOWTO55212

 

_Brian's picture

Once it shows up in the SEPM you will then have the ability to set an action. It is a two-part process. Add it first (log only), then once it shows up, go into the Application list (Exception policy >> Add >> Windows Exceptions >> Application is where you will find it), select it, and then pick an action (Ignore, Log only, quarantine, terminate, remove).

You can speed the process up by setting the application to be logged, opening the software on the affected machine, then forcing a heartbeat check-in so the info can be sent to the SEPM.

rbrumm's picture

 

Bartender is listed as an application exception and a folder/file exception. Still crashes. I tried to remove as many SEP features as possible from the policy. Still crashes.
 
Out of ideas for now. I uninstalled SEP and brought the server back online. Not feeling fuzzy that it's unprotected.
 
Posted this problem on the Citrix support forums as well since it's involved, but the folks over there are suggesting basically the same thing.

SebastianZ's picture

I tried to remove as many SEP features as possible from the policy.

- Is it still crashing even if only the Basic AV feature is installed with no other components?

rbrumm's picture

 

I installed an unmanaged client with basic server protection. Don't know why, but that did the trick. Problem solved.

SOLUTION
_Brian's picture

Basic server protection contains AV only.

You likely had the full component set installed, including NTP. If so, it may have come down to just adding a firewall rule to allow traffic.

rbrumm's picture

No, I have basically the same settings with the managed clients that made Bartender crash. The only difference that I can see is it's an unmanaged client.

_Brian's picture

That shouldn't matter unless there is a port 8014 conflict between the two. Even then I can't see why it would cause the app to crash.

Either way, it's resolved so that's good.