Critical System Protection

Current Policy/Policy Prevention/Override State are unknown

Posted Jul 27, 2016 02:39 AM

Hello, sometimes our CSP agent goes to an unknown state. If you open the "Policy Monitor", you will see that the Current Policy/Policy Prevention/Override State are unknown, and the Policy Override is empty (see the attached file Bad.png). The annoying thing is that you can't even use "C:\Program Files\Symantec\Critical System Protection\Agent\IPS\bin\sisipsconfig.exe" -r to change the policy to BUILTIN, so we have to reghost our system.

After comparing with a good machine, we found that the content of agent.ini and fallback.ini under C:\Program Files (x86)\Symantec\Critical System Protection\Agent\IPS\driver seems to be damaged. So as a workaround we can start Windows in safe mode and replace agent.ini and fallback.ini. Then, after rebooting the system, CSP works fine: the Current Policy/Policy Prevention/Override State show the correct values and "C:\Program Files\Symantec\Critical System Protection\Agent\IPS\bin\sisipsconfig.exe" -r can "stop" the policy.

Our customer is not very happy with this workaround, as there are too many steps and we need to enter Windows safe mode. As we don't have a stable way to reproduce this case, I wonder what the root cause is or what operation would cause it, and whether there is a simpler way to recover CSP instead of going into Windows safe mode and replacing some configuration files.
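An added example (not part of the post above, not Symantec's tooling): a PowerShell check that records the size and SHA-256 of the two files the post identifies as damaged (agent.ini and fallback.ini in the driver directory named in the post) on a known-good machine, then verifies suspect machines against that baseline, so the damage can be detected before the agent shows the unknown state. The baseline file location is an assumption.

```powershell
# Added example, not from the original post. Run with -Mode Baseline on a known-good
# machine, copy the JSON to suspect machines, then run with -Mode Verify (exit code =
# number of findings, so it can be scheduled or used in monitoring).
param(
    [ValidateSet('Baseline', 'Verify')]
    [string]$Mode = 'Verify',
    # Assumption: where the baseline JSON lives; any path your tooling can read is fine.
    [string]$BaselinePath = "$env:ProgramData\csp-ini-baseline.json",
    # Directory named in the post; adjust if the agent is installed elsewhere.
    [string]$DriverDir = 'C:\Program Files (x86)\Symantec\Critical System Protection\Agent\IPS\driver'
)

$files = @('agent.ini', 'fallback.ini')

function Get-IniState {
    # Size plus SHA-256 for each file; a missing or zero-length file is itself a finding.
    $state = @{}
    foreach ($name in $files) {
        $path = Join-Path $DriverDir $name
        if (-not (Test-Path $path)) { $state[$name] = @{ Exists = $false }; continue }
        $item = Get-Item $path
        $state[$name] = @{
            Exists = $true
            Length = $item.Length
            Sha256 = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        }
    }
    return $state
}

switch ($Mode) {
    'Baseline' {
        Get-IniState | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath -Encoding UTF8
        Write-Host "Baseline written to $BaselinePath"
    }
    'Verify' {
        $good = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
        $now  = Get-IniState
        $bad  = 0
        foreach ($name in $files) {
            $g = $good.$name; $n = $now[$name]
            if (-not $n.Exists)          { Write-Warning "$name is missing"; $bad++; continue }
            if ($n.Length -eq 0)         { Write-Warning "$name is zero bytes"; $bad++; continue }
            if ($n.Sha256 -ne $g.Sha256) { Write-Warning "$name differs from baseline (size $($n.Length) vs $($g.Length))"; $bad++ }
        }
        if ($bad -eq 0) { Write-Host 'agent.ini and fallback.ini match the known-good baseline' }
        exit $bad
    }
}
```

If these files legitimately change when a new policy is applied (the post does not say), re-run the Baseline mode after each policy change so the check does not report expected differences.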