On 160 out of our 10,000 machines running SEP 12.1.5 and 12.1.6 and Windows Server 2008, I see a large kernel paged pool leak. It has the tag "B1O1" (that's the letter O, not the number zero) and it is allocated from BHDrvx86.sys, part of Symantec Endpoint Protection. On each affected machine, there is one allocation of 8,104 bytes about once per second. Interestingly, this continues until it hits 20,001 allocations, which is about 160 MB of kernel paged pool.
Also on these machines, SEP itself is in a wonky state, such that when I try to run the client UI (SymCorpUI.exe), I get the error popup from "Symantec Endpoint Protection" stating "Symantec Endpoint Protection cannot open because some Symantec services are stopped. Restart the Symantec services, and then open Symantec Endpoint Protection." So, it's not clear which of the issues (error or pool leak) is the cause of the other.
I couldn't find any other reports of this anywhere, but it seems unlikely that I'm the first to find it since I have quite a few machines affected.
Does this sound familiar to anyone?