Endpoint Protection

  • 1.  SEP Causing Extremely Slow Logon after Windows Updates - lsass.exe Local Security Authority

    Posted Jul 18, 2018 09:49 AM

    Hello everyone,

    **EDITED - I was directed to run the SymDiag tool using the WPP Reboot scan to hopefully catch this issue happening during logon. I also attached a "clean" log to compare against. Please find SymDiag logs attached below in the zip file.

    Our network is currently running mainly Windows 7 computers with about 5 Windows 10 (which do not experience this issue).

    Our DC is a virtual server running Server 2008 Standard 32-bit - being hosted by a Windows 2012 server

    We have recently upgraded from WebRoot to Symantec, and since installing Symantec (14.0 RU1 MP2) we have had major issues every Weds & Thurs after normal Windows Updates. I should state that we currently are running SEP unmanaged as our server was apparently set up as 32-bit, and we were unaware of that after our previous managed-service IT company split. So limping along until we can switch out our servers, we have been dealing with all the pop-ups every time something changes.

    The main issue though, is after our computers install updates and are logging in again, they just sit and spin at the welcome screen for anywhere from 2-10 minutes; usually at least 5 minutes! It is not finalizing updates or anything (at least it doesn't show that on the screen, just the welcome screen and the blue spinning circle). Once it is finally done loading, the computer shows a black screen with the SEP pop-up stating that Local Security Authority (lsass.exe) has changed, blah blah blah. This is always the routine, and even adding the "lsass.exe" to the security exception did not help. 

    I've read all sorts of "hotfixes" for windows and such, but I am very skeptical to install any of them, as it seems to be a SEP issue rather than a standalone windows issue. Has anyone experienced this, or have any ideas to test?

    P.S. - I have tried a suggested hotfix for SEP 14.X that says to disable the popups on unmanaged clients, to disable and then re-enable network monitoring, and I have had the same problems with that hotfix, the SEP pop-ups change to Windows Notifications that are constant (1-2x per minute) that svchost.exe and a few other things are trying to access the internet. So we uninstalled SEP and reinstalled to get back to our normal SEP popup issue as they are a lot less frequent. Worth noting that we did not leave SEP running with the hotfix long enough to see if that remedied our lsass.exe issue, it was too much to deal with multiple notifications every minute of the day, very interruptive for our typists / data entry positions.

    Attachment: SymDiag_lsass_hang.zip (14.74 MB)


  • 2.  RE: SEP Causing Extremely Slow Logon after Windows Updates - lsass.exe Local Security Authority

    Posted Jul 18, 2018 10:57 AM

    What components in SEP are enabled/installed?

    Download and run SymDiag on the client. You'll need to let the issue re-produce while letting SymDiag run. You can then upload the logs to support for review.



  • 3.  RE: SEP Causing Extremely Slow Logon after Windows Updates - lsass.exe Local Security Authority

    Posted Jul 18, 2018 01:19 PM

    Hi Brian,

    We currently are using these 3 components: Virus & Spyware Protection, Proactive Threat Protection, and Network / Host Exploit Mitigation.

    I don't think that tool is going to be able to catch our issue, as it only happens when we are logging on to the computer. And we only experience it either Weds or Thurs, after the normal windows updates (some computers install them AM and some PM). Essentially, as we leave, we choose to restart our computers. The next day, when we logon, that is when we are experiencing the issue. I have checked the event viewer, and it's hard to tell what may be causing the lag, all I can see for sure is a Kerberos time-out, but when the computer finally catches its breath, it only shows the Symantec pop-up for the Local Security Authority (lsass.exe). When you click Yes, it loads the desktop like normal, if you click No it just sits at a black screen until you force restart it.

    Will that tool stay open during a restart process to be able to catch issues at logon?

     



  • 4.  RE: SEP Causing Extremely Slow Logon after Windows Updates - lsass.exe Local Security Authority

    Posted Jul 18, 2018 02:07 PM

    Yes, there is an option "WPP reboot" that should allow it to start up upon rebooting the machine.



  • 5.  RE: SEP Causing Extremely Slow Logon after Windows Updates - lsass.exe Local Security Authority

    Posted Jul 18, 2018 04:55 PM

    Okay, very good. I am going to attempt to set that up on one of our computers that hasn't had that issue today, so it hopefully tracks it happening tomorrow. Otherwise I'll have to wait to test that until next week Tuesday evening.

    Stay tuned!



  • 6.  RE: SEP Causing Extremely Slow Logon after Windows Updates - lsass.exe Local Security Authority

    Posted Jul 24, 2018 08:55 AM

    Okay, so I was able to replicate the issue while rebooting with the WPP logging enabled on one of our workstations. I will also upload a "clean" logon where we didn't experience any hangs during the logon process.

    Is this helpful to you at all, or is this just for uploading for the support ticket?  Either way, thanks!

    Attachment: SymDiag_lsass_hang_1.zip (14.74 MB)


  • 7.  RE: SEP Causing Extremely Slow Logon after Windows Updates - lsass.exe Local Security Authority

    Posted Jul 24, 2018 08:58 AM

    Make sure it gets to support. They have the internal tools to review these files.


