After migrating a Symantec Endpoint Protection (SEP) 11.0 client to Release Update (RU) 5 or installing RU5, applications fail to initialize properly with a 0xc0000005 or 0xc0000018 error. The client uses a non-default Application and Device Control (ADC) policy which has enabled Sysplant. In some cases there may not be any error message at all.
The following errors may occur after starting an application:
"The application failed to initialize properly (0xc0000005). Click on OK to terminate the application"
- There is no error message, but the application may just exit or not produce the expected result.
- The error does not occur with SEP 11.0 MR4 MP2 or earlier.
- The error only occurs after installing or migrating to SEP 11.0 RU5.
- The client is using an active ADC policy.
- If Sysplant is disabled, the issue does not occur.
- "The application failed to initialize properly (0xc0000018). Click on OK to terminate the application"
In SEP 11.0 RU5, when sysfer.dll loads it tries to load with a base image of 0x10000000 which is different than previous builds of sysplant and sysfer.dll. When the RU5 sysfer.dll attempts to inject into an application that is also using a base image of 0x10000000, this causes a conflict and the application fails to load. The image base of 0x10000000 can either be used by the main process itself, or by a dll used by the process.
A fix for this issue is included in SEP 11.0.6005 (RU6a) and greater releases.
NOTE: if there is a compelling reason to not migrate from RU5 to a greater product release, a fix for this issue was been released in SEP 11.0 RU5 PP1 (Point Patch 1). This is a client-only build (11.0.5024.404) which is supported only when freshly installed or migrated over SEP 11 RU5 (11.0.5002.333). This patch build is only available for the English language version of the product. To retrieve this update for the SEP client, contact Technical Support.
Process Monitor is a third-party utility and is not supported by Symantec. For more information on Process Monitor, please see the following Microsoft Technet article:
Process Monitor v2.8
A quick way to find out if this is happening is to collect process monitor logs, filter by the application process name, then look at the first "load image" event, then look at the properties at the "Image base" value.
If the Process itself does not have an Image Base of 0x10000000, a dll it loads may have:
An additional fix was provided in RU6 MP2 to include other applications that were also effected by this issue.
Imported Document Id