Symantec Endpoint Protection Services do not start after installing Arellia Access Management. This issue does not occur with SEP 11.0.x. It has also been observed that the issue does not occur on 64-Bit Operating Systems. Creating Tamper Protection exception for 'ArelliaACSvc.exe' does not help. However, disabling Arellia services (Arellia Application Control) or disabling Symantec Tamper Protection resolves the issue.
We see the following Tamper Protection Alerts with Event ID- 45 and Description in Application Event logs:
SYMANTEC TAMPER PROTECTION ALERT
Target: C:\Program Files\Symantec\Symantec Endpoint
Event Info: Open Process
Actor Process: C:\PROGRAM FILES\ARELLIA\AGENTS\APPLICATIONCONTROL\ARELLIAACSVC.EXE (PID 5632)
The Arellia solution changes the way processes are launched in Windows. Symantec Tamper Protection blocks such behavior since it is considered as a security breach and is actively used by malwares. Adding Tamper Protection exclusion for Arellia doesn't help because it modifies 'explorer.exe' and is changes how Windows processes are launched.
Arellia's DLL's are hooked in to Symantec Service and are not released. Service Control Manager waits for 30 seconds and loads other services as there is no response from Symantec Endpoint Protection service.
To avoid compatibility issues with Arellia, an exclusion has been added for the Arellia process for ZwResumeThread. This has been included in Symantec Tamper Protection Driver Version- 18.104.22.168 which was released in June 2013.
Using this updated driver along with Exclusion for 'arelliaacsvc.exe' in Tamper Protection makes Arellia and Symantec Endpoint Protection work successfully on Windows7 32 bit machines.
Windows 7 32 Bit with SEP 12.1 RU2 and Arellia Application Control Agent(7.1.1672.0), Arellia Local Security Agent(7.1.1437.0) and Arellia Security Analysis Agent(7.1.1106.0).
ID: 3184129, 3117895
Imported Document ID: TECH205897
Subscribing will provide email updates when this Article is updated. Login is required.