Symantec Critical System Protection/Data Center Security Policy Override Failure
Last Updated November 14, 2016
In Symantec Critical System Protection (SCSP) and Symantec Data Center Security Server (SDCS), an "Unable to Override the Policy" error is incurred when attempting to override a policy. Then, up to several minutes later, a notification appears in the system tray saying that "Prevention has been disabled". Up to several minutes after that, a system tray message appears that states "Prevention has been enabled" without any user action.
Unable to override the policy.
A corresponding log in the Agent's ..\Agent\scsplog\SISIPSService.log is also seen:
This issue occurs when there are timeout issues with translation process due to a large policy minus file that is generated by the policy translation process.
This is caused by too many variables that refer to lists of items in the Global section of the policy. Because every rule in Global gets written to every process set in the minus file, placing a variable that refers to a list of items in the Global section will increase the size of the minus file by a factor of how many items are in the list. Using multiple variables in the global section that refer to multiple lists of items only exacerbates the situation.
The amount of processing needed to create the minus file causes the translation process during a policy override to take too long, leading to a timeout.
A timeout during the translation process will cause the following symptoms
The override will fail
The override will then appear to work up to several minutes later
Then the override will automatically end, sending the policy back into Enforce mode.
Remove "custom lists" from the Global section of the policy and instead add the custom variable lists to the individual process sets that need them.
This can occur more often on underpowered machines (slow CPU and limited memory). On more robust machines, this error may not occur.
Imported Document ID: TECH214802
Subscribing will provide email updates when this Article is updated. Login is required to Subscribe