After a Symantec Endpoint Protection (SEP) IPS definitions update in a Citrix environment, Internet Explorer (IE) hangs or crashes immediately on startup. If IE crashes, the Windows Application log shows an Application Error event ID 1000 for process iexplore.exe, with faulting module IPSEng32.dll (our IPS Script Engine DLL) and exception code 0xc0000005.
Nearly every dynamically linked library (DLL), including IPSEng32.dll, includes a relocation section (.reloc) table. If a DLL cannot be loaded at its specified preferred base address (e.g. because something else is already present at the same address), that table allows Windows to rebase the DLL and have it load at a different address. This is done before any of the DLL's code is run.
We have never seen exception code 0xc0000005 (Access Violation) in this context on a physical system. When using Citrix software-streaming and/or software virtualization, however, memory virtualization or optimization errors may cause Windows to rebase the DLL to an invalid address, leading to a crash of the application into which IPSEng32.dll is injected.
Because the related memory virtualization is done entirely by Windows/Citrix, any change in our IPS definitions could trigger this Citrix issue, which puts it completely outside of our control. This is a known issue with pre-PVS 7.1 installations in particular, and only the Citrix-centric solutions presented in the Solution section provide a permanent fix.
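The rebasing step described above, for a 32-bit DLL, as an added example (not Symantec or Citrix code): it applies a .reloc block to an image and then checks whether the patched pointers fall inside the image as it is actually mapped. The image, addresses and helper names are constructed for illustration, and the mismatch case is a simplified model of a wrong rebase, not the Citrix defect itself.

```python
import struct

IMAGE_REL_BASED_ABSOLUTE = 0  # padding entry, no fixup
IMAGE_REL_BASED_HIGHLOW = 3   # 32-bit absolute address, the usual type in x86 DLLs

def apply_relocations(image, reloc, preferred_base, actual_base):
    """Patch every address listed in a .reloc table; return the fixup count."""
    delta = (actual_base - preferred_base) & 0xFFFFFFFF
    pos = fixed = 0
    while pos + 8 <= len(reloc):
        # IMAGE_BASE_RELOCATION header: page RVA, then size of the whole block
        page_rva, block_size = struct.unpack_from("<II", reloc, pos)
        if block_size < 8 or block_size % 2 or pos + block_size > len(reloc):
            raise ValueError("malformed relocation block")
        for (entry,) in struct.iter_unpack("<H", reloc[pos + 8:pos + block_size]):
            rel_type, offset = entry >> 12, entry & 0x0FFF
            if rel_type == IMAGE_REL_BASED_ABSOLUTE:
                continue
            if rel_type != IMAGE_REL_BASED_HIGHLOW:
                raise ValueError(f"unsupported relocation type {rel_type}")
            rva = page_rva + offset
            (value,) = struct.unpack_from("<I", image, rva)
            struct.pack_into("<I", image, rva, (value + delta) & 0xFFFFFFFF)
            fixed += 1
        pos += block_size
    return fixed

def pointers_inside(image, rvas, mapped_base):
    """True if every stored pointer lands inside the image as actually mapped."""
    return all(mapped_base <= struct.unpack_from("<I", image, r)[0] < mapped_base + len(image)
               for r in rvas)

def build_sample(preferred_base=0x10000000):
    """Constructed 8 KiB image with three absolute pointers and its .reloc block."""
    image = bytearray(0x2000)
    targets = {0x1004: 0x1800, 0x1010: 0x0040, 0x1020: 0x1FF0}  # slot RVA -> target RVA
    for slot, target in targets.items():
        struct.pack_into("<I", image, slot, preferred_base + target)
    entries = [(IMAGE_REL_BASED_HIGHLOW << 12) | (s - 0x1000) for s in targets] + [0]
    reloc = struct.pack("<II4H", 0x1000, 8 + 2 * len(entries), *entries)
    return image, reloc, sorted(targets)

if __name__ == "__main__":
    image, reloc, slots = build_sample()
    print(apply_relocations(image, reloc, 0x10000000, 0x6A000000), "fixups applied")
    print("valid at 0x6A000000:", pointers_inside(image, slots, 0x6A000000))
    print("valid if mapped elsewhere:", pointers_inside(image, slots, 0x10000000))
```

When the fixups are computed for one base but the image sits at another, every relocated pointer refers to memory outside the module, and the first dereference raises an access violation.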
To provide temporary relief, roll back the IPS definitions to the last known good revision:
In the Symantec Endpoint Protection Manager, click Policies.
Select View Policies.
Double-click your current LiveUpdate Content Policy under the LiveUpdate Content tab. The LiveUpdate Content Policy Overview dialog box appears.
From the LiveUpdate Content section, click Security Definitions.
Enable the Select a revision option located in the Intrusion Prevention signatures section.
Click the Edit button. The Select Revision - Intrusion Prevention signatures dialog box appears.
Expand the drop-down list and select the last known good revision definition set.
Click OK to close the Security Definitions dialog box and return to the Policies tab.
Using the new caching mode available in Citrix Provisioning Services (PVS) 7.1 or higher.
It is recommended that customers contact Citrix Support for guidance with these options. After the implementation of the Citrix-centric solution, it is recommended to undo the IPS definitions rollback, both to verify the solution and to fully restore your security footprint.
ID: 3880884, 3875874, 4037633