The Symantec Endpoint Protection (SEP) Application Control feature allows rules to be created that monitor or block operations on the system matching a pattern, including file access operations, registry access, process launch attempts and DLL load attempts.
With the SEP 12.1 RU4 version of the product running on a Windows 8.1 machine, if an Application Control policy which contains "Load DLL Attempts" rules is loaded, executable files that have only recently been copied to the desktop may become "locked" by the system for some time, during which they cannot be deleted. The files typically appear to be locked by the Windows Search service SearchProtocolHost.exe process.
Attempting to delete the notepad.exe file which has just been copied to the desktop produces the error: "The action can't be completed because the file is open in SearchProtocolHost.exe"
The problem does not exist in the 12.1 RU5 and later versions of the product.
As a workaround, waiting 1-2 minutes typically releases the lock on the file, as does restarting the Windows Search service (or rebooting the machine). After this the file can be deleted.
The files may on occasion be locked by the svchost.exe process (hosting services such as Application Experience) instead of SearchProtocolHost.exe, in which case a reboot may be needed to release the lock.
A SEP Application Control exception for the Windows executables holding the lock (C:\Windows\System32\SearchProtocolHost.exe, C:\Windows\System32\svchost.exe) also stops the problem from occurring.
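The wait-then-restart workaround described above, as a PowerShell script (an added example, not Symantec's own code). It assumes the Windows Search service has the service name WSearch and that the script runs from an elevated prompt; the parameter and function names are constructed for this example.

```powershell
# Added example: retry deleting a file that is temporarily locked, then fall
# back to restarting the Windows Search service (assumed service name: WSearch).
# Restart-Service requires administrator rights.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path,                     # file to delete, e.g. the copied notepad.exe
    [int]$WaitSeconds = 120,           # upper end of the 1-2 minute wait
    [int]$RetryIntervalSeconds = 10    # pause between delete attempts
)

function Remove-LockedFile {
    # Returns $true if the file was deleted, $false if the delete failed
    # (for example because another process still has the file open).
    param([string]$Target)
    try {
        Remove-Item -LiteralPath $Target -Force -ErrorAction Stop
        return $true
    } catch {
        return $false
    }
}

if (-not (Test-Path -LiteralPath $Path)) {
    Write-Output "Not found: $Path"
    return
}

# Step 1: keep retrying until the lock is released or the wait expires.
$deadline = (Get-Date).AddSeconds($WaitSeconds)
do {
    if (Remove-LockedFile -Target $Path) {
        Write-Output "Deleted: $Path"
        return
    }
    Start-Sleep -Seconds $RetryIntervalSeconds
} while ((Get-Date) -lt $deadline)

# Step 2: restart Windows Search, which stops SearchProtocolHost.exe.
Write-Output "Still locked after $WaitSeconds seconds; restarting Windows Search."
Restart-Service -Name WSearch -Force -ErrorAction Stop
Start-Sleep -Seconds 5

if (Remove-LockedFile -Target $Path) {
    Write-Output "Deleted after service restart: $Path"
} else {
    # Matches the svchost.exe case in the article: a reboot may be needed.
    Write-Warning "File is still locked; svchost.exe may hold it, so a reboot may be needed."
}
```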