When Proactive Threat Protection (PTP) component Application and Device Control (ADC) is installed, a .NET application intermittently experiences a hang.
Symantec Endpoint Protection 12.1 RU5 and higher
Application and Device Control is a three component solution, whereby user-mode components Sfman.plg (a SMC plugin running in the SMC service) and Sysfer.dll interact with kernel-mode driver Sysplant.sys for the purposes of policy processing, injection, rule matching, logging and notification:
Sysplant injects Sysfer.dll into processes, hooks Ntdll functions in target processes and acts as a bridge between Sfman and Sysfer.
Sysfer.dll is jumped into when hooked Ntdll APIs are called, does the rule matching after obtaining the policy from Sysplant and logs to the shared buffer it shares with Sfman.plg and Sysplant.
Sfman delivers policy and network share information to Sysplant and logging from the shared buffer to another component for further processing.
Consider the following scenario:
As part of a sysfer injection into a .NET application's file, registry or process operation, the hooked call gets transferred to its rule engine, where rules for whitelisting and any exclusions are verified and it is decided if a rule needs to updated. While determining this, a critical section is acquired.
The thread that acquired the critical section is suspended (e.g. by the .NET Garbage Collector).
Upon resumption of the thread, it is hooked by our our Behavioral Analysis And Security Heuristics driver (BASH hooks the NtResumeThread function), locking the same object.
In this specific scenario, unaware that BASH obtained a lock on the same object, Application Control will attempt to obtain its lock again, resulting in a deadlock and consequent process hang.
In Symantec Endpoint Protection 14, Application Control locks were changed from infinite waiting to a 10 second time-out. If Application Control cannot obtain a lock within that time span, the file, registry or process operation will be allowed. In addition to this, before acquiring a lock, APC will also be disabled, preventing thread suspension. APC is re-enabled after the lock is released.
An Application Control Folder exclusion for the .NET application would prevent injection of Sysfer.dll into its binaries and provides a valid workaround for the issue.
Subscribing will provide email updates when this Article is updated. Login is required.