A system with Endpoint Protection hangs or crashes after downloading or installing a Windows 10 Language Pack
Last Updated October 24, 2017
On a Windows 10 build 1703 (September 2017) system, if you change the language after installing Symantec Endpoint Protection (SEP) 12.1 RU6 MP6, MP7 or MP8 with the Application and Device Control (ADC) feature and then reboot, you experience a Blue Screen of Death (BSOD). If you instead install the same version of Windows, download a language pack, reboot, then install SEP with the ADC feature and reboot, the system hangs indefinitely during the startup phase. Disabling our SysPlant driver in Safe Mode resolves the issue.
SEP 12.1 RU6 MP6-8
Windows 10 build 1703 (September 2017)
During the Windows 10 startup phase, when sysfer.dll (SEP's Application Control user-mode component) hooks into fontdrvhost.exe (Microsoft's Usermode Font Driver Host), fontdrvhost.exe calls the Windows API function CreateActCtx() as a result. This call fails with an Access Denied error: although embedding a manifest file is a Microsoft-recommended practice, fontdrvhost.exe essentially trips over sysfer.dll's embedded manifest, which causes it to exit unexpectedly and leads to a hang or crash.
It was found that, if sysfer.dll does not include an embedded manifest file, fontdrvhost.exe does not call the Windows API function that leads to the failure. The manifest was therefore removed from sysfer.dll, starting with both SEP 12.1 RU6 MP9 and 14 RU1.
If an upgrade is not an option, the issue can be worked around by creating an exclusion for fontdrvhost.exe: add a file exception with "Application Control" checked as the type of scan to exclude the file from, and %[SYSTEM]% as the prefix variable.
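To confirm whether a given copy of sysfer.dll still carries the embedded manifest described above, the following added example (not Symantec's code) walks the PE resource directory and looks for an RT_MANIFEST entry. The function name `has_embedded_manifest` is hypothetical, the check works on any PE file, and the path to sysfer.dll is supplied by you on the command line.

```python
import struct
import sys

RT_MANIFEST = 24  # Windows resource type ID of an embedded manifest


def has_embedded_manifest(data: bytes) -> bool:
    """Return True if the PE image in `data` has an RT_MANIFEST resource."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    nsect = struct.unpack_from("<H", data, pe + 6)[0]      # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]  # SizeOfOptionalHeader
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):                        # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)           # data directories
    if struct.unpack_from("<I", data, dirs - 4)[0] < 3:    # NumberOfRvaAndSizes
        return False
    rsrc_rva = struct.unpack_from("<I", data, dirs + 2 * 8)[0]  # entry 2 = resources
    if rsrc_rva == 0:
        return False                                       # no resource directory
    # Translate the resource RVA to a file offset through the section table.
    sect = opt + opt_size
    for i in range(nsect):
        vsize, va, rawsize, rawptr = struct.unpack_from("<4I", data, sect + 40 * i + 8)
        if va <= rsrc_rva < va + max(vsize, rawsize):
            root = rawptr + (rsrc_rva - va)
            break
    else:
        raise ValueError("resource directory is not inside any section")
    # The root level of the resource tree lists resource types: named
    # entries first, then numeric IDs. RT_MANIFEST is a numeric ID.
    named, ids = struct.unpack_from("<HH", data, root + 12)
    first_id = root + 16 + 8 * named
    return any(
        struct.unpack_from("<I", data, first_id + 8 * i)[0] == RT_MANIFEST
        for i in range(ids)
    )


if __name__ == "__main__" and len(sys.argv) == 2:
    # Usage: python check_manifest.py <path to sysfer.dll>  (path supplied by you)
    with open(sys.argv[1], "rb") as f:
        print("embedded manifest present:", has_embedded_manifest(f.read()))
```

A result of `False` for sysfer.dll matches the behaviour of the fixed builds, where the manifest was removed.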