To identify LSA plug-ins and drivers that will fail to load in LSA Protection mode, you enable the audit mode for Lsass.exe (Microsoft's Local Security Authority Sub-System), by creating 32-bit DWORD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe\AuditLevel with a decimal value of 8 and rebooting the system.
While in the audit mode on a system running Symantec Endpoint Protection (SEP), the system generates Microsoft CodeIntegrity event IDs 3066 for sysfer.dll and snacnp.dll, indicating that they will fail to load under LSA if LSA Protection were to be enabled.
The messages are logged without blocking sysfer.dll or snacnp.dll.
SEP for Windows
Event 3066, CodeIntegrity
Code Integrity determined that a process (\Device\HarddiskVolume2\Windows\System32\lsass.exe) attempted to load \Device\HarddiskVolume2\Windows\System32\sysfer.dll that did not meet the Microsoft signing level requirements. However, due to system policy, the image was allowed to load.
Microsoft only allows Microsoft-signed binaries to run if LSA Protection is enabled. As Microsoft WHQL certification is limited to third-party drivers (SEP's drivers are Microsoft signed), it is impossible for third-party libraries to run when LSA Protection is enabled.
Given Microsoft's limitation, the only option is to work around the issue in the following manner:
Create an Application Control exception for lsass.exe, using either C:\Windows\System32\lsass.exe (if the path is the same for all affected systems) or prefix variable [Windows] in combination with path \System32\lsass.exe (do not use the \Device\HarddiskVolumeX\Windows\System32\lsass.exe path shown by the Windows event). There is no imagineable scenario in which Application Control could be applied to lsass.exe and thus no need for sysfer.dll to inject into it. Lsass.exe will remain protected by all of SEP's protection technologies.
Disable Tamper Protection, stop SMC, remove any snacnp.dll related registry entries and rename snacnp.dll in both SEP's Bin (typically C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\<version>\Bin\ and Cached Installs folder (typically C:\ProgramData\Symantec\Symantec Endpoint Protection\<version>\Data\Cached Installs\\Program Files\Symantec\Name\Version\Bin\) to snacnp.old, start SMC and enable Tamper Protection. Snacnp.dll is the SNAC network provider library, which is no longer necessary, as SNAC has been deprecated. All SNAC components will be fully removed in a next release of SEP.
Subscribing will provide email updates when this Article is updated. Login is required.