You have a 32-bit Windows 7 or 10 system with Symantec Endpoint Protection (SEP) 14.2 RU1 (MP1) and find that ccSvcHst.exe crashes intermittently. You open the related ccSvcHst.exe process dumps in %ProgramData%\Symantec\LocalDumps in Windows Debugger, which show the crash occurs as a result of a memory copy operation after many Listener.dll function calls.
SEP for Windows
Windows Debugger output (read from bottom to top):
Listener.dll is part of our Endpoint Detection and Response (EDR) definitions, which are located in %ProgramData%\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Definitions\EDRDefs. It receives events from BASH's Endpoint Monitor and Query (EMaQ) module, converts them to JSON and sends them to the EDR Store.
When the ccSvcHst.exe heap is severely fragmented, it will lead to virtual memory address space exhaustion, which in turn may result in a failed memory allocation within the RapidJSON library, causing ccSvcHst.exe to crash.
RapidJSON is open source. Its allocator class (rapidjson::MemoryPoolAllocator< BaseAllocator >) was implemented without proper exception handling for failed memory allocations. This was reported as RapidJSON issue 1269, but has yet to be resolved.
Actively monitor and resolve heap space memory fragmentation within ccSvcHst.exe by temporarily disabling Tamper Protection and using Registry Editor to create 32-bit DWORD HKLM\SOFTWARE\(WOW6432Node)\Symantec\Symantec Endpoint Protection\SMC\MemoryMonitor with a value of 1.
If the issue continues to occur, additionally create 32-bit DWORD HKLM\SOFTWARE\(WOW6432Node)\Symantec\Symantec Endpoint Protection\SMC\MemoryMonitorFreq with a value of 1 to 7 (the interval, in hours, at which ccSvcHst.exe will check its heap space memory fragmentation).
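The two registry changes above can also be scripted. The following PowerShell is an added example, not Symantec tooling: the function name Set-SepMemoryMonitor is hypothetical, and it assumes an elevated session with Tamper Protection already disabled.

```powershell
function Set-SepMemoryMonitor {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Optional check interval in hours; the article allows 1 to 7.
        [ValidateRange(1, 7)]
        [int]$FreqHours
    )

    # Writing under HKLM requires administrative rights.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated PowerShell session.'
    }

    # The article gives the path with an optional WOW6432Node segment,
    # so use whichever SMC key actually exists on this machine.
    $suffix     = 'Symantec\Symantec Endpoint Protection\SMC'
    $candidates = @("HKLM:\SOFTWARE\WOW6432Node\$suffix", "HKLM:\SOFTWARE\$suffix")
    $smc = $candidates | Where-Object { Test-Path -Path $_ } | Select-Object -First 1
    if (-not $smc) { throw 'SMC registry key not found; is SEP installed?' }

    # MemoryMonitor is always set to 1; MemoryMonitorFreq only when requested.
    $names = @('MemoryMonitor')
    $data  = @{ MemoryMonitor = 1 }
    if ($PSBoundParameters.ContainsKey('FreqHours')) {
        $names += 'MemoryMonitorFreq'
        $data['MemoryMonitorFreq'] = $FreqHours
    }

    foreach ($name in $names) {
        if ($PSCmdlet.ShouldProcess("$smc\$name", "Set DWORD to $($data[$name])")) {
            # -Force overwrites an existing value. -ErrorAction Stop surfaces a
            # blocked write, e.g. when Tamper Protection has not been disabled.
            New-ItemProperty -Path $smc -Name $name -PropertyType DWord `
                -Value $data[$name] -Force -ErrorAction Stop | Out-Null
        }
    }

    # Read the values back so the change can be confirmed.
    Get-ItemProperty -Path $smc -Name $names -ErrorAction SilentlyContinue |
        Select-Object -Property $names
}

# Preview the change first, then apply it with a 4-hour check interval.
Set-SepMemoryMonitor -FreqHours 4 -WhatIf
Set-SepMemoryMonitor -FreqHours 4
```

Omit -FreqHours to create only MemoryMonitor, and re-enable Tamper Protection once the values are in place.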
SEP 14.2 RU2 will further reduce ccSvcHst.exe heap space fragmentation and is expected to provide a more permanent solution to this issue.