Enable Arellia Application Control Solution and Symantec Endpoint Protection (SEP)

Problem

Out-of-the-box installations of Symantec Endpoint Protection (SEP) and Arellia Application Control Solution (ACS) may not work together.
Whenever a new process is detected, ACS performs the following:

  • ACS pauses the new process
  • ACS checks the process against Application Control Policies and executes any configured actions
  • ACS then resumes the paused process

SEP treats the pausing of its service process as a malicious action and subsequently prevents ACS from unpausing the SEP service.
This has the effect of causing SEP to not start correctly, or in some circumstances causes the Windows Operating System to hang on start-up.

Solution

In order to allow both SEP and ACS to operate normally, a new Exception Policy should be made in the Symantec Endpoint Protection Manager.

Note

Symantec Engineering have advised that versions of SEP before 12.1 RU4 may not apply tamper exclusions as expected.

Arellia customers facing the issue described in this KB article should ensure they are running SEP 12.1.4100.4126 or newer.

  1. Open the Symantec Endpoint Protection Manager
  2. Navigate to Policies > Exceptions and click Add an Exceptions Policy
  3. Change the Policy Name to Arellia Exceptions Policy
  4. Click Exceptions on the left-hand side
  5. Click Add > Windows Exceptions > Tamper Protection Exception
  6. Change the File path to C:\Program Files\Arellia\Agents\ApplicationControl\ArelliaACSvc.exe
  7. Click OK
  8. Click Add > Windows Exceptions > Application
  9. Change the Folder to C:\Program Files\Arellia\Agents\, check the box to include subfolders, and change the type to Application Control (bottom-left)
  10. Click OK
  11. Click Add > Windows Exceptions > Folder
  12. Change the Folder to C:\ProgramData\Symantec\AltirisAgent\, change the drop-down box to All, and check the box to include subfolders
  13. Click OK
  14. Click Add > Windows Exceptions > Folder
  15. Change the Folder to C:\Program Files\Arellia\, change the drop-down box to All, and check the box to include subfolders
  16. Click OK
  17. Click OK to Save the Exceptions Policy
  18. Select the Arellia Exceptions Policy and click Assign the policy to deploy it to the appropriate computers
  19. Click Assign

The SEP agents will retrieve the Arellia Exceptions Policy the next time they connect to the SEP Manager. If SEP is unable to start on a machine, try disabling the Arellia Application Control Service and then starting the SEP service. This should allow SEP to download the new policy and operate normally.
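The following PowerShell script is an added example, not Arellia or Symantec tooling, that automates two points from this article on an affected client: it checks the SEP 12.1 RU4 prerequisite (minimum 12.1.4100.4126) and, if the SEP service is not running, applies the workaround of stopping the Arellia Application Control service before starting SEP. The SEP service name (SepMasterService) and the registry key holding the client version are assumptions to confirm against your build; the ACS service is located by the executable path from step 6 rather than by a guessed service name.

```powershell
#Requires -RunAsAdministrator
# Added example (not Arellia's or Symantec's own code). Run on a client where
# SEP fails to start after ACS is installed.

$MinSepVersion = [version]'12.1.4100.4126'   # minimum version stated in the article
# Path used for the Tamper Protection exception in step 6 (from the article)
$AcsExePath = 'C:\Program Files\Arellia\Agents\ApplicationControl\ArelliaACSvc.exe'
# ASSUMPTION: SEP service name and the registry key/value where the SEP client
# records its version. Verify both against your SEP installation.
$SepServiceName = 'SepMasterService'
$SepVersionKey  = 'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC'

function Get-ServiceByExePath {
    param([string]$ExePath)
    # Identify the service by its binary path instead of assuming its name
    Get-CimInstance Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -like "*$ExePath*" } |
        Select-Object -First 1
}

# 1. Prerequisite check: SEP older than 12.1 RU4 may not honour tamper exclusions
$verText = (Get-ItemProperty -Path $SepVersionKey -ErrorAction SilentlyContinue).ProductVersion
if (-not $verText) {
    Write-Warning "Could not read the SEP version from $SepVersionKey; check the build manually."
} elseif ([version]$verText -lt $MinSepVersion) {
    Write-Warning "SEP $verText is older than $MinSepVersion; exceptions may not apply. Upgrade SEP first."
}

# 2. Workaround from the article: stop ACS, then start the SEP service
$sep = Get-Service -Name $SepServiceName -ErrorAction Stop
if ($sep.Status -eq 'Running') {
    Write-Output "SEP service '$SepServiceName' is already running; no action needed."
    return
}

$acs = Get-ServiceByExePath -ExePath $AcsExePath
if (-not $acs) { throw "No service found running $AcsExePath" }

Write-Output "Stopping Arellia service '$($acs.Name)' so SEP can start..."
Stop-Service -Name $acs.Name -Force
Start-Service -Name $SepServiceName
(Get-Service -Name $SepServiceName).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
Write-Output "SEP started. Once the client has received the Arellia Exceptions Policy, start '$($acs.Name)' again."
```

The script only stops ACS for the current session; if the machine hangs at boot, set the ACS service startup type to Disabled until the policy has been received, then restore it.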

Other Resources

Creating Centralized Exceptions Policies in the Symantec Endpoint Protection Manager 11
Creating a Tamper Protection exception
Excluding applications from application control
Symantec Endpoint Protection (SEP) clients generating Tamper Protection alerts on excluded applications