Why does Symantec End Point Protection Tamper Monitor lock out my LabView App for up to 5 seconds?

[spaaw]

Why does Symantec End Point Protection Tamper Monitor lock out my LabView App for up to 5 seconds?

I am running a multi threaded application where each thread is assigned to a different core on a 4-core PC running XPPro. Two of the threads are identical and started through a VIT. LabView queues are used to communicate between the various threads. The application makes extensive use of the Vision Development software, including real time acquisition from multiple GigE cameras. Software is LabView 2009, Vision 2010 and VAS 2010 and Windows XPPro. We use serial communication and write TXT files to disk. We do not access the Internet.

Our customer runs Symantec End Point Protection (corporate version of the Norton AV software) V11.0.6200.754. Something in our application causes the Symantec Tamper Protection EXE to lock out our LabView app and all other software including the XP task monitor for periods of up to 5 seconds at random intervals. If you disable tamper protection, the application runs fine. You can also download a standalone version of Symantec AV and the application runs fine. So it seems like it is something about the Symantec Tamper Protection.

Anybody else seen this problem?

/Peter

(text quoted from my boss)

[crelf]

Could be because of the GigE cameras communicating over ethernet - the protection might be considering some of those communications as suspicious and is scanning them for yucky things?

[asbo]

It sounds like Tamper Protection just protects Symantec SW from being altered somehow (not sure what kinds of stuff it prevents). If you're not running your LV App, does the system still hang-up?

There's a lot of black magic in how LV actually does what it does in the RTE (to me, anyway), so it'd be hard to pin-point exactly what's causing a problem without knowing the implementation details of both your software and Symantec's software. Can your customer open a support issue with Symantec?

[Jon Kokott]

Because its terrible. Check to make sure you have the "unreleased" fix for endpoint, they may have allready pushed out an update since the version from a few weeks ago bled memory so badly (it was literally 10MB/min for me.) I think it straight up crashes around 250 MB of memory.

Anyway, you'll have to talk to your IT department about your individual settings, but my advice is to disable the firewall on all the ports you are using on the test setups. It is TERRIBLE with UDP (as in it will kill your connections, make you timeout, and restart.) We couldn't do TFTP updates on any machine running endpoint because it would close our connections after like 1 min of transferring.

I would just start fighting the war that is computer security with your IT department, and hopefully get it straight up taken off the machine. It causes nothing but problems for any kind of network activity not called web surfing.

~Jon

[spaaw]

Thank you for your suggestions.

I realized that in an earlier release of my program the problem doesn't exist. The things that have been added since then are:

1) The assignment of the timed loops to specific cores.

2) The use of a VIT structure and LabView queues to create multiple threads.

must be one of these two options that is cusing a conflict between my app and temper protection.

I will play with the code and keep you updated!

/Peter

[Wire Warrior]

If you are using a VIT structure doesn't that me you are creating clones. Could it be that when these clones are created that the Symantec initiates a scan of the clone. I could see where that might cause problems.

Jason

[Aristos Queue]

I found some commentary online, unrelated to LabVIEW, suggesting that Symantec doesn't like being locked out -- it might be a program trying to avoid detection. I wonder if the Timed Loop could be causing Symantec to think it is being locked out.

[Jordan Kuehn]

What is the processor usage while it is running? Could it be maxing out one of the cores and thus killing one of those timed loops that's tied to that core?

[spaaw]

If you are using a VIT structure doesn't that me you are creating clones. Could it be that when these clones are created that the Symantec initiates a scan of the clone. I could see where that might cause problems.

Jason

It could be.. ill look into that.

What is the processor usage while it is running? Could it be maxing out one of the cores and thus killing one of those timed loops that's tied to that core?

While running, the processor is at 13-16%. When freezing (thats when its conflicting with Tamper Protection) it jumps up to 90% for up to 5 sec. I tried 2 different computers and the problem is the same. I tried changing the assignments of the timed loops and changing the core assignments with no luck.

I also disabled all writes to disk and tried running 1 core with no luck either.

I will keep you updated.

Thanks again!

/Peter