Author Topic: [Bug] Norton Security Deluxe and deadlock  (Read 1246 times)

fixer

  • Administrator
  • Hero Member
  • *****
  • Posts: 1581
[Bug] Norton Security Deluxe and deadlock
« on: June 16, 2017, 02:32:32 pm »
I haven't researched this issue in-depth, so some inaccuracy is possible. Looks like they have single-threaded communication of user-mode part with their driver. All events are gathered in a queue and served one after another. Sometimes user-mode part tries to start a process to show notification to the user. This process creation is intercepted by ReHIPS. ReHIPS wants to check its database to find rules for this process and tries to open ReHIPS.xml. Norton driver intercepts file access, queueing this event. Deadlock. Norton driver is waiting for the user-mode part, user-mode part is waiting for the process to start, the process is waiting for ReHIPS driver to allow it, ReHIPS driver is waiting for the service to signal, service is trying to open database and waiting for Norton driver.

Possible solutions are to disable autoprotection or add ReHIPS folder to exclusions. The better solution is to fix single-threaded events handling. So keep this Norton feature in mind if you're intercepting some functions and observe strange behavior in conjunction with Norton Security Deluxe.
BTW, ReHIPS was single-threaded in its <1.1.0 versions, but it proved to be dangerous, so from 1.1.0 it's fully multithreaded in terms of events handling.

This issue was found for about a year ago, it wasn't fixed then. I haven't checked it since.
« Last Edit: June 19, 2017, 12:08:03 pm by fixer »