Restart Manager restarts services during ENS installation
Last Modified: 2023-06-09 09:16:10 Etc/GMT
Technical Articles ID:
KB94045
Environment
Endpoint Security (ENS) Adaptive Threat Protection (ATP) 10.x
ENS Threat Prevention 10.x
Microsoft Windows Restart Manager
Summary
During the installation of ENS, there might be services that have ENS modules loaded into their memory space. You might need to shut down and restart these services. The restart is needed to unload those modules, so the installation process can replace them. The Windows Restart Manager, on behalf of the MSI installer, cycles those services. You can observe the cycling through the Windows Application log or the MSI installation log of the respective ENS component. For example, Antimalware Scan Interface (AMSI) integration is available in ENS. Services that are restarted could have modules related to the AMSI scan functionality loaded into their process space.
Problem
Windows Restart Manager restarts non-critical services during the ENS installation process. A list of non-critical services that might be restarted during the ENS installation is included below:
NOTE: Critical system services (services that wouldn't be subject to restart) in this context refer to services that Microsoft has identified as essential for the core operating system stability. For more information, see the Microsoft Restart Manager documentation.
Using the Common module of ENS as an example, the MSI installation log file
The Windows Application log also logs these activities. The installation log and the Windows Event Log must correlate to the same time:
The ENS Common module starts its installation through MSI.
INFORMATION A service needs restarting due to this process loading ENS modules that require replacement.
INFORMATION The service is successfully reported as being restarted.
System Change
You've upgraded ENS recently.
Cause
The ENS Threat Prevention and ATP AMSI features are enabled in the environment. When the AMSI feature is enabled, several DLLs or modules are loaded into third-party processes. The DLLs or modules need to be unloaded at installation time so they can be replaced.
Solution
This behavior is as designed.
Workaround
Perform the following 'Restart Manager' registry change steps to enable the key "DisableAutomaticApplicationShutdown" during the ENS install and to rotate the changes post ENS deployment. This change disables 'Restart Manager' from automatically shutting down applications and services.
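One way to script the temporary policy change described above, as an added example (not Trellix's documented steps or code). It assumes the policy value sits under HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer and that a DWORD of 1 turns off automatic shutdown, as described in Microsoft's Windows Installer policy documentation; the installer path and arguments are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example: set DisableAutomaticApplicationShutdown for the duration of
# one install, then put the policy back exactly as it was found.
# Assumptions: policy path and value 1 (per Microsoft's Windows Installer
# policy documentation); installer path and arguments are placeholders.
$PolicyKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
$ValueName     = 'DisableAutomaticApplicationShutdown'
$Installer     = '<path-to-ENS-installer>'   # placeholder
$InstallerArgs = '<installer-arguments>'     # placeholder

# Record the prior state so the finally block can restore it.
$previous = $null
if (Test-Path $PolicyKey) {
    $previous = (Get-ItemProperty -Path $PolicyKey -Name $ValueName `
                 -ErrorAction SilentlyContinue).$ValueName
} else {
    New-Item -Path $PolicyKey -Force | Out-Null
}

try {
    # 1 = Restart Manager does not shut down applications or services.
    New-ItemProperty -Path $PolicyKey -Name $ValueName `
        -PropertyType DWord -Value 1 -Force | Out-Null

    $proc = Start-Process -FilePath $Installer -ArgumentList $InstallerArgs `
            -Wait -PassThru
    # 3010 is the Windows Installer code for "success, reboot required".
    Write-Output "Installer exit code: $($proc.ExitCode)"
}
finally {
    # Runs even if the install fails, so the policy is never left changed.
    if ($null -ne $previous) {
        Set-ItemProperty -Path $PolicyKey -Name $ValueName -Value $previous
    } else {
        Remove-ItemProperty -Path $PolicyKey -Name $ValueName `
            -ErrorAction SilentlyContinue
    }
}
```

With automatic shutdown disabled, modules that are still loaded in a running service are not unloaded by the install, so plan a reboot or a controlled service restart before treating the upgrade as complete.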