On servers that are running the ChangeAuditor agent along with Symantec Antivirus or Symantec Backupexec agents, the agent may hang when shutdown or during the upgrade process. A subsequent reboot may be required to resolve this issue.
Usually the RelatedFileObject field in the file driver is NULL and a check against it is sufficient to see if our driver can use the field. However in the case of requests forwarded by the anti-virus driver, the field may contain a non-NULL value and that caused our driver to use the field. The fix is to ignore the field and only use it in object opens and creations as documented now by Microsoft.
The driver unload logic has a loop to wait for all outstanding requests to finish before completing. If there a outstanding requests not satisfied, memory will not be released. Also since the usage of the RelatedFileObject was definitely wrong, the wrong usage may have lead to the unusually long file name which in turn can explain the leak.
WORKAROUND
Please contact technical support before implementing this workaround for updated information.
To make sure the agent will shut down properly, the ChangeAuditor file driver must be disabled via a registry key and the system rebooted.
Apply the following registry key to each server.
Prevent File Driver from Load
Path: HKEY_LOCAL_MACHINESOFTWARENetProChangeAuditor for ADAgent
Value Name: DisableFileDriver
Value Type: DWORD
Value: 1 - Disable File Driver
For the registry key to take effect, each server must be rebooted.
When rebooting the server use the shutdown.exe command with the force restart switch.
shutdown /r /f
This will force the ChangeAuditor agent to shut down. Once the server is rebooted, the file driver will be disabled and the service can be shut down properly.
The agent should then be uninstalled to remove the registry entry before installing a new agent. Version 4.7.46 or above.
© 2024 Quest Software Inc. ALL RIGHTS RESERVED. Feedback Terms of Use Privacy Cookie Preference Center