Technical Advisory: Deadlocked TaniumClient.exe caused by Symantec Endpoint Protection

Summary
Due to a known deadlock issue in certain versions of Symantec Endpoint Protection, it is possible for the Tanium Client to spawn processes that can not be killed.  These processes are deadlocked by Symantec in the OS kernel when an anti-virus update is applied.  When this occurs, the Tanium Client parent process starts a child process in an attempt to continue communicating and operating properly.  This cycle can lead to a large number of TaniumClient.exe processes which can not be stopped, and effects the usability of the machine until the machine is rebooted.  
 
Symantec had previously identified and resolved the issue, and had also provided a workaround configuration to solve the issue on the effected version numbers.
 
Affected Customers
Tanium customers with Symantec Endpoint Protection version 12.1 RU4 MP1 or higher.
Solution
Update SEP to 12.1 RU6 or higher.
 
Workaround
The following can be used as a workaround until the product is updated to RU6 or later:
Manually create a folder exception for Symantec Endpoint Protection Virus and Spyware Definitions on affected computers. Follow the instructions in knowledge base document HOWTO80920 to create a folder exception for the following folder: C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Definitions\VirusDefs
Additional Information 
Detailed instructions and information can be found at the following Symantec Support Article:
Windows computers sometimes hang on startup after installing Symantec Endpoint Protection 12.1 RU4 MP1 or newer 
Have more questions? Submit a request