Need solution and mitigation techniques for memory exploit attack signatures.

I need a solution

Hi Guys,

Recently, there was a couple of IPS signatures triggered as shown below:

Memory Exploit Attack: Memory Heap Spray detected for legit MS file : C:Program FilesMicrosoft OfficeOffice14EXCEL.EXE

Attack: Structured Exception Handler Overwrite for file ccSvcHst.exe under path C:Program Files (x86)SymantecSymantec Endpoint Protection14.0.3929.1200.105BinccSvcHst.exe.

We also have symantec ATP Endpoint solution through which we receive incidents for these signatures. Upon checking, both files are legit and did not experience any applicaiton crash or anything. 

We are wondering how to handle memory exploit attacks in terms of handling, mitigation and action. Can any expert guide me with links and process for handling this. Was there any FP alerts reported for legit files before?




ccSvcHst.exe crash – Symantec Framework error

I need a solution

I have been seeing this error repeatedly on a single server in our environment. The SEP icon is not showing in the taskbar, but I can open the client (from the All Programs menu) and it opens without issue. I’ve checked the SEPM and it appears as online and fully updated. However, this error re-occurs about once a day. 

Error message below:

Problem signature:
  Problem Event Name:    APPCRASH
  Application Name:    ccSvcHst.exe
  Application Version:
  Application Timestamp:    599f4250
  Fault Module Name:    ntdll.dll
  Fault Module Version:    6.3.9600.18895
  Fault Module Timestamp:    5a4b127e
  Exception Code:    c0000022
  Exception Offset:    0009d4e2
  OS Version:    6.3.9600.

Read our privacy statement online:

If the online privacy statement is not available, please read our privacy statement offline:



Can’t install App Layering Agent, “System.MissingMethodException”

The Citrix Agent install fails because the Agent won’t start. Windows says there was a timeout waiting for the service, but in reality it immediately crashes with a .Net error in the Windows Application event log.

Application Log events:

Log Name: Application

Source: Application Error

Date: 5/31/2018 4:10:15 PM

Event ID: 1000

Task Category: Application Crashing Events

Level: Error

Keywords: Classic

User: N/A

Computer: ComputerName


Faulting application name: Citrix.AppLayering.Agent.Service.exe, version:, time stamp: 0x5aafec57

Faulting module name: KERNELBASE.dll, version: 6.3.9600.18895, time stamp: 0x5a4b1cf7

Exception code: 0xe0434352

Fault offset: 0x00000000000092fc

Faulting process id: 0x8024

Faulting application start time: 0x01d3f91b5a5c5df7

Faulting application path: C:Program Files (x86)CitrixAgentCitrix.AppLayering.Agent.Service.exe

Faulting module path: C:Windowssystem32KERNELBASE.dll

Report Id: a15b981a-650e-11e8-80ed-005056aa2ca7

Log Name: Application

Source: .NET Runtime

Date: 5/31/2018 4:10:00 PM

Event ID: 1026

Task Category: None

Level: Error

Keywords: Classic

User: N/A

Computer: ComputerName


Application: Citrix.AppLayering.Agent.Service.exe

Framework Version: v4.0.30319

Description: The process was terminated due to an unhandled exception.

Exception Info: System.MissingMethodException

at Castle.Facilities.WcfIntegration.WcfBehaviorActivator..ctor(Castle.Core.ComponentModel, Castle.MicroKernel.IKernel, Castle.MicroKernel.ComponentInstanceDelegate, Castle.MicroKernel.ComponentInstanceDelegate)

at DynamicClass.lambda_method(System.Runtime.CompilerServices.Closure, System.Object[])

at Castle.Core.Internal.ReflectionUtil.Instantiate(System.Reflection.ConstructorInfo, System.Object[])

at Castle.Core.Internal.ReflectionUtil.Instantiate[[System.__Canon, mscorlib, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089]](System.Type, System.Object[])

at Castle.MicroKernel.DefaultKernel.CreateComponentActivator(Castle.Core.ComponentModel)

Exception Info: Castle.MicroKernel.KernelException

at Castle.MicroKernel.DefaultKernel.CreateComponentActivator(Castle.Core.ComponentModel)

at Castle.MicroKernel.Handlers.DefaultHandler.InitDependencies()

at Castle.MicroKernel.Handlers.AbstractHandler.Init(Castle.MicroKernel.IKernelInternal)

at Castle.MicroKernel.Handlers.DefaultHandlerFactory.Create(Castle.Core.ComponentModel)

at Castle.MicroKernel.DefaultKernel.AddCustomComponent(Castle.Core.ComponentModel)

at Castle.MicroKernel.DefaultKernel.Register(Castle.MicroKernel.Registration.IRegistration[])

at Castle.Windsor.WindsorContainer.Register(Castle.MicroKernel.Registration.IRegistration[])

at Castle.Windsor.Installer.AssemblyInstaller.Install(Castle.Windsor.IWindsorContainer, Castle.MicroKernel.SubSystems.Configuration.IConfigurationStore)

at Castle.Windsor.WindsorContainer.Install(Castle.MicroKernel.Registration.IWindsorInstaller[], Castle.Windsor.Installer.DefaultComponentInstaller)

at Castle.Windsor.WindsorContainer.Install(Castle.MicroKernel.Registration.IWindsorInstaller[])

at Citrix.AppLayering.Agent.Service.Program.ConfigureWindsorForService()

at Citrix.AppLayering.Agent.Service.Program.Main(System.String[])


SEP 14.2 crashes

I need a solution

We have started testing SEP 14.2 and on atleast two of our Windows 10 machines we see that the SEP service crashes right after boot.

We have tried uninstalling all features except AV and the problem still persist.

If we are quick we are able to open the SEP GUI right after boot before it crashes. It will then be green until it turns red and malfunctioning.
At this point the SEPmaster service stops and we can’t open the GUI.

Anyone else experiencing this problem?

The environment is enrolled into the cloud




7022943: Attachmate.Emulation.Frame.EXE experiences crash on load when .NET machine.config file has malformed XML

The Attachmate.Emulation.Frame.EXE from Reflection Desktop 16 can experience a crash on load when the .NET machine.config file has malformed XML. The IBM ACCESS application for .NET can corrupt the .NET interface file named “machine.config” as noted in the following link.

Then when the Attachmate.Emulation.Frame.EXE from Reflection Desktop 16 loads, the .NET framework will generate an exception code that is passed to the Reflection Desktop software and this exception causes the Reflection Workspace to crash with the following types of errors listed below:

First error that appears:

Faulting application name: Attachmate.Emulation.Frame.exe, version:, time stamp:0x561cc4a5

Faulting module name: KERNELBASE.dll, version: 6.1.7601.19110, time stamp: 0x56842600

Exception code: 0xe0434352

Fault offset: 0x0000c42d

Faulting process id: 0xeb4

Faulting application start time: 0x01d15ed2aa44d69a

Faulting application path: C:Program Files (x86)Micro FocusReflectionAttachmate.Emulation.Frame.exe

Faulting module path: C:Windowssyswow64KERNELBASE.dll

Second error:

Application: Attachmate.Emulation.Frame.exe

Framework Version: v4.0.30319

Description: The process was terminated due to an unhandled exception.

Exception Info: System.Xml.XmlException

at System.Xml.XmlTextReaderImpl.Throw(System.Exception)

at System.Xml.XmlTextReaderImpl.Throw(System.String, System.String[])

at System.Xml.XmlTextReaderImpl.ThrowTagMismatch(NodeData)

at System.Xml.XmlTextReaderImpl.ParseEndElement()

at System.Xml.XmlTextReaderImpl.ParseElementContent()

at System.Xml.XmlTextReaderImpl.Read()

at System.Xml.XmlTextReader.Read()

at System.Xml.XmlTextReaderImpl.Skip()

at System.Xml.XmlTextReader.Skip()

at System.Configuration.XmlUtil.StrictSkipToNextElement(System.Configuration.ExceptionAction)

at System.Configuration.BaseConfigurationRecord.ScanSectionsRecursive(System.Configuration.XmlUtil,System.String, Boolean, System.String, System.Configuration.OverrideModeSetting, Boolean)

at System.Configuration.BaseConfigurationRecord.ScanSections(System.Configuration.XmlUtil)

at System.Configuration.BaseConfigurationRecord.InitConfigFromFile()

Exception Info: System.Configuration.ConfigurationErrorsException

at System.Configuration.ConfigurationSchemaErrors.ThrowIfErrors(Boolean)

at System.Configuration.BaseConfigurationRecord.ThrowIfParseErrors(System.Configuration.ConfigurationSchemaErrors)

at System.Configuration.BaseConfigurationRecord.ThrowIfInitErrors()

at System.Configuration.ClientConfigurationSystem.EnsureInit(System.String)

Exception Info: System.Configuration.ConfigurationErrorsException

at System.Configuration.ConfigurationManager.PrepareConfigSystem()

at System.Configuration.ConfigurationManager.GetSection(System.String)

at System.Configuration.PrivilegedConfigurationManager.GetSection(System.String)

at System.Diagnostics.DiagnosticsConfiguration.Initialize()

at System.Diagnostics.DiagnosticsConfiguration.get_SwitchSettings()

at System.Diagnostics.Switch.InitializeConfigSettings()

at System.Diagnostics.Switch.InitializeWithStatus()

at System.Diagnostics.Switch.get_SwitchSetting()

at Attachmate.Utilities.ProfileTrace.WriteLine(System.Object, System.String)

at Attachmate.Emulation.Frame.FrameApplication..ctor()

at Attachmate.Emulation.Frame.Program.Main()


14.0.1 Hot Fix 2 Still Crashing on Remote Connection

I need a solution

After applying hotfix 1 for the “Product Error Requires Attention” on some of my machines, I noticed using Bomgar to remote into clients would cause the crash as described here:…

I applied the new hotfix today and SEP still crashes when remoting into the machine, but this time without a popup. The GUI will crash and all the services will then stop and then restart.

I have a case in, but the engineer is telling me the only way to roll back is to uninstall (using cleanwipe) from all the machines I’ve updated and then re-install fresh. (Case 13986722). Are there any other answers for me?