If you check the task manager do you see anything as being suspended?

I have a similar issue with a web proxy program called websense/ForcePoint.

The websense - "wepsvc.exe" gets suspended and restarts over and over. I end up with 100 suspended wepsvc.exe in the taskmgr.

I have tried to exclude it from the anti-bot or threat emulation blade ? can't remember exactly- but it has not helped.

It seems to be a very intermittent problem. Just when I think it is fixed it comes back?

Basically the result is not being able to hit the internet until the machine is restarted. It has on occasion remained suspended through one reboot and a second reboot was necessary to clear it.

Good luck I will update as I learn more as well.

Larry,

I'm seeing a bunch of svchost.exe (around 10) but no processes that have duplicates over 10 on the machine having my issue.  Also, my problem persists through a reboot/shutdown.  I am seeing a bunch of chrome processes (around 4) everytime I boot the machine, I am thinking that is preloaded for the Chrome SBA extension?

Have you added that process into both Threat Emulation policies?  There is the Forensics Policy and the Threat Emulation Policy that you need to add it to. 

Steve,

I have also seen a lot of svchost.exe running on my windows 10 ent 1709, but no of them have been put in suspended mode.

While using sysinternal ProcessExplorer I was not able to find any abnormal about it. 

Have CheckPoint given any feedback to what you are seing?

Best regards

Kim

Hi Steve,

It is interesseting to see what are actually happing. Well for our user it is not that funny though.

I have seen a total lock down of the machine with almost no internet access. It is not specific related to 80/tcp or 443/tcp. 

What I have seen have been Threat Emulation blade were failing or not starting correct when machines boots into windows.

When this happens, I cannot ping websites or internal servers with hostname. reply times is also 4-5 minutes. But if I try to reach them by ip directly, I get a response right away.

So for example c:\> ping google.com 

takes 4-5 minues to resolve.

if I try c:\> ping 8.8.8.8

it takes less than a couple of seconds to reply.

I am in dialog with CheckPoint about this problem. Taking windows kernel dumps, and extracting different kernel dumps from running windows program. This can be done for example by running task manager and right clicking on a server or program, and click on create dump file.

Because we use sharepoint via webservice or web as part of office addin, they frezzes because of the 4-5 minutes timeout because we connect to hostname. So when it happens, the user cannot work or do anything.

When windows have been in locked mode, the only option right now is to reboot machine and hope that threat emulation starts. We have also seen if one blade is not running, the system are starting to generate different kind of problems.

Of course I hope CheckPoint developers are going to solve this. At the very moment it is only 1 machine affected of this bug.

So we spend a lot of time and effort to explain and finding the root course of the problem.

Hope my feedback help with to narrow the problem. 

Is this the same problem you see?

Best regards

Kim

Kim,

After many days and nights of testing, I believe it might be a combination of the Sandblast Blades and Anti-Malware Blade thats causing out issue.  I have seen your exact issue only on one of our machines, but our major recurring issue is different. We just rebuilt the machine that locks up and can only be hard shut down so after I figure out a solution for our ongoing recurring problem, I'll take a look at that one.

-Steve

Steve,

I’ve Got feedback from developers today. Root cause to my problem were related to firewall and threat emulation blade. Which were blocking the machine.

I have today installed a fix  and need to monitor any problems the next couple of days.

Best Regards

Kim

Kim,

Was this a software fix supplied by Check Point? or Registry / Windows changes recommended by Check Point?

Danny,

Yes EA developers made a fix to our e80.71 client where we had to exchange three files.

right now it seems to have solved our issues.

I dont know if the developers have a fix for e80.70. I Think they will need to analyze the root course to your problems. The fix is already included to the future GA of e80.71.

Would you be able to tell me which files they replaced? Is there any chance you'd be willing to message me your SR #, as well? I'd like to at least bring this to the attention of the team looking at our problem in case it is related and they just aren't making the association. 

Thank you in advance!

Daniel,

Please take a look at this thead from our local CheckPoint SE published yesterday.

E80.71 is now in GA, and therefore you would be able to get the version which have the fix included.

Check Point Endpoint Security E80.71 is now GA! 

Please take a look at sk119676 to download E80.71

Thanks

Great, thanks! We will pull down the GA release and see if it resolves anything for us. Fingers crossed!

Not sure if you use Full Disk Encryption but do you know if you had to upgrade your SmartConsole to be able to use FDE Recovery?  I am getting this message below that is saying the version of SmartEndpoint is not compatible with the uploaded client.  We are on R77.30.03 which as far as I know the latest version.  

We are currently not using FDE but because EA engineer recommended to E80.71 GA release because it should be more smooth.

For running E80.71 we needed to upgrade our R77.30.03 to a newer version. We run ver. R77.30.03 (990002040) as endpoint mgmt.

does that help?

Yes thank you!  We will download the newer version of the smartconsole.

What version do you run? Have you tried to upgrade to e80.71.023x? Or one of the newest version available for example e80.81?

Regards

Kim

For what its worth, it seems like we've seen massive improvements across the board with the e80.8x releases. I'd also recommend making sure your Win10 machines are booting using UEFI instead of legacy BIOS boot. We began switching our machines to UEFI and the performance differences across the board have been staggering. 

Hello together,

I'm not sure whether or not you received my direct answer. So I'm posting it here. 

I'm using the latest client that I downloaded a week ago. The reason was that I hat to reset my Computer for win 10 fall creators update (1709-16299). I'm using UEFI - this was the reason my wi 10 update didn't work originally (too small EFI Partition).

So

UEFI check

win 10 1709 check

CP Client e80.81 check

Are there any logfiles I can send to help?

Hmmm ... to be totally sure I searched for the e80.81 version and reinstalled it (prior to this I was sent to the download page by the old client - if I remember right). After reinstalling the software currently all seems to work. Possibly it wasn't the newest Version of the client?! Windows also sent another minor update meanwhile.

It might be, that it is necessary to work a while on the remote System. This I didn't check after reinstalling, i.e. I just established VPN and connected and disconnected to the remote system and disconnected cp client.

I will keep an eye on this and maybe come back. 

Until my return I will nevertheless thank you for your assistance.

Michael,

Good to hear that right now it is working for you.

Did you install/upgrade other software prior to your deployment of e80.71?

I cannot remember if I gave the root cause to our problems with the version we used. 

We had been testing this version on machines over time, and we didn't detect any critical incidents. Suddenly some our our controllers from the finance department complained their machines block the use of local and external resources.

Form there we started our bigger investigation together with Check Point developers. 

It was memory dumps from different programs and extraction of cpinfo from machines and so.. we had no 80/tcp or 443/tcp access. Check Point developers was not able to get remote access to do their work.

After a week or so, we started to see a pattern of who was affected.

It showed while upgrading to e80.71 our team had installed a new Microsoft finance application. So while we started to ask questions if this software could be the reason why the endpoint blocked and locked down the computers. Check Point developers did a amazing work, and pointed to a file named navsip.dll in a certain Microsoft build. 

Together with Check Point, Microsoft had as similar problem in their endpoint client. They did also confirm we could exchange this version of navsip.dll with a newer version, and then everything worked.

Check Point made a fix to e80.72 which was released in Q1-Q2 of 2018 that have a fix to the above issue.

I know our problems was solved in e80.71.0232.

We do deal with high CPU usage while once in a while, but as I remember the newer version of the Check Point endpoint have solved this.. I recall it might have something to do with threat emulation of scanned files while or after a scheduled malware scan.

Looking forward to hear, what the developers tells after analyzing your endpoint incidents.