Symptoms
One or more “SYMANTEC TAMPER PROTECTION ALERT” error events are written by Symantec Antivirus to the Application log. These messages are usually paired with a "CPU Utilization Management cannot manage process <PID>" warning event written by CTXCPUUtilMgmt to the Application log.
An example Symantec Antivirus event is as follows:
Log: Application
Type: Error
Source: Symantec Antivirus
Event: 45
Description: SYMANTEC TAMPER PROTECTION ALERT
Target: C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
Event Info: Open Process
Action Taken: Blocked
Actor Process: C:\Program Files\Citrix\Server Resource Management\CPU Utilization Management\bin\ctxcpusched.exe
Event Type: Error
Event Source: Symantec AntiVirus
Event Category: None
Event ID: 45
Date: 3/5/2008
Time: 7:35:38 AM
User: NT AUTHORITY\SYSTEM
Computer: YourServerName
Description:
SYMANTEC TAMPER PROTECTION ALERT
Target: C:\Program Files\Common Files\Symantec Shared\ccApp.exe
Event Info: Set Information Process
Action Taken: Blocked
Actor Process: C:\Program Files\Citrix\Server Resource Management\CPU Utilization Management\bin\ctxcpusched.exe (PID 3016)
Time: 2008年3月5日 7:35:38
An example CTXCPUUtilMgmt event is as follows:
Log: Application
Type: Warning
Source: CTXCPUUtilMgmt
Event ID: 1542
Description: CPU Utilization Management cannot manage process <PID>.
Windows system message: 0x5.
Event Type: Warning
Event Source: CTXCPUUtilMgmt
Event Category: (1)
Event ID: 1542
Date: 3/5/2008
Time: 7:51:47 AM
User: N/A
Computer: YourServerName
Description:
CPU Utilization Management cannot manage process 4172.
Windows system message: 0x5.
The two events are associated by the Process Identifier (PID) in the CTXCPUUtilMgmt event and the PID of the Target in the Symantec Antivirus event.
Cause
Symantec Antivirus has a configurable Tamper Protection feature. When enabled, the feature prevents Symantec Antivirus processes from being manipulated by non-Symantec processes.
In this case, Tamper Protection prevents the CPU Utilization Management feature from controlling Symantec's CPU usage.
Resolution
If the Application log messages are deemed to be a nuisance, CPU Utilization Management can be configured through the registry to exclude named Symantec processes from its control.
WARNING! Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.
For information about how to edit the registry, view the "Changing Keys and Values" Help topic in Registry Editor (Regedit.exe) or the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe. Make sure you back up the registry before you edit it. If you are running Windows NT, also update your Emergency Repair Disk (ERD).
1. Go to Start > Run, type regedit, and then click OK.
2. Locate and click the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\CTXCPU
3. On the Edit menu, go to New and click Multi-String Value.
4. Type ProcessesToExclude and press Enter.
5. Right-click ProcessesToExclude and then click Modify.
6. In the Value data box, type the full path of each Symantec executable that you wish to exclude from Citrix Presentation Server CPU Utilization Management's control, and then click OK. Use one line per path.
Note: You can determine the path to each affected Symantec executable by noting the Target in each Symantec Antivirus event. Examples of Symantec executables are:
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
7. Quit the Registry Editor.
8. Open the Services Control Panel (services.msc), right-click the Citrix CPU Utilization Mgmt/Resource Mgmt entry and select Restart.
Note that you will still see one Application log error event from Symantec Antivirus for each affected Symantec process, but you will no longer see the related CTXCPUUtilMgmt Application log warning event.
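To build the step 6 value data from the events rather than by hand, the following added example (not Citrix or Symantec code) parses Event ID 45 descriptions, keeps each Target that was blocked with ctxcpusched.exe as the Actor Process, and sets aside alerts raised by any other actor. The sample text, its third alert and that alert's actor path are constructed for illustration; the Citrix install path is assumed to match the one in the example event above.

```python
import re

# Assumed install path, copied from the Actor Process in the page's example event.
CITRIX_ACTOR = r"C:\Program Files\Citrix\Server Resource Management\CPU Utilization Management\bin\ctxcpusched.exe".lower()
ALERT = "SYMANTEC TAMPER PROTECTION ALERT"
FIELD = re.compile(r"^(Target|Action Taken|Actor Process):[ \t]*(.+?)\s*$", re.M)
PID_SUFFIX = re.compile(r"\s*\(PID \d+\)$")

# Constructed sample shaped like the page's Event ID 45 descriptions (third alert invented).
SAMPLE = r"""
SYMANTEC TAMPER PROTECTION ALERT
Target: C:\Program Files\Common Files\Symantec Shared\ccApp.exe
Event Info: Set Information Process
Action Taken: Blocked
Actor Process: C:\Program Files\Citrix\Server Resource Management\CPU Utilization Management\bin\ctxcpusched.exe (PID 3016)
SYMANTEC TAMPER PROTECTION ALERT
Target: c:\program files\common files\symantec shared\ccapp.exe
Event Info: Open Process
Action Taken: Blocked
Actor Process: C:\Program Files\Citrix\Server Resource Management\CPU Utilization Management\bin\ctxcpusched.exe (PID 3016)
SYMANTEC TAMPER PROTECTION ALERT
Target: C:\Program Files\Symantec AntiVirus\Rtvscan.exe
Event Info: Open Process
Action Taken: Blocked
Actor Process: C:\Example\unknown-tool.exe (PID 4321)
"""

def parse_alerts(text):
    """Return one dict of fields per Tamper Protection alert description."""
    return [{k: PID_SUFFIX.sub("", v) for k, v in FIELD.findall(chunk)}
            for chunk in text.split(ALERT)[1:]]

def triage(text):
    """Split blocked alerts into (ProcessesToExclude paths, alerts to review)."""
    exclude, review, seen = [], [], set()
    for alert in parse_alerts(text):
        target, actor = alert.get("Target"), alert.get("Actor Process", "")
        if not target or alert.get("Action Taken") != "Blocked":
            continue
        if actor.lower() != CITRIX_ACTOR:
            review.append(alert)       # not explained by CPU Utilization Management
        elif target.lower() not in seen:
            seen.add(target.lower())   # Windows paths are case-insensitive
            exclude.append(target)
    return exclude, review

if __name__ == "__main__":
    paths, other = triage(SAMPLE)
    print("\n".join(paths), [a["Actor Process"] for a in other], sep="\n")
```

The first part of the output is one path per line, ready for the Value data box; alerts in the review list name a different Actor Process, so the ProcessesToExclude setting does not account for them.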