6. April 2019
Running Docker containers in process isolation when Symantec Endpoint Protection is installed
A couple of month ago, Microsoft and Docker enabled process isolation for Docker containers on Windows 10. That matters a lot because the alternative is hyper-v isolation which means that you actually run a “mini VM” every time you run a container. Depending on the circumstances, that can be a very desirable feature but when you are running containers on your local machine for development, it probably it isn’t as it forces you to allocate memory in advance and just adds some overhead that you don’t need in that case. Therefore I was very happy when I saw this and even tried it with non-released builds but it failed. The containers froze on startup and I didn’t find a way forward, even with the help of John Howard, one of the persons working on Docker containers from the Microsoft side.
Then I found out that it was related to Symantec Endpoint Protection, a tool which usage is mandatory (for very good reasons, of course) in my company. Uninstalling it allowed the containers to run, but that wasn’t a viable solution. Fortunately one of the Security Administratory in my company, Laurent Dalciet, dug deeper and came up with a solution which now allows me to run containers in process isolation! As I found a couple of other people with similar problems, but no solution, I wanted to share this, so I asked him what he did and he was kind enough to create the following step by step instructions. Thanks a lot!
- Go to Application & Device Control Policies part in your SEPM
- Choose the policy you want to change (linked to the computers SEPM group)
- Go to Application Control and click on the Add button:
- Tick the “Sub processes Inherit…” box
- Click on Add
- Select Add Condition => Launch Process Attempts
- Click on Add
- Add the processes listed below and go to the “Actions” part
- Select “Allow Access” and quit all windows opened by clicking on “Ok” on each one.
- Go to the concerned computers and “Update Policy” on the SEP client to apply the change immediately.