How to get Chrome and "Symantec Endpoint Protection" (SEP) to work together?

I absolutely love the browser Google Chrome. If you have not tried it yet, I highly recommend it. You can download Chrome from http://www.google.com/chrome. It is small, fast, efficient and unobtrusive, just the way a browser should be. However, this post is not about Google Chrome; there are plenty of those on the internet. This post is about how to get the antivirus system "Symantec Endpoint Protection" (SEP) and Chrome to coexist on your computer.

The problem:
SEP (http://www.symantec.com/business/endpoint-protection) is a pretty good product. I have been using it for some years now and I do not have any complaints. Version 11 is the latest. I am sure it is as good as its predecessors, if not better. However, it does not get along with Chrome. If you have version 11 of Symantec installed on your machine, it will not allow Chrome to work. If you try to open Chrome, either by clicking on a Chrome shortcut or by clicking on any hyperlink, the Chrome window will come up with an apology. It will not work.

Solution 1: Modify your antivirus

If you go through the long post you will find the following suggestion as a workaround:
1) Back up the registry on an affected system.
2) Open the registry on the Agent system by entering regedit from a run prompt.
3) Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysPlant.
4) Open the Start DWORD.
5) Change the value to 4 to disable the drivers.
6) Reboot the system to commit the changes.

It is a workaround and not a solution. I did not try this workaround since it involves disabling something in my antivirus system whose implications I did not understand.
In SEP 11.0.3001.2224, Google Chrome works by default, as claimed in https://forums.symantec.com/syment/board/message?message.uid=360914#U360914. I do not have that version of SEP and hence cannot comment on it. There are suggestions in some posts that version 11.0.3001.2224 fixes the problem by forcing Chrome to work without its sandbox. I am not comfortable disabling that either.

The sandbox is a default security mechanism in Chrome. You can find a non-techie explanation at http://blogoscoped.com/google-chrome/26. It is one of the unique features of Chrome and I am not comfortable switching it off. Chrome will not be the same without it. However, if you must switch off one thing or the other, I would rather switch off the sandbox in Chrome. Since I do not have SEP 11.0.3001.2224, I will have to switch off Chrome's sandbox manually.

There are multiple points from which Chrome can be started. Unfortunately, we will have to go to each of those points and switch off the sandbox. So, here is how to do that.

Solution 2, Step 1: Modify the Chrome shortcuts
You could start Chrome from the Start menu, the Quick Launch bar or a desktop shortcut. In each of these cases a right click + click on "Properties" will reveal the "Target". Generally that is set to the full path name of Chrome, something like "...\Local Settings\Application Data\Google\Chrome\Application\chrome.exe". All you have to do is append " --no-sandbox" to it and save the setting. Please note the empty space before "--no". Next time you start Chrome from any one of these icons, your SEP will not be offended. You can find this suggestion also provided by the Google support folks at http://code.google.com/p/chromium/issues/detail?id=38.

Solution 2, Step 2: Modify the way Windows launches Chrome
You could also start Chrome by clicking on any hyperlink in Word, your email etc. Admittedly, this will not be the case unless you have set Chrome as your default browser. I like using Chrome as the default browser and hence the following bit was also required.

1) Back up the registry on an affected system.
2) Open the registry by entering regedit from a run prompt.
3) Search for ChromeHTML in keys. There might be multiple matches. However, we are looking for a key named ChromeHTML which has "shell\open\command" as its subkeys.
4) Navigate to ...\ChromeHTML\shell\open\command. Append " --no-sandbox" to the default key. Please note the empty space before "--no". Save it.
5) On the same hierarchy level as ChromeHTML, you should also have the keys "http" and "https", which also have "shell\open\command" as their subkeys. Make the same change, i.e. append " --no-sandbox" to the default key in "\shell\open\command", for the keys "http" and "https" as well.
6) Save the values. Close the registry. Reboot Windows.
Now you should be able to click on any hyperlink and have it opened in Chrome.

I have not found any official source, i.e. Google or Symantec, suggesting a solution to bring up Chrome on a click on any hyperlink. Hence I have tinkered around and found the workaround that I have just mentioned. As you can see, this involves a fair bit of work on the registry of your Windows, which should generally be avoided. However, since I just had to have Chrome working as the default browser, I risked it. If you are a techie person, you should be fine following that procedure, but ultimately, use your own discretion.
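Because the sandbox ends up disabled in several separate places, it is worth being able to list them later, for example once a fixed SEP version is installed and the changes should be reverted. The following read-only PowerShell audit is an added example, not part of the original post. It reports the SysPlant start type from Solution 1 and every handler or shortcut that carries " --no-sandbox" from Solution 2. The registry hives and shortcut folders it scans are assumptions, since the post only gives "..." for those paths.

```powershell
# Added audit example (not from the original post). Read-only: changes nothing.
$flag = '--no-sandbox'

# Solution 1: SysPlant driver start type. 4 = disabled (the workaround's value).
$svc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\SysPlant' `
         -Name Start -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    'SysPlant: key not found'
} elseif ($svc.Start -eq 4) {
    'SysPlant: Start=4, driver DISABLED'
} else {
    "SysPlant: Start=$($svc.Start), driver not disabled"
}

# Solution 2, step 2: URL handlers. Assumed hives: the per-user and
# per-machine Classes keys that Windows merges into HKEY_CLASSES_ROOT.
$hives = 'HKCU:\Software\Classes', 'HKLM:\SOFTWARE\Classes'
foreach ($hive in $hives) {
    foreach ($name in 'ChromeHTML', 'http', 'https') {
        $path = Join-Path $hive "$name\shell\open\command"
        $key  = Get-Item -Path $path -ErrorAction SilentlyContinue
        if ($null -eq $key) { continue }
        $cmd = [string]$key.GetValue('')      # '' selects the (Default) value
        if ($cmd -like "*$flag*") { "HANDLER  $path -> $cmd" }
    }
}

# Solution 2, step 1: shortcuts. Assumed locations: the current user's
# desktop, Start menu and Quick Launch folders.
$dirs = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('StartMenu'),
    (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch')
) | Where-Object { $_ -and (Test-Path $_) }

$shell = New-Object -ComObject WScript.Shell
$dirs |
    ForEach-Object { Get-ChildItem -Path $_ -Filter *.lnk -Recurse -ErrorAction SilentlyContinue } |
    ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)   # opens the .lnk for reading
        if ($lnk.TargetPath -like '*chrome.exe' -and $lnk.Arguments -like "*$flag*") {
            "SHORTCUT $($_.FullName) -> $($lnk.Arguments)"
        }
    }
```

Any HANDLER or SHORTCUT line in the output is a launch point where Chrome starts without its sandbox; no such lines means none were found in the scanned locations.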

So, there it is. Enjoy.

1 comment:

one click tips said...

Thank you so much;
Being one of the most popular web browsers that enjoy worldwide popularity, Google Chrome has received a chunk of compliments along with a number of complaints. One of the highest headaches that are troubling users is Google Chrome not working. Hope this blog helps you. Also, sharing makes it more helpful and helpful.