- Symantec Endpoint Protection 14 fixes
- Component Versions in Symantec Endpoint Protection 14.0.1904.0000
Multiple "Risk Outbreak" email notifications are sent out by SEPM
FIX ID: 3707721
Symptom: Symantec Endpoint Protection Manager sends out more than one "Risk Outbreak" email notification for each risk detection.
Solution: The management console now only sends one "Risk Outbreak" email notification per corresponding risk detection.
Long delay or system hang when logging on to Windows
FIX ID: 3718535
Symptom: After the installation of Symantec Endpoint Protection, a significantly long delay or a system hang occurs at Windows logon.
Solution: Removed a delay load operation for WS2_32.dll from the firewall packet processing thread.
A bad fingerprint list can be imported into SEPM
FIX ID: 3732720
Symptom: A corrupt or malformed fingerprint list can be imported into the management console without any errors by appending it to an existing fingerprint list.
Solution: Symantec Endpoint Protection Manager now checks a fingerprint list for corruption before appending it to an existing fingerprint list. An exception is thrown to notify the administrator and to prevent corrupt fingerprint lists from being allowed into the database.
SONAR-detected Threat/Risk names are missing from SEPM Report/Logs
FIX ID: 3712302
Symptom: The risk names associated with heuristic threats detected by SONAR do not display properly in the Symantec Endpoint Protection Manager logs.
Solution: Added a new column to the report and logs for SONAR that includes the risk name for heuristic threats in Symantec Endpoint Protection Manager. The risk name was also added to the detailed view of threats for the SONAR logs.
Orphaned rows in database tables despite retention limit of 60 days
FIX ID: 3719323
Symptom: There are orphaned rows present in the ALERTS/ANOMALY_REMEDIATION/ANOMALYREMEDIATIONS tables, despite a retention limit of 60 days.
Solution: The agent sweeping task now sweeps orphaned entries from these tables.
MMC.exe uses 100% CPU after closing the Display Virus List window in Central Quarantine
FIX ID: 3744905
Symptom: Closing the windows that display when you click Display Virus List in Central Quarantine causes the mmc.exe process to use 100% of the CPU.
Solution: Prevents an invalid object from being accessed when the thread completes.
Auto-Protect file exceptions exclude manual scans on files in Program Files folder
FIX ID: 3756513
Symptom: A manual scan does not scan files in the Program Files folder, which has been configured to be excluded from Auto-Protect scans.
Solution: Stopped excluding files from manual scans when exclusions are set for Auto-Protect only.
Weekly scheduled scans get suspended after the scan starts or resumes
FIX ID: 3715517
Symptom: Administrator-defined weekly scheduled scans get suspended within 1-2 minutes of starting or resuming them.
Solution: Cleared registry entries from previous scan type after a change to an administrator-defined scan, so that the correct suspend time is returned correctly.
Managed SEP client for Linux retains default LiveUpdate sources when configured to use a custom LiveUpdate source
FIX ID: 3755653
Symptom: A managed Symantec Endpoint Protection client for Linux that is configured to use a custom internal LiveUpdate source attempts to access Symantec LiveUpdate over the Internet if access to the internal LiveUpdate source fails.
Solution: A managed Symantec Endpoint Protect for Linux client now properly applies configuration changes for LiveUpdate hosts.
Timestamps are inconsistent when external logging is used in SEPM
FIX ID: 3761003
Symptom: The timestamp columns contain data in both GMT and a local time zone when you configure Symantec Endpoint Protection Manager to use external logging.
Solution: Only uses the local time zone format in the timestamps column in the log generated by the external logging server.
SEP Client migration by AutoUpgrade does not honor communication settings in the client install package
FIX ID: 3758498
Symptom: The Symantec Endpoint Protection client installer always maintains existing communication settings when upgrading by AutoUpgrade, regardless of policy configuration.
Solution: Client upgrade by AutoUpgrade now correctly honors the policy option to replace communication settings and policies.
Custom Host Integrity logging shows a notification area message
FIX ID: 3766370
Symptom: Custom Host Integrity logging incorrectly triggers the display of a notification area (system tray) message.
Solution: Disabled the flag which allows these messages to display for custom messages.
"Check floppies for boot virus when accessed" doesn’t detect a boot sector infection when a USB drive connects
FIX ID: 3705512
Symptom: Even with the "Check floppies for boot virus when accessed" option enabled, Symantec Endpoint Protection does not detect a boot sector infection when a USB drive connects.
Solution: Detects NTFS boot sectors in a similar fashion to FAT16/FAT32 for Auto-Protect to detect boot sector infections when a USB drive connects.
ADC logs exported from the SEPM console are delimited by forward slashes instead of backslashes
FIX ID: 3775299
Symptom: When viewing Application and Device Control logs in the Symantec Endpoint Protection Manager console, the "Caller Process" and "Target" paths are displayed properly with backslashes (\). However, when the logs are exported, the paths are delimited with forward slashes (/).
Solution: Exported Application and Device Control logs are now properly export using backslashes to delimit the paths.
SEP Client logs a timeout message when scanning empty folder
FIX ID: 3784549
Symptom: The following message appears in the system log when the Symantec Endpoint Protection client scans an empty folder: "Reputation check timed out during unproven file evaluation."
Solution: When there are no items to scan in a folder, the Symantec Endpoint Protection client now considers the scan successful and does not log an error message.
Cannot edit the Host Integrity OS check in SEPM web console
FIX ID: 3783015
Symptom: When you log on by the Symantec Endpoint Protect Manager web console, you cannot edit or change the Host Integrity operating system check.
Solution: Logon with Symantec Endpoint Protection Manager web console now allows the Host Integrity OS check to be edited.
IPS, Download Protection, and SONAR definitions are reported as not available in SEPM
FIX ID: 3743115
Symptom: After replication completes, revision data for IPS, Download Protection, and SONAR definitions report as "Not available" in the Symantec Endpoint Protect Manager console.
Solution: Symantec Endpoint Protection Manager now correctly reports IPS, Download Protection, and SONAR definition information after replication.
SEP cannot be disabled from the notification area icon
FIX ID: 3778957
Symptom: The option Disable Symantec Endpoint Protection from the Symantec Endpoint Protection notification area icon is grayed out and unavailable. The policy indicates you should be able to disable Symantec Endpoint Protection.
Solution: Allow Symantec Endpoint Protection to be disabled from the notification area icon when configured to do so.
SEPM web console Host Integrity message dialog text cannot accept more than 480 characters
FIX ID: 3783027
Symptom: If you enter more than 480 characters into the message box for the Host Integrity policy option Utility: Show message dialog while logged on with the Symantec Endpoint Protect Manager web console, the text cannot be saved. The text you entered disappears.
Solution: Changed the text area limit from 480 to 1000 characters for this Host Integrity option.
Virus definition date becomes "Unavailable" on the SEPM console after a restart of the SEP client
FIX ID: 3747451
Symptom: The virus definition date is reported as unavailable in the Symantec Endpoint Protection Manager console after the corresponding Symantec Endpoint Protection client is restarted.
Solution: Stopped initializing registry entry when the ccSvcHst process starts.
Smc.exe crashing with AVMan.plg module
FIX ID: 3778949
Symptom: The Symantec Management Client (SMC) service crashes on system startup.
Solution: Initialize Symantec Management Client service properly so it does not crash on startup.
Host and Guest Virtual Machines do not ping each other with anti-MAC spoofing enabled
FIX ID: 3783087
Symptom: A guest virtual machine and its host computer cannot ping each other with anti-MAC spoofing enabled.
Solution: Modified the anti-MAC spoofing functionality to better handle virtual machine and host setups.
BSOD bugcheck 1E with Teefer.sys
FIX ID: 3769213
Symptom: Following a ccSvsHst.exe crash, a "blue screen of death" kernel crash occurs attributed to Teefer.sys, or network applications behave unexpectedly or crash.
Solution: Added safeguards to protect memory in heavy-load scenarios.
Report showing clients not scanned displays some clients with a scan date of 12/31/1969 or 12/31/1970
FIX ID: 3767156
Symptom: The report in Symantec Endpoint Protection Manager that lists computers that have not scanned displays some clients with a scan date of 12/31/1969 or 12/31/1970.
Solution: Modified how the timestamp is stored, so that the correct scan date displays.
SEPM Computer Status report with Windows Server 2008 OS filter includes Windows Server 2012 computers
FIX ID: 3809931
Symptom: In the Computer Status report in Symantec Endpoint Protection Manager, the operating system filter for Windows Server 2008 also displays Windows Server 2012 systems.
Solution: Added a check in the query filter for Windows Server 2008 so that the Computer Status report only displays Windows Server 2008 clients.
Replication fails with BCP error messages in the logs
FIX ID: 3730554
Symptom: Replication always fails with BCP errors: "BCP data error: Warning: -f overrides –c," "String data, right truncation"
Solution: When preparing a BCP import, remove any terminator strings that appear in the data.
SEPM crashes during ADSITask
FIX ID: 3806993
Symptom: When running the ADSITask, Symantec Endpoint Protection Manger crashes with the error "SEPM OutOfMemoryError: GC overhead limit exceeded".
Solution: Improved the memory efficiency of Active Directory synchronization.
SEPM 12.1 RU6 installation fails with rollback in MSI
FIX ID: 3823084
Symptom: The installation of Symantec Endpoint Protection Manager 12.1 RU6 fails with an MSI rollback. The Symantec Endpoint Protection Manager log indicates the failure occurs with the message "CustomAction GPOPolicyReview returned actual error code 1603".
Solution: Symantec Endpoint Protection Manager 12.1 RU6 install now succeeds if the environmental variables TMP and TEMP are not identical.
Broken link occurs when switching location order from both replication sites
FIX ID: 3805004
Symptom: After switching the location order by Clients > Policies > Client group > Tasks > Manage Locations, a broken link occurs from both replication sites.
Solution: Updated the schema data so that there are no broken links.
Auto-Protect fails to load during SEP for Linux installation on a system with Tripwire agent also installed
FIX ID: 3806382
Symptom: Symantec Endpoint Protection client for Linux fails to install because Auto-Protect modules fail to load. The failure occurs when the Tripwire agent is already present on the system.
Solution: Now uses system call handlers that are different than the ones that are hooked by Tripwire and other applications. This way, the Auto-Protect modules load properly during client installation for Symantec Endpoint Protection for Linux.
Unable to configure SEPM administrator with LDAP authentication
FIX ID: 3802652
Symptom: The Check Account button for testing directory authentication (Admin > Administrators > Tasks > Edit the Administrator) malfunctions. When you configure a Symantec Endpoint Protection Manager administrator to use LDAP authentication, you can modify the account name after you authenticate, but before you click OK on the properties window.
Solution: Updated the string filter for the LDAP context search. Now validates the Active Directory user before storing the account name to the database.
"Datastore error" when trying to add the exception "Allow DNS or host file changes" from SONAR logs in SEPM
FIX ID: 3826253
Symptom: A datastore error occurs when you add the exception to allow DNS or host file changes from the SONAR logs in Symantec Endpoint Protection Manager.
Solution: Added the logic to handle the case when there are multiple entries for the same application associated with the SONAR log in the SEM_APPLICATION table.
Correct NIC is not shown properly in the firewall rule on an unmanaged Japanese build
FIX ID: 3812465
Symptom: When you apply and save a firewall rule, and then close and open the Symantec Endpoint Protection client, the network interface card adapter no longer appears selected as the default one.
Solution: Updated the method of encoding the adapter card’s name string, so that the local adapter card name and firewall rule adapter card name now match.
"Object cannot be found: [0x16010000]" when trying to delete an installation package from a SEPM group
FIX ID: 3810355
Symptom: You cannot delete a client installation package from a client group in an environment that uses replication.
Solution: Added synchronization to prevent broken links from occurring during replication.
SEP for Linux client’s sadiag.sh -j switch does not return results
FIX ID: 3816808
Symptom: Running sadiag.sh -j does not return any Java LiveUpdate data. In sadiag.txt, the LiveUpdate command shows a failure, since the Java path to an installation of Symantec Mail Security for SMTP would not exist.
Solution: Modified the sadiag.sh script, so that LiveUpdate diagnostic does not fail.
SEP ccSvcHst high memory usage on XPe POS during scheduled Quick Scan
FIX ID: 3824316
Symptom: On Windows XPe point-of-sale terminals, scheduled Quick Scan scans do not complete due to high memory usage by ccSvsHst.exe.
Solution: Resolved a deadlock in the IRON component during a cloud-based Reputation Scan.
Page pool depletion occurring after installation of SEP
FIX ID: 3695520
Symptom: System hangs due to low resources and excessive page pool usage by Symantec Endpoint Protection.
Solution: Modified the memory allocation that was causing pool exhaustion.
GUP option to download by range doesn’t work
FIX ID: 3837363
Symptom: The Group Update Provider is unable to detect and handle download by range when the server has disabled the HTTP header range request in Apache.
Solution: Group Update Providers are now able to detect and download the whole file when the HTTP header range request is disabled in the Apache configuration file httpd.conf.
Duplicate server entry causing risk notification mail failures
FIX ID: 3835801
Symptom: When you take the recovery file from an existing Symantec Endpoint Protection Manager and uses it to install a new one, it duplicates the server ID, which can cause risk notification mail failures.
Solution: Resets the server ID if the recovery file from an existing Symantec Endpoint Protection Manager is used to install the new management console.
Forced Restart allows "Immediately" and "Randomize the start time" to be checked at the same time
FIX ID: 3834142
Symptom: In Restart Settings, when you switch from Custom Restart to Forced Restart, the option Immediately allows Randomize the start time to also be enabled.
Solution: Changed the logic to disable restart randomization when the immediate restart option is checked.
Continuous crash of ccSvcHst with 0x80000003
FIX ID: 3802635
Symptom: The ccSvcHst.exe process, module ccL120U, crashes continuously with bug check error 0x80000003.
Solution: Modified code to handle the method failure that caused the crash.
Symantec Content Distribution Manager tool displays incorrect content downloads
FIX ID: 3839021
Symptom: The Symantec Content Distribution Manager tool incorrectly reports no downloads under Virus/Spyware content downloads today from SEPM(s).
Solution: Fixed how the tool reads and processes Apache logs.
SEP for Linux JLU installation fails when first 3 lines of /etc/Symantec.conf are commented
FIX ID: 3846189
Symptom: Unable to complete installation of Symantec Endpoint Protection for Linux due to Java LiveUpdate failure. The sepjlu-install.log shows the exit status of 1. This occurs when the line that indicates the setting for the base installation directory is deleted or commented out in the configuration file /etc/Symantec.conf.
Solution: Displays a warning in sadiag.txt when the base installation directory setting is deleted or commented out in /etc/Symantec.conf.
Network Threat Protection notifications report incorrect number of computers attacked
FIX ID: 3676721
Symptom: Network Threat Protection notifications and reports in Symantec Endpoint Protection Manager randomly display the incorrect number of computers attacked.
Solution: Corrected the query mismatch and time range conflict in the notification and corresponding report.
Exported CSV data from Content Distribution Monitor tool is not in the correct format on a localized OS
FIX ID: 3849601
Symptom: Exporting a CSV file that contains numbers with decimals from the Content Distribution Manager tool breaks the CSV format when the decimal mark is defined as a comma in the operating system’s localization settings.
Solution: Corrected the number format to allow Excel to open CSV files in these localized operating systems.
SEP for Linux manual scan starting at root of file system does not scan the entire file system
FIX ID: 3831744
Symptom: A manual scan for Symantec Endpoint Protection for Linux scans fewer files than expected.
Solution: Manual scan now correctly handles when file access is denied.
Replication fails with an SQL Server exception
FIX ID: 3849411
Symptom: Replication attempts fail and there are multiple SQL Server exception entries in the logs. This failure occurs when there are a large number of hardware devices in the database.
Solution: Split a single large SQL Server operation into multiple smaller operations to better handle this larger volume.
A .NET application intermittently experiences a hang when sysfer.dll is injected into its process
FIX ID: 3836958
Symptom: When Application Control injects sysfer.dll into the .NET process cdmsdatamanagerservice.exe, this process hangs indefinitely.
Solution: Changed Application Control to avoid a deadlock condition.
IPS Definitions are not deleted from disk
FIX ID: 3365873
Symptom: Old IPS definitions for CIDS do not get purged and are filling up disk space.
Solution: Allows the oldest CIDS definitions to be purged when newer definitions arrive.
Unable to make policy changes in SEPM
FIX ID: 3843210
Symptom: When you try to make policy changes in Symantec Endpoint Protection Manager, they seem to fail, though no errors appear. After you run the DB Validator tool, it indicates a broken link.
Solution: Symantec Endpoint Protection Manager pops up an error dialog to let you refresh the console and redo your action, if the action causes broken link issues.
Auto-Protect and Download Insight Actions revert to defaults when in Client Control mode
FIX ID: 3852067
Symptom: When the Symantec Endpoint Protection client receives any new policy while in Client Control mode, user-defined settings for Auto-Protect and Download Insight are deleted and replaced with the default values.
Solution: User-defined Auto-Protect and Download Insight settings are no longer reset to default values whenever a new policy is applied to a client in Client Control mode.
VDI Virtual machines freeze and hang
FIX ID: 3704022
Symptom: Virtual machines in a Virtual Desktop Infrastructure freeze and hang.
Solution: Updated the IRON component to a newer version.
Computer’s IP address is missing from SONAR log and Application log by syslog
FIX ID: 3854999
Symptom: The SONAR logs and Application logs exported by syslog do not include the IP address of the client computers.
Solution: Added computer IP address to these logs when exported by syslog.
Status reports incorrectly report AP Portal List version
FIX ID: 3861691
Symptom: In the report Protection Content Versions from Symantec Endpoint Protection Manager, the AP Portal List version displayed is incorrect.
Solution: Fixed the query used in getting the content revisions installed on the client.
SEPM logs and reports fail to display with "Query failed" due to date format change
FIX ID: 3830629
Symptom: A "Query Failed" error occurs and reports fail to display in Symantec Endpoint Protection Manager after you change the language of the database within the SQL Server Management Studio. The error occurs due to a change in the date format.
Solution: The date format is now correctly converted to match the language selected by the administrator, and is passed on to these stored queries.
Blank error message displays if any exception is thrown from remote site while adding replication partner
FIX ID: 3867903
Symptom: A blank error message displays when an exception is thrown from the remote site when you add a replication partner with the Management Server Configuration Wizard.
Solution: Correctly parses the error code now to return the actual error message.
SEP service terminated unexpectedly when scanning a file
FIX ID: 3812341
Symptom: The Symantec Endpoint Protection service terminates unexpectedly when it scans a particular file. The computer then becomes unresponsive.
Solution: Updated the ConMan component to a newer version.
Replication partner installation fails with exception
FIX ID: 3861334
Symptom: Installing a new Symantec Endpoint Protection Manager as a replication partner from the Management Server Configuration Wizard fails with a null server exception during the "Registering Site Information" step.
Solution: Added additional cases to handle HTML decimal and hex constants which are used for URL encoding.
Error at SEPM logon on Turkish system: Request contents are invalid
FIX ID: 3871715
Symptom: On a Turkish system, when you log on to Symantec Endpoint Protection Manager, you see the error, "Request contents are invalid."
Solution: Sets the locale to English when converting to lower case and upper case.
Decomposer error when scanning a specific XLSX file
FIX ID: 3833043
Symptom: After a particular XLSX file is scanned, the following scan omission event is reported in the system logs: "Could not scan 1 files inside <filepath> due to extraction errors encountered by the Decomposer Engines."
Solution: Increased the limit of decompression ratios.
SEPM replication fails on both sides with "failed to submit" errors
FIX ID: 3872999
Symptom: "Failed to submit" errors occur when replicating two sites with different primary keys on their Filter tables.
Solution: Fixed the primary keys of the Filter tables during an upgrade.
Sysplant fails to start on Windows 10 with Device Guard/Credential Guard enabled
FIX ID: 3855690
Symptom: Sysplant causes a system blue-screen crash with the driver verifier option Code integrity checks enabled, and may not be loaded on the physical machine under HVCI mode.
Solution: Updated the firewall drivers.
ccSvcHst.exe crashes with allocation error
FIX ID: 3814364
Symptom: In 12.1 RU6, the process ccSvcHst.exe crashes when it reaches the 2GB limit with a memory allocation failure.
Solution: The process now catches the exception instead of crashing when memory allocation fails.
Broken link with HI content
FIX ID: 3843779
Symptom: During replication, Host Integrity content is treated as normal content. Therefore, after replication, there are two sets of Host Integrity content in Symantec Endpoint Protection Manager. This duplication causes a broken link.
Solution: Corrected how Host Integrity content is handled during replication so that after replication, only one set of Host Integrity content exists in Symantec Endpoint Protection Manager.
ccSvcHst crashes on GUP
FIX ID: 3867064
Symptom: ccSvcHst.exe crashes on the Group Update Provider in module MFC100.dll. The Symantec Endpoint Protection service restarts.
Solution: Added the logic needed to handle the out-of-memory exception.
SEPM does not properly show Windows 10 edition information
FIX ID: 3877279
Symptom: Symantec Endpoint Protection Manager incorrectly displays Windows 10 Enterprise 2015 LTSB clients as "Windows 10."
Solution: Updated the Symantec Endpoint Protection client and Symantec Endpoint Protection Manager to handle the Windows 10 Enterprise 10 LTSB edition.
SEPM Network Threat Protection log is missing data in the exported CSV file
FIX ID: 3871395
Symptom: The Repetition column is missing values when you export from Symantec Endpoint Protection Manager a CSV file of the Network Threat Protection log.
Solution: Added the missing values in the CSV file for Network Threat Protection log, and made the naming of fields consistent.
SEPM Site Health report returns inconsistent data for replication partners
FIX ID: 3886636
Symptom: The Site Heath status report from Symantec Endpoint Protection Manager displays the wrong information for disabled replication partnerships.
Solution: Symantec Endpoint Protection Manager now checks whether the replication is enabled or not when it generates a Site Health status report.
Certificate errors when exporting logs from SEPM web console with custom certificate
FIX ID: 3886756
Symptom: Exporting logs from the Symantec Endpoint Protection Manager web console returns certificate errors when it uses a custom certificate.
Solution: Symantec Endpoint Protection Manager now uses IP, FQDN, or host name, based on the URL used when exporting the logs.
Firewall rule inheritance is not working as expected
FIX ID: 3880002
Symptom: Rules in the firewall policies in Symantec Endpoint Protection Manager are not behaving as expected after inheritance is checked and unchecked.
Solution: Changed the logic for how rules are processed during firewall rule inheritance.
SEPM web console does not correctly display clickable areas
FIX ID: 3888135
Symptom: Areas that are not clickable appear to be clickable when logged on to the Symantec Endpoint Protection Manager using the web console.
Solution: Changed cursor behavior to match the cursor behavior on the desktop console.
Moving a client between SEPM domains doesn’t respect the SEP client "uninstall password" option
FIX ID: 3873664
Symptom: Symantec Endpoint Protection prompts for a password during uninstallation when the uninstall password option is set to off. The client computer previously belonged to a domain that enabled the uninstall password.
Solution: Added a missing item to the policy template so that the uninstall password is honored.
Scheduled Comprehensive Risk Report fails
FIX ID: 3891472
Symptom: Scheduled Comprehensive Risk Report from Symantec Endpoint Protection Manager fails with an exception in the reporting log.
Solution: Scheduled Comprehensive Risk Report from Symantec Endpoint Protection Manager now runs without any exceptions or errors.
Last modified time in SEPM displays invalid data for Learned Applications
FIX ID: 3897087
Symptom: The last modified time in Symantec Endpoint Protection Manager displays an invalid timestamp for Learned Applications.
Solution: Added validation check for the last modified time.
Scheduled comprehensive risk report does not work
FIX ID: 3868362
Symptom: Comprehensive risk report does not complete.
Solution: Updated the comprehensive risk report query so that it runs successfully with a custom risk report filter.
Application Control file/folder exceptions using the PROGRAM_FILES prefix variable is not working properly
FIX ID: 3891515
Symptom: Application Control centralized exclusions using the PROGRAM_FILES prefix variable do not work on 64-bit Windows.
Solution: Added new functionality to populate the other Program File path and to add it to the Application Control whitelist for exclusion.
SEPM Administrator Directory Authentication test fails for user logon
FIX ID: 3897016
Symptom: Using the Test Account button to test directory authentication for a Symantec Endpoint Protection Manager administrator fails when you use the User logon name (pre-Windows 2000) option in Active Directory.
Solution: Symantec Endpoint Protection Manager now tests both accounts when User logon name and User logon name (pre-Windows 2000) are both set.
SEP client loses its GUP role after a restart
FIX ID: 3891336
Symptom: A Symantec Endpoint Protection client configured as a Group Update Provider loses this role after a restart.
Solution: Modified how the Group Update Provider setting is initialized in the registry.
ccSvcHst.exe crashes during a scheduled scan
FIX ID: 3891980
Symptom: ccSvcHst.exe crashes during a scheduled scan.
Solution: Stopped the unloading of components that are not loaded into memory when "ForwardingEnable" is turned off.
DB Validator tool reports broken links for the object SemLocationConfig
FIX ID: 3902490
Symptom: The DB Validator tool reports broken links in the database for the object SemLocationConfig.
Solution: Symantec Endpoint Protection Manager will now pop up an error dialog to let the user refresh the console and redo the action if the action causes broken link.
SEPM incorrectly provides full definitions to clients
FIX ID: 3877104
Symptom: Symantec Endpoint Protection Manager shows Java "out of memory" errors and stops generating delta files. Instead, it provides full definitions to clients.
Solution: Created a tool to purge stale replication partners so that the sweeping task can automatically remove obsolete items in schema objects. Decreased database socket timeout value to reduce too many threads from getting blocked. Upgraded from 32-bit to 64-bit JRE.
System event notification doesn’t include "LiveUpdate succeeded" events
FIX ID: 3901314
Symptom: Events for when LiveUpdate successfully completed are missing from system event notifications in Symantec Endpoint Protection Manager.
Solution: Added "LiveUpdate succeeded" events to system event notifications in Symantec Endpoint Protection Manager.
Moving clients between groups causes the rest of the client list to disappear
FIX ID: 3897026
Symptom: Moving a client from the default group to a different group in Symantec Endpoint Protection Manager causes the rest of the clients in the default group list to disappear.
Solution: Added check to ensure that every time a table column is moved, it can be rendered properly.
Sylink.xml mismatch between communication settings and exported installation packages
FIX ID: 3903087
Symptom: When comparing the Sylink.xml exported from the communication settings and one from an exported client install package, the latter Sylink.xml includes the server certificates from a deleted site.
Solution: Exclude server certificates from a deleted site in Sylink.xml.
Very old clients are not being swept
FIX ID: 3896480
Symptom: The computer status logs from Symantec Endpoint Protection Manager still show very old and stale clients in the database after the agent sweeping task runs.
Solution: Fixed the schema type in Domain schema to allow the sweeping task succeed, which in turn purges the stale clients from the database.
SEPM database backups intermittently fail to run and the embedded database service crashes frequently
FIX ID: 3896116
Symptom: The embedded database service crashes and causes database connection failures. Database backups for Symantec Endpoint Protection Manager intermittently fail.
Solution: Fixed the query which uses an OpenXML function that caused the database service to crash.
Client Deployment Wizard shows the default group even if another group is selected
FIX ID: 3907974
Symptom: While installing a new client from within a group the Clients tab, if you select a name on the client group tree in the Client Deployment Wizard, it does not appear. Instead, it displays the group name from which you launched the Client Deployment Wizard.
Solution: The Client Deployment Wizard now displays the correct group name selected during the process of installing new client.
Reputation Lookup Alerts continue to trigger and send email for an old event
FIX ID: 3906682
Symptom: Daily Reputation Lookup notifications continue to be sent out after the event has already occurred once. The notification email also contains old events.
Solution: Fixed the filter used in Reputation Lookup notification.
CPU usage for ccSvcHst grows until a restart becomes necessary
FIX ID: 3729549
Symptom: High CPU utilization by ccSvcHst.exe slows the computer down so badly that it needs to be restarted.
Solution: Regularly remove stale PIDs from database.
SEP does not recognize Juniper Pulse Secure 5.1
FIX ID: 3891819
Symptom: Location switching does not happen, and the client has the default policy when connected through Juniper VPN, Pulse Secure 5.1.
Solution: Added a check for an extra registry key which is available in Juniper Junos Pulse 5.1 that indicates whether it is installed or not.
When Enhanced Protected Mode is enabled, IE reports: "Symantec Vulnerability Protection from Symantec Corporation isn’t compatible with Internet Explorer’s enhanced security features and has been disabled"
FIX ID: 3903064
Symptom: The Symantec Vulnerability Protection plug-in displays a message that indicates it is incompatible when Enhanced Protection Mode is enabled in Internet Explorer.
Solution: Updated the IPS component framework so that the status of the Symantec Vulnerability Protection plug-in can be displayed as disabled.
SylinkDrop returns "Sylink file is too large" and fails
FIX ID: 3912542
Symptom: Unable to use SylinkDrop to import a Sylink.xml that is 64 KB or larger in size, with the error, "Sylink file is too large."
Solution: Increased the buffer size so SylinkDrop is able to import Sylink.xml that exceeds 64 KB in size.
ccSvcHst.exe crashes with reference to TSE.dll
FIX ID: 3914115
Symptom: The ccSvcHst.exe process crashes with a reference to the module TSE.dll.
Solution: Added a check and exception handling to prevent this crash.
SEPM does not purge obsolete items from stale and disabled replication partnerships leading to out of memory issues
FIX ID: 3904771
Symptom: When a replication partner is removed and a new replication partner with the same site name is added, Symantec Endpoint Protection Manager does not correctly purge obsolete items. These obsolete items accumulate over time and result in out of memory issues.
Solution: Correctly purge obsolete items associated with stale and disabled replication partnerships.
SEPM displays IPS silent signatures in the Add Intrusion Prevention Exceptions pane
FIX ID: 3890781
Symptom: In the list of intrusion prevention signatures from which you choose to add an exception, Symantec Endpoint Protection Manager displays IPS signatures marked "silent."
Solution: The Symantec Endpoint Protection Manager now hides these IPS signatures in the Add Intrusion Prevention Exceptions pane.
Notification for "Paid License issue" is performed on the day of the expiration date
FIX ID: 3911203
Symptom: The license expiration issue notification is sent on the day of the expiration date.
Solution: Updated the logic so the notification for Paid License issue is sent the day after the expiration date.
SEP for Linux scheduled LiveUpdate doesn’t run at scheduled time after restarting OS
FIX ID: 3902324
Symptom: The LiveUpdate schedule on a Symantec Endpoint Protection client for Linux is not applied after restarting the computer or restarting the SMC daemon.
Solution: Added logic to apply the correct LiveUpdate schedule on a Symantec Endpoint Protection client for Linux.
SEPM displays no results when searching for clients using the client version as search criteria
FIX ID: 3906627
Symptom: Searching for clients using the criteria Client Version from the Clients tab in Symantec Endpoint Protection Manager doesn’t display any results.
Solution: Symantec Endpoint Protection Manager now displays the correct search results.
symevent64.sys consuming high non-paged pool memory and high CPU usage
FIX ID: 3898587
Symptom: symevent64.sys impacts system performance due to high non-paged pool memory consumption and high CPU utilization.
Solution: Updated the SymEvent component to a newer version.
Offline clients are counted towards scan failures on SEPM home page
FIX ID: 3923218
Symptom: Offline clients are counted as scan failures in Symantec Endpoint Protection Manager.
Solution: Modified query to filter out offline clients so that they are no longer counted as scan failures.
SEPM out of memory and SQLTimeoutExceptions in Agent Sweeping task
FIX ID: 3924096
Symptom: The Agent Sweeping task is not able to purge the stale entries in SEM_COMPUTER and SEM_CLIENT tables due to SQLTimeoutExceptions. The stale records accumulate and cause out-of-memory errors and performance issues.
Solution: Reduced the number of records being cached and deleted the stale records in chunks.
ccSvcHst.exe crashes repeatedly when switching from one GUP to another
FIX ID: 3930992
Symptom: ccSvcHst.exe crashes when client switches between GUP servers.
Solution: Resolved the access violation.
Broken link for MacAdminDefinedScan
FIX ID: 3924668
Symptom: If policy is imported then copied, and then either the imported policy or its copy was deleted, the remaining policy has a broken link pointing to MacAdminDefinedScan.
Solution: New imports can now be copied and deleted without resulting in broken links.
Single client request for delta content is creating a network load alert for full content
FIX ID: 3916699
Symptom: A client request for delta content creates a network load alert for full content.
Solution: Resolved a mismatch between the content download request and the actual content download, so Symantec Endpoint Protection client downloads content from the correct server.
The SEPM web console accepts invalid input
FIX ID: 3931604
Symptom: Invalid characters can be copied and pasted into the text fields within the Symantec Endpoint Protection Manager web console.
Solution: Added check to prevent a copy and paste operation in the Symantec Endpoint Protection Manager web console.
Unable to create or delete of client groups in SEPM. Error: Request contents are invalid. [0x120c0000]
FIX ID: 3939911
Solution: Fixed the request validation of script tags in Symantec Endpoint Protection Manager.
messageBundle_ja_JP.properties has incorrect strings in SEPM
FIX ID: 3943261
Symptom: When Advanced Threat Protection uses a web service to send commands to Symantec Endpoint Protection Manager localized for Japanese, the description of the command is displayed in pseudo-translated text.
Solution: The properties file is now properly translated, and the correct Japanese strings will be visible to the customers.
Clients incorrectly showing SONAR and IPS/DI/TP malfunctioning
FIX ID: 3880747
Symptom: Clients incorrectly report the statuses for SONAR, Download Insight, and Threat Protection as "Component is malfunctioning" to the Symantec Endpoint Protection Manager.
Solution: Clients no longer report the statuses for SONAR, Download Insight, and Threat Protection as "Component is malfunctioning."
Can’t disable earlier TLS versions to use only TLS v1.2 for Tomcat’s 8443 connector
FIX ID: 3870943
Symptom: Cannot disable TLS versions earlier than 1.2 to only use version 1.2 with the Tomcat 8443 connector.
Solution: Removed OS specific changes for enabling TLS versions, making it consistent for TLS v1.2.
Enabling SEP from the Action Center returns an error that SEP cannot be enabled, even though the SEP service enables
FIX ID: 3946691
Symptom: Enabling Symantec Endpoint Protection from the Action Center returns the following error, even though the service starts and is running: "You cannot turn on Symantec Endpoint Protection. This action is locked by the Symantec Endpoint Protection administrator."
Solution: No error or pop-up displays to the user if both AP and Security risk scan are turned on. For Windows 10 only one pop-up will be displayed if both the settings are off and locked by administrator.
Reduced-size client uninstalls without the installation package
FIX ID: 3945629
Symptom: When you attempt to uninstall the Symantec Endpoint Protection reduced-size client from the Control Panel, the installer indicates two or three times that it cannot find the file sep.msi. When you click Cancel, however, the uninstallation process continues and removes the client.
Solution: Added a condition so that the reduced-size client requires the installation package to uninstall or modify the feature set.
Client is unable to download and update content when full.zip download is disabled
FIX ID: 3945202
Symptom: The LiveUpdate Settings policy blocks the clients from downloading the full definition download file (full.zip) from Symantec Endpoint Protection Manager. However, when the first entry in the download queue is a full.zip request, the clients stop updating all content.
Solution: When Download smaller client installation packages from a LiveUpdate server is enabled, Symantec Endpoint Protection Manager no longer blocks other content from being downloaded.
Active Directory client sync fails when Active Directory objects have invalid characters
FIX ID: 3927805
Symptom: Active Directory sync fails and the log shows the following message: "SEVERE: org.w3c.dom.ls.LSException: The character ‘[BEL]’ is an invalid XML character."
Solution: Added a check to handle Active Directory objects with invalid characters.
Broken content links in embedded database are not fixed with the ludbfix64 tool
FIX ID: 3959382
Symptom: The ludbfix64 tool fails with a resource exception and cannot fix any broken links in the database.
Solution: Removed limit on the maximum values that can be processed.
Enable Firewall option is grayed out when Client Control mode is selected
FIX ID: 3956644
Symptom: Changing the managed client mode from Server Control to Client Control grays out and disables the Enable Firewall check box.
Solution: The Enable Firewall check box is enabled when Client Control mode is selected.
CSV file exported from SEPM > Monitor > Logs is missing records
FIX ID: 3869923
Symptom: When you export logs to a CSV file using the Symantec Endpoint Protection Manager user interface and you use a non-default file name, the export process excludes some of the records.
Solution: Log exports no longer handles by JDIC and IEmbed, but by the JavaFX web engine.
Saving the installation log with the %PROGRAMFILES% variable in the file path prevents the client installation
FIX ID: 3944736
Symptom: If you define a path for the installation log that uses the standard Windows %PROGRAMFILES% variable, the installation fails, resulting in the following Windows Installer error: "Error opening installation Log File. Verify that the specified Log File location exists and is writable."
Solution: Blocks the usage of %PROGRAMFILES% and %COMMONPROGRAMFILES% in the installation log path because they are not supported.
Risk severity is categorized as "Unknown" in a risk report from SEPM
FIX ID: 3342586
Symptom: Risks that appear in Symantec Endpoint Protection Manager risk reports are categorized as "Unknown."
Solution: Added the correct category value to avoid returning "Unknown" in the risk report.
Unable to install SEP because EFAInst.exe fails to locate registry key
FIX ID: 3891593
Symptom: The Symantec Endpoint Protection Windows client installation fails. The error log for EFAInst.exe shows error = 2: "Failed to open key."
Solution: EFAInst.exe creates missing registry keys if necessary during installation.
System hangs after installing SEP
FIX ID: 3953313
Symptom: After you install the Symantec Endpoint Protection Windows client, the system occasionally hangs due to issues with BHDrvx64 and SymEvent.
Solution: Added code to prevent a deadlock condition.
SEP clients download full.zip when SEPM configured to block it
FIX ID: 3949582
Symptom: The LiveUpdate policy is configured to prevent the download of a full definition file (full.zip) by Symantec Endpoint Protection clients, but the network traffic shows that clients are still downloading this file from Symantec Endpoint Protection Manager.
Solution: Modified the response on the server to correctly block full.zip downloads.
Auto-Protect causes a shell script to fail when it runs during a Cygwin build compile
FIX ID: 3936679
Symptom: With Auto-Protect enabled, a shell script fails when it runs during a Cygwin build compilation.
Solution: Updated Auto-Protect driver so that shell script runs successfully during a Cygwin build compilation.
Cannott compile SEPFL Auto-Protect kernel module for Ubuntu 16.04 LTS 4.7.0 kernel
FIX ID: 3978035
Symptom: Compiling the Symantec Endpoint Protection for Linux Auto-Protect kernel module for the Ubuntu 16.04 LTS 4.7.0 kernel fails with multiple errors.
Solution: Added support for the Linux kernel version 4.7 for auto-compile and for custom compile.
Outbreak and New Risk Detected notifications are sent without notification details in the body
FIX ID: 3985541
Symptom: The email for Outlook and New Risk Detected notifications are missing the risk events.
Solution: Added the java token into PHP reporting link and added PHP token validation check in PHP files.
Processes crash on exit with SEP and Impero (Education) Pro 5.x installed on Windows 10
FIX ID: 3968310
Symptom: Multiple processes crash on exit when Application and Device Control runs on Windows 10 when Impero (Education) Pro 5.x is also installed.
Solution: Updated Application and Device Control so that it is able to work with Impero software installed on Windows 10.
Old registry key smcinst is not deleted after running AutoUpgrade
FIX ID: 3986532
Symptom: After AutoUpgrade runs, it does not delete the registry entry HKLM\System\currentcontrolset\services\smcinst, which points to an old AutoUpgrade package.
Solution: Updated the smcinst application path so that this registry entry is deleted correctly.
Directory server logon to the SEPM triggers a second authentication attempt
FIX ID: 3974654
Symptom: When you log on to Symantec Endpoint Protection Manager with LDAP authentication, it triggers a second authentication attempt.
Solution: Logon with Symantec Endpoint Protection Manager by LDAP authenticates only one time upon success.
Firewall Application displays as "Symantec Endpoint Protection,Symantec Endpoint Protection" on Control Panel
FIX ID: 3993417
Symptom: The application name of the firewall appears as "Symantec Endpoint Protection,Symantec Endpoint Protection" in the Windows Control Panel.
Solution: Updated logic to prevent the firewall application from registering more than once.
httpd crashes with reverse proxy configured
FIX ID: 3954493
Symptom: The httpd service crashes when you configure reverse proxy, when clients send file requests.
Solution: Correct the logic so that httpd does not crash.
"GetCommand 404 OpenFailed: Error (2) while opening the Command file" errors in exsecars log
FIX ID: 3999879
Symptom: Excessive "GetCommand 404 OpenFailed: Error (2) while opening the Command file" errors appear in exsecars log due to a failed command.
Solution: A failed command is no longer executed more than once in every heartbeat.
Definition updates stop processing on clients
FIX ID: 3961965
Symptom: Clients stop updating definitions and the SepMasterService is in a stopping state.
Solution: Fixed the deadlock condition so that the definition updates are processed correctly.
Explorer.exe hangs due to SymEFASI
FIX ID: 3973685
Symptom: Explorer.exe is unresponsive and hangs because SymEFASI blocks its prefetcher operations.
Solution: Updated a filter driver to avoid a deadlock condition.
Location switching fails using Management Server Connection criteria
FIX ID: 3778766
Symptom: Symantec Endpoint Protection clients that use the Management Server Connection location criteria do not switch to an alternate Symantec Endpoint Protection Manager.
Solution: Improved the heartbeat logic to allow clients to correctly switch managers with this location criteria.
Component Versions in Symantec Endpoint Protection 14.0.1904.0000
WLU (Symantec Endpoint Protection Manager)