Situation
This article describes the new features and fixes in each update of Symantec Endpoint Protection 11 and Symantec Network Access Control 11.
Solution
As updates to Symantec Endpoint Protection are released, they are added as sections in this document. The sections are added in chronological order, with the most recent additions at the top.
Note: To download the latest release of Symantec Endpoint Protection, read the following document: Obtaining the latest version of Symantec Endpoint Protection or Symantec Network Access Control.
This document contains information for the following versions:
- Release Update 7 Maintenance Patch 4 (RU7 MP4)
- Release Update 7 Maintenance Patch 3 (RU7 MP3)
- Release Update 7 Maintenance Patch 2 (RU7 MP2)
- Release Update 7 Maintenance Patch 1 (RU7 MP1)
- Release Update 7 (RU7)
- Release Update 6 Maintenance Patch 3 (RU6 MP3)
- Release Update 6 Maintenance Patch 2 (RU6 MP2)
- Release Update 6 Maintenance Patch 1 (RU6 MP1)
- Release Update 6a (RU6a)
- Release Update 6 (RU6)
- Release Update 5 (RU5)
- Maintenance Release 4 Maintenance Patch 2 (MR4 MP2)
This document should be read in conjunction with the appropriate Readme files:
- Readme_SEP.txt
- Readme_SNAC.txt
- Readme_appliance.txt
- Readme_trialware.txt
Release Update 7 Maintenance Patch 4 (RU7 MP4)
For complete information on new features and known issues in this release, see the Release Notes. For new fixes and component versions, see below.
Blue screen crash caused by teefer3.sys on Windows Vista
Fix ID: 2387830
Solution: Modified the Teefer driver code to resolve this crash.
Error generated by securitynotifytask: "Intermittent Authentication failure. Please try again."
Fix ID: 2763318
SEVERE: Authentication Failure. Please try again. in: com.sygate.scm.server.task.SecurityAlertNotifyTask
Solution: Resolved an issue where the server state could become out of date, resulting in the Symantec Endpoint Protection Manager console regarding the local server as offline.
Symantec Endpoint Protection Manager console is slow to load client groups
Fix ID: 2793951
Solution: Optimized a SQL query to increase performance for domain admin users.
"Japanese" displays multiple times for LiveUpdate Content Languages
Fix ID: 2844897
Solution: Modified Symantec Endpoint Protection Manager to verify whether the language already exists before adding "LiveUpdate supported language" to the replication partner.
Traffic log shows incorrect information about blocked packets
Fix ID: 2867420
Solution: Modified the logging code to display the correct packet type.
Symantec Endpoint Protection Manager port scan report from Windows 7 shows incorrect data
Fix ID: 2914500
Solution: Modified the port scan report to correctly detect packets on the loopback adapter of the client.
Explorer.exe process stops responding after installing the Symantec Endpoint Protection client
Fix ID: 2916250
Solution: Modified the Sysplant.sys driver to correct a suspended thread.
Computer becomes unresponsive after installing Symantec Endpoint Protection client
Fix ID: 2919278
Risk Type "APPLICATION_DETECTION_TYPE_-1_0" in Symantec Endpoint Protection Manager logs for Macintosh clients
Fix ID: 2935579
Solution: Added the proper identifier type to the Symantec Endpoint Protection Manager resource file.
"Administrator not found" error when logging onto Symantec Endpoint Protection Manager
Fix ID: 2938977
“com.sygate.scm.console.util.ConsoleException: Administrator not found [0x11010000]”
Solution: Resolved an issue in Symantec Endpoint Protection Manager where the Symantec Network Access Control enforcer caused a deadlock when it connected to the server.
Custom scan scans files twice if the selected scan target does not display the plus sign (+)
Fix ID: 2939056
Solution: Modified the state of the folders to have the proper “check”, “check plus”, or “empty” selection.
Repeated Full.zip downloads when free disk space is between 700 and 900 MB
Fix ID: 2947400
Solution: The default required disk space estimate was updated to the current definition size.
Forced TruScan proactive threat detections are logged as Trojan Worm
Fix ID: 2948103
Solution: Resolved an issue where the application type and detection type could both be 0. The new application type will be "Heuristic application."
Scheduled/Quick Report filters only save 255 characters for the Group field
Fix ID: 2953711
Duplicate entries are not generated in the Symantec Endpoint Protection Manager, despite a change of the hardware ID (HWID)
Fix ID: 2973571
Solution: Modified the client to resolve an issue when sending a hardware ID update request.
LastScannedVersionCheck property added to Lotus Notes documents
Fix ID: 3060147
Solution: Modified the Symantec Endpoint Protection client to properly honor the NotLeaveScanRecord option when enabled.
SMC.exe process terminates unexpectedly
Fix ID: 3067417
Solution: Resolved an issue in the client debug logging to prevent this crash.
Symantec Endpoint Protection recovers only once from a corrupted sdi.dat
Fix ID: 3087001
Solution: Modified the Symantec Endpoint Protection code to restore SDI.dat from SDI.bak if corruption is detected.
Scan log incorrectly displays a Scheduled Scan as a Manual Scan
Fix ID: 3093421
Solution: Updated the logger type in the registry to display the proper scan type.
GFValidate.exe process terminates unexpectedly
Fix ID: 3146457
Solution: Modified Symantec Endpoint Protection Manager to handle an exception to prevent the application from terminating unexpectedly.
SMC.exe service terminates unexpectedly on designated GUP systems
Fix ID: 3183935
Valid ping triggers false positive for "Smurf" attack
Fix ID: 3187443
IllegalThreadStateException in AgentLogCollector task
Fix ID: 3210577
SEVERE: Unknown Exception in: com.sygate.scm.server.task.AgentLogCollector
java.lang.IllegalThreadStateException: process has not exited
Solution: Modified Symantec Endpoint Protection Manager to catch an exception and record an appropriate log message.
Whitelisted application is detected by File System Auto-Protect
Fix ID: 3244632
Symptom: File System Auto-Protect detects and quarantines a custom application. The custom application is on the whitelist.
SMC.exe process terminates unexpectedly
Fix ID: 3257412
Symptom: The SMC.exe process consumes a large amount of memory and terminates unexpectedly.
Firewall does not detect outbound traffic on Windows XP
Fix ID: 3304422
Symptom: The Symantec Endpoint Protection firewall does not detect outbound traffic on Windows XP. Disabling the QoS Packet Scheduler resolves the issue.
Symantec Endpoint Protection Manager fails to process 64-bit definitions
Fix ID: 3337423
Symptom: Symantec Endpoint Protection Manager downloads the full.zip for 64-bit antivirus definition content but fails to extract it to the “full” directory. You configured Symantec Endpoint Protection Manager to use a Microsoft SQL Server database.
Solution: Resolved an issue where the antivirus content became too large to upload to a Microsoft SQL Server database.
Component versions in RU7 MP4
| Component | Version |
| Autoprotect | 10.3.8.7 |
| Behaviour Blocking | 3.5.3.004 |
| CCEraser | 20072.0.1.6 |
| COH | 6.1.16.2 |
| Common Client | 106.5.7.006 |
| DecABI | 1.2.7.1 |
| Defutils | 4.1.5.4 |
| ECOM | 61.3.0.17 |
| Intelligent Updater | 1.0.1.6 |
| LiveUpdate | 3.3.0.115 |
| LiveUpdateAdmin | 2.3.2 |
| MAC Client | 11.0.6970.236 |
| Microdefs | 2.7.0.13 |
| QServer | 3.6.7300.68 |
| SAV | 11.0.7300.228 |
| SNAC | 11.0.7300.183 |
| SyKnAppS | 3.0.3.3 |
| SymEvent | 12.8.6.38 |
| SymNetDrv | 7.2.6.1 |
| SymProtect (Tamper Protection) | 3.5.1.3 |
| Teefer2 | 11.0.6970.32 |
| Teefer3 | 11.0.5602.49 |
| VxMS (MSLight) | 5.2.1.3 |
| WpsHelper* | 12.4.0.23 |
| PHP | 5.3.16.0 |
| SAVFL | 1.0.14 |
| JRE | 1.7.0.25 |
| TomCat | 7.0.42 |
| Boost | 1.53.0 |
| LibPNG | 1.5.15 |
| LibXML | 2.9.1 |
| OpenSSL | 1.0.1e |
| cURL | 7.31.0 |
Release Update 7 Maintenance Patch 3 (RU7 MP3)
For complete information on new features in this release, system requirements, and known issues, see this document. For new fixes and component versions, see below.
The LiveUpdate log file size does not save the default size setting in the settings.liveupdate file
Fix ID: 2516181
Symptom: As the size of file log.liveupdate increases, the default size setting is not saved in the settings.liveupdate file.
Solution: Fixed a cleanup call that was not invoked correctly.
Updating Symantec Endpoint Protection Manager from RU5 to RU7 fails
Fix ID: 2565649
Symptom: After you download the RU7 LiveUpdate definitions, event IDs 11328 and 1023 appear in the Symantec Endpoint Protection Manager log.
Solution: Older versions of MSIMSP sometimes create incompatible patches. Updated MSIMSP to the correct version.
Heuristic scans detect and block the application
Fix ID: 2587958
Symptom: A streamed virtualized application does not launch on the client. You can see an incorrect hash value for that application in the Symantec Endpoint Protection Manager log.
Solution: Fixed the issue by making sure that scans now correctly detect and allow a virtual application.
Symantec Endpoint Protection takes a long time to compile the profile for client groups
Fix ID: 2607064
Symptom: PackageTask takes a long time to compile the profile for client groups.
Solution: Improved the performance of XML serialization and handling multiple threads.
An email message that is based on a saved email is replaced by a draft email message
Fix ID: 2635881
Symptom: After users send a previously saved and scanned email that includes an attachment, the saved email is deleted and replaced by an identical draft of the saved email message.
Solution: The problem was caused by properties being added after the saved email was scanned. The properties caused the saved email to be unrecognized. Corrected.
Large database files are cloned for scans
Fix ID: 2642450
Symptom: The server becomes unresponsive or is brought down after a scheduled scan leaves behind a large number of .tmp files.
Solution: Fixed the issue by changing when database files are cloned.
Threats delivered through email in a non-modifiable container are not deleted
Fix ID: 2646790
Symptom: A threat that is delivered through email in a non-modifiable container, such as .rar or .cab, is detected but not deleted, regardless of the Antivirus and Spyware policy action for the threat. You can only clean the threat after you save and unzip it to the hard disk.
Solution: Fixed the issue by quarantining the email.
The Symantec Endpoint Protection firewall interferes with Microsoft Direct Access
Fix ID: 2653542
Symptom: Microsoft Direct Access does not work after you upgrade to Symantec Endpoint Protection RU7 (11.0.7000.975).
Solution: Fixed the issue by appending an Ethernet header into that packet.
Windows Firewall messages are not disabled in the Symantec Endpoint Protection Manager System log
Fix ID: 2656231
Symptom: The System log contains messages about the Windows Firewall, even after logging is disabled. The Windows Firewall service starts after the smc service starts. Therefore, the smc service cannot find the Windows Firewall server, and considers the Windows Firewall to be disabled.
Solution: Fixed the issue by having the smc service wait for the Windows Firewall service to start.
Client downloads content from Symantec Endpoint Protection Manager even when policy indicates it should obtain content from the Group Update Provider (GUP)
Fix ID: 2660859
Symptom: When the client switches from a GUP location to an external LiveUpdate location, sylink.xml tries to download content from Symantec Endpoint Protection Manager.
Solution: Before content is downloaded, the LiveUpdate thread in sylink.xml checks whether the "SEPM channel" has been disabled. If disabled, the moniker is deleted from the queue.
The time stamp changes on restored quarantined files
Fix ID: 2661232
Symptom: The original time stamp on a file changes after being restored from the quarantine.
Solution: Fixed an issue where the time stamp and the attribute of a file are modified after being restored from the quarantine.
Mismatch between reported clients in the Unmanaged Detector report
Fix ID: 2663136
Symptom: The total number of clients on an Unmanaged Detector report does not match the actual number of devices listed.
Solution: The Unmanaged Detector report now includes the total number of detected unknown devices and the unique number of unknown devices.
Reporting server hangs
Fix ID: 2697341
Symptom: Accessing the reporting server from a web browser hangs.
Solution: The problem is caused because Internet Explorer cannot find the HTML body before the web page is loaded. Fixed the issue by modifying the body-checking mechanism, which results in lower CPU consumption.
Server logs show that the Antivirus and Spyware policy was corrupt after migration from SAV 10.x
Fix ID: 2699388
Symptom: The log file states that the Antivirus and Spyware policy is corrupt when it is not.
Solution: Fixed the issue, which was caused because some Antivirus and Spyware policies did not have the necessary Auto-Protect actions. This generated a log entry in Symantec Endpoint Protection Manager.
Time lag in copying Risk log
Fix ID: 2702682
Symptom: Risk logs are transferred to the external Syslog Server with a delay of between 15 minutes and 2 hours.
Solution: Fixed the code that caused the delay.
The management server does not remove the database backup files
Fix ID: 2703417
Symptom: The "Remove the database backup files during uninstall" feature doesn't work if the server data folder has been moved.
Solution: Fixed by deleting the current data area in conf.properties when the data and backup folders are deleted.
Errors are generated due to disabled loopback adapter
Fix ID: 2704835
Symptom: "Authentication failure. Please try again" errors are generated by securitynotifytask or scheduledreportingtask when the owner/creator of the notification or report is valid.
Solution: Fixed the code to allow the IP request from the local computer.
Folder exclusions for scans do not work
Fix ID: 2705877
Symptom: Exclusions for a folder in the format of \foldername work for Auto-Protect but fail for manual and scheduled scans.
Solution: Fixed by expanding the folder exclusions for all possible drives. Folder exclusions now work for manual scans.
Notification not logged in notification view
Fix ID: 2712563
Symptom: "Single Risk Event" notification is not logged in the notification view in Symantec Endpoint Protection Manager when the event was triggered.
Solution: When a single risk event occurs, Symantec Endpoint Protection Manager now writes it to the database, where you can view it by clicking Notifications > View notifications.
Connection pool timeout on Symantec Endpoint Protection Manager
Fix ID: 2713908
Symptom: Cannot connect the Symantec Endpoint Protection Manager console with the database.
Solution: Deleted the unnecessary database connections that do not close.
Clients do not update definitions downloaded from Symantec Endpoint Protection Manager
Fix ID: 2715989
Symptom: After the clients come out of standby, the definitions are not updated until after Symantec Endpoint Protection Manager is restarted.
Solution: Fixed so that LiveUpdate restarts after the client computer recovers from standby.
"Definitions out of date" notification is not triggered
Fix ID: 2726085
Symptom: The notifications for "Definitions out of date" do not trigger if the "Computer name" filter is applied.
Solution: Fixed an issue where the SQL parameter "Computer name" was not set.
Virus definitions use too much disk space
Fix ID: 2733222
Symptom: Virus definitions are not removed after updates, which uses a large amount of disk space.
Solution: Cleaned up definitions directories that resulted from a failure when integrating definitions.
Registry value not cleaned up
Fix ID: 2733251
Symptom: Some registry keys were left behind after uninstalling the client.
Solution: Fixed by deleting the registry keys that were added after initial installation.
Some system files are not visible in the unmanaged client user interface
Fix ID: 2740080
Symptom: Unable to exclude VMMS.EXE and VMWP.EXE in W2K8R2 in an unmanaged SEP 11.0 RU7 MP1 client.
Solution: Fixed the issue by calling an API that allows the viewing of all system files.
Remote push install of Symantec Endpoint Protection 11 RU7 MP1 with Lotus Notes email plug-in displays an error
Fix ID: 2743085
Symptom: When other users attempt to log on to the computer during a remote push of the client with the Lotus Notes plug-in, the following error message appears: "The User Profile Service failed the logon user profile cannot be loaded."
Solution: Added an API to retrieve the correct environment variable to correctly set the path in the registry key.
With Lotus Notes plug-in, the existing user can log on but new user gets error message
Fix ID: 2757734
Symptom: Limited admins can log on to the management server, but get the following error message: "Symantec Antivirus has stopped working." The nlnvp.dll is not loaded in nlnotes.exe and is not included in notes.ini file.
Solution: Fixed an issue that was not making the correct calls.
Older definitions are not removed
Fix ID: 2765535
Symptom: Virus definitions are sometimes not removed after being updated.
Solution: Fixed by allowing the removal of older definitions per customer settings.
.err files are not cleaned up
Fix ID: 2767546
Symptom: Files with the .err extension are produced but not cleaned up. This causes the parsing of events to be missed by Symantec Endpoint Protection Manager.
Solution: Fixed the code to bypass the error. Symantec Endpoint Protection Manager will continue to process the log and log the error line.
Limited admins cannot see LiveUpdate policy
Fix ID: 2770776
Symptom: The LiveUpdate policy does not appear correctly for limited administrators.
Solution: Fixed the issue by displaying the user selection for the limited administrator even if the checkbox is read-only.
Many *.tmp files are created under Common Client folder
Fix ID: 2775251
Symptom: After an Auto-Protect remediation and client restart, some .tmp files may remain in the \alluser\symantec\CommonClient folder.
Solution: Fixed the issue by adding a registry key to control the Auto-Protect thread exit time threshold (60 seconds by default).
Smc service crashes when using the Group Update Provider (GUP)
Fix ID: 2777440
Symptom: The GUP crashes in an environment without the bypass list in the current user's proxy settings.
Solution: Fixed by adding a null pointer check when copying the settings.
Symantec Endpoint Protection Manager Scan log status is not updated
Fix ID: 2778391
Symptom: The scan status of the Scan log doesn't get updated when an administrator-defined scheduled scan is suspended and then completed.
Solution: Fixed by adding the suspended event into a list of known events that the management server will process.
Scan time is not reported
Fix ID: 2782191
Symptom: The Symantec AntiVirus for Linux client does not report the last scan time to Symantec Endpoint Protection Manager.
Solution: Fixed by updating the LAST_SCAN_TIME in the table when processing the Security log from the Symantec AntiVirus Linux client.
Incorrect grouping in Symantec Endpoint Protection Manager reports
Fix ID: 2783830
Symptom: The Group by field in Symantec Endpoint Protection Manager reports always groups by the "Risk Severity" category. The correct Group by appears in edit mode.
Solution: Fixed by correcting the "group_by" string values.
RADIUS settings not saved for the Enforcer
Fix ID: 2791090
Symptom: The management server does not save the Enforcer RADIUS settings.
Solution: Fixed by removing a broken or unused management server list. When you edit the Enforcer properties, the broken or unused management server list is now skipped.
File or folder exclusions do not appear in the client
Fix ID: 2798801
Symptom: With Windows Server 2008 R2 Core and Symantec Endpoint Protection 11 RU7 MP1 or MP2, you could not add a folder or file exception in the Symantec Endpoint Protection client.
Solution: Fixed the issue by removing the flag that displays the browse dialog correctly.
Unmanaged client appears in the Symantec Endpoint Protection Manager console
Fix ID: 2800124
Symptom: When you create and deploy a client installation package using the default group policy settings but with the Use Group Communication Settings setting turned off, an unmanaged client is installed.
Solution: Fixed an issue to remove the location-level communication settings in the exported package.
Symantec AntiVirus for Linux logs are not replicated
Fix ID: 2804484, 2915591
Symptom: Symantec AntiVirus for Linux logs do not get replicated to remote sites.
Solution: Fixed an issue where legacy clients were deleted from some tables during replication.
Replication failed
Fix ID: 2810324
Symptom: The replication fails continuously. The data.zip file is generated and transferred, but replication is not successful.
Solution: Fixed this issue by cloning the default management server list in the Enforcer's policy.
End user can stop administrator-defined scans
Fix ID: 2823247
Symptom: Normally, when an administrator-defined scan runs and the scan dialog appears, users are not allowed to stop the scan. However, users can still stop the scan by pressing the Return key.
Solution: Fixed so that the admin setting is correctly processed if a user tries to stop a scan.
Clients do not communicate with Symantec Endpoint Protection Manager after a failed migration
Fix ID: 2823318
Symptom: After a failed migration from a 32-bit management server to a 64-bit management server, some clients stop communicating with the management server. To work around this issue, you could reimport the sylink file.
Solution: Fixed the issue by synchronizing the certificate between the database and the disk.
GUP list is reset
Fix ID: 2823881
Symptom: The GUP list is reset at midnight during database maintenance.
Solution: Fixed an incorrectly used operator in the SQL query.
Cannot log filename or directory name with "L SC" option
Fix ID: 2825062
Symptom: vpdebug.log cannot log the .dbcs file name and directory name with the "L SC" option. This happens on files or folders that contain Unicode characters.
Solution: Fixed the issue by converting the Unicode character to a multi-byte character in the function.
Lotus Notes scan records are left on the client computer
Fix ID: 2834021
Symptom: The default behavior is for scan records for Lotus Notes to remain on the client computer. You had to change the default value on each computer manually.
Solution: The default setting in the registry for Lotus Notes Auto-Protect is now "NotLeaveScanRecords=1."
OEMxx.inf files are deleted
Fix ID: 2838172
Symptom: The oem13.inf and oem14.inf files are deleted when uninstalling the client.
Solution: Fixed the issue by checking whether files are Symantec drivers before the files are deleted.
When Application and Device Control is enabled, Firefox hangs when user accesses pages with Flash content
Fix ID: 2877820
Symptom: When Application and Device Control is enabled, and the user accesses Flash-based content with Firefox 13.0.1 and the Flash player plug-in 11.3.300.242, the browser hangs and the user must kill the process manually.
Solution: Fixed the issue that caused the hang.
The Symantec Endpoint Protection Manager service crashes
Fix ID: 2883310
Symptom: The management server service crashes when you use a different version of the Java remote console.
Solution: Fixed the issue by adding a product version check (excluding the build number) between the console and the management server.
Performance impact with Limited Admin rights
Fix ID: 2885818
Symptom: The Home page and the client groups take a long time to load in the Symantec Endpoint Protection Manager Java remote console when you are logged on with a limited administrator account.
Solution: Improved the limited administrator performance issues and reduced the number of times the administrator context is reloaded.
Scan status in the Scan log is not getting updated
Fix ID: 2887476
Symptom: Scan status in the Scan log doesn't get updated when an administrator-defined scheduled scan is suspended and then completed.
Solution: Fixed an issue where the suspended status and scan complete info was not recorded correctly.
Pie chart rendering failure with error ezcGraphInvalidDataException
Fix ID: 2898439
Symptom: There is a pie chart rendering failure on the Symantec Endpoint Protection Manager Monitor tab > Comprehensive Risk Report > Risk Distribution graph.
Solution: Fixed an issue to deal with the computed percent value if it is < 0.
Component versions
| Component | Version |
| AutoProtect | 10.3.8.7 |
| Behavior Blocking | 3.5.3.004 |
| CCEraser | 20072.0.1.6 |
| COH | 6.1.16.2 |
| Common Client | 106.5.7.006 |
| DecABI | 1.2.7.1 |
| Defutils | 4.1.5.4 |
| ECOM | 61.3.0.17 |
| Intelligent Updater | 1.0.1.6 |
| LiveUpdate | 3.3.0.115 |
| LiveUpdateAdmin | 2.3.1 |
| MAC Client | 11.0.6970.236 |
| Microdefs | 2.7.0.13 |
| QServer | 3.6.7300.64 |
| SAV | 11.0.7300.228 |
| SNAC | 11.0.7300.183 |
| SyKnAppS | 3.0.3.3 |
| SymEvent | 12.8.6.38 |
| SymNetDrv | 7.2.6.1 |
| SymProtect (Tamper Protection) | 3.5.1.3 |
| Teefer2 | 11.0.6970.30 |
| Teefer3 | 11.0.5602.47 |
| VxMS (MSLight ) | 5.2.1.3 |
| WpsHelper* | 12.4.0.23 |
| PHP | 5.3.14.0 |
| SAVFL | 1.0.14 |
| JRE | 1.7.08 |
| TomCat | 7.0.27 |
| Boost | 1.49 |
| LibPNG | 1.2.47 |
| LibXML | 2.7.8 |
| OpenSSL | 0.9.8x |
| cURL | 7.26.0 |
*WPSHelper updates to the latest available version when LiveUpdate runs successfully.
Release Update 7 Maintenance Patch 2 (RU7 MP2)
For complete information on new features in this release, system requirements, and known issues, see this document. For new fixes and component versions, see below.
New fixes in this version
Auto-Protect and Scheduled Scan (ERASER) behave differently on risk detection
Fix ID: 2030979
Symptom: When scan actions are set to first "Clean Risk" and second "Quarantine", a scheduled scan Quarantines risks while Auto-Protect deletes them.
Solution: Actions taken by Auto-Protect are now the same as the actions taken by a manual or scheduled scan.
Files re-detected during Defwatch scan
Fix ID: 2067778
Symptom: DWHxxxx.tmp files are being re-detected when Defwatch scan is running.
Solution: Fixed some scan issues, making the scan faster. Also created a separate folder to rescan Quarantine items that can be used to create exceptions.
Client Security Alert Notifications do not contain data
Fix ID: 2100605
Symptom: Client Security Alert Notifications appear with no data.
Solution: Expected data was not returned upon a query. Fixed the query.
Cluster Server becomes non-responsive
Fix ID: 2228502
Symptom: Cluster Server becomes non-responsive when the server transitions from one node to another.
Solution: Moved the query of the mounted directory of the module out of the network traffic data checking cycle.
smc.exe crashes when large number of locations are configured
Fix ID: 2235166
Symptom: smc.exe crashes during an autolocation switch when it accesses an invalid address within a released object.
Solution: Fixed the problem maintaining the hash table of DNS host entries.
Database becomes corrupted
Fix ID: 2248662
Symptom: Database becomes corrupted after replication.
Solution: If an exception occurs while adding a group in the User interface, SEPM removes the group from Cache before the next save.
Cancelling sending Internet email with a large attachment file when Internet Email Auto-Protect is enabled causes the attachment file to be broken
Fix ID: 2249511
Symptom: When a user cancels sending email with Internet Email Auto-Protect enabled from Windows Mail (SMTP/POP3 mailer) while the mailer is sending the message, the message is sent to the address even though sending was cancelled. If the mail has large attachment files, the attachments arrive broken.
Solution: Changed to correctly handle the situation when a cancel command comes in while data is being prepared.
Differences in number of scanned files between Administrator and Users
Fix ID: 2282822
Symptom: The number of files scanned as Domain Administrator and Domain User is different.
Solution: Created a new folder, DecTemp, with rights to everyone so that the compressed files can be scanned via Decomposer.
APQxxxx.tmp files are being re-detected by scheduled or manual scan.
Fix ID: 2326228
Symptom: Threats detected by Auto-Protect are not added to Quarantine, and an infected APQxxxx.TMP file is left behind.
Solution: Corrected the error handling when failure occurs.
Error handling in case of Auto-Protect detected threats
Fix ID: 2344862
Symptom: If Quarantine folder access is blocked, scan results say Quarantine Successful, and (infected) APQxxxx.TMP file is left behind.
Solution: Detect the problem, log the related information, and delete the APQxxxx.TMP file.
SEPM does not create deltas in time
Fix ID: 2379262
Symptom: SEPM cannot create deltas quickly enough to satisfy large numbers of requests. The server gets multiple requests for the same delta, causing it to spend more time handling these requests. This takes away from actually creating the delta.
Solution: Added a delta request hash table to Secars. It will hold a list of pending requests and only send new requests to SEPM.
Clients cannot connect to server after performing threat tests
Fix ID: 2380290
Symptom: Server connectivity is lost after performing tests.
Solution: Reset the blocking flag after a connection is closed and set a limitation to SEP firewall TCP and UDP session.
Live Update fails
Fix ID: 2401024
Symptom: Event 1001 & 1004 occur, and LiveUpdate fails after deleting the old data folder.
Solution: Fixed a problem involving the Windows registry caused by the Windows Installer health check and self-repair.
'Scheduled Scan when user not logged in' is performed even after Administrator disallows it
Fix ID: 2407550
Symptom: The user-defined scheduled scan when no users are logged in is performed even when it is disabled through Anti policy.
Solution: Disable the corresponding “Perform the scheduled scan even when no users are logged on” option in the UI.
Scan runs twice
Fix ID: 2409368
Symptom: A scheduled scan runs 3 minutes after the last missed scheduled scan completes.
Solution: Fixed an issue where incorrect information was added into the registry key.
Quarantine server fails to connect to gateway.dis.symantec.com to submit files or download new definitions
Fix ID: 2419298
Symptom: Quarantine server 3.6 does not pass credentials for firewall/proxy that is configured in quarantine server console.
Solution: Added additional code to handle authentication needed by proxy (resolves error 407).
SEP cannot control Windows Firewall
Fix ID: 2419842
Symptom: Windows Firewall is enabled if IP address is renewed/released.
Solution: Added code to detect whether SEP firewall has been enabled on Win7/2008R2 and if not will retry to enable it. Also added code to deal with a very rare case where a call failed on Win7/2008R2 if the network service is not ready and the call returns a non-failure code.
PTP is off with "Waiting for updates" status
Fix ID: 2426074
Symptom: When updating the PTP definition, RUNDLL32.EXE fails to find the "Documents and Settings\All Users\Application Data\Symantec\SyKnAppS\SyKnAppS.dll" path.
Solution: Enhanced DIS engine to check for Short File Name to Long File Name conversion behavior setting.
Scan of USB drive does not pop up with scan window
Fix ID: 2438735
Symptom: If a USB drive is attached to the system and the file system within it is empty, the right click scan does not do anything.
Solution: Added error handling to deal with this case and show appropriate error dialog window.
Client cannot communicate with SEPM because SMC hangs
Fix ID: 2441903
Symptom: SMC hangs when receiving new AV commands, if it is processing some AV commands at the time.
Solution: Make a local copy of the command list before releasing a plug-in lock. This prevents the hang.
Cisco's VPN does not work when selected
Fix ID: 2450673
Symptom: When Location Criteria > Network Connection Type is set to [Cisco VPN], Cisco's VPN does not work.
Solution: There is a known limitation where "connection type = Cisco VPN" doesn't work with Cisco AnyConnect. The customer can use "NIC description" and "DNS suffix rule" as a workaround to this limitation.
Script error message appears in Java remote console
Fix ID: 2486836
Symptom: In French language SEPM, a script error message appears in Java remote console > Monitors > Logs/Reports.
Solution: Escape all single quotes in a text message passed as an input parameter to a JavaScript function.
Location specific Liveupdate policies are not correctly set
Fix ID: 2488603
Symptom: When "Remember Last Location" is disabled, location-specific Liveupdate policies are not correctly set at boot time.
Solution: The client now first checks, compares and updates the policy hash. After that, if it is the first time, it forces a policy update. Otherwise, it performs the update based on the return value of the initial check.
Scheduled report of Application and Device Control shows no data
Fix ID: 2510697
Symptom: When SEPM sends the Scheduled Report for Application and Device Control, only the "Default" filter shows data. When using the "Custom" filter, the data is reported as "No Data."
Solution: An incorrect filter was applied when a customized filter was used. This has been fixed.
Installation of SEP 11 causes Lotus Notes plug-in to crash
Fix ID: 2513096
Symptom: Lotus Notes Plug-in crashes causing user-specific Notes data directories not to be created.
Solution: Some internal pointers were not correctly initialized. Fixing this resolves the issue.
SEPM "unknown exception: 0x10010000" error: com.sygate.scm.server.task.TelemetrydataTask, referencing HTTP 409 conflict
Fix ID: 2513174
Symptom: SEPM generates this error frequently: "unknown exception: 0x10010000".
Solution: Provide an exception handler for a HTTP error that was previously not handled correctly.
Windows Security Center reports that virus protection is Off
Fix ID: 2517760
Symptom: Windows Security Center reports that virus protection is off when definitions are loaded.
Solution: During the definition update, the 'Virus Protection' status was not updated. This has been fixed.
Java app loses connection with SEP installed
Fix ID: 2519427
Symptom: The application downloads .jar files on startup to function. Downloads are never completed.
Solution: Increased the internal buffer cache to avoid this issue.
SMC Fault : IdsTrafficPipe!ParseString
Fix ID: 2525143
Symptom: Smc.exe crashes when applying a new custom IPS library.
Solution: Changed code to safely exit the string delimiter when reaching the end of the string.
Web console does not work correctly when using SSL and Self-signed certificates
Fix ID: 2525234
Symptom: Host name is converted to IP Address in web console upon login.
Solution: Removed the code that specifically converted hostname to IP address for web console during login.
Configured scans are not printed correctly
Fix ID: 2525405
Symptom: The "doscan /list" command does not print the configured scans correctly.
Solution: Set Locale correctly and convert the Unicode scan name data to the appropriate character set.
Smc.exe takes up CPU during idle time
Fix ID: 2525510
Symptom: Very high CPU usage on any computer with many TDI connections known to wpsdrvnt.
Solution: Optimize the code to improve performance.
"Security Risk found" message is not recorded in Windows application event log
Fix ID: 2525521
Symptom: When an infected file within a zip archive is scanned and the file path length is more than 26 bytes, an event ID 51 "Security Risk Found!" is not recorded in the Windows application event log.
Solution: Fixed the parsing of the log events before it adds the entry to the event log.
User-specific notes directories are not created
Fix ID: 2526318
Symptom: Lotus Notes Plug-in crashes, causing user-specific Notes data directories not to be created.
Solution: Some internal pointers were not properly initialized. Fixing this resolves the issue.
Unable to install SEP
Fix ID: 2527479
Symptom: Installation rolls back during the configuring services stage.
Solution: Fixed a buffer overrun error that caused the installation to be rolled back.
Client can't come back to the previous Group Update Provider (GUP) if it has already been shut down
Fix ID: 2531477
Symptom: If there are two GUPs, A and B, where A is off and B is on, clients will download from GUP B. If B is turned off and A is turned on, the client insists on downloading from B and does not try A again.
Solution: If the end of the list is reached, reset the GUP to "NO_RESPONSE" status. Then in the next try, Sylink will iterate from the start.
Modification date of Notes document is changed while Notes Auto-Protect is enabled
Fix ID: 2534512
Symptom: When an attachment file is opened, it is scanned, even though the Notes document has not been updated or the virus definition has not been updated since the last scan for the temporary file.
Solution: Improved the bookkeeping function on when an attachment is scanned, so that the plug-in skips the file next time if it remains unchanged.
Enforcer groups become corrupted after a policy export/import, if replication is used
Fix ID: 2536571
Symptom: Enforcer groups become corrupted after policy export/import and replication, with an "unexpected exception" error. DBvalidator errors exist.
Solution: Use the existing Enforcer policy object reference when importing the policy, since the same object reference exists in the remote partner.
Error message after upgrading from SEP11
Fix ID: 2551819
Symptom: Issues when restarting the system. Error message "The Extend WG Protocol Driver service failed to start due to the following error: The system cannot find the file specified."
Solution: Fixed an issue with updating a registry entry (both 32bit and 64bit).
SEP Firewall blocks USB-over-wireless traffic
Fix ID: 2556466
Symptom: Wireless mouse interoperability problem with SEP Firewall.
Solution: Added default firewall rules to allow for client control mode and USB over IEEE802.
Sustained SMC.exe CPU utilization on virtualized Windows 2003 32-Bit Citrix XenApp terminal
Fix ID: 2559467
Symptom: Very high CPU usage on any machine with many TDI connections known to wpsdrvnt.
Solution: Better handling of how simultaneous calls are prioritized and processed.
Custom Application Control rule in place with test mode causes blue screen crash
Fix ID: 2559560
Symptom: Enabling a custom rule to block access to VPN configuration files in test mode only causes random crashes.
Solution: The process information list was damaged. The issue was resolved by adding a lock when doing process information updates.
Incorrect count of computers with out-of-date IPS and total computer count
Fix ID: 2559712
Symptom: From the Security status detail, the count of IPS out-of-date is more than the SEP endpoints that included the NTP feature.
Solution: Clients that do not have the Firewall feature are excluded.
ScanDuration DWORD value is not removed from registry when disabled through policy
Fix ID: 2561077
Symptom: Full system scans scheduled weekly with missed events, scanning limit and scan start randomization enabled fail to complete. They are logged as "scan suspended" after a few minutes of scanning.
Solution: Fixed an issue where SEPM was not updating the default profile correctly.
Firewall malfunctions after migrating unmanaged client from SEP 11.0 RU7 to SEP 12.1
Fix ID: 2567235
Symptom: Firewall malfunctions after migrating unmanaged client from SEP 11.0 RU7 to SEP 12.1. The issue is temporarily fixed after reinstall but then fails.
Solution: The order of deleting a particular registry key and system file has been corrected.
SEPM sends notifications related to "The root cannot be deleted"
Fix ID: 2570868
Symptom: "The root cannot be deleted" appears when the querying ID contains an invalid character.
Solution: Changed the code related to the relevant error message.
Volume Shadow copies fail to be created in a clustered environment after a scheduled scan
Fix ID: 2575285
Symptom: After a scheduled scan, the VSS service can no longer create shadow copies on the mount drive for the mounted volume.
Solution: A problem in how ccScan is integrated with Windows Single-Instance Store (SIS) and its backup was corrected.
PSLucomServer_3_3.DLL is missing from 11.0.6 clients that repeatedly download TruScan definitions
Fix ID: 2575446
Symptom: The file is missing after rebooting the computer.
Solution: Fixed an issue where a file was deleted but the registry key was not cleaned up.
Application rule to allow traffic does not function
Fix ID: 2575698
Symptom: SEP Firewall blocks traffic to an application despite a rule allowing the application by file name and path.
Solution: Fixed an issue in teefer3 that caused a "\" character to be removed in the path.
Installing Network Threat Protection (NTP) causes loss in communication
Fix ID: 2575843
Symptom: Installing SEP with NTP causes the client to lose all communications with SEPM. All other network traffic remains unaffected.
Solution: Fixed the issue where a needed attribute was missing from a specific dll.
Process SecurityMiningTask can not lock the process status table
Fix ID: 2576036
Symptom: There are two symptoms for this.
- There is a repeated message in the server console: "process SecurityMiningTask cannot lock the process statustable. The process status has been locked by the server"
- In the server log there are related lines: "FINEST: Blob data: Host Integrity check failed to complete because the configuration file is not complete or has been corrupted".
Solution: Started filtering old security logs that are already processed and added a setting to avoid missing records.
Unexpected behavior when out of space for definitions on SEPM
Fix ID: 2582206
Symptom: When SEPM runs out of disk space to store definitions, unexpected behavior occurs.
Solution: SEPM now checks disk space on functions that require writing to disk. Two new settings are added in conf.properties file:
- scm.server.diskspace.warning=1024
- scm.server.diskspace.severe=512
Units are in MB, and default values are as noted above.
A newly added group is broken
Fix ID: 2585686
Symptom: Exceptions happen while adding a group. Consequently, SemClientGroupTree modification and SemGroupPolicy inserting also fail.
Solution: Remove the group when an exception happens during "add a new group" in the UI.
Incorrect date and time while running Comprehensive scheduled reports
Fix ID: 2593263
Symptom: The "Risk comprehensive scheduled reports" do not update the time range even if the scheduled report is run repeatedly.
Solution: A field was added. Another issue was fixed with legacy data table settings.
After upgrading SEPM to RU7, Java Heap space errors and "OutOfMemoryError: GC overhead limit exceeded" error when replication is triggered
Fix ID: 2595106
Symptom: The size of the object that records site information keeps growing.
Solution: Corrected the mechanism that records the site information such that it does not cause memory issues.
Error: "Unexpected console error 0x80010000" and broken links on SEPM group policy
Fix ID: 2597044
Symptom: After a failed replication, the following message is seen on SEPM: "Unexpected console error 0x80010000"
Solution: Remove the group when an exception happens while adding a new group in the UI.
On a computer low in resources, blue screen error may occur while running a vulnerability scan
Fix ID: 2598652
Symptom: Blue screen error occurs on some computers after upgrading to RU7 and running vulnerability scans.
Solution: Fixed an issue where an access is made without checking the validity of the data.
Client count in SEPM computer status report doesn't match count in group details tab
Fix ID: 2600601
Symptom: SEPM Computer Status report has a different client count than the Clients tab.
Solution: Use the same logic to query registered computer and user count between client details, client properties and computer status report.
SMC crashes periodically
Fix ID: 2606596
Symptom: GUPs experience periodic crashes on application Smc.exe. Fault address 0x00014eee.
Solution: Fixed an issue where memory used by the cache list was not released after a memory allocation failure when loading content. A second fix ensures that if the cache file of a valid cache entry is removed from disk, the status of the entry is reset and the file is downloaded again.
Clients are not blocking as expected when using the blacklisting feature
Fix ID: 2608450
Symptom: Blacklist policies are not effective.
Solution: Fixed an issue where the policy parsing function did not download the protectionxx.dat file correctly.
An administrator account with space in the name cannot be deleted if it owns a scheduled scan
Fix ID: 2612812
Symptom: The following message appears: "Unexpected server error [0x10010000]"
Solution: Encoded the owner name in the URL request string.
SEPM service crashes when accessed by incorrect console
Fix ID: 2614798
Symptom: In the local console of RU7 SEPM, if server field is changed from localhost to point to an RU6 MP3 SEPM, then by logging in as SEPM administrator and clicking on client tab, RU6-MP3 SEPM service crashes.
Solution: Fixed SEPM to log the exception at both client and server console and server.
Removal of a policy removes all related historical activity entry of that policy
Fix ID: 2614962
Symptom: If the policy is removed, all of the related historical activity pertaining to that policy is also removed, even though the historical entry is still present in Monitors > Logs > Audit.
Solution: Fixed so that, for policies and policy components, all logs that belong to the domain and the same object type are shown.
SEPM risk reports do not show anything after TruScan Risk log filter is enabled
Fix ID: 2620537
Symptom: There are options under Advanced filter settings for Risk logs for PTP events in scan type filter (Truscan). Therefore it is expected that PTP events in Risk Logs will be seen.
Solution: Truscan related options are removed from event type on risk log pages.
During upgrade of Hummingbird Exceed V.14 on systems with the SEP client, the install fails
Fix ID: 2622110
Symptom: During upgrade of Hummingbird Exceed V.14 on SEP client the install fails with the following error: "Open Text Exceed 14 -- Error 1406.Could not write value to key \Xstart.XstartCom.1\CLSID. System error Verify that you have sufficient access to that key, or contact your support personnel."
Solution: Rolled back an earlier fix that caused this issue.
"OutOfMemoryError: GC overhead limit exceeded" errors
Fix ID: 2623401
Symptom: Messages appear that indicate out of memory on SEPM.
Solution: Added a limitation on the minimum value of date filtering to avoid querying records that are old. The configuration in conf.properties is: scm.securityalertnotifytask.analyzetimerange.deltaforminimum
Out of Memory Messages
Fix ID: 2628941
Symptom: Many login requests in a short amount of time result in out of memory message.
Solution: There were two changes made to fix this issue.
- The cookie was saved correctly after login to tomcat in notification task. This allowed terminating the session properly after logoff.
- Session info is now recorded in the log file owned by thread.
Searching for invalid client ID causes an exception
Fix ID: 2634470
Symptom: While searching for Client by computer ID, entering an invalid ID causes an exception.
Solution: This action is by design. To improve the error handling, the blank spaces in "Logon User Name" and "Computer Name" are now not trimmed, but the blank spaces in "Computer ID" are now trimmed.
"Authentication failure" errors
Fix ID: 2635104
Symptom: Repeated "authentication failure" errors are seen on the Admin > Servers page in the SEPM. The System Server Activity Logs show many errors and the error type reads "An unexpected exception has occurred".
Solution: This issue is seen when the owner of a report is deleted. The fix is to allow a notification to be generated and to allow changing the ownership of the report.
Internal LiveUpdate server fails to connect when double byte characters are used in Server name
Fix ID: 2635398
Symptom: The SEP client is unable to connect to the internal LiveUpdate server with authentication information (user ID/password) supplied by a LiveUpdate policy, if the "Server name:" field in the LiveUpdate policy includes an MBCS character string.
Solution: Provide the right data so that the decryption key can be correctly generated.
The duration for weekly scan retry time changes
Fix ID: 2637991, 2647871
Symptom: The upper limit for weekly scheduled scans is seven (7) days. It shows up as three (3) instead.
Solution: Fixed the issue where the maximum duration was incorrectly showing as three (3) days.
Interrupted Active Directory Sync results in widespread client group deletion
Fix ID: 2638516
Symptom: SEPM drops or deletes a large number of Active Directory synchronized client groups from the SEPM.
Solution: The issue was with Active Directory synchronization continuing to run even when a communication exception occurred. This is now fixed and Active Directory synchronization is now interrupted.
Adding PTP feature using Auto-Upgrade does not follow update schedule
Fix ID: 2639011
Symptom: The upgrade starts immediately and does not follow the upgrade schedule. This happens if the upgrade package version is the same as the installed client version and auto-upgrade function is used to update client features.
Solution: Added a specific return code to handle this scenario. SMC returns this code to indicate that the upgrade package is needed, but it does not have to be downloaded. The upgrade schedule and user notification are controlled. When there is a request for upgrade it is fulfilled from the cache. If applying new features with cached installer fails, a full package is downloaded from the server.
Modification date of Lotus Notes document is changed while Lotus Notes Auto-Protect is enabled
Fix ID: 2641800
Symptom: When Lotus Notes Auto-Protect scans attachments of a Lotus Notes Journal Document, it records some text properties to the document. This is done so Lotus Notes Auto-Protect can determine whether it is necessary to scan the attachments when the document is opened. This reduces the number of attachment scans and improves system performance. However, after the scan runs for attachments, the Lotus Notes GUI shows that the document has been updated.
Solution: Added the following registry value. If this registry value exists and is set to 1, Lotus Notes Auto-Protect does not leave the records after scanning attachments.
- Registry Key (for x86): HKLM\Software\Symantec\Symantec Endpoint Protection\AV\Storages\LotusNotes
- Registry Key (for x64): HKLM\Software\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\LotusNotes
- Registry Value: NotLeaveScanRecords
- Type: REG_DWORD
- Data: 1 (not to leave the records after scanning attachments), or other
Note: Setting the registry value to 1 may cause performance impact as attachments are scanned every time they are opened.
Sysfer injection causes the "M-Files" application to stop responding
Fix ID: 2643257
Symptom: The M-Files application hangs when a new file or document is created.
Solution: The presence of the sysfer.dll module causes the mfclient.exe process to stop responding when a new document or file is created. The fix is to use an extra critical section and separate the code to avoid calling the Kernel32 API after obtaining the lock.
Clients do not communicate with the Symantec Endpoint Protection Manager (SEPM)
Fix ID: 2657985
Symptom: The policy serial number is blank and database validation fails after configuring replication.
Solution: Added broken link check in SEPM publishing area.
Policy serial number is blank and database validation fails
Fix ID: 2662405
Symptom: After configuring replication, the Policy serial number is blank and there are Prolog errors in the Admin - Server site. Further, client packages cannot be exported and the clients do not report the replication partner.
Solution: The issue was caused by the presence of a "-->" string. This string in the description of metadata marks the replicated XML content as broken and creates exceptions. This was fixed by reading the last "-->" as the end of description for replication.
Clients bypass recently promoted GUP in favor of SEPM
Fix ID: 2673894
Symptom: Sometimes the clients will bypass a newly promoted GUP and connect directly to SEPM even though the GUP is set to "never bypass".
Solution: Fixed an issue where if the GUP list was empty, the client would bypass to SEPM even if the policy did not allow it.
A lot of temp files are kept in tomcat\temp directory
Fix ID: 2675567
Symptom: Many jtdsxxxx.tmp files including Java Heap Dump [semsvc_heap.hprof] build up in the tomcat\temp directory.
Solution: Developed a cleanup mechanism in a separate task to clean up old accumulated JTDS tmp files.
Add 'Sophos version 9.0', 'Trend Micro version 10.0', and 'AVG version 9.0' support for Host Integrity template
Fix ID: 2677531, 2677532, 2677534
Symptom: Host Integrity cannot detect the AV signature correctly.
Solution: Added support to the Host Integrity template.
The date of the next scheduled scan is incorrectly shown when the scheduled scan is aborted
Fix ID: 2679293
Symptom: If a scheduled scan starts and is aborted mid run, the next scheduled scan time is shown as double the expectation.
Solution: Fixed the issue where the time for next scheduled scan was being incorrectly calculated. This happened because the time for next scan got incorrectly added to the last scheduled scan time.
Error: BugCheck_STR: 0x8E referencing sysplant
Fix ID: 2688234
Symptom: Application and Device Control feature causes blue screen error when the machine enters hibernation.
Solution: Added a hook to link to the library only once and improved error handling.
Component versions
| Component | Version |
| AutoProtect | 10.3.8.7 |
| Behavior Blocking | 3.5.3.004 |
| CCEraser | 20072.0.1.6 |
| COH | 6.1.15.3 |
| Common Client | 106.5.6.002 |
| DecABI | 1.2.7.1 |
| Defutils | 4.1.4.3 |
| ECOM | 61.3.0.17 |
| Intelligent Updater | 1.0.1.6 |
| LiveUpdate | 3.3.0.115 |
| LiveUpdateAdmin | 2.3.1 |
| MAC Client | 11.0.6970.236 |
| Microdefs | 2.7.0.13 |
| QServer | 3.6.7180.64 |
| SNAC Scanner | 5.1.5.94 |
| SyKnAppS | 3.0.3.3 |
| SymEvent | 12.8.6.38 |
| SymNetDrv | 7.2.6.1 |
| SymProtect (Tamper Protection) | 3.5.1.3 |
| Teefer2 | 11.0.6970.30 |
| Teefer3 | 11.0.5602.45 |
| VxMS (MSLight) | 5.2.1.3 |
| WpsHelper | 12.3.0.4 |
| PHP | 5.3.10.0 |
| SAVFL | 1.0.13.16 |
| JRE | 1.6.0_31 |
| TomCat | 6.0.35 |
| Boost | 1.49 |
| LibPNG | 1.2.47 |
| LibXML | 2.7.8 |
| OpenSSL | 0.9.8t |
| cURL | 7.24.0 |
Release Update 7 Maintenance Patch 1 (RU7 MP1)
What's new in this release
The current release includes the following improvements that make Symantec Endpoint Protection and Symantec Network Access Control easier and more efficient to use:
Administrator-defined scan extensions increased to 12 characters
Fix ID: 2337151
Previous behavior: The Symantec Endpoint Protection Manager administrator could not add more than four characters when specifying file extensions to scan during an administrator-defined scan.
Enhancement: The file extension limit was increased from 4 to 12 characters.
Quarantine dialog allows full path entry
Fix ID: 2362970
Previous behavior: In Symantec Endpoint Protection 11.0 RU6 MP1 or earlier, the Quarantine dialog allowed the user to enter or browse to a file path. In RU6 MP2 and later, this dialog was modified to show folders only. The user would like to return to the original file path behavior.
Solution: A flag to a Microsoft API was added to allow the user to browse to a full file path in the quarantine dialog.
Top impacting problems resolved in RU7 MP1
SMC.exe handle count on a GUP computer increases over time
Fix ID: 2399799
Symptom: On a client configured as a GUP, the handle count of SMC.exe increases over time, and eventually the computer becomes unresponsive.
Solution: SMC.exe was modified to prevent the handle leak.
Perl application in Cygwin terminates with fatal error "couldn't allocate heap"
Fix ID: 2241805
Symptom: CygWin terminates with fatal error "couldn't allocate heap" when running a Perl script with an active Application and Device Control policy.
Solution: The Application and Device Control driver (sysplant.sys) memory allocation routine was modified to prevent this crash.
SMC.exe process terminates unexpectedly
Fix ID: 2326986
Symptom: The SMC.exe process terminates unexpectedly when retrieving the system default proxy configuration. This occurs when the user selects "Update Policy" from the tray icon.
Solution: SMC.exe was modified to process the proxy name and bypass settings correctly when the fields are empty.
Domain controller becomes unresponsive after installation of Symantec Endpoint Protection 11.0 RU6 MP3
Fix ID: 2393251
Symptom: A domain controller may become unresponsive to RPC, authentications, replication, and file sharing after installation of Symantec Endpoint Protection 11.0 RU6-MP3. The server still answers to ping.
Solution: The AutoProtect driver (srtsp.sys) was modified to prevent a condition where calling into the mount manager could cause a deadlock.
Ports are abandoned in the CLOSE_WAIT state by GUP-to-Manager communication
Fix ID: 2413202
Symptom: Computers acting as static GUPs show a progressive performance degradation over time until they become unresponsive to network communications. The computer must be restarted to restore network connectivity.
Solution: SMC was modified to prevent the connection leak.
Symantec Endpoint Protection clients cycle through Management Server lists continuously (two solutions)
Fix ID: 2493886
Symptom: Symantec Endpoint Protection clients continually cycle through the Management Server Lists. The client will connect to one Symantec Endpoint Protection Manager, then another, and repeat.
Solution: The profile time is now converted to GMT to resolve a scenario where the profile does not match.
Fix ID: 2566167
Symptom: Symantec Endpoint Protection clients continually cycle through the Management Server Lists. The client will connect to one Symantec Endpoint Protection Manager, then another, and repeat. This occurs when clients are configured to download content from an internal LiveUpdate Administrator and the LUA policy contains a password to access the server.
Solution: Symantec Endpoint Protection was modified to ensure the encrypted password remains static when the policy is recompiled.
Computer status log shows virus definitions as "none"
Fix ID: 2023152
Symptom: When the client starts, SMC sends virus definition date information as "0" to the Symantec Endpoint Protection Manager. The computer status log in Symantec Endpoint Protection Manager shows a virus definition date as "none." The clients have the correct definitions. A workaround is to manually "Update Policy" or wait until the next heartbeat.
Solution: SMC was modified to send the correct virus definition data to the server on startup.
IPS status and numbers are incorrect in reporting
Fix ID: 2240928/2376877
Symptom: In some areas of Symantec Endpoint Protection Manager reporting, IPS signature data is inconsistent or incorrect. Affected areas include:
- Home > Security Status > More Details > Intrusion Prevention Signature Update Failures
- Reports > Quick Reports, where Report type = "Computer Status" and Select a report = "Intrusion Prevention Signature Distribution"
Solution: The Symantec Endpoint Protection Manager queries were modified to show the correct IPS client data.
Symantec Endpoint Protection client connects to Symantec LiveUpdate server despite being configured to use an internal LiveUpdate Administrator
Fix ID: 2267387
Symptom: On a managed Symantec Endpoint Protection client, if the local LiveUpdate settings file is corrupted, Symantec Endpoint Protection will revert to the default settings and connect to the Symantec LiveUpdate server.
Solution: To ensure the LUA server is always used, liveupdt.hst is kept in the LiveUpdate Install folder. As a backup measure, a last known good settings file (Settings.LastGood.LiveUpdate) is created. This file is used when the original settings file is missing or zero byte.
All resolved problems in RU7 MP1
COH32.exe consumes high CPU and high memory
Fix ID: 2247120
Symptom: The process COH32.exe consumes high CPU and 500 MB+ of memory every hour. By default, COH (part of Proactive Threat Protection) scans every hour and some CPU and memory usage is normal. In some environments the COH process may consume excessively high CPU and memory.
Solution: COH32.exe was modified to prevent a scenario where the scanner incorrectly identified too many processes to scan.
GUP hangs frequently, requiring a restart once every 24 hours
Fix ID: 2395985
Symptom: The SMC.exe process of a GUP computer may hang or crash unexpectedly.
Solution: SMC.exe was modified to prevent a condition where one thread could delete the Sylink configuration data while another thread still needed it.
SERVER_CLIENT_LOG EVENT_ID 23 & 24 are not translated for external logging file scm_agent_act.tmp
Fix ID: 2351718
Symptom: In the Schema Reference Guide, SERVER_CLIENT_LOG EVENT_ID numbers 23 and 24 are not translated for the external logging file scm_agent_act.tmp.
Solution: For reference, the following text was added to the readme.html:
Event ID 23 = Client has downloaded globalindex.dax
Event ID 24 = Client has downloaded GUP list
Data is missing in the "Infected Only" compliance report
Fix ID: 2295643
Symptom: No information is displayed for some clients in the "Infected Only" compliance report. This report can be reached via Monitors > Logs > Computer Status > Filter for "infected only."
Solution: Compressed file containers (.zip, .rar, etc.) are now excluded from the "infected only" report. Only infected file(s) from inside the container will be shown in the report.
Symantec Endpoint Protection Manager email notifications are sent repeatedly for old events
Fix ID: 2233045
Symptom: Multiple outbreak email notifications are sent during the damper period.
Solution: SQL queries were modified to prevent notifications during the damper period.
Symantec Network Access Control agent receives the message "Policy manager failed to verify client's UID"
Fix ID: 2310003
Symptom: A Symantec Network Access Control agent may become rejected during a VPN session with the Gateway Enforcer. The message "Policy manager failed to verify client's UID" appears in the compliance reports. The message "Get UID verify failed from Server <ID> for client <ID>" appears in the kernel logs.
Solution: The Symantec Network Access Control agent was modified to update the hash information with Symantec Endpoint Protection Manager if the hardware request was not completed successfully.
Client installations with AntiVirus only attempt to load the IPS library file sdi.dat and the SMC.exe process may crash
Fix ID: 2379995
Symptom: Installations that do not have NTP/IPS installed are still attempting to load the IPS library file "sdi.dat." If the IPS policy file is invalid the SMC.exe process may terminate unexpectedly.
Solution: SMC.exe was modified to only load the IPS policy when NTP is installed.
The client takes one hour or more to process a policy containing a large number of host entries
Fix ID: 2252732
Symptom: A policy contains a large number (10,000+) of host entries. It takes the client 1 hour or more to process the policy file.
Solution: An algorithm was optimized to allow the client to process the policy more quickly.
Ping response times are slow on Windows 2000
Fix ID: 1939651
Symptom: Ping response times are slow on a Windows 2000 computer running Symantec Endpoint Protection 11.0.
Solution: The process ID of incoming ICMP packets is set to "System" to allow the client firewall to process them more quickly.
Auto-exclusions for Exchange 2010 are lost after installing Symantec Mail Security for Microsoft Exchange
Fix ID: 2330319
Symptom: Symantec Endpoint Protection 11.0 is installed on a server and correctly auto-excludes the Microsoft Exchange directories. When Symantec Mail Security for Microsoft Exchange is installed, the auto-exclusions are lost.
Solution: Additional methods of detecting Microsoft Exchange were added to the Symantec Endpoint Protection client to allow it to find Exchange and create the auto-exclusions.
Commands run by the limited admin on a Read-only group cannot be processed
Fix ID: 2399598
Symptom: A command is run by a limited admin on a Read-only group. There is no error message and the clients do not process the request.
Solution: The message "User has insufficient rights to execute the command" will be displayed when the limited admin does not have access to run the command.
SMC.exe process consumes 25% CPU usage on Windows 2008 R2 terminal server when idle
Fix ID: 2350900
Symptom: The SMC.exe process consumes 25% or more CPU on a Windows 2008 R2 terminal server, even when sessions are idle.
Solution: The SMC.exe process was modified to improve performance on terminal servers.
SMC.exe fails to start when the policy file (serdef.dat) is corrupt
Fix ID: 2351705
Symptom: SMC.exe will fail to start when the policy file (serdef.dat) is corrupt.
Solution: SMC.exe will now use the backup.dat and server.dat instead of serdef.dat, if serdef.dat cannot be loaded.
Extra bracket "]" character in the Symantec Endpoint Protection Manager firewall rule when the protocol direction is outgoing
Fix ID: 2413452
Symptom: When new firewall policy rules are being created in Symantec Endpoint Protection Manager, there is a circumstance where an extra "]" appears in the entry in the "Content" column.
Solution: The extra character was removed.
Unapproved Application List does not populate correctly when a large number of records are present
Fix ID: 2273709
Symptom: The Unapproved Application List cannot be viewed if there are more than 20,000 entries.
Solution: The Symantec Endpoint Protection Manager console logic was fixed to handle lists greater than 20,000 entries.
Risk "Event End Date Time" is earlier than the "Event Date Time" on an external log server
Fix ID: 2392324
Symptom: The Symantec Endpoint Protection Manager inadvertently sends duplicate compressed log entries to an external log server. This results in events with an end date time earlier than the date time.
Solution: Symantec Endpoint Protection Manager was modified to get the latest site state from the database before updating the external log server.
Network Threat Full Report for the past three months or past one year cannot be generated
Fix ID: 2366417
Symptom: The Network Threat Full Report for the past three months or past one year cannot be generated. The report may reply with the message "The server received an invalid response from another server while attempting to fulfill the request" or "The page cannot be displayed."
Solution: A PHP file was optimized to allow the reports to run correctly.
Symantec Endpoint Protection Manager sends old entries to external log server
Fix ID: 2392317/2366479
Symptom: The Symantec Endpoint Protection Manager sends old entries to external log server. This results in duplicate log entries on the external log server.
Solution: Symantec Endpoint Protection Manager now properly tracks when logs are sent to the external log server to resolve this issue.
Scheduled or on-demand scan detects threat in Recycle Bin and nothing is logged in Application Event Log
Fix ID: 2380072
Symptom: When a scheduled or manual scan detects an infected file inside of a compressed file in a Recycle Bin, no event ID 51 is entered in the application log. If an infected file is detected on another drive an event ID 51 is logged; however, the file found in the Recycle bin is not listed in the event. The compressed file is deleted/quarantined as it should be, and the Symantec Endpoint Protection client logs all locations, but no event ID 51 is entered in the Windows Application Event log.
Solution: The Symantec Endpoint Protection client was modified to record logs directly when handling the anomaly log.
Client logs are not generated for external logging and are not sent to syslog server
Fix ID: 2390237
Symptom: In some scenarios, client logs are not generated for external logging and are not sent to the syslog server. This occurs in a replication scenario when a site is re-installed with the same name.
Solution: The external logging USN cache is now cleared when a site is added to a replication scenario.
Duplicate clients appear in Symantec Endpoint Protection Manager reports
Fix ID: 2436309
Symptom: An Active Directory-synced Symantec Endpoint Protection client that changes its Hardware ID no longer generates multiple SEM_CLIENT entries in the database. However, the leftover entries in the SEM_AGENT and SEM_COMPUTER tables affect Reporting and result in inflated client counts.
Solution: The Symantec Endpoint Protection Manager logic was fixed to re-use the computer ID when it is merged. In addition, all orphaned entries from the SEM_COMPUTER and SEM_AGENT tables are removed to avoid reporting conflicts.
Deleted groups are displayed in group selection drop down of Symantec Endpoint Protection Manager reports
Fix ID: 2033337
Symptom: Symantec Endpoint Protection Manager report filters show groups that have been deleted.
Solution: Symantec Endpoint Protection Manager now uses the deleted flag to restrict the group drop-down list to existing groups only.
GUP stops serving clients after the SMC service is restarted
Fix ID: 2349534
Symptom: When the SMC service is restarted, the client cannot open port 2967 and GUP stops delivering definitions to clients.
Solution: SMC was modified to prevent a condition where GUP would attempt to start before fully initialized.
GUP appears to fail content update and orphan a number of small files in SharedUpdates
Fix ID: 2371443
Symptom: GUP appears to fail content update and orphan a number of small files in SharedUpdates. These files contain only header information.
Solution: SMC was modified to prevent a condition where GUP state files are left on disk.
Symantec Endpoint Protection Manager services terminate unexpectedly and fail to start again. This may occur after migration to Symantec Endpoint Protection 11.0 RU7.
Fix ID: 2511715/2437330
Symptom: Symantec Endpoint Protection Manager services terminate unexpectedly and fail to start again. This may occur during or after migration to Symantec Endpoint Protection 11.0 RU7. The following message may appear in the Symantec Endpoint Protection Manager log:
SEVERE: Unexpected server error. in: com.sygate.scm.server.servlet.StartupServlet com.sygate.scm.server.metadata.MetadataException: Numeric overflow in conversion of value 2,147,485,326 to type INTEGER.
Solution: Symantec Endpoint Protection Manager was modified to resolve an integer overflow condition.
Symantec Endpoint Protection client with Internet Email AutoProtect cannot access port 465 on an SMTP server using SSL
Fix ID: 2329505
Symptom: A Symantec Endpoint Protection client with Internet Email AutoProtect enabled cannot connect to port 465 on the SMTP server with SSL enabled. The connection fails and times out.
Solution: A component of Internet Email AutoProtect (ccEmlPxy) was modified to allow use of port 465 for email submissions via SMTP tunneled over an initial SSL connection.
Scheduled scan terminates unexpectedly and may leave temporary scan data on the hard drive
Fix ID: 2315341
Symptom: A scheduled scan terminates unexpectedly and may leave temporary scan data on the hard drive. Over time this could consume all space on the drive.
Solution: A scanning component (ccScan) was modified to properly handle alternate data streams on stealthed files when the file cannot be accessed, there is a sharing violation, or the file is locked.
Auto-location switching does not work properly after upgrade to Symantec Endpoint Protection 11.0 RU6 MP2
Fix ID: 2317185
Symptom: After upgrade to Symantec Endpoint Protection 11.0 RU6 MP2 or later, auto-location switching does not work properly. The Symantec Endpoint Protection client does not switch to new locations as expected.
Solution: The Symantec Endpoint Protection client was modified to properly switch locations when the Wireless Zero Configuration Service (WZCSVC) service is stopped.
Limited admin can view data from a client group for which he does not have access
Fix ID: 2269664
Symptom: A limited admin can view unmanaged detector data from a client group where the admin has no access.
Solution: SQL queries were modified to enforce group access in Reporting Security Status 'More Details' and 'Find Unmanaged Computers'.
Event log error 11706, 1001, and 1004 after uninstallation of Symantec Endpoint Protection client from a Symantec Endpoint Protection Manager
Fix ID: 2173616
Symptom: The Symantec Endpoint Protection client software has been installed alongside Symantec Endpoint Protection Manager on the same computer. When the Symantec Endpoint Protection client is uninstalled, Symantec Endpoint Protection Manager's MSI resiliency detects a change and logs an error. Event log errors may include:
Event Type: Warning
Event Source: MsiInstaller
Event ID: 11706
No valid source could be found for product Symantec Endpoint Protection Manager.
Try the installation again using a valid copy of the installation package
'Symantec Endpoint Protection Manager.msi'
Event Type: Warning
Event Source: MsiInstaller
Event ID: 1001
Detection of product '{EAD22945-6D46-4073-8353-803523E9936B}, feature 'Bin' failed during request for component '{40B71840-0B33-42C7-A11D-EBDD5F3ACB63}'
Event Type: Warning
Event Source: MsiInstaller
Event ID: 1004
Detection of product '{EAD22945-6D46-4073-8353-803523E9936B}', feature 'Bin', component '{711CBE62-401D-47AC-8919-4C0029EC66DD}' failed. The resource 'C:\Program Files\Symantec\Symantec Endpoint Protection Manager\data\temp\UploadTemp\' does not exist.
Solution: The Symantec Endpoint Protection uninstaller was modified to keep a LiveUpdate registry key that is common to Symantec Endpoint Protection Manager, if the registry key is in use.
Symantec Endpoint Protection Manager web console does not allow a client install package to be fully configured
Fix ID: 2322366
Symptom: When logged into the Symantec Endpoint Protection Manager web console, edit the Client Install Package Properties. For "Client Features" the only option is "All features of Symantec Endpoint Protection." It is not possible to select other features.
Solution: The Symantec Endpoint Protection Manager web console was modified to allow the administrator to select other feature sets.
SymcorpUI.exe terminates unexpectedly
Fix ID: 2310799
Symptom: SymcorpUI.exe terminates unexpectedly with exception 0xc0000005.
Solution: SymcorpUI.exe was modified to prevent this crash.
Unmanaged client cannot perform a scheduled LiveUpdate on Windows 2000
Fix ID: 2329484
Symptom: An unmanaged client cannot perform a scheduled LiveUpdate on Windows 2000. Manually launching LiveUpdate is successful.
Solution: Symantec Endpoint Protection was modified to correctly handle a user token on Windows 2000.
Pressing Ctrl+Alt+Del causes blue screen error
Fix ID: 1848861
Symptom: Pressing Ctrl+Alt+Del causes a blue screen error with stop code 50.
Solution: The AutoProtect driver (srtsp.sys) was modified to prevent a condition where a scan could occur before the system volume was ready.
Custom scan cannot process files and folders
Fix ID: 2406379
Symptom: A custom scan may be unable to scan files and folders through a junction point on an NTFS volume.
Solution: A scanning component (ccScan) was modified to strip a trailing backslash from a junction point before a scan.
Manual scan terminates unexpectedly on Windows XP 64-bit
Fix ID: 2054028
Symptom: A manual scan does not complete and terminates unexpectedly on Windows XP SP2 64-bit.
Solution: Rtvscan was modified to prevent a crash during scanning on this operating system.
Installation of Symantec Endpoint Protection client causes Windows Defender to be set to "Manual" instead of "Disabled" on Windows 7
Fix ID: 2414274
Symptom: On Windows 7, Windows Defender service gets stopped and the service is set to Manual instead of "Disabled" after installing Symantec Endpoint Protection 11.0 RU6 MP3. On Windows XP and Windows Vista, the Windows Defender service is set to "Disabled" during the installation of the Symantec Endpoint Protection client.
Solution: The Symantec Endpoint Protection client installer was modified to properly set the Windows Defender status on Windows 7.
Symantec Endpoint Protection client content updates result in high I/O on SAN in a virtualized environment
Fix ID: 2399592
Symptom: The Storage Area Network (SAN) encounters high I/O utilization in a virtualized environment when clients download content.
Solution: The Symantec Endpoint Protection client was modified to prevent a scenario where the download randomization setting was ignored.
Client running Nortel VPN client freezes after establishing VPN tunnel
Fix ID: 2378999
Symptom: Client computers running the Nortel VPN client may freeze within 20 minutes of establishing a VPN tunnel. This issue occurs when Network Threat Protection is installed.
Solution: The Symantec Endpoint Protection firewall was modified to prevent a deadlock when querying process information.
Traffic log shows thousands of "Allow" entries for the rule "Allows NetBIOS UDP protocols in LAN subnet"
Fix ID: 2403041
Symptom: With Symantec Endpoint Protection in client control mode, the traffic log shows thousands of "Allow" entries for the rule "Allows NetBIOS UDP protocols in LAN subnet."
Solution: Default logging of the "Allows NetBIOS UDP protocols in LAN subnet" rule is now disabled in unmanaged or client control mode.
IPS exclusion by IP range does not work properly if remote IP is on the boundary of the range
Fix ID: 2336330
Symptom: Excluding IPS hosts by IP range does not work properly if the remote IP is on the boundary of the exclusion range. The remote IP is not excluded.
Solution: The IP range check was modified to properly exclude hosts.
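After applying this fix, an administrator can confirm the behavior with test addresses taken from the edges of each exclusion range. The following is an added example, not Symantec code: it derives those boundary test vectors and lists the addresses that a strict (exclusive) comparison would fail to exclude. The `start-end` range syntax, the function names, the sample addresses, and the exclusive comparison as the form of the defect are all assumptions made for illustration.

```python
"""Boundary test vectors for IPS host exclusions defined as IP ranges.

Added illustration, not Symantec code. The "start-end" range syntax and the
addresses in SAMPLE_RANGES are constructed for this example.
"""
import ipaddress

# Constructed sample policy: one ordinary range and one single-address range.
SAMPLE_RANGES = ["192.0.2.10-192.0.2.20", "198.51.100.7-198.51.100.7"]


def parse_range(text):
    """Parse 'a.b.c.d-e.f.g.h' into a (start, end) pair of IPv4Address."""
    first, sep, last = text.partition("-")
    if not sep:
        raise ValueError(f"not a range: {text!r}")
    start = ipaddress.IPv4Address(first.strip())
    end = ipaddress.IPv4Address(last.strip())
    if start > end:
        raise ValueError(f"range start is above range end: {text!r}")
    return start, end


def is_excluded(ip, ranges):
    """Inclusive check: both boundary addresses belong to the range."""
    addr = ipaddress.IPv4Address(ip)
    return any(start <= addr <= end for start, end in ranges)


def is_excluded_strict(ip, ranges):
    """Exclusive comparison that reproduces the reported symptom.

    This is an assumed form of the defect; the release notes do not show
    the original code.
    """
    addr = ipaddress.IPv4Address(ip)
    return any(start < addr < end for start, end in ranges)


def boundary_vectors(ranges):
    """Return sorted (address, expected_excluded) pairs around every edge.

    For each range this yields the first and last address (expected to be
    excluded) and the addresses just outside (expected not to be excluded,
    unless another range covers them).
    """
    vectors = {}
    for start, end in ranges:
        candidates = [start, end]
        if int(start) > 0:
            candidates.append(start - 1)
        if int(end) < 2**32 - 1:
            candidates.append(end + 1)
        for addr in candidates:
            vectors[str(addr)] = is_excluded(str(addr), ranges)
    return sorted(vectors.items(),
                  key=lambda item: int(ipaddress.IPv4Address(item[0])))


def missed_by_strict(ranges):
    """Addresses that should be excluded but fail an exclusive comparison."""
    return [addr for addr, expected in boundary_vectors(ranges)
            if expected and not is_excluded_strict(addr, ranges)]


if __name__ == "__main__":
    parsed = [parse_range(r) for r in SAMPLE_RANGES]
    for address, expected in boundary_vectors(parsed):
        print(f"{address:<15} expected_excluded={expected}")
    print("missed by a strict comparison:", missed_by_strict(parsed))
```

A single-address range is the sharpest test case: with an exclusive comparison it excludes nothing at all.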
SecurityNotifyTask hangs when multiple notifications are sent simultaneously
Fix ID: 2343856
Symptom: The SecurityNotifyTask hangs when multiple notifications are sent simultaneously from a batch file. The SecurityNotifyTask-0.log file no longer shows new entries.
Solution: Input and error streams are now merged and the combined stream is used to determine if the batch file is still running.
Computer status log data cannot be exported to CSV format if a field contains a comma
Fix ID: 2398707/2412310
Symptom: If data in a column of the computer status log contains a comma and the report is exported to CSV, the columns for that row are misaligned when viewed in Excel.
Solution: All data in Computer Status Logs are now exported in double quotes.
Host Integrity Failed report shows client data that is out of the specified date range
Fix ID: 2353594
Symptom: The Host Integrity Failed report shows older client data that is out of range of the report.
Solution: A SQL query was modified to ensure Host Integrity data falls within the specified range.
W3WP service (w3wp.exe) terminates unexpectedly
Fix ID: 2226770
Symptom: The W3WP service (w3wp.exe) terminates unexpectedly due to secars.dll. This issue occurs when a tech extension directory does not exist.
Solution: Secars.dll was modified to prevent this crash.
After logging out of the Symantec Endpoint Protection Manager web console, admin accounts still show online and Java.exe memory usage does not decrease
Fix ID: 2217355
Symptom: After logging out of the Symantec Endpoint Protection Manager web console, administrator accounts continue to show online. Java.exe (JVM/AjaxSwing) memory usage does not decrease as expected.
Solution: The AjaxSwing default configuration (default.properties) was changed to resolve this issue, as follows:
router.clientsPerJVM=1
router.retireJVMAfterClients=1
Symantec Endpoint Protection Manager Monitors "last update time" does not reflect the current system time
Fix ID: 2418608
Symptom: The "last update time" on the Symantec Endpoint Protection Manager Monitors page is ahead by one hour if the time zone has a daylight savings setting but the setting has been disabled.
Solution: Symantec Endpoint Protection Manager now handles the date and time when transferring from local (both regular and DST) time to GMT time. The logic was corrected to check for DST time.
Symantec Endpoint Protection scan report shows incorrect data
Fix ID: 2405910
Symptom: The Symantec Endpoint Protection scan report shows more clients when compared to a raw query (select * from sem5.sem5.scans).
Solution: The SQL query used in the report was corrected to accurately show the client data.
Client fails to communicate with Symantec Endpoint Protection Manager if the client has a large number of network interface cards or loopback adapters
Fix ID: 2218255
Symptom: With a large number of network interface cards or loopback adapters, the client fails to communicate with Symantec Endpoint Protection Manager because the HWID key fails to generate.
Solution: The client was corrected to account for a large number of NICs or loopback adapters.
Symantec Endpoint Protection Manager 'Policy edited' event fails to record individual 'Edit Location' events when multiple locations are edited
Fix ID: 2321593
Symptom: When multiple locations are edited in a Symantec Endpoint Protection Manager policy, the 'Policy edited' log event fails to record the individual 'Edit Location' events.
Solution: An Edit Location event is now logged when enabling/disabling the location or setting the location as default.
Replication fails after migrating to Symantec Endpoint Protection Manager 11.0 RU7
Fix ID: 2556217
Symptom: Replication fails after migrating Symantec Endpoint Protection Manager to 11.0 RU7.
Solution: The Symantec Endpoint Protection Manager migration wizard was modified to use the correct body encoding for URI during a fresh install or database schema upgrade.
Weekly reports in Symantec Endpoint Protection Manager are blank from one site
Fix ID: 2404695
Symptom: Weekly reports in Symantec Endpoint Protection Manager are blank from one site.
Solution: Symantec Endpoint Protection Manager reporting was modified to correctly handle data inconsistency between replicated sites.
C++ runtime error and DCOM encountered on Windows 2008 R2 server
Fix ID: 2347138
Symptom: After installing Symantec Endpoint Protection 11.0 on a Windows 2008 R2 server, the user encounters an error:
Microsoft Visual C++ Runtime Library
R6025 - pure virtual call
In addition, the System event log contains the following DCOM errors:
Source: Microsoft-Windows-DistributedCOM
Event ID: 10010
Level: Error
Description: The server {EE68EAFC-BF28-4017-8A92-D17DACF0B459} did not register with DCOM within the required timeout.
Source: Microsoft-Windows-DistributedCOM
Event ID: 10000
Level: Error
Description: Unable to start a DCOM Server: {EE68EAFC-BF28-4017-8A92-D17DACF0B459}. The error: "5" Happened while starting this command: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe {EE68EAFC-BF28-4017-8A92-D17DACF0B459} -Embedding
Solution: The ProtectionUtilSurrogate.exe process was corrected to wait until the process exits.
.DAT files accumulate in Inbox and are processed slower after moving from SQL 2005 to SQL 2008
Fix ID: 2428767
Symptom: After moving from SQL 2005 to SQL 2008, .DAT files accumulate in the Inbox and are processed more slowly.
Solution: The parameter "-C 65001" is now disabled for SQL Server 2008. This ensures that Symantec Endpoint Protection Manager will use BCP to insert logs.
SMC.exe process terminates unexpectedly
Fix ID: 2231076
Symptom: The SMC.exe process terminates unexpectedly in TfMan.dll when disconnecting from a VPN.
Solution: The Symantec Endpoint Protection firewall rule manager (TfMan.dll) was modified to resolve this crash.
Traffic logs are truncated on disk when opened in the Symantec Endpoint Protection UI
Fix ID: 2349055
Symptom: When a traffic log grows to the maximum size (specified by policy), viewing the traffic log in the Symantec Endpoint Protection UI incorrectly truncates the file on disk.
Solution: Corrected an issue in the Symantec Endpoint Protection log processor to prevent logs from being written while the log is loading into the UI.
Symantec Endpoint Protection Manager help file documentation (Glossary) for the Mac Centralized Exceptions pre-defined variables is incorrect
Fix ID: 2115714
Symptom: Prefix variables for centralized exceptions for Macs do not appear in the glossary.
Solution: The following entry was added to the readme file:
Prefix variables for centralized exceptions for Macs do not appear in the glossary
If you add a centralized exception for a security risk file or folder for Mac, the glossary for the prefix variables incorrectly displays an explanation of the prefix variables for Windows exceptions. The prefix variables for Mac exceptions are None, Home, Application, Library. The prefix variables are the top-level folders. You can specify sub-folders or specific files in the File or folder text box.
Release Update 7 (RU7)
- Certified support for Windows 7 Service Pack 1 and Windows Server 2008 R2 Service Pack 1
- Firewall support for mobile broadband adapters
- Windows 2000 Professional/Server/Advanced Server/Datacenter Server with Service Pack 3 or later
- Windows XP Professional with Service Pack 1 or later
- Windows Server 2003 Standard Edition/Enterprise Edition/Datacenter Edition/Web Edition
- Windows 2000 Professional/Server/Advanced Server/Datacenter Server with Service Pack 3 or later
- Windows XP Professional with Service Pack 1 or later
- Windows Server 2003 Standard Edition/Enterprise Edition/Datacenter Edition/Web Edition
- Install the Microsoft SQL Server 2008 Native Client:
  For X86 OS: http://go.microsoft.com/fwlink/?LinkID=188400&clcid=0x409
  For X64 OS: http://go.microsoft.com/fwlink/?LinkID=188401&clcid=0x409
- Download the Microsoft Drivers for PHP for SQL Server:
  http://www.microsoft.com/downloads/en/details.aspx?FamilyID=80e44913-24b4-4113-8807-caae6cf2ca05
- Unzip SQLSRV20.exe and copy “php_sqlsrv_53_ts_vc6.dll” and “php_sqlsrv_53_nts_vc6.dll” to the directory <Symantec Endpoint Protection Manager installation folder>\Php\ext
- Open <Symantec Endpoint Protection Manager installation folder>\Php\Php.ini and add the following two lines:
  extension=php_sqlsrv_53_ts_vc6.dll
  extension=php_sqlsrv_53_nts_vc6.dll
- Restart the Symantec Endpoint Protection Manager service.
Release Update 6 Maintenance Patch 3 (RU6 MP3)
Release Update 6 Maintenance Patch 2 (RU6 MP2)
What's new in this version
The current release includes the following improvements that make Symantec Endpoint Protection and Symantec Network Access Control easier and more efficient to use. This maintenance patch cannot be installed over any versions of Symantec Endpoint Protection or Symantec Endpoint Protection Manager prior to RU6. It must be installed over RU6, RU6a, or RU6-MP1.
Symantec Protection Center
Symantec Protection Center is a Web-based console that allows you to access and manage multiple Symantec products. The console provides visibility and analytics across products as well as useful security feedback and attack statistics.
The console provides a single sign-on screen for the following registered Symantec products:
- Symantec Endpoint Protection
- Symantec Critical System Protection
- Symantec Web Gateway
- Symantec Brightmail Gateway
- Symantec IT Analytics
- Symantec Data Loss Prevention
Symantec Endpoint Protection Manager Web-based console
You can access Symantec Endpoint Protection Manager remotely in a Web-based console. The Java-based remote console is also still available.
Symantec Endpoint Protection for Macintosh
You can use Symantec Endpoint Protection Manager to manage Mac OS X clients that run Symantec software.
Randomized scheduled scans
You can specify a time interval during which scheduled scans start, and enable the scans to start at different times within that time interval. By running scans at random times, you can increase scan performance, especially in virtualized environments.
Enhanced default Antivirus and Antispyware security policies
For new product installations, changes in the default security policies make Symantec Endpoint Protection more efficient at detecting malware.
Customers who upgrade to Symantec Endpoint Protection version 11 RU6a MP2 do not receive the new default policies. To see the new recommended Antivirus and Antispyware security policy settings, so that you can change the settings in your policies manually, see Security Response recommendations for Symantec Endpoint Protection settings.
The Symantec Endpoint Recovery Tool
The Symantec Endpoint Recovery Tool provides an image that you can burn on a disc, and then use to scan and remove malware from client computers. You use this tool for the computers that are too infected for Symantec Endpoint Protection to clean effectively.
You can download the tool from the following URL: https://fileconnect.symantec.com/.
You need your Symantec Endpoint Protection serial number to download the tool.
Host Integrity policies check for additional security software
You can run a Host Integrity check to see whether the client computers run the following software:
- Norton Antivirus 2010
- Norton Internet Security 2010
- Norton 360 Version 3.0
- Symantec Endpoint Protection Version 11 Release Update 6a, MP2
- McAfee Internet Security 2010
- McAfee VirusScan Plus 2010
- McAfee Total Protection 2010
- McAfee VirusScan Enterprise 8.7i
| Autoprotect | 10.3.4.4 |
| AVComp | 2.0.58.0 |
| Behaviour Blocking | 3.5.3.004 |
| CCEraser | 20072.0.1.6 |
| COH | 6.1.12.15 |
| Common Client | 6.5.3.005 |
| DecABI | 1.2.6.1 |
| Defutils | 4.1.3.3 |
| Deuce Engine | 3.0.2.2007-06-06_01 |
| ECOM | 81.3.0.17 |
| Intelligent Updater | 5.0.1.6 |
| LiveUpdate | 3.3.0.99 |
| LiveUpdateAdmin | 2.2.2.9 |
| MAC Client | 11.0.57xx.203 |
| Microdefs | 2.7.0.13 |
| QServer | 3.6.6200.56 |
| SAV for Linux | 1.0.10.26 |
| SNAC DHCP | 11.0.389 |
| SNAC ODA | 11.0.6200.416 |
| SNAC Scanner | 5.1.5.94 |
| SyKnAppS | 3.0.3.3 |
| SymEvent | 12.8.3.23 |
| SymNetDrv | 7.2.5.9 |
| Teefer2 | 11.0.6170.27 |
| VxMS (MSLight) | 5.2.0.4 |
| WpsHelper | 12.0.0.20 |
The UI option "Block security risks from being installed" was removed
New UI options have been added to File System AutoProtect > Advanced settings
- "Delete newly created infected files if the action is 'leave alone (log only)'" will get a new sub-option:
"Delete newly created security risks if the action is 'leave alone (log only)'".
The default state for "Delete newly created security risks if the action is 'leave alone (log only)'" will be checked.
- If the parent option "Delete newly created infected files if the action is 'leave alone (log only)'" is unchecked, "Delete newly created security risks if the action is 'leave alone (log only)'" will also be unchecked and grayed out.
Release Update 6 Maintenance Patch 1 (RU6 MP1)
| Component | Version |
| --- | --- |
| Symantec Endpoint Protection | 11.0.6100 |
| Symantec Network Access Control | 11.0.6100 |
| Auto-Protect | 10.3.3.4 |
| Avengine | 20101.1.0.89 |
| Behavior Blocking | 3.5.1.4 |
| ccEraser | 2007.0.1.6 |
| COH | 6.1.11.13 |
| Common Client | 106.5.2.003 |
| DecABI | 1.2.5.130 |
| Defutils | 4.1.3.2 |
| ECOM | 61.3.0.17 |
| VxMS (MS Light) | 5.2.0.4 |
| LiveUpdate | 3.3.0.96 |
| LiveUpdateAdmin | 2.2.2.9 |
| Microdefs | 2.7.0.13 |
| QServer | 3.6.43 |
| WpsHelper | 12.1.0.20 |
| SyKnAppS | 3.0.3.3 |
| SymEvent | 12.8.3.23 |
| SymNetDrv | 7.2.5.9 |
| Teefer2 | 11.0.5708.18 |

| Component | Version |
| --- | --- |
| Symantec Endpoint Protection for Macintosh | 11.0.6100 |
| LiveUpdate | 5.1.2.22 |
| Symantec Scheduler | 4.0.3.9 |
| SymProtector | 1.0.5 |
| Symantec QuickMenu | 2.1.1.5 |
| SymSharedFrameworks | 2.3.0.15 |
| Symantec Uninstaller | 2.0.23 |
Release Update 6a (RU6a)
What's new in this version
Symantec Endpoint Protection RU6a provides a fix for two specific problems that existed in RU6. RU6a is a full build of Symantec Endpoint Protection.
Deploying or migrating clients when using multi-byte character group names in the Symantec Endpoint Protection Management console
Fix ID: 2020545
Symptom: If you create groups with names that use a double-byte character set, you cannot add new RU6 clients to those groups through any form of installation. New clients are automatically placed into the Default group.
Solution: With RU6, clients were incorrectly parsing DBCS characters resulting in a corrupt group name. When registering with the Symantec Endpoint Protection Manager using a corrupt group name, clients are placed into the Default group. With this fix, client-side changes were made to parse DBCS group names correctly.
Periodic CPU spike when using Symantec Endpoint Protection Manager Java console
Fix ID: 2022713
Symptom: With RU6, a periodic CPU spike occurs when a user selected the Policies, Clients, or Admin page in the Symantec Endpoint Protection Manager Java-based console.
Solution: This issue was caused by a periodic refresh of the Home page to prevent a time-out of the PHP session. The refresh task now refreshes the Reports page, which consumes fewer resources. In addition, you can now configure the refresh time by setting the scm.keepalivescheduleminute value in the conf.properties file.
| Component | Version |
| --- | --- |
| Symantec Endpoint Protection | 11.0.6005.562 |
Release Update 6 (RU6)
What's new in this version
The current release includes the following improvements that make Symantec Endpoint Protection and Symantec Network Access Control easier and more efficient to use.
Symantec Endpoint Protection includes client software to run on a Macintosh computer. The client runs on the following versions of Mac OS X:
- Mac OS 10.4
- Mac OS 10.5
- Mac OS 10.6 (32-bit and 64-bit versions)
The following new features are available in RU6:
- Symantec Protection Center
  Symantec Protection Center is a Web-based console that enables you to access and manage multiple supported Symantec products. The console also provides visibility and analytics across products as well as providing useful security feedback and attack statistics.
  The console provides a single sign-on screen for the following registered Symantec products:
  - Symantec Endpoint Protection
  - Symantec Critical System Protection
  - Symantec Web Gateway
  - Symantec Brightmail Gateway
  - Symantec IT Analytics
  - Symantec Data Loss Prevention
- The Symantec Endpoint Recovery Tool
  The Symantec Endpoint Recovery Tool is an image that you can burn on a disc, which you can use to scan and remove malware from client computers. You use this tool for the computers that are too infected for Symantec Endpoint Protection to clean effectively.
  You can download the tool from the following URL: https://fileconnect.symantec.com/
- Scheduled scans have the option to be run at random times
  You can configure scheduled scans to run at randomized times, so that virtualized environments do not all run scan sessions at the same time.
Components included in this version
| Component | Version |
| --- | --- |
| Symantec Endpoint Protection | 11.0.6000 |
| Symantec Network Access Control | 11.0.6000 |
| Auto-Protect | 10.3.3.4 |
| Avengine | 20081.3.1 |
| Behavior Blocking | 3.5.1.4 |
| ccEraser | 2007.0.1.6 |
| COH | 6.1.10.13 |
| Common Client | 106.5.1.006 |
| DecABI | 1.2.5.130 |
| Defutils | 4.1.2.3 |
| ECOM | 81.3.0.13 |
| VxMS (MS Light) | 5.2.0.4 |
| LiveUpdate | 3.3.0.96 |
| LiveUpdateAdmin | 2.2.2.9 |
| Microdefs | 2.7.0.13 |
| QServer | 3.6.43 |
| WpsHelper | 12.1.0.20 |
| SyKnAppS | 3.0.3.3 |
| SymEvent | 12.8.0.11 |
| SymNetDrv | 7.2.5.9 |
| Teefer2 | 11.0.5708.18 |
Macintosh components
| Component | Version |
|---|---|
| Symantec Endpoint Protection for Macintosh | 11.0.6000 |
| LiveUpdate | 5.1.2.22 |
| Symantec Scheduler | 4.0.3.9 |
| SymProtector | 1.0.5 |
| Symantec QuickMenu | 2.1.1.5 |
| SymSharedFrameworks | 2.3.0.15 |
| Symantec Uninstaller | 2.0.23 |
Behavior and user interface changes
Endpoint Protection scan changes permissions on files located on an NFS share
Fix ID: 1711377
Symptom: When a manual or scheduled scan is run from the Symantec Endpoint Protection client on the mapped NFS share, the permissions of compressed files may change to read-only.
Solution: The scan will only alter file permissions on files during compressed file scanning if a "repair" or "delete" is required on a compressed file.
File cannot be scanned if user has limited permissions
Fix ID: 1715669
Symptom: A file with special or limited permissions (no read, write or users) cannot be scanned
Solution: Updated scanning techniques to allow scanning of these files
Increase in the Quarantine Maximum allowable size
Fix ID: 1744576
Symptom: The maximum quarantine size Central Quarantine allows is limited to a range of 1 MB to 4095 MB.
Solution: Changed the UI to allow from 1 MB to 102400 MB (100 GB).
Incorrect terminology on the "Client Count by Group" report
Fix ID: 1765903
Symptom: Following an upgrade from Symantec Endpoint Protection MR2 or an older build, on the "Computer Status"->"Client Count by Group" report, "Global" is displayed instead of "My Company"
Solution: Reporting change to display the correct terminology.
Computer Status log and log details do not use consistent naming
Fix ID: 1785158
Symptom: When viewing Computer Status logs, the summary view references "Last Check-in", but the log details and exported logs use "Last Update Time".
Solution: Change "Last Update Time" to "Last Check-in"
Unable to change the Intrusion Prevention Notifications configuration dialog box from the default of 5 seconds
Fix ID: 1810853
Symptom: The value of "Number of seconds to display notifications" can be saved successfully only when the check box "Amount of time before re-enabling Network Threat Protection" is selected.
Solution: Save the value even if the check box "Amount of time before re-enabling Network Threat Protection" is not selected.
Inconsistency between reporting data showing in the console, and the data contained in an exported file
Fix ID: 1820711
Symptom: On the "Scan log for Current Month" report, the times are different to those contained in the exported data log
Solution: Changes to the export function to not reset the timestamp during export.
"Current IPS definition" version/date remains in Symantec Endpoint Protection Manager's client information even after IPS is uninstalled.
Fix ID: 1800463
Symptom: After uninstalling Network Threat Protection from the Symantec Endpoint Protection client, the IPS definitions remain on the client information tab and Symantec Endpoint Protection Manager home page.
Solution: Added a check of the sem_agent.firewall_onoff flag when displaying the version of the IPS definitions.
Symantec Endpoint Protection Manager user-interface does not state administrative privileges are required to add central exceptions
Fix ID: 1835881
Symptom: Non-admin users cannot add exceptions on the client.
Solution: Symantec Endpoint Protection Manager user-interface changed to state administrative privileges are required to add central exceptions.
Client count discrepancy between "More Details" page and "Virus Definition Distribution" page
Fix ID: 1862285
Symptom: The virus definition distribution page only shows clients that have been online in the last 12 or 24 hours, while the "more details" page shows all clients.
Solution: Added the "Last check-in time" column under "Antivirus Definition Failures" and "IPS Failures" sections of the "more details" report. All the data will be sorted first by definition or IPS signature, then by last check-in time. Changed the report names to "Antivirus Definition Update Failures" and "Intrusion Prevention Signatures Update Failures".
Limited admin cannot access the advanced configuration of a read only AV/AS policy
Fix ID: 1879953
Symptom: Limited admin cannot access the advanced configuration of a read only AV/AS policy
Solution: Changes to the policy editor UI, to make all information read-only for a limited admin user
Rename "UDP Destination Port" to "Destination Port" in the Symantec Endpoint Protection Manager UI
Fix ID: 1895035
Symptom: Symantec Endpoint Protection Manager can use UDP or TCP for the destination port, but the description implies only UDP is available.
Solution: Change the description from "UDP Destination Port" to "Destination Port".
Auto Location Switching does not recognize 144 Mb/sec 802.11n connections
Fix ID: 1927272
Symptom: Auto Location Switching does not switch a client to a 144 Mbps wireless connection
Solution: Added support for a 144Mbps wireless connection.
Reports filtered by 'Group' return 0 results
Fix ID: 1934242
Symptom: Reports filtered by 'Group', where a group name contains an apostrophe (e.g. PC's), return 0 results
Solution: Upgraded to PHP 5.3.1
Reporting inconsistency in Symantec Endpoint Protection Manager on the 'Still Infected' count
Fix ID: 1947676
Symptom: The 'Still Infected' count is inconsistent between the Detection Action Summary report and the Security Status report
Solution: Modification to the PHP queries to correct the Detection Action Summary report value
Client and Manager fixes
Fix ID: 1232686
Symptom: Clients download the install package (full or delta) repeatedly, possibly creating network congestion.
Solution: Estimate the amount of space needed by the installer to complete the install successfully, based on the previous install package size and the new package size.
After upgrading to IE7, Quarantine Server can no longer get definition updates or submit samples
Fix ID: 1526557
Symptom: After upgrading to IE7, Quarantine Server can no longer get definition updates or submit samples
Solution: Definition servers used by QServer do not support the new SSL protocol enabled by IE7. Switched from Wininet to WinHTTP protocol.
Broadcom TPM chip is not recognized in Symantec Endpoint Protection Manager
Fix ID: 1536046
Symptom: Broadcom TPM chip is not recognized.
Solution: Added support for the Broadcom TPM chip
While installing a Symantec Endpoint Protection client locally, the install fails and rolls back with an error
Fix ID: 1545935
Symptom: Installation of Symantec Endpoint Protection fails and the SEP_INST.log contains a reference to "LiveUpdate registration failed"
Solution: Changes to the LiveUpdate installer to work around a COM failure caused by InstallShield in Microsoft Windows classes.
RTVScan unloads the user hive while Windows is logging in the user
Fix ID: 1672322
Symptom: The Windows default profile is loaded showing a clean user desktop instead of the expected user's desktop.
Solution: Delay loading of user scans, which cause the hive to be loaded, during startup of RTVScan. This prevents the issue from happening during bootup.
Adding ADC policy results in Symantec Endpoint Protection pop up despite administrator settings
Fix ID: 1678176
Symptom: ADC policy results in Symantec Endpoint Protection pop up despite "Notify users when devices are blocked" option being disabled
Solution: Fixed the client pop-up notification rule to follow the applied policy.
Symantec Endpoint Protection User mode does not apply the same policy to multiple machines with the same logged in user
Fix ID: 1678248
Symptom: When logged in to several systems as the same domain account, all domain accounts do not apply the same policy in the Symantec Endpoint Protection User-Mode.
Solution: Updated logic to keep all references of a domain user logon together whenever the account is copied or moved to different groups.
HP Configuration Manager performance decrease with the Symantec Endpoint Protection firewall installed.
Fix ID: 1703292
Symptom: HP Configuration Manager takes longer to push updates when the Symantec Endpoint Protection firewall is installed.
Solution: Change in Teefer2 driver to support an additional packet status when forwarding packets.
"Server Busy" message appears when scan is run
Fix ID: 1706963
Symptom: When selecting a scan from the Symantec Endpoint Protection GUI (either "Run Active Scan" or "Run Full Scan"), an error message is displayed "Server Busy" with options to "Switch to process" or "Retry".
Solution: Check for a plugin installation, before trying to load the plugin
Symantec Endpoint Protection Manager Scheduled Reports do not consistently run as scheduled
Fix ID: 1711164
Symptom: Symantec Endpoint Protection Manager Scheduled Reports are set to run hourly, however the reports run sporadically.
Solution: Updated to PHP 5.3.1 to resolve this issue.
Windows Firewall on Windows Server 2003 is not disabled after installation of Symantec Endpoint Protection client with Network Threat Protection enabled
Fix ID: 1734372
Symptom: Windows Firewall on Windows Server 2003 is not disabled after installation of Symantec Endpoint Protection client with Network Threat Protection
Solution: Changes to the installer to disable Windows Firewall when NTP is installed
Virtual Apps running under MS App-V 4.5 will not run when Application and Device Control is enabled
Fix ID: 1734543
Symptom: Virtual Apps running under MS App-V 4.5 will not run when Application and Device Control is enabled and set to "Block programs from running on removable devices".
Solution: MS App-V loader was modifying the same PE header field as a Symantec driver, causing a synchronization issue. The corresponding field is no longer modified if App-V loader is detected.
Clients cannot use GUPs when assigned to a group with an ampersand in the name
Fix ID: 1741306
Symptom: When a location name contains an ampersand, clients do not get updates from the designated GUP, and the GUP doesn't create the SharedUpdates folder. Clients will also show an EventID12 error.
Solution: Correctly process text strings by escaping ampersands.
Random system crashes implicating sysplant.sys
Fix ID: 1743080
Symptom: A system crash occurs when sysplant is attempting to access another application that is only partially loaded into memory
Solution: Improved error handling for this situation.
RTVScan.exe terminates unexpectedly
Fix ID: 1745747
Symptom: Occasional RTVScan.exe crashes on Windows 2008 Exchange servers
Solution: Updated a number of function calls to avoid crash
Symantec Endpoint Protection Shield Systray icon intermittently changes from green to red
Fix ID: 1745765
Symptom: Symantec Endpoint Protection Shield Systray icon dot intermittently changes from green to red, and the product UI displays message saying "PTP definitions are out of date."
Solution: Included checks to make sure the Symantec Endpoint Protection client is prepared to accept messages before sending from the server.
Internet Email Auto-Protect has been configured to scan selected file types, however, all file types are scanned
Fix ID: 1746947
Symptom: Internet Email Auto-Protect has been configured to scan selected file types, however, all file types are scanned
Solution: Changes made to the Internet Email plugin, to allow longer strings to be processed
Scheduled "Comprehensive Risk" report no longer runs after upgrading
Fix ID: 1747133
Symptom: A scheduled Comprehensive Risk Report with a specified time range will fail to create a report. An IOException "Not in GZIP Format" can be seen in the server logs.
Solution: Resolved by using the usertimezone session variable.
Scheduled Daily LiveUpdate runs at the wrong time
Fix ID: 1766600
Symptom: When the Symantec Endpoint Protection client is configured with a daily scheduled LiveUpdate, the client runs LiveUpdate 24 hours after the previous scheduled LiveUpdate.
Solution: Corrected the logic behind LU schedules
Symantec Network Access Control agent is not communicating to the DHCP Enforcer
Fix ID: 1766913
Symptom: When data inconsistency exists between a Symantec Endpoint Protection Manager with a DHCP enforcer connected to it, and the Symantec Endpoint Protection Manager from which a Symantec Network Access Control client is getting profiles, the Symantec Network Access Control agent cannot connect to the DHCP enforcer.
Solution: The DHCP enforcer now verifies the UID from the Symantec Endpoint Protection Manager to which clients are connecting.
Clients downloading full LU content unexpectedly
Fix ID: 1782039
Symptom: Random clients continually download full LU content. Some clients may not be updated regularly. High network bandwidth usage.
Solution: Changes to allow clients to download the current full content even when newer content is available. This allows clients to retrieve deltas sooner, which will reduce network bandwidth usage.
The device tree cannot be shown when running DevViewer.exe on Windows 2000 Japanese Operating Systems
Fix ID: 1784061
Symptom: Device IDS information cannot be displayed when using DevViewer.exe on Windows 2000 with Japanese locale
Solution: Changes to DevViewer to be compatible with Japanese operating systems
On export of Computer Status logs the data is incorrectly formatted
Fix ID: 1786455
Symptom: When exporting Computer Status logs, if the "Computer Description" contains a comma, data will shift to the right when viewing in Excel.
Solution: Place strings that include commas between quotation marks
With an Application and Device Control policy enabled, a pop up message appears despite "Notify users when devices are blocked" option being disabled
Fix ID: 1790228
Symptom: When a device is removed from an existing application and device control policy, a pop-up message appears on the Symantec Endpoint Protection client despite "Notify users when devices are blocked" option being disabled. The message states that the device that was previously blocked has now been enabled.
Solution: Ticking the "Notify users when devices are blocked" box ensures that no popup messages will appear.
A deadlock occurs during replication
Fix ID: 1800313
Symptom: A deadlock occurs during Symantec Endpoint Protection Manager replication.
Solution: Deadlock priorities were changed so that the replication process should complete.
Password checks for RSA authentication are passed on to Symantec Endpoint Protection Manager administrators but not from Active Directory.
Fix ID: 1800533
Symptom: An Active Directory based administrator shows as expired in Symantec Endpoint Protection Manager even though the password has not expired in Active Directory.
Solution: A Symantec Endpoint Protection Manager administrator will no longer show up as expired unless it has expired in Active Directory when using Active Directory synchronization for user accounts.
Virus definitions are installed on a client when AntiVirus is not selected as a feature at install time
Fix ID: 1800767
Symptom: After installing the Symantec Endpoint Protection client without AntiVirus selected, the install still installs AV definitions on the system.
Solution: Modified the installer to only install AV definitions when AntiVirus has been installed
AutoLocation occasionally switches to another location momentarily
Fix ID: 1805871
Symptom: At startup, clients sometimes switch from one location to another even though "Remember Last Location" is checked.
Solution: Changes to the AutoLocation logic during startup. When the system starts, if "Remember Last Location" is checked, the correct last location will be used.
Symantec Endpoint Protection NTP behavior is inconsistent with policies in multi-site environments
Fix ID: 1806005
Symptom: If NTP policies differ between two sites, and a user disables NTP then switches to a location requiring NTP, NTP is not enabled correctly.
Solution: Remove use of a global variable in the update status thread, to prevent different threads from interfering with each other.
Text "GUI% GUICONFIG#SRULE@ADVRULECONFIG#Normal" shows in the traffic log rather than the actual rule name
Fix ID: 1822294
Symptom: The text "GUI% GUICONFIG#SRULE@ADVRULECONFIG#Normal" is shown from the client side rules (Mixed or Client Control mode) when viewing the traffic log, making it difficult to determine which rule or action is actually referenced.
Solution: Updated the description for this rule, and code changes to ensure the description is returned.
Symantec Endpoint Protection client Operating System Language is not displayed correctly in Symantec Endpoint Protection Manager
Fix ID: 1823096
Symptom: Spanish and Vietnamese languages are not shown correctly in the computer status logs.
Solution: Spanish and Vietnamese were added to the resource bundle.
Symantec Endpoint Protection does not warn users on system shutdown about external USB floppy drive plugged into the system
Fix ID: 1824851
Symptom: Symantec Endpoint Protection is not detecting external floppy drives correctly.
Solution: Symantec Endpoint Protection was updated to properly detect USB floppy drives.
Tracking cookies are detected but filenames are not displayed
Fix ID: 1826582
Symptom: Whenever a Cookie is detected its File-name and Location are displayed as Unavailable.
Solution: When the information of the Anomaly is extracted, a check for its Remediation-type is done. The Check for Cookies was missing and has been added.
Definition arrival event from QServer is logged as an error upon arrival of new definitions
Fix ID: 1826837
Symptom: Events are being logged as "Error" whereas they should be logged as "Information".
Solution: Fixed logging to show an informational message instead of an error when new definitions arrive.
Semsvc.exe using approx 1GB of memory and slow Symantec Endpoint Protection Manager performance
Fix ID: 1827949
Symptom: Memory usage increases quickly over a short period of time. Symantec Endpoint Protection Manager will use approximately 1GB of memory.
Solution: The logic to handle multiple notifications from multiple administrators was changed.
Database Back Up and Restore tool does not perform a full database backup
Fix ID: 1827968
Symptom: Database Back Up and Restore tool only backs up logs.
Solution: A new popup dialogue was added asking the administrator if they are sure they would like to backup the database. The dialog also includes a checkbox to backup the logs. By default the configured settings for the schedule backup task will be used.
Cannot mount network drives when logging onto Active Directory through an Aventail VPN client.
Fix ID: 1828057
Symptom: Active Directory user profile logon script fails to run at boot up, when using Aventail VPN client and Network Threat Protection is installed.
Solution: The product logic in Network Threat Protection was changed to correctly handle this situation.
Stop 7F (8) Kernel Stack Overflow Blue screen after installing Symantec Endpoint Protection
Fix ID: 1829876
Symptom: A stack overflow crash occurs after installing the MR4 MP2 version of the Symantec Endpoint Protection Client
Solution: Updates made to the Auto-protect component to prevent the crash
Microsoft Sysinternal utility Dbgview displays Symantec Endpoint Protection debug messages
Fix ID: 1832257
Symptom: Microsoft Sysinternal utility Dbgview displays Symantec Endpoint Protection debug messages: "SmcGui.exe m_nMSBtnAllowedAttempt is -1" and "SescLU.exe SescLu - CContentUpdateManager::Initializemultiple tries to Initialize"
Solution: These messages will no longer be displayed in Dbgview; other Symantec Endpoint Protection product messages are still displayed.
There are missing and redundant events in log handling of AntiVirus and AntiSpam policies after migrating from Symantec Antivirus 10.1.x.
Fix ID: 1832957
Symptom: In Symantec Endpoint Protection Manager->Policies>AV&AS policy>Miscellaneous>Log Handling section, the policies which migrated from SAVCE 10.1x have missing and redundant events.
Solution: Modified the missing Event Ids with a default value so they will be displayed as disabled in the UI.
Virtualized application fails to load when Symantec Endpoint Protection Application and Device Control (ADC) is enabled
Fix ID: 1833530
Symptom: Virtualized app fails to load when Symantec Endpoint Protection ADC is enabled. MS App-V loader was modifying the same PE header field as the Sysplant driver. This caused a synchronization issue.
Solution: The PE header field will no longer be modified when MS App-V is running on the same machine.
Tracking cookies detected along with PTP threats do not appear in Symantec Endpoint Protection Manager logs
Fix ID: 1837333
Symptom: Tracking cookies detected along with PTP threats appear on client logs but do not appear in Symantec Endpoint Protection Manager logs.
Solution: Added support to display tracking cookies in the Symantec Endpoint Protection Manager logs.
Symantec Endpoint Protection Manager UID error after replication cleaning duplicate clients by HASH(UID)
Fix ID: 1840183
Symptom: After replication DHCP enforcer failed to verify client UID from Symantec Endpoint Protection Manager
Solution: After deleting duplicate clients by HASH(UID), update the reserved clients with a new USN and Time Stamp.
NetBeui traffic still blocked after adding NetBeui traffic allow rule.
Fix ID: 1840562
Symptom: With NTP enabled, NetBeui traffic (and protocols using 802.3 RAW or 802.3 LLC packet format) is blocked with NetBeui protocol allow rule.
Solution: Improved parsing logic for protocols using 802.3 packet formats.
Possible RTVScan handle leaks
Fix ID: 1840917
Symptom: In some edge-cases, RTVScan can leave handles open.
Solution: Additional function calls added to ensure handles are cleaned up.
Many ports on Symantec Endpoint Protection Manager are in CLOSE_WAIT on 9090
Fix ID: 1843026
Symptom: On the Symantec Endpoint Protection Manager, there can be a build-up of 9090 ports in a CLOSE_WAIT state.
Solution: Ports are closed when they are no longer in use.
System state backup fails due to a Symantec Endpoint Protection registry key referencing a non-existing file
Fix ID: 1845046
Symptom: After autoupgrade has been run once on a Symantec Endpoint Protection client machine, a registry key is leftover referencing a non-existing file.
Solution: The leftover registry key is removed.
Logreader parse error on MR4MP2 server with MR5 client
Fix ID: 1848680
Symptom: Install MR4MP2 server and an MR5 client. After the client sends opstate data to Symantec Endpoint Protection Manager, an exception can be seen from the logs; "Invalid log record: Too few fields."
Solution: GUP state handling logic is available in MR4-MP2, and this can cause an exception in processing agent logs for GUP Opstate. This is resolved in RU6 by ignoring certain unknown log values.
Blue screen error with Teefer2 driver on MR5
Fix ID: 1850556
Symptom: Blue screen error caused by the Teefer2 driver
Solution: Code changes to lock NDIS miniport block and copy information into local variable, preventing the crash.
Windows Malware Removal Tool can hang when it detects an infection when Symantec Endpoint Protection is running on the system
Fix ID: 1853399
Symptom: When running the Windows Malware Removal Tool to remove malware the tool might stop responding or the system might hang
Solution: A fix was made in AutoProtect that prevents it from causing a hang when it detects the malware being opened by the Windows Malware Removal Tool.
Files left behind in the temp folder for client management replication
Fix ID: 1854287
Symptom: After client management replication, files remain in the replication temporary folder.
Solution: Files are properly cleaned after client management replication.
Terminal Emulation program fails to run on Windows 7 when the Sysplant driver is running
Fix ID: 1854312
Symptom: Sysplant driver crash
Solution: Sysplant driver was changing the memory address of the import table, and in some cases, moving it to read-only memory space. Code changes to ensure the table is moved to writable memory space
Symantec Endpoint Protection Client migration error when an uninstall password has been set
Fix ID: 1854479
Symptom: A Symantec Endpoint Protection client migration will fail when an uninstall password has been set. The uninstall does not complete correctly, leaving two instances of the product installed.
Solution: All stale product installs are properly removed from the system when migrating to RU6.
GUP can no longer be set to an FQDN in the LiveUpdate policy
Fix ID: 1854618
Symptom: GUP can no longer be set to an FQDN in the LiveUpdate policy.
Solution: Corrected to allow FQDN to be used in the GUP server settings.
NULL UID Errors appear in the Secars log
Fix ID: 1856572
Symptom: NULL UID Errors appear in the Secars log, or UID is not valid on the first try.
Solution: UID remains persistent across Symantec Endpoint Protection client restarts and machine reboots.
Application and Device Control does not process file path with "\\?\" prefix
Fix ID: 1857525
Symptom: Application and Device Control rule does not work or takes an incorrect action.
Solution: Added a condition check when processing file paths to ensure the path is interpreted correctly.
Certain applications crash with Symantec Endpoint Protection 11 RU5 Application and Device Control enabled
Fix ID: 1858321
Symptom: After installing Symantec Endpoint Protection 11.0 RU5 and deploying an Application and Device Control policy, applications with an image base of (0x10000000) will fail to launch.
Solution: Fixed Symantec Endpoint Protection ntdll hook to happen after Sysfer relocates, preventing the crash.
Clients copied from an Active Directory Organizational Unit import to regular Symantec Endpoint Protection Manager groups receive incorrect policies
Fix ID: 1858465
Symptom: Clients copied from AD OUs have a profile from the OU group instead of the copied non-OU group.
Solution: When copied clients are updated, the profile will not be overwritten in the Secars cache.
System hangs after new virus definitions arrive and the AutoProtect Option "Rescan the Cache when new definitions load" is enabled
Fix ID: 1859398
Symptom: System hangs after new virus definitions arrive and the AutoProtect Option "Rescan the Cache when new definitions load" is enabled
Solution: AutoProtect Rescan synchronization has been fixed
After upgrading to Symantec Endpoint Protection 11.0 RU5, web traffic is blocked
Fix ID: 1863574
Symptom: Web traffic is blocked after migrating from some earlier versions of Symantec Endpoint Protection to Symantec Endpoint Protection 11.0 RU5. When the firewall is installed, and a migration to RU5 is performed, the 'Allow all' firewall rule is disabled.
Solution: In RU6, the 'Allow all' firewall rule is preserved during a migration, preventing this from happening.
"PTP definitions are out of date" error if Client for Microsoft Windows is not installed or the computer is not connected to any network
Fix ID: 1864090
Symptom: If PTP is enabled, and Client for Microsoft Windows is not installed, or the computer is not connected to any network, an error message is displayed. Symantec Endpoint Protection will display an error message "PTP definitions are out of date" every time it tries to scan, and a TruScan engine load error will be logged.
Solution: This was occurring because the list of logged on users was empty. Added checks to ensure the list of users is not empty before processing.
False positive detection when using NTP Anti-MAC spoofing feature
Fix ID: 1864844
Symptom: With NTP Anti-MAC spoofing enabled on newer versions of Windows, a false-positive detection periodically blocks the gateway. This interrupts Internet/WAN connectivity for clients.
Solution: Correctly translate 64-bit time format which was causing the issue
Application and Device Control disables the PCMCIA controller
Fix ID: 1866316
Symptom: Application and Device Control incorrectly blocks the PCMCIA controller.
Solution: Changes made to correct behavior and to not block the controller.
Occasional blue screen error on Vista and Windows 7
Fix ID: 1868542
Symptom: Computer experiences a blue screen error because wininit.exe terminated abnormally on Vista or Windows 7.
Solution: Changes made to prevent the blue screen from occurring, and to minimize the number of hooks into system threads.
Symantec Endpoint Protection client install failure when Regional settings are set to Hindi
Fix ID: 1869837
Symptom: Symantec Endpoint Protection MR4MP2 and RU5 clients fail to install when Regional settings are set to Hindi
Solution: When the user locale is set to the 'unicode-only' locale, user preferences were not being loaded. In this case, the product now reverts to the default locale.
Scanning a Read-Only file changed the file's Update Sequence Number (USN) in Windows Change Journal
Fix ID: 1870333
Symptom: Backup software which relies on USN might believe the Read-Only file had been modified by the scan, and an unnecessary backup of the unchanged file could be initiated
Solution: The fix prevents USN updates by modifying the Read-Only attribute code to only run when threats are detected in a container and modifications to repair or delete are requested
Product.Inventory.LiveUpdate file is not updated to reflect a location aware LU policy
Fix ID: 1874812
Symptom: When configured to download from the Symantec public LiveUpdate servers, location aware LiveUpdate policies download content from Symantec Endpoint Protection Manager instead.
Solution: When location switches or the profile is updated, the product.inventory.liveupdate file is also updated.
Disabling PTP from the tray icon will disable both PTP and OSP, but enabling PTP again will only enable PTP
Fix ID: 1879074
Symptom: Disabling PTP from the Systray icon will disable both PTP and OSP, but enabling PTP from the Systray icon only enables PTP.
Solution: Modified code to enable OSP when PTP is enabled from the Systray.
Discrepancies between report data and exported file data
Fix ID: 1879236
Symptom: When running the Symantec Endpoint Protection Manager Monitors > Scan > Logs > (Scan) or (Computer Status) reports, there are discrepancies between the UI figures, and those figures showing in an exported file. This happens when using the time range "Past month" or "Current month".
Solution: Corrected SQL statements. The report is based on the same query as the export data function.
Network disconnect is experienced during migration
Fix ID: 1880118
Symptom: Network connection drops momentarily during some upgrades to RU5.
Solution: Delay the reinstallation of Teefer2 driver until after a reboot has occurred.
Mount Manager synchronization issue
Fix ID: 1880152
Symptom: Long time delay when mounting Ibrix file systems.
Solution: Code changes to check Mount Manager remote database semaphore status before calling Mount Manager.
Failed to mount quorum drive if SMC is running
Fix ID: 1880952
Symptom: Cluster Service doesn't work when Symantec Endpoint Protection client is running.
Solution: Code modifications to cleanup a handle leak when closing volumes.
Installation process appears to hang during LiveUpdate session
Fix ID: 1884202
Symptom: A client LiveUpdate session takes a long time to complete. The problem is more prevalent on Vista
Solution: Code changes to optimize a search by LiveUpdate for its configuration file
Script errors in the Symantec Endpoint Protection Manager remote console reports
Fix ID: 1886239
Symptom: Script errors sometimes appear when choosing start/end date of reports via the Symantec Endpoint Protection Manager remote console
Solution: Altered function naming to avoid naming conflicts that were causing the errors.
Long delay in opening large remote PowerPoint files when AutoProtect option Network Cache is enabled
Fix ID: 1886240
Symptom: Opening large files on a remote drive takes a long time.
Solution: Fixed the AutoProtect network file cache.
Incorrect LiveUpdate URL parsing
Fix ID: 1887520
Symptom: Symantec Endpoint Protection client writes an incorrect LU settings file when the LiveUpdate policy contains an HTTPS internal LU
Solution: Correctly set the protocol flag when using HTTPS URLs.
Outlook problems with attachments containing non-ASCII letters in the filename
Fix ID: 1892029
Symptom: In some specific cases, when being saved from an email in Outlook, file attachments with special characters in the filename were saved with a size of zero bytes.
Solution: Added additional handling for files with special characters in their filename.
Symantec Endpoint Protection Manager configuration wizard fails to install the database
Fix ID: 1892075
Symptom: When installing Symantec Endpoint Protection Manager on Windows operating systems supporting IPv6, in some situations the installation can hang while initializing the database.
Solution: Reduce the number of getLocalHost() calls during the installation by saving the local IP value after the first call. This prevents a scenario where the database connection can time out while getLocalHost() is called.
System Lockdown policy is not enforced unless applied twice
Fix ID: 1893435
Symptom: When System Lockdown is enabled on Symantec Endpoint Protection clients where there is no active Application Device Control policy, System Lockdown will not be enforced.
Solution: The policy will now be processed regardless of the status of Application Device Control.
GUP content update fails when the data folder is customized
Fix ID: 1893500
Symptom: The Sylink log shows "HTTP 500 internal error" when making requests with action code 310.
Solution: Instead of using the installation path, use the data folder path to publish GUP files to the correct folder.
SQL Error 1204 (cannot obtain a LOCK resource) and deadlocks observed
Fix ID: 1893574
Symptom: SQL Error 1204 and deadlocks on different transactions caused by an accumulation of LiveUpdate content in the database.
Solution: Database sweep task to clear LU content has been modified to commit changes in a smaller transaction to reduce resource consumption.
Some Symantec Endpoint Protection clients are showing multiple policies in Symantec Endpoint Protection Manager
Fix ID: 1895247
Symptom: Some Symantec Endpoint Protection clients are showing multiple policies in Symantec Endpoint Protection Manager.
Solution: Modifications made to purge out old client policies from Symantec Endpoint Protection Manager.
Replication failure notification contains additional information
Fix ID: 1896975
Symptom: When replication failure notification is enabled, events unrelated to replication are included in the notification.
Solution: Modified the notification code to include only replication-related information in notifications.
GUPs are deleted during the AgentSweepTask
Fix ID: 1897850
Symptom: After configuring a system as a GUP, the client entry will be removed after the Agent Sweep Task interval (default = 30 days).
Solution: Have the client report a full OpState in a defined interval (default = 24 hours).
Location switching not working on Windows 7 and Vista, when criteria is based on Wireless SSID
Fix ID: 1900965
Symptom: Symantec Endpoint Protection clients installed on Windows 7 and Vista operating systems will not switch locations when their criteria is based on Wireless SSID. Once the client connects to the SSID it will not switch to the appropriate location.
Solution: Modifications to the function calls used to obtain Wireless SSIDs.
Login stalls when running Symantec Endpoint Protection
Fix ID: 1902263
Symptom: Login may take several minutes and may never complete.
Solution: Fixed a synchronization issue in Tamper Protection.
Simultaneous LU runs are disallowed
Fix ID: 1903409
Symptom: Only one WLU client instance can download files from a server via UNC at one time.
Solution: Set the read handle as "shareable" on the server, allowing each WLU client to connect and pull files from the server.
Replication failure during data aggregation
Fix ID: 1903766
Symptom: Replication failure with message "Value of Column 'CLIENT_ID' not found" during data aggregation.
Solution: Corrected the handling of "\r\n" in the client description field.
Adding a new Symantec Endpoint Protection Manager site does not update sylink.xml for clients
Fix ID: 1907898
Symptom: When adding a new Symantec Endpoint Protection Manager to an existing site, the default Management Server List (MSL) is updated but these changes are not propagated down to clients.
Solution: Code changes to save the site ID in the "My ID" list.
Database replication sites have inconsistent data
Fix ID: 1912561
Symptom: Despite reporting successful replication, database sites show different data for client status, etc.
Solution: Added cache cleanup code prior to starting a replication job. This will ensure replication occurs with complete and accurate data.
Clients continue to request the same data from their manager
Fix ID: 1912811
Symptom: In some situations, Symantec Endpoint Protection clients randomly re-request the same content downloads repeatedly. This can cause network congestion.
Solution: Path information in the xdelta packages was interfering with client processing in some cases, leading to multiple download requests from the server. Code changes made to correctly process path information in xdelta packages.
Custom message gets truncated in Application and Device Control notification when a user enters max characters in user notification
Fix ID: 1913040
Symptom: Balloon tips on Windows have a maximum of 255 characters, and truncation occurs as necessary.
Solution: Added information on this limitation to the help documentation.
Servers show as "Offline" when replication takes more than 20 minutes
Fix ID: 1917123
Symptom: The server of a replication partner shows offline when the server's last check point time is more than 20 minutes.
Solution: Code changes to prevent this edge-case scenario from occurring. Servers will not show as 'Offline' during a long replication task.
Symantec Endpoint Protection clients unable to connect to the network
Fix ID: 1935654
Symptom: Clients lose connectivity to the network; stopping and starting the SMC service restores connectivity.
Solution: Generation of corrupt policy files was causing this issue. Code changes in Symantec Endpoint Protection Manager to restrict the number of processes writing to policy files simultaneously. This prevents the policy corruption from occurring.
Symantec Endpoint Protection Manager console doesn't show latest IPS signatures in exception list.
Fix ID: 1943923
Symptom: If Symantec Endpoint Protection Manager has 2010 IPS content along with 2009 IPS content, the Symantec Endpoint Protection Manager console doesn't show 2010 IPS signatures in the Exception list.
Solution: Used numerical comparison of sequence number instead of string comparison to find the latest sequence number.
SRTSPL64.SYS crashes on Windows 2008 Server
Fix ID: 1949035
Symptom: BugCheck 50, PAGE_FAULT_IN_NONPAGED_AREA, in SRTSPL64.SYS
Solution: Fixed resource cleanup issues
High CPU use on Symantec Endpoint Protection clients
Fix ID: 1954276
Symptom: High CPU usage, Sysfer crash, and possibly other unpredictable behavior related to the Sysplant driver.
Solution: Sysplant driver was failing to detach from the target process, causing an exception. Code changes made to correctly detach from target processes in all situations.
Excel hangs when opening encrypted spreadsheet when running Hibun
Fix ID: 1968574
Symptom: Excel hangs when the Hibun network file encryption feature is enabled and encrypted files are opened with Excel 2007.
Solution: Update to AutoProtect to work around this error condition in the Hibun filter.
Symantec Network Access Control Client is randomly disconnected
Fix ID: 1835054
Symptom: Symantec Network Access Control client is disconnected randomly with error message "WRONG GUID HI UNAVAILABLE" and the client is moved to a quarantine area.
Solution: A client UID issue was resolved.
Network Access Control Client Enforcement Agent fixes
Fix ID: 1955531
Symptom: Resuming from standby, docked laptops connected to an IP phone remain in Quarantine VLAN until user manually initiates a re-authentication.
Solution: Authentication is sent when resuming from standby when transparent mode is enabled.
High memory usage while using TLS authentication
Fix ID: 1953133
Symptom: High memory usage by svchost, winlogon, etc. while using TLS authentication, even if Symantec Network Access Control is not enabled.
Solution: Fixed process and token leak in Symantec RasMan plug-in.
HI policy utility: Run a Script creates 0 byte TMP files
Fix ID: 1828787
Symptom: After applying a HI policy to "Run a program" or "Run a script", the Windows temp folder is populated with multiple ~Ex\d{3}.TMP files each time the client executes the Host Integrity policy.
Solution: Temporary TMP files are deleted after the program or script is run from the Windows temp directory.
Symantec Network Access Control client does not detect definitions for Norton Internet Security 2009 on 64-bit operating systems
Fix ID: 1876489
Symptom: HI cannot detect Norton Internet Security 2009 status (e.g. signature date, AS running status, etc.) on 64-bit operating systems.
Solution: On 64-bit operating systems, corrected the HI check to properly detect Norton Internet Security 2009.
IAS authentication issue caused by Symantec RasMan plug-in
Fix ID: 1862222
Symptom: When Symantec RasMan plug-in is loaded by multiple processes, the plug-in will crash or consume 100% of the CPU.
Solution: Improved synchronization of Symantec RasMan plug-in when loaded by multiple processes.
Symantec Network Access Control client does not get Production IP when HI status changes to pass
Fix ID: 1861128
Symptom: When Enforcer failover occurs and HI status is changed, the client IP will not change to Quarantine IP until DHCP lease time expires.
Solution: Symantec Network Access Control client will update the HI result change with the Enforcer during next communication to renew current DHCP lease.
Enforcer fixes
Fix ID: 1831801
Symptom: When HI check fails, a client in quarantine is unable to access the .pac file (configurable script for IE proxy settings).
Solution: Added missing user-class option to INFORM packets.
On-Demand module on enforcer does not connect to the policy manager
Fix ID: 1838662
Symptom: The On-Demand module on the Enforcer does not connect to the policy manager because initialization of the encryption module failed.
Solution: Fixed initialization errors in encryption module.
Clients are resent to Quarantine IP until boot process has completed
Fix ID: 1828894
Symptom: During boot up, clients are being resent to the Quarantine server until the boot process completes.
Solution: Delay sending 39999 after forwarding ACK packet to client and additional checks to send DHCP packet to normal server.
Clients are switched to quarantine after lease time expires
Fix ID: 1889503
Symptom: DHCP inform packets interrupt lease status causing clients to switch to Quarantine IP after lease time expires.
Solution: Inform packets will trigger a 39999 force-renew on agent to trigger client renew request.
Failover Enforcers become active/active
Fix ID: 1890869
Symptom: Enforcers become active/active at the same time, which may cause an ARP broadcast storm.
Solution: Changed to use Enforcer start time (GMT) instead of up time to determine mastership.
Enforcer kernel panic when trunking is enabled
Fix ID: 1940369
Symptom: An Enforcer kernel panic occurs when trunking is enabled and a client is attempting to authenticate.
Solution: Improved memory checking to avoid Enforcer kernel panic.
HI configurations file corruption seen in Security Log
Fix ID: 1739980
Symptom: Two HI engines are running HI checks at the same time causing HI result to report as corrupted.
Solution: Added restrictions to allow only one HI engine to run at once.
Symantec Network Access Control DHCP Plug-in fixes
Fix ID: 1920822
Symptom: Plug-in Enforcer does not initiate an authentication session when it receives a DISCOVER packet.
Solution: Initiate authentication session for DISCOVER packet.
Symantec NAP client will be sent to Quarantine VLAN even when HI passes
Fix ID: 1833474
Symptom: When an administrator logs off the system, Symantec NAP client will be sent to quarantine VLAN even if HI passes.
Solution: Corrected 'Run As' permission for a Symantec Enforcer module.
Wireless access points are being rejected by Integrated DHCP enforcer
Fix ID: 1903745
Symptom: If 'Allow All' mode is used with trusted vendor or MAC, 'rejected' logs will show up even if the trusted devices have the correct/normal IP address.
Solution: Clients are checked against the trusted vendor and MAC list before setting the "Allow All" tag.
"Symantec Agent is not running or running an incompatible version" error on Symantec Network Access Control client
Fix ID: 1787373
Symptom: "Symantec Agent is not running or running an incompatible version" error on Symantec Network Access Control client when Symantec Network Access Control service is delayed during startup.
Solution: Moved the Symantec Network Access Control service earlier in the startup sequence.
Release Update 5 (RU5)
What's new in this version
The current release includes the following improvements that make Symantec Endpoint Protection and Symantec Network Access Control easier and more efficient to use.
Symantec Endpoint Protection Manager now supports the following operating systems:
- Microsoft Windows Server 2008 Service Pack 2 (all editions except for Itanium)
- Microsoft Windows Server 2008 R2 (all editions except for Itanium)
Symantec Endpoint Protection Manager can now be used with Microsoft SQL Server 2008.
The Symantec Endpoint Protection or Symantec Network Access Control client now supports:
- Microsoft Windows 7 (all editions except for Itanium)
- Microsoft Windows Server 2008 R2 (all editions except for Itanium)
- Microsoft Windows Vista Service Pack 2
The size of the client upgrade package used for auto-upgrading has been significantly reduced.
This reduces the amount of traffic that is sent to the clients when you auto-upgrade them. The auto-upgrade process is faster and conserves network bandwidth.
You can configure the following features for the Group Update Provider:
- Limit the amount of bandwidth that the Group Update Provider can use when the Group Update Provider downloads content from the management server.
- You can define a Group Update Provider by using rules and conditions, such as an IP address or host name. You can configure a single Group Update Provider in a single LiveUpdate Policy that applies across multiple groups for multiple clients.
- Define clients to connect to a Group Update Provider within the same site to improve performance.
- Identify which clients act as Group Update Providers.
The client now includes a Download Support Tool command on the Help and Support menu.
- Users on the client can download a support tool from the Support Web site that helps to diagnose the common issues that they might encounter on the client.
Symantec Network Access Control includes the following enhancements:
- New Host Integrity templates support Altiris 7, BigFix Enterprise Suite, and new versions of additional third-party products.
- End users with a valid RADIUS logon but a computer with no client installed can be blocked from your company's network.
- You can configure when the command-line interface on the Enforcer times out.
Components included in this version
| Component | Version |
|---|---|
| Symantec Endpoint Protection | 11.0.5002 |
| Symantec Network Access Control | 11.0.5002 |
| Auto-Protect | 10.3.0.15 |
| Avengine | 20081.1.1 |
| Behavior Blocking | 3.3.0.015 |
| ccEraser | 2007.0.1.6 |
| COH | 6.1.9.44 |
| Common Client | 106.5.0.10 |
| DecABI | 1.2.5.130 |
| Defutils | 4.1.1 |
| ECOM | 81.3.0.13 |
| VxMS (MS Light) | 5.2.0.4 |
| LiveUpdate | 3.3.0.92 |
| LiveUpdateAdmin | 2.2.1.16 |
| Microdefs | 2.7.0.13 |
| QServer | 3.6.20 |
| WpsHelper | 12.0.1.41 |
| SyKnAppS | 3.0.3.3 |
| SymEvent | 12.8.0.11 |
| SymNetDrv | 7.2.5.9 |
| Teefer2 | 11.0.5 |
Product fixes by category
Symantec Endpoint Protection Antivirus and Antispyware
This section describes the customer fixes for Antivirus and Antispyware since the release of MR4 MP2 (11.0.4.4200).
Fix ID: 1128048
Symptom: Under the guest account, Symantec Endpoint Protection clients report that Antivirus and Antispyware Protection does not function correctly.
Solution: Corrected status query to accommodate guest (minimal) privileges.
Updated hardware key due to MAC address change causes Symantec Endpoint Protection client re-registration with Symantec Endpoint Protection Manager
Fix ID: 1397560
Symptom: Multiple entries for Symantec Endpoint Protection clients on the console, duplicate hardware keys for different clients, and multiple clients that share the same hardware key.
Solution: The algorithm to create the hardware key was changed so the hardware key should not change with minor hardware changes, such as the disabling of NICs.
Smcgui.exe crashes for a Restricted user
Fix ID: 1528962
Symptom: Smcgui.exe crashes when logging on as a Restricted user.
Solution: Improved object handling.
Location awareness only works when the Primary DNS suffix matches the condition
Fix ID: 1529689
Symptom: On Windows 2000, Location Awareness fails to switch when configured on a specified network interface.
Solution: Change to Location Awareness.
TPM Device not displayed in the Symantec Endpoint Protection Manager
Fix ID: 1536046
Symptom: The Symantec Endpoint Protection client was not able to correctly identify the TPM chip vendor.
Solution: Changed the client to handle failures better when attempting to retrieve the TPM chip vendor information.
Decomposer version is blank in the Symantec Endpoint Protection client user interface
Fix ID: 1540746
Symptom: Under Help and Support, the Decomposer version is blank.
Solution: Corrected the location to retrieve the Decomposer version.
Unable to disable the "Threats were detected while you were logged out" message
Fix ID: 1542336
Symptom: With all notifications disabled, if a virus is discovered as part of a scheduled scan while the user is logged out, the user is notified that threats were discovered when the user logs in.
Solution: Added an option to toggle the client-side notification of the message.
Smcgui.exe unexpectedly takes foreground focus
Fix ID: 1558158
Symptom: On Windows XP embedded computers, Smcgui.exe unexpectedly takes foreground focus.
Solution: Changed Smcgui.exe to not take foreground focus in invisible mode.
The Symantec Endpoint Protection client fails heartbeat with Error Code=87;AH or Error Code=0;AH
Fix ID: 1603851
Symptom: With a large number of IP addresses configured on the Symantec Endpoint Protection client, the registration information exceeds size limitations and the client is not able to register with the server.
Solution: Set a limit of 16 IP addresses on the client.
64-bit Symantec Endpoint Protection clients do not pass Host Integrity check
Fix ID: 1651293
Symptom: 64-bit Symantec Endpoint Protection clients connecting through Juniper VPN are blocked by the Juniper Host Checker because the Juniper Host Checker does not recognize that the client successfully passed the Host Integrity check.
Solution: Corrected the location where Host Integrity results are read.
Scheduled LiveUpdate does not run at random times as expected
Fix ID: 1651364
Symptom: Scheduled LiveUpdate does not run at random times as expected.
Solution: Fixed algorithm to randomize the start times.
Scheduled LiveUpdate still launches LuAll.exe although the "Use a LiveUpdate Server" option is unchecked
Fix ID: 1652473
Symptom: After migration, LiveUpdate still uses LuAll.exe to download content from an internal or external LU server, regardless of whether the Use a LiveUpdate Server option is checked.
Solution: Scheduled LiveUpdate settings are cleared and the Symantec Endpoint Protection client uses the LiveUpdate policy from the Symantec Endpoint Protection Manager.
Log forwarding settings for Scan Aborted, Scan Started, and Scan Stopped do not work properly
Fix ID: 1664764
Symptom: Regardless of the log forwarding setting in Symantec Endpoint Protection Manager, the Symantec Endpoint Protection clients always forward the Scan aborted, Scan started, and Scan stopped logs.
Solution: Corrected the log forwarding to not always forward Scan logs.
Eraser Engine displays Version 0.0
Fix ID: 1668299
Symptom: The Protection Content Versions report and Help show clients' Eraser Engine version as 0.0.
Solution: Removed the dependency on Proactive Threat Protection content to be present while Eraser Engine version is calculated.
LiveUpdate tries to contact external LiveUpdate Servers despite policy setting
Fix ID: 1678207
Symptom: The Use a LiveUpdate Server setting is not honored, which causes Symantec Endpoint Protection clients to download content from external LiveUpdate servers.
Solution: The Use a LiveUpdate Server setting is checked before attempting to download content.
A Group Update Provider leaves TCP connections in the CLOSE_WAIT state, preventing Symantec Endpoint Protection clients from updating
Fix ID: 1679515
Symptom: With limited concurrent download connections configured, TCP connections can be exhausted if Symantec Endpoint Protection clients do not terminate sessions cleanly.
Solution: Architectural changes were made to the Group Update Provider to handle clients that do not terminate sessions cleanly.
Remediation options for Email Auto-Protect are grayed out in the Symantec Endpoint Protection client
Fix ID: 1704540
Symptom: The Remediation options for Email Auto-Protect are visible and grayed out on the Symantec Endpoint Protection client, but do not appear in the Symantec Endpoint Protection Manager.
Solution: The Remediation options for Email Auto-Protect are not configurable and have been removed.
Smcgui.exe crashes on Windows 2000 when users are logged in as Guest account
Fix ID: 1729073
Symptom: Smcgui.exe crashes on Windows 2000 when users are logged in as Guest account.
Solution: Enhanced error handling in Smcgui.exe on Windows 2000.
Location awareness switches based on "Primary DNS Suffix" provided by domain controller
Fix ID: 1732720
Symptom: Location awareness switches based on the Primary DNS Suffix provided by the domain controller.
Solution: Location awareness switching by DNSSuffix will only switch through the Connection-specific DNS suffix provided by DHCP.
SMC.exe uses entire CPU core and client/manager communication fails after migrating or installing the Symantec Endpoint Protection client
Fix ID: 174134
Symptom: After upgrading a Symantec Endpoint Protection client, communication with the Symantec Endpoint Protection Manager fails because the default gateway is not in the same subnet.
Solution: Enhanced the process to find the best route to the server after the gateway IP address changes.
Symantec Endpoint Protection client user interface has inconsistent behavior when restoring items displayed in Quarantine
Fix ID: 1783193
Symptom: The Restore and Delete buttons remain grayed out in the client View Quarantine windows when certain items are selected but are available in right-click context menu.
Solution: Fixed to have consistent behavior when viewing in Quarantine view and right-click context menu.
Symantec Endpoint Protection clients cannot update antivirus definitions from the Symantec Endpoint Protection Manager
Fix ID: 1543985
Symptom: Symantec Endpoint Protection clients cannot update antivirus definitions from the Symantec Endpoint Protection Manager.
Solution: Added a dependency relationship for SMC service and System Event Notification service at startup.
MSI Repair function reverts the Symantec Endpoint Protection Manager/IIS port to 8014 from non-default
Fix ID: 1601640
Symptom: MSI repair causes the Symantec Web server port to revert to the default value.
Solution: Added a custom Web site port setting to the conf.properties file during a repair install.
Symantec Endpoint Protection client upgrade warnings are inconsistent
Fix ID: 1638457
Symptom: Symantec Endpoint Protection client upgrade warnings on 64-bit upgrades are inconsistent with 32-bit upgrade warnings.
Solution: Changed the 64-bit upgrade warnings to be consistent with the 32-bit upgrade warnings.
Symantec Endpoint Protection Manager Home page shows the virus definition date as 1/1/1970
Fix ID: 1391394
Symptom: On a clean Symantec Endpoint Protection Manager installation before running LiveUpdate, the Symantec Endpoint Protection client virus definition date shows as 1/1/1970 on the console Home page.
Solution: The client virus definition date is properly initialized.
RTVScan.exe does not release memory until after the scan completes
Fix ID: 1427192
Symptom: When very large containers are scanned, memory continues to grow until the scan completes.
Solution: Memory usage is reduced by not storing unnecessary data during the scan.
Outlook Auto-Protect has problems with attachments containing non-ASCII letters in the file name
Fix ID: 1529690
Symptom: Attachments with non-ASCII characters cannot be opened.
Solution: Added functionality to retrieve the UNICODE file name attribute to correctly create the target file name.
Microsoft Word files are deleted as soon as they are opened on a local partition
Fix ID: 1536936
Symptom: Microsoft Word files are deleted as soon as they are opened on a local partition.
Solution: Auto-Protect was modified to do non-buffered I/O on NTFS file system.
Crash occurs during process termination with bug check 8E
Fix ID: 1545269
Symptom: System crashes during process termination with bug check 8E.
Solution: Auto-Protect was changed to better handle scans during process termination.
An application fault occurs in RTVScan.exe due to corrupted data in the registry
Fix ID: 1592186
Symptom: An application fault in RTVScan.exe occurs when it attempts to read an unexpected date value in the registry for a scheduled scan.
Solution: Checks were added to validate the date value.
Administrator scheduled scans are not running at specified times
Fix ID: 1594128
Symptom: With missed events disabled, scheduled scans are not correctly flagged as missed events.
Solution: Enhanced missed event detection to account for the user environment when detecting missed events.
Users suddenly cannot access shared files with Auto-Protect enabled
Fix ID: 1594214
Symptom: Users suddenly cannot access shared files with Auto-Protect enabled.
Solution: Enhanced Auto-Protect to better handle client file accesses to a server.
Symantec Endpoint Protection crashes in RTVscan when performing multi-threaded scan
Fix ID: 1639778
Symptom: An application crash occurs in RTVscan when run with multi-threaded or hyper-threaded options enabled.
Solution: Additional checks were added to prevent an application crash.
Symantec Endpoint Protection does not detect eicar.com when it is downloaded using Google Chrome
Fix ID: 1673766
Symptom: Using Chrome, threats are downloaded without detections while using selected file extension settings in Auto-Protect.
Solution: Added the .TMP and .PART extensions (for Firefox) to the default extension list for Auto-Protect.
Auto-Protect does not detect threats that are copied to a network share or a mapped network drive on Windows 2003 or 2008 Server
Fix ID: 1675715
Symptom: Auto-Protect does not detect threats that are copied to a network share or a mapped network drive on Windows 2003 or 2008 Server.
Solution: Enhanced Auto-Protect to better handle client file accesses to a network share or a mapped network drive.
Crash on Windows Vista with bug check 7f
Fix ID: 1738584
Symptom: Crash on Windows Vista with bug check 7f.
Solution: On Windows Vista, enhanced Auto-Protect to better handle situations of low kernel stack memory.
Coh32.exe has an application error with the message "The instruction at '0x044be849' referenced memory at '0x000000000'"
Fix ID: 1744359
Symptom: On Windows 2000, when running a process from a mapped drive, the Windows system cannot determine the mapped drive and causes a crash in COH32.
Solution: Additional checks were added to better handle this situation.
Symantec Endpoint Protection Email Auto-Protect does not work properly when using Secure POP3 (POP3S) port 995
Fix ID: 1509203
Symptom: Symantec Endpoint Protection Email Auto-Protect does not work properly when using POP3S port 995. The Symantec Endpoint Protection email proxy modifies SSL v2 Client Hello, preventing POP3S SSL mail connections in some cases.
Solution: Fixed the email proxy to not modify SSL v2 Client Hello.
Symantec Endpoint Protection Firewall
This section describes the customer fixes for the firewall since the release of MR4 MP2 (11.0.4.4200).
Firewall does not block traffic to or from Juniper SA Network Connect virtual NIC
Fix ID: 1262087
Symptom: Juniper SA Network Connect virtual NIC does not specify a media type, causing Teefer2 to not bind to the adapter.
Solution: Added Juniper SA Network Connect virtual NIC media type to Teefer2.
With NICs that use a TCP offload engine, Symantec Endpoint Protection with Network Threat Protection enabled causes networking problems, such as connection failures and performance degradation
Fix ID: 1389258
Symptom: Teefer2 causes packet loss with TCP/UDP checksum offload by not preserving checksum data.
Solution: Teefer2 corrected to preserve checksum data.
DNS resolution fails while connected via Microsoft VPN
Fix ID: 1442277
Symptom: Teefer2 causes packet loss with TCP/UDP checksum offload by not preserving checksum data.
Solution: Teefer2 corrected to preserve checksum data.
System crashes with STOP 7E during Symantec Endpoint Protection client installation
Fix ID: 1532340
Symptom: When Teefer2 is loaded, it accesses a list of system modules. When these system modules are changed while Teefer2 is processing them, the system crashes.
Solution: Improved handling of the system data.
Last Download Time shows an erroneous date
Fix ID: 1538048
Symptom: The "Last Download Time" that is uploaded from the Symantec Endpoint Protection client side is incorrect.
Solution: The client's Last Download Time is properly initialized.
Firewall rule unable to block application with use of DNS Host or DNS Domain types in Host Groups
Fix ID: 1540750
Symptom: When configuring the Host Group to use a DNS host name or DNS domain, the rule does not block traffic.
Solution: Additional checks were added to identify the correct IP address to use when sending RDNS packets.
Crash in sysplant.sys caused by stale data
Fix ID: 1541319
Symptom: A crash occurs when Sysplant attempts to access stale internal data.
Solution: Fixed Sysplant to properly identify and not store stale internal data.
Disabling the Browse files and printers on the network option through Network Threat Protection has no effect
Fix ID: 1543964
Symptom: When a user disables "Browse files and printers on the network" and "Share my files and printers with others on the network" under Network Threat Protection options, the user is still able to access and share folders.
Solution: A missing default file rule was added to the policy file.
With a dial-up adapter, firewall rules are not applied while using Internet Explorer
Fix ID: 1544028
Symptom: With a dial-up adapter, network traffic is tunneled through WANARP instead of the correct application, Internet Explorer.
Solution: Fixed to identify the correct application.
The Symantec Endpoint Protection client is unable to maintain a network connection through the 802.1x enforcement after the Cisco VPN client 3.6.6 dials up
Fix ID: 1544442
Symptom: With Cisco VPN clients, EAP packets are being blocked by Network Threat Protection.
Solution: Modified Network Threat Protection to only block EAP packets when 802.1x authentication mode is set to a 3rd party supplicant.
Sysplant prevents Cygwin compiler from building code
Fix ID: 1556624
Symptom: Cygwin cannot compile source code if Symantec Endpoint Protection is installed with Application and Device Control enabled.
Solution: Resolved a conflict between the Symantec Endpoint Protection client and Cygwin.
Clients report Denial of Service attack (IP Fragmentation overlap) when no overlap is occurring
Fix ID: 1586674
Symptom: When connected over a VPN, a false positive Denial of Service detection (IP fragmentation overlap) causes the Web site to be blocked for 10 minutes.
Solution: Corrected how the last IP fragmentation packet is identified to properly calculate the packet length.
Host integrity configuration file is corrupted on Windows Vista
Fix ID: 1587248
Symptom: On Windows Vista, Application and Device Control causes Host Integrity checks to fail with errors in the security log, indicating that the Host Integrity configuration file is corrupt.
Solution: Application and Device Control was corrected to allow Host Integrity checks to succeed.
Sysplant causes CosmoCall Agent software to crash
Fix ID: 1592206
Symptom: With Application and Device Control installed, CosmoCall Universe 4.5 software does not launch and returns the error message "CosmoCall Universe 4.5 has encountered a problem and needs to close."
Solution: Corrected compatibility issue with CosmoCall Universe.
On Windows Vista, Application and Device Control is not able to log DLL injection attempts to IExplorer.exe
Fix ID: 1653904
Symptom: A client with an Application and Device Control policy to block DLL injections blocks successfully, but does not display a notification or add an entry to the logs.
Solution: Both a notification and log entry are successfully created.
System Lockdown exclusions are not honored, which causes strange characters in file path
Fix ID: 1677455
Symptom: System Lockdown exclusions are not honored, which causes strange characters to appear in file paths, as seen in "Unapproved Applications Only" logs.
Solution: Changed how the file path is obtained to avoid strange characters.
Symantec Endpoint Protection detects Jolt2 DoS attack when Altiris agent sends large amounts of ICMP packets to the Altiris server
Fix ID: 1677459
Symptom: Symantec Endpoint Protection detects a Jolt2 DoS attack when the Altiris agent sends large amounts of ICMP packets to the Altiris server.
Solution: Symantec Endpoint Protection clients will not detect Jolt2 DoS attack with systems patched with the corresponding Microsoft update.
A crash caused by sysplant.sys, bug check 1000008E occurs
Fix ID: 1723596
Symptom: A crash caused by sysplant.sys, bug check 1000008E occurs.
Solution: Enhanced Sysplant to better handle exceptions.
Symantec Endpoint Protection Manager
This section describes the customer fixes for Symantec Endpoint Protection Manager since the release of MR4 MP2 (11.0.4.4200).
The Symantec Endpoint Protection Manager cannot use registry key (default) as a file path in a Host Integrity check
Fix ID: 1543123
Symptom: The user interface does not allow the use of the registry key (default) as a file path for a Host Integrity check.
Solution: Removed restriction that disallows the use of registry key (default).
Policy settings never update after creating a new management server list using specific Japanese strings
Fix ID: 1739908
Symptom: Policy settings never update after creating a new management server list using specific Japanese strings.
Solution: Enhanced Enforcer parser.
Home, Monitors, and Reports pages are blank on the remote console after updating Java to version 1.6 Update 11
Fix ID: 1473464
Symptom: When using a remote console, some Symantec Endpoint Protection Manager pages are blank after updating to Java 1.6 update 11.
Solution: Upgraded the version of Java Desktop Integration Components (JDIC).
Windows 2008 is identified as Vista in scm-server logs
Fix ID: 1503238
Symptom: Windows 2008 is identified as Vista in server logs.
Solution: Updated the Java version.
Replication error - violation of PRIMARY KEY constraint 'PK_SEM_COMPUTER' occurs
Fix ID: 1534861
Symptom: Replication fails with the error "Violation of PRIMARY KEY constraint 'PK_SEM_COMPUTER'."
Solution: Synchronized replication merging process, so that only one replication merging process is run at a time.
User Account Control prompt on Windows 2008 Server or Vista when using a remote console does not reflect the status of UAC
Fix ID: 1536901
Symptom: When opening the remote console for Symantec Endpoint Protection Manager on Windows 2008 Server or Vista, the user is prompted to disable UAC when UAC is already disabled.
Solution: The user prompt was changed.
IPS Exclusions do not work for DNS host and DNS Domain used with Host Groups
Fix ID: 1538126
Symptom: After creating Host Groups with DNS host and DNS domain, selecting the associated Host Groups to create IPS Host Exclusions does not work.
Solution: Defining the host by MAC address, DNS host, and DNS domain is not supported. A message was added to warn the user.
Saved filter converts commas to "*2C"
Fix ID: 1538175
Symptom: In reporting saved filters, commas are converted to "*2C".
Solution: When loading saved filters from the database, commas are no longer converted.
Replication occurs over a proxy server if a LiveUpdate proxy is defined
Fix ID: 1538199
Symptom: If a LiveUpdate proxy is defined, replication is attempted over the proxy server and fails.
Solution: Use a per-connection proxy setting instead of setting the system property.
New Software Package notification email contains multiple redundant lines
Fix ID: 1539834
Symptom: When a user creates notifications for new software downloads, the email contains duplicate descriptions over a period of time.
Solution: Corrected the SQL query and updated the email format to include the time, the download description, and which server downloaded the content.
A broken link appears in the dbvalidator.log
Fix ID: 1543995
Symptom: A broken link appears in the dbvalidator.log.
Solution: Added a verification to check whether the policy is in use.
User is prompted to change Administrator password at Reporting logon when set to never expire
Fix ID: 1545139
Symptom: Although the Symantec Endpoint Protection Manager Administrator's password is set as "Password never expires," the user is prompted to change the password after 60 days.
Solution: Corrected the configuration to not request password change when set to never expire.
Negative number appears in Detection Action Summary report
Fix ID: 1555834
Symptom: The Detection Action Summary report displays negative numbers due to mismatched database records.
Solution: Corrected the data parsing to avoid mismatched database records.
French localized Symantec Endpoint Protection Manager cannot create scheduled reports due to incorrect date format
Fix ID: 1587237
Symptom: On French localized Symantec Endpoint Protection Managers, scheduled reports cannot be created due to an incorrect date format.
Solution: Specified the date format before saving the scheduled report to the database.
Sorting by date in Client Status page generates scrambled results
Fix ID: 1587874
Symptom: When trying to apply a filter/sort based on "Last Update Time," dates are not sorted correctly.
Solution: Changed the data type to date comparison sorting.
The Symantec Endpoint Protection Manager client table Sort button stops working and does not toggle
Fix ID: 1587920
Symptom: The Sort button stops working randomly when attempting to sort elements on the Symantec Endpoint Protection Manager Clients tab.
Solution: Avoid multiple mouse listeners for the same table header.
The Search Client option allows limited administrators to run commands on computers in groups with no access rights
Fix ID: 1589447
Symptom: The Search Client option shows computers in groups that limited administrators do not have permissions to access.
Solution: Only show the allowed groups to limited administrators.
Duplicate client records in the database point to groups that no longer exist, causing communication failures
Fix ID: 1589472
Symptom: Duplicate client records in the database point to groups that no longer exist, causing communication failures.
Solution: During replication, clients without a valid group ID are cleaned.
Default size of the Symantec Endpoint Protection Manager user interface does not allow all filters to be seen or selected when adding a Scheduled Report
Fix ID: 1592013
Symptom: Not all filters are visible when creating Scheduled Reports.
Solution: Added a scrollbar to the filter selection when the number of filters is greater than 7.
System Administrator Scheduled Reports inappropriately visible across Symantec Endpoint Protection Manager Domains
Fix ID: 1592959
Symptom: System administrator permissions are retained for Domain administrators, which makes previously created reports accessible.
Solution: System administrator permissions are no longer retained after logging off the Symantec Endpoint Protection Manager domain.
Learned applications paths are incorrect
Fix ID: 1593025
Symptom: The use of a backslash '\' instead of a forward slash '/' in learned application paths causes firewall rules to function incorrectly.
Solution: During profile compilation, incorrect path separation characters are corrected.
Replication fails when the password for the Symantec Endpoint Protection Manager account used for replication contains the % character
Fix ID: 1593159
Symptom: Cannot authenticate with special characters in the Symantec Endpoint Protection Manager account password, causing replication failures.
Solution: Corrected to allow authentication to succeed with the use of special characters.
Improper end time in exported scan logs
Fix ID: 1593319
Symptom: The Symantec Endpoint Protection Manager console correctly displays the start and end time but the end time is incorrectly shown in exported logs.
Solution: Avoided trimming the end date data after it is retrieved from the database.
Symantec Endpoint Protection Manager reports show file paths with a forward slash when it should be a backslash
Fix ID: 1595804
Symptom: Symantec Endpoint Protection Manager reports show file paths with a forward slash when it should be a backslash.
Solution: Corrected Symantec Endpoint Protection Manager reports to show backslashes.
Notification batch script does not finish successfully
Fix ID: 1595961
Symptom: When configuring a notification to run a batch script, the script is executed but does not complete successfully.
Solution: Allowed the server task to wait for the batch script to complete before termination.
Data truncation errors appear in the logs
Fix ID: 1597067
Symptom: Data truncation errors appear and error logs are created in the antivirus log directory.
Solution: Added more error checking to check the log session GUID for validity.
Replication fails with "Duplication of Primary key"
Fix ID: 1597521
Symptom: Replication fails with "Duplication of Primary key".
Solution: Duplicate data with the same key values are only included once.
Scheduled reports return a list of report recipients with extra space
Fix ID: 1597537
Symptom: While editing the recipient list for scheduled reports, the error message "Invalid characters have been removed from the list of emails." appears even though no changes are made.
Solution: The email recipient list is saved without additional spaces.
"No entries" in Monitors > Logs > Computer status on embedded replication partner (with SQL)
Fix ID: 1597713
Symptom: No date is shown for Computer status logs when related data is available in database.
Solution: When the date is unavailable from the client, the server timestamp is used as the client's last check-in time.
Unmanaged Detector does not acknowledge excluded computers and IP phones
Fix ID: 1600943
Symptom: IP address ranges that should be excluded appear in the results of unmanaged computers notifications.
Solution: Corrected data retrieval from the database to filter excluded IP ranges.
Host compliance log details are truncated when a Host Integrity policy has a large number of requirements
Fix ID: 1601779
Symptom: With a SQL database, host compliance log details are truncated when a Host Integrity policy has a large number of requirements.
Solution: Host compliance log details are no longer truncated.
A Limited Administrator account is able to create packages, upgrade groups, and view reports for groups that have been blocked
Fix ID: 1631487
Symptom: A Limited Administrator account is able to create packages, upgrade groups, and view reports for groups that have been blocked.
Solution: Fixed various user interfaces in the console to limit administrator access.
64-bit Windows XP in exported Computer Status Export logs is incorrect
Fix ID: 1633311
Symptom: In the Computer Status Log, Symantec Endpoint Protection clients running 64-bit Windows XP show as "Other".
Solution: Added Windows XP Professional x64 Edition in the logs.
The raw data dump from the External Logging options does not contain column header identifiers
Fix ID: 1633619
Symptom: The raw data dump from the External Logging options does not contain column header identifiers.
Solution: Added header information on all logs created by the External Logging feature.
Clients are not deleted from historical data and skew reports
Fix ID: 1639520
Symptom: Legacy clients and servers no longer on the network still show in the Security Status report with out-of-date definitions.
Solution: Added additional checks for legacy clients and servers with improper status updates.
LiveUpdate errors are listed as warnings instead of errors
Fix ID: 1652423
Symptom: In the Symantec Endpoint Protection Manager logs, LiveUpdate errors are listed as warnings instead of errors.
Solution: Changed LiveUpdate errors from Warning to Error.
Single client does not receive the commands sent from Symantec Endpoint Protection Manager
Fix ID: 1654964
Symptom: In the Symantec Endpoint Protection Manager, a command issued to a single client with a hardware key starting with 00 is not run by the client.
Solution: A hardware key starting with 00 is no longer identified as an unavailable client.
Behavior of outbreak notifications is inconsistent
Fix ID: 1656397
Symptom: Overlapping single risk and outbreak conditions do not trigger outbreak notifications when expected.
Solution: Algorithm changed to better detect overlapping risks or outbreaks.
With Simplified Chinese, garbage characters appear in attack logs
Fix ID: 1664719
Symptom: With Simplified Chinese, garbage characters appear in Symantec Endpoint Protection Manager Network Threat Protection logs.
Solution: Added UTF-8 encoding for SQL Server 2000.
Changes to the maximum number of clients displayed per page in the default view are not preserved in other views
Fix ID: 1665823
Symptom: Changes to the maximum number of clients displayed per page in the default view are not preserved in other views.
Solution: Synchronize the settings when saving display filters for each view.
Duplicate Centralized Exceptions policies appear when adding exceptions via risk logs
Fix ID: 1669897
Symptom: Duplicate Centralized Exceptions policies appear when adding exceptions via risk logs.
Solution: To avoid duplicates, only the shared Centralized Exception policies are displayed.
Event times are shown as "1970/01/01 08:00:00" [TimeZone:+8] in notification email
Fix ID: 1672629
Symptom: Email alerts for event notifications show as "1970/01/01..." even though the Symantec Endpoint Protection Manager console shows the correct event time.
Solution: Corrected the date and time format conversion for email notifications.
The Symantec Endpoint Protection Manager quits when displaying a large log of unapproved applications
Fix ID: 1673860
Symptom: The Symantec Endpoint Protection Manager quits due to a Java heap space error when the Unapproved Applications Only log viewed on the System Lockdown page exceeds 290K records.
Solution: Unapproved Applications Only logs are limited to displaying the last 20,000 records. Users can still view all the logs from the Application and Device Control Logs report.
Symantec Endpoint Protection Manager client status "Last Check-in" date/time is calculated inconsistently
Fix ID: 1673951
Symptom: In the Symantec Endpoint Protection Manager, client "Last Check-in" date/time shows as Symantec Endpoint Protection Manager date/time until the client checks in as part of the regular heartbeat.
Solution: When the date is unavailable from the client, the server timestamp is used as the client's last check-in time.
Client status is displayed incorrectly in the Symantec Endpoint Protection Manager console
Fix ID: 1677244
Symptom: Client status is displayed incorrectly on the Home page Status Summary, but correctly on the Clients tab.
Solution: Corrected the query to retrieve client status from the database.
Moving users between OUs within Active Directory is not correctly reflected on the Symantec Endpoint Protection Manager interface
Fix ID: 1678457
Symptom: Users created with display names greater than 64 characters are truncated, causing updates to fail.
Solution: Limit the display name to 64 characters.
The Symantec Endpoint Protection Manager no longer accepts RISK logs from legacy Symantec AntiVirus servers after migration
Fix ID: 1679706
Symptom: The Symantec Endpoint Protection Manager no longer accepts RISK logs from legacy Symantec AntiVirus servers after migrating to Symantec Endpoint Protection Manager 11.0 MR4 MP2.
Solution: Fixed agent log collection.
The number of clients in an email notification and the corresponding report do not match
Fix ID: 1701459
Symptom: The number of clients in an email notification and the corresponding report do not match.
Solution: Synchronized email notification and the corresponding report.
Long policy description entries cause events to be dropped
Fix ID: 1710139
Symptom: Long policy description entries cause events to be dropped.
Solution: Set a limit of 256 characters for policy description field.
The Symantec Endpoint Protection Manager is slow to apply policy changes after importing 10,000 OUs
Fix ID: 1714092
Symptom: The Symantec Endpoint Protection Manager experiences sluggish performance when importing large numbers of OUs.
Solution: Enhanced the performance of Active Directory synchronization.
Initial replication fails with the notification "The transaction log for database 'sem5' is full"
Fix ID: 1714303
Symptom: Initial replication fails with the notification "The transaction log for database 'sem5' is full".
Solution: Increased the max database transaction log size based on the company size selected during the Symantec Endpoint Protection Manager Installation Wizard.
Bad CurrentSequenceNum registry value contributing to .dat.err file build up on MR4 MP2 Symantec Endpoint Protection Manager
Fix ID: 1716657
Symptom: Truncation errors cause the accumulation of .dat.err files in the agentinfo folder.
Solution: Fixed the truncation errors.
Virus alert emails do not contain the file and file path that was infected
Fix ID: 1719962
Symptom: Virus alert emails do not contain the file and file path that was infected.
Solution: Added information about the file and file path to virus alerts email.
The string "\r\n" in the description field on the client properties in Symantec Endpoint Protection Manager causes data truncation error when replicating
Fix ID: 1720809
Symptom: The string "\r\n" in the description field on the client properties in the Symantec Endpoint Protection Manager causes data truncation error when replicating.
Solution: Multi-line descriptions are completely read by the Symantec Endpoint Protection Manager.
Duplicate clients in the Symantec Endpoint Protection Manager
Fix ID: 1722503
Symptom: After importing Active Directory OUs, duplicate clients appear in the Symantec Endpoint Protection Manager.
Solution: Deleted duplicate clients during replication.
Symantec Endpoint Protection Manager "Single Risk" notifications do not send email for Proactive Threat Protection risk detection of BloodHound.SONAR.1
Fix ID: 1723779
Symptom: Symantec Endpoint Protection Manager "Single Risk" notifications do not send email for Proactive Threat Protection risk detection of BloodHound.SONAR.1.
Solution: If you use non-defaults in an Antivirus and Antispyware Policy for TruScan Proactive Threat Scans (that is, not Log-Only), a potential risk is considered as a Security Risk in order to trigger the single risk notification.
SystemBiosVersion registry value results in a Symantec Endpoint Protection Manager error "An invalid XML character"
Fix ID: 1725075
Symptom: An invalid XML character in the SystemBiosVersion registry value causes the client to fail to register with Symantec Endpoint Protection Manager.
Solution: Invalid characters are removed.
When the maximum number of clients displayed per page is set to over 1,000, only 1,000 clients are displayed
Fix ID: 1732819
Symptom: When the maximum number of clients displayed per page is set to over 1,000, only 1,000 clients are displayed.
Solution: Limited the maximum number of clients to display to 1000 clients.
Client search by IP address only returns the first IP address even though the computer has more than one
Fix ID: 1733240
Symptom: Client search by IP address only returns the first IP address even though the computer has more than one.
Solution: Changed to allow multiple IP address client searches.
"Unable to communicate with Reporting component" when you log onto the Symantec Endpoint Protection Manager remote console under certain conditions
Fix ID: 1740140
Symptom: With two Symantec Endpoint Protection Manager consoles set up to use different IIS ports, remote console login does not work on the second Symantec Endpoint Protection Manager and returns the error "Unable to communicate with Reporting component".
Solution: During remote logon, the corresponding IP address and IIS port are correctly obtained.
Symantec Endpoint Protection Manager Home Page "Security Status - Attention Needed" lists old data in details
Fix ID: 1745613
Symptom: Symantec Endpoint Protection Manager Home Page "Security Status - Attention Needed" lists old data in details.
Solution: The algorithm to create the hardware key was changed such that the hardware key should not change with minor hardware changes, such as disabling of NICs.
Symantec Endpoint Protection Manager Active Directory sync at root OU produces duplicate clients. AD sync at sub OUs produces no duplication
Fix ID: 1745722
Symptom: Symantec Endpoint Protection Manager Active Directory synchronization at root OU produces duplicate clients caused by a carriage return in the computer description.
Solution: Removed unnecessary carriage return from computer description.
Java -1 errors when installing Symantec Endpoint Protection Manager to remote database using Windows Authentication
Fix ID: 1764453
Symptom: After Symantec Endpoint Protection Manager installation using Windows Authentication, the Semsrv process does not stay started, causing console login to fail with Java -1 error.
Solution: Removed database instance name from domain name, so that the IIS anonymous account can be configured properly.
Symantec Network Access Control
This section describes the customer fixes for Symantec Network Access Control since the release of MR4 MP2 (11.0.4.4200).
Client peer to peer authentication blocks other clients' access to its share folder
Fix ID: 1483035
Symptom: Configuring the peer's address was not using the correct IP address.
Solution: Corrected to use the client's IP address.
SNAC.EXE and Services.exe take up to 40% of CPU
Fix ID: 1519912
Symptom: After boot up, SNAC.exe and Services.exe are consuming up to 40% of the CPU.
Solution: Corrected NAP service monitoring.
IP is not released when On-Demand client is exited
Fix ID: 1557687
Symptom: After the On-Demand client is exited, the client does not release the production IP.
Solution: Before exiting, the client sends a notification to all plug-ins.
User is unable to connect to the network via VPN when using the Gateway Enforcer On-Demand plug-in
Fix ID: 1638565
Symptom: User is unable to connect to the network with Jiangnan VPN via the Gateway Enforcer.
Solution: Added support for Jiangnan VPN.
Client has delayed access to network resources during the boot up sequence
Fix ID: 1640120
Symptom: A client has a quarantine IP address for about 1 minute even if Host Integrity check passes.
Solution: Use WGX to receive and send heartbeat to Gateway and DHCP Enforcer when Windows networking system is not ready.
DHCP Appliance does not supply secure mask 255.255.255.255
Fix ID: 1586761
Symptom: The Enforcer Appliance does not replace the subnet mask given out by the Microsoft DHCP server with a 32-bit mask.
Solution: Added a CLI command to enable secure.netmask in DHCP Enforcer.
Users taking considerable amount of time to switch from Quarantine to Production scope
Fix ID: 1587480
Symptom: After being placed into the Quarantine DHCP scope, users are taking a considerable amount of time to be correctly switched into the Production scope.
Solution: DHCP status is updated when authentication status changes.
The Gateway Enforcer continuously switches between standby and active
Fix ID: 1592129
Symptom: The Gateway Enforcer continuously switches between standby and active due to failed ARP loop detection.
Solution: Enhanced ARP loop detection on the Gateway Enforcer.
The Enforcer loses trunking function after self reboot
Fix ID: 1600101
Symptom: The Enforcer loses the trunking function after a self reboot.
Solution: Trunking status is set to enable when failopen is enabled after a reboot.
Running the Symantec Network Access Control On-Demand Client and Checkpoint VPN causes a blue screen
Fix ID: 1708592
Symptom: Running the Symantec Network Access Control On-Demand Client and Checkpoint VPN causes a blue screen.
Solution: Fixed compatibility issue with CheckPoint VPN.
Guest Access does not work when using MAB & Transparent mode
Fix ID: 1511304
Symptom: When in transparent mode with MAB enabled, guests are not allowed on the production network.
Solution: Detect if the RADIUS server is valid. If the RADIUS server is invalid, Enforcer responds to the switch's MAB request.
RADIUS server rejects the user before PEAP authentication
Fix ID: 1630710
Symptom: RADIUS server rejects the user before PEAP authentication.
Solution: LAN Enforcer continues to PEAP authentication to mimic a RADIUS server.
LAN Enforcer does not communicate with Great Bay scanning device correctly
Fix ID: 1740074
Symptom: After deleting client MAC addresses from the Great Bay device, the client cannot authenticate using MAB (Dot1x).
Solution: Detect if the RADIUS server is valid. If the RADIUS server is invalid, Enforcer responds to the switch's MAB request.
Unable to connect to wireless, no Symantec Network Access Control, over PEAP authentication
Fix ID: 1788308
Symptom: With Symantec Network Access Control in transparent mode over PEAP authentication, a client is unable to connect to wireless.
Solution: Fixed to not handle PEAP packets when Symantec Network Access Control is set to transparent mode.
Maintenance Release 4 Maintenance Pack 2 (MR4 MP2)
This section describes the new features and fixes included in Maintenance Release 4 Maintenance Patch 2 (MR4 MP2) of Symantec Endpoint Protection 11.0 (also known as version 11.0.4202). This maintenance pack cannot be installed over any versions of Symantec Endpoint Protection or Symantec Endpoint Protection Manager prior to MR4. It must be installed over Maintenance Release 4 (MR4), (MR4-MP1), or (MR4-MP1a).
What's in this release
This maintenance patch resolves in-field reported issues within the Symantec Endpoint Protection client and Symantec Endpoint Protection Manager. These release notes also list updated and new Readme items for this release.
Note: The latest available release of Symantec Network Access Control is MR4 MP1. There have been no customer fixes since the release of Symantec Network Access Control MR4 MP1.
| Component | Version |
|---|---|
| Symantec Endpoint Protection | 11.0.4202 |
| Symantec Network Access Control | 11.0.4010 |
| AutoProtect | 10.2.10.2 |
| Avengine | 20081.2 |
| Behavior Blocking | 3.3.7.15 |
| ccEraser | 2007.0.1.6 |
| COH | 6.1.8.8 |
| Common Client | 6.3.8.004 |
| DecABI | 1.1.1.39 |
| Defutils | 4.1.0.19 |
| ECOM | 61.3.0.17 |
| VxMS (MS Light) | 5.2.0 |
| LiveUpdate | 3.3.0.85 |
| LiveUpdateAdmin | 2.2.1.13 |
| Microdefs | 2.5.37.0 |
| QServer | 3.6.16 |
| WpsHelper | 11.0.717.804 |
| SyKnAppS | 2.5.12 |
| SymEvent | 12.5.3.2 |
| SymNetDrv | 7.2.3.302 |
| Teefer2 | 11.0.697 |
Product Fixes by category
Symantec Endpoint Protection: Antivirus/Antispyware
RTVScan.EXE terminates unexpectedly when initiating a scheduled scan
Fix ID: 1523740
Symptom: RTVScan.exe terminates unexpectedly when initiating a scheduled scan.
Solution: A common client component, MSL, was updated to prevent the crash.
Quarantine scan causes Auto-Protect detections in %temp% folder
Fix ID: 1525749
Symptom: DWHWizard.exe starts the quarantine scan and moves quarantined files into the %temp% folder for scanning. Auto-Protect will occasionally detect these infected files.
Solution: After extracting and re-scanning each quarantine item, the TMP file is deleted unless the state is now REPAIRABLE. Repairable files are used later, either to restore to the original location or to save back to Quarantine (REPAIR_ONLY mode). These files should be clean, so Auto-Protect should not detect anything in them.
Intermittent Outlook crashes
Fix ID: 1511242
Symptom: Outlook exits unexpectedly when using "Previous Item" or "Next Item" option.
Solution: The Outlook plug-in was changed to keep track of the most recent ExchangeCallback Pointer correctly.
Sysfer crashes Adobe Elements
Fix ID: 1522283
Symptom: Sysfer crashes Adobe Elements when using context to convert .doc(x) files to PDF format.
Solution: Changed a function to read a string-type parameter correctly so that the memory address is properly accessed.
Windows 2008 x64 share connectivity problems
Fix ID: 1442447
Symptom: After a period of time (hours to a day or so) file shares become unresponsive on Windows 2008 x64.
Solution: Auto-Protect update.
TempProfile_Nlnhook is created for each user that logs into a multi-user Lotus Notes installation
Fix ID: 1519913
Symptom: A directory named "TempProfile_Nlnhook" is created in customer's Citrix Presentation Server environment under the user profile folder (%USERPROFILE%).
Solution: Changed to use the CAccessToken class to get the currently logged-in user name from the access token, and to pass it to LoadUserProfile() instead of the temporary directory name.
CleanWipe fails to properly remove Symantec AntiVirus 10.2 from a 64-bit operating system
Fix ID: 1532299
Symptom: Symantec AntiVirus still appears in Add/Remove Programs, the CleanWipe log will show various deletion errors, and key folders and files are left behind after using CleanWipe to remove Symantec AntiVirus 10.2.
Solution: A different API is used to detect that Symantec AntiVirus 10.2 is installed on a 64-bit operating system.
Proactive Threat Protection displays the status "Waiting for Update" after a client migration
Fix ID: 1456698
Symptom: Proactive Threat Protection displays the status "Waiting for Update" after a client migration.
Solution: After migration, Proactive Threat Protection should be "on" and should display the latest version.
Antivirus performance is slow when scanning the procmail.log
Fix ID: 1415668
Symptom: It may take a few minutes to scan the procmail.log file. Rtvscan.exe CPU usage increases up to 99%.
Solution: Decomposer engine update.
The Symantec Endpoint Protection installation fails with a "Return value 2" when CP_USASCII is disabled
Fix ID: 1499625
Symptom: The Symantec Endpoint Protection installation fails.
Solution: Symantec Endpoint Protection now uses CP_ACP instead of CP_USASCII when the installation path is validated during installation.
CLT_INST temp folder is left behind whenever a remote install is done (through wizard or Find Unmanaged)
Fix ID: 1527791
Symptom: A CLT_INST folder is left behind after installation.
Solution: VPREMOTE now marks the CLT_INST folder for deletion upon next reboot.
During migration from Symantec AntiVirus 10 MR 7 to Symantec Endpoint Protection 11 MR4 the installation removes all log-files from C:\Temp\Logs
Fix ID: 1509069
Symptom: Upon completion of the installation, the log files are moved to %ALLUSERSPROFILE%\Symantec\Symantec Endpoint Protection\Logs.
Solution: Updated the installer to use a unique temporary folder to store the Symantec logs.
SMCGUI.exe causes users to lose window focus
Fix ID: 1460045
Symptom: SMCGUI.exe often stops and starts, causing a user to lose window focus.
Solution: When a profile is loaded, the return value of a specific function call is now checked for NULL.
High paged pool memory usage for Auto-Protect
Fix ID: 1511152
Symptom: Pool monitor shows high memory usage for SavE and SaEe pooltags.
Solution: AV engine update.
Stand-alone Quarantine Console installation cannot connect to any remote Quarantine Server
Fix ID: 1506385
Symptom: Trying to connect to the selected server fails with the following error message: Cannot connect to server <SERVER NAME>.
Solution: The installer was changed to make the installation directory available to post-install script functions.
A Defwatch scan does not run on Microsoft Windows Vista if no user is logged on to the computer
Fix ID: 1508276
Symptom: The Defwatch scan does not run on Microsoft Windows Vista unless a user is logged on.
Solution: If no user is logged on, an elevated access token is used to run the Defwatch scan.
Windows Security displays the warning "MALWARE PROTECTION out of date" after a user manually runs an Active Scan or a Complete Scan
Fix ID: 1486799
Symptom: Windows Security displays the warning "MALWARE PROTECTION out of date" after a user manually runs an Active Scan or a Complete Scan.
Solution: Symantec Endpoint Protection was modified to allow the product to query the Windows Security Center information correctly.
Users with local administrator privilege can bypass the Symantec Endpoint Protection uninstall password
Fix ID: 1515363
Symptom: A user is able to bypass the uninstall password by using an undisclosed procedure.
Solution: The MSI file was updated to prevent administrators from bypassing the uninstall password.
While running CleanWipe (RunCleanWipe.bat) with the -silent switch, a dialog box prevents uninstallation from completing
Fix ID: 1588132
Symptom: A modal dialog box appears indicating that Symantec AntiVirus has been uninstalled, and prevents the uninstallation from completing.
Solution: Modified the MSIUnst.bat file to change a command-line switch passed to MsiExec, which removes the modal dialog.
Auto-resume of content-package does not resume across reboots or restart of SMC.exe
Fix ID: 1557479
Symptom: Content package download does not resume after either the computer or SMC.exe is restarted.
Solution: The client now preserves the partially downloaded files and uses the HTTP Range header information to download the remaining bytes from Symantec Endpoint Protection Manager.
Clients cannot download content from Group Update Provider (GUP)
Fix ID: 1588869
Symptom: Clients attempt to connect to the GUP to download content, but the clients are rejected. The sylink.log shows "<GetLUFileRequest:>
