Steps in Knowledge Base (KB) article Configuring system lockdown have been followed and system lockdown is enabled. However, Symantec Endpoint Protection (SEP) client is unable to update definitions.
If lockdown is in test mode, definitions are updated but block messages are also logged in client control log.
Depending on the type of Operating System, types and versions of definitions being updated, block messages similar but not limiting to below can be found in SEP client control log.
This is an examples from a Windows 7 64-bit system, showing the important fields only.
And an example from a Windows XP 32-bit system
If system lockdown is fully enabled instead of in test mode, then SEP client system log may contain error stating "An update for Virus and Spyware Definitions Win32 failed to install. Error: 0xE0010001, DuResult: 60".
This is not a product issue. New definitions contain new executable binary files whose fingerprints are not in the approved files' fingerprint list, so system lockdown blocks these new binaries when they are being loaded. Take the block message from the Windows 7 x64 system above for example, ccSvcHst.exe process (which is the Symantec Endpoint Protection service process) was blocked from loading a dll file IPSFFPl.dll in the new IPS definitions.
Option 1 - Add the following 2 SEP file paths so that binaries under these paths are allowed even if they are not in the fingerprint list.
#HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\Common Client\PathExpansionMap\APPDATA#*\*
#HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\Common Client\PathExpansionMap\INSTALLDIR#*\*
Steps:
In Symantec Endpoint Protection Manager (SEPM) console
Please see screen shot below for reference.
Option 2 - If security policy demands a more strict control than option 1, fingerprint list can be updated to include new binaries in the new definitions.
Steps
For more detailed steps on how to generate fingerprint list file with checksum utility, how to import and merge fingerprint lists, please see Configuring system lockdown.
Further information:
SEP system lockdown feature, in whitelist mode (which is the default mode of system lockdown), puts the most strict control on what applications can run on a computer. So usually it is expected that the executable binary files do NOT change much on the computer. These changes include software upgrade, Windows update and SEP definitions update. Due to the strict control, frequent Windows update or SEP definitions update becomes unnecessary. If it does become necessary, then careful planning and administrative overhead is usually unavoidable. Please consider carefully on which computers should have system lockdown enabled.
For a KB article describing the same issue in SEP 11.x, please see related article below.
Applies To
SEP 12.1