This document lists the new fixes and component versions in Symantec Endpoint Protection (SEP) 12.1 Release Update 6 Maintenance Pack 4 (12.1.6 MP4). This information supplements the information found in the Release Notes.
In addition to the following fixes, this release addresses Symantec Endpoint Protection Multiple Security Issues (SYM16-003).
SEP client does not install after applying Microsoft patch KB3140743
FIX ID: 3919824
Symptom: After applying the Microsoft patch Cumulative Update for Windows 10 Version 1511 (KB3140743), released March 1st, 2016, the Symantec Endpoint Protection client does not install, and then rolls back.
Solution: Fixed the interaction with Windows Defender to ensure that the installer succeeds.
SEPM service account fails to log on multiple times
FIX ID: 3711575
Symptom: The computer that runs Symantec Endpoint Protection Manager repeatedly gets Audit Failures events in the Windows Event Viewer Security log. These audit failures have event ID 4776 with error code 0xc0000064.
Solution: The proper domain name now passes to SemLaunchsvc.exe, along with the username in User Principal Name (UPN) format, to prevent these events.
When multiple network adapters are present, changing a firewall rule’s adapter type does not work as expected
FIX ID: 3799146
Symptom: On a computer with multiple network adapters, firewall rules that specify adapter type or name do not apply correctly to traffic that does not include the local computer’s MAC address or IP address. The affected traffic includes incoming multicast traffic and incoming broadcast traffic. All other rule conditions still apply correctly.
Solution: Adjusted the firewall to properly identify the interface receiving incoming traffic if it has no local identifying interface information.
ccSvcHst crashes and the SEP client shows offline in SEPM
FIX ID: 3856925
Symptom: ccSvcHst crashes randomly while downloading content from a Group Update Provider (GUP). This crash happens because asynchronous reads time out while there is pending I/O.
Solution: Fixed a coding error related to asynchronous reads.
SAV for Linux clients unexpectedly download the full definition set
FIX ID: 3866080
Symptom: Symantec AntiVirus for Linux MR14 clients download the wrong delta definition set, which results in an unexpected full definition download the next day.
Solution: Updated Java LiveUpdate (JLU) to fix a logic error.
SEPM does not update profile.xml and other policy files as expected
FIX ID: 3869825
Symptom: Symantec Endpoint Protection Manager does not publish policy files, such as profile.xml, which therefore do not update on the client. The management server file profile_cache.dat has only one entry under the ID section.
Solution: Corrected the logic so that the profile cache is never stale.
SEP client for Linux Auto-Protect is not supported on Ubuntu 12.04
FIX ID: 3873969
Symptom: The Symap and SymEV kernel modules do not load on Ubuntu 12.04, kernel 3.2.0-55-generic-pae, which results in no Auto-Protect functionality.
Solution: Added support for various versions of Ubuntu.
After an upgrade to 12.1 RU5, GUPs no longer update their own definitions
FIX ID: 3705070
Symptom: The Group Update Provider fails to allocate memory to cache the file for download, which prevents it from updating its own definitions.
Solution: You can now set the maximum total amount of memory used by all GUP threads. The maximum memory splits evenly between all threads (download and server). The memory usage must be between 10 and 100 MB per thread.
Large numbers of files in SymDelta folders result in out of disk space issues
FIX ID: 3872101
Symptom: A large number of files accumulates in SymDelta folders when the definition delta merge continuously fails. Specifically, these temp folders are involved: C:\Documents and Settings\NetworkService\Local Settings\Temp or C:\Users\semsrv\AppData\Local\Temp
Solution: Delta merge files are now deleted when delta merge failure occurs. You can now also configure the number of days to keep delta merge files in conf.properties, with the value scm.delta.merge.delete.after.days.
Endpoint Status does not show Out-of-Date clients to Limited Administrators
FIX ID: 3816777
Symptom: The Endpoint Status report does not display the appropriate data for out-of-date clients to Limited Administrators. This report is available on the Symantec Endpoint Protection Manager Home tab by clicking View Details next to Endpoint Status.
Solution: Now applies the correct restrictions on reporting pages.
LiveUpdate content delta merge seems to fail with 12.1 RU6
FIX ID: 3837462
Symptom: The LiveUpdate content delta merge seems to fail. The error gives only the brief message, "LiveUpdate content delta merge operation unsuccessful."
Solution: Updated the error message with more details: "LiveUpdate content delta merge was canceled. The requested delta is greater than or equal to full.zip content. No delta will be provided."
SEP for Linux: "Permission denied" in sepjlu-install.log
FIX ID: 3784604
Symptom: The Java LiveUpdate (JLU) installer for Symantec Endpoint Protection for Linux fails if /tmp is mounted with the noexec option. The error message "Permission denied" appears in sepjlu-install.log.
Solution: The new JLU component corrects this issue by allowing this mount option.
SEP self-managed firewall rule does not work as expected after restart
FIX ID: 3817890
Symptom: When an unmanaged client uses the following firewall rules, system UDP packets are allowed by the first rule, but are then blocked after a computer restart:
- Allow UDP on remote port 1701
- Deny all for all protocols
Solution: Updated the client so that it correctly saves the appropriate firewall flags in the policy when they are set. However, you must take an additional step after you upgrade, which applies the fix. See the corresponding knowledge base article, Unmanaged SEP custom firewall rules not honored after reboot (TECH234232).
SEPM web console does not accept lower case IPv6 addresses in the firewall policy
FIX ID: 3818683
Symptom: When accessing Symantec Endpoint Protection Manager with the web console, it does not accept some lower case IPv6 addresses added to the firewall policy.
Solution: AjaxSwing can now convert user-entered values to upper case.
SEPM notifications show events happening in the future on certain time zones
FIX ID: 3827356
Symptom: You configure a Single Risk event notification in Symantec Endpoint Protection Manager installed in an OS with a Central American time zone. However, the event time in the emailed report after processing the notification is one hour later than it should be.
Solution: Now stores the correct time zone name in the database when creating the notification condition. However, you must take an additional step after you upgrade, which applies the fix. See the corresponding knowledge base article, Endpoint Protection Manager notifications show events happening in the future for certain time zones (TECH234239).
A disabled or withdrawn firewall policy does not display as "Disabled by policy"
FIX ID: 3851934
Symptom: After disabling or withdrawing a firewall policy, the Symantec Endpoint Protection Manager reports the firewall as "Disabled" when it should say "Disabled by Policy."
Solution: Changed the logic to handle the missing key case that resulted in the report of the wrong status.
Linux system unresponsive after installing the SEP client
FIX ID: 3855434
Symptom: After installing the Symantec Endpoint Protection client for Linux, the file system becomes completely unresponsive until you restart the computer.
Solution: Adjusted Auto-Protect to prevent deadlocks with GlusterFS when both the Gluster client and Gluster server are operating on the same computer.
Scheduled LiveUpdate for LUA fails with "Revocation check failed"
FIX ID: 3858357
Symptom: After a custom SSL certificate expires on a computer that runs LiveUpdate Administrator, LiveUpdate fails to run during the retry window as expected due to a certificate revocation error, A1000013.
Solution: LiveUpdate now occurs within the retry window in this scenario.
SEP client does not stop scanning as expected
FIX ID: 3865390
Symptom: If a scan is configured for Best Application Performance or Balanced Performance, the scan does not stop after the configured scan duration as expected.
Solution: Best Application Performance and Balanced Performance scans now correctly recognize the scan duration value.
LaunchSmcGui setting does not persist after client upgrade
FIX ID: 3873567
Symptom: After an upgrade to a later version of Symantec Endpoint Protection, the value for LaunchSmcGui is always set to 1.
Solution: Added properties so that during an upgrade, the value of LaunchSmcGui persists from the earlier version.
Localized 12.1.6 MP3 client installer incorrectly extracts files by default
FIX ID: 3886422
Symptom: The localized Japanese version of the Symantec Endpoint Protection 12.1.6 MP3 client installer incorrectly extracts files to the local folder instead of to a working folder, which affects the rights of other files and objects in that folder.
Solution: Self-extracting executable files (.exe) for localized client builds now extract by default to a working folder of the same name, matching the behavior of the English version.
Event Viewer is flooded with Event ID 4673
FIX ID: 3836773
Symptom: The Windows Event Viewer displays thousands of Security/Audit Failure entries with the Event ID of 4673.
Solution: Corrected the function call to prevent this event from triggering.
SEPM log places the application name in front of the host name
FIX ID: 3878721
Symptom: The Symantec Endpoint Protection Manager log displays the application name before the host name. This order of information does not follow a standard logging format, so Syslog and other applications export these logs incorrectly.
Solution: To follow this standard logging format, and to prevent confusion, the application name now follows the host name.
SEPM does not display SHA1 and MD5 values for Risk and Event log items
FIX ID: 3910824
Symptom: When viewing log details for Risk and Event items, Symantec Endpoint Protection Manager does not display SHA1 and MD5 values.
Solution: These values now appear in the Risk and Event pages so that administrators can track and identify files by file name and file hash.
Auto-Protect exclusions on one file causes other files to be excluded
FIX ID: 3853855
Symptom: When excluding the root of one mapped drive (for example, Z:\) for a remote share, threats are not detected on other mapped drives that have not been excluded (for example, Y:\) for the same remote share.
Solution: Auto-Protect now excludes only the particular mapped drive directories if there is an exclusion set for the root of the mapped drive.
Intermittent crash in IRON with asynchronous HTTP
FIX ID: 3811906
Symptom: IRON 184.108.40.206 intermittently crashes when using asynchronous HTTP
Solution: IRON now handles HTTP differently due to a redesign.
Citrix server hangs on login
FIX ID: 3693487
Symptom: With Symantec Endpoint Protection installed, the Citrix provisioning server hangs during login, particularly with Auto-Protect enabled.
Solution: Auto-Protect now ensures that there are no hanging threads during login.
Component versions in Symantec Endpoint Protection 12.1.6867.6400
(Symantec Endpoint Protection Manager)