Target: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.2100.2093.105\Data\Definitions\VirusDefs\tmp4c57.tmp\ECMSVR32.DLL
If system lockdown is fully enabled instead of in test mode, the SEP client system log may contain an error stating "An update for Virus and Spyware Definitions Win32 failed to install. Error: 0xE0010001, DuResult: 60".
This is not a product issue. New definitions contain new executable binary files whose fingerprints are not in the approved file fingerprint list, so system lockdown blocks these new binaries when they are loaded. Taking the block message from the Windows 7 x64 system above as an example, the ccSvcHst.exe process (which is the Symantec Endpoint Protection service process) was blocked from loading the DLL file IPSFFPl.dll in the new IPS definitions.
Option 1 - Add the following 2 SEP file paths so that binaries under these paths are allowed even if they are not in the fingerprint list.
In the Symantec Endpoint Protection Manager (SEPM) console:
1. On the Clients page, select the group(s) and click the Policies tab in the right pane.
2. Click the System Lockdown link under "Location-independent Policies and Settings".
3. Click the Add button under "The following files are approved:"
4. Enter the above 2 paths and make sure "Use wildcard matching" is selected.
5. Click OK and OK again to close all dialogue windows.
Please see screen shot below for reference.
Option 2 - If security policy demands stricter control than Option 1, the fingerprint list can be updated to include the new binaries in the new definitions.
1. Prepare test computers using the baseline images with which the existing file fingerprint list was generated. The test computers should cover both 32-bit and 64-bit operating systems.
2. Place the test computers into a test client group where system lockdown is not enabled.
3. Update the definitions on the test computers to the versions required.
4. Run the Checksum utility to generate a fingerprint list file that includes fingerprints for all new binaries in the updated definitions.
5. Import the fingerprint list files from step 4 into SEPM.
6. Merge the new fingerprint lists with the existing fingerprint list. The existing fingerprint list now contains fingerprints for all new binaries in the updated definitions.
7. Update the production computers with the same version of definitions as in step 3.
For more detailed steps on how to generate a fingerprint list file with the Checksum utility and how to import and merge fingerprint lists, please see Configuring system lockdown.
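As a check before the merge in Option 2, the following added example (not part of the original article or of Symantec's tooling) compares a newly generated fingerprint list with the existing one and separates new fingerprints located under the definitions directory from any found elsewhere. It assumes each line of a list is a 32-hex-digit fingerprint followed by the full file path; the function names and sample lists are constructed for illustration.

```python
import re

# Assumed list format, one entry per line: "<32 hex digits> <full path>".
LINE_RE = re.compile(r"^([0-9a-fA-F]{32})\s+(.+)$")

# Definitions directory, taken from the blocked-file path quoted in this article.
DEFS_ROOT = (r"C:\Documents and Settings\All Users\Application Data\Symantec"
             r"\Symantec Endpoint Protection\12.1.2100.2093.105\Data\Definitions")

def parse_fingerprints(text):
    """Return {fingerprint: path}; blank and malformed lines are skipped."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # paths may contain spaces, so only the first gap is a separator
            entries[m.group(1).lower()] = m.group(2).strip()
    return entries

def review_new_fingerprints(baseline_text, updated_text, root=DEFS_ROOT):
    """Split fingerprints absent from the baseline into (under root, elsewhere)."""
    baseline = parse_fingerprints(baseline_text)
    updated = parse_fingerprints(updated_text)
    prefix = root.lower().rstrip("\\") + "\\"  # Windows paths: compare case-insensitively
    expected, unexpected = [], []
    for fp, path in sorted(updated.items(), key=lambda kv: kv[1].lower()):
        if fp in baseline:
            continue  # already approved, nothing to review
        bucket = expected if path.lower().startswith(prefix) else unexpected
        bucket.append((fp, path))
    return expected, unexpected

# Constructed sample lists (hashes and sub-paths are placeholders, not real values).
BASELINE = "\n".join([
    "a" * 32 + r" C:\WINDOWS\system32\notepad.exe",
    "b" * 32 + " " + DEFS_ROOT + r"\VirusDefs\old\ECMSVR32.DLL",
])
UPDATED = "\n".join([
    "a" * 32 + r" C:\WINDOWS\system32\notepad.exe",
    "b" * 32 + " " + DEFS_ROOT + r"\VirusDefs\old\ECMSVR32.DLL",
    "c" * 32 + " " + DEFS_ROOT + r"\VirusDefs\new\ECMSVR32.DLL",
    "d" * 32 + r" C:\Temp\tool.exe",
    "this line is not a fingerprint entry",
])

if __name__ == "__main__":
    new_defs, elsewhere = review_new_fingerprints(BASELINE, UPDATED)
    print("New under definitions directory:", new_defs)
    print("New outside definitions directory (review before merging):", elsewhere)
```

Any entry in the second group is a binary that changed on the test computer outside the definitions update and would also become approved by the merge.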
The SEP system lockdown feature, in whitelist mode (which is the default mode of system lockdown), puts the strictest control on what applications can run on a computer. It is therefore usually expected that the executable binary files on the computer do NOT change much. Such changes include software upgrades, Windows updates and SEP definitions updates. Due to the strict control, frequent Windows updates or SEP definitions updates become unnecessary. If they do become necessary, then careful planning and administrative overhead are usually unavoidable. Please consider carefully which computers should have system lockdown enabled.
For a KB article describing the same issue in SEP 11.x, please see related article below.
Imported Document ID: TECH207935