Release notes for Symantec Client Security 3.1.x and Symantec AntiVirus 10.1.x

Article:TECH101820  |  Created: 2006-01-03  |  Updated: 2011-01-25  |  Article URL http://www.symantec.com/docs/TECH101820
Article Type
Technical Solution


Environment

Issue



This article documents the changes and fixes in each update to Symantec AntiVirus Corporate Edition 10.1.x and Symantec Client Security 3.1.x. Symantec Client Security 3.1.x includes Symantec AntiVirus 10.1.x and Symantec Client Firewall 8.7.x.


Solution



As updates to Symantec Client Security are released, they are added as sections in this document. The sections are added in chronological order, with the most recent additions at the top. For information about how to obtain the latest build of Symantec AntiVirus or Symantec Client Security, read the following document: Obtaining an upgrade or update for Symantec AntiVirus Corporate Edition or Symantec Client Security.

Maintenance Release 10 (MR10)
This section describes the fixes in Maintenance Release 10 of Symantec AntiVirus 10.1 and Symantec Client Security 3.1.
 
Components
 
Component Version
Symantec AntiVirus 10.1.9.9100-20
Symantec Client Firewall 8.7.4.224
QServer 3.5.116
Symantec AntiVirus Reporting 1.0.263
AMS 6.12.0.156
AntiSpam 2005.3.0.115
Auto-Protect 9.7.8.1
Behavior Blocking 2.4.1.1
Common Client 104.0.20.4
Decomposer (Windows) 3.16.5.5
Decomposer (NetWare) 3.2.14.33
DefUtils 3.1.13.0
ECOM 51.3.0.11
IPS 6.2.2.2
LiveUpdate 3.3.0.96
NAVAPI 4.2.3
NIS Shared Components 2005.3.0.90
SymEvent 12.5.4.2
SymNetDrv 6.0.11.3
SymSentry 2.1.0.101
 
 
Symantec AntiVirus fixes
 
Unable to trace infections to the source IP address
Fix ID: 1304157
Symptom: When enabling the THREATTRACER registry value, the source computer field shows the local host instead of the correct computer.
Solution: ThreatTracer computer name and IP address were not being passed through the anomaly processor, so they were not ending up in the alerts and logs.
 
Symantec AntiVirus Full Scan does not scan network drives, even if mapped as a drive letter
Fix ID: 1425324
Symptom: Symantec AntiVirus full scan scans only the physical disks connected to the computer.
Solution: The behavior is as designed. Updated to remove references to Network Drive in the description of Full Scan.
 
Default profile is displayed instead of expected user profile
Fix ID: 1677569
Symptom: The default profile is displayed instead of the expected user profile.
Solution: Added a delay in starting user scheduled scans at service startup to prevent this problem.
 
When manually adding file to quarantine the original file remains
Fix ID: 1708444
Symptom: When a file is manually added to the quarantine, the original file remains on the disk.
Solution: Files manually added to the quarantine are now deleted.
 
Symantec Client Security uninstall removes a registry key that has the license keys for Microsoft's Visual Studio
Fix ID: 1744193
Symptom: During Symantec Client Security uninstall, the following reg keys that has the license keys for Microsoft's Visual Studio are removed HKEY_CLASSES_ROOT\Licenses\57CBF9E0-6AA7-11cf-8ADB-00AA00C00905
HKEY_CLASSES_ROOT\Licenses\ED4B87C4-9F76-11d1-8BF7-0000F8754DA1
Solution: The keys are marked permanent so that they are not removed during Symantec Client Security uninstall.
 
USB external floppy drive does not give warning that there is a floppy still in the drive
Fix ID: 1824874
Symptom: When a floppy disk is inserted into a USB Floppy Disk Drive and the drive is a boot drive, then at shutdown the floppy is not detected and no pop-up is shown.
Solution: Symantec AntiVirus was modified to check for more types of floppy drives and provide the correct prompt.
 
Excessive disk space being used by .vdb files on the SYS directory
Fix ID: 1837187
Symptom: When the registry value PatternsToKeep is created and set to 1, then no directories are deleted from the I2_LDVP.VDB directory. Also, Symantec AntiVirus leaves PatternsToKeep + 1 vdb files in the Symantec AntiVirus Home\Login directory.
Solution: Correct functionality that scans a directory for pattern files.
 
Multiple AMS alerts generated for a single event
Fix ID: 1846210
Symptom: Multiple AMS alerts are generated for a single event.
Solution: Updates to the AMS component to correct the issue.
 
Symantec AntiVirus 10.1.4 Upgrade to 10.1.9 results in corrupted run key for vptray
Fix ID: 1869718
Symptom: When Short File Name creation is disabled though the registry, \Run\Vptray contains a Long File Name without quotes.
Solution: Updated the Symantec AntiVirus installer to always generate Long File Name with quotes for the \Run\Vptray value.
 
BugCheck 50, {fffff80001610060, 0, fffffadcb87273b3, 0} possibly caused by Savrt64x86
Fix ID: 1871159
Symptom: 64-bit computer crashes (blue screen) with bug check 50 (PAGE_FAULT_IN_NONPAGED_AREA).
Solution: The Real-time Protection (File System AutoProtect) driver was modified to prevent an occurrence where it could read invalid memory.
 
RTVSCAN uses 100% of CPU for 5-60 minutes
Fix ID: 1879071
Symptom: Rtvscan.exe may consume 100% of available CPU for a period of 5-60 minutes. The issue is intermittent.
Solution: Rtvscan.exe was modified to prevent a case where the IDB processing logic could get into a loop, consuming all CPU.
 
Blue screen: PAGE_FAULT_IN_NONPAGED_AREA (50) referencing Savrt
Fix ID: 1898155
Symptom: Computer crashes (blue screen) with bug check 50 (PAGE_FAULT_IN_NONPAGED_AREA) when the File System AutoProtect "SmartScan" feature is enabled.
Solution: The Real-time Protection (File System AutoProtect) driver was modified to properly clean up an internal cache when an application terminates, leaving handles open.
 
Rtvscan.exe crashes trying to access a NULL pointer
Fix ID: 2015959
Symptom: Rtvscan.exe crashes.
Solution: Corrected the function which was causing the crash.
 
 
Reports using set specific dates for time range will not allow DD/MM/YYYY DMY format
Fix ID: 2067388
Symptom: Reports using set specific dates for time range will not allow DD/MM/YYYY DMY format.
Solution: Updated code to evaluate the days in month after evaluating the month and year.
 
AMS Configuration window is blank after installing Symantec AntiVirus and Symantec System Center from MR9
Fix ID: 2084700
Symptom: Sometimes when opening the AMS Configuration window it is populated with the Alert actions, but generally the window is blank.
Solution: The Alert Management System 2 component was modified to properly display the alert actions in the configuration window.
 
Error "Unable to Launch the Symantec Client Firewall Administrator" When attempting to launch from Symantec Security Center
Fix ID: 1715386
Symptom: The user is unable to launch Symantec Client Firewall Administrator.
Solution: The Java JRE path was updated to allow Symantec Client Firewall Administrator to run.
 

 


Maintenance Release 9 (MR9)
This section describes the fixes in Maintenance Release 9 of Symantec AntiVirus 10.1 and Symantec Client Security 3.1.

Components

    Component Version
    Symantec AntiVirus 10.1.9.9000-71
    Symantec Client Firewall 8.7.4.205
    QServer 3.5.4.101
    Symantec AntiVirus Reporting 1.0.258
    AMS 6.12.0.152
    AntiSpam 2005.3.0.115
    Auto-Protect 9.7.7
    Behavior Blocking 2.4.1
    Common Client 104.0.19.5
    Decomposer (Windows) 3.16.5.5
    Decomposer (NetWare) 3.2.14.33
    DefUtils 3.1.13.0
    ECOM 51.3.0.11
    IPS 6.2.2.2
    LiveUpdate 3.3.0.85
    NAVAPI 4.2.0.8
    NIS Shared Components 2005.3.0.90
    SymEvent 12.5.4.2
    SymNetDrv 6.0.11.3
    SymSentry 2.1.0.101



Symantec AntiVirus Fixes

    IAO.exe terminates unexpectedly
    Fix ID: 1433485
    Symptom: IAO crashes unexpectedly.
    Solution: Updated AMS.

    A primary server stops distributing virus definitions to secondary servers.
    Fix ID: 1518955
    Symptom: Virus definitions are not distributed to secondary servers.
    Solution: Resolved a deadlock issue in VDTM (Virus Definition Transport Method).

    Network scanning option "Trust" does not reduce file transfer times
    Fix ID: 1409059
    Symptom: When files are copied to a Symantec AntiVirus computer from a trusted computer, transfer times are not reduced compared to copying data from a non-trusted computer.
    Solution: Auto-Protect update.

    Symantec Antivirus service cannot be stopped and generates an application error
    Fix ID: 1416075
    Symptom: Unable to stop the Symantec Antivirus service.
    Solution: Rtvscan.exe is now properly notified when SCScomms.dll is unloaded, thereby preventing it from calling an unloaded DLL upon service shutdown.

    Computer stops responding during migration from MR5 PP1 to MR5 MP1
    Fix ID: 1459124
    Symptom: During migration from MR5 PP1 to MR5 MP1, the system may hang.
    Solution: Rtvscan.exe no longer tries to access the scanner interface after it has already been shutdown.

    Symantec AntiVirus/Symantec Client Security logon script does not recognize an already up-to-date client installation
    Fix ID: 936979
    Symptom: Client installation files are not updated, causing clients to re-run the client upgrade during every startup.
    Solution: Rtvscan.exe was updated to stop updating the VP_LOGIN.INI file, which will prevent clients from re-running the client installation when no new update is available.

    Sorting Computer Status logs by "Status" does not sort in a logical or meaningful manner
    Fix ID: 1366952
    Symptom: When sorting computer status logs by "status," the logs are not properly sorted.
    Solution: The status option was removed from the user interface for Computer status logs, since the inventory status is never displayed.

    Scheduled scan fails because the wrong user account is used for the scan
    Fix ID: 1508155
    Symptom: After initiating a scan, the following error can be found in the logs: "Could not start scan, scan engine returned error 0X20000058".
    Solution: A startup scan is skipped for interactive users that do not have a user registry. The startup scan will initiate when an actual user logs into the computer.

    Computer stops responding when a process is terminated
    Fix ID: 1278390
    Symptom: Symantec AntiVirus crashes the computer in some cases when a process is terminated. A memory dump references SAVRT.SYS, stop-code 7F or 8E.
    Solution: Auto-Protect update.

    Symantec Antivirus service crashes when moving server from group to group using the Symantec System Center console
    Fix ID: 1517743
    Symptom: The Symantec Antivirus service crashes upon moving it from group to group using the Symantec System Center console.
    Solution: Rtvscan.exe was updated to prevent it from accessing invalid memory.

    Scheduled scans occur at unscheduled times
    Fix ID: 1586711
    Symptom: Scheduled scan changes do not propagate appropriately to computers that are off-line.
    Solution: When a scan is updated, the LastStart value is set to the next immediate run time after the Created time. This will ensure that the scan will not run on the unintended schedule and that missed events are caught from the next scheduled cycle onwards.

    Unexpected crash in Rtvscan.exe
    Fix ID: 1368594
    Symptom: RTVSCAN.exe halts suddenly referencing a c0000005 error.
    Solution: Decomposer update.

    LiveUpdate cannot update virus definitions from current/monthly delta
    Fix ID: 1459345
    Symptom: Symantec AntiVirus client is unable to update to the latest virus definitions correctly which leads to full content updates.
    Solution: Rtvscan.exe update to avoid installing files in the BinHub folder.

    Process termination crash in SAVRT.SYS
    Fix ID: 1545197
    Symptom: A blue screen error occurs referencing a process termination crash, stop-code 50.
    Solution: Auto-Protect update.

    Group roaming settings do not move during the promotion of a new primary server
    Fix ID: 1411550
    Symptom: After moving the primary server role from server to server, "Client Roaming Options" are disabled.
    Solution: Changes were made to the registry so that changes are propagated correctly and group roaming settings are retained after moving the primary server role.

    Setting change propagates to clients even though Auto-Protect is not "locked" in the Symantec System Center settings
    Fix ID: 1385205
    Symptom: Setting changes to "Client Auto-Protect Options" are propagated even though these settings are not locked down which may lead to custom user "Exclude selected files and folders" settings to be overwritten.
    Solution: "Auto-Protect Options" will only be propagated when these are locked in the settings, thereby restoring the intended design of locking these options.

    Server crash with stop-code 7F referencing SAVRT.SYS
    Fix ID: 1511249
    Symptom: A blue screen error occurs with stop-code 7F on Windows 2000.
    Solution: Auto-Protect update.

    High CPU usage of Rtvscan.exe on Citrix Presentation Server
    Fix ID: 1523553
    Symptom: Rtvscan.exe CPU usage fluctuates between 0 and 40%, and possibly high memory usage.
    Solution: Rtvscan.exe update which corrects sudden spikes in CPU usage when there was no Rtvscan.exe activity.

    Netware Server abends due to RTVSCAN.NLM
    Fix ID: 1532338
    Symptom: Netware Server abends when RTVSCAN.NLM processes GRC.DAT.
    Solution: RTVSCAN.NLM was updated to restore stability while processing "Extension Exclusions" in a GRC.DAT.

    Conflict between SymTDI and network management software causes blue screen error
    Fix ID: 1669963
    Symptom: Upon installing Symantec AntiVirus and custom network management software, the computer stops responding with a blue screen.
    Solution: Auto-Protect update.

    Symantec AntiVirus Server generates excessive connections to Symantec AntiVirus client during client installation
    Fix ID: 1669780
    Symptom: Symantec AntiVirus server may attempt to reach a client on a port that is no longer in use.
    Solution: Increase of the default MaxFileMemoryFootPrint to accommodate increase of the size of virus definitions over time.

    "Quarantine" is triggered when "Cleaned" action is selected if threat is detected on a Windows File Share
    Fix ID: 1556883
    Symptom: Virus log shows that a threat was quarantined rather than cleaned by deletion.
    Solution: Auto-Protect update.

    Quarantine scan causes Auto-Protect detections in %temp% folder
    Fix ID: 1525749
    Symptom: DWHWizard.exe starts the quarantine scan and moves quarantined files in to the %temp% folder for scanning. Auto Protect will occasionally detect these infected files.
    Solution: After extracting and re-scanning each quarantine item, the TMP file is deleted unless the state is now Repairable. Repairable files are used later, either to restore to the original location or to save back to Quarantine (REPAIR_ONLY mode). These files should be clean, so Auto-Protect should not detect anything in them.



Symantec Client Firewall fixes

    Computer crashes when Symantec Protection Agent and Symantec Client Security are installed on the same computer
    Fix ID: 1445417
    Symptom: When Symantec Protection Agent is installed on a computer with Symantec Client Security installed, the computer crashes with stop-code 7F.
    Solution: SND update.

    After uninstalling/upgrading Symantec Client Security, port 80 is blocked until the computer restarts
    Fix ID: 1476693
    Symptom: Traffic to port 80 is blocked on Symantec Client Security until a restart after uninstalling or upgrading the product.
    Solution: Change in uninstaller so that the firewall is disabled during uninstallation. Future migrations from MR9 will benefit from this change as well.



Symantec AntiVirus Reporting

    Virus Outbreak email alert contains non-functional report link
    Fix ID: 1318048
    Symptom: After clicking on the link in the email alert, a Reporting server login screen appears.
    Solution: Reporting server update.

    10 minute CGI timeout on Reporting server Home page
    Fix ID: 1401005
    Symptom: When logging into the Reporting server homepage, the request times out after 10 minutes with the error "CGI Error - The specified CGI application misbehaved by not returning a complete set of HTTP headers."
    Solution: Virus queries on the Reporting Server Dashboard were changed to reduce the likelihood that the issue occurs.

    "Risk Reports > Auto-Protect not running" fails to apply filters over a specific time period
    Fix ID: 1544755
    Symptom: "Risk Reports > Auto-Protect not running" events are displayed even though they fall outside of the specified time range.
    Solution: Reporting queries were updated to select the correct records.

    The "Computers Not Scanned" report for the past 24 hours lists computers that were scanned in the last 24 hours
    Fix ID: 1526615
    Symptom: The "Computers Not Scanned" report for the past 24 hours lists computers that were scanned in the last 24 hours.
    Solution: Reporting server update to address this problem, along with improvements to report computers that have not scanned at all.

    Virus definition out-of-date email alert link does not link to expected clients list
    Fix ID: 1373213
    Symptom: Upon clicking the link, Reporting server will display the Computer Status logs for all computers instead of those that are out of date.
    Solution: Reporting server email alert was updated to include the correct query.

    Question mark cannot be used as wildcard in Reporting Server's Advanced options
    Fix ID: 1474412
    Symptom: When using "?" as a wildcard, reports return unexpected data.
    Solution: Reporting server was updated to return correct data when using "?" as a wildcard.

    The "Computers Not Scanned" report displays the wrong date when the Last Scan Time in the database is NULL
    Fix ID: 1317985
    Symptom: The "Computers Not Scanned" report returns data for all computers and not those computers that were not scanned during the specified period.
    Solution: The "Last Scan Time" now displays "N/A" when a computer has not been scanned.

    The "Auto-Protect not running" report does not display all computers where Auto-Protect is not running
    Fix ID: 1319587
    Symptom: The "Auto-Protect not running" report does not display all computers where Auto-Protect is not running.
    Solution: The report name was changed to "No Auto-Protect due to errors," since its true purpose is to single out problematic clients rather than all clients that have Auto-Protect disabled.

    Reporter displays incomplete information in risk and status reports
    Fix ID: 1235081
    Symptom: When the date format is configured to use anything other than the default MM/DD/YYYY, information is missing from risk and status reports.
    Solution: Reporting server update to correct date formatting issue.



README Items

    Running LiveUpdate after installation requires additional space
    Fix ID: 1234789
    Symptom: After running LiveUpdate, additional free space is required to accommodate virus definitions.
    Solution: For full details, see the readme.txt section entitled "Running LiveUpdate after installation requires additional space."



Maintenance Release 8 (MR8)
This section describes the fixes in Maintenance Release 8 of Symantec AntiVirus 10.1 and Symantec Client Security 3.1.

Components

    Component Version
    Symantec AntiVirus 10.1.8.8000
    Symantec Client Firewall 8.7.4.152
    QServer 3.5.4.79
    Symantec AntiVirus Reporting 1.0.248.0
    AMS 6.12.0.150
    AntiSpam 2005.3.0.115
    Auto-Protect 9.7.5.2
    Behavior Blocking 2.4.1
    Common Client 104.0.18.2
    Decomposer (Windows) 3.15.3.0
    Decomposer (NetWare) 3.2.14.28
    DefUtils 3.1.13.0
    ECOM 51.3.0.11
    IPS 6.2.2.2
    LiveUpdate 3.2.0.68
    NAVAPI 4.2.0.8
    NIS Shared Components 2005.3.0.90
    SymEvent 12.5.4.2
    SymNetDrv 6.0.10.2
    SymSentry 2.1.0.101


Symantec AntiVirus Fixes

    Cannot use AV Client Rollout to 64-bit systems with 32-bit operating systems
    Fix ID: 833154
    Symptom: When attempting to perform a client remote install to 64-bit systems running a 32-bit operating system, the following error message appears: "The server <server name> is not hosting any compatible Symantec Antivirus (SAV) 64 bit installers for the 64 bit client."
    Solution: Changed detection of 32-bit operating system on 64-bit systems.

    Symantec System Center displays AutoProtect tabs incorrectly
    Fix ID: 860948
    Symptom: After uninstalling an email plug-in from a client, the email plug-in tab will still exist when viewing the client's AutoProtect options from Symantec System Center.
    Solution: At startup, the client's email plug-in list is reset in the registry.

    Dell Optiplex 745 computers fail to start after installing Symantec AntiVirus
    Fix ID: 935817
    Symptom: After installing Symantec AntiVirus, the Dell computer may fail to start. Upon restart, the computer may load correctly.
    Solution: Changed volume mount tracking capabilities to overcome a conflict when monitoring write-protected volumes.

    Rtvscan.exe high CPU usage on 64-bit Citrix Servers
    Fix ID: 996183
    Symptom: Rtvscan.exe exhibits high CPU usage when installed on 64-bit Citrix servers, caused by a missing Navlogon.dll path in the registry.
    Solution: Set the Navlogon.dll correctly in the registry during install.

    Rtvscan.exe left in a hung state with 1 thread
    Fix ID: 998993
    Symptom: Viewing Rtvscan.exe in Task Manager shows a thread count of 1.
    Solution: Updated Auto-Protect exclusion offset error in Rtvscan.exe.

    Symantec AntiVirus does not skip offline files as expected
    Fix ID: 1000124
    Symptom: With the advanced setting "Skip offline and sparse files" selected, Symantec AntiVirus incorrectly scans sparse files.
    Solution: Changed logic to identify sparse files correctly.

    The Symantec Event Manager Service registry key's permissions are reset each time the service is reloaded
    Fix ID: 1027172
    Symptom: After adding custom permissions to the service's registry key and reloading the service, the custom permissions will be deleted.
    Solution: The registry key is now only recreated when changes to the key are detected.

    Settings changes made to the server group are not set on secondary servers
    Fix ID: 1032593
    Symptom: When settings changes are made to the server group while secondary servers are offline, the settings changes are never updated on the secondary servers. As designed, a message box indicates that the "changes may not properly roll out."
    Solution: The verbiage for the message box has changed to indicate the settings "will not properly roll out". You must still update the secondary servers when they become available.

    AutoProtect Error: AutoProtect is unable to block security risks
    Fix ID: 1039115
    Symptom: When failing to load a corrupt Srtpv.dat file, the error "AutoProtect Error: AutoProtect is unable to block security risks" is generated with no remediation actions.
    Solution: Error message changed to provide a more clear error description and manual steps to remediate.

    Default LiveUpdate configuration settings are not applied to client group members
    Fix ID: 1068200
    Symptom: In Symantec System Center, a new client group with unaltered LiveUpdate configuration settings fail to apply settings to clients that are moved from a client group with altered LiveUpdate configuration settings.
    Solution: Triggered the LiveUpdate configuration settings to be written even if configuration settings are not changed when created.

    Verifying Security Risk exceptions from another Symantec System Center deletes existing exceptions
    Fix ID: 1069359
    Symptom: When viewing Security Risk exceptions through Symantec System Center installed on a managed client machine, locked exceptions are removed from the primary server.
    Solution: Removed the condition which caused locked exceptions not to be written on the primary server.

    Symantec System Center crashes when rolling out Symantec Client Firewall policy
    Fix ID: 1111628
    Symptom: In Symantec System Center, selecting the Groups node and attempting to roll out a Symantec Client Firewall policy causes Symantec System Center to crash.
    Solution: Logic changed not to process the Groups node when enumerating the server list during policy rollout.

    Auto-Protect actions and exclusions under All Risks allows locked categories to be edited
    Fix ID: 1121324
    Symptom: Viewing the File System Auto-Protect Exceptions under Actions, locked exceptions can be edited if Security Risks (all categories) is selected.
    Solution: The list of exceptions has been changed not to include locked exceptions during an add operation.

    Inconsistency in default values when creating scans in the Symantec System Center
    Fix ID: 1122355
    Symptom: When creating a scheduled scan for a client group, the "Advanced Settings" will not retain their initial default values if other settings (i.e. "Notifications") are changed.
    Solution: Update to use a client group's default settings and not server group's local scan settings.

    Rtvscan.exe crashes when performing a Master Boot Record scan
    Fix ID: 1134011
    Symptom: In rare cases, Rtvscan.exe can crash if a Master Boot Record scan and virus definitions update occurs simultaneously.
    Solution: Virus definitions are locked, preventing update, when a Master Boot Record scan is in progress.

    AV Server Rollout migrating Symantec AntiVirus server to Symantec Client Security server does not preserve custom install path
    Fix ID: 1144400
    Symptom: Using AV Server Rollout to migrate Symantec AntiVirus server installed in a custom path to Symantec Client Security Server causes the install path to revert to default location path.
    Solution: In AV Server rollout, added logic to handle this installation scenario.

    Roaming profiles revert to default profiles
    Fix ID: 1150915
    Symptom: After login, Windows 2000 users receive a default profile from their domain controller.
    Solution: Moved the close registry handle to earlier in the logoff processing.

    Computer stops responding about 30 seconds after the user logs on
    Fix ID: 1194558
    Symptom: About 30 seconds after a user logs on, the client computer becomes unresponsive. A hard reboot is required to resolve the issue.
    Solution: Module signature calculation is now only performed when Component Monitoring is enabled.

    Rtvscan.exe application error when shutting down
    Fix ID: 1196950
    Symptom: During shutdown, Rtvscan.exe gets an Application error. The instruction at "0x00419201" referenced memory at "0x00000000". The memory could not be "read".
    Solution: A check was added to verify that the memory being accessed is valid.

    "Nlnhook.exe - DLL initialization failed" message during Windows shutdown
    Fix ID: 1202621
    Symptom: With Symantec AntiVirus Notes plugin installed, during shutdown or logoff NLNhook.exe receives an error indicating a failed DLL initialization (The application failed to initialize because the windows station is shutting down).
    Solution: Suppressed benign Windows error message during shutdown.

    Rtvscan.exe does not release files after it finishes scanning
    Fix ID: 1203752
    Symptom: After scanning a file with an extremely long filename, the file is not released by Rtvscan.exe
    Solution: File handles for extremely long filenames are properly closed after being scanned.

    Restoring files from quarantine server causes a Runtime error
    Fix ID: 1215087
    Symptom: After restoring files from quarantine server, exiting the Symantec AntiVirus main user interface causes a Runtime error.
    Solution: Scan engines are unloaded properly before exiting.

    The IP address in the Symantec AntiVirus debug log (vpdebug.log) may be incorrect when running under heavy load
    Fix ID: 1233347
    Symptom: When Symantec AntiVirus server is running under heavy load with hundreds or thousands of clients, the IP addresses listed in the debug log (vpdebug.log) may be incorrect. A log message may incorrectly contain the IP address of a neighboring log message.
    Solution: The Symantec AntiVirus logging code was modified to prevent this issue.

    ESX Performance issues with Symantec AntiVirus during heavy I/O events
    Fix ID: 1238639
    Symptom: VMWare sessions running on an ESX Server with Symantec AntiVirus installed perform poorly due to heavy I/O events caused by virus definitions updates on multiple sessions.
    Solution: Virus definitions updates are staggered to prevent multiple simultaneously updates.

    Secondary servers do not respond to configuration changes made through the Symantec System Center
    Fix ID: 1238908
    Symptom: In Symantec System Center, editing a server's Definition Manager settings does not take effect on the secondary server.
    Solution: Check to see whether the settings have changed and trigger the secondary server to update.

    Registry entries from Enabling Multithreaded are removed during migration
    Fix ID: 1257386
    Symptom: Registry entries created for enabling multithreaded scans are removed during a migration.
    Solution: Registry entries for multithreaded scans are saved and restored during migration.

    Symantec AntiVirus logs do not display the correct IP address
    Fix ID: 1293172
    Symptom: When Symantec AntiVirus service is started with the computer offline, events are logged with the loopback IP address (127.0.0.1) even after the computer is back online.
    Solution: During event log creation when the loopback IP address is present, try to obtain the current IP address.


    Vpstart /uninstall removes user groups even though there are other servers in context
    Fix ID: 1120029
    Symptom: If the last Symantec AntiVirus Netware server installed into a Netware NDS (Netware Directory Service) or if any server has the /remove parameter performed, the NDS groups and rights become corrupted.
    Solution: Command line parameter /REDO_NDS was added to trigger the server to verify and recreate the Symantec AntiVirus groups and update the NDS login script to point to the server on which it is run.

    Netware Servers hang with Novell Audit 2.0.2 and Symantec AntiVirus server
    Fix ID: 1234673
    Symptom: A Netware server with both Novell Audit 2.0.2 and Symantec AntiVirus 10.1.6 installed may experience a hang.
    Solution: Added a thread switch after calling "Select" to avoid a possible spin lock.

    Netware server pushes full VDB to clients instead of IDB
    Fix ID: 1295768
    Symptom: Netware server pushes out full VDB to clients instead of the expected IDB.
    Solution: Netware now uses the full path instead of the relative path to IDB files.



Symantec Reporting Server Fixes

    "Computers Not Scanned" shows computers outside the selected client group
    Fix ID: 844328
    Symptom: Restricted reporting user receives incorrect data when running "Computers not Scanned" report.
    Solution: Corrected the SQL query to produce the correct data.

    Error when creating a Full Report for All Products with Past 24 hour time range
    Fix ID: 864459
    Symptom: When creating a Full Report for All Products using a time range of Past 24 hours generates the following error: "The start date must be before the end date."
    Solution: Corrected the date validation for Select Time Range.

    Only the first of multiple "Virus definitions out- of-date" Reporting alerts is triggered
    Fix ID: 1025078, 1149877
    Symptom: If an "out-of-date" alert is triggered, no more alerts are checked for this category. The alert will be generated again after 12 hours have elapsed or there has been a change in the status of the machine(s).
    Solution: Added logic to allow multiple alerts to be processed.

    Reports emailed by Reporting Server contain non-functional links
    Fix ID: 1034999, 1191927
    Symptom: Following a link from a daily report or virus incident received from Reporting Server does not show the proper data after a successful logon.
    Solution: Corrected the encoding of links after successful logon.

    Configured virus definition alert does not run
    Fix ID: 1150795
    Symptom: Virus definition alerts via email or written to the database are not run.
    Solution: Corrected when timestamp and time zone conversion is required.

    Agent Down email notifications being sent out in error
    Fix ID: 1164910, 1267759
    Symptom: Emails indicating that an agent is down or failing are being sent out even though the agent status in the Reporting console shows green (running).
    Solution: Corrected when timestamp and time zone conversion is required.

    "Risk Type" column in exported Reporting Risk logs does not contain meaningful data
    Fix ID: 1200953
    Symptom: When exporting reports to a CSV file, "Risk Type" display only -1 or 1.
    Solution: "Risk Type" now provides the risk's virus categories, i.e. viral, malicious, heuristic, etc.

    Servers that have been taken offline still show in Reporting
    Fix ID: 1205937
    Symptom: Removed Symantec AntiVirus servers are still shown and accessible in configuration settings in Reporting.
    Solution: Updated SQL query to filter out aged (older than 30 days by default) Symantec AntiVirus servers.

    Cannot report by specific virus type in Reporting Server
    Fix ID: 1215649
    Symptom: Reporting database cannot be queried by a particular virus category because the category is not defined correctly or missing.
    Solution: Updated database schema to correctly insert virus type into the virus category table.

    1970 records created in database incorrectly when user is logged out
    Fix ID: 1226250
    Symptom: When user is logged out, a 1970 entry is added in the parent inventory log: "Error 234 in getting username." As a side effect, clients with a 1970 entry are excluded from the Computer Status Logs report, preventing the user from reporting on these clients.
    Solution: Increased the buffer used to retrieve the username.

    Incomplete scan engine information causes Error 2 in parent inventory log
    Fix ID: 1244677
    Symptom: Incomplete or corrupt scan engine information in the registry causes Error 2 in the parent inventory log. This prevents new inventory data from being inserted into the database.
    Solution: Allowed clients to be included in inventory by not logging error. Also, replaced incomplete version with 0.0.0.0 to identify client for remediation.

    Reporting Risk Logs Advanced Settings are not retained
    Fix ID: 1248949
    Symptom: When viewing logs under "Advance Setting" with a specific "Scan Type" filter, the log does not display the logs according to the scan type selected, and does not retain the value selected from the "Scan Type" filter.
    Solution: Changed logic to retain the filter selection between log views.



Symantec Client Firewall fixes

    Script error when creating General Rules with Symantec Client Firewall Administrator
    Fix ID: 843483
    Symptom: When creating General Rules with multiple locations through Symantec Client Firewall Administrator, a script error causes the user interface to hang.
    Solution: Updated the global rules count to match the count for each location correctly.

    pRules based on Size Range are not created correctly
    Fix ID: 1058457
    Symptom: Symantec Client Firewall Administrator fails to create pRules when a match criteria for size range is used.
    Solution: The size range option for pRule match criteria was removed, only single file size now available.

    When viewing Symantec Firewall Client Network Connections, unknown IP addresses appear for UDP port 137 or 138
    Fix ID: 1080903
    Symptom: From the Symantec Client Firewall user interface, viewing Network Connections under Statistics shows unknown IP addresses for UDP port 136 and/or 137 when VMware is installed on the computer.
    Solution: Corrected a problem in IP address matching which corrupted the IP address.

    Cannot access Web page with Symantec Client Security enabled
    Fix ID: 1153519
    Symptom: Users cannot access Web pages with an HTTP body containing a HTTP header termination pattern.
    Solution: HTTP processing updated to identify the offending pattern in HTTP bodies.

    Parent Server Name is rewritten on Symantec Client Firewall events, thereby overwriting IPS signature
    Fix ID: 1265671
    Symptom: When Symantec Client Firewall events are forwarded to the primary server, Intrusion Signature is overwritten by the parent server name.

Solution: Added a check for the Event type to ensure that Symantec Client Firewall events do not overwrite the IPS signature.



Maintenance Release 7 (MR7)
This section describes the fixes in Maintenance Release 7 of Symantec AntiVirus 10.1 and Symantec Client Security 3.1.
Components

Component Version
Symantec AntiVirus 10.1.7.7000
Symantec Client Firewall 8.7.4.117
QServer 3.5.4.79
Symantec AntiVirus Reporting 1.0.234.0
AMS 6.12.0.148
AntiSpam 2005.3.0.31
Auto-Protect 9.7.2.3 (a)
Behavior Blocking 2.4.1.1
Common Client 104.0.15.2
Decomposer (Windows) 3.15.3.0
Decomposer (NetWare) 3.2.14.28
DefUtils 3.1.13.0
ECOM 51.3.0.11
IPS 6.2.2.2
LiveUpdate 3.2.0.67
NAVAPI 4.2.0.8
NIS Shared Components 2005.3.0.75
SymEvent 12.2.1.2
SymNetDrv 6.0.7.703
SymSentry 2.1.0.101



Symantec AntiVirus fixes

    Migration from 10.1.4010 to 10.1.5.5000 creates nested Symantec AntiVirus folders
    Fix ID: 808384
    Symptom: After migrating to Symantec AntiVirus 10.1 MR5, the installation path has changed to Symantec AntiVirus\Symantec AntiVirus.
    Solution: Removed extra "Symantec AntiVirus" from path in installation routine.

    Event ID 42 is not forwarded to the parent server
    Fix ID: 819124
    Symptom: Event ID 42, "Auto-Protect Error: Auto-Protect is unable to block security risks," appears in the local Windows Application log, but is not forwarded to the parent server event log.
    Solution: Event ID 42 is now forwarded and appears in Symantec Reporting Server. The report is "Risk Report/Comprehensive Reports/Auto-Protect not running".

    Symantec AntiVirus Server upgrade rollout changes original installation location
    Fix ID: 894292
    Symptom: Migrations do not maintain custom installation locations, but will install to the default \Program Files\Symantec AntiVirus installation folder.
    Solution: Corrected custom action during installation to use the correct installation path.

    DWHWizrd.exe application error
    Fix ID: 999142
    Symptom: Intermittently, when DWHWizrd.exe is called after a definition update, the user receives an application error popup indicating a "memory cannot be read" error.
    Solution: Resolved memory allocation conflict.

    Symantec AntiVirus MR5 scheduled scans are not honoring short (8.3) folder and file names in exclusions
    Fix ID: 1026031
    Symptom: When setting scan exclusions using short folder names, the exclusions are not honored when running a scheduled scan.
    Solution: Logic added to expand short path names into their long name equivalent before using them for comparison.

    Server hangs after event id 7031 is encountered
    Fix ID: 1055706
    Symptom: When certain files contain a "%20S" in the names, a scan can cause a server hang.
    Solution: Changed scan logic to handle those file types correctly.

    File restoration is slow with Veritas or ARCserve restore on NetWare
    Fix ID: 1058567
    Symptom: File restoration is very slow when doing an ARCserve restoration on NetWare 6.0 with Symantec AntiVirus 10 installed.
    Solution: Changed the way we determine if a "CLOSE FILE" notification matches the "OPEN FILE" notification.

    EMC/Legato Networker users experience full backups instead of incremental backups after Symantec AntiVirus scans run.
    Fix ID: 1059791
    Symptom: After running a virus scan, files are incorrectly marked as changed, causing files to be backed up unnecessarily.
    Solution: Ensure that the metaDataUpdateTime is not changed if the file is not changed.

    Symantec AntiVirus does not provide satisfactory error on why new definitions cannot be downloaded or processed
    Fix ID: 1066311
    Symptom: When a client is low on disk space and is unable to download the definitions, the client errors out with "definition update failed" but does not state that it is due to low disk space.
    Solution: Added check to see what the exact failure was after extraction and to log an entry stating that the failure was due to low disk space when appropriate.

    Symantec AntiVirus installs to the root of the Program Files folder after a migration
    Fix ID: 1069095
    Symptom: After migrating to Symantec AntiVirus server 10.1.6.6000 via Server Roll-out, the installed files will be in the root of the \Program Files\ folder instead of in a \Symantec AntiVirus\ installation folder.
    Solution: Changed the installation actions to verify that the INSTALLDIR property contains \Symantec AntiVirus\.

    "Unable to open system registry" error during ClientRemote Installation
    Fix ID: 901594
    Symptom: "Unable to open system registry on the remote server" error appears during ClientRemote Installation when deploying a Symantec AntiVirus/Symantec Client Security client from a NetWare parent server.
    Solution: Changed the remote registry call to allow functionality from a Netware server.

    "Minutes to delay the start of continuous LiveUpdate" does not set in Client Groups
    Fix ID: 994458
    Symptom: Changes made to the "Minutes to delay the start of continuous LiveUpdate" under the Continuous LiveUpdate settings at the Client Group's Virus Definition Manager does not write to the registry.
    Solution: The settings are now written to the registry for deployment.

    99 Character limit in the SAVRoam configuration textbox in the Symantec System Center
    Fix ID: 1003333
    Symptom: The SAVRoam parent server list is limited to 99 characters in the Symantec System Center, but the registry limit is 1024 for both fields.
    Solution: Each field has been increased to have a limit of 1024. However, if the total of both fields is over 1024 a warning appears in order to warn the user.

    Client event timestamp conversions can be incorrect when a client roams to parents in different time zones
    Fix ID: 1021364
    Symptom: Symantec AntiVirus servers convert the client's events to the local time zone. When a client does not have a correct parent field, the conversion can be incorrect.
    Solution: Corrected the conversion process to update client events.

    Manually removed ReportServerURL value in the registry is not recreated by the Symantec System Center
    Fix ID: 1059989
    Symptom: After deleting the ReportServerURL value from the registry, the Symantec System Center does not replace the value in the registry automatically.
    Solution: Updated Symantec System Center to replace the missing value.

    Scan History entries disappear from the Symantec AntiVirus console in Netware after a few minutes
    Fix ID: 1082626
    Symptom: After a manual or scheduled scan is completed, it only appears in the Symantec AntiVirus console for a short period of time.
    Solution: Updated the scan release functionality to keep the scan in the user interface for a longer period of time.



Symantec Reporting Server Fixes

    Database Maintenance Agent times out on large databases
    Fix ID: 972769
    Symptom: SQL Query Failed message appears when the Scan Table query times out. This occurs when there are over 400,000 entries.
    Solution: Updated Reporting Server to correctly delete old data in chunks of 25,000 rows.

    Reporter home page shows two agents "hanging"
    Fix ID: 1112691
    Symptom: The agents appear to be hanging on the home page, but the agents are actually running appropriately.
    Solution: Added PHP function to get the GMT (Greenwich Mean Time) date. The comparison of dates needs to be done in GMT because the date in the database is in GMT.

    DBMaint agent shows "next run" time in GMT instead of local time
    Fix ID: 1119930
    Symptom: Agent Configuration in Reporting Server console shows the DBMaint agent's "next run" in GMT time instead of the local time zone.
    Solution: Modified the PHP function to display the time in the local time zone.

    DBMaint Timeout error
    Fix ID: 1125984
    Symptom: When running DBMaint on large databases, the scan will time out before it completes.
    Solution: Set the timeout for SQL query to 30 minutes.

    "Source" field does not display accurate information in reporting
    Fix ID: 857599
    Symptom: The Source computer listed in the event does not report accurately when a log file is missing some parameters or has become corrupt.
    Solution: Updated the log reader to confirm that the log data is reported correctly.

    Clicking "more info" link for risk name in outbreak report gives multiple search results
    Fix ID: 913617
    Symptom: When clicking on the "more info" link, it doesn't go to the risk write-up, but sends the user to a search page instead.
    Solution: Updated all the links to correlate to the new Security Response site locations.

    Reporting Server displaying Last Scanned Time as 12/31/1999
    Fix ID: 924926
    Symptom: Scans that do not complete are reported into Symantec Reporting Server with a last scanned date as 12/31/1999.
    Solution: Scan times now report the scan start time instead of the scan end time.

    "Definitions out-of-date" alert email has a broken hyperlink
    Fix ID: 1024042
    Symptom: The hyperlink to the client list in a "Virus definitions out-of-date" Reporting email alert takes the user to a blank "Computer Status Logs" page.
    Solution: Updated email alert to link to the appropriate report.

    The "last date updated" in Symantec Reporting Server console does not appear to match the last run time
    Fix ID: 1040534
    Symptom: After running a report, the "last date updated" time will be a few hours outdated when compared to the local system time.
    Solution: Updated how the agent status time stamp is converted.

    LogReaderEvents agent quits unexpectedly
    Fix ID: 1051606
    Symptom: When the agent parses a corrupt or incomplete log entry, the agent may stop suddenly.
    Solution: Modified the legacy function call to parse the incomplete log data correctly.

    Cannot install Reporting with non-default settings
    Fix ID: 1058456
    Symptom: When installing Reporting server from the MR6 release, if using non-default Reporting database names or user names, the installation fails.
    Solution: Removed references to the default installation path in the schema.

    Daily report alert e-mails have broken URLs
    Fix ID: 1065817
    Symptom: When the alert e-mail is sent, the link will take the user to an authentication page or will display a DBerror page.
    Solution: Cleaned up the alert URL to properly report the correct date and time zone.

    Spaces in a Server group name cause some server group specific reports to report data incorrectly
    Fix ID: 1069214
    Symptom: Reports with an advanced filter specific to a server group are not working when spaces exist in the server group name.
    Solution: Spaces were being converted to "+" incorrectly. Corrected the PHP conversion.

    Full log export does not honor filter settings
    Fix ID: 1074153
    Symptom: When filtering certain log views and then exporting it to .CSV, the entire log is exported instead of just the filtered data.
    Solution: Added correct filters to PHP output requests.

    Scanned and Last checked-in reports are slow to generate
    Fix ID: 1095471
    Symptom: Certain reports can be extremely slow to generate, taking hours to display.
    Solution: Modified the date conversion to display the local time of the Symantec Reporting console.

    Log entry for definitions arriving on Quarantine server appears as error
    Fix ID: 913823
    Symptom: When definitions arrive on the Quarantine server, the event is logged as an error.
    Solution: Changed the event log type to be "information" instead of "error."



Symantec Client Firewall fixes

    Cannot access streaming audio through ISA proxy with Security enabled
    Fix ID: 913748
    Symptom: User is unable to access streaming audio from a website through an ISA proxy if Symantec Client Firewall is enabled.
    Solution: Updated pxyhttp.dll to allow the traffic to pass correctly.



Maintenance Patch 1 for Maintenance Release 6 (MR 6 MP 1)
This section describes the fixes in Maintenance Patch 1 for Maintenance Release 6 of Symantec AntiVirus 10.1 and Symantec Client Security 3.1. You can apply this patch over Symantec AntiVirus 10.1.6.x or Symantec Client Security 3.1.6.x. To learn how to obtain and apply the patch, read Applying Maintenance Patch 1 for Symantec Client Security 3.1 and Symantec AntiVirus 10.1 Maintenance Release 6.

Components

Component Version
Symantec AntiVirus 10.1.6.6010
Symantec Client Firewall 8.7.4.112
Common Client 104.0.15.2
Decomposer 3.15.3.0
NIS Shared Components 2005.3.0.74
SymNetDrv 6.0.6.604



Symantec AntiVirus Fixes

    Lotus Notes profile created in the incorrect directory
    Fix ID: 802843
    Symptom: When a new user profile is created using the Lotus Notes configuration process, the Notes profile is created in the Local Service profile instead of the user's profile.
    Solution: The profile creation process now queries the local user first before running the API.

    RTVScan holds open user profiles after a user logs off of a session using Citrix Metaframe or Web Presentation server
    Fix ID: 860803, 983890, 983899, 983935
    Symptom: When a client logs off or disconnects a session connected to a Citrix server, the profile is not completely closed, causing possible profile locks or corruption.
    Solution: Changed how RTVScan handles session disconnects and logoffs to release NTUser.dat file in a more timely fashion. Also made changes to add better support for Seamless Windows within Citrix.

    Symantec AntiVirus Client unable to recover from corrupted definitions and accumulation of .vdb files in 7.5 folder
    Fix ID: 838436
    Symptom: A large number of corrupted .vdb files are accumulated, and the client is unable to download or install any further definitions.
    Solution: Added a definition check to ensure the definitions are downloaded correctly, and if corruption is located, the file is removed and remediation occurs.

    RTVScan error on logoff
    Fix ID: 917503
    Symptom: When logging off a client, an application error occurs, referencing "memory cannot be read."
    Solution: Changed the logoff process to ensure that disconnect calls are not made prematurely.

    Dell Optiplex 745 computers fail to start after installing Symantec AntiVirus
    Fix ID: 935817
    Symptom: After installing Symantec AntiVirus, the Dell computer may fail to start. Upon restart, the computer may load correctly.
    Solution: Changed our volume mount tracking capabilities to overcome a conflict when monitoring write protected volumes.

    Future-dated events in the Symantec AntiVirus log files are forwarded multiple times
    Fix ID: 973579
    Symptom: The same events dated in the future appear multiple times in parent server log files or in the Reporting console.
    Solution: Changed FwdStat.log file to monitor new events and not to forward any logs that have already been forwarded to the parent.

    Scheduled scans run as "missed events" after a client roams to another parent server
    Fix ID: 968729
    Symptom: After roaming to a new parent server, the client will run a scheduled scan again, and mark it as a missed event.
    Solution: Adjusted the time a client holds on to scan data to allow a new GRC.dat to be processed from the new parent server.

    Blue screen occurs when Symantec Antivirus definitions are repeatedly backdated then reapplied
    Fix ID: 1026551
    Symptom: When definitions are repeatedly backdated and reapplied to a computer, the computer crashes.
    Solution: In a very rare situation, RTVScan was not releasing a mutex, causing I2lpvp3 to hang. Fixed.

    The Symantec Event Manager service registry key's permissions are reset each time the service is reloaded
    Fix ID: 1027172
    Symptom: After adding custom permissions to the service's registry key and reloading the service, the custom permissions will be deleted.
    Solution: The registry key is now only recreated when changes to the key are detected.

    An empty GUID is reported when running Symantec AntiVirus on a computer with two network cards
    Fix ID: 1031751
    Symptom: When using a computer with multiple network cards, the client will fail to create a unique GUID, causing the client to lose connectivity with the parent server.
    Solution: Added additional checks to the MAC address requests when creating the GUID to avoid a null GUID.

    While logging on the computer, a new user profile is created
    Fix ID: 994915
    Symptom: When logging on to a computer, a user profile may appear to be locked, so the system creates a new user profile for the user.
    Solution: Eliminated an unnecessary delay during the logon process to alleviate some of the load on the thread that processes logging on and off.


Symantec Client Firewall Fixes


    Script error when viewing Symantec Client Firewall logs with Internet Explorer 7 installed
    Fix ID: 865944
    Symptom: If Internet Explorer 7 is installed, when viewing the Symantec Client Firewall logs, a script error appears.
    Solution: Modified scripts to work with Internet Explorer 7.



Maintenance Release 6 (MR 6)
This section describes the fixes in Maintenance Release 6 of Symantec AntiVirus 10.1 and Symantec Client Security 3.1.

Components

Component Version
Symantec AntiVirus 10.1.6.6000
Symantec Client Firewall 8.7.4.110
QServer 3.5.4.71
Symantec AntiVirus Reporting 1.0.223.0
AMS 6.12.0.147
AntiSpam 2005.3.0.31
Auto-Protect 9.7.2.3 (a)
Behavior Blocking 2.3.0.2
Common Client 104.0.13.2
Decomposer 3.2.14.26
DefUtils 3.1.13.0
ECOM 51.3.0.11
IPS 6.2.2.2
LiveUpdate 3.1.0.99
NAVAPI 4.2.0.8
NIS Shared Components 2005.3.0.71
SymEvent 12.2.1.2
SymNetDrv 6.0.5.506
SymSentry 2.1.0.101



Symantec AntiVirus Fixes

    Using the login scripts for migration does not force a reboot
    Fix ID: 801961
    Symptoms: You migrate a client by using a login script that is set to restart the client when the installation is complete. The client does not restart after the installation is complete.
    Solution: Made a fix to ensure that a user-configured Vplogon.ini file is not overwritten when the Symantec AntiVirus service restarts.

    Continuous LiveUpdate window in Symantec System Center does not reflect current configuration
    Fix ID: 837165
    Symptoms: You open the Continuous LiveUpdate window from the Virus Definition Manager window in Symantec System Center. The settings in the Continuous LiveUpdate window do not reflect the Continuous LiveUpdate settings that are in effect.
    Solution: Updated the user interface to reflect the most recent configuration.

    AntiVirus Server Rollout does not find computers across a VLAN
    Fix ID: 846234
    Symptoms: You run AntiVirus Server Rollout in Symantec System Center to deploy Symantec AntiVirus server. When you view your network in the Select Computers dialog box, computers across a VLAN do not appear.
    Solution: Changed the discovery process to correct a failed "Open Mutex" call.

    ClientRemote installs Symantec AntiVirus server instead of client during migration
    Fix ID: 852987
    Symptoms: When you migrate a client by using ClientRemote Install in the Symantec System Center, the migration deploys Symantec AntiVirus server instead of the client.
    Solution: Modified SAV_Server_mm.ism to copy all files except Vpremote.dat to the CLT-INST folder.

    Symantec AntiVirus server does not provide Symantec AntiVirus for Handhelds definitions to clients
    Fix ID: 858821
    Symptoms: Symantec AntiVirus server does not distribute definitions for Symantec AntiVirus for Handhelds to clients.
    Solution: Updated the server so that it includes the Symantec AntiVirus for Handhelds definitions in its definition package creation.

    NetWare server shows an "out of memory" message after running a scheduled scan
    Fix ID: 864360
    Symptoms: After a scheduled scan runs on a NetWare server, the NetWare Console shows the message "Cache memory allocator out of available memory."
    Solution: Changed the code that completes directory lookups.

    Symevent is uninstalled and Auto-Protect disabled after migration
    Fix ID: 865236
    Symptoms: After you migrate to a new build of Symantec AntiVirus and restart the computer, Symevent is no longer installed and Auto-Protect is disabled.
    Solution: Updated the installer sequence to recognize newer versions of Symevent .

    NetWare server abends when scanning .gsh files
    Fix ID: 898183
    Symptoms: On a NetWare server, after Symantec AntiVirus scans .gsh files during a scheduled scan, the server abends.
    Solution: Fixed in the latest decomposer update.

    Symantec AntiVirus excludes infected files on read-only media
    Fix ID: 900050
    Symptoms: After Symantec AntiVirus detects an infected file on a read -only memory source, Symantec AntiVirus excludes the file from detection on that source for the rest of the Windows session.
    Solution: Added a check to prevent the exclusion of these files after detection.

    OpenScanningMode=0 registry value disappears from Symantec AntiVirus clients
    Fix ID: 990596
    Symptom: After you click "Reset All" in the Client Auto-Protect configuration window in Symantec System Center, the OpenScanningMode registry value disappears from managed clients.
    Solution: Made the registry keys part of the Symantec AntiVirus server installation defaults so that they are not removed from the client.

    Scheduled Scan deletes the SID's shell folder startup registry value
    Fix ID: 647987
    Symptom: You create a scheduled scan in Symantec System Center. When that scan runs, the HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup value is removed from the local computer.
    Solution: Fixed in the new build of Eraser.

    Duplicate domain GUIDs on NetWare servers
    Fix ID: 796373
    Symptom: Server groups that have a NetWare primary server have the same root certificate name.
    Solution: Made a change that ensures that GUIDs are always created randomly.

    Quarantine Server version changes after migrating to Symantec AntiVirus 10.1 MR4 MP1
    Fix ID:
    819184
    Symptom: After you install Symantec AntiVirus 10.1 MR4 MP1 to the Quarantine Server, the version of the Qserver.exe file appears to be updated.
    Solution: Updated the Quarantine Server build scripts to show the correct version information.


    Entries for Completed Scans disappear from Scan History after refreshing the NetWare Symantec AntiVirus console
    Fix ID: 644997
    Symptom: When you refresh the NetWare Symantec AntiVirus console, the entries for Complete scans disappear from the Scan History window.
    Solution: Made the history window full size so it doesn't change and fixed the cursor so that it doesn't disappear.

    NetWare login script fails on Tablet PCs
    Fix ID: 898197
    Symptom: When you use a NetWare login script to install Symantec AntiVirus on a Tablet PC, the installation ceases to respond and does not complete.
    Solution: Added a pause to VP_Log32.exe to allow for a WM_Close command to complete.


Symantec Client Firewall Fixes


    Multicast packets use default rule set
    Fix ID: 923474
    Symptom: When you use a program that sends multicast packets, the connection uses the default rule set instead of the rules for the active location.
    Solution: Fixed in the new SymNetDrive build.


Reporting Server Fixes


    Cannot view details about a computer that shows as infected in computer status logs
    Fix ID: 629701
    Symptom: When you view the details of a "Still Infected" query on the Reporting Server home page, no clients appear.
    Solution: Added an option to "also delete infected events" that deletes uncleared infection events after the configured interval (400 days default). This option also clears the infection status for the corresponding computers in the inventory table.

    Only one email sent for multiple virus events
    Fix ID: 802717
    Symptom: The same virus event on multiple computers triggers only one Email notification.
    Solution: Changed the event check to recognize the same event from different computers and trigger the appropriate email notifications.

    Reporting Agent Status window reports shows a date in the future
    Fix ID: 838870
    Symptom: When you run agents in multiple time zones, the Reporting Agent Status window shows a future date/time stamp.
    Solution: Corrected the time zone conversion method.

    Database backup agent error shows incorrect path when using a remote SQL server
    Fix ID: 788260
    Symptom: When the Reporting Server database runs on a remote SQL server, the Database Backup Agent shows an error message with an incorrect path for the Backup.dat file.
    Solution: Changed error path from "C:\Program Files\Common Files\Symantec Shared\Reporting Agents\Win32 \Backup\BACKUP_xxxxx/backup.dat" to reflect the correct path to the Backup.dat file.


Maintenance Patch 1 for Maintenance Release 5 (MR 5 MP 1)
This section describes the fixes in Maintenance Patch 1 for Maintenance Release 5 of Symantec AntiVirus 10.1 and Symantec Client Security 3.1. You can apply this patch over Symantec AntiVirus 10.1.5.x or Symantec Client Security 3.1.5.x. To learn how to obtain and apply the patch, read Applying Maintenance Patch 1 for Symantec Client Security 3.1 and Symantec AntiVirus 10.1 Maintenance Release 5.

Components

Component Version
Symantec AntiVirus 10.1.5.5010
Symantec Client Firewall 8.7.4.104
QServer 3.5.5.57
Symantec AntiVirus Reporting 1.0.207
AMS 6.12.0.142
AntiSpam 2005.3.0.31
Auto-Protect 9.7.2.3
Behavior Blocking 2.2.0.7
Common Client 104.0.13.2
Decomposer 3.2.14.26
DefUtils 3.1.13.0
ECOM 51.3.0.11
IPS 6.2.2.2
LiveUpdate 3.1.0.90
NAVAPI 4.2.0.8
NIS Shared Components 2005.3.0.66
SymEvent 12.2.1.2
SymNetDrv 6.0.4.402
SymSentry 2.1.0.101



Symantec AntiVirus Fixes


    "Faulting application Rtvscan.exe, version 10.1.5.5000, faulting module I2ldvp3.dll..." appears after installing Symantec AntiVirus 10.1.5.5000
    Fix ID: 833133
    Symptom: After you install Symantec AntiVirus 10.1.5, you see the error "Faulting application Rtvscan.exe, version 10.1.5.5000, faulting module I2ldvp3.dll, version 10.1.5.5000, fault address 0x000056ab."
    Solution: Changed the code to prevent the null pointer access that causes the application fault. A workaround for this problem is to run LiveUpdate after you install a Symantec AntiVirus server before you add clients to the server group.

    Symantec AntiVirus clients do not appear in Symantec System Center after applying the SYM06-010 point patch
    Fix ID: 1-5ZMW9N
    Symptom: You apply the SYM06-010 point patch to a managed client that runs Symantec AntiVirus Maintenance Release 2 with Maintenance Patch 2 (Symantec AntiVirus 10.0.2.2020). If you originally installed this client as an unmanaged client, the client no longer appears in Symantec System Center after you apply the SYM06-010 point patch.
    Solution: Properly migrated the "Connected" and "ClientType" registry values during the patch installation.

    Event ID 7009 or Event ID 7011: "Timeout (30000ms) waiting for a transaction response from the SAV service"
    Fix ID: 649697
    Symptom: After you remotely log on to a computer that runs Symantec AntiVirus 10.1, you see the message "Timeout (30000ms) waiting for a transaction response from the SAV service" in the System Event log.
    Solution: Lowered the timeout value that the Symantec AntiVirus service waits before creating the Custom Tasks registry key.

    Symantec AntiVirus service fails to start when using network paths
    Fix ID: 792579
    Symptom: The Symantec AntiVirus service fails to load automatically when it runs on a computer with a network path in the Path variable.
    Solution: Added additional MFC resource .dll files to our installation package.

    Roaming Profiles are not deleted on a Windows 2003 Terminal Server
    Fix ID: 704930/630516
    Symptom: After you install Symantec AntiVirus to a Terminal Server, roaming profiles are not deleted when the user logs off.
    Solution: Change the code to notify Rtvscan.exe of ending remote sessions before the user profile is unloaded.

    SAVRoam service not restarted after applying a Maintenance Patch
    Fix ID: 632306
    Symptom: After you deploy a Maintenance Patch, the SAVRoam service is not restarted.
    Solution: Added a condition to the patch installer to start the SAVRoam process after the patch installation is finished.

    Defwatch Quick Scan no longer runs after installing Symantec AntiVirus 10.1 Maintenance Release 4
    Fix ID: 632605
    Symptom: After you install Symantec AntiVirus 10.1.4.4000, you notice that the Quick Scan no longer runs when new virus definitions arrive.
    Solution: Changed the installation to migrate the \ApplicationCache\{PARENT.EN_US} registry key information.

    SAVRoam fails when the parent server is unavailable
    Fix ID: 1-5ZPJXD
    Symptom: When you install Symantec AntiVirus client to a computer whose parent server is unavailable, the client cannot successfully roam to a different parent server in the list.
    Solution: Added a delay to SAVRoam.exe start to allow the Grc.dat file to complete processing.

    VPRemote install log file path is hard-coded
    Fix ID: 1-5ZU6L9
    Symptom: When you install Symantec AntiVirus from Symantec System Center, the install log file location is hard-coded.
    Solution: The installation now reads the log file path from the command line. If a log file path isn't specified, the log file is saved to the temp directory.

    Installation of Symantec AntiVirus fails when using HP's Radia deployment software
    Fix ID: 642943
    Symptom: When you install Symantec AntiVirus with HP's Radia deployment software, the installation fails due to long file names.
    Solution: Added short file name of DefFileChanges.dll to the FileTable.

    Symantec AntiVirus server does not purge logs after 30 days
    Fix ID: 778875
    Symptom: Symantec AntiVirus server does not purge log files after 30 days until you change the setting in Configure History.
    Solution: Added an entry in Symantec AntiVirus Server install script to add the LogFileRollOverDay value to the registry key HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDESK\VirusProtect6\CurrentVersion.


Symantec Client Firewall Fixes

    Symantec Client Firewall permissions are not used when running a Program Scan
    Fix ID: 1-5EYURL
    Symptom: A user can run a Program Scan and automatically create rules, even if the client permissions are set to deny the user the ability to create rules.
    Solution: Added a check for the user permissions before allowing the user to create rules through a Program scan.



Point Patch 1 for Maintenance Release 5 (MR 5 PP 1)
This section describes the fixes in Point Patch 1 for Maintenance Release 5 of Symantec AntiVirus 10.1 and Symantec Client Security 3.1. You can apply this patch over Symantec AntiVirus 10.1.5.5000 or Symantec Client Security 3.1.5.5000. To learn how to obtain and apply the patch, read Applying Point Patch 1 for Symantec Client Security 3.1 and Symantec AntiVirus 10.1 Maintenance Release 5.

Components

Component Version
Symantec AntiVirus 10.1.5.5001
Symantec Client Firewall 8.7.4.97
QServer 3.5.5.57
Symantec AntiVirus Reporting 1.0.207
AMS 6.12.0.142
AntiSpam 2005.3.0.31
Auto-Protect 9.7.2.3
Behavior Blocking 2.2.0.7
Common Client 104.0.11.1
Decomposer 3.2.14.10
DefUtils 3.1.13.0
ECOM 51.3.0.11
IPS 6.2.2.2
LiveUpdate 3.1.0.90
NAVAPI 4.2.0.8
NIS Shared Components 2005.3.0.58
SymEvent 12.1.2.1
SymNetDrv 6.0.4.402
SymSentry 2.1.0.101



Symantec AntiVirus Fixes


    "Faulting application Rtvscan.exe, version 10.1.5.5000, faulting module I2ldvp3.dll..." appears after installing Symantec AntiVirus 10.1.5.5000
    Fix ID: 833133
    Symptom: After you install Symantec AntiVirus 10.1.5, you see the error "Faulting application Rtvscan.exe, version 10.1.5.5000, faulting module I2ldvp3.dll, version 10.1.5.5000, fault address 0x000056ab."
    Solution: Changed the code to to prevent the null pointer access that causes the application fault. A workaround for this problem is to run LiveUpdate after you install a Symantec AntiVirus server before you add clients to the server group.


Symantec Client Firewall Fixes
No fixes for Symantec Client Firewall are included in this patch.


Maintenance Release 5 (MR 5)
This section describes the fixes in Maintenance Release 5 of Symantec AntiVirus 10.1 and Symantec Client Security 3.1.

Components

Component Version
Symantec AntiVirus 10.1.5.5000
Symantec Client Firewall 8.7.4.97
QServer 3.5.5.57
Symantec AntiVirus Reporting 1.0.207
AMS 6.12.0.142
AntiSpam 2005.3.0.31
Auto-Protect 9.7.2.3
Behavior Blocking 2.2.0.7
Common Client 104.0.11.1
Decomposer 3.2.14.10
DefUtils 3.1.13.0
ECOM 51.3.0.11
IPS 6.2.2.2
LiveUpdate 3.1.0.90
NAVAPI 4.2.0.8
NIS Shared Components 2005.3.0.58
SymEvent 12.1.2.1
SymNetDrv 6.0.4.402
SymSentry 2.1.0.101



Symantec AntiVirus Fixes

    NetWare server abends when unloading Symantec AntiVirus on a parent with a large number of clients
    Fix ID: 1-51KJLX
    Symptom: When you unload Symantec AntiVirus on a NetWare server that manages a large number of clients, the server abends.
    Solution: Added a check to verify that the SystemRunning flag is still active before accepting a keep alive packet.

    Imaged computer cannot join a domain after using Sysprep
    Fix ID: 1-5ZBQA6
    Symptom: After running Sysprep 1.0 or 1.1 on Windows 2000 Pro with the Symantec AntiVirus 10.1 client installed, upon restarting the computer, the computer will not join the domain automatically.
    Solution: This problem is fixed in Symevent 12.1.

    Drive not spinning down with Rtvscan.exe running
    Fix ID: 1-606ZV3
    Symptom: RTVScan.exe does not allow the hard drive to spin down due to frequent updates to the Windows Security Center.
    Solution: The fix was to reduce the frequency of updates to the Windows Security Center. RTVScan.exe only updates the Windows Security Center when the state of Symantec AntiVirus has changed.

    High memory utilization with SAEX
    Fix ID: 1-5NV0LV, 536701, 769405
    Symptom: High memory utilization was seen on a Symantec AntiVirus client with the SAEX tag set.
    Solution: Fixed a memory leak in Auto-Protect. The fix was included with Auto-Protect version 9.4.6.

    UDP rules applied to all locations
    Fix ID: 1-5J7I93
    Symptom: When a UDP rule is created for Symantec Client Firewall and applied to the DEFAULT location, the rule is also applied to other locations.
    Solution: This was fixed in SymNetDrv 6.0.4.

    When "PluginInstalledOnlyOnPrimary" is set to 0 for the SCFsesa plugin, no events are sent from parent
    Fix ID: 1-5Z1NLP
    Symptom: Settting "PluginInstalledOnlyOnPrimary" is set to 0, which is required if collecting from all servers (as opposed to collecting from the primary server only), causes the local client events to be omitted from reports.
    Solution: When forwarding events, ensure that the EB_FROM_CLIENT value is set for clients.

    Server Group server tuning options are not shared with other servers
    Fix ID: 1-5R7DVU
    Symptom: After creating a primary server and enabling legacy support at the server group level, the settings do not propagate to secondary servers.
    Solution: This is a rework of the original fix in MR4 MP1. The settings were not captured in the GRCSrv.dat file, which is distributed to the secondary servers. The fix added these settings to the GRCSrv.dat file.

    Application error against NLNHook.exe
    Fix ID: 631405
    Symptom: After installing Symantec AntiVirus, then logging on as a restricted user, an application error is generated against NLNHook.exe.
    Solution: Added a check of the return code from the NotesInitExtended call. If Notes has not yet been configured for this user, do not try to add the hook to Notes.ini.

    Disconnecting and reconnecting a computer to the network does not recognize network change
    Fix ID: 628762
    Symptom: Symantec Secure Port will not detect network changes when they occur frequently and within seconds of each other. When using Symantec AntiVirus Parent Netspec, this will cause the location not to switch correctly.
    Solution: Once a network change is detected, Symantec Secure Port would not monitor network changes until processing of the current network change has completed. Changed behavior to return to monitoring for network changes immediately while the current network change is being processed.

    Windows and NetWare Logon Scripts fail when using Symantec Client Security 3.1
    Fix ID: 1-5P3ZER
    Symptom: Installing Symantec AntiVirus 10.x or Symantec Client Security 3.x clients by using a logon script fails.
    Solution: A correction was made to a bad path found in a Symantec application used during this process.

    Scheduled LiveUpdate is not removed when moving client groups
    Fix ID: 1-5UMKE6
    Symptom: When moving a client from one group with a scheduled LiveUpdate to another group without a scheduled LiveUpdate, the scheduled LiveUpdate is not removed.
    Solution: The LiveUpdate schedule settings are now locked in the registry and GRC.dat upon server installation because the setting "Do not allow client to modify LiveUpdate schedule" is now checked by default. If the setting is not locked, the client ignores them.

    AMS does not alert on certain events
    Fix ID: 1-5W5T0C
    Symptom: AMS does not forward the event GL_EVENT_ANOMALY_START which is added with Symantec AntiVirus 10.x
    Solution: Added the case to support event ID GL_EVENT_ANOMALY_START. Also changed the alert string from "Risk repaired" to "Risk Found/Repaired" for both the start and finish events for anomalies.

    When threat status indicates Adware/Spyware, Audit Network feature no longer displays correct client type
    Fix ID: 1-5AJ197
    Symptom: When a client has a status indicating that Adware/Spyware has been detected, the Audit Network feature shows the client type as Unknown.
    Solution: The new computer type I_CLIENT_GREYWARE and I_SERVER_GREYWARE are now used to display the computer type of the greyware-affected computers.

    Installing Symantec AntiVirus 10.01 server to an existing server group from a command line creates a duplicate group
    Fix ID: 1-4OXYCN
    Symptom: Duplicate server groups are created when installing a Symantec AntiVirus 10.1 server to an existing server group from a command line installation.
    Solution: The custom action ValidateServerGroup is not executed while using the qb! switch, for which the UILevel is 3. The fix is to update the settings for the custom action ValidateServerGroup to make it run at UILevel 3.

    Liveupdate fails to run when installing Symantec AntiVirus from a command line
    Fix ID: 1-5QG4EQ
    Symptom: LiveUpdate fails to run during a command line installation while upgrading a managed client, regardless of the administrator setting to allow or disallow the user to run LiveUpdate.
    Solution: Changed behavior to allow the RUNLIVEUPDATE flag to take precedence in case of a full installation (not a migration or a patch install).

    SavRoam for Enterprise Security Manager fails with Enterprise Security Manager 6.5 installed
    Fix ID: 1-65A7D5
    Symptom: SavRoam for Enterprise Security Manager, fails with Enterprise Security Manager 6.5 installed
    Solution: Enterprise Security Manager 6.5 includes register.exe, instead of reg.exe. Added the support to handle register.exe if reg.exe is not present.

    Global Security Exclusion settings are not propagated to client groups when changes are made from the server group level
    Fix ID: 1-5U1BNL
    Symptom: Global Security Exclusion settings are not propagated to client groups when changes are made from the server group level.
    Solution: Changed behavior to update client groups while changes are made at server group level.

    Symantec System Center sometimes crashes when security risks are repeatedly added to Global Security Risk Exclusions
    Fix ID: 1-5PD143
    Symptom: Symantec System Center sometimes crashes when security risks are repeatedly added to Global Security Risk Exclusions.
    Solution: Changes to properly initialize certain pointer variables.

    Symantec AntiVirus on NetWare causes errors scanning long filenames
    Fix ID: 772476
    Symptom: Symantec AntiVirus fails to scan files with filenames longer than 127, and ABENDs on some long filenames.
    Solution: Fixed handling of long filename strings.

    Symantec AntiVirus 10.0.2 ABENDs
    Fix ID: 1-5MJYG1
    Symptom: Symantec AntiVirus causes NetWare to ABEND in VPReg.NLM.
    Solution: Improved the thread-safe code in the VPReg.nlm library.

    Symantec AntiVirus ABENDs in VPStart.nlm
    Fix ID: 1-5WDW6A
    Symptom: NetWare ABENDs when loading Symantec AntiVirus using VPStart.ncf.
    Solution: Reworked code dealing with imported variables from VPReg.nlm.

    NetWare login scripts do not fill in the $FILE_SERVER$ variable correctly
    Fix ID: 1-4D8RGN
    Symptom: Clients logging into a NetWare server are not updated or installed correctly in certain cases.
    Solution: Changed the installation module to use the correct environmental variable on installation.

    Long directory names cannot be viewed on NetWare Servers
    Fix ID: 1-4GFHQ7
    Symptom: Directories with long names appear empty when viewed from Symantec System Center.
    Solution: Added long name functionality to FindFirstFile and FindNextFile functions.

    Continuous LiveUpdate settings revert to default settings
    Fix ID: 1-5WLWPO
    Symptom: In the Configure Primary Server Updates dialog, setting the values in the order Source, Continuous LiveUpdate Configure... is different than setting the values in the order Continuous LiveUpdate Configure, Source.
    Solution: Changed code to allow for consistency.

    Cannot see server groups across VLANs during remote server deployment
    Fix ID: 785939
    Symptom: Cannot see server groups across different VLANs when trying to install a secondary server.
    Solution: Added code in AV Server Rollout which involves copying over the DomainGUID and updating registry keys to contain the address cache of the secondary server.

    CPU spike when installing with Terminal Services disabled
    Fix ID: 1-5OTPUD
    Symptom: High CPU usage after installing Symantec AntiVirus server and Terminal Services in remote adminstration mode.
    Solution: Changed code to prevent an infinite loop.

    Client tracking is not turned off by default
    Fix ID: 1-5LBW4N
    Symptom: Client tracking check box is enabled by default.
    Solution: Changed check box to be disabled by default.

    Scan histories from different levels in Symantec System Center do not match up
    Fix ID: 633623
    Symptom: Using Symantec System Center to view scan histories, scanned/infected file numbers are incorrect at client/server level.
    Solution: Added functionality to check for successful parsing of Event data.

    NetWare 6.5 SP 5 server abends when Symantec AntiVirus 10.1.4 runs a scheduled scan
    Fix ID: 772645
    Symptom: When you run a scheduled scan with Symantec AntiVirus 10.1.4.4000 on a computer that runs NetWare 6.5 Service Pack 5, the server abends. The Abend.log file shows that Rtvscan.nlm owns the process that caused the abend.
    Solution: This problem no longer occurs in Symantec AntiVirus 10.1.5.



Symantec Client Firewall fixes

    Cannot import policy after importing a specific set of rules
    Fix ID: 1-5M19C7
    Symptom: When applying a Symantec firewall policy file containing a large number of rules and settings to a legacy Symantec Client Security client (9.x or below), it will cause the client to fail to accept any future firewall policies.
    Solution: Symantec Client Firewall Administrator now warns the user of the firewall policy size restrictions for legacy Symantec Client Security clients when a firewall policy reaches the size limitations for rules and settings.

    Phantom IP address is reported in Symantec Client Firewall log
    Fix ID: 1-5VO3N8
    Symptom: The log entry line, "Details: Rule "Microsoft Internet Explorer" permitted (x.x.x.x,http(80))" contains an incorrect IP address.
    Solution: The IP parameters to reportEvent has been fixed. Also fixed the corresponding alert log entry.

    Clients managed by secondary servers do not receive a policy file when you deploy a policy at the client group level
    Fix ID: 809180
    Symptom: In Symantec System Center, you deploy a Symantec Client Firewall policy at the client group level. Some clients do not receive the policy file. This problem only happens to clients whose parents are secondary servers that run Symantec AntiVirus 10.1.4.4010 or Symantec Client Security 3.1.4010. The problem does not happen to clients whose parent server is the primary server, regardless of the product version.
    Solution: This problem no longer occurs in Symantec Client Security 3.1.5.



Symantec AntiVirus Reporting


    Custom virus search links in Reporting are invalid due to Symantec Web site change
    Fix ID: 647851
    Symptom: Three custom virus search links in Reporting are invalid due to a change to the Symantec Web site.
    Solution: Removed the broken links and replaced them with the new links.

    Reporting is slow to transfer data to the database
    Fix ID: 1-5WEKF6
    Symptom: Incoming inventory and event logs from parent server to reporting server accumulate in the upload directory and Temp.LogReader directory. Eventually, these slow the agents considerably and may fill the volume.
    Solution: Overall performance for log and inventory data processing functionalities for Reporting were enhanced, and a new configuration option was introduced to discard security data that is not relevant for typical usage scenario.

    Reporting does not work correctly with a proxy connection
    Fix ID: 1-5WX8JV
    Symptom: If the proxy connection configured for virus category agent is authenticated by a domain user login, then the agent fails to connect to the proxy server. No virus category data is downloaded.
    Solution: This was caused by incorrect handling of special characters in the proxy address. Fixed by using a different authentication API in Perl that was capable of handling the username correctly.

    Reporting requires local user account on Reporting Server
    Fix ID: 1-5REVC7
    Symptom: Reporting requires C:\Program Files\Symantec\Reporter\Temp folder to have Everyone granted full control.
    Solution: Added IIS user IUSR_[MACHINENAME] and Administrators to the User column for TEMPDIR folder.


Maintenance Patch 1 for Maintenance Release 4 (MR 4 MP 1)
This section describes the fixes in Maintenance Patch 1 for Maintenance Release 4 of Symantec AntiVirus 10.1 and Symantec Client Security 3.1. This patch can be applied only to computers that run Symantec AntiVirus 10.1.4 or Symantec Client Security 3.1.4. To learn how to obtain and apply the patch, read Applying Maintenance Patch 1 for Symantec Client Security 3.1 and Symantec AntiVirus 10.1 Maintenance Release 4.

Symantec AntiVirus Corporate Edition 10.1.4.4010-1

    Shared Components

    Shared Component Version Build
    Symantec AntiVirus 10.1.4 4010-1
    Quarantine Server 3.5.4 56
    AMS 6.12.0 142
    Auto-Protect 9.7.1 4
    Behavior Blocking 2.2.0 7
    Decomposer 3.2.14 10
    LiveUpdate 3.0.0 160
    NAVAPI 4.2.0 8
    SymEvent 12.0.3 1
    Common Client 104.0.11 1

 

    New fixes

    Server Group Server Tuning Options do not propagate to secondary servers
    Fix ID: 1-5R7DVU
    Symptom: After you create a primary server and enable legacy support at the server group level, the settings do not propagate to secondary servers.
    Resolution: Added the Server Tuning Options settings to the GRCSrv.dat file, which is distributed to secondary servers.

    Virus definitions do not update until the Symantec AntiVirus service restarts
    Fix ID: 642963
    Symptom: After LiveUpdate runs, the Definfo.dat file is updated, but the Usage.dat file is not updated until the Symantec AntiVirus service restarts.
    Resolution: Minor change to the code to correct this issue.

    Symantec AntiVirus service (Rtvscan.exe) does not start
    Fix ID: 631839
    Symptom: In some specific environments, the Symantec AntiVirus service (Rtvscan.exe) does not start.
    Resolution: Fixed in Common Client 104.0.11.1.

    Improved handling of Rapid Release definitions
    Fix ID: 769756
    Symptom: You apply Rapid Release virus definitions to a Symantec AntiVirus server. After the server pushes the new virus definitions to its clients, the server then pushes a full virus definition set to its clients. The use of Rapid Release virus definitions requires more network traffic than the use of other virus definitions.
    Resolution: Symantec AntiVirus servers can now deploy Rapid Release virus definitions without pushing a full virus definition set to clients. This change reduces the amount of network traffic that is needed to use Rapid Release virus definitions in a managed environment.

    Roaming between parent servers starts a scheduled scan
    Fix ID: 1-606ZZ5
    Symptom: When a Symantec AntiVirus client uses the SAV Roam feature and connects to a new parent server, a scheduled scan starts on the client.
    Resolution: Changed the code that writes and reads the new scheduled scan settings after a client connects to a new parent server. These changes ensure that all of the new scheduled scan settings are present before the code checks whether a scan is needed.


Symantec Client Security 3.1.4.4010-1

    Shared Components

    Shared Component Version Build
    Symantec Client Security 3.1.4 4010-1
    Symantec Client Firewall 8.7.4 84
    Symantec Client Firewall Administrator 8.7.4 84
    Ad Blocking 2005.3.0 30
    SymNetDrv 6.0.3 303
    SymSentry 2.1.0 101
    IPS (SymIDSCo) 6.2.2 2


    New fixes

    User permissions are not applied to ALEScan
    Fix ID: 1-5EOPZ5
    Symptom: Restricted users can run ALEScan. A restricted user should not be able to run ALEScan.
    Resolution: Changed the code to check user permissions when ALEScan runs. A restricted user sees the alert, "You do not have privileges to run this program."

    Messaging for Exchange does not work properly with Symantec Client Firewall
    Fix ID: 1-5LB0S3
    Symptom: When you use MSN 2.x to send messages to another MSN 2.x client through an Exchange 2000 server, the messages do not arrive.
    Resolution: SymNetDrv filters the port that MSN uses to log on and prevents the completion of the logon process. Fixed in SymNetDrv version 6.0.3.

    New clients do not apply policy files from the parent server
    Fix ID: 1-5V1707
    Symptom: When a Symantec Client Security 3.1 client checks in with its parent server for the first time, the client does not automatically apply the policy file after the first reboot.
    Resolution: Changed the code to allow the policy file to be applied under a certain set of conditions which were previously causing the client update to fail.

    SSIM SMNP traps sometimes do not have the MAC and/or IP addresses for Symantec Client Firewall events
    Fix ID: 632290/ 632271
    Symptom: The MAC and/or IP address sometimes does not appear in the event information that the client sends to the SSIM appliance.
    Resolution: Added additional methods to obtain the MAC address and IP address to ensure that the addresses are always discovered and sent with the event.



Maintenance Release 4 (MR4)
This section describes the fixes in Maintenance Release 4 of Symantec AntiVirus 10.1 and Symantec Client Security 3.1.

Symantec AntiVirus Corporate Edition 10.1.4.4000

    Shared Components

    Shared Component Version Build
    Symantec AntiVirus 10.1.4 4000
    Quarantine Server 3.5.4 55
    AMS 6.12.0 142
    Auto-Protect 9.7.1 4
    Behavior Blocking 2.2.0 7
    Decomposer 3.2.14 8
    LiveUpdate 3.0.0 160
    NAVAPI 4.2.0 8
    SymEvent 12.0.2 1
    Common Client 104.0.8 3

 

    New fixes
    Symantec Client Security and Symantec AntiVirus Elevation of Privilege vulnerability (SYM06-010)
    Maintenance Release 4 includes a fix for the Symantec Client Security and Symantec AntiVirus Elevation of Privilege vulnerability. You do not need to apply the patch for the vulnerability if you migrate to Maintenance Release 4. For information about the vulnerability, read the advisory.

    Restricted Users cannot run LiveUpdate
    Fix ID: 1-5QFYNN
    Symptom: LiveUpdate 3.0 requires Power User or Administrator rights for the user to run locally. The EnableAllUsers registry key no longer allows all users to run LiveUpdate 3.0.
    Resolution: Changed the code so that restricted users can run LiveUpdate.

    Files copied to floppy/USB drive not encrypted when using Hitachi Hibun encryption software
    Fix ID: 1-5QI8Z7
    Symptom: Hitachi Hibun encryption software is installed with SAV 10.1 (which includes SymEvent 12.0.2.1), and Hibun is used to encrypt files. When an encrypted file is copied to a FAT-formatted disk or USB key, the file does not appear encrypted on the disk.
    Resolution: The issue was caused by the delayed load feature of SymEvent. SymEvent 12.0.3.1 includes a fix for this issue and is included in this release.

    When using .mbox format for storing electronic mail, the inbox file is quarantined when a virus is found
    Fix ID: 1-5PL4Z5
    Symptom: When a threat is found within an .mbox mail file, the entire mail file is quarantined.
    Resolution: Changed the code to utilize the file decomposer engine to determine mbox container settings. Symantec AntiVirus now quarantines risks individually rather than the entire .mbox file.

    AMS reports the action taken as "undefined"
    Fix ID: 1-5UJHS2
    Symptom: AMS reports the action taken as "undefined" when the Symantec AntiVirus Side Effects Engine examines a risk.
    Resolution: Added additional action strings to increase the number of actions that AMS can report.



Symantec Client Security 3.1.4.4000

    Shared Components

    Shared Component Version Build
    Symantec Client Security 3.1.4 4000
    Symantec Client Firewall 8.7.4 79
    Symantec Client Firewall Administrator 8.7.4 79
    Ad Blocking 2005.3.0 30
    SymNetDrv 6.0.2 211
    SymSentry 2.1.0 101
    IPS (SymIDSCo) 6.2.2 2


    New fixes
    Symantec Client Security server migration hangs during a migration from Symantec Client Security 3.0.2 to Symantec Client Security 3.1
    Fix ID: 1-5NTR1B
    Symptoms: During a migration from Symantec Client Security 3.0.2 to Symantec Client Security 3.1, the following error message appears: "Setup has not received an update status from <ServerName>. The server may still be updating or an error occurred on the server. Do you want to continue waiting for server status?" The Symantec Client Security server is left in a non-functional state because many of the files are missing.
    Resolution: Changed the installation modules to prevent the timeout.

    The SAV Parent Netspec does not reapply itself after a network change
    Fix ID: 1-5TDHI8
    Symptom: When disconnecting and then reconnecting a client to the network, Symantec Client Firewall does not always reapply the SAV Parent Netspec.
    Resolution: Changed the communication code to allow more time for communications between client and server. These changes greatly reduce the instances of this problem occurring.

    Symantec SecurePort service fails randomly
    Fix ID: 1-4Z45SL, 1-5NAZ08
    Symptom: The Symantec SecurePort service fails with the error message "SymSecure Port has encountered a problem and needs to close."
    Resolution: Changed the code to handle the case where a network connection is set up with a NULL device name.



Maintenance Patch 1 for Symantec Client Security 3.1 and Symantec AntiVirus 10.1
Versions of this patch are available for installation over Symantec Client Security 3.1 or Symantec AntiVirus 10.1.

Unable to enter Standby with Symantec AntiVirus service enabled
Fix ID: 1-4XG3PT
Symptom: The computer will not enter Standby mode while the Symantec AntiVirus services are still running.
Resolution: The Symantec AntiVirus service was preventing Standby mode by calling the DefUtils library unnecessarily. Changed it to call DefUtils only when there are new virus definitions.

Scan engine failure during manual scan
Fix ID: 1-5J7F4G
Symptom: While running a manual scan, a scan engine failure occurs. The error reported is 0x20000058.
Resolution: The scan was trying to run before it got the login account of the user, so it would fail for permissions reasons. Changed code to wait (approximately 60 seconds maximum) to get the login account so that manual scans are successful.

Auto-Protect does not give warning when it cannot use definitions
Fix ID: 1-58FE31
Symptom: If definitions are deleted and new definitions are pushed to the client, Auto-Protect will not reload definitions until the computer restarts.
Resolution: Added check for valid definitions. Auto-Protect now loads the new definitions without requiring a restart.

Roaming profiles are not saved at shutdown
Fix ID: 1-581TK3
Symptom: When Symantec AntiVirus 10.x is installed, roaming profiles are not saved when the computer shuts down.
Resolution: Added code to allow the roaming profiles data to be saved.

Repeating entries in Wbemprox.log
Fix ID: 1-4LW4BQ
Symptom: Large numbers of errors are logged in the Wbemprox.log file.
Resolution: Connecting to Windows Security Center results in an error when run on Windows 2000. The fix was to avoid updating the Windows Security Center unless running on Windows XP or a later version. The logging errors stop after the Symantec AntiVirus service starts.

Cannot scan with PointSec Media Encryption installed
Fix ID: 1-4SCR15
Symptom: With PointSec Media Encryption installed, Symantec AntiVirus can not perform a scan.
Resolution: When there is a gap of about 60 seconds or more between the Windows login and the PointSec Media application login, the manual scan fails. When the PointSec Media application prompts for login, the shell is not initialized, and the user is still logging in. Fixed by having Symantec AntiVirus process the log again after VPTray is loaded.

SymSPort fails
Fix ID: 1-5NAZ08
Symptom: If a network connection with a NULL device name exists on the system, SymSPort crashes.
Resolution: Made changes to handle network connections with NULL device names.

Symantec AntiVirus 10.x changes the Last Accessed date after scheduled or manual scan
Fix ID: 1-5G86I8
Symptom: Manual or scheduled scans change the Last Accessed date on files that are not protected by Windows File Protection or read-only, which triggers backup applications to back up the files unnecessarily.
Resolution: Code changes made to preserve the Last Accessed Date on scanned files.

Extension exclusions are not propagated under same circumstances as folder exclusions
Fix ID: 1-4NHFUX
Symptom: When a folder exclusion is set at the server group level, the setting is automatically propagated to the clients. When an extension exclusion is set at the server group level, the setting is not automatically propagated to the clients.
Resolution: Added fix to always update exclusions on clients when new changes are present.

Without the Ad Blocking component, error "SymAdBlockinUI is null or not an object" occurs
Fix ID: 1-503XY4
Symptom: On a Symantec Client Security client installed without the Ad Blocking component, the error "SymAdBlockinUI is null or not an object" occurs if the user interface is open while a policy is pushed to the client.
Resolution: Added validation code to check whether Ad Blocking is enabled. This prevents the error from occurring.


Symantec Client Security 3.1 and Symantec AntiVirus 10.1 (includes Maintenance Release 3)
This section describes the fixes in the first release of Symantec Client Security 3.1 and Symantec AntiVirus 10.1. For a list of new product features, read What's new in Symantec Client Security 3.1 or What's new in Symantec AntiVirus Corporate Edition 10.1.

Symantec AntiVirus Corporate Edition 10.1.0.394

    Shared Components

    Shared Component Version Build
    Symantec AntiVirus 10.1.0 394
    Quarantine Server 3.5.0 52
    AMS 6.12.0 142
    Auto-Protect 9.7.1 4
    Behavior Blocking 2.2.0 7
    Decomposer 3.2.14 8
    LiveUpdate 3.0.0 160
    NAVAPI 4.2.0 8
    SymEvent 12.0.2 1
    Common Client 104.0.7 3


    New fixes
    Symantec System Center 10.0 slow to retrieve log files from legacy servers
    Fix ID: 1-4JKGJI
    Symptom: You use Symantec System Center 10.0 to view log files from legacy (version 9.x or earlier) servers or from legacy clients. When you view legacy client log files, the process takes significantly longer than when you view Symantec AntiVirus 10.0 client log files.
    Resolution: Updated the code to improve performance.

    Manual or scheduled scan on NetWare sets Meta Data archive bit
    Fix ID: 1-4HCKDZ
    Symptom: During a manual or scheduled scan on a Novell NetWare server, Symantec AntiVirus incorrectly sets the Meta Data archive bit to On. This causes backup software to perform full backups rather than incremental backups.
    Resolution: Symantec AntiVirus no longer sets the Meta Data archive bit.

    Clients show offline in Symantec System Center when they're still online
    Fix ID: 1-5FDXJV
    Symptom: In Symantec System Center, managed clients show an incorrect status of "offline."
    Resolution: To the Symantec System Center Console Options screen, added a "Indicate when clients are offline more than x minutes" parameter to reduce communication discrepancies.

    NetWare server abends after upgrading NetWare 6.5 to Support Pack 5 with Symantec AntiVirus 10.0 installed
    Fix ID: 1-5FP7NB
    Symptom: Symantec AntiVirus 10.0 is installed on your NetWare 6.5/6.0 server. You upgrade Novell NetWare 6.5 to Support Pack 5. The NetWare server abends.
    Resolution: Symantec AntiVirus 10.1 is fully compatible with NetWare 6.5 to Support Pack 5.

    Error: "The wizard was interrupted..." with "WriteCCSettingsTables" error in the install log
    Fix ID: 1-4PLT45
    Symptom: You install Symantec AntiVirus 10.0.x. The installation fails and rolls back. In some cases, the installation may stop at the "Starting Services" message. In the installation log, you find a message referring to errors in "WriteCCSettingsTables."
    Resolution: Fixed a problem in the installer to prevent this error.

    Error: "Loader cannot find public symbol: netdbgethostbyname for module VPSTART.NLM" when installing Symantec AntiVirus 10.0 to NetWare
    Fix ID: 1-4GLAH3
    Symptom: You install Symantec AntiVirus 10.0 to a computer that runs NetWare 6.5 Service Pack 3. The installation does not finish, and you see the error message "Cannot find public symbol: netdbgethostbyname for module VPSTART.NLM." You may also see error messages similar to "000000020016777216,server\netware\pki\roots\,InstallPKITemp\pki\roots\,*.*" or "Loading Module VPSTART.NLM [ UNRESOLVED ]"
    Resolution: Set Netdb.nlm to load automatically when Vpstart.nlm and Rtvscan.nlm run.

    Odd Central Quarantine Event entries under the Event Actions configuration menu
    Fix ID: 1-5MPZAQ
    Symptom: When you configure Central Quarantine Events and expand the Central Quarantine Alert Actions, you see the letters C, D, N, T, U and W. These letters appear to be alert action entries.
    Resolution: This problem no longer happens with Symantec AntiVirus 10.1 and later.

    ADDLOCAL= in Vpremote.dat causes Symantec AntiVirus 10.0.2 client installations to fail
    Fix ID: 1-54CVNH
    Symptom: You edit the Vpremote.dat file with custom command-line switches in order to deploy Symantec AntiVirus 10.0.2 clients through ClientRemote Install. The command-line switches that you added include ADDLOCAL=. When you use ClientRemote Install to deploy clients, the installations fail.
    Resolution: Fixed a problem in the installer to prevent this error.

    Security Risk exceptions are not available in Symantec System Center if the parent server is NetWare
    Fix ID: 1-45L5VS
    Symptom: You try to configure Security Risk exceptions in the Symantec System Center for clients that are managed by a Novell NetWare parent server. The exceptions list is blank, and you cannot configure exceptions.
    Resolution: Updated the code so that NetWare primary servers can better distinguish between security risk types.




Symantec Client Security 3.1.0.394

    Shared Components

    Shared Component Version Build
    Symantec Client Security 3.1.0 394
    Symantec Client Firewall 8.7.0 58
    Symantec Client Firewall Administrator 8.7.0 58
    Ad Blocking 2005.3.0 30
    SymNetDrv 6.0.2 211
    SymSentry 2.1.0 101
    IPS (SymIDSCo) 6.2.2 2


    New fixes
    Policy file is not applied when migrating from Symantec AntiVirus to Symantec Client Security
    Fix ID: 1-4OFQJN
    Symptom: You migrate from Symantec AntiVirus to a later version of Symantec Client Security. During this process, the policy file (Cpolicy.xml) is not applied.
    Resolution: Made changes in the installer to check whether the installed program is Symantec AntiVirus or Symantec Client Security.

    Using IP Address in a pRule does not function properly
    Fix ID: 1-4FVO5Y
    Symptom: You create a pRule with a single rule for a specific remote IP address. When you open the program, you are prompted with a security alert or the action is blocked entirely. You use a required digest and want the program rule to be created automatically. If you set the rule to Any Computer, the pRule seems to function properly.
    Resolution: Changed the code in Common Client to fix this problem.

    Unlocked rules on a Symantec Client Firewall client are deleted after deploying a policy file
    Fix ID: 1-4SCVWT
    Symptom: You edit a Symantec Client Firewall policy file in Symantec Client Firewall Administrator. On the Settings tab in Symantec Client Firewall Administrator, you uncheck "Delete unlocked rules on policy integration." After you deploy the policy file to a client, any existing unlocked rules on the client are deleted.
    Resolution: Updated the code so that unlocked rules are no longer deleted.

    Secure Port and ISservice fail to load at startup
    Fix ID: 1-5C5XCC
    Symptom: You install Symantec Client Security 3.0. When you start the computer, the Symantec Secure Port service and the IS Service service do not load. You can start the services manually without errors.
    Resolution: The problem no longer occurs with Symantec Client Security 3.1. You must defragment the hard drive of any affected computers before you migrate to Symantec Client Security 3.1.

    "Any Version" in Prule creation continues to prompt for user action
    Fix ID: 1-3L5TQY
    Symptom: In Symantec Client Firewall Administrator, you create or edit a new pRule that uses only the criteria for the file name and "Any Version" to match a network-aware application. You export this rule set to your clients and try to run the network-aware application. A Low Security Risk pop-up appears and asks which action to take for this alert.
    Resolution: The "Any Version" parameter now works as expected.

    SSL E-mail does not work with Privacy Control
    Fix ID: 1-4CZ69T, 1-5A5MHR, 1-4LE64H
    Symptom: Your email client uses SSL to send email. After you install Symantec Client Security, you send email and you see the message "An encrypted email connection has been detected. Please see help for more information on how to transmit encrypted email." The numbers 1003,14 appear in the lower-left corner of the dialog box. The email message is not sent. The problem persists after you disable Internet E-mail Auto-Protect.
    Resolution: The problem no longer occurs with Symantec Client Security 3.1.




 



Legacy ID



2006050314483048


Article URL http://www.symantec.com/docs/TECH101820


Terms of use for this information are found in Legal Notices