New features and fixes for Symantec Endpoint Protection 11

Article:TECH103087  |  Created: 2007-01-12  |  Updated: 2014-11-21  |  Article URL http://www.symantec.com/docs/TECH103087
Article Type
Technical Solution


Subject

Issue



 This article describes the new features and fixes in each update of Symantec Endpoint Protection 11 and Symantec Network Access Control 11.


Solution



As updates to Symantec Endpoint Protection are released, they are added as sections in this document. The sections are added in chronological order, with the most recent additions at the top.

Note: To download the latest release of Symantec Endpoint Protection, read the following document: Obtaining the latest version of Symantec Endpoint Protection or Symantec Network Access Control.

  This document contains information for the following versions:

 This document should be read in conjunction with the appropriate Readme files:

  • Readme_SEP.txt
  • Readme_SNAC.txt
  • Readme_appliance.txt
  • Readme_trialware.txt 

 

Release Update 7 Maintenance Patch 4 (RU7 MP4)


For complete information on new features and known issues in this release, see the Release Notes. For new fixes and component versions, see below.

 

Blue screen crash caused by teefer3.sys on Windows Vista

Fix ID: 2387830

Symptom: The computer crashes with stop code D1 (DRIVER_IRQL_NOT_LESS_OR_EQUAL). The stop screen references the teefer3.sys driver. The Teefer driver crashes due to binding or unbinding the network adapter during a large data transfer.

Solution: Modified the Teefer driver code to resolve this crash.

 

Error generated by securitynotifytask: "Intermittent Authentication failure. Please try again."

Fix ID: 2763318

Symptom: The Symantec Endpoint Protection Manager console activity log (typically, scm-server-0.log) displays the following error:

SEVERE: Authentication Failure. Please try again. in: com.sygate.scm.server.task.SecurityAlertNotifyTask

Solution: Resolved an issue where the server state could become out of date, resulting in the Symantec Endpoint Protection Manager console regarding the local server as offline.

 

Symantec Endpoint Protection Manager console is slow to load client groups

Fix ID: 2793951

Symptom: The Symantec Endpoint Protection Manager console experiences degraded performance when loading client group data.

Solution: Optimized a SQL query to increase performance for domain admin users.

  

"Japanese" displays multiple times for LiveUpdate Content Languages

Fix ID: 2844897

Symptom: After you install a replication partner, the second Symantec Endpoint Protection Manager console displays "Japanese" multiple times on the Download LiveUpdate Content screen.

Solution: Modified Symantec Endpoint Protection Manager to verify whether the language already exists before adding "LiveUpdate supported language" to the replication partner.

 

Traffic log shows incorrect information about blocked packets

Fix ID: 2867420

Symptom: The Symantec Endpoint Protection traffic log incorrectly displays packets as Ethernet Type 0x0.

Solution: Modified the logging code to display the correct packet type.

 

Symantec Endpoint Protection Manager port scan report from Windows 7 shows incorrect data

Fix ID:  2914500

Symptom: A false positive port scan detection appears in the security log when a port scan executes from a Windows 7 machine.

Solution: Modified the port scan report to correctly detect packets on the loopback adapter of the client.

 

Explorer.exe process stops responding after installing the Symantec Endpoint Protection client           

Fix ID:  2916250 

Symptom: After you install Symantec Endpoint Protection, Explorer.exe stops responding and locks up the computer.

Solution: Modified the Sysplant.sys driver to correct a suspended thread.

 

Computer becomes unresponsive after installing Symantec Endpoint Protection client

Fix ID:  2919278

Symptom: After you install Symantec Endpoint Protection, the computer may become unresponsive due to the wpsdrvnt.sys driver.

Solution: Modified the wpsdrvnt.sys driver to prevent a memory access condition.

 

Risk Type "APPLICATION_DETECTION_TYPE_-1_0" in Symantec Endpoint Protection Manager logs for Macintosh clients

Fix ID:  2935579

Symptom: The Symantec Endpoint Protection Manager report displays the following risk type for a Macintosh client:

"(None) APPLICATION_DETECTION_TYPE_-1_0" 

Solution: Added the proper identifier type to the Symantec Endpoint Protection Manager resource file.

 

"Administrator not found" error when logging onto Symantec Endpoint Protection Manager

Fix ID:  2938977

Symptom: When you attempt to log on to the Symantec Endpoint Protection Manager console, an "Administrator not found" error appears, and the console immediately logs out. The SCM-UI.err log displays the following message:

“com.sygate.scm.console.util.ConsoleException: Administrator not found [0x11010000]”

Solution: Resolved an issue in Symantec Endpoint Protection Manager where the Symantec Network Access Control enforcer caused a deadlock when it connected to the server.

 

Custom scan scans files twice if the selected scan target does not display the plus sign (+)

Fix ID: 2939056

Symptom: When you create a custom scan and make a selection of drives or folders that result in only a checkmark next to your selections, the scan scans the files twice and therefore takes longer to finish. Custom scan selections that display a plus sign (+) with a checkmark scan normally.

Solution: Modified the state of the folders to have the proper “check”, “check plus”, or “empty” selection.

 

Repeated Full.zip downloads when free disk space is between 700 and 900 MB

Fix ID:  2947400

Symptom: The Symantec Endpoint Protection client repeatedly downloads full.zip files from the server when the client is low on disk space.

Solution: The default required disk space estimate was updated to the current definition size.

 

Forced TruScan proactive threat detections are logged as Trojan Worm

Fix ID:  2948103

Symptom: A forced TruScan proactive threat detection appears as Trojan Worm in the Symantec Endpoint Protection Manager log. The application type for some of these detections may list "tracking cookie." The procedure describing how to force this detection appears in the Knowledge Base article Configuring an exception to force TruScan proactive threat scans to detect a process.

Solution: Resolved an issue where the application type and detection type could both be 0. The new application type will be "Heuristic application."

 

Scheduled/Quick Report filters only saves 255 characters for the Group field

Fix ID:  2953711

Symptom: When you create a saved filter and use the "select" popup for the group filter, the group filter list can be greater than 255 characters. After you save the filter, the list truncates to 255 characters.

Solution: Limited the group filter list to 255 characters. Symantec Endpoint Protection Manager displays an error message if the group filter list is greater than 255 characters.

 

Duplicate entries are not generated in the Symantec Endpoint Protection Manager, despite a change of the hardware ID (HWID)

Fix ID: 2973571

Symptom: Active Directory domain migration can cause a regeneration of the hardware ID (HWID). The HWID value change may not create duplicate entries in Symantec Endpoint Protection Manager as expected.

Solution: Modified the client to resolve an issue when sending a hardware ID update request.

 

LastScannedVersionCheck property added to Lotus Notes documents

Fix ID: 3060147

Symptom: After Lotus Notes Auto-Protect scans an attachment, it adds the LastScannedVersionCheck document property to the attachment, even if you enable the Symantec Endpoint Protection option “NotLeaveScanRecord”.

Solution: Modified the Symantec Endpoint Protection client to properly honor the NotLeaveScanRecord option when enabled.

 

SMC.exe process terminates unexpectedly

Fix ID: 3067417

Symptom: The SMC.exe process terminates unexpectedly with code C0000005 (ACCESS_VIOLATION) when Symantec Endpoint Protection debugging is enabled.

Solution: Resolved an issue in the client debug logging to prevent this crash.

 

Symantec Endpoint Protection recovers only once from a corrupted sdi.dat

Fix ID: 3087001

Symptom: Symantec Endpoint Protection can only recover once from corruption of the SDI.dat file. Symantec Endpoint Protection cannot recover after subsequent occurrences of SDI.dat file corruption.

Solution: Modified the Symantec Endpoint Protection code to restore SDI.dat from SDI.bak if corruption is detected.

 

Scan log incorrectly displays a Scheduled Scan as a Manual Scan

Fix ID: 3093421

Symptom: The scan log incorrectly shows a Scheduled Scan type listed as a Manual Scan type.  

Solution: Updated the logger type in the registry to display the proper scan type.

 

GFValidate.exe process terminates unexpectedly

Fix ID: 3146457

Symptom: The GFValidate.exe process terminates unexpectedly. The Windows event log displays the following message:

"Event ID 1000: Faulting application: GFValidate.exe"

Solution: Modified Symantec Endpoint Protection Manager to handle an exception to prevent the application from terminating unexpectedly.

 

SMC.exe service terminates unexpectedly on designated GUP systems

Fix ID: 3183935

Symptom: On a Symantec Endpoint Protection client computer designated as a Group Update Provider (GUP), the SMC.exe process becomes unresponsive or terminates unexpectedly.

Solution: Modified the SMC code to prevent an unhandled exception. 


Valid ping triggers false positive for "Smurf" attack

Fix ID: 3187443

Symptom: A ping from any computer with an IP address ending in .0 or .255 triggers a false positive detection for a "Smurf" attack.

Solution: Modified the firewall to detect a broadcast address correctly in this situation.
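
Why a last-octet test misfires in the case above, as an added example (not Symantec's firewall code): whether an address is a subnet's broadcast address depends on the prefix length, so a host ending in .0 or .255 can be an ordinary unicast source. The function names, networks and addresses below are constructed for illustration.

```python
import ipaddress

# Constructed sample data: subnets the host knows from its interfaces/routes.
LOCAL_NETWORKS = ["10.20.0.0/22", "192.168.5.0/24", "172.16.9.0/26"]

# Constructed sample addresses to classify.
SAMPLE_ADDRESSES = [
    "10.20.1.255",      # ordinary host inside the /22
    "10.20.2.0",        # ordinary host inside the /22
    "10.20.3.255",      # broadcast address of the /22
    "192.168.5.255",    # broadcast address of the /24
    "192.168.5.7",      # ordinary host
    "172.16.9.63",      # broadcast address of the /26
    "255.255.255.255",  # limited broadcast
]


def naive_is_broadcast(addr):
    """Last-octet heuristic: the kind of test that produces the false positive."""
    return addr.rsplit(".", 1)[1] in ("0", "255")


def is_broadcast(addr, local_networks=LOCAL_NETWORKS):
    """Mask-aware test: true only for a real broadcast address of a known subnet."""
    ip = ipaddress.IPv4Address(addr)
    if ip == ipaddress.IPv4Address("255.255.255.255"):
        return True  # limited broadcast is independent of any mask
    for cidr in local_networks:
        net = ipaddress.IPv4Network(cidr, strict=False)
        if net.prefixlen >= 31:
            continue  # /31 point-to-point links and /32 hosts have no broadcast
        if ip not in net:
            continue
        # All-ones host part, or the obsolete all-zeros broadcast form.
        if ip == net.broadcast_address or ip == net.network_address:
            return True
    return False


def heuristic_errors(addresses, local_networks=LOCAL_NETWORKS):
    """Return the addresses where the last-octet heuristic disagrees with the mask."""
    errors = {"false_positive": [], "false_negative": []}
    for addr in addresses:
        guessed = naive_is_broadcast(addr)
        actual = is_broadcast(addr, local_networks)
        if guessed and not actual:
            errors["false_positive"].append(addr)
        elif actual and not guessed:
            errors["false_negative"].append(addr)
    return errors


if __name__ == "__main__":
    for kind, addrs in heuristic_errors(SAMPLE_ADDRESSES).items():
        print(kind, addrs)
```
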


IllegalThreadStateException in AgentLogCollector task

Fix ID: 3210577

Symptom: The Symantec Endpoint Protection Manager log (scm-server-0.log) references an unknown exception in com.sygate.scm.server.task.AgentLogCollector and provides the following additional details:

SEVERE: Unknown Exception in: com.sygate.scm.server.task.AgentLogCollector
java.lang.IllegalThreadStateException: process has not exited

Solution: Modified Symantec Endpoint Protection Manager to catch an exception and record an appropriate log message. 

 

Whitelisted application is detected by File System Auto-Protect

Fix ID: 3244632

Symptom: File System Auto-Protect detects and quarantines a custom application. The custom application is on the whitelist. 

Solution: Modified the File System Auto-Protect driver to resolve this issue.

SMC.exe process terminates unexpectedly

Fix ID:  3257412

Symptom: The SMC.exe process consumes a large amount of memory and terminates unexpectedly.

Solution: Resolved an issue where the SMC.exe process did not close a handle while querying for the Windows Firewall status from Windows System Center.

Firewall does not detect outbound traffic on Windows XP

Fix ID: 3304422

Symptom: The Symantec Endpoint Protection firewall does not detect outbound traffic on Windows XP. Disabling the QoS Packet Scheduler resolves the issue.

Solution: Resolved a compatibility issue between Symantec Endpoint Protection and the QoS Packet Scheduler to allow Symantec Endpoint Protection to filter outbound traffic correctly.

Symantec Endpoint Protection Manager fails to process 64-bit definitions

Fix ID: 3337423

Symptom: Symantec Endpoint Protection Manager downloads the full.zip for 64-bit antivirus definition content but fails to extract it to the “full” directory. You configured Symantec Endpoint Protection Manager to use a Microsoft SQL Server database.

Solution: Resolved an issue where the antivirus content became too large to upload to a Microsoft SQL Server database.

 

Component versions in RU7 MP4

Component Version
Autoprotect 10.3.8.7
Behaviour Blocking 3.5.3.004
CCEraser 20072.0.1.6
COH 6.1.16.2
Common Client 106.5.7.006
DecABI 1.2.7.1
Defutils 4.1.5.4
ECOM 61.3.0.17
Intelligent Updater 1.0.1.6
LiveUpdate 3.3.0.115
LiveUpdateAdmin 2.3.2
MAC Client 11.0.6970.236
Microdefs 2.7.0.13
QServer 3.6.7300.68
SAV 11.0.7300.228
SNAC 11.0.7300.183
SyKnAppS 3.0.3.3
SymEvent 12.8.6.38
SymNetDrv 7.2.6.1
SymProtect (Tamper Protection) 3.5.1.3
Teefer2 11.0.6970.32
Teefer3 11.0.5602.49
VxMS (MSLight ) 5.2.1.3
WpsHelper* 12.4.0.23
PHP 5.3.16.0
SAVFL 1.0.14
JRE 1.7.0.25
TomCat 7.0.42
Boost 1.53.0
LibPNG 1.5.15
LibXML 2.9.1
OpenSSL 1.0.1e
cURL 7.31.0

 

 

Release Update 7 Maintenance Patch 3 (RU7 MP3)


For complete information on new features in this release, system requirements, and known issues, see this document. For new fixes and component versions, see below.

The LiveUpdate log file size does not save the default size setting in the settings.liveupdate file
Fix ID: 2516181
Symptom: As the size of file log.liveupdate increases, the default size setting is not saved in the settings.liveupdate file.
Solution: Fixed a cleanup call that was not invoked correctly.

Updating Symantec Endpoint Protection Manager from RU5 to RU7 fails
Fix ID: 2565649
Symptom: After you download the RU7 LiveUpdate definitions, event IDs 11328 and 1023 appear in the Symantec Endpoint Protection Manager log.
Solution: Older versions of MSIMSP sometimes create incompatible patches. Updated MSIMSP to the correct version.

Heuristic scans detect and block the application
Fix ID: 2587958
Symptom: A streamed virtualized application does not launch on the client. You can see an incorrect hash value for that application in the Symantec Endpoint Protection Manager log.
Solution: Fixed the issue by making sure that scans now correctly detect and allow a virtual application.

Symantec Endpoint Protection takes a long time to compile the profile for client groups
Fix ID: 2607064
Symptom: PackageTask takes a long time to compile the profile for client groups.
Solution: Improved the performance of XML serialization and handling multiple threads.

An email message that is based on a saved email is replaced by a draft email message
Fix ID: 2635881
Symptom: After users send a previously saved and scanned email that includes an attachment, the saved email is deleted and replaced by an identical draft of the saved email message.
Solution: The problem was caused by properties being added after the saved email was scanned. The properties caused the saved email to be unrecognized. Corrected.

Large database files are cloned for scans
Fix ID: 2642450
Symptom: The server becomes unresponsive or is brought down after a scheduled scan leaves behind a large number of .tmp files.
Solution: Fixed the issue by changing when database files are cloned.

Threats delivered through email in a non-modifiable container are not deleted
Fix ID: 2646790
Symptom: A threat that is delivered through email in a non-modifiable container, such as .rar or .cab, is detected but not deleted, regardless of the Antivirus and Spyware policy action for the threat. You can only clean the threat after you save and unzip it to the hard disk.
Solution: Fixed the issue by quarantining the email.

The Symantec Endpoint Protection firewall interferes with Microsoft Direct Access
Fix ID: 2653542
Symptom: Microsoft Direct Access does not work after you upgrade to Symantec Endpoint Protection RU7 (11.0.7000.975).
Solution: Fixed the issue by appending an Ethernet header into that packet.

Windows Firewall messages are not disabled in the Symantec Endpoint Protection Manager System log
Fix ID: 2656231
Symptom: The System log contains messages about the Windows Firewall, even after logging is disabled. The Windows Firewall service starts after the smc service starts. Therefore, the smc service cannot find the Windows Firewall server, and considers the Windows Firewall to be disabled.
Solution: Fixed the issue by having the smc service wait for the Windows Firewall service to start.

Client downloads content from Symantec Endpoint Protection Manager even when policy indicates it should obtain content from the Group Update Provider (GUP)
Fix ID: 2660859
Symptom: When the client switches from a GUP location to an external LiveUpdate location, sylink.xml tries to download content from Symantec Endpoint Protection Manager.
Solution: Before content is downloaded, the LiveUpdate thread in sylink.xml checks whether the "SEPM channel" has been disabled. If disabled, the moniker is deleted from the queue.

The time stamp changes on restored quarantined files
Fix ID: 2661232
Symptom: The original time stamp on a file changes after being restored from the quarantine.
Solution: Fixed an issue where the time stamp and the attribute of a file are modified after being restored from the quarantine.

Mismatch between reported clients in the Unmanaged Detector report
Fix ID: 2663136
Symptom: The total number of clients on an Unmanaged Detector report does not match the actual number of devices listed.
Solution: The Unmanaged Detector report now includes the total number of detected unknown devices and the unique number of unknown devices.

Reporting server hangs
Fix ID: 2697341
Symptom: Accessing the reporting server from a web browser hangs.
Solution: The problem is caused because Internet Explorer cannot find the HTML body before the web page is loaded. Fixed the issue by modifying the body-checking mechanism, which results in lower CPU consumption.

Server logs show that the Antivirus and Spyware policy was corrupt after migration from SAV 10.x
Fix ID: 2699388
Symptom: The log file states that the Antivirus and Spyware policy is corrupt when it is not.
Solution: Fixed the issue, which was caused because some Antivirus and Spyware policies did not have the necessary Auto-Protect actions. This generated a log entry in Symantec Endpoint Protection Manager.

Time lag in copying Risk log
Fix ID: 2702682
Symptom: Risk logs are transferred to the external Syslog Server with a delay of between 15 minutes and 2 hours.
Solution: Fixed the code that caused the delay.

The management server does not remove the database backup files
Fix ID: 2703417
Symptom: The "Remove the database backup files during uninstall" feature doesn't work if the server data folder has been moved.
Solution: Fixed by deleting the current data area in conf.properties when the data and backup folders are deleted.

Errors are generated due to disabled loopback adapter
Fix ID: 2704835
Symptom: "Authentication failure. Please try again" errors are generated by securitynotifytask or scheduledreportingtask when the owner/creator of the notification or report is valid.
Solution: Fixed the code to allow the IP request from the local computer.

Folder exclusions for scans do not work
Fix ID: 2705877
Symptom: Exclusions for a folder in the format of \foldername work for Auto-Protect but fail for manual and scheduled scans.
Solution: Fixed by expanding the folder exclusions for all possible drives. Folder exclusions now work for manual scans.

Notification not logged in notification view
Fix ID: 2712563
Symptom: "Single Risk Event" notification is not logged in the notification view in Symantec Endpoint Protection Manager when the event was triggered.
Solution: When a single risk event occurs, Symantec Endpoint Protection Manager now writes it to the database, where you can view it by clicking Notifications > View notifications.

Connection pool timeout on Symantec Endpoint Protection Manager
Fix ID: 2713908
Symptom: Cannot connect the Symantec Endpoint Protection Manager console with the database.
Solution: Deleted the unnecessary database connections that do not close.

Clients do not update definitions downloaded from Symantec Endpoint Protection Manager
Fix ID: 2715989
Symptom: After the clients come out of standby, the definitions are not updated until after Symantec Endpoint Protection Manager is restarted.
Solution: Fixed so that LiveUpdate restarts after the client computer recovers from standby.

"Definitions out of date" notification is not triggered
Fix ID: 2726085
Symptom: The notifications for "Definitions out of date" do not trigger if the "Computer name" filter is applied.
Solution: Fixed an issue where the SQL parameter "Computer name" was not set.

Virus definitions use too much disk space
Fix ID: 2733222
Symptom: Virus definitions are not removed after updates, which use a large amount of disk space.
Solution: Cleaned up definitions directories that were caused by a failure from integrating definitions.

Registry value not cleaned up
Fix ID: 2733251
Symptom: Some registry keys were left behind after uninstalling the client.
Solution: Fixed by deleting the registry keys that were added after initial installation.

Some system files are not visible in the unmanaged client user interface
Fix ID: 2740080
Symptom: Unable to exclude VMMS.EXE and VMWP.EXE in W2K8R2 in an unmanaged SEP 11.0 RU7 MP1 client.
Solution: Fixed the issue by calling an API that allows the viewing of all system files.

Remote push install of Symantec Endpoint Protection 11 RU7 MP1 with Lotus Notes email plug-in displays an error
Fix ID: 2743085
Symptom: When other users attempt to log on to the computer during a remote push of the client with the Lotus Notes plug-in, the following error message appears: "The User Profile Service failed the logon user profile cannot be loaded."
Solution: Added an API to retrieve the correct environment variable to correctly set the path in the registry key.

With Lotus Notes plug-in, the existing user can log on but new user gets error message
Fix ID: 2757734
Symptom: Limited admins can log on to the management server, but get the following error message: "Symantec Antivirus has stopped working." The nlnvp.dll is not loaded in nlnotes.exe and is not included in notes.ini file.
Solution: Fixed an issue that was not making the correct calls.

Older definitions are not removed
Fix ID: 2765535
Symptom: Virus definitions are sometimes not removed after being updated.
Solution: Fixed by allowing the removal of older definitions per customer settings.

.err files are not cleaned up
Fix ID: 2767546
Symptom: Files with the .err extension are produced but not cleaned up. This causes the parsing of events to be missed by Symantec Endpoint Protection Manager.
Solution: Fixed the code to bypass the error. Symantec Endpoint Protection Manager will continue to process the log and log the error line.

Limited admins cannot see LiveUpdate policy
Fix ID: 2770776
Symptom: The LiveUpdate policy does not appear correctly for limited administrators.
Solution: Fixed the issue by displaying the user selection for the limited administrator even if the checkbox is read-only.

Many *.tmp files are created under Common Client folder
Fix ID: 2775251
Symptom: After an Auto-Protect remediation and client restart, some .tmp files may remain in the \alluser\symantec\CommonClient folder.
Solution: Fixed the issue by adding a registry key to control the Auto-Protect thread exit time threshold (60 seconds by default).

Smc service crashes when using the Group Update Provider (GUP)
Fix ID: 2777440
Symptom: The GUP crashes in an environment without the bypass list in the current user's proxy settings.
Solution: Fixed by adding a null pointer check when copying the settings.

Symantec Endpoint Protection Manager Scan log status is not updated
Fix ID: 2778391
Symptom: The scan status of the Scan log doesn't get updated when an administrator-defined scheduled scan is suspended and then completed.
Solution: Fixed by adding the suspended event into a list of known events that the management server will process.

Scan time is not reported
Fix ID: 2782191
Symptom: The Symantec AntiVirus for Linux client does not report the last scan time to Symantec Endpoint Protection Manager.
Solution: Fixed by updating the LAST_SCAN_TIME in the table when processing the Security log from the Symantec AntiVirus Linux client.

Incorrect grouping in Symantec Endpoint Protection Manager reports
Fix ID: 2783830
Symptom: The Group by field in Symantec Endpoint Protection Manager reports always groups by the "Risk Severity" category. The correct Group by appears in edit mode.
Solution: Fixed by correcting the "group_by" string values.

RADIUS settings not saved for the Enforcer
Fix ID: 2791090
Symptom: The management server does not save the Enforcer RADIUS settings.
Solution: Fixed by removing a broken or unused management server list. When you edit the Enforcer properties, the broken or unused management server list is now skipped.

File or folder exclusions do not appear in the client
Fix ID: 2798801
Symptom: With Windows Server 2008 R2 Core and Symantec Endpoint Protection 11 RU7 MP1 or MP2, you could not add a folder or file exception in the Symantec Endpoint Protection client.
Solution: Fixed the issue by removing the flag that displays the browse dialog correctly.

Unmanaged client appears in the Symantec Endpoint Protection Manager console
Fix ID: 2800124
Symptom: When you create and deploy a client installation package using the default group policy settings but with the Use Group Communication Settings setting turned off, an unmanaged client is installed.
Solution: Fixed an issue to remove the location-level communication settings in the exported package.

Symantec AntiVirus for Linux logs are not replicated
Fix ID: 2804484, 2915591
Symptom: Symantec AntiVirus for Linux logs do not get replicated to remote sites.
Solution: Fixed an issue where legacy clients were deleted from some tables during replication.

Replication failed
Fix ID: 2810324
Symptom: The replication fails continuously. The data.zip file is generated and transferred, but replication is not successful.
Solution: Fixed this issue by cloning the default management server list in the Enforcer's policy.

End user can stop administrator-defined scans
Fix ID: 2823247
Symptom: Normally, when an administrator-defined scan runs and the scan dialog appears, users are not allowed to stop the scan. However, users can still stop the scan by pressing the Return key.
Solution: Fixed so that the admin setting is correctly processed if a user tries to stop a scan.

Clients do not communicate with Symantec Endpoint Protection Manager after a failed migration
Fix ID: 2823318
Symptom: After a failed migration from a 32-bit management server to a 64-bit management server, some clients stop communicating with the management server. To work around this issue, you could reimport the sylink file.
Solution: Fixed the issue by synchronizing the certificate between the database and the disk.

GUP list is reset
Fix ID: 2823881
Symptom: The GUP list is reset at midnight during database maintenance.
Solution: Fixed an incorrectly used operator in the SQL query.

Cannot log filename or directory name with "L SC" option
Fix ID: 2825062
Symptom: vpdebug.log cannot log the .dbcs file name and directory name with the "L SC" option. This happens on files or folders that contain unicode characters.
Solution: Fixed the issue by converting the unicode character to a multi-byte character in the function.

Lotus Notes scan records are left on the client computer
Fix ID: 2834021
Symptom: The default behavior is for scan records for Lotus Notes to remain on the client computer. You had to change the default value on each computer manually.
Solution: The default setting in the registry for Lotus Notes Auto-Protect is now "NotLeaveScanRecords=1."

OEMxx.inf files are deleted
Fix ID: 2838172
Symptom: The oem13.inf and oem14.inf files are deleted when uninstalling the client.
Solution: Fixed the issue by checking whether files are Symantec drivers before the files are deleted.

When Application and Device Control is enabled, Firefox hangs when user accesses pages with Flash content
Fix ID: 2877820
Symptom: When Application and Device Control is enabled, and the user accesses Flash-based content with Firefox 13.0.1 and the Flash player plug-in 11.3.300.242, the browser hangs and the user must kill the process manually.
Solution: Fixed the issue that caused the hang.

The Symantec Endpoint Protection Manager service crashes
Fix ID: 2883310
Symptom: The management server service crashes when you use a different version of the Java remote console.
Solution: Fixed the issue by adding a product version check (excluding the build number) between the console and the management server.

Performance impact with Limited Admin rights
Fix ID: 2885818
Symptom: The Home page and the client groups take a long time to load in the Symantec Endpoint Protection Manager Java remote console when you are logged on with a limited administrator account.
Solution: Improved the limited administrator performance issues and reduced the number of times the administrator context is reloaded.

Scan status in the Scan log is not getting updated
Fix ID: 2887476
Symptom: Scan status in the Scan log doesn't get updated when an administrator-defined scheduled scan is suspended and then completed.
Solution: Fixed an issue where the suspended status and scan complete info was not recorded correctly.

Pie chart rendering failure with error ezcGraphInvalidDataException
Fix ID: 2898439
Symptom: There is a pie chart rendering failure on the Symantec Endpoint Protection Manager Monitor tab > Comprehensive Risk Report > Risk Distribution graph.
Solution: Fixed an issue to deal with the computed percent value if it is < 0.
 

Component versions

Component Version
AutoProtect 10.3.8.7
Behavior Blocking 3.5.3.004
CCEraser 20072.0.1.6
COH 6.1.16.2
Common Client 106.5.7.006
DecABI 1.2.7.1
Defutils 4.1.5.4
ECOM 61.3.0.17
Intelligent Updater 1.0.1.6
LiveUpdate 3.3.0.115
LiveUpdateAdmin 2.3.1
MAC Client 11.0.6970.236
Microdefs 2.7.0.13
QServer 3.6.7300.64
SAV 11.0.7300.228
SNAC 11.0.7300.183
SyKnAppS 3.0.3.3
SymEvent 12.8.6.38
SymNetDrv 7.2.6.1
SymProtect (Tamper Protection) 3.5.1.3
Teefer2 11.0.6970.30
Teefer3 11.0.5602.47
VxMS (MSLight ) 5.2.1.3
WpsHelper* 12.4.0.23
PHP 5.3.14.0
SAVFL 1.0.14
JRE 1.7.08
TomCat 7.0.27
Boost 1.49
LibPNG 1.2.47
LibXML 2.7.8
OpenSSL 0.9.8x
cURL 7.26.0

 *WPSHelper updates to the latest available version when LiveUpdate runs successfully.

 
 

Release Update 7 Maintenance Patch 2 (RU7 MP2)


For complete information on new features in this release, system requirements, and known issues, see this document. For new fixes and component versions, see below.

New fixes in this version

Auto-Protect and Scheduled Scan (ERASER) behave differently on risk detection
Fix ID: 2030979
Symptom: When scan actions are set to first "Clean Risk" and second "Quarantine", a scheduled scan Quarantines risks while Auto-Protect deletes them.
Solution: Actions taken by Auto-Protect are now the same as the actions taken by a manual or scheduled scan.

Files re-detected during Defwatch scan
Fix ID: 2067778
Symptom: DWHxxxx.tmp files are being re-detected when Defwatch scan is running.
Solution: Fixed some scan issues, making the scan faster. Also created a separate folder to rescan Quarantine items that can be used to create exceptions.

Client Security Alert Notifications do not contain data
Fix ID: 2100605
Symptom: Client Security Alert Notifications appear with no data.
Solution: Expected data was not returned upon a query. Fixed the query.

Cluster Server becomes non-responsive
Fix ID: 2228502
Symptom: Cluster Server becomes non-responsive when the server transitions from one node to another.
Solution: Moved the query of the mounted directory of the module out of the network traffic data checking cycle.

smc.exe crashes when a large number of locations are configured
Fix ID: 2235166
Symptom: smc.exe crashes during an autolocation switch by accessing an invalid address within a released object.
Solution: Fixed a problem in maintaining the hash table of DNS host entries.

Database becomes corrupted
Fix ID: 2248662
Symptom: Database becomes corrupted after replication.
Solution: If an exception occurs while adding a group in the User interface, SEPM removes the group from Cache before the next save.

Cancelling sending Internet email with a large attachment file when Internet Email Auto-Protect is enabled causes the attachment file to be broken
Fix ID: 2249511
Symptom: When a user cancels sending email with Internet Email Auto-Protect enabled from Windows Mail (SMTP/POP3 mailer) while the mailer is sending the message, the message gets sent to the address although it is cancelled. If the mail has attachment files of large size, the attachment arrives broken.
Solution: Changed to correctly handle the situation when a cancel command comes in while data is being prepared.

Differences in number of scanned files between Administrator and Users
Fix ID: 2282822
Symptom: The number of files scanned as Domain Administrator and Domain User is different.
Solution: Created a new folder, DecTemp, with rights to everyone so that the compressed files can be scanned via Decomposer.

APQxxxx.tmp files are being re-detected by scheduled or manual scan.
Fix ID: 2326228
Symptom: Threats detected by Auto-Protect are not added to Quarantine, and an infected APQxxxx.TMP file is left behind.
Solution: Corrected the error handling when failure occurs.

Error handling in case of Auto-Protect detected threats
Fix ID: 2344862
Symptom: If Quarantine folder access is blocked, scan results say Quarantine Successful, and (infected) APQxxxx.TMP file is left behind.
Solution: Detect the problem, log the related information, and delete the APQxxxx.TMP file.

SEPM does not create deltas in time
Fix ID: 2379262
Symptom: SEPM cannot create deltas quickly enough to satisfy large numbers of requests. The server gets multiple requests for the same delta, causing it to spend more time handling these requests. This takes away from actually creating the delta.
Solution: Added a delta request hash table to Secars. It will hold a list of pending requests and only send new requests to SEPM.

Clients cannot connect to server after performing threat tests
Fix ID: 2380290
Symptom: Server connectivity is lost after performing tests.
Solution: Reset the blocking flag after a connection is closed and set a limitation to SEP firewall TCP and UDP session.

Live Update fails
Fix ID: 2401024
Symptom: Event 1001 & 1004 occur, and LiveUpdate fails after deleting the old data folder.
Solution: Fixed a problem involving the Windows registry caused by the Windows Installer health check and self-repair.

'Scheduled Scan when user not logged in' is performed even after Administrator disallows it
Fix ID: 2407550
Symptom: The user-defined scheduled scan when no users are logged in is performed even when it is disabled through Anti policy.
Solution: Disable the corresponding “Perform the scheduled scan even when no users are logged on” option in UI.

Scan runs twice
Fix ID: 2409368
Symptom: Scheduled scan runs 3 minutes after the last missed scheduled scan completes.
Solution: Fixed an issue where incorrect information was added into the registry key.

Quarantine server fails to connect to gateway.dis.symantec.com to submit files or download new definitions
Fix ID: 2419298
Symptom: Quarantine server 3.6 does not pass credentials for firewall/proxy that is configured in quarantine server console.
Solution: Added additional code to handle authentication needed by proxy (resolves error 407).

SEP cannot control Windows Firewall
Fix ID: 2419842
Symptom: Windows Firewall is enabled if IP address is renewed/released.
Solution: Added code to detect whether the SEP firewall has been enabled on Win7/2008R2 and, if not, to retry enabling it. Also added code to handle a very rare case where a call failed on Win7/2008R2 if the network service is not ready and the call returns a non-failure code.

PTP is off with "Waiting for updates" status
Fix ID: 2426074
Symptom: When updating the PTP definition, RUNDLL32.EXE fails to find the "Documents and Settings\All Users\Application Data\Symantec\SyKnAppS\SyKnAppS.dll" path.
Solution: Enhanced DIS engine to check for Short File Name to Long File Name conversion behavior setting.

Scan of USB drive does not pop up with scan window
Fix ID: 2438735
Symptom: If a USB drive is attached to the system and the file system within it is empty, the right click scan does not do anything.
Solution: Added error handling to deal with this case and show appropriate error dialog window.

Client cannot communicate with SEPM because SMC hangs
Fix ID: 2441903
Symptom: SMC hangs when receiving new AV commands, if it is processing some AV commands at the time.
Solution: Make a local copy of command list before releasing a plug-in lock. This prevents the hang.

Cisco's VPN does not work when selected
Fix ID: 2450673
Symptom: When Location Criteria > Network Connection Type is set to [Cisco VPN], Cisco's VPN does not work.
Solution: There is a known limitation where "connection type = Cisco VPN" doesn't work with Cisco AnyConnect. The customer can use "NIC description" and "DNS suffix rule" as a workaround to this limitation.

Script error message appears in Java remote console
Fix ID: 2486836
Symptom: In French language SEPM, a script error message appears in Java remote console > Monitors > Logs/Reports.
Solution: Escape all single quotes in a text message passed as an input parameter to a JavaScript function.

Location specific Liveupdate policies are not correctly set
Fix ID: 2488603
Symptom: When "Remember Last Location" is disabled, location-specific Liveupdate policies are not correctly set at boot time.
Solution: First do checking, comparing and updating of the policy hash. After that, if it is the first time, force a policy update. Otherwise, perform the update based on the return value of the initial checking.

Scheduled report of Application and Device Control shows no data
Fix ID: 2510697
Symptom: When SEPM sends the Scheduled Report for Application and Device Control, only the "Default" filter shows data. When using the "Custom" filter, the data is reported as "No Data."
Solution: An incorrect filter was used when using customized filter. Fixed it.

Installation of SEP 11 causes Lotus Notes plug-in to crash
Fix ID: 2513096
Symptom: Lotus Notes Plug-in crashes causing user-specific Notes data directories not to be created.
Solution: Some internal pointers were not correctly initialized. Fixing this resolves the issue.

SEPM "unknown exception: 0x10010000" error: com.sygate.scm.server.task.TelemetrydataTask, referencing HTTP 409 conflict
Fix ID: 2513174
Symptom: SEPM generates this error frequently: "unknown exception: 0x10010000".
Solution: Provide an exception handler for an HTTP error that was previously not handled correctly.

Windows Security Center reports that virus protection is Off
Fix ID: 2517760
Symptom: Windows Security Center reports that virus protection is off when definitions are loaded.
Solution: During the definition update, the 'Virus Protection' status is not updated. Fixed.

Java app loses connection with SEP installed
Fix ID: 2519427
Symptom: The application downloads .jar files on startup to function. Downloads are never completed.
Solution: Increased the internal buffer cache to avoid this issue.

SMC Fault : IdsTrafficPipe!ParseString
Fix ID: 2525143
Symptom: Smc.exe crashes when applying a new custom IPS library.
Solution: Changed code to safely exit the string delimiter when reaching the end of the string.

Web console does not work correctly when using SSL and Self-signed certificates
Fix ID: 2525234
Symptom: Host name is converted to IP Address in web console upon login.
Solution: Removed the code that specifically converted hostname to IP address for web console during login.

Configured scans are not printed correctly
Fix ID: 2525405
Symptom: The "doscan /list" command does not print the configured scans correctly.
Solution: Set Locale correctly and convert the Unicode scan name data to the appropriate character set.

Smc.exe takes up CPU during idle time
Fix ID: 2525510
Symptom: Very high CPU usage on any computer with many TDI connections known to wpsdrvnt.
Solution: Optimize the code to improve performance.

"Security Risk found" message is not recorded in Windows application event log
Fix ID: 2525521
Symptom: When an infected file within a zip archive is scanned and the file path length is more than 26 bytes, an event ID 51 "Security Risk Found!" is not recorded in the Windows application event log.
Solution: Fixed the parsing of the log events before it adds the entry to the event log.

User-specific notes directories are not created
Fix ID: 2526318
Symptom: Lotus Notes Plug-in crashes, causing user-specific Notes data directories not to be created.
Solution: Some internal pointers were not properly initialized. Fixing this resolves the issue.

Unable to install SEP
Fix ID: 2527479
Symptom: Installation rolls back during the configuring services stage.
Solution: Fixed the error with buffer overrun that causes installation to be rolled back.

Client can't come back to the previous Group Update Provider (GUP) if it has already been shut down
Fix ID: 2531477
Symptom: If there are two GUPs, A and B, where A is off and B is on, clients will download from GUP B. If B is turned off and A is turned on, the client insists on downloading from B and does not try A again.
Solution: If the end of the list is reached, reset the GUP to "NO_RESPONSE" status. Then in the next try, Sylink will iterate from the start.

Modification date of Notes document is changed while Notes Auto-Protect is enabled
Fix ID: 2534512
Symptom: When an attachment file is opened, it is scanned, even though the Notes document has not been updated or the virus definition has not been updated since the last scan for the temporary file.
Solution: Improved the bookkeeping function on when an attachment is scanned, so that the plug-in skips the file next time if it remains unchanged.

Enforcer groups become corrupted after a policy export/import, if replication is used
Fix ID: 2536571
Symptom: Enforcer groups become corrupted after policy export/import and replication, with an "unexpected exception" error. DBvalidator errors exist.
Solution: Use the existing Enforcer policy object reference when importing the policy, since the same object reference exists in the remote partner.

Error message after upgrading from SEP11
Fix ID: 2551819
Symptom: Issues when restarting the system. Error message "The Extend WG Protocol Driver service failed to start due to the following error: The system cannot find the file specified."
Solution: Fixed an issue with updating a registry entry (both 32bit and 64bit).

SEP Firewall blocks USB-over-wireless traffic
Fix ID: 2556466
Symptom: Wireless mouse interoperability problem with SEP Firewall.
Solution: Added default firewall rules to allow for client control mode and USB over IEEE802.

Sustained SMC.exe CPU utilization on virtualized Windows 2003 32-Bit Citrix XenApp terminal
Fix ID: 2559467
Symptom: Very high CPU usage on any machine with many TDI connections known to wpsdrvnt.
Solution: Better handling of how simultaneous calls are prioritized and processed.

Custom Application Control rule in place with test mode causes blue screen crash
Fix ID: 2559560
Symptom: Enabling a custom rule to block access to VPN configuration files in test mode only causes random crashes.
Solution: The process information list was damaged. The issue was resolved by adding a lock when doing process information updates.

Incorrect count of computers with out-of-date IPS and total computer count
Fix ID: 2559712
Symptom: From the Security status detail, the count of IPS out-of-date is more than the SEP endpoints that included the NTP feature.
Solution: Clients that do not have the Firewall feature are excluded.

ScanDuration DWORD value is not removed from registry when disabled through policy
Fix ID: 2561077
Symptom: Full system scans scheduled weekly with missed events, scanning limit and scan start randomization enabled fail to complete. They are logged as "scan suspended" after a few minutes of scanning.
Solution: Fixed the issue that SEPM was not updating the default profile correctly.

Firewall malfunctions after migrating unmanaged client from SEP 11.0 RU7 to SEP 12.1
Fix ID: 2567235
Symptom: Firewall malfunctions after migrating unmanaged client from SEP 11.0 RU7 to SEP 12.1. The issue is temporarily fixed after reinstall but then fails.
Solution: The order of deleting a particular registry key and system file has been corrected.

SEPM sends notifications related to "The root cannot be deleted"
Fix ID: 2570868
Symptom: "The root cannot be deleted" appears when the querying ID contains an invalid character.
Solution: Changed the code related to the relevant error message.

Volume Shadow copies fail to be created in a clustered environment after a scheduled scan
Fix ID: 2575285
Symptom: After a scheduled scan, the VSS service can no longer create shadow copies on the mount drive for the mounted volume.
Solution: A problem in how ccScan is integrated with Windows Single-Instance Store (SIS) and its backup was corrected.

PSLucomServer_3_3.DLL is missing from 11.0.6 clients that repeatedly download TruScan definitions
Fix ID: 2575446
Symptom: The file is missing after rebooting the computer.
Solution: Fixed an issue where a file was deleted but the registry key was not cleaned up.

Application rule to allow traffic does not function
Fix ID: 2575698
Symptom: SEP Firewall blocks traffic to an application despite a rule allowing the application by file name and path.
Solution: Fixed an issue in teefer3 that caused a "\" character to be removed in the path.

Installing Network Threat Protection (NTP) causes loss in communication
Fix ID: 2575843
Symptom: Installing SEP with NTP causes the client to lose all communications with SEPM. All other network traffic remains unaffected.
Solution: Fixed the issue where a needed attribute was missing from a specific dll.

Process SecurityMiningTask can not lock the process status table
Fix ID: 2576036
Symptom: There are two symptoms for this.

  • There is a repeated message in the server console: "process SecurityMiningTask cannot lock the process statustable. The process status has been locked by the server"
  • In the server log there are related lines: "FINEST: Blob data: Host Integrity check failed to complete because the configuration file is not complete or has been corrupted".

Solution: Started filtering old security logs that are already processed and added a setting to avoid missing records.

Unexpected behavior when out of space for definitions on SEPM
Fix ID: 2582206
Symptom: When SEPM runs out of disk space to store definitions, unexpected behavior occurs.
Solution: SEPM now checks disk space on functions that require writing to disk. Two new settings are added in conf.properties file:

  • scm.server.diskspace.warning=1024
  • scm.server.diskspace.severe=512

Units are in MB, and default values are as noted above.

A newly added group is broken
Fix ID: 2585686
Symptom: Exceptions happen while adding a group. Consequently, SemClientGroupTree modification and SemGroupPolicy inserting also fail.
Solution: Remove the group when exception happens during "add a new group" in UI.

Incorrect date and time while running Comprehensive scheduled reports
Fix ID: 2593263
Symptom: The "Risk comprehensive scheduled reports" do not update the time range even if the scheduled report is run repeatedly.
Solution: A field was added. Another issue was fixed with legacy data table settings.

After upgrading SEPM to RU7, Java Heap space errors and "OutOfMemoryError: GC overhead limit exceeded" error when replication is triggered
Fix ID: 2595106
Symptom: The size of the object that records site information keeps growing.
Solution: Corrected the mechanism that records the site information such that it does not cause memory issues.

Error: "Unexpected console error 0x80010000" and broken links on SEPM group policy
Fix ID: 2597044
Symptom: After a failed replication, the following message is seen on SEPM: "Unexpected console error 0x80010000"
Solution: Remove the group when an exception happens while adding a new group in the UI.

On a computer low in resources, blue screen error may occur while running a vulnerability scan
Fix ID: 2598652
Symptom: Blue screen error occurs on some computers after upgrading to RU7 and running vulnerability scans.
Solution: Fixed an issue where an access is made without checking the validity of the data.

Client count in SEPM computer status report doesn't match count in group details tab
Fix ID: 2600601
Symptom: SEPM Computer Status report has a different client count than the Clients tab.
Solution: Use the same logic to query registered computer and user count between client details, client properties and computer status report.

SMC crashes periodically
Fix ID: 2606596
Symptom: GUPs experience periodic crashes on application Smc.exe. Fault address 0x00014eee.
Solution: Fixed an issue where memory used by the cache list wasn't released after a memory allocation failure when loading content. Also fixed a second issue: if the cache file of a valid cache entry is removed from disk, the status of the entry is now reset and the file is downloaded again.

Clients are not blocking as expected when using the blacklisting feature
Fix ID: 2608450
Symptom: Blacklist policies are not effective.
Solution: Fixed an issue where the policy parsing function does not download the protectionxx.dat file correctly.

An administrator account with space in the name cannot be deleted if it owns a scheduled scan
Fix ID: 2612812
Symptom: The following message appears: "Unexpected server error [0x10010000]"
Solution: Encoded the owner name in the URL request string.

SEPM service crashes when accessed by incorrect console
Fix ID: 2614798
Symptom: In the local console of RU7 SEPM, if server field is changed from localhost to point to an RU6 MP3 SEPM, then by logging in as SEPM administrator and clicking on client tab, RU6-MP3 SEPM service crashes.
Solution: Fixed SEPM to log the exception at both client and server console and server.

Removal of a policy removes all related historical activity entry of that policy
Fix ID: 2614962
Symptom: If the policy is removed, all of the related historical activity pertaining to that policy is also removed even though in Monitors > Logs > Audit, the historical entry is still present.
Solution: Fixed so that, for policies and policy components, all logs that belong to the domain and the same object type are shown.

SEPM risk reports do not show anything after TruScan Risk log filter is enabled
Fix ID: 2620537
Symptom: There are options under Advanced filter settings for Risk logs for PTP events in scan type filter (Truscan). Therefore it is expected that PTP events in Risk Logs will be seen.
Solution: Truscan related options are removed from event type on risk log pages.

During upgrade of Hummingbird Exceed V.14 on systems with the SEP client, the install fails
Fix ID: 2622110
Symptom: During upgrade of Hummingbird Exceed V.14 on SEP client the install fails with the following error: "Open Text Exceed 14 -- Error 1406.Could not write value to key \Xstart.XstartCom.1\CLSID. System error Verify that you have sufficient access to that key, or contact your support personnel."
Solution: Rolled back an earlier fix that caused this issue.

"OutOfMemoryError: GC overhead limit exceeded" errors
Fix ID: 2623401
Symptom: Messages appear that indicate out of memory on SEPM.
Solution: Added a limitation on the minimum value of date filtering to avoid querying records that are old. The configuration in conf.properties is: scm.securityalertnotifytask.analyzetimerange.deltaforminimum

Out of Memory Messages
Fix ID: 2628941
Symptom: Many login requests in a short amount of time result in out of memory message.
Solution: There were two changes made to fix this issue.

  • The cookie was saved correctly after login to tomcat in notification task. This allowed terminating the session properly after logoff.
  • Session info is now recorded in the log file owned by thread.

Searching for invalid client ID causes an exception
Fix ID: 2634470
Symptom: While searching for Client by computer ID, entering an invalid ID causes an exception.
Solution: This action is by design. To improve the error handling, the blank spaces in "Logon User Name" and "Computer Name" are now not trimmed, but the blank spaces in "Computer ID" are now trimmed.

"Authentication failure" errors
Fix ID: 2635104
Symptom: Repeated "authentication failure" errors are seen on the Admin > Servers page in the SEPM. The System Server Activity Logs show many errors and the error type reads "An unexpected exception has occurred".
Solution: This issue is seen when the owner of a report is deleted. The fix is to allow a notification to be generated and to allow changing the ownership of the report.

Internal LiveUpdate server fails to connect when double byte characters are used in Server name
Fix ID: 2635398
Symptom: SEP client is unable to connect to internal LiveUpdate server with authentication information (user ID/password) supplied by a LiveUpdate policy, if the "Server name:" field in the LiveUpdate policy includes MBCS character string.
Solution: Provide the right data so that decryption key can be correctly generated.

The duration for weekly scan retry time changes
Fix ID: 2637991, 2647871
Symptom: The upper limit for weekly scheduled scans is seven (7) days. It shows up as three (3) instead.
Solution: Fixed the issue where the maximum duration was incorrectly showing as three (3) days.

Interrupted Active Directory Sync results in widespread client group deletion
Fix ID: 2638516
Symptom: SEPM drops or deletes a large number of Active Directory synchronized client groups from the SEPM.
Solution: The issue was with Active Directory synchronization continuing to run even when a communication exception occurred. This is now fixed and Active Directory synchronization is now interrupted.

Adding PTP feature using Auto-Upgrade does not follow update schedule
Fix ID: 2639011
Symptom: The upgrade starts immediately and does not follow the upgrade schedule. This happens if the upgrade package version is the same as the installed client version and auto-upgrade function is used to update client features.
Solution: Added a specific return code to handle this scenario. SMC returns this code to indicate that the upgrade package is needed, but it does not have to be downloaded. The upgrade schedule and user notification are controlled. When there is a request for upgrade it is fulfilled from the cache. If applying new features with cached installer fails, a full package is downloaded from the server.

Modification date of Lotus Notes document is changed while Lotus Notes Auto-Protect is enabled
Fix ID: 2641800
Symptom: When Lotus Notes Auto-Protect scans attachments of a Lotus Notes Journal Document, it records some text properties to the document. This is done so Lotus Notes Auto-Protect can determine whether it's necessary to scan the attachments when it is opened. This reduces the number of attachment scans and improves system performance. However, after the scan runs for attachments, the Lotus Notes GUI shows that the document has been updated.
Solution: Added the following registry value. If this registry value exists and is set to 1, Lotus Notes Auto-Protect does not leave the records after scanning attachments.

  • Registry Key:
    (for x86) HKLM\Software\Symantec\Symantec Endpoint Protection\AV\Storages\LotusNotes
    (for x64) HKLM\Software\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\LotusNotes
    Registry Value: NotLeaveScanRecords
    Type: REG_DWORD
    Data: 1 (not to leave the records after scanning attachments), or other

Note: Setting the registry value to 1 may cause performance impact as attachments are scanned every time they are opened.

Sysfer injection causes the "M-Files" application to stop responding
Fix ID: 2643257
Symptom: The M-Files application hangs when a new file or document is created.
Solution: The presence of the sysfer.dll module causes the mfclient.exe process to stop responding when a new document or file is created. The fix is to use an extra critical section and separate the code to avoid calling Kernel32 API after obtaining the lock.

Clients do not communicate with the Symantec Endpoint Protection Manager (SEPM)
Fix ID: 2657985
Symptom: The policy serial number is blank and database validation fails after configuring replication.
Solution: Added broken link check in SEPM publishing area.

Policy serial number is blank and database validation fails
Fix ID: 2662405
Symptom: After configuring replication, the Policy serial number is blank and there are Prolog errors in the Admin - Server site. Further, client packages cannot be exported and the clients do not report the replication partner.
Solution: The issue was caused by the presence of a "-->" string. This string in the description of metadata marks the replicated XML content as broken and creates exceptions. This was fixed by reading the last "-->" as the end of description for replication.

Clients bypass recently promoted GUP in favor of SEPM
Fix ID: 2673894
Symptom: Sometimes the clients will bypass a newly promoted GUP and connect directly to SEPM even though the GUP is set to "never bypass".
Solution: Fixed an issue where if the GUP list was empty, the client would bypass to SEPM even if the policy did not allow it.

A lot of temp files are kept in tomcat\temp directory
Fix ID: 2675567
Symptom: Many jtdsxxxx.tmp files including Java Heap Dump [semsvc_heap.hprof] build up in the tomcat\temp directory.
Solution: Developed a cleanup mechanism in a separate task to clean up old accumulated JTDS tmp files.

Add 'Sophos version 9.0', 'Trend Micro version 10.0', and 'AVG version 9.0' support for Host Integrity template
Fix ID: 2677531, 2677532, 2677534
Symptom: Host Integrity cannot detect the AV signature correctly.
Solution: Added support to the Host Integrity template.

The date of the next scheduled scan is incorrectly shown when the scheduled scan is aborted
Fix ID: 2679293
Symptom: If a scheduled scan starts and is aborted mid run, the next scheduled scan time is shown as double the expectation.
Solution: Fixed the issue where the time for next scheduled scan was being incorrectly calculated. This happened because the time for next scan got incorrectly added to the last scheduled scan time.

Error: BugCheck_STR: 0x8E referencing sysplant
Fix ID: 2688234
Symptom: Application and Device Control feature causes blue screen error when the machine enters hibernation.
Solution: Added a hook to link to the library only once and improved error handling.

 

 Component versions

Component Version
AutoProtect 10.3.8.7
Behavior Blocking 3.5.3.004
CCEraser 20072.0.1.6
COH 6.1.15.3
Common Client 106.5.6.002
DecABI 1.2.7.1
Defutils 4.1.4.3
ECOM 61.3.0.17
Intelligent Updater 1.0.1.6
LiveUpdate 3.3.0.115
LiveUpdateAdmin 2.3.1
MAC Client 11.0.6970.236
Microdefs 2.7.0.13
QServer 3.6.7180.64
SNAC Scanner 5.1.5.94
SyKnAppS 3.0.3.3
SymEvent 12.8.6.38
SymNetDrv 7.2.6.1
SymProtect(Tamper Protection) 3.5.1.3
Teefer2 11.0.6970.30
Teefer3 11.0.5602.45
VxMS (MSLight ) 5.2.1.3
WpsHelper 12.3.0.4
PHP 5.3.10.0
SAVFL 1.0.13.16
JRE 1.6.0_31
TomCat 6.0.35
Boost 1.49
LibPNG 1.2.47
LibXML 2.7.8
OpenSSL 0.9.8t
cURL 7.24.0

    

Release Update 7 Maintenance Patch 1 (RU7 MP1)

What's new in this release
The current release includes the following improvements that make Symantec Endpoint Protection and Symantec Network Access Control easier and more efficient to use:

Administrator-defined scan extensions increased to 12 characters
Fix ID: 2337151
Previous behavior: The Symantec Endpoint Protection Manager administrator could not add more than four characters when specifying file extensions to scan during an administrator-defined scan.
Enhancement: The file extension limit was increased from 4 to 12 characters.

Quarantine dialog allows full path entry
Fix ID: 2362970
Previous behavior: In Symantec Endpoint Protection 11.0 RU6 MP1 or earlier, the Quarantine dialog allowed the user to enter or browse to a file path. In RU6 MP2 and later, this dialog was modified to show folders only. The user would like to return to the original file path behavior.
Solution: A flag to a Microsoft API was added to allow the user to browse to a full file path in the quarantine dialog.

 

Top impacting problems resolved in RU7 MP1

SMC.exe handle count on a GUP computer increases over time
Fix ID: 2399799
Symptom: On a client configured as a GUP, the handle count of SMC.exe increases over time, and eventually the computer becomes unresponsive.
Solution: SMC.exe was modified to prevent the handle leak.

Perl application in Cygwin terminates with fatal error "couldn't allocate heap"
Fix ID: 2241805
Symptom: CygWin terminates with fatal error "couldn't allocate heap" when running a Perl script with an active Application and Device Control policy.
Solution: The Application and Device Control driver (sysplant.sys) memory allocation routine was modified to prevent this crash.

SMC.exe process terminates unexpectedly
Fix ID: 2326986
Symptom: The SMC.exe process terminates unexpectedly when retrieving the system default proxy configuration. This occurs when the user selects "Update Policy" from the tray icon.
Solution: SMC.exe was modified to process the proxy name and bypass settings correctly when the fields are empty.

Domain controller becomes unresponsive after installation of Symantec Endpoint Protection 11.0 RU6 MP3
Fix ID: 2393251
Symptom: A domain controller may become unresponsive to RPC, authentications, replication, and file sharing after installation of Symantec Endpoint Protection 11.0 RU6-MP3. The server still answers to ping.
Solution: The AutoProtect driver (srtsp.sys) was modified to prevent a condition where calling into the mount manager could cause a deadlock.

Ports are abandoned in the CLOSE_WAIT state by GUP-to-Manager communication
Fix ID: 2413202
Symptom: Computers acting as static GUPs show a progressive performance degradation over time until they become unresponsive to network communications. The computer must be restarted to restore network connectivity.
Solution: SMC was modified to prevent the connection leak.

Symantec Endpoint Protection clients cycle through Management Server lists continuously (two solutions)
Fix ID: 2493886
Symptom: Symantec Endpoint Protection clients continually cycle through the Management Server Lists. The client will connect to one Symantec Endpoint Protection Manager, then another, and repeat.
Solution: The profile time is now converted to GMT to resolve a scenario where the profile does not match.
Fix ID: 2566167
Symptom: Symantec Endpoint Protection clients continually cycle through the Management Server Lists. The client will connect to one Symantec Endpoint Protection Manager, then another, and repeat. This occurs when clients are configured to download content from an internal LiveUpdate Administrator and the LUA policy contains a password to access the server.
Solution: Symantec Endpoint Protection was modified to ensure the encrypted password remains static when the policy is recompiled.

Computer status log shows virus definitions as "none"
Fix ID: 2023152
Symptom: When the client starts, SMC sends virus definition date information as "0" to the Symantec Endpoint Protection Manager. The computer status log in Symantec Endpoint Protection Manager shows a virus definition date as "none." The clients have the correct definitions. A workaround is to manually "Update Policy" or wait until the next heartbeat.
Solution: SMC was modified to send the correct virus definition data to the server on startup.

IPS status and numbers are incorrect in reporting
Fix ID: 2240928/2376877
Symptom: In some areas of Symantec Endpoint Protection Manager reporting, IPS signature data is inconsistent or incorrect. Affected areas include:

  • Home > Security Status > More Details > Intrusion Prevention Signature Update Failures
  • Reports > Quick Reports, where Report type = "Computer Status" and Select a report = "Intrusion Prevention Signature Distribution"

Solution: The Symantec Endpoint Protection Manager queries were modified to show the correct IPS client data.

Symantec Endpoint Protection client connects to Symantec LiveUpdate server despite being configured to use an internal LiveUpdate Administrator
Fix ID: 2267387
Symptom: On a managed Symantec Endpoint Protection client, if the local LiveUpdate settings file is corrupted, Symantec Endpoint Protection will revert to the default settings and connect to the Symantec LiveUpdate server.
Solution: To ensure the LUA server is always used, liveupdt.hst is now kept in the LiveUpdate Install folder. As a backup measure, a last known good settings file (Settings.LastGood.LiveUpdate) is created. This file is used when the original settings file is missing or is zero bytes in size.


All resolved problems in RU7 MP1

COH32.exe consumes high CPU and high memory
Fix ID: 2247120
Symptom: The process COH32.exe consumes high CPU and 500 MB+ of memory every hour. By default, COH (part of Proactive Threat Protection) scans every hour and some CPU and memory usage is normal. In some environments the COH process may consume excessively high CPU and memory.
Solution: COH32.exe was modified to prevent a scenario where the scanner incorrectly identified too many processes to scan.

GUP hangs frequently, requiring a restart once every 24 hours
Fix ID: 2395985
Symptom: The SMC.exe process of a GUP computer may hang or crash unexpectedly.
Solution: SMC.exe was modified to prevent a condition where one thread could delete the Sylink configuration data while another thread still needed it.

SERVER_CLIENT_LOG EVENT_ID 23 & 24 are not translated for external logging file scm_agent_act.tmp
Fix ID: 2351718
Symptom: In the Schema Reference Guide, SERVER_CLIENT_LOG EVENT_ID numbers 23 and 24 are not translated for the external logging file scm_agent_act.tmp.
Solution: For reference, the following text was added to the readme.html:
Event ID 23 = Client has downloaded globalindex.dax
Event ID 24 = Client has downloaded GUP list

Data is missing in the "Infected Only" compliance report
Fix ID: 2295643
Symptom: No information is displayed for some clients in the "Infected Only" compliance report. This report can be reached via Monitors > Logs > Computer Status > Filter for "infected only."
Solution: Compressed file containers (.zip, .rar, etc.) are now excluded from the "infected only" report. Only infected file(s) from inside the container will be shown in the report.

Symantec Endpoint Protection Manager email notifications are sent repeatedly for old events
Fix ID: 2233045
Symptom: Multiple outbreak email notifications are sent during the damper period.
Solution: SQL queries were modified to prevent notifications during the damper period.

Symantec Network Access Control agent receives the message "Policy manager failed to verify client's UID"
Fix ID: 2310003
Symptom: A Symantec Network Access Control agent may become rejected during a VPN session with the Gateway Enforcer. The message "Policy manager failed to verify client's UID" appears in the compliance reports. The message "Get UID verify failed from Server <ID> for client <ID>" appears in the kernel logs.
Solution: The Symantec Network Access Control agent was modified to update the hash information with Symantec Endpoint Protection Manager if the hardware request was not completed successfully.

Client installations with AntiVirus only attempt to load the IPS library file sdi.dat and the SMC.exe process may crash
Fix ID: 2379995
Symptom: Installations that do not have NTP/IPS installed are still attempting to load the IPS library file "sdi.dat." If the IPS policy file is invalid the SMC.exe process may terminate unexpectedly.
Solution: SMC.exe was modified to only load the IPS policy when NTP is installed.

The client takes one hour or more to process a policy containing a large number of host entries
Fix ID: 2252732
Symptom: A policy contains a large number (10,000+) of host entries. It takes the client 1 hour or more to process the policy file.
Solution: An algorithm was optimized to allow the client to process the policy more quickly.

Ping response times are slow on Windows 2000
Fix ID: 1939651
Symptom: Ping response times are slow on a Windows 2000 computer running Symantec Endpoint Protection 11.0.
Solution: The process ID of incoming ICMP packets is set to "System" to allow the client firewall to process them more quickly.

Auto-exclusions for Exchange 2010 are lost after installing Symantec Mail Security for Microsoft Exchange
Fix ID: 2330319
Symptom: Symantec Endpoint Protection 11.0 is installed on a server and correctly auto-excludes the Microsoft Exchange directories. When Symantec Mail Security for Microsoft Exchange is installed, the auto-exclusions are lost.
Solution: Additional methods of detecting Microsoft Exchange were added to the Symantec Endpoint Protection client to allow it to find Exchange and create the auto-exclusions.

Commands run by the limited admin on a Read-only group cannot be processed
Fix ID: 2399598
Symptom: A command is run by a limited admin on a Read-only group. There is no error message and the clients do not process the request.
Solution: The message "User has insufficient rights to execute the command" will be displayed when the limited admin does not have access to run the command.

SMC.exe process consumes 25% CPU usage on Windows 2008 R2 terminal server when idle
Fix ID: 2350900
Symptom: The SMC.exe process consumes 25% or more CPU on a Windows 2008 R2 terminal server, even when sessions are idle.
Solution: The SMC.exe process was modified to improve performance on terminal servers.

SMC.exe fails to start when the policy file (serdef.dat) is corrupt
Fix ID: 2351705
Symptom: SMC.exe will fail to start when the policy file (serdef.dat) is corrupt.
Solution: SMC.exe will now use the backup.dat and server.dat instead of serdef.dat, if serdef.dat cannot be loaded.

Extra bracket "]" character in the Symantec Endpoint Protection Manager firewall rule when the protocol direction is outgoing
Fix ID: 2413452
Symptom: When new firewall policy rules are being created in Symantec Endpoint Protection Manager, there is a circumstance where an extra "]" appears in the entry in the "Content" column.
Solution: The extra character was removed.

Unapproved Application List does not populate correctly when a large number of records are present
Fix ID: 2273709
Symptom: The Unapproved Application List cannot be viewed if there are more than 20,000 entries.
Solution: The Symantec Endpoint Protection Manager console logic was fixed to handle lists greater than 20,000 entries.

Risk "Event End Date Time" is earlier than the "Event Date Time" on an external log server
Fix ID: 2392324
Symptom: The Symantec Endpoint Protection Manager inadvertently sends duplicate compressed log entries to an external log server. This results in events with an end date time earlier than the date time.
Solution: Symantec Endpoint Protection Manager was modified to get the latest site state from the database before updating the external log server.

Network Threat Full Report for past three months or past one year cannot be generated
Fix ID: 2366417
Symptom: The Network Threat Full Report for the past three months or past one year cannot be generated. The report may reply with the message "The server received an invalid response from another server while attempting to fulfill the request" or "The page cannot be displayed."
Solution: A PHP file was optimized to allow the reports to run correctly.

Symantec Endpoint Protection Manager sends old entries to external log server
Fix ID: 2392317/2366479
Symptom: The Symantec Endpoint Protection Manager sends old entries to external log server. This results in duplicate log entries on the external log server.
Solution: Symantec Endpoint Protection Manager now properly tracks when logs are sent to the external log server to resolve this issue.

Scheduled or on-demand scan detects threat in Recycle Bin and nothing is logged in Application Event Log
Fix ID: 2380072
Symptom: When a scheduled or manual scan detects an infected file inside of a compressed file in a Recycle Bin, no event ID 51 is entered in the application log. If an infected file is detected on another drive an event ID 51 is logged; however, the file found in the Recycle bin is not listed in the event. The compressed file is deleted/quarantined as it should be, and the Symantec Endpoint Protection client logs all locations, but no event ID 51 is entered in the Windows Application Event log.
Solution: The Symantec Endpoint Protection client was modified to record logs directly when handling the anomaly log.

Client logs are not generated for external logging and are not sent to syslog server
Fix ID: 2390237
Symptom: In some scenarios, client logs are not generated for external logging and are not sent to the syslog server. This occurs in a replication scenario when a site is re-installed with the same name.
Solution: The external logging USN cache is now cleared when a site is added to a replication scenario.

Duplicate clients appear in Symantec Endpoint Protection Manager reports
Fix ID: 2436309
Symptom: An Active Directory-synced Symantec Endpoint Protection client that changes its Hardware ID no longer generates multiple SEM_CLIENT entries in the database. However, the leftover entries in the SEM_AGENT and SEM_COMPUTER tables affect Reporting and result in inflated client counts.
Solution: The Symantec Endpoint Protection Manager logic was fixed to re-use the computer ID when it is merged. In addition, all orphaned entries from the SEM_COMPUTER and SEM_AGENT tables are removed to avoid reporting conflicts.

Deleted groups are displayed in group selection drop down of Symantec Endpoint Protection Manager reports
Fix ID: 2033337
Symptom: Symantec Endpoint Protection Manager report filters show groups that have been deleted.
Solution: Symantec Endpoint Protection Manager now uses the deleted flag to restrict the group drop-down list to existing groups only.

GUP stops serving clients after the SMC service is restarted
Fix ID: 2349534
Symptom: When the SMC service is restarted, the client cannot open port 2967 and GUP stops delivering definitions to clients.
Solution: SMC was modified to prevent a condition where GUP would attempt to start before fully initialized.

GUP appears to fail content update and orphan a number of small files in SharedUpdates
Fix ID: 2371443
Symptom: GUP appears to fail content update and orphan a number of small files in SharedUpdates. These files contain only header information.
Solution: SMC was modified to prevent a condition where GUP state files are left on disk.

Symantec Endpoint Protection Manager services terminate unexpectedly and fail to start again. This may occur after migration to Symantec Endpoint Protection 11.0 RU7.
Fix ID: 2511715/2437330
Symptom: Symantec Endpoint Protection Manager services terminate unexpectedly and fail to start again. This may occur during or after migration to Symantec Endpoint Protection 11.0 RU7. The following message may appear in the Symantec Endpoint Protection Manager log:
SEVERE: Unexpected server error. in: com.sygate.scm.server.servlet.StartupServlet com.sygate.scm.server.metadata.MetadataException: Numeric overflow in conversion of value 2,147,485,326 to type INTEGER.
Solution: Symantec Endpoint Protection Manager was modified to resolve an integer overflow condition.

Symantec Endpoint Protection client with Internet Email AutoProtect cannot access port 465 on an SMTP server using SSL
Fix ID: 2329505
Symptom: A Symantec Endpoint Protection client with Internet Email AutoProtect enabled cannot connect to port 465 on the SMTP server with SSL enabled. The connection fails and times out.
Solution: A component of Internet Email AutoProtect (ccEmlPxy) was modified to allow use of port 465 for email submissions via SMTP tunneled over an initial SSL connection.

Scheduled scan terminates unexpectedly and may leave temporary scan data on the hard drive
Fix ID: 2315341
Symptom: A scheduled scan terminates unexpectedly and may leave temporary scan data on the hard drive. Over time this could consume all space on the drive.
Solution: A scanning component (ccScan) was modified to properly handle alternate data streams on stealthed files when the file cannot be accessed, there is a sharing violation, or the file is locked.

Auto-location switching does not work properly after upgrade to Symantec Endpoint Protection 11.0 RU6 MP2
Fix ID: 2317185
Symptom: After upgrade to Symantec Endpoint Protection 11.0 RU6 MP2 or later, auto-location switching does not work properly. The Symantec Endpoint Protection client does not switch to new locations as expected.
Solution: The Symantec Endpoint Protection client was modified to properly switch locations when the Wireless Zero Configuration Service (WZCSVC) service is stopped.

Limited admin can view data from a client group for which he does not have access
Fix ID: 2269664
Symptom: A limited admin can view unmanaged detector data from a client group where the admin has no access.
Solution: SQL queries were modified to enforce group access in Reporting Security Status 'More Details' and 'Find Unmanaged Computers'.

Event log error 11706, 1001, and 1004 after uninstallation of Symantec Endpoint Protection client from a Symantec Endpoint Protection Manager
Fix ID: 2173616
Symptom: The Symantec Endpoint Protection client software has been installed alongside Symantec Endpoint Protection Manager on the same computer. When the Symantec Endpoint Protection client is uninstalled, Symantec Endpoint Protection Manager's MSI resiliency detects a change and logs an error. Event log errors may include:

Event Type: Warning
Event Source: MsiInstaller
Event ID: 11706
No valid source could be found for product Symantec Endpoint Protection Manager.
Try the installation again using a valid copy of the installation package
'Symantec Endpoint Protection Manager.msi'

Event Type: Warning
Event Source: MsiInstaller
Event ID: 1001
Detection of product '{EAD22945-6D46-4073-8353-803523E9936B}, feature 'Bin' failed during request for component '{40B71840-0B33-42C7-A11D-EBDD5F3ACB63}'

Event Type: Warning
Event Source: MsiInstaller
Event ID: 1004
Detection of product '{EAD22945-6D46-4073-8353-803523E9936B}', feature 'Bin', component '{711CBE62-401D-47AC-8919-4C0029EC66DD}' failed. The resource 'C:\Program Files\Symantec\Symantec Endpoint Protection Manager\data\temp\UploadTemp\' does not exist.

Solution: The Symantec Endpoint Protection uninstaller was modified to keep a LiveUpdate registry key that is common to Symantec Endpoint Protection Manager, if the registry key is in use.

Symantec Endpoint Protection Manager web console does not allow a client install package to be fully configured
Fix ID: 2322366
Symptom: When logged into the Symantec Endpoint Protection Manager web console, edit the Client Install Package Properties. For "Client Features" the only option is "All features of Symantec Endpoint Protection." It is not possible to select other features.
Solution: The Symantec Endpoint Protection Manager web console was modified to allow the administrator to select other feature sets.

SymcorpUI.exe terminates unexpectedly
Fix ID: 2310799
Symptom: SymcorpUI.exe terminates unexpectedly with exception 0xc0000005.
Solution: SymcorpUI.exe was modified to prevent this crash.

Unmanaged client cannot perform a scheduled LiveUpdate on Windows 2000
Fix ID: 2329484
Symptom: An unmanaged client cannot perform a scheduled LiveUpdate on Windows 2000. Manually launching LiveUpdate is successful.
Solution: Symantec Endpoint Protection was modified to correctly handle a user token on Windows 2000.

Pressing Ctrl+Alt+Del causes blue screen error
Fix ID: 1848861
Symptom: Pressing Ctrl+Alt+Del causes a blue screen error with stop code 50.
Solution: The AutoProtect driver (srtsp.sys) was modified to prevent a condition where a scan could occur before the system volume was ready.

Custom scan cannot process files and folders
Fix ID: 2406379
Symptom: A custom scan may be unable to scan files and folders through a junction point on an NTFS volume.
Solution: A scanning component (ccScan) was modified to strip a trailing backslash from a junction point before a scan.

Manual scan terminates unexpectedly on Windows XP 64-bit
Fix ID: 2054028
Symptom: A manual scan does not complete and terminates unexpectedly on Windows XP SP2 64-bit.
Solution: Rtvscan was modified to prevent a crash during scanning on this operating system.

Installation of Symantec Endpoint Protection client causes Windows Defender to be set to "Manual" instead of "Disabled" on Windows 7
Fix ID: 2414274
Symptom: On Windows 7, Windows Defender service gets stopped and the service is set to Manual instead of "Disabled" after installing Symantec Endpoint Protection 11.0 RU6 MP3. On Windows XP and Windows Vista, the Windows Defender service is set to "Disabled" during the installation of the Symantec Endpoint Protection client.
Solution: The Symantec Endpoint Protection client installer was modified to properly set the Windows Defender status on Windows 7.

Symantec Endpoint Protection client content updates result in high I/O on SAN in a virtualized environment
Fix ID: 2399592
Symptom: The Storage Area Network (SAN) encounters high I/O utilization in a virtualized environment when clients download content.
Solution: The Symantec Endpoint Protection client was modified to prevent a scenario where the download randomization setting was ignored.

Client running Nortel VPN client freezes after establishing VPN tunnel
Fix ID: 2378999
Symptom: Client computers running the Nortel VPN client may freeze within 20 minutes of establishing a VPN tunnel. This issue occurs when Network Threat Protection is installed.
Solution: The Symantec Endpoint Protection firewall was modified to prevent a deadlock when querying process information.

Traffic log shows thousands of "Allow" entries for the rule "Allows NetBIOS UDP protocols in LAN subnet"
Fix ID: 2403041
Symptom: With Symantec Endpoint Protection in client control mode, the traffic log shows thousands of "Allow" entries for the rule "Allows NetBIOS UDP protocols in LAN subnet."
Solution: Default logging of the "Allows NetBIOS UDP protocols in LAN subnet" rule is now disabled in unmanaged or client control mode.

IPS exclusion by IP range does not work properly if remote IP is on the boundary of the range
Fix ID: 2336330
Symptom: Excluding IPS hosts by IP range does not work properly if the remote IP is on the boundary of the exclusion range. The remote IP is not excluded.
Solution: The IP range check was modified to properly exclude hosts.

SecurityNotifyTask hangs when multiple notifications are sent simultaneously
Fix ID: 2343856
Symptom: The SecurityNotifyTask hangs when multiple notifications are sent simultaneously from a batch file. The SecurityNotifyTask-0.log file no longer shows new entries.
Solution: Input and error streams are now merged and the combined stream is used to determine if the batch file is still running.

Computer status log data cannot be exported to CSV format if a field contains a comma
Fix ID: 2398707/2412310
Symptom: If data within a particular column of the computer status log contains a comma, and the report is exported to CSV, the columns for that row are disturbed when viewed in Excel.
Solution: All data in Computer Status Logs are now exported in double quotes.

Host Integrity Failed report shows client data that is out of the specified date range
Fix ID: 2353594
Symptom: The Host Integrity Failed report shows older client data that is out of range of the report.
Solution: A SQL query was modified to ensure Host Integrity data falls within the specified range.

W3WP service (w3wp.exe) terminates unexpectedly
Fix ID: 2226770
Symptom: The W3WP service (w3wp.exe) terminates unexpectedly due to secars.dll. This issue occurs when a tech extension directory does not exist.
Solution: Secars.dll was modified to prevent this crash.

After logging out of the Symantec Endpoint Protection Manager web console, admin accounts still show online and Java.exe memory usage does not decrease
Fix ID: 2217355
Symptom: After logging out of the Symantec Endpoint Protection Manager web console, administrator accounts continue to show online. Java.exe (JVM/AjaxSwing) memory usage does not decrease as expected.
Solution: The AjaxSwing default configuration (default.properties) was changed to resolve this issue, as follows:

router.clientsPerJVM=1
router.retireJVMAfterClients=1

Symantec Endpoint Protection Manager Monitors "last update time" does not reflect the current system time
Fix ID: 2418608
Symptom: The "last update time" on the Symantec Endpoint Protection Manager Monitors page is ahead by one hour if the time zone has a daylight savings setting but the setting has been disabled.
Solution: Symantec Endpoint Protection Manager now handles the date and time when transferring from local (both regular and DST) time to GMT time. The logic was corrected to check for DST time.

Symantec Endpoint Protection scan report shows incorrect data
Fix ID: 2405910
Symptom: The Symantec Endpoint Protection scan report shows more clients when compared to a raw query (select * from sem5.sem5.scans).
Solution: The SQL query used in the report was corrected to accurately show the client data.

Client fails to communicate with Symantec Endpoint Protection Manager if the client has a large number of network interface cards or loopback adapters
Fix ID: 2218255
Symptom: With a large number of network interface cards or loopback adapters, the client fails to communicate with Symantec Endpoint Protection Manager because the HWID key fails to generate.
Solution: The client was corrected to account for a large number of NICs or loopback adapters.

Symantec Endpoint Protection Manager 'Policy edited' event fails to record individual 'Edit Location' events when multiple locations are edited
Fix ID: 2321593
Symptom: When multiple locations are edited in a Symantec Endpoint Protection Manager policy, the 'Policy edited' log event fails to record the individual 'Edit Location' events.
Solution: An Edit Location event is now logged when enabling/disabling the location or setting the location as default.

Replication fails after migrating to Symantec Endpoint Protection Manager 11.0 RU7
Fix ID: 2556217
Symptom: Replication fails after migrating Symantec Endpoint Protection Manager to 11.0 RU7.
Solution: The Symantec Endpoint Protection Manager migration wizard was modified to use the correct body encoding for URI during a fresh install or database schema upgrade.

Weekly reports in Symantec Endpoint Protection Manager are blank from one site
Fix ID: 2404695
Symptom: Weekly reports in Symantec Endpoint Protection Manager are blank from one site.
Solution: Symantec Endpoint Protection Manager reporting was modified to correctly handle data inconsistency between replicated sites.

C++ runtime error and DCOM encountered on Windows 2008 R2 server
Fix ID: 2347138
Symptom: After installing Symantec Endpoint Protection 11.0 on a Windows 2008 R2 server, the user encounters an error:

Microsoft Visual C++ Runtime Library
R6025 - pure virtual call

In addition, the System event log contains the following DCOM errors:

Source: Microsoft-Windows-DistributedCOM
Event ID: 10010
Level: Error
Description: The server {EE68EAFC-BF28-4017-8A92-D17DACF0B459} did not register with DCOM within the required timeout.

Source: Microsoft-Windows-DistributedCOM
Event ID: 10000
Level: Error
Description: Unable to start a DCOM Server: {EE68EAFC-BF28-4017-8A92-D17DACF0B459}. The error: "5" Happened while starting this command: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe {EE68EAFC-BF28-4017-8A92-D17DACF0B459} -Embedding

Solution: The ProtectionUtilSurrogate.exe process was corrected to wait until the process exits.

.DAT files accumulate in Inbox and are processed slower after moving from SQL 2005 to SQL 2008
Fix ID: 2428767
Symptom: After moving from SQL 2005 to SQL 2008, .DAT files accumulate in the Inbox and are processed more slowly.
Solution: The parameter "-C 65001" is now disabled for SQL Server 2008. This ensures that Symantec Endpoint Protection Manager will use BCP to insert logs.

SMC.exe process terminates unexpectedly
Fix ID: 2231076
Symptom: The SMC.exe process terminates unexpectedly in TfMan.dll when disconnecting from a VPN.
Solution: The Symantec Endpoint Protection firewall rule manager (TfMan.dll) was modified to resolve this crash.

Traffic logs are truncated on disk when opened in the Symantec Endpoint Protection UI
Fix ID: 2349055
Symptom: When a traffic log grows to the maximum size (specified by policy), viewing the traffic log in the Symantec Endpoint Protection UI incorrectly truncates the file on disk.
Solution: Corrected an issue in the Symantec Endpoint Protection log processor to prevent logs from being written while the log is loading into the UI.

Symantec Endpoint Protection Manager help file documentation (Glossary) for the Mac Centralized Exceptions pre-defined variables is incorrect
Fix ID: 2115714
Symptom: Prefix variables for centralized exceptions for Macs do not appear in the glossary.
Solution: The following entry was added to the readme file:

Prefix variables for centralized exceptions for Macs do not appear in the glossary
If you add a centralized exception for a security risk file or folder for Mac, the glossary for the prefix variables incorrectly displays an explanation of the prefix variables for Windows exceptions. The prefix variables for Mac exceptions are None, Home, Application, Library. The prefix variables are the top-level folders. You can specify sub-folders or specific files in the File or folder text box.

 

Release Update 7 (RU7)

 

What's new in this version
The current release includes the following improvements that make Symantec Endpoint Protection and Symantec Network Access Control easier and more efficient to use:
  • Certified support for Windows 7 Service Pack 1 and Windows Server 2008 R2 Service Pack 1
  • Firewall support for mobile broadband adapters
 
New fixes in this version
 
TPM device does not display in Symantec Endpoint Protection Manager
Fix ID: 1536046
Symptom: Symantec Endpoint Protection Manager displays the message "No TPM device" when the client is installed on certain computers with newer TPM hardware types.
Solution: The Broadcom TPM chipset is now supported.
 
Manual scan aborts prematurely
Fix ID: 1810080
Symptom: When virus definitions are reloaded during a manual scan or a scheduled scan, the scan aborts prematurely.
Solution: ccScan (Common Client) was modified to update definitions properly while a scan is in progress.
 
The firewall does not detect traffic on mobile broadband interfaces
Fix ID: 1928964
Symptom: The Symantec Endpoint Protection firewall does not detect traffic on a mobile broadband adapter. In addition, the adapter does not display Teefer2 Miniport entries in the device manager.
Solution: A new Teefer3 firewall driver was created to detect and monitor mobile broadband interfaces. Teefer3 provides better compatibility with other NDIS6 interfaces. Symantec Endpoint Protection installs the new driver, Teefer3.sys, only on NDIS6-based operating systems (Windows Vista and above). The Teefer2.sys driver installs on legacy operating systems.
 
Lotus Notes email scanning performance
Fix ID: 1990686
Symptom: Lotus Notes email performance is slow when Lotus Notes email protection is enabled.
Solution: Lotus Notes email scanning performance is improved by caching the scan results. In this case, the attachment is not rescanned if it has not changed. In addition, emails with multiple attachments are now passed to the virus scanner in one batch transaction.
 
Virus definitions out-of-date notification is not accurate
Fix ID: 1998671
Symptom: The Virus definitions out-of-date notification does not correctly reflect the filter condition "include only clients which are currently online." This causes more clients than expected to display.
Solution: The client time stamp in the database was updated when a client is offline. In addition, replication of this state has been improved between servers.
 
A manual or scheduled scan causes de-migration of offline files
Fix ID: 2000976
Symptom: In conjunction with some file storage solutions, a manual or scheduled scan results in de-migration of offline files.
Solution: Symantec Endpoint Protection was modified to detect the file attribute FILE_ATTRIBUTE_REPARSE_POINT and to handle it correctly.
 
Client installation rolls back if downloaded through LiveUpdate
Fix ID: 2006121
Symptom: Client installation on Windows 2008 R2 and Windows 7 rolls back if the package was downloaded by the server using LiveUpdate. The version of LiveUpdate (lusetup.exe) in Symantec Endpoint Protection 11.0 prior to RU5 is not compatible with Windows 7 and Windows 2008 R2. When the server downloads RU5 patches from LiveUpdate, the patch does not include lusetup.exe and Symantec Endpoint Protection Manager uses the existing lusetup.exe from the database. This combined package of new RU5 + older lusetup.exe fails to install on Windows 7 and Windows 2008 R2.
Solution: Lusetup.exe is now included in the MSI installer file. It will also be included in future patches deployed through LiveUpdate.
 
BugCheck 50 (PAGE_FAULT_IN_NONPAGED_AREA) references SysPlant.sys
Fix ID: 2028463
Symptom: The computer crashes with BugCheck 50, {b12c8b80, 0, f8132ec2, 0} PAGE_FAULT_IN_NONPAGED_AREA (50) when Symantec Endpoint Protection 11.0 RU5 is installed. The blue screen error references sysplant.sys.
Solution: The sysplant.sys driver was receiving an incorrect image size from the executable PE header. The driver was modified to prevent the crash.
 
Tamper protection and POP3 email scanner features are not documented as 32-bit only
Fix ID: 2037006
Symptom: The tamper protection and POP3 email scanner features are not documented as 32-bit only.
Solution: The "Read Me.html" file contains an update for this issue:
Some features and MSI codes are only available on 32-bit systems. The table on page 194 of the Installation Guide for Symantec™ Endpoint Protection and Symantec Network Access Control, entitled Symantec Endpoint Protection client features, has omissions. It fails to specify that the following capabilities are only available on 32-bit systems:
• SymProtectManifest
• POP3SMTP
 
Centralized exceptions for the file/folder window do not always appear on 64-bit computers
Fix ID: 2038170
Symptom: When adding a security risk exception, the file/folder window does not appear.
Solution: The file system redirection logic was modified to display this window correctly.
 
Symantec Endpoint Protection Manager incorrectly shows that the client needs a reboot after an AntiVirus/AntiSpam-only migration
Fix ID: 2057158
Symptom: A client with only the AntiVirus/AntiSpam feature installed is migrated to a new release of Symantec Endpoint Protection. After migration, Symantec Endpoint Protection Manager displays that the client requires a reboot, when in fact, a reboot is not required.
Solution: The installation reboot logic was modified to prevent this error for AntiVirus/AntiSpam-only migrations.
 
Antivirus detection displays the message "Location: Unknown storage"
Fix ID: 2059120
Symptom: When a threat is scanned and detected, the location of a threat displays the message Unknown Storage in the notification window.
Solution: The threat detection logic was updated to display the threat location correctly in the notification window.
 
Symantec Endpoint Protection Manager encounters frequent datastore errors while it processes antivirus logs
Fix ID: 2062984
Symptom: After configuring a system event notification, you receive a large number of notifications regarding a datastore error. The scm-server.log file contains the message: SEVERE: Datastore error in: com.sygate.scm.server.task.AgentLogCollector java.lang.NullPointerException.
Solution: An issue processing PTP logs was corrected to prevent the occurrence of this error message.
 
The startup scan type changes from active scan to full scan when a user logs into the computer
Fix ID: 2073440
Symptom: When one user logs off of the computer, and a different user logs on to the computer, the startup active scan may incorrectly change to a full scan and scan all files and folders.
Solution: During the log off process, a second copy of SmcGui.exe executed incorrectly and overwrote user scan settings with the default values. This caused the next startup scan to become a full scan. SmcGui.exe was modified to disallow a second startup scan within a single session.
 
Traffic logs viewed in Symantec Endpoint Protection Manager are unresponsive or return inconsistent data
Fix ID: 2074036
Symptom: When traffic logs are viewed in Symantec Endpoint Protection Manager, the query may time out or log retrieval may take a long time when there are a large number of records in the database.
Solution: The queries used for retrieving log data were optimized.
 
Broadcast traffic to 00-00-00-00-00-00 and FF-FF-FF-FF-FF-FF is blocked
Fix ID: 2076184
Symptom: Broadcast traffic to 00-00-00-00-00-00 and FF-FF-FF-FF-FF-FF is blocked for all adapters (LAN, wireless, dial-up) if there is a rule blocking all traffic on a wireless device.
Solution: Broadcast traffic to these addresses is allowed to other adapters even if there is a block all rule for one adapter.
 
The documentation for Quarantine Server supported operating systems is incorrect
Fix ID: 2076637
Symptom: The documentation for Quarantine Server supported operating systems is incorrect.
Solution: The Read Me.html file now clarifies the supported operating systems, with the following text:
 
Quarantine Server operating system support is not fully documented. The operating system requirements listed on page 16 of the Symantec™ Central Quarantine Implementation Guide have been updated as follows:
The console is supported on the following operating systems:
  • Windows 2000 Professional/Server/Advanced Server/Datacenter Server with Service Pack 3 or later
  • Windows XP Professional with Service Pack 1 or later
  • Windows Server 2003 Standard Edition/Enterprise Edition/Datacenter Edition/Web Edition
Note: The Quarantine Console was not tested on 64-bit operating systems.
The server is supported on the following 32-bit operating systems:
  • Windows 2000 Professional/Server/Advanced Server/Datacenter Server with Service Pack 3 or later
  • Windows XP Professional with Service Pack 1 or later
  • Windows Server 2003 Standard Edition/Enterprise Edition/Datacenter Edition/Web Edition
Note: The Quarantine Server was not tested and is not supported on 64-bit operating systems.
 
The search client performance in Symantec Endpoint Protection Manager is slow for limited administrators after upgrading to Symantec Endpoint Protection 11.0 RU6a
Fix ID: 2080254
Symptom: The search client performance in Symantec Endpoint Protection Manager is slow for limited administrators after upgrading to Symantec Endpoint Protection 11.0 RU6a.
Solution: An issue with limited administrator privileges was resolved to improve search performance.
 
Symantec Protection Center 1.0 fails to edit multiple policy options for Symantec Web Gateway
Fix ID: 2081265
Symptom: Some properties of Symantec Web Gateway policy configuration cannot be saved through Symantec Protection Center 1.0.
Solution: Content lengths longer than 8192 bytes were being truncated. The HttpServletRequest was modified to improve stream input processing.
 
The System Log as exported by the Symantec Endpoint Protection client contains incorrect event categories
Fix ID: 2082984
Symptom: When the System Log is exported to a text file, the critical event in System Log is written as Information instead of Critical.
Solution: The System Log export code was modified to correctly export the event category to the SysLog.log file.
 
"Account locked" events are recorded as "Login failed" events in the Symantec Endpoint Protection Manager database
Fix ID: 2084454
Symptom: When a Symantec Endpoint Protection Manager administrator account is locked, there is no specific "account locked" log entry in the database. Instead, it is logged as a generic "login failed" event.
Solution: A specific log message, "account locked", was added for this situation.
 
Clients automatically switch from Computer mode to User mode and may automatically switch groups
Fix ID: 2084474
Symptom: A Computer-mode client is registered as a User-mode client, which may cause it to change groups inadvertently.
Solution: When a client is switched from User-mode to Computer-mode, all users associated with the record are now deleted.
 
Pause and Snooze options during a scan do not honor the setting as configured by policy
Fix ID: 2084865
Symptom: Using the Pause and Snooze options during a scan may incorrectly display the number of remaining sleeps available.
Solution: Pause and Snooze are now treated the same and both decrement the available sleep count number.
 
Display error in the French localized version of Symantec Endpoint Protection Manager
Fix ID: 2087213
Symptom: The default client inventory report in the French localized Symantec Endpoint Protection Manager (Rapports > Inventaire Client > Par Defaut) contains a display error.
Solution: The report was modified to resolve the display error.
 
Replication fails between two sites
Fix ID: 2087986
Symptom: Replication between two sites may fail if a firewall between the two sites is configured for a low TCP idle session timeout.
Solution: A session keep-alive feature was added for replication to ensure the connection remains open for the duration of the replication.
 
The Upgrade Schedule option does not appear on the Add Client Install Packages page
Fix ID: 2092027
Symptom: The Upgrade Schedule option does not appear on the Add Client Install Packages page. If the window is resized, then the option appears.
Solution: Text components and the size of the window were modified to show all options.
 
Clients submit install data to Symantec during auto-upgrade even if the feature was disabled
Fix ID: 2093019
Symptom: After turning off data collection in the Symantec Endpoint Protection Manager, the clients continue to submit their install data to exftpp.symantec.com during auto-upgrade. This issue does not occur if the exported package is installed manually or via the Client Deployment Wizard.
Solution: The setup.ini parsing logic for the CmdLine entry was modified to correctly enable or disable install data collection per policy.
 
The "Change client view" option is global across all Symantec Endpoint Protection Manager administrators, including limited administrators
Fix ID: 2093960
Symptom: When the client view is changed, it is changed globally for all Symantec Endpoint Protection Manager administrators.
Solution: The client view settings are now saved per administrator. Each administrator can personalize the client view.
 
Changing the LiveUpdate content policy does not create an entry in the SERVER_POLICY.LOG
Fix ID: 2097325
Symptom: Changing the LiveUpdate content policy does not create an entry in the SERVER_POLICY.LOG. Other policy modifications are logged correctly.
Solution: A log entry was added to record when the LiveUpdate content policy is changed.
 
Symantec Endpoint Protection Manager logs an invalid log record error when processing PTP commercial application detections
Fix ID: 2097874
Symptom: PTP detects a commercial remote control application (for example Winvnc.exe), which is quarantined per administrator policy. The remediation of this application requires a restart to remove related registry information. After reboot, the ERASER reboot processing attempts to log the threat data but, because the file is in quarantine, ERASER is unable to calculate certain details (file size, hash, etc.) and logs them as empty. The empty log data results in the message "invalid log record."
Solution: The application properties are saved before quarantine and reboot. After reboot, the properties are restored and logged correctly.
 
Antivirus log data is not transferred to Symantec Endpoint Protection Manager from AVMan.log
Fix ID: 2098023
Symptom: Antivirus log data is not transferred to Symantec Endpoint Protection Manager from AVMan.log.
Solution: Symantec Endpoint Protection 11.0 clients prior to MR4-MP2 could, in some instances, write very large entries to the AVMan.log file. The client was modified to skip the invalid log entry and to resume processing the next entry.
 
Symantec Endpoint Protection Manager console performance is degraded when viewing groups with a large number of clients
Fix ID: 2099312
Symptom: When the default filter is set to 1000 clients per page, the console takes a long time to display the results.
Solution: The client query was optimized to enhance performance of the client view.
 
Administrators with full rights or policy management rights cannot edit or create policies
Fix ID: 2100572
Symptom: Administrators with full rights or policy management rights cannot edit or create policies.
Solution: An internal setting to determine whether the policy is read-only was not correctly set. Symantec Endpoint Protection Manager was modified to resolve this condition.
 
Access to network files is slow when Application and Device Control is enabled
Fix ID: 2100901
Symptom: Access to files on network shares, whether mapped or accessed through UNC paths, is slow when the Device Access Check feature of Application and Device Control is enabled.
Solution: Symantec Endpoint Protection was modified to check whether the path is a remote drive before accessing certain device parameters.
 
Unexpected scheduled scans after client migration
Fix ID: 2108139
Symptom: After migrating from Symantec Endpoint Protection 11.0 RU5 to RU6, an unexpected scheduled scan starts.
Solution: The migration process correctly invalidates scan randomization values if migrating from a version that does not support the feature.
 
The registry value AllowManualLiveupdate is not restored to match the applied policy on Symantec Endpoint Protection restart
Fix ID: 2109675
Symptom: The registry value AllowManualLiveupdate is changed when the computer is restarted, and is not restored to match the policy.
Solution: Symantec Endpoint Protection was restoring this key only when the policy changed. Symantec Endpoint Protection now restores this key on every start.
 
Issuing command from Symantec Endpoint Protection Manager to a single client results in a "null error"
Fix ID: 2109735
Symptom: When logged in to Symantec Endpoint Protection Manager as a Limited Administrator, an attempt to run a command on a specific client results in a "null error." After acknowledging the error, a success dialog box appears, but the command is not executed or displayed on the Monitors page. The Symantec Endpoint Protection Manager log may show the following errors: "duplicated primary key" (SQL Server) or "Primary key is not unique" (embedded DB) or "SEVERE: Command [ScanNow_Quick] doesn't contain hardware keys".
Solution: This error occurred when two clients had the same hardware key, or when a group had a stale deleted entry in the database. Symantec Endpoint Protection Manager now prevents the error by removing the duplicate hardware key or by correctly marking the group as deleted.
 
Juniper SSL VPN connection is not detected correctly by location awareness
Fix ID: 2114448
Symptom: The client switches to an incorrect location when connected via Juniper SSL VPN.
Solution: Juniper SSL VPN is no longer treated as Ethernet. It is now correctly filtered by description.
 
Auto-upgrade fails after day 1 of a multi-day schedule
Fix ID: 2114757
Symptom: Auto-upgrade stops after the first day of a multi-day schedule, after which clients fail to process the upgrade package.
Solution: Symantec Endpoint Protection Manager was incorrectly regenerating client packages and deltas if it was restarted during the multi-day schedule. This caused clients to download incorrect deltas that failed to apply correctly. Symantec Endpoint Protection Manager no longer modifies packages and deltas on restart, unless the install data collection setting is changed. In addition, the client now checks to see if the download package is larger than expected. If this occurs, the client requests a new download.
 
Unable to view packet data in the traffic logs. The raw packet log information is not displayed in the packet log details
Fix ID: 2118054
Symptom: Log on to the Symantec Endpoint Protection Manager console and go to Monitors - Logs - Network Threat Protection - Packet Logs. View the details of one of the records. All content from the Packet Viewer and below is missing when you view the details.
Solution: Symantec Endpoint Protection Manager uses ODBC functions to retrieve binary data from the SQL Server database. In some environments the ODBC functions fail. In this case, the administrator can configure the Microsoft PHP driver for SQL Server instead of ODBC. When the PHP driver (extension "sqlsrv") is enabled, Symantec Endpoint Protection Manager uses the new driver to access the database.
 
To enable the new driver
  1. Install the Microsoft SQL Server 2008 Native Client:
    For X86 OS: http://go.microsoft.com/fwlink/?LinkID=188400&clcid=0x409
    For X64 OS: http://go.microsoft.com/fwlink/?LinkID=188401&clcid=0x409
  2. Download the Microsoft Drivers for PHP for SQL Server:
    http://www.microsoft.com/downloads/en/details.aspx?FamilyID=80e44913-24b4-4113-8807-caae6cf2ca05
  3. Unzip SQLSRV20.exe and copy “php_sqlsrv_53_ts_vc6.dll” and “php_sqlsrv_53_nts_vc6.dll” to the directory <Symantec Endpoint Protection Manager installation folder>\Php\ext
  4. Open <Symantec Endpoint Protection Manager installation folder>\Php\Php.ini and add the following two lines:
    extension=php_sqlsrv_53_ts_vc6.dll
    extension=php_sqlsrv_53_nts_vc6.dll
  5. Restart the Symantec Endpoint Protection Manager service.
 
Ping Flood DoS detection on valid application traffic
Fix ID: 2118136
Symptom: Valid application traffic is falsely detected as a ping flood attack.
Solution: The ICMP packet rate and length were increased to avoid Ping Flood Attack false positives.
 
Saved Outlook attachments result in 0-byte files
Fix ID: 2118585
Symptom: File attachments with certain characters are saved with a size of 0 kB. This occurs when a message is sent from a Chinese simplified computer to a Japanese or Chinese traditional computer.
Solution: A check was added for certain characters in the file name to prevent 0-byte files from being created.
 
Syslog risk events are missing source IP address for infected client computers
Fix ID: 2119243
Symptom: Syslog risk events have missing source IP address, or the source IP address is 0.0.0.0.
Solution: When the IP address cannot be determined, or is reported as 0.0.0.0, it is replaced with a blank string.
 
The Next Scheduled Scan date is displayed incorrectly
Fix ID: 2119571
Symptom: If a scheduled scan retry window is set to seven days, and the scan starts but is aborted, the Next Scheduled Scan date is shown as two weeks later.
Solution: The upper limit for the weekly scan retry time is three days. A value greater than three is not permitted. This limit is now enforced.
 
Infected and at-risk computers report is empty
Fix ID: 2125633
Symptom: When filtering the Infected and at-risk computers report by Action Taken = Quarantine, the resulting report is empty.
Solution: The underlying SQL query was modified to resolve this issue.
 
Commas in risk names or directory paths will corrupt exported .csv reports
Fix ID: 2132922
Symptom: If a risk name or directory path contains a comma, the exported .csv file is corrupt.
Solution: Risk name and directory path data is now sanitized correctly.
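The failure mode described in this fix, as an added example that is not Symantec's code: a comma-joined export shifts every column after an embedded comma, while RFC 4180 quoting round-trips the data, and a column-count check flags damaged rows in exports from unpatched versions. The column names and rows are constructed, and the quoting approach is an assumption, since the article does not say how the data is sanitized.

```python
import csv
import io

# Constructed sample data; column names are hypothetical, not the product's schema.
HEADER = ["Computer", "Risk Name", "File Path", "Action Taken"]
ROWS = [
    ["HOST-01", "Example.Risk.A", r"C:\Temp\sample.exe", "Quarantined"],
    ["HOST-02", "Example.Risk,B", r"C:\Users\doe,j\Downloads\tool.exe", "Left alone"],
]


def export_naive(header, rows):
    """Join fields with bare commas: a comma inside a field splits it in two."""
    lines = [",".join(header)] + [",".join(row) for row in rows]
    return "\r\n".join(lines) + "\r\n"


def export_quoted(header, rows):
    """Quote fields that contain delimiters, quotes or newlines (RFC 4180 style)."""
    buf = io.StringIO(newline="")
    writer = csv.writer(buf, quoting=csv.QUOTE_MINIMAL, lineterminator="\r\n")
    writer.writerow(header)
    writer.writerows(rows)
    return buf.getvalue()


def misaligned_rows(csv_text):
    """Return (line_number, field_count) for rows whose width differs from the header.

    Useful as a sanity check before loading an exported report into a SIEM or
    spreadsheet: a shifted row silently puts a path fragment in the action column.
    """
    reader = csv.reader(io.StringIO(csv_text, newline=""))
    header = next(reader)
    bad = []
    for row in reader:
        if len(row) != len(header):
            bad.append((reader.line_num, len(row)))
    return bad


def parse(csv_text):
    """Parse CSV text back into a list of rows, header included."""
    return list(csv.reader(io.StringIO(csv_text, newline="")))


if __name__ == "__main__":
    print("naive export, damaged rows :", misaligned_rows(export_naive(HEADER, ROWS)))
    print("quoted export, damaged rows:", misaligned_rows(export_quoted(HEADER, ROWS)))
```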
 
Symantec Network Access Control Enforcer cannot register with Symantec Endpoint Protection Manager
Fix ID: 2137544
Symptom: When the Symantec Endpoint Protection Manager server CPU usage is high, the Symantec Network Access Control Enforcer fails to register with Symantec Endpoint Protection Manager.
Solution: The algorithm used for Symantec Network Access Control Enforcer registration was improved.
 
DevViewer copy function does not work
Fix ID: 2137606
Symptom: When using the DevViewer tool from the Unsupported folder of the Symantec Endpoint Protection DVD, the Copy command does not function correctly and the string is not copied to the clipboard.
Solution: The DevViewer tool copy function was corrected.
 
Continuous LiveUpdate results in a random server running LiveUpdate
Fix ID: 2138882
Symptom: When there are multiple Symantec Endpoint Protection Manager servers in a single site and Continuous LiveUpdate is enabled, a random server runs LiveUpdate.
Solution: It is by design that a random server runs LiveUpdate when there are multiple servers in a single site. As a workaround, a new configuration option has been added to con.properties:
 
scm.server.liveupdate.disabled=<value>
 
If <value> is "1", "y", "true", or "yes", then LiveUpdate on that server is disabled. A customer can employ this workaround on multiple servers to ensure that LiveUpdate runs on the desired server.
 
Restricted users see instructions to click the Fix button in the Symantec Endpoint Protection client UI when there is no Fix button
Fix ID: 2138998
Symptom: A feature of Symantec Endpoint Protection is disabled, or definitions are out of date. The Symantec Endpoint Protection client UI prompts the user to click the Fix button. However, for a restricted Windows user, the Fix button is hidden.
Solution: If the user is restricted, the Fix button is not shown because the user does not have the necessary file and registry permissions to make changes to Symantec Endpoint Protection. Symantec Endpoint Protection no longer asks the user to click the Fix button if the Fix button is hidden.
 
Symantec Endpoint Protection Manager query for clients with out-of-date virus definitions returns Macintosh clients that have current definitions
Fix ID: 2140795
Symptom: The Virus Definition Distribution quick report for clients with out-of-date virus definitions returns Macintosh clients that have current definitions. The Windows client results are correct.
Solution: The underlying SQL query was modified to resolve this issue.
 
Commands initiated from Symantec Endpoint Protection Manager fail to run when executed against a group that contains User-mode clients
Fix ID: 2141332
Symptom: A command from Symantec Endpoint Protection Manager is initiated to a group that contains User-mode clients. The command fails to run.
Solution: A primary key issue was corrected to resolve this issue.
 
The Symantec Endpoint Protection Manager Home page reports that All systems are unprotected from W32.Imsolk.B@mm
Fix ID: 2141975
Symptom: The Symantec Endpoint Protection Manager Home page reports that All systems are unprotected from W32.Imsolk.B@mm.
Solution: A string format issue in the virus definition revision caused Symantec Endpoint Protection Manager to report that clients were unprotected. The string format issue was corrected.
 
The export of a client package using the Symantec Endpoint Protection Manager Web Console fails with the error: AjaxSwing error Internal Error
Fix ID: 2145546
Symptom: Exporting a client install package via the Symantec Endpoint Protection Manager Web Console fails with the following error: "AjaxSwing error Internal Error: Check log file for details and the stack trace..." The Symantec Endpoint Protection Manager Java Console is not affected by this issue.
Solution: The Symantec Endpoint Protection Manager Web Console was modified to resolve this issue.
 
The Group drop-down menu in logs and reports includes groups that no longer exist
Fix ID: 2146940
Symptom: The Group drop-down menu in logs and reports includes groups that no longer exist.
Solution: Symantec Endpoint Protection Manager was modified to correctly delete OU groups and sub-OU groups. Deleted groups no longer appear in the drop-down list.
 
Email notification body conflicts with the attached report
Fix ID: 2147037
Symptom: An email notification contains an attached report (.mht) with different computer totals than indicated in the email body.
Solution: Java and PHP queries were synchronized so that the notification body now matches the attachment.
 
Rtvscan.exe process terminates unexpectedly with exception code 40000015
Fix ID: 2147234
Symptom: Rtvscan.exe process terminates unexpectedly with exception code 40000015.
Solution: Rtvscan was modified to prevent the crash.
 
Quarantine Server returns missing content length error when files are submitted
Fix ID: 2148241
Symptom: The Quarantine console shows the status of submitted samples as Error, with the reason Missing Content-Length.
Solution: A redirection issue in WinHTTP was resolved to prevent this issue.
 
Excessive number of COH32.exe processes
Fix ID: 2152553
Symptom: Task Manager shows a large number of running or stuck COH32.exe processes.
Solution: Rtvscan was modified to prevent the launching of duplicate COH32.exe processes.
 
Some events may be omitted from Symantec Endpoint Protection Manager external logging
Fix ID: 2152670
Symptom: Some events may be omitted in external logging from the Symantec Endpoint Protection Manager. For example, only the first of a series of different risk detection events in a short time span may be listed in syslog or dump files, even though all events can be seen in the risk logs when viewed in the Symantec Endpoint Protection Manager.
Solution: SQL queries were modified to prevent data loss.
 
ClientRemote.exe process terminates unexpectedly with the special exception code c000000d
Fix ID: 2158061
Symptom: ClientRemote.exe process terminates unexpectedly with the special exception code c000000d.
Solution: A string format issue in ClientRemote.exe was corrected to prevent this crash.
 
The Virus Definitions Distribution report shows incorrect results for Macintosh clients
Fix ID: 2161348
Symptom: The Virus Definitions Distribution report may show more Macintosh clients than exist in the environment.
Solution: The report was incorrectly showing some Windows clients as Macintosh clients. The SQL query was updated to resolve this issue.
 
Scan start and end date/time are identical if scan continues beyond midnight local time
Fix ID: 2162894
Symptom: When a manual or scheduled scan continues beyond midnight local time, the start time is written to one log file and the end time is written to a second log file. The scan history shows the same date for "Started On" and "Completed" if the log retention settings are such that the log has been purged from the computer.
Solution: The Completed scan time is now shown as empty if it cannot be determined from the log files on the disk.
 
The remote console auto-populates the incorrect IP address in login console
Fix ID: 2163694
Symptom: On a computer with multiple network cards, the remote console may auto-populate with an incorrect, non-routable IP address.
Solution: The remote console now auto-populates with the IP address as determined by the browser session.
 
Client totals in Protection Content Versions report do not match the sum of individual counts
Fix ID: 2164519
Symptom: Client totals in the Protection Content Versions report do not match the sum of the individual client counts.
Solution: The bar chart and table were corrected so that the client totals add up correctly.
 
Administrator-defined scheduled scan settings are not migrated correctly from Symantec AntiVirus Corporate Edition 10.1 to Symantec Endpoint Protection 11.0
Fix ID: 2165113
Symptom: Administrator-defined scheduled scan settings for Macro viruses and Non-macro viruses are not correctly migrated from Symantec AntiVirus Corporate Edition 10.1 to Symantec Endpoint Protection 11.0.
Solution: The Symantec Endpoint Protection Manager console uses the default values for display if no setting can be determined for MacroVirusAction, NonMacroVirusAction, or SecurityRisksAction. When policies are applied, the default values are also used if they do not exist. In addition, Symantec Endpoint Protection Manager prints a message to the log: "SEVERE - The AV Policy: <name> is corrupt, Please check and update."
 
Unknown Exception errors in Scm-server.log and PackagePublisherTask.log due to a corrupt Antivirus/Antispam policy
Fix ID: 2188666
Symptom: The Scm-server.log and PackagePublisherTask.log files contain Unknown Exception errors due to a corrupt Antivirus/Antispam policy.
Solution: The Symantec Endpoint Protection Manager console uses the default values for display if no setting can be determined for MacroVirusAction, NonMacroVirusAction, or SecurityRisksAction. When policies are applied, the default values are also used if they do not exist. In addition, Symantec Endpoint Protection Manager prints a message to the log: "SEVERE - The AV Policy: <name> is corrupt, Please check and update."
 
Symantec Endpoint Protection Manager console hangs when you select Detected Processes in the TruScan Proactive Threat Scan Exceptions menu
Fix ID: 2166540
Symptom: In the Symantec Endpoint Protection Manager console, go to Policies > Centralized Exception > (policy) > Edit > Centralized Exceptions > Add > Windows Exceptions > TruScan Proactive Threat Scan Exceptions > Detected Processes. The Symantec Endpoint Protection Manager console hangs when you select Detected Processes if there is a large number of client groups.
Solution: A SQL query was optimized for better performance when there are a large number of client groups.
 
A Client view export from Symantec Endpoint Protection Manager only contains the first 1,000 entries
Fix ID: 2168449
Symptom: In the Symantec Endpoint Protection Manager Client view, when a search query results in more than 1,000 clients, the export in .CSV format contains only the first 1,000 entries.
Solution: The query was modified to return all records in the exported .CSV file.
 
Completed scan window cannot be closed due to a missing Close button
Fix ID: 2171285
Symptom: If multiple manual or scheduled scans start in series, the scan windows cannot be closed because the Close button never appears.
Solution: The scan window user interface was modified to show the Close button when the scan completes.
 
Duplicate entries in Symantec Endpoint Protection Manager external logging
Fix ID: 2171952
Symptom: Symantec Endpoint Protection Manager database maintenance generates duplicate entries in Symantec Endpoint Protection Manager external logging (syslog or dump file records). For example, Virus found or Security risk found events that have already been logged appear again in the external logging at a later date, with a time stamp corresponding to the default midnight maintenance.
Solution: The SQL query for external logging was modified to prevent deleted records from appearing.
 
The Packet Log detail shows incorrect port information for TCP and UDP
Fix ID: 2173173
Symptom: In the Packet Log viewer, port number, sequence number, and ack number may show negative values. The checksum may be shown in the incorrect host byte order.
Solution: The Packet Log viewer was modified to use unsigned formatting for port, sequence, and ack numbers. Network byte order is now used for the checksum. In addition, the font has been changed to fixed width for better readability.
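The symptom and fix above, reproduced on one TCP header as an added example (not Symantec's code). It assumes the unpatched viewer decoded ports, sequence and ack numbers as signed integers and read the checksum in little-endian host order; the header bytes are constructed, and the last helper converts values copied from an unpatched viewer back to their real values.

```python
import struct

# Constructed 20-byte TCP header (not from a real capture):
# src port 50000, dst port 443, seq 0xF0000001, ack 0x80000010,
# data offset 5 + ACK flag, window 65535, checksum 0x1C46, urgent pointer 0.
SAMPLE_TCP_HEADER = bytes.fromhex(
    "c350" "01bb" "f0000001" "80000010" "5010" "ffff" "1c46" "0000"
)


def decode_as_unpatched_viewer(header: bytes) -> dict:
    """Model of the symptom (assumed cause): signed types and host-order checksum."""
    if len(header) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    src, dst, seq, ack = struct.unpack_from("!hhii", header, 0)   # signed 16/32-bit
    (checksum,) = struct.unpack_from("<H", header, 16)            # little-endian read
    return {"src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
            "checksum": checksum}


def decode_as_fixed_viewer(header: bytes) -> dict:
    """Unsigned fields, everything read in network (big-endian) byte order."""
    if len(header) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    src, dst, seq, ack, _off_flags, _window, checksum, _urgent = struct.unpack_from(
        "!HHIIHHHH", header, 0
    )
    return {"src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
            "checksum": checksum}


def to_unsigned(value: int, bits: int) -> int:
    """Reinterpret a two's-complement signed value as unsigned of the same width."""
    return value & ((1 << bits) - 1)


def swap16(value: int) -> int:
    """Swap the two bytes of a 16-bit value."""
    return ((value & 0xFF) << 8) | ((value >> 8) & 0xFF)


def normalise_legacy_record(record: dict) -> dict:
    """Recover real values from a record displayed by the unpatched viewer."""
    return {
        "src_port": to_unsigned(record["src_port"], 16),
        "dst_port": to_unsigned(record["dst_port"], 16),
        "seq": to_unsigned(record["seq"], 32),
        "ack": to_unsigned(record["ack"], 32),
        "checksum": swap16(record["checksum"]),
    }


if __name__ == "__main__":
    legacy = decode_as_unpatched_viewer(SAMPLE_TCP_HEADER)
    print("unpatched view:", legacy)
    print("fixed view    :", decode_as_fixed_viewer(SAMPLE_TCP_HEADER))
    print("normalised    :", normalise_legacy_record(legacy))
```

Ports above 32767 and sequence or ack numbers above 2147483647 are the values that appear negative, so filters or correlation rules written against packet logs from an unpatched console should normalise them before matching.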
 
Location Awareness template for Safenet Softremote incorrectly identifies the connection as Juniper Netscreen VPN
Fix ID: 2174607
Symptom: A location awareness policy contains two locations: one for Juniper NetScreen VPN and one for Safenet Softremote. Clients running Safenet Softremote incorrectly switch to the Juniper Netscreen location.
Solution: Juniper NetScreen VPN and SafeNet SoftRemote VPN are now merged into a single location template.
 
Symantec Endpoint Protection Manager console check boxes can be selected by clicking outside the bounds of the check box
Fix ID: 2179119
Symptom: In the Symantec Endpoint Protection Manager remote console, some check boxes (for example, Symantec Endpoint Protection Manager > Clients > Group > Properties > Block New Clients) can be selected without clicking directly on the check box.
Solution: The remote console UI was modified to distinguish between clicks on the description vs. the check box.
 
Symantec Endpoint Protection client downloads a full.zip file instead of the delta
Fix ID: 2179554
Symptom: If the Symantec Endpoint Protection Manager server is heavily loaded, a client requesting a delta will not get a reply from the server in a timely manner. The client retries and obtains a "full.zip" file instead of the delta.
Solution: Symantec Endpoint Protection Manager now correctly handles subsequent requests from clients and allows the first one to complete before serving another request.
 
A notification is displayed for a blocked device, even if the "Notify users when devices are blocked" option is disabled
Fix ID: 2183345
Symptom: The application and device control policy has disabled the option "Notify users when devices are blocked". When the client user accesses a blocked device, Symantec Endpoint Protection may display a notification.
Solution: The check box label was modified to read as follows: Notify users when devices are blocked or unblocked.
 
A limited administrator cannot change Antivirus/Antispam policies
Fix ID: 2183562
Symptom: Administrators with limited rights who can manage a certain group cannot manage Antivirus/Antispam policies.
Solution: The remote console was modified so that second or third level windows inherit the privileges from the parent window.
 
Migrating from Symantec AntiVirus Corporate Edition 10.1 to Symantec Endpoint Protection 11.0 does not restart the client as expected
Fix ID: 2185290
Symptom: A Symantec Endpoint Protection client installation package is marked for silent restart after installation. The package is deployed to the Symantec AntiVirus Corporate Edition 10.1 client, but the client does not restart as expected at the end of the migration.
Solution: A Windows function call was not returning correctly and did not pass the reboot status to the installer. The code was modified to pass the correct status to allow the reboot to occur.
 
A group name may appear more than once in the Group Filter field when you create a report
Fix ID: 2185329
Symptom: A group name may appear more than once in the Group Filter field when you create a report.
Solution: The Symantec Endpoint Protection Manager console was modified to correct any redundant group names in the filter creation window.
 
Symantec Endpoint Protection Manager LiveUpdate server settings policy allows you to add to the internal LiveUpdate server list even though the list is inactive
Fix ID: 2188576
Symptom: Symantec Endpoint Protection Manager LiveUpdate server settings policy allows you to add to the internal LiveUpdate server list even though the list is inactive.
Solution: User interface elements in the third-party LiveUpdate server panel are now controlled by LiveUpdate server status to prevent this issue.
 
Legacy Symantec AntiVirus Corporate Edition servers cannot send logs to Symantec Endpoint Protection Manager
Fix ID: 2188759
Symptom: Legacy Symantec AntiVirus Corporate Edition servers may intermittently stop sending logs to the Symantec Endpoint Protection Manager server. The legacy.sab file on the Symantec Endpoint Protection Manager server does not maintain the correct configuration.
Solution: The legacy.sab file was being overwritten with an incorrect value when administrators logged into Symantec Endpoint Protection Manager. Symantec Endpoint Protection Manager was modified to preserve the correct legacy.sab value.
 
The Symantec Endpoint Protection client is unable to clean invalid content from the download folder
Fix ID: 2189176
Symptom: The Symantec Endpoint Protection client receives the message: "Not configured to update from Symantec Endpoint Protection Manager." Temporary (.tmp) files remain in the directory %Program Files%\Symantec\Symantec Endpoint Protection\LiveUpdate and cannot be purged.
Solution: The Symantec Endpoint Protection client was modified to correctly purge temporary content when it is no longer needed.
 
Notification delivery is inconsistent when configured with a damper period
Fix ID: 2189828
Symptom: Only one notification is received if threats are found at an interval greater than the damper period. For example, if the damper period is 20 minutes, and the same threat is reported every 25 minutes, only one notification is received.
Solution: The SQL query for notifications was modified to correctly report notifications if a damper period is selected.
 
Exported risk logs in .CSV format do not show the IP address of the device with the risk
Fix ID: 2191485
Symptom: Exported risk logs in .CSV format do not show the IP address of the device with the risk.
Solution: A column for "IP Address" was added to the exported risk log in .CSV format.
 
The Symantec Endpoint Protection client risk log is inconsistent with the Symantec Endpoint Protection Manager risk log for the same event
Fix ID: 2192871
Symptom: The Symantec Endpoint Protection client risk log indicates "restart required - quarantined" but the Symantec Endpoint Protection Manager risk log for the same event only shows "Virus found (Quarantined)".
Solution: A new STATUS column was added to the ALERTS table to track the status of the risk log (success vs. restart required). The SQL queries used for the risk log were modified to take this status into account to ensure the client and server risk logs are consistent.
 
Smc.exe causes a high CPU load on Windows 2008 R2 Terminal Server
Fix ID: 2192985
Symptom: Smc.exe causes a high CPU load on Windows 2008 R2 Terminal Server.
Solution: Smc.exe was optimized to reduce the frequency of enumerating terminal server sessions and processes.
 
Symantec Endpoint Protection Manager log file contains the message: Datastore Error; For input string: "((1))"
Fix ID: 2194856
Symptom: The Symantec Endpoint Protection Manager log for processing clients displays the following message: Datastore Error; For input String: "((1))". This results in the failure of Symantec Endpoint Protection Manager to update client data.
Solution: A database API call was returning an unexpected value. Symantec Endpoint Protection Manager was modified to correctly parse the value and avoid the exception.
 
The Rtvscan.exe process terminates unexpectedly with exception code 80000003
Fix ID: 2195830
Symptom: The Rtvscan.exe process terminates unexpectedly with exception code 80000003.
Solution: Additional error checking was added to Rtvscan.exe to prevent this crash.
 
Randomized scans run multiple times and are not consistent
Fix ID: 2196367
Symptom: On Windows 7, a weekly scheduled scan is configured with a randomization window. The scan may run multiple times within that window.
Solution: The randomized scan logic was optimized to prevent multiple scans from running in the same time window.
 
Wireless MAC address is not reported to Symantec Endpoint Protection Manager server
Fix ID: 2197860
Symptom: When a wireless adapter is enabled, the adapter's MAC address is not reported to Symantec Endpoint Protection Manager and does not appear in reports.
Solution: Out-of-date MAC entries in the LAN_DEVICE_DETECTED table are now cleaned correctly. This was preventing the new MAC address from registering with Symantec Endpoint Protection Manager.
 
TN3270 terminal emulation software causes the computer to hang when Symantec Endpoint Protection 11.0 is installed
Fix ID: 2197976
Symptom: When certain TN3270 terminal emulation software is installed, it may cause the computer to hang when Symantec Endpoint Protection 11.0 is installed.
Solution: SSSensor.dll was modified to prevent a deadlock during packet examination.
 
Symantec Endpoint Protection Manager home page Risk Per Hour charts show 100 events when only a single risk event is found
Fix ID: 2200505
Symptom: Symantec Endpoint Protection Manager home page Risk Per Hour charts show 100 events when only a single risk event is found.
Solution: The Symantec Endpoint Protection Manager home page logic was modified to correct the Risk Per Hour chart.
 
BugCheck D1 (DRIVER_IRQL_NOT_LESS_OR_EQUAL) references wpsdrvnt.sys
Fix ID: 2202918
Symptom: The computer crashes with BugCheck D1 (DRIVER_IRQL_NOT_LESS_OR_EQUAL (D1)) when Symantec Endpoint Protection 11.0 is installed. The blue screen error references wpsdrvnt.sys.
Solution: Additional error checking was added to wpsdrvnt.sys to prevent this crash.
 
AgentLogCollector-0.log contains an error regarding code page 65001 (UTF-8)
Fix ID: 2204547
Symptom: The following errors are displayed in the AgentLogCollector-0.log when Symantec Endpoint Protection Manager is configured for a SQL 2008 server:
2010-10-14 18:58:21.893 FINE: SQLException: Failed to load data: SQLState = S1000, NativeError = 0
Error = [Microsoft][SQL Server Native Client 10.0]This version of SQL Server Native Client does not support UTF-8 encoding (code page 65001) Using batch handler
Solution: Symantec Endpoint Protection Manager was modified so that bcp.exe is never run in Batch Mode. In Bcp Mode, Symantec Endpoint Protection Manager runs bcp.exe first and falls back to Batch Mode if any errors are encountered.
 
Broadcom network adapter configuration is modified unexpectedly when Symantec Endpoint Protection 11.0 is installed
Fix ID: 2213075
Symptom: The Broadcom network adapter Duplex configuration is unexpectedly changed when Symantec Endpoint Protection 11.0 is installed.
Solution: Symantec Endpoint Protection was modified with enhanced NDIS6 support in this release to resolve the issue.
 
Symantec Endpoint Protection Manager remote console Home/Monitor/Report pages load very slowly or time out
Fix ID: 2216089, 2223013
Symptom: The first three pages (Home/Monitor/Report) in the Symantec Endpoint Protection Manager remote console are very slow to load (5 minutes or more) and may time out.
Solution: A new stored procedure and an index were added to optimize the Home/Monitor/Reports pages.
 
The Symantec Endpoint Protection client user interface displays green status for malfunctioning firewall
Fix ID: 2216186
Symptom: The Symantec Endpoint Protection client management system logs show the error "Firewall driver failed to open network adapter" and the firewall does not block connections as expected by policy. The client user interface shows the firewall is ON and functioning correctly.
Solution: When the Teefer driver cannot be opened, SMC now correctly broadcasts red status to the user interface.
 
When Symantec Endpoint Protection Manager machine locale is set to Thai, reports generated (risk, scan reports) from Symantec Endpoint Protection Manager show the date 1/1/1970
Fix ID: 2216942
Symptom: When the Symantec Endpoint Protection Manager machine locale is set to Thai, the reports that are generated (risk, scan reports) from Symantec Endpoint Protection Manager show the date 1/1/1970.
Solution: The Symantec Endpoint Protection client was modified to save data with the Gregorian calendar format. Symantec Endpoint Protection Manager was modified to detect and correctly display any legacy logs in Buddhist calendar format.
 
The Comprehensive Risk Report shows discovered dates as 12/31/1969 in certain time zones
Fix ID: 2220016
Symptom: The Comprehensive Risk Report may show some dates as 12/31/1969 in some time zones.
Solution: Symantec Endpoint Protection Manager was corrected to show the proper date, or to show Unknown if the date cannot be determined.
 
PTP scan results in a large amount of traffic to Samba file server
Fix ID: 2221915, 2235099
Symptom: The PTP scan in Symantec Endpoint Protection 11.0 enumerates the Start Menu .lnk files. If these link files resolve to a network share, the links are followed. A large number of Symantec Endpoint Protection clients running PTP scans simultaneously may result in a large amount of traffic to the network share.
Solution: The COH component was optimized to reduce the need to access the network share during PTP scans.
 
Symantec Endpoint Protection Manager Web console OK button stops functioning after certain operations
Fix ID: 2223851
Symptom: The Symantec Endpoint Protection Manager Web console OK button stops functioning after the LiveUpdate timeout interval is modified.
Solution: The Web console was corrected to resolve this issue.
 
Application and Device Control behaves differently in the Symantec On-Demand Protection virtual desktop
Fix ID: 2224081
Symptom: An Application and Device Control policy is configured to allow running wordpad.exe when it is launched under the Symantec On-Demand Protection virtual desktop environment. The policy behaves as expected in Windows XP, but not in Windows 7.
Solution: Operating System Protection (OSP) inheritance was modified on Vista and above operating systems to resolve this issue.
 
The Symantec Endpoint Protection Manager console displays GMT time instead of local time on the Monitors/Reports pages after upgrading from Symantec Endpoint Protection 11.0 RU6a to RU6-MP2
Fix ID: 2227371
Symptom: After upgrading Symantec Endpoint Protection Manager from Symantec Endpoint Protection 11.0 RU6a to RU6-MP2, the console always displays time as GMT instead of local time on the Monitors and Reports pages.
Solution: The time zone calculation logic in Symantec Endpoint Protection Manager was corrected to resolve this issue.
 
IIS fails to start Secars.dll and cannot process clients
Fix ID: 2227598
Symptom: Secars is unable to receive the Tomcat client cache information (action=35) and fails to start.
Solution: IIS 7.0 changed the default limit for maximum allowed content length to 30 megabytes. If the Tomcat client cache exceeds this value, Secars fails to start. During Symantec Endpoint Protection Manager installation/migration, the IIS 7.0 max allowed content length is changed to 500 megabytes.
 
Symantec Endpoint Protection Manager administrators who log out of the Web console are not shown as logged out
Fix ID: 2229298
Symptom: The status report for online Symantec Endpoint Protection Manager administrators is not accurate when administrators log on and off using the Web console. Administrators are shown as logged in when they are not.
Solution: The Web console was modified to ensure that the logout function executes correctly. In addition, the logic to determine the online/offline status was enhanced.
 
The Reports to Include option for a Scheduled Comprehensive Risk Report is reset to the default when the filter is saved as Default in Korean
Fix ID: 2230808
Symptom: The Reports to Include setting for a Scheduled Comprehensive Risk Report is reset to the default when the filter is saved as Default in Korean.
Solution: A PreparedStatement is now used to query the filter by filter name.
 
Smc.exe process terminates unexpectedly with exception code e06d7363
Fix ID: 2232964
Symptom: When SMC is stopped with the command smc -stop, the smc.exe process may terminate unexpectedly with exception code e06d7363.
Solution: The Group Update Provider (GUP) feature in smc.exe was modified to prevent this crash.
 
Symantec Endpoint Protection Manager fails to replicate some data in the SCANS table
Fix ID: 2236222
Symptom: SQL queries executed on the SCANS table on two replicated databases may show discrepancies. In some cases a client's last scan time is not identical, or one site contains client scan records that are missing on the other site.
Solution: Replication was enhanced with caching to ensure that the client scan data is replicated correctly.
 
Symantec Endpoint Protection Manager experiences multiple failures: failed replication, creation of 0-byte packages, and slow remote console access
Fix ID: 2237558, 2292931, 2240393
Symptom: Symantec Endpoint Protection Manager experiences multiple failures: failed replication, creation of 0-byte packages, and slow remote console access.
Solution: A deadlock in a SQL query was resolved to prevent these issues.
 
Restoring Symantec Endpoint Protection Manager database results in high CPU usage by SemSvc.exe
Fix ID: 2239986
Symptom: During a database restore, SemSvc.exe causes high CPU usage and does not recover.
Solution: An invalid client package in the database failed to import. During database restore, SemSvc.exe would attempt to import the package repeatedly. SemSvc.exe was modified to skip invalid client packages.
 
CygWin fatal error "couldn't allocate heap" when running Perl script with Application and Device Control enabled
Fix ID: 2241805
Symptom: The client has an active and enabled Application and Device Control policy. A Perl script running inside CygWin may fail with fatal error: couldn't allocate heap.
Solution: The Application and Device Control driver, sysplant.sys, was modified to use a different memory allocation method to prevent this error.
 
The Symantec Endpoint Protection system log displays Windows 7 clients as "Windows Vista"
Fix ID: 2241934
Symptom: A Symantec Endpoint Protection system log may incorrectly display the operating system as "Windows Vista" for a Windows 7 client.
Solution: A Windows API call in the Symantec Endpoint Protection client was changed so that the operating system version is determined correctly.
 
Embedded database version displayed on the Symantec Endpoint Protection Manager console is not correct
Fix ID: 2244601
Symptom: The version of the embedded database is incorrect in the Symantec Endpoint Protection Manager console (Admin > Servers > Local host database).
Solution: The embedded database version is now correctly updated in the schema during migration.
 
Updating the Install Data Collection setting causes an exception on the server
Fix ID: 2245924
Symptom: When updating the Install Data Collection setting in Symantec Endpoint Protection Manager, the scm-server-0.log file may contain the error, "SEVERE: PackageTask.publishPackages: Caught exception while unzipping client package!"
Solution: After updating the IDC setting, the package task no longer includes 0-byte delta packages.
 
Application and Device Control policy causes a third-party application to consume 100% CPU
Fix ID: 2251285
Symptom: When Symantec Endpoint Protection is installed and an Application and Device Control policy is enabled, a third-party application consumes 100% CPU.
Solution: The Sysfer DLL was modified to correctly handle shadow copy.
 
Symantec Endpoint Protection Manager log warns of PRIMARY KEY violation
Fix ID: 2253184
Symptom: The Symantec Endpoint Protection Manager log contains the error message "SEVERE: Unknown Exception java.sql.SQLException: Violation of PRIMARY KEY constraint 'PK_SEM_COMPUTER'. Cannot insert duplicate key in object 'dbo.SEM_COMPUTER'."
Solution: A SQL query was modified to prevent the primary key violation.
 
Replication fails due to deadlock during ReplicationTask
Fix ID: 2253188
Symptom: Replication fails due to deadlock during ReplicationTask while processing SEM_CONTENT_DEL table.
Solution: The batch size for table replication was increased to resolve this issue.
 
Symantec Endpoint Protection Manager is slow to process .dat files
Fix ID: 2273344
Symptom: Symantec Endpoint Protection Manager is slow to process .dat files, causing the .dat files to build up in the AgentInfo folder. The Secars log may include the message "The disk space allocated for inbox is full."
Solution: The performance of AgentInfo was increased by adding an index and using several prepared statements.
 
NTP displays the message "Waiting for updates" after migration
Fix ID: 2275269
Symptom: An Antivirus-only installation of Symantec Endpoint Protection is upgraded to one with firewall/NTP using the ADDLOCAL="Firewall" option to msiexec. After migration, the NTP stripe in the Symantec Endpoint Protection UI displays the message: Waiting for updates.
Solution: Network Threat Protection content was not being applied correctly during migration. The DefUtils component was updated to resolve this issue.
 
Local user profiles become corrupted on Windows Vista and Windows 7 computers
Fix ID: 2291558
Symptom: Users are unable to log on to their local Windows profiles.
Solution: The method that Rtvscan.exe uses to monitor the user's scheduled scan registry has been enhanced to resolve this issue.
 
BugCheck 8E (KERNEL_MODE_EXCEPTION_NOT_HANDLED) references Sysplant.sys
Fix ID: 2291863, 2275174
Symptom: The computer crashes with BugCheck 8E (KERNEL_MODE_EXCEPTION_NOT_HANDLED) when Symantec Endpoint Protection 11.0 is installed. The blue screen error references sysplant.sys.
Solution: The Application and Device Control driver (sysplant.sys) was modified to obtain file path data from the PEB structure.
 
Antivirus definitions become stuck on a single revision until SMC is restarted or the computer is rebooted
Fix ID: 2296147
Symptom: Antivirus definitions become stuck on a single revision and are not affected by a LiveUpdate. The client updates definitions only if the SMC.exe service is restarted or the computer is rebooted.
Solution: SMC.exe was modified to prevent a condition where it fails to apply new content because another type of content is pending.
 
Replication performance is decreased after upgrading to Symantec Endpoint Protection 11.0 RU6 MP2
Fix ID: 2305346, 2297935, 2312010
Symptom: Replication performance is decreased after upgrading to Symantec Endpoint Protection 11.0 RU6 MP2. A SQL query of the SEM_CONTENT table shows many stale entries.
Solution: SQL queries were optimized and stale entries in the SEM_CONTENT table are now removed during the sweeping task.
 
Large numbers of VDI sessions become unresponsive
Fix ID: 2315197
Symptom: In a virtual desktop infrastructure environment, VDI sessions running Symantec Endpoint Protection 11.0 may become unresponsive or hang.
Solution: The COH component was modified to prevent a condition in which it cannot correctly determine the owner of a process.
 
After migration from Symantec AntiVirus Corporate Edition 10.1 to Symantec Endpoint Protection 11.0, clients report AV Engine Off until SMC service is restarted
Fix ID: 2334318
Symptom: A client is migrated from Symantec AntiVirus Corporate Edition 10.1 to Symantec Endpoint Protection 11.0. After migration, the Symantec Endpoint Protection clients report AV Engine Off.
Solution: Rtvscan was incorrectly reporting the AV Engine status due to the service name change between Symantec AntiVirus Corporate Edition and Symantec Endpoint Protection. Symantec Endpoint Protection now queries the correct service name.
 
A new help window is opened for every use of F1
Fix ID: 2349564
Symptom: A new help window displays each time the F1 key is pressed.
Solution: Before launching Windows Help (hh.exe), Symantec Endpoint Protection now checks whether the help has already been launched.

 

Release Update 6 Maintenance Patch 3 (RU6 MP3)

What's new in this version
Symantec Endpoint Protection RU6 MP3 provides fixes since the release of RU6 MP2. This maintenance patch cannot be installed over any versions of Symantec Endpoint Protection or Symantec Endpoint Protection Manager prior to RU6. It must be installed over RU6, RU6a, RU6 MP1, or RU6 MP2.
 
Network file operations are slower when file system Auto-Protect is enabled
Fix ID: 1886713
Symptom: File I/O over the network is slower when file system Auto-Protect is enabled.
Solution: Auto-Protect was optimized to perform better on network operations when exclusions are used.
 
File and share access is slower when connecting to Windows 2008 servers
Fix ID: 1939686
Symptom: Network access time is slower between Windows XP clients and Windows 2008 servers when accessing shares.
Solution: Auto-Protect was optimized to perform better on network operations when exclusions are used.
 
File system Auto-Protect network scanning consumes excess network bandwidth
Fix ID: 2140818
Symptom: Network scanning of file system Auto-Protect causes excess bandwidth.
Solution: Auto-Protect was optimized to perform better on network operations when exclusions are used.
 
Domain controller or router is detected by Symantec Endpoint Protection as MAC spoofing
Fix ID: 2049673
Symptom: The first time a computer running Symantec Endpoint Protection is connected to a wired network, Symantec Endpoint Protection detects the domain controller or router as MAC spoofing. The following messages may appear in the Symantec Endpoint Protection log: "Active Response Major: Traffic from IP address <address> is blocked from <start time> to <end time>." or "Active Response Disengaged: Active Response that started at <start time> is disengaged. The traffic from IP address <address> was blocked for 600 second(s)."
Solution: The MAC spoofing detection will only alert after the second ARP response is detected.
 
Microsoft Excel files open slowly from Microsoft Outlook when third-party Outlook add-ons are installed
Fix ID: 2070109
Symptom: Microsoft Excel files are slow to open from Microsoft Outlook when certain third-party Outlook add-ons are installed.
Solution: Auto-Protect was optimized to reduce certain file name normalization and file size query operations.
 
File copying dialog hangs when copying between Windows 7 and Windows 2008 computers
Fix ID: 2102159
Symptom: With Server Message Block version 2 (SMB2) enabled, file copies between Windows 7 and Windows 2008 may hang. The file copy dialog may never complete.
Solution: The Teefer2 driver was optimized to avoid a FIFO queue bottleneck when processing SMB2 packets.
 
Symantec NetBackup communications lost when Symantec Endpoint Protection is installed
Fix ID: 2114674
Symptom: Network communications are lost when a client running Symantec Endpoint Protection is connected to a NetBackup media server, and the server is under high load (e.g. multiple jobs running).
Solution: The Teefer2 driver was optimized to avoid a FIFO queue bottleneck when processing SMB2 packets.
 
Client connection to the server fails when proxy servers are configured
Fix ID: 2125088
Symptom: The Symantec Endpoint Protection client is unable to establish communication with the server when a proxy is used. The client logs may contain the messages "Unable to create Session with 'User Proxy' settings - Proxy Server: Error Code: 87" or "Unable to create Session with 'No Proxies' settings - Error Code: 87".
Solution: Symantec Endpoint Protection was not getting a proper INET session handle when a proxy is used due to a change in the Microsoft API call InternetOpen(). Symantec Endpoint Protection was modified to use INTERNET_OPEN_TYPE_DIRECT instead of INTERNET_OPEN_TYPE_PROXY.
 
System Lockdown fails when access to registry is hardened
Fix ID: 2132838
Symptom: System Lockdown is not working as expected. The Symantec Endpoint Protection logs contain the messages "Sysfer exception 1032 C:\WINDOWS\system32\svchost.exe" or "Sysfer exception 260 C:\WINDOWS\system32\lsass.exe".
Solution: Lack of privilege to read certain registry values was causing an exception in Sysfer. Symantec Endpoint Protection was modified to correct the exception.
 
SMC.exe process consumes excessive virtual memory
Fix ID: 2137535
Symptom: A Symantec Endpoint Protection client acting as a GUP may leak virtual memory.
Solution: Symantec Endpoint Protection was modified to properly clean up an object that was not being destroyed when the client is a GUP.
 
Applications launch slowly over network shares
Fix ID: 2141780
Symptom: Applications running on a Windows 2008 server running Symantec Endpoint Protection are slow to load when file system Auto-Protect is enabled on the server and files on the server are encrypted.
Solution: When files on the server are encrypted, file system Auto-Protect generates an extra create call to LSASS to get the encryption key. This results in degraded performance as well as a situation in which Symantec Endpoint Protection's access to the file is denied.
An option has been added to allow Symantec Endpoint Protection to skip these scans, resulting in increased performance but decreased security. When the scans are skipped, a machine not running Symantec Endpoint Protection will be able to copy a threat to the server. The threat will be detected by the server if it is accessed by any server application, by another client running Symantec Endpoint Protection, or by a manual scan on the server.
Customers may obtain the tool via Symantec Technical Support.
An alternative to the tool is to exclude encrypted files and folders using file system Auto-Protect exclusions.
 
GUP does not respond immediately to client requests when policy contains GUPs in different subnet
Fix ID: 2143552
Symptom: Clients do not immediately contact the nearest GUP when a policy is applied that contains a GUP in a different subnet. The client does not download from the GUP until the threshold set by "Maximum time that clients try to download updates from a GUP before Symantec Endpoint Protection Manager" has passed.
Solution: The GUP is now considered ready for connections if the GUPLIST that includes the static GUP is not empty.
 
SmcGui.exe is unstable when the A.V.A. game is running
Fix ID: 2149778
Symptom: SmcGui.exe process crashes when the A.V.A. game is executed.
Solution: The Microsoft API call GetDC() returns a NULL pointer when the A.V.A. game is running. Symantec Endpoint Protection was modified to check for this condition.
 
SMC.exe is unstable when processing improper UDP packets
Fix ID: 2158106
Symptom: After upgrading to Symantec Endpoint Protection 11.0 RU6 or RU6 MP1, the SMC.exe process terminates unexpectedly.
Solution: Improper UDP packets were causing an unhandled exception in SMC. SMC was modified to validate UDP packets correctly before processing them.
 
Error when navigating on French language Symantec Endpoint Protection Manager Client tab
Fix ID: 2161962
Symptom: On the French localized Symantec Endpoint Protection Manager, on the client tab of a group with a large number of clients, clicking the ">|" button to see the last page gives an error: Echec de laffichage des donnees de la page {0.EN_US}. Motif : chaine dentree : " 1 de 41".
Solution: An inconsistency in client UI pages was resolved to solve this issue.
 
LSASS.exe process usage spikes when files are accessed on a Windows Server 2003 system
Fix ID: 2166510
Symptom: LSASS.exe CPU usage spikes when files are accessed on a Windows Server 2003 system.
Solution: When files on the server are encrypted, file system Auto-Protect generates an extra create call to LSASS to get the encryption key. This results in degraded performance as well as a situation in which Symantec Endpoint Protection's access to the file is denied.
An option has been added to allow Symantec Endpoint Protection to skip these scans, resulting in increased performance but decreased security. When the scans are skipped, a machine not running Symantec Endpoint Protection will be able to copy a threat to the server. The threat will be detected by the server if it is accessed by any server application, by another client running Symantec Endpoint Protection, or by a manual scan on the server.
Customers may obtain the tool via Symantec Technical Support.
An alternative to the tool is to exclude encrypted files and folders using file system Auto-Protect exclusions.
 
Windows Firewall status changes incorrectly if Network Threat Protection is not installed
Fix ID: 2168437
Symptom: Symantec Endpoint Protection is installed without Network Threat Protection (NTP). When switching to a location that enables NTP, Windows Firewall is disabled.
Solution: Symantec Endpoint Protection was modified to check the profile for NTP installation state before enabling or disabling Windows Firewall.
 
Symantec Endpoint Protection client requests full.zip antivirus content instead of a delta
Fix ID: 2176922
Symptom: A newly installed Symantec Endpoint Protection client will download the full.zip antivirus content from the server when it should download a delta instead.
Solution: Symantec Endpoint Protection was modified to prevent a condition where a newer version of the usage.dat file could be overwritten by stale data.
 
Virus definition sequence number is reported inaccurately in the database
Fix ID: 2187364
Symptom: Virus definition sequence number is not accurately reported in the database.
Solution: Symantec Endpoint Protection was incorrectly setting the definition sequence number to 0 even if the definitions were in use. This value was propagated to the Symantec Endpoint Protection Manager database. Symantec Endpoint Protection was modified to check if the virus definitions are in use before setting the value to 0.
 
Symantec Endpoint Protection client location awareness changes location incorrectly
Fix ID: 2189866
Symptom: A Symantec Endpoint Protection client with location awareness enabled changes locations incorrectly.
Solution: If the TTL (time-to-live) on DNS responses is very short, Symantec Endpoint Protection may incorrectly detect a new location change. Symantec Endpoint Protection was modified to handle very short TTL on DNS responses.
 
GUPs request incorrect delta package from server
Fix ID: 2202771
Symptom: One client comes online after being off-line for some time. The client requests a delta from its GUP covering the off-line time span. All other GUPs on the same subnet incorrectly request the same delta from the server.
Solution: Microsoft changed the default receive timeout in Internet Explorer 7 from 3600 seconds to 30 seconds. This may cause client connections to be cancelled before the GUP can finish downloading the content from Symantec Endpoint Protection Manager. This results in the client switching to the next GUP. Symantec Endpoint Protection was modified to properly apply the correct timeout to the connection handle.
 
Network connections to an application server are disconnected
Fix ID: 2214576
Symptom: Clients running an application from an application server disconnect after upgrading to Symantec Endpoint Protection 11.0 RU5.
Solution: The Teefer2 driver was optimized to avoid a FIFO queue bottleneck when processing SMB2 packets.
 
Symcorpui.exe is unstable when running a manual scan on Windows 7 64-bit
Fix ID: 2229978
Symptom: Symcorpui.exe terminates unexpectedly when running a manual scan on Windows 7 64-bit.
Solution: Symantec Endpoint Protection did not have adequate rights to a registry key, resulting in an unhandled exception in Symcorpui.exe. Symantec Endpoint Protection was modified to prevent this crash.
 
Performance of file save operations to a network server degrades over time
Fix ID: 2239945
Symptom: Business applications that save to a network server eventually become very slow, then hang. When the slowdown or hang occurs, end users can temporarily remediate by stopping and starting the smc.exe process.
Solution: Auto-Protect was optimized to reduce certain file name normalization and file size query operations.
 
White-listing of Network Access Control clients does not work correctly
Fix ID: 2240825
Symptom: A device that should be white-listed is getting a quarantine configuration.
Solution: DHCP Enforcer was incorrectly comparing profile serial numbers in some environments. The Enforcer was modified to prevent this issue.
 
SmcGui.exe is unstable after using the command "smc -stop"
Fix ID: 2243925
Symptom: SmcGui.exe crashes after using the command "smc -stop".
Solution: Symantec Endpoint Protection was modified to use a different method for new thread creation to prevent the crash.

 

Release Update 6 Maintenance Patch 2 (RU6 MP2)

What's new in this version

The current release includes the following improvements that make Symantec Endpoint Protection and Symantec Network Access Control easier and more efficient to use. This maintenance patch cannot be installed over any versions of Symantec Endpoint Protection or Symantec Endpoint Protection Manager prior to RU6. It must be installed over RU6, RU6a, or RU6-MP1.

Symantec Protection Center
Symantec Protection Center is a Web-based console that allows you to access and manage multiple Symantec products. The console provides visibility and analytics across products as well as useful security feedback and attack statistics.

The console provides a single sign-on screen for the following registered Symantec products:

  • Symantec Endpoint Protection

  • Symantec Critical System Protection

  • Symantec Web Gateway

  • Symantec Brightmail Gateway

  • Symantec IT Analytics

  • Symantec Data Loss Prevention

Symantec Endpoint Protection Manager Web-based console
You can access Symantec Endpoint Protection Manager remotely in a Web-based console. The Java-based remote console is also still available.

Symantec Endpoint Protection for Macintosh
You can use Symantec Endpoint Protection Manager to manage Mac OS X clients that run Symantec software.

Randomized scheduled scans
You can specify a time interval during which scheduled scans start, and enable the scans to start at different times within that time interval. By running scans at random times, you can increase scan performance, especially in virtualized environments.

Enhanced default Antivirus and Antispyware security policies
For new product installations, changes in the default security policies make Symantec Endpoint Protection more efficient at detecting malware.

Customers who upgrade to Symantec Endpoint Protection version 11 RU6a MP2 do not receive new default policies. To see the new recommended Antivirus and Antispyware security policy settings, so that you can make the changes in your policies manually, see Security Response recommendations for Symantec Endpoint Protection settings.

The Symantec Endpoint Recovery Tool
The Symantec Endpoint Recovery Tool provides an image that you can burn on a disc, and then use to scan and remove malware from client computers. You use this tool for the computers that are too infected for Symantec Endpoint Protection to clean effectively.

You can download the tool from the following URL: https://fileconnect.symantec.com/.

You need your Symantec Endpoint Protection serial number to download the tool.

Host Integrity policies check for additional security software
You can run a Host Integrity check to see whether the client computers run the following software:

  • Norton Antivirus 2010
  • Norton Internet Security 2010
  • Norton 360 Version 3.0
  • Symantec Endpoint Protection Version 11 Release Update 6a, MP2
  • McAfee Internet Security 2010
  • McAfee VirusScan Plus 2010
  • McAfee Total Protection 2010
  • McAfee VirusScan Enterprise 8.7i
 
Components included in this version
Autoprotect: 10.3.4.4
AVComp: 2.0.58.0
Behaviour Blocking: 3.5.3.004
CCEraser: 20072.0.1.6
COH: 6.1.12.15
Common Client: 6.5.3.005
DecABI: 1.2.6.1
Defutils: 4.1.3.3
Deuce Engine: 3.0.2.2007-06-06_01
ECOM: 81.3.0.17
Intelligent Updater: 5.0.1.6
LiveUpdate: 3.3.0.99
LiveUpdateAdmin: 2.2.2.9
MAC Client: 11.0.57xx.203
Microdefs: 2.7.0.13
QServer: 3.6.6200.56
SAV for Linux: 1.0.10.26
SNAC DHCP: 11.0.389
SNAC ODA: 11.0.6200.416
SNAC Scanner: 5.1.5.94
SyKnAppS: 3.0.3.3
SymEvent: 12.8.3.23
SymNetDrv: 7.2.5.9
Teefer2: 11.0.6170.27
VxMS (MSLight): 5.2.0.4
WpsHelper: 12.0.0.20
 
Behavior and user interface changes
 
Performance improvements made for AutoProtect to reduce system slowdown when applications load
Fix ID: 2080191 & 2178828
Symptom: System performance slowdown when applications load a large number of temp files on startup with FileSystem AutoProtect enabled.
Solution: AutoProtect performance was enhanced to skip scanning of deleted files on close. Files will still be scanned if they are opened again prior to cleanup.
 
User-defined exclusions can now be added to 64-bit operating systems
Fix ID: 2026019 & 1895102
Symptom: You add user-defined exclusions on an unmanaged Symantec Endpoint Protection client, but the exclusions are not honored by the client. You are running a 64-bit operating system.
Solution: Windows 64-bit folder redirection was preventing the exclusions from being honored. The file dialog boxes for exclusion creation were modified to handle 64-bit redirected paths correctly.
 
"CCApp is trying to close" dialog no longer appears on shutdown
Fix ID: 2077858
Symptom: Under a high workload while a computer is shutting down, occasionally the dialog box "CCApp is trying to close" appears.
Solution: Code changes to ensure the shutdown signal is correctly received and processed by all application processes that are running.
 
When changing from DST to Standard Time, Scheduled Reports now run at the correct time
Fix ID: 1911213
Symptom: When changing from DST to Standard Time, the time in Scheduled Report is one hour off.
Solution: Resolved by storing the Timezone Name in the DB when configuring the Scheduled Report/Notification. This Timezone Name is used to calculate the correct Timezone offset used to generate the report. The schema was changed for this new column.
 
Added support for MacBinary format files to the Outlook Auto-Protect plug-in
Fix ID: 1871464
Symptom: Some Microsoft Excel attachments cannot be opened in Outlook 2003 SP3.
Solution: Support for MacBinary format files was added to the Outlook Auto-Protect plug-in.
 
Clients are no longer auto-upgraded when their group has no assigned package
Fix ID: 2052034
Symptom: A client is in a group with an upgrade package. Before the upgrade can occur, the client is then moved to a group without an upgrade package. The client is still upgraded.
Solution: The client's package information is flushed when it is moved, so the download thread will not detect and download the update.
 
When File System AutoProtect non-viral threat actions are set to Quarantine/Deny Access, AutoProtect always denies access and never tries to quarantine. If the file is newly created, AutoProtect deleted the file.
Fix ID: 1954266
Symptom: You have configured File System AutoProtect actions to Quarantine/Deny Access on non-viral threats. When a non-viral threat is accessed, AutoProtect denies access and does not attempt to quarantine per your configuration.
Solution: The interaction between the Symantec Endpoint Protection client and File System AutoProtect was modified to better process these types of threats. Specific changes:

  • The UI option "Block security risks from being installed" was removed.
  • New UI options have been added to File System AutoProtect > Advanced settings:
    - "Delete newly created infected files if the action is 'leave alone (log only)'" will get a new sub-option: "Delete newly created security risks if the action is 'leave alone (log only)'". The default state for "Delete newly created security risks if the action is 'leave alone (log only)'" will be checked.
    - If the parent option "Delete newly created infected files if the action is 'leave alone (log only)'" is unchecked, "Delete newly created security risks if the action is 'leave alone (log only)'" will also be unchecked and grayed out.

Client and Manager fixes
 
SMC.exe accessing an application with Network Application Monitoring no longer generates network overhead
Fix ID: 2115750
Symptom: You have configured Symantec Endpoint Protection for Network Application Monitoring, and are running an application from a network share. SMC.exe accesses the application repeatedly which generates unnecessary network traffic.
Solution: The firewall engine was attempting to read information from the network share too often. The code was modified to request the information only once.
 
Ping Flood and Ping of Death are now named correctly in log files
Fix ID: 2030682
Symptom: You experience a "Ping-of-Death" false positive.
Solution: The description of Ping-of-Death was incorrectly set to Jolt 2. The description of Ping Flood was incorrectly set to Ping-of-Death. The descriptions have been corrected.
 
SCANS table SCAN_TYPE and COMMAND_ID fields are now populated correctly for a number of scan types
Fix ID: 2052884
Symptom: You are using a tool to view the SCANS table in the Symantec Endpoint Protection Manager database. In that table, the SCAN_TYPE and COMMAND_ID fields are not populated for some scan types.
Solution: The SCAN_TYPE and COMMAND_ID fields are now populated for scan commands that are issued from the remote console.
 
User domain and host domain changes reported from the client no longer result in a network loss
Fix ID: 2060622
Symptom: The user domain name changes unexpectedly and is reported incorrectly in the Symantec Endpoint Protection Manager console. This may lead to loss of communication between the client and the server.
Solution: The code that collects the DNS domain information was modified to prevent this issue.
 
A missed scan event no longer triggers outside of the configured window for the first scan
Fix ID: 2049664
Symptom: You are installing the Symantec Endpoint Protection client for the first time (not an upgrade). After receiving the policy from the server, an antivirus scan occurs outside the expected scan window.
Solution: On a first-time install, the LastStartTime registry value is not set, which was triggering a scan to run unexpectedly. The scan logic was modified to account for this case so the scan is not considered a missed event.
 
DHCP suffix matching now looks at the active interface and will switch locations
Fix ID: 2077809
Symptom: You have configured your location-based criteria to use a DHCP connection DNS suffix. The client network changes so the rule does not match, yet the client does not switch locations.
Solution: After the computer shuts down and switches to another network interface, the offline interface's DHCP DNS suffix was still being used to choose the location. The client was modified to use the online interface suffix only.
 
 
Network Threat Protection windows appeared when using mixed mode or client mode
Fix ID: 1764415
Symptom: A message appears: "Network Threat Protection: <Application> has changed since the last time you used it." This message appears if you use client mode or mixed mode.
Solution: A new option was added to mixed mode. The Symantec Endpoint Protection Manager administrator can now correctly configure the message settings.
 
Clients no longer take several minutes to switch locations
Fix ID: 2072812
Symptom: When using auto-location, it takes the client a long time (approximately 2 minutes or more) to switch between locations.
Solution: The hardware ID (HWID) calculation was delaying the auto-location switch. The HWID calculation now occurs closer to the start of the heartbeat cycle.
 
Fixed a Primary Key Violation on SEM_CONTENT during Replication
Fix ID: 2109504
Symptom: In the Symantec Endpoint Protection Console, you see the message "Primary Key Violation" during replication.
Solution: A SQL statement was modified to avoid primary key violation.
 
Resolved a system crash (blue screen error) when Symantec Endpoint Protection is installed with the Network Threat Protection feature
Fix ID: 2052946
Symptom: System crash (blue screen error) when Symantec Endpoint Protection is installed with the Network Threat Protection feature.
Solution: A third party NDIS6 driver was not compatible with the Symantec Endpoint Protection Teefer2.sys driver. The driver was modified to prevent the crash.
 
Auto-Upgrade installation no longer initiates on the client when a restart required is flagged from previous installation
Fix ID: 2064479
Symptom: During Auto-Upgrade, the installation package will run when a client has requested a restart.
Solution: The Auto-Upgrade process should not run if the client has a pending restart. The upgrade package will be ignored if there is a pending restart.
 
Saved Outlook attachments on Windows 7 no longer have a temporary file attribute
Fix ID: 2034671
Symptom: Saved Outlook attachments on Windows 7 have a temporary file attribute.
Solution: The temporary attribute was removed for attachments saved from Outlook.
 
Duplicate Serial_Number, Group_ID records were preventing the Policy Serial Number from displaying on the Symantec Endpoint Protection Manager Client > Group Details tab
Fix ID: 2028624
Symptom: The Policy Serial Number does not display on the Client > Group Details tab in the Symantec Endpoint Protection Manager console.
Solution: Duplicate Serial_Number and Group_ID records were preventing the Policy Serial Number from displaying. A primary key was added to avoid duplicate entries in the serial_number table.
 
Edit and Delete of Network Service events are now logged
Fix ID: 2100779
Symptom: Edit and Delete of Network Services in the Symantec Endpoint Protection Manager console are not logged as events.
Solution: Logging of events was added when the administrator edits or deletes a network service.
 
Symantec Endpoint Protection Manager Console refreshes when a client description is updated
Fix ID: 2032910
Symptom: The changed description for a Computer or User is not reflected immediately on the Symantec Endpoint Protection Manager Console.
Solution: A local cache is now updated when changes are made to ensure they immediately appear in the Symantec Endpoint Protection Manager console.
 
Symantec Endpoint Protection will no longer download the same definition file repeatedly when the disk is full
Fix ID: 2171888
Symptom: The Symantec Endpoint Protection client downloads the same content repeatedly when the disk is full.
Solution: The client will now estimate the disk space needed to apply an update before deciding to download the content.
 
Server logs no longer show messages "Not in GZIP format"
Fix ID: 2096442
Symptom: You see the message "Not in GZIP format" when you generate a report or notification.
Solution: The issue occurs when the administrator who originally created the report is locked. Reports and notifications were modified to prevent this message from appearing.
 
LiveUpdate content creation is no longer delayed
Fix ID: 2081458
Symptom: Delta creation of LiveUpdate content takes longer than expected. In addition, external logging of these events may take a long time to display in the Symantec Endpoint Protection Manager console.
Solution: Delta creation was on a shared timer with other Symantec Endpoint Protection Manager tasks. Delta creation was moved into a timer that is separate from the backup, scheduled reporting, and external logging tasks.
 
Resolved a crash (blue screen error) on the Symantec Endpoint Protection client when Network Threat Protection is installed
Fix ID: 2097548
Symptom: The computer crashes (blue screen error) on Windows 7 64-bit running Symantec Endpoint Protection 11.0 RU5 or RU6 with Network Threat Protection installed.
Solution: The teefer2.sys driver was modified to fix an issue unbinding from the miniport.
 
Clients will now download content even with a restart pending after a migration
Fix ID: 2048485
Symptom: Clients migrating from Symantec Sygate Enterprise Protection 5.x to Symantec Endpoint Protection 11.0 do not download content until after a restart.
Solution: A mismatch between old and new versions of the sysplant.sys driver prevented the driver from accepting the new codes. Symantec Endpoint Protection was updated to send the old code if the new code failed.
 
.TMP files no longer fill the AgentInfo directory
Fix ID: 1785223
Symptom: Partial .tmp files are left over in the inbox\agentinfo folder on the Symantec Endpoint Protection Manager server.
Solution: Partial .tmp files were left due to incorrect XML processing while updating .tmp files. XML processing related to .tmp file creation was modified to ensure opstate information from legacy clients is handled properly.
 
Risk distribution over time report now shows all expected data
Fix ID: 1960293
Symptom: Risk events generated after a particular time are not included in the report. For example, assume the local time zone is GMT+10. If a risk event is generated before 10AM, it would not be counted as event of that day.
Solution: Risk events database entries are now translated into local time when grouping by day.
 
Scheduled reports no longer cause Symantec Endpoint Protection Manager to throw "Unexpected parameter value" errors
Fix ID: 2088937
Symptom: When viewing scheduled reports in the Symantec Endpoint Protection Manager console, you see "Unexpected parameter value" errors.
Solution: A SQL statement was modified to prevent the error.
 
Symantec Endpoint Protection firewall notifications are no longer displayed when notifications are disabled
Fix ID: 2038728
Symptom: When switching locations quickly, the application blocking notification will display, even though the notification should be suppressed by policy.
Solution: The location tracking code was modified to correctly suppress the notification.
 
Unmanaged Detector updates the IP Address for previously-detected MAC Address
Fix ID: 2035608
Symptom: Unmanaged Detector fails to update the IP address for previously-detected MAC Address.
Solution: A SQL prepared statement was modified to correctly update the IP address in the database.
 
Symantec Endpoint Protection Manager no longer displays PHP warning messages if display_errors is enabled
Fix ID: 2035626
Symptom: When "display_errors = On" is set in the php.ini for the Symantec Endpoint Protection Manager, the following messages may appear in the remote console:
"Warning: date() [function.date]: It is not safe to rely on the system's time zone settings"
"PHP Deprecated: Function session_is_registered() is deprecated..."
Solution: The message "It is not safe to rely on the system's time zone settings" may be resolved by adding both "display_error=on" and "date_timezone=<timezone>" (e.g. "date_timezone=America/Chicago") in the php.ini file.
The message "Deprecated: Function session_is_registered() is deprecated" is resolved with better session handling in Symantec Endpoint Protection Manager. No user action is required.
 
Sorting Antivirus policies by date now displays correctly
Fix ID: 2052537
Symptom: In the Symantec Endpoint Protection Manager remote console, when sorting the AV Policies History by Event Time, the sort order is incorrect.
Solution: Symantec Endpoint Protection Manager was modified to better handle exceptions in order to properly sort the policies.
 
LiveUpdate "Low Disk Space Warning" now runs Windows Cleanup correctly
Fix ID: 1877483
Symptom: If you are low on disk space, running LiveUpdate prompts you to run Windows Cleanup. Windows Cleanup fails to start if the user chooses to open this application.
Solution: The environment block of LUALL.EXE was modified to allow Windows Cleanup to run.
 
Scan and Deliver now submits threat samples correctly to gateways.dis.symantec.com
Fix ID: 2047967
Symptom: You have a .txt file in your quarantine that you want to submit to Symantec Response. Scan and Deliver fails to submit the threat sample to Symantec.
Solution: A date-processing issue when handling the samples was corrected to allow the submission to complete.
 
Default User folder on a Citrix server can now be renamed when SMC.exe is running
Fix ID: 1833529
Symptom: You are running Symantec Endpoint Protection 11.0 on a Citrix server, and the SMC.exe process is running. You want to rename the Default User folder but cannot because it is locked by the SMC process.
Solution: The SMC.exe process user profile directory can now be configured via a registry key.
HKLM\Software\Symantec\Symantec Endpoint Protection\SMC\UserProfileOverride
(REG_EXPAND_SZ)
Its value is the desired user profile directory path. This path may contain environment variables and DBCS chars.
 
Client activity log now identifies the GUP used by the client
Fix ID: 2028334 & 2103398
Symptom: In the client activity log, you wish to see which GUP the client connects to. There is no log message providing this information. Previous releases of Symantec Endpoint Protection 11.0 contained this message.
Solution: The following log message was re-introduced:
"Start using Group Update Provider (proxy server) @ <hostname>:2967"
 
Policies are now always applied to Symantec Endpoint Protection 11.0 client
Fix ID: 2047203
Symptom: You want to apply a policy to your Symantec Endpoint Protection 11.0 client. The policy is never applied.
Solution: A COM interface ID was modified to prevent a compatibility issue with some versions of msxml2.dll.
 
The "Total" row is reintroduced to a number of reports
Fix ID: 2074989
Symptom: The "Total" row was removed from a number of reports in Symantec Endpoint Protection 11.0 RU6.
Solution: The HTML legend and total row were re-introduced in the following reports:
App and Device Control > Top Groups With Most Alerted Application Control
Network Threat Protection > Top Traffic Notifications by Group
Network Threat Protection > Security Events by Severity
Computer Status > Symantec Endpoint Protection Product Versions
Computer Status > Compliance Status Distribution
Computer Status > Client Online Status
Computer Status > Client Inventory
System > Top Clients That Generate Errors and Warnings
Application and Device Control > Top Devices Blocked
Application and Device Control > Top Targets Blocked
 
Clients remain online after a database restore prior to establishing any communications between clients and Symantec Endpoint Protection Manager
Fix ID: 1855354
Symptom: You have performed a database restore, and communication between clients and Symantec Endpoint Protection Manager has not yet been reestablished. In the remote console the clients show as connected (green dot).
Solution: The online status for clients is reset to "not connected" during a database restore.
 
Daily scheduled scans now run once per day only
Fix ID: 2047179
Symptom: A scan is configured to run once per day. The scan inadvertently runs two or more times per day.
Solution: Some computers automatically adjust the clock backwards to re-synchronize with a time server. In some cases this may cause the scheduled scan to run more than once per scheduled time. The scan logic was modified to detect and correct for this condition.
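
The two scan-scheduling fixes in this section (Fix ID 2049664, where LastStartTime is not set on a first-time install, and Fix ID 2047179, where the clock is adjusted backwards) can be replayed with a small model. This is an added illustration, not Symantec's code: the 12:00 schedule, the class, the `last_slot` state and the timeline are assumptions; only LastStartTime comes from the article.

```python
from datetime import date, datetime, time, timedelta

SCAN_AT = time(12, 0)        # assumed policy: one scan per day at 12:00
DAY = timedelta(days=1)


def prev_slot(now):
    """Most recent scheduled start at or before `now`."""
    s = datetime.combine(now.date(), SCAN_AT)
    return s if s <= now else s - DAY


def next_slot(now):
    """First scheduled start strictly after `now`."""
    s = datetime.combine(now.date(), SCAN_AT)
    return s if s > now else s + DAY


class ScanScheduler:
    """hardened=False models the reported behaviour, True the corrected one."""

    def __init__(self, hardened, last_start_time=None):
        self.hardened = hardened
        self.last_start_time = last_start_time  # models the LastStartTime value
        self.last_slot = None    # hypothetical extra state: slot already served
        self.next_run = None
        self.runs = []           # (wall-clock time, reason) for every scan start

    def _run(self, now, reason, slot):
        self.runs.append((now, reason))
        self.last_start_time = now
        self.last_slot = slot

    def arm(self, now):
        """Pick the next start time from the current wall clock."""
        nxt = next_slot(now)
        if self.hardened and self.last_slot is not None:
            # A slot that was already served is never armed again, even if
            # the wall clock now reads earlier than that slot.
            while nxt <= self.last_slot:
                nxt += DAY
        self.next_run = nxt

    def on_policy(self, now):
        """Policy with the schedule arrives: check for a missed scan."""
        due = prev_slot(now)
        if self.last_start_time is None:
            if self.hardened:
                # First install: nothing can have been missed. Record a
                # baseline instead of starting a scan outside the window.
                self.last_slot = due
            else:
                self._run(now, "missed", due)   # unset value read as "never ran"
        elif self.last_start_time < due:
            self._run(now, "missed", due)       # genuine missed scan
        self.arm(now)

    def on_time_change(self, now):
        """The system clock was adjusted (for example by a time sync)."""
        self.arm(now)

    def tick(self, now):
        if self.next_run is not None and now >= self.next_run:
            self._run(now, "scheduled", self.next_run)
            self.arm(now)


def replay(hardened):
    """Constructed timeline: fresh install, then a 20-second backwards step."""
    d = date(2010, 6, 1)                                       # constructed date
    s = ScanScheduler(hardened)                                # LastStartTime unset
    s.on_policy(datetime.combine(d, time(9, 30)))              # policy at 09:30
    s.tick(datetime.combine(d, time(12, 0)))                   # slot reached
    s.on_time_change(datetime.combine(d, time(11, 59, 40)))    # clock steps back
    s.tick(datetime.combine(d, time(12, 0)))                   # 12:00 seen again
    return s.runs


if __name__ == "__main__":
    for mode in (False, True):
        print("hardened" if mode else "naive", replay(mode))
```

Keying the decision on the schedule slot that was served, rather than on the wall-clock reading alone, is what keeps the hardened run to a single scan while still letting a genuinely missed scan fire for an existing install.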
 
Resolved an error indicating COH32.exe has crashed
Fix ID: 2107090
Symptom: Symantec Endpoint Protection clients receive a SONAR error indicating that Symantec Endpoint Protection needs to close. coh32.exe is listed as the faulting application.
Solution: Named pipe communication in COH was enhanced to prevent this crash.
 
Client status on the Symantec Endpoint Protection Manager home page now matches logs and reports
Fix ID: 1925448
Symptom: Home > Status Summary and Monitors > Logs > Computer Status reports do not show the same number of clients.
Solution: SQL queries for the affected reports were modified to display the correct number of clients.
 
Source IP address is now correctly displayed in Monitors > Logs > Risks
Fix ID: 1966483
Symptom: The risk monitor logs show a source IP address of "0.0.0.0".
Solution: The Symantec Endpoint Protection Manager server was modified to display a blank if the IP doesn't exist, instead of 0.0.0.0. The client was updated to ensure the source computer IP is correctly transferred to the server.
 
Content delivery via GUP is successful if HTTPS is used for client-server communication
Fix ID: 1829698
Symptom: You configure the HTTPS protocol for client-server communication, and you have GUP configured. GUP fails to deliver the content to the clients.
Solution: GUP over HTTPS was not supported until this release. This release adds HTTPS support to GUP via the WinHTTP Microsoft API.
 
Symantec Endpoint Protection now sets correct PathBackup values in RasMan\PPP\EAP Keys
Fix ID: 2054817
Symptom: On a 64-bit computer, you perform an upgrade of Symantec Endpoint Protection 11.0. After the upgrade, the RasMan\PPP\EAP Keys have replaced "SysWOW64" with "System32".
Solution: The Symantec Endpoint Protection 11.0 upgrade was accessing an incorrect registry key to determine the path to rastls.dll on 64-bit computers. The upgrade was modified to use the correct registry location.
 
Unnecessary DNS requests from Symantec Endpoint Protection clients are no longer generated
Fix ID: 2086881
Symptom: Higher than necessary network traffic as Symantec Endpoint Protection clients send unnecessary DNS requests. This happens if duplicate DNS server entries are listed in the client profile.
Solution: Check for duplicate DNS name entries in profiles, to eliminate unnecessary requests.
 
Resolved memory leak during start up
Fix ID: 2107165
Symptom: On start up, approximately 800Kb of memory is allocated for the IPS engine and is not released.
Solution: Free this non-paged memory immediately after the IPS engine loads.
 
Scheduled scans run at the wrong time on Vista or later operating systems when users are logged off
Fix ID: 2047067
Symptom: Scheduled scans run at logon instead of at the scheduled time on Vista or later operating systems.
Solution: Code changes to ensure the scheduled scan is executed in scenarios where the user is logged off, or where a Windows scheduled task is running at the scheduled time. This applies to Windows Vista or later operating systems.
 
Application name missing from exported Network Threat Protection Attacks logs
Fix ID: 2067063
Symptom: Application name is missing from exported Network Threat Protection Attacks logs.
Solution: Added the APP_NAME column when exporting the Network Threat Protection Attacks Logs.
 
Updated scan exclusion lists on 64-bit operating systems
Fix ID: 2000574
Symptom: DHCP files, DNS files and WINS files are not added into the scan exclusion list automatically on 64-bit operating systems.
Solution: Add DHCP, DNS and WINS files into the 64-bit scan exclusion list automatically.
 
RunOnce reg key added for the Teefer2 driver during installation
Fix ID: 2043246
Symptom: When the RunOnce key is not present during an installation, the Teefer2 driver may not be installed correctly.
Solution: HKLM\Software\Microsoft\CurrentVersion\RunOnce key is created during installation of the Teefer2 driver, if it is not already present.
 
Symantec Endpoint Protection 11.0 Client and Quarantine Server now communicate correctly on a specified port
Fix ID: 2114451 & 2100542
Symptom: Symantec Endpoint Protection 11.0 client and Quarantine Server send and receive data on an unexpected port when configured to use a specific port.
Solution: Code changes to allow the Symantec Endpoint Protection 11.0 client and Quarantine Server to listen on specified ports by adding several registry keys:
32-bit platform - Quarantine Server:
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Quarantine\SendToUIPort
32-bit platform - Symantec Endpoint Protection 11.0 client:
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Quarantine\Server\ListenToUIPort
64-bit platform - Quarantine Server:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Quarantine\SendToUIPort
64-bit platform - Symantec Endpoint Protection 11.0 client:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Quarantine\Server\ListenToUIPort
All clients and Quarantine Servers must have one of the above keys to ensure they all communicate on the same port.
 
32-bit clients no longer download 64-bit definitions
Fix ID: 2084734
Symptom: 32-bit Symantec Endpoint Protection clients download 64-bit AntiVirus definitions.
Solution: Code changes to ensure the correct definitions are downloaded for the client.
 
Network Threat Protection no longer causes applications to crash with an image base address of 0x10000000
Fix ID: 1915141
Symptom: Occasional application crashes with Network Threat Protection enabled.
Solution: Code changes to Network Threat Protection to obtain the image base address dynamically rather than assigning a static address.
 
Network Threat Protection no longer causes applications to hang
Fix ID: 2030478
Symptom: Occasional system hangs with Network Threat Protection enabled.
Solution: Code changes made to prevent the hang from occurring.
 
System crash (blue screen error) no longer occurs when Application and Device control is enabled
Fix ID: 2142085
Symptom: System crash (blue screen error) when Application and Device control is enabled.
Solution: Code changes made to no longer block access to the system volume.
 
Computer status report now shows correct totals
Fix ID: 2083627
Symptom: Symantec Endpoint Protection Manager Computer Status report (Protection Content versions) shows incorrect client totals for "Commercial Application List Versions" and "Permitted Applications List Versions".
Solution: Modified the SQL for the Protection Content Versions report to exclude the old content revisions from the database.
 
Resolved conflicts between FileSystem AutoProtect and the Windows indexing service
Fix ID: 1717040
Symptom: Domain controller hangs with Symantec Endpoint Protection 11.0 installed and FileSystem AutoProtect enabled.
Solution: Oplocks are now monitored when the AutoProtect driver is not running, preventing conflicts with the Windows indexing system.
 
Corrected the FileSystem AutoProtect exclusions for network drives
Fix ID: 2029493
Symptom: FileSystem AutoProtect exclusions do not take effect properly on shared drives. Detections that should have been excluded are detected via a UNC path or from browsing Windows Networking.
Solution: AutoProtect was modified to correctly handle exclusions on network drives.
 
Changes to GUP behavior to preserve shared content after the GUP is restarted
Fix ID: 2061670
Symptom: All content in folder SharedUpdates on a GUP is purged if a download is in progress and the machine is restarted or SMC is restarted.
Solution: Code changes made to preserve downloaded content after a GUP is restarted while a download is in progress.
 
Corrected the port number displayed in Symantec Endpoint Protection Manager for use of log forwarding
Fix ID: 2060618
Symptom: Symantec Endpoint Protection Manager's log forwarding allows TCP port 514 to be entered, but displays the default port value of 1468.
Solution: Corrected the display in Symantec Endpoint Protection Manager to show the correct port instead of the default port.
 
Added logging of client mode changes
Fix ID: 2100770
Symptom: When switching clients from Computer mode to User mode (and vice-versa), the event is not logged.
Solution: Added logging of events when an administrator switches the mode of clients.
 
Scheduled replication will now run correctly following a database restart
Fix ID: 2020597
Symptom: Scheduled replication will not run after restarting the database.
Solution: Code changes to ensure that replication will start again following a database restart.
 
 
Correct memory usage reported in the Site Status report
Fix ID: 2040220
Symptom: Memory usage reported in the Site Status report is different from the memory usage shown in Windows Task Manager in virtual environments.
Solution: Display both the memory usage shown in Task Manager and the total memory used. When a user hovers over each number, the data is shown with a tooltip.
 
Corrected site reporting status in the Site Status report
Fix ID: 2063758
Symptom: The Monitors > Summary tab incorrectly shows a site as "good" when one of the servers is offline.
Solution: Code changes to the algorithm for determining if a server is offline. The same logic changes apply when calculating the Health Status of a site in the Site Status Report.
 
Clients can now be sorted correctly by free memory and disk space available
Fix ID: 2083346
Symptom: When sorting clients by Free Memory, Free Disk Space and Total Disk Space, clients are not sorted correctly.
Solution: Modifications made to string handling to return numeric values, correcting the sorting algorithm.
 
Dial-up modem rules are now skipped if no dial-up modem is present
Fix ID: 2069798
Symptom: A firewall rule that blocks traffic for dial-up modems will be triggered even if the computer does not have a dial-up modem.
Solution: Code changes to correctly skip dial-up related rules if there is no dial-up connection.
 
Export of "Packet" logs from Symantec Endpoint Protection Manager now contains an "Action" field
Fix ID: 2003486
Symptom: Exports of "Packet" logs from Symantec Endpoint Protection Manager are missing the "Action" field.
Solution: Code changes made to export the "Action" field in "Packet" log exports.
 
Host Compliance Logs and Compliance Report on Symantec Endpoint Protection Manager now show all data shown in the logs from the client
Fix ID: 1968807
Symptom: Host Compliance Logs and Compliance Report on Symantec Endpoint Protection Manager are different from the logs uploaded from the client.
Solution: Code changes made to correct the separators used in the log files which were preventing all data from being processed.
 
Computers Not Scanned report no longer contains duplicate entries
Fix ID: 1993921
Symptom: Clients are mistakenly shown multiple times in the "Computers Not Scanned" report.
Solution: SQL query was modified to report on clients based on the scan completed times, rather than scan started.
 
Firewall Policy rule changes are now displayed correctly
Fix ID: 2019390
Symptom: When a Firewall policy rule changes due to location change, the rule change is not shown on the client UI (View Network Activity page).
Solution: Changes to the client UI code to ensure the dialog box is closed and the rule change is displayed correctly.
 
English text shown in German localized version
Fix ID: 2096003
Symptom: English text appears in German Symantec Endpoint Protection Manager remote console.
Solution: The text was correctly localized.
 
Changes to prevent a crash with BugCheck F7
Fix ID: 2065490
Symptom: Microsoft Vista computers running Symantec Endpoint Protection 11.0 crash with BugCheck F7.
Solution: The AutoProtect kernel driver was modified to prevent a stack overflow condition.
 
Quarantine Server now shows the correct version number
Fix ID: 2098739
Symptom: Incorrect version number showing for the Quarantine Server within "Add or Remove Programs" control panel and "About Symantec Central Quarantine" dialog.
Solution: Updated the .ism and .rc files to show the correct product version number within the "Add or Remove Programs" control panel and "About Symantec Central Quarantine" dialog.
 
Resolved situation where clients do not download content until a user logs in
Fix ID: 1978998
Symptom: In some cases, clients in computer mode that are configured to pull content from Symantec Endpoint Protection Manager will fail to get content if no user is logged in.
Solution: Code changes to ensure the computer description is valid when comparing database entries to Active Directory entries.
 
Resolved issue where client updates are reported as "In Progress" instead of "Completed"
Fix ID: 2035728
Symptom: After an Update Content command is issued, some clients report as In Progress instead of Completed in the status field.
Solution: Code change to correctly reset the uploaded flag for the command after the client update has completed successfully.
 
Changes to correct client search functionality
Fix ID: 2034712
Symptom: Client Search function returns incorrect results if the search involves more than 200 groups.
Solution: Code changes to fix the SQL commands used to query and group clients.
 
Restored ClientRemote option to select concurrent client deployments
Fix ID: 2071053
Symptom: The Deployment Number option is missing when using the client Migration & Deployment Wizard.
Solution: Code changes to the client remote tool to restore the Deployment Number option and folder page in the ClientRemote tool.
 
Corrected the labeling of security risks in the Symantec Endpoint Protection Manager Risk log when a threat is detected in a compressed file
Fix ID: 1928203 & 2086588
Symptom: When the Symantec Endpoint Protection client detects a security risk in a compressed file, the Risk log in Symantec Endpoint Protection Manager console displays it as "Virus found" instead of "Security risk found".
Solution: Show the alert record for a zip file as "Compressed File" instead of "Virus Found" to match the client side behavior.
 
Corrections to pie charts shown in Risk Reports
Fix ID: 2055022
Symptom: Risk Report pie charts are displayed incorrectly with duplicate colors appearing and inaccurate percentages shown on the chart.
Solution: Multiple code changes to correct the pie chart display.
 
Changes made to limit the size of the GUP list
Fix ID: 2120293
Symptom: When the GUP list contains thousands of items, there may be performance problems resulting in delayed content updates and higher than normal bandwidth usage.
Solution: Code changes to limit the size of the GUP list to 1Gb.
 
Cleanwipe 4.2 now removes SCS 3.1 Quarantine and SCFPolcy folder
Fix ID: 1827639
Symptom: When running in silent mode, Cleanwipe 4.2 does not remove the SCS 3.1 Quarantine or SCFPolcy folders.
Solution: Code changes to delete these folders when running in silent mode. When not run in silent mode, the MSI uninstaller will display a dialog allowing the user to choose to delete these folders.
 
Resolved LiveUpdate error preventing content from being downloaded
Fix ID: 2006319
Symptom: "<LUThreadProc>@@@@@@@@@ LU DEBUG ONLY- Download file failed due to wrong file size" error message appears in the sylink log and LU content is not downloaded by clients.
Solution: Code changes to resolve the edge-case scenario where the error message occurs and the content is not downloaded correctly.
 
Resolved issue where GUP accepts a client connection but does not deliver content
Fix ID: 2094762
Symptom: With multiple clients requesting the same content file from a GUP, in some cases a client will not receive the content if a previous attempt to download the same content failed. Restarting the GUP's smc service resolves the issue.
Solution: GUP code changes to improve error handling of content distribution logic.
 
Resolved issue where clients are unable to download content deltas when Symantec Endpoint Protection Manager load balancing is used
Fix ID: 2049824
Symptom: In multi-Symantec Endpoint Protection Manager environments where load balancing is used and clients are managed by GUPs, situations can occur where clients do not receive content. In these scenarios, clients contact one Symantec Endpoint Protection Manager to generate a content delta, but the GUP contacts a different Symantec Endpoint Protection Manager. The delta does not exist on the Symantec Endpoint Protection Manager contacted by the GUP, and nothing is downloaded.
Solution: Code changes to allow the GUP to contact multiple Symantec Endpoint Protection Managers if the requested content delta is not available.
 
Log files now respect the log limit values set in Symantec Endpoint Protection Manager
Fix ID: 2007845
Symptom: When a log file is being read by an external application, if Symantec Endpoint Protection Manager is attempting to delete the file, additional log entries are made to the log file.
Solution: Code changes made to allow for synchronization between Symantec Endpoint Protection Manager and external log reading applications. Symantec Endpoint Protection Manager will retry 30 times with an interval of 1 second if the log file is locked by another application. The settings are configurable in the conf.properties file. The following are the two settings that can be configured: scm.externallog.retrycount=30 and scm.externallog.retryinterval=1000
 
Resolved a system crash (blue screen error) caused by Wpsdrvnt.sys
Fix ID: 2051421
Symptom: Crash (blue screen error) caused by Wpsdrvnt.sys with BugCheck 50.
Solution: The wpsdrvnt.sys driver was modified to prevent a memory condition leading to a crash.
 
Resolved an issue causing network connectivity issues with Network Threat Protection enabled
Fix ID: 2085484
Symptom: A computer running Java applications with Network Threat Protection installed experiences network connectivity problems.
Solution: Code changes made to the teefer2.sys driver to avoid this issue.
 
Resolved an issue where Internet Explorer 9 Beta prevents clients from downloading content from Symantec Endpoint Protection Manager
Fix ID: 2167737
Symptom: After installing Internet Explorer 9 Beta, the Symantec Endpoint Protection client is no longer able to download content from Symantec Endpoint Protection Manager.
Solution: Code changes to support API changes made by Microsoft in Internet Explorer 9 Beta.
 
Fixed an issue where a full scan runs instead of an active scan
Fix ID: 1991159
Symptom: When startup scans are configured to run on managed clients, a full scan is run instead of an active scan if the user logs off before the active scan finishes.
Solution: Code changes to correct the issue. When a startup scan is configured for a managed client, an active scan runs correctly.
 
Scheduled scans now run on Windows Server 2008 after a user has logged off
Fix ID: 2047880
Symptom: Scheduled scans do not start as scheduled when a user logs off of Windows Server 2008.
Solution: Code changes to resolve the issue.
 
Resolved a scenario where clients download a full.zip instead of a delta file
Fix ID: 2145102
Symptom: After a client is restarted, a full.zip file is downloaded instead of a delta file if a previous download attempt has failed.
Solution: Code changes to ensure the delta file can be downloaded after a previous failed attempt to download.
 
Resolved a scenario where clients download an unnecessary full.zip file
Fix ID: 2158533
Symptom: When download randomization is turned on, a full.zip file is downloaded unnecessarily after a client starts up.
Solution: Code changes to address the issue, preventing an unnecessary additional download.
 
Network Threat Protection now passes UDP traffic correctly on port 39999
Fix ID: 2079287
Symptom: Network Threat Protection on 64-bit operating systems does not pass UDP traffic on port 39999 correctly.
Solution: The SNAC64.exe process was interfering with traffic on this port. Symantec Endpoint Protection was modified to prevent this interference.
 
Corrected the time shown for "End Datetime" in exported scan logs from Symantec Endpoint Protection Manager
Fix ID: 2066917
Symptom: The time shown for "End Datetime" in Scan logs exported from Symantec Endpoint Protection Manager always contains the local time equivalent of GMT 00:00.
Solution: Code changes to prevent the scan end time from being truncated.
 
File access times are now correctly preserved when using Hierarchical Storage Management
Fix ID: 2028790
Symptom: In a Hierarchical Storage Management (HSM) environment, the NoFileMod registry setting is not correctly preserving file access times.
Solution: The Common Client and Decomposer components were modified to honor the NoFileMod registry setting to prevent USN journal updates.
 
Resolved a UDP flood attack false positive
Fix ID: 2058022
Symptom: After upgrading to Symantec Endpoint Protection 11.0 RU6, the client detects a UDP flood attack.
Solution: The UDP flood detection thresholds were modified to reduce the occurrence of false positive flood attacks.
 
Removed unnecessary logon prompt when creating a report filter
Fix ID: 2112270
Symptom: In the Symantec Endpoint Manager Web interface the administrator is prompted to log on again when creating a report filter.
Solution: A p3p header was added to some .php files to avoid lost sessions using the Web interface.
 
Log entries for 'DBData_Event_Type_x0' are now handled correctly
Fix ID: 1987624
Symptom: After applying a GUP Policy, the user will see 'DBData_Event_Type_x0' entries in the client-server activity logs.
Solution: Unique Event IDs and descriptions were defined for two client request types. These requests for updated GUP lists did not previously have descriptions, causing unknown events to be written in the log files.
 
Resolved issue where replication fails due to insufficient available memory
Fix ID: 2057061
Symptom: Failed replication between SQL and embedded database with error "OutOfMemoryError: GC overhead limit exceeded".
Solution: Code changes to ensure adequate memory is available before table data is retrieved.
 
Auto-Location Switching on Windows 7 now works correctly with Juniper VPN
Fix ID: 2023564
Symptom: Auto-Location is not effective for Juniper SSL VPN configurations on 64-bit platforms.
Solution: Check the correct registry settings on 64-bit platforms.
 
Changes to reduce unwanted AutoProtect detections while the client loads a policy
Fix ID: 1978553
Symptom: Known Security Risk Exclusion is not always honored when the client policy is being loaded, resulting in unwanted AutoProtect detections.
Solution: Code changes to ensure the policy is loaded correctly before scanning, reducing the chance of these unwanted detections.
 
Resolved compatibility issue with Parallels Virtuozzo Containers (PVC) application
Fix ID: 2015424
Symptom: Parallels Virtuozzo Containers (PVC) installation hangs while Symantec Endpoint Protection is running.
Solution: Code changes to handle the null pointer received during stack tracing.
 
Improved the console responsiveness when viewing the Admin > Servers page
Fix ID: 2072316
Symptom: The Symantec Endpoint Protection Manager console is slow in the Admin > Servers page.
Solution: Code changes to optimize the query on server side which is returning the client log data.
 
Symantec Network Access Control and Enforcer changes
 
Symantec Network Access Control process crashes with application event log, "Faulting application SNAC.EXE, version 11.0.5002.267, faulting module ntdll.dll, version 5.1.2600.3520, fault address 0x0001ab0a."
Fix ID: 2160041
Symptom: In a DHCP or Gateway Enforcer environment, the Symantec Network Access Control process crashes if WGX is not initialized.
Solution: SNAC.exe modified to gracefully handle instances where WGX is not available.
 
LAN Enforcer kernel panic
Fix ID: 2145482
Symptom: LAN Enforcer kernel panic caused by guest user authentication with EAP-TLS.
Solution: Code changes made to prevent kernel panic.
 
Clients are not authenticated when Symantec Endpoint Protection Manager was slow to respond with UID_UNKNOWN or UID_INVALID
Fix ID: 2102800
Symptom: Clients are not authenticated correctly when the Symantec Endpoint Protection Manager response is delayed longer than the response timeout after the RADIUS response, or if Symantec Endpoint Protection Manager is down.
Solution: Added a configurable Symantec Endpoint Protection Manager response timeout to LAN Enforcer (sepm_resp_timeout under /proc/sys/sygate_enforcer/conf/advanced).
 
Symantec Endpoint Protection Manager Home page displays On-Demand as “Not Reporting Status”
Fix ID: 2021748
Symptom: Symantec Endpoint Protection Manager Home page shows On-Demand agent status as offline when they are not.
Solution: On-Demand agents do not send status information to Symantec Endpoint Protection Manager, so they are now excluded from the report.
 
On-Demand agent Cclientctl.exe using 100% CPU
Fix ID: 2140535
Symptom: In certain scenarios, the On-Demand client process, Cclientctl.exe, will consume 100% of the CPU.
Solution: Cclientctl.exe was modified to prevent high CPU utilization.
 
Clients cannot authenticate when using Windows Server 2008 as Radius Server
Fix ID: 1979897
Symptom: RADIUS authentication always returns reject, EAP fail, when Windows Server 2008 is used as a Radius Server.
Solution: Added support for Windows Server 2008 as a Radius Server.
 
Unexpected EAP response when Radius Server is unavailable or unresponsive
Fix ID: 2131753
Symptom: LAN Enforcer returns EAP failed, instead of unavailable, when Radius Server is unavailable or unresponsive.
Solution: Added CLI command "no-radius-rsp eap-failed | eap-unavailable | no-action" to configure the action when Radius does not respond.

 

Release Update 6 Maintenance Patch 1 (RU6 MP1)

What's new in this version
Symantec Endpoint Protection RU6 MP1 (11.0.6100) provides fixes since the release of RU6 and RU6a. This maintenance patch cannot be installed over any versions of Symantec Endpoint Protection or Symantec Endpoint Protection Manager prior to RU6. It must be installed over RU6 or RU6a.
 
Note
If you are using Symantec Endpoint Protection Manager 11.0 RU6 and plan to leverage the Auto-Upgrade feature in the console to upgrade to a new client build, read the following Knowledge Base article on importing client packages: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2010081217202548
 
Behavior and user interface changes
 
Quarantine shows date added to quarantine rather than date of the file
Fix ID: 1810671
Symptom: Quarantine shows the date added to Quarantine, rather than date of the file.
Solution: A new column was added to the Quarantine view to display the date of the file.
 
The display behavior for the number of clients changed in Symantec Endpoint Protection 11 RU5
Fix ID: 1862215
Symptom: The Symantec Endpoint Protection Manager console is only able to display 1000 clients.
Solution: The console now displays up to 5000 clients.
 
Risk event compression causes duplicate entries in Symantec Endpoint Protection Manager external logging
Fix ID: 1917948
Symptom: Compressed alert logs are sent out again following 'Summarized data'.
Solution: Compressed alert logs are filtered. Only the summary alert will be sent out.
 
Notification emails from RU5 Manager on Windows 2008 contain an unexpected character
Fix ID: 1919303
Symptom: The email address contains an additional "$" character.
Solution: The default address is now SPC_Server@<domain> if the email address is not configured. Otherwise, it will use the email address specified.
 
Clients with more than one IP address show up in search clients result when they should not
Fix ID: 1919650
Symptom: When using special conditions like IP address "<>", ">=" or "<=", clients with more than one IP address show up in search client result when they should not.
Solution: The console was updated to correctly display clients with multiple IP addresses.
 
Cannot set scan type "console" as notification condition
Fix ID: 1920126
Symptom: Cannot set scan type "console" as notification condition.
Solution: "Console" and "System" are not valid scan types, and were removed from the Scan Type dropdown menu.
 
Unable to run reports on group names that contain SQL reserved keywords like UPDATE, INSERT and SELECT
Fix ID: 1939212
Symptom: Unable to run reports on Symantec Endpoint Protection Manager group names that contain SQL reserved keywords like UPDATE, INSERT and SELECT.
Solution: Updated Manager to allow reporting on group names that contain SQL reserved keywords.
 
Client status shows out of date definitions after disabling the warning in Symantec Endpoint Protection Manager
Fix ID: 1939776
Symptom: Symantec Endpoint Protection client status shows out of date definitions after disabling the warning in Symantec Endpoint Protection Manager.
Solution: The client status showing that definitions are outdated, or that the client is running without definitions, is by design. The user interface was updated so that administrators can configure a checkbox (to enable notification) for when definitions are outdated by X number of days, or when Symantec Endpoint Protection is running without definitions.
 
Symantec Endpoint Protection Manager report drop-down menus disappear unexpectedly and intermittently
Fix ID: 1952244
Symptom: Symantec Endpoint Protection Manager report drop-down menus disappear unexpectedly and intermittently.
Solution: The report was updated to display the drop-down menus correctly.
 
Unable to uncheck "Check floppies for boot viruses when accessed"
Fix ID: 1952358
Symptom: Upon unchecking "Check floppies for boot viruses when accessed" in Symantec Endpoint Protection Manager, and saving the change, the checkbox is checked again after reopening the policy.
Solution: Symantec Endpoint Protection Manager was updated to resolve the logic behind the checkbox.
 
Full Scan does not scan mapped network drives
Fix ID: 2009958
Symptom: Symantec Endpoint Protection only scans drives that are physically connected to a computer.
Solution: The behavior is as designed. The interface was updated and the option "A password may be required to scan a network drive" from the "What to scan" tab was removed from a Full Scan.
 
Windows Firewall is always disabled by SMC service
Fix ID: 1992008
Symptom: The Windows Firewall is disabled even though a policy is in place that dictates it to be enabled.
Solution: If Symantec Endpoint Protection Firewall is disabled in a location, the Windows Firewall will be turned on. If Symantec Endpoint Protection Firewall is enabled in a location, the Windows Firewall will be turned off.
 
 
Client and manager fixes
 
Exported scan logs show incorrect status information
Fix ID: 1098879
Symptom: Exported scan logs show incorrect status information.
Solution: The Symantec Endpoint Protection client was updated so the status column is properly exported.
 
Incorrect translation for Previous and Next buttons in Chinese Simplified
Fix ID: 1137601
Symptom: Incorrect translation for Previous and Next buttons in Chinese Simplified.
Solution: Symantec Endpoint Protection Manager was updated to accommodate correct translation.
 
Moving firewall rules up or down in Symantec Endpoint Protection Manager via right-click on the rule name leads to warning that rule name is already in use
Fix ID: 1509921
Symptom: The message "Rule name is already used" appears when moving firewall rules up and down in Symantec Endpoint Protection Manager.
Solution: A check was added to ensure that the rule name cell comes out of edit mode before a popup is shown.
 
Location Awareness fails to recognize wireless connection at 130Mbit speed
Fix ID: 1519915
Symptom: When network speed is a criterion for location switching, the location does not switch correctly if the speed is 130Mbit.
Solution: The client was modified to enhance the way wireless interfaces are enumerated.
 
AntiVirus events that trigger a Firewall auto-block have no description
Fix ID: 1534459
Symptom: AntiVirus events that trigger a Firewall auto-block have no description.
Solution: A default description "Auto-Block event" was added to Firewall auto-block events.
 
A large number of .tmp files builds up in the XFER folder
Fix ID: 1675729
Symptom: Many files build up in the XFER folder on a Symantec Endpoint Protection client.
Solution: The Symantec Endpoint Protection client was modified to enhance extraction and clean up of XFER files.
 
Weekly scheduled scan is partially migrated when migrating Symantec AntiVirus to Symantec Endpoint Protection using the "Migration and Deployment wizard"
Fix ID: 1763113
Symptom: After a migration from Symantec AntiVirus to Symantec Endpoint Protection, the Security Risks Action pane is not shown for the scheduled scan, file system Auto-Protect, Outlook or Lotus Notes Auto-Protect.
Solution: A security risks action default configuration template is used when no action is configured for either Weekly scheduled scan, file-system Auto-Protect, email, Outlook or Lotus Notes Auto-Protect.
 
Virus definitions revert to older date/revision
Fix ID: 1826779
Symptom: Virus definitions may unexpectedly revert to an older date/revision due to invalid entries in the usage.dat file.
Solution: The Symantec Endpoint Protection client was modified to prevent invalid entries in the usage.dat file.
 
Centralized Exception for "Bloodhound.ExcelMacro" does not prevent detections
Fix ID: 1876577
Symptom: Bloodhound.ExcelMacro can be selected from a known list within the Exception Policy.
Solution: All risks of type 0 through 3, including Bloodhound.ExcelMacro, are now excluded from the known list.
 
Error "The Extend WG Protocol Driver service failed to start due to the following error:" is displayed in event viewer
Fix ID: 1887681
Symptom: After migrating SPA 5.1 to Symantec Endpoint Protection, you see the following error in the event viewer after a restart of the operating system: "The Extend WG Protocol Driver service failed to start due to the following error: The system cannot find the file specified."
Solution: The Symantec Endpoint Protection client installer was updated to resolve the error message.
 
Multiple event reinsertions to Symantec Endpoint Protection Manager database
Fix ID: 1907365
Symptom: A client may forward the same local events (scans, virus detections, definition updates, etc.) to the Symantec Endpoint Protection Manager server again, resulting in two or more copies of the same event in the database. These events have the exact same date/time as the original events, but because they are forwarded at a different time, the Database Insert timestamp is different. These duplicate events skew the presentation of logs and reports in the Console, and may cause unnecessary alerts and notifications.
Solution: Resolved the internal bookkeeping errors that caused clients to forward the same events to Symantec Endpoint Protection Manager repeatedly.
 
Access to files located on a network share is significantly slower when Application and Device Control is enabled
Fix ID: 1908362
Symptom: Access to files located on a network share is significantly slower when Application and Device Control is enabled.
Solution: The Application and Device Control cache was redesigned to improve performance.
 
Citrix causes SMC start failure
Fix ID: 1914056
Symptom: SMC and COM+ Event System services do not start when Symantec Endpoint Protection is installed with Citrix PVS Device software.
Solution: The Symantec Endpoint Protection client was modified to allow SMC to start when installed with Citrix.
 
Client displays Host Integrity details when it is in Quarantine
Fix ID: 1925059
Symptom: Client displays Host Integrity details when it is in Quarantine.
Solution: The server console was updated to properly show host integrity details.
 
DWHxxxx.tmp files are scanned and re-detected when new definitions arrive or during a scheduled scan
Fix ID: 1925607
Symptom: DWHxxxx.tmp files are scanned and re-detected when new definitions arrive or during a scheduled scan.
Solution: After extracting a quarantined item to a temp file, the file is deleted immediately after it is processed.
 
If Client Log settings expire after 0 days then .dat files build up under \data\inbox\log\system
Fix ID: 1926606
Symptom: If Client Log settings expire after 0 days then .dat files build up under \data\inbox\log\system.
Solution: Symantec Endpoint Protection Manager was modified to delete .dat files immediately if the client log settings are set to expire after 0 days.
 
Query failed when running a comprehensive risk report for the past 24 hours
Fix ID: 1926711
Symptom: The comprehensive risk report for the past 24 hours times out and displays a message: "Error Query failed: query could not be processed."
Solution: The report now uses a stored procedure along with temporary tables that are used to store interim results.
 
Scheduled scans run at unexpected times
Fix ID: 1931199
Symptom: Scheduled scans run at unexpected times.
Solution: If a scan is updated, the LastStart value is set to the next immediate run time after the Created time.
 
The Symantec Endpoint Protection client packet log shows incorrect information for the packet type
Fix ID: 1933067
Symptom: The Symantec Endpoint Protection client packet log shows incorrect information for the packet type.
Solution: The Symantec Endpoint Protection client was updated to correct the type in the packet log output.
 
The embedded database cannot handle Tab characters in the Description field of an Application and Device Control policy
Fix ID: 1934825
Symptom: The Symantec Endpoint Protection client fails to parse information when a Tab is encountered.
Solution: Tab characters are removed from the description field.
 
Symantec Endpoint Protection Manager always sets the external log priority to Informational
Fix ID: 1939492
Symptom: Symantec Endpoint Protection Manager logs all events to syslog server as "Informational".
Solution: Symantec Endpoint Protection Manager was updated so that the appropriate log priority is retained when using external logging.
 
 
Packet Log details show incorrect source and destination port information
Fix ID: 1939648
Symptom: Packet Log details show incorrect source and destination port information.
Solution: The Symantec Endpoint Protection client logging now correctly converts network byte order to native.
 
Reformatted or re-imaged clients that are part of an Organizational Unit (Active Directory) do not re-register to the same entry
Fix ID: 1941406
Symptom: Clients that are part of an organizational unit re-register to an incorrect group.
Solution: When using computer mode, clients now re-register properly and use the same group.
 
Unable to create a database with a database name that starts with a number
Fix ID: 1945683
Symptom: Unable to create a database with a database name that starts with a number.
Solution: The Symantec Endpoint Protection Manager installer was updated to allow a database name that starts with a number.
 
Computer stops responding with third party application called CWAT installed
Fix ID: 1947914
Symptom: The computer may stop responding when the third party application CWAT is installed.
Solution: The SymEvent driver was updated to prevent the problem.
 
Symantec Endpoint Protection Clients download full definitions from Symantec Endpoint Protection Manager or GUP rather than deltas
Fix ID: 1950212
Symptom: Clients download full definitions from Symantec Endpoint Protection Manager or GUP due to the server generating 0-byte deltas.
Solution: The Symantec Endpoint Protection Manager definition delta generation was made more robust to ensure deltas are generated properly for distribution to clients and GUPs.
 
Client does not use single GUP when GUP bypass timeout is configured
Fix ID: 1951175
Symptom: The Symantec Endpoint Protection client does not use "single GUP" when GUP bypass timeout is configured.
Solution: The method in which a GUP is contacted, and the LiveUpdate files are downloaded, was modified to resolve this issue.
 
Replication failure due to Primary Key Violation
Fix ID: 1958237
Symptom: The Symantec Endpoint Protection Manager logs display an error "java.sql.BatchUpdateException: Violation of PRIMARY KEY constraint 'PK_SEM_COMPUTER'. Cannot insert duplicate key in object 'dbo.SEM_COMPUTER'".
Solution: If the insert statement batch fails, Symantec Endpoint Protection Manager now catches the primary key violation exception and executes the statements one by one to make sure all data is inserted or updated to the database.
 
Under certain conditions, Symantec Endpoint Protection or Symantec Protection Agent will confuse a packet to VPN server as a packet to Symantec Endpoint Protection Manager
Fix ID: 1960378
Symptom: The Symantec Endpoint Protection client may show the IP address of the VPN server as the management server.
Solution: The Symantec Endpoint Protection client was updated to only treat packets from Symantec Endpoint Protection processes as traffic to Symantec Endpoint Protection Manager.
 
A user can save a default filter to the database, but the default filter value is empty when re-opening the command status details
Fix ID: 1965510
Symptom: A user can save a default filter to the database, but the default filter value is empty when re-opening the command status details.
Solution: Symantec Endpoint Protection Manager was updated to properly save and display the filter.
 
Firewall rule using the IBM Mobility 6.1.1 VPN adapter selected cannot be saved
Fix ID: 1973279
Symptom: Firewall rule using the IBM Mobility 6.1.1 VPN adapter selected cannot be saved.
Solution: The Symantec Endpoint Protection client was modified to use the NIC name as the network connection name if it is empty.
 
Proactive Threat Protection (PTP) definitions fail to update, and PTP does not start
Fix ID: 1974386
Symptom: After upgrading Symantec AntiVirus 10.1 MR7 to Symantec Endpoint Protection 11, clients may not update PTP definitions.
Solution: Symantec Endpoint Protection Manager was updated to make startup registration more robust.
 
When extracting ZIP files across a share with Network Threat Protection installed, a hang may occur
Fix ID: 1980383
Symptom: When extracting ZIP files across a share with Network Threat Protection installed, a hang may occur.
Solution: Network Threat Protection was updated to resolve the hang.
 
Automatic upgrade to RU6 does not maintain existing configuration for install features
Fix ID: 1984339
Symptom: Automatic upgrade to RU6 does not maintain existing configuration for install features.
Solution: Symantec Endpoint Protection Manager was modified to skip rebuilding of the features when a package is imported from the Symantec Endpoint Protection folder.
 
Data mismatch between drilled down reports for "Still infected" and Quick Reports/Comprehensive Risk Report
Fix ID: 1990019
Symptom: Data mismatch between drilled down reports for "Still infected" and Quick Reports/Comprehensive Risk Report.
Solution: SQL queries in Symantec Endpoint Protection Manager were updated to provide a better match between reports.
 
Reports are not sent at expected frequency when configured for once a month
Fix ID: 1996289
Symptom: Scheduled reports are generated and sent every 30 days rather than once a month.
Solution: Symantec Endpoint Protection Manager monthly reports were updated to be generated on the same numeric day of the month on which the report was generated, unless that numeric day does not exist in the current month, in which case the report is sent on the last day of the month.
 
LiveUpdate default retry interval does not work after installing Symantec Endpoint Protection Manager
Fix ID: 1999871
Symptom: LiveUpdate default retry interval does not work after installing Symantec Endpoint Protection Manager.
Solution: Symantec Endpoint Protection Manager was updated to properly set the defaults upon a fresh install.
 
Unable to apply Windows XP Service Pack 3 to SP2 machine with Proactive Threat Protection installed
Fix ID: 2000953
Symptom: Service Pack 3 logs show errors that a number of files are in use by another application. The issue does not occur when Proactive Threat Protection is not installed.
Solution: Proactive Threat Protection was updated to allow SP3 to be installed.
 
Server does not receive scan logs from a computer in user-control mode that does not have a user logged in
Fix ID: 2003472
Symptom: Symantec Endpoint Protection Manager does not receive scan logs from a computer in user-control mode that does not have a user logged in.
Solution: The Symantec Endpoint Protection client was modified to cache the last user name and logon domain. If no user is logged in, then this information is used to respond to the registration request.
 
Faulting application COH32.exe, version 6.1.9.44, faulting module COH32.exe, version 6.1.9.44
Fix ID: 2005974
Symptom: After migrating from Symantec Endpoint Protection 11 MR5 to Symantec Endpoint Protection 11 RU6, you may encounter a SONAR error pop-up every hour.
Solution: Proactive Threat Protection was updated to prevent the crash and SONAR pop-up.
 
System hangs when migrating from Symantec AntiVirus MR5 to Symantec AntiVirus MR5 PP1
Fix ID: 2008535
Symptom: System hangs when migrating from Symantec AntiVirus MR5 to Symantec AntiVirus MR5 PP1.
Solution: Although this defect was not reported on Symantec Endpoint Protection, the product was updated to build in an additional check during installation when rtvscan.exe is shutting down.
 
Registry key migration from Symantec AntiVirus 10.x to Symantec Endpoint Protection 11.x does not work
Fix ID: 2008749
Symptom: After upgrading from Symantec AntiVirus to Symantec Endpoint Protection, multithreaded scan specific registry settings are not properly migrated.
Solution: The Symantec Endpoint Protection installer was updated to ensure a proper migration from Symantec AntiVirus 10.x to Symantec Endpoint Protection 11.
 
Symantec Endpoint Protection Manager Home page "Attention needed" details do not match client properties
Fix ID: 2009806
Symptom: On the Symantec Endpoint Protection Manager home page, "More Details, IPS Failures" does not match client properties.
Solution: A SQL query for IPS Failures was updated so that Symantec Endpoint Protection Manager shows the latest IPS version.
 
Blue screen error referencing sysplant.sys
Fix ID: 2017143
Symptom: Computer experiences blue screen error referencing sysplant.sys.
Solution: Application and Device Control was updated to prevent the crash.
 
LiveUpdate hangs intermittently on Symantec Endpoint Protection Manager after post-session processing
Fix ID: 2029668
Symptom: LiveUpdate hangs intermittently on Symantec Endpoint Protection Manager after post-session processing.
Solution: Symantec Endpoint Protection Manager LiveUpdate was updated to ensure proper freeing of resources.
 
Client search function returns more results than expected
Fix ID: 2030356
Symptom: Client search function returns more results than expected.
Solution: A SQL query in Symantec Endpoint Protection Manager was updated to display the proper client search results.
 
Symantec Endpoint Protection Manager is unable to export a client install package after migrating from Symantec Endpoint Protection 11 RU5 to Symantec Endpoint Protection 11 RU6a
Fix ID: 2031097
Symptom: Symantec Endpoint Protection Manager is unable to export a client install package after migrating from Symantec Endpoint Protection 11 RU5 to Symantec Endpoint Protection 11 RU6a.
Solution: Symantec Endpoint Protection Manager was updated to allow the client install to be exported after migration.
 
Install packages created by limited administrator install clients register into the default group rather than specified group
Fix ID: 2031339
Symptom: Install packages created by limited administrator install clients register into the default group rather than specified group.
Solution: Symantec Endpoint Protection Manager was updated so that exported packages contain the preferred group information.
 
Client search function does not work when search involves more than 200 groups
Fix ID: 2034712
Symptom: Client search function does not work when search involves more than 200 groups.
Solution: A SQL query was updated to display the proper client search results.
 
An unexpected UDP flood attack is reported after upgrading to RU6
Fix ID: 2038207
Symptom: An unexpected UDP flood attack is reported after upgrading to RU6, and what appears to be a legitimate internal DNS server is blocked.
Solution: Symantec Endpoint Protection client was updated to verify that the DNS response packet comes from a valid DNS server.
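The false positive and its fix can be reproduced with a small rate-based detector. This is an added sketch, not Symantec's implementation: the article does not say how a DNS server is judged valid, so the example assumes "valid" means source port 53, a source address in the host's configured resolver list, and a match to a query the host actually sent. The class name, threshold, addresses and trace are all constructed.

```python
from collections import defaultdict, deque

DNS_PORT = 53


class UdpFloodDetector:
    """Per-source sliding-window UDP counter with a DNS-response exemption."""

    def __init__(self, resolvers, threshold=5, window=1.0):
        self.resolvers = set(resolvers)    # assumed: host's configured DNS servers
        self.threshold = threshold         # packets per window before "flood"
        self.window = window               # seconds
        self.pending = set()               # (resolver_ip, txid) of queries sent
        self.recent = defaultdict(deque)   # source ip -> counted packet timestamps

    def outbound_query(self, dst_ip, txid):
        # Only queries to configured resolvers create an expected response.
        if dst_ip in self.resolvers:
            self.pending.add((dst_ip, txid))

    def is_valid_dns_response(self, pkt):
        key = (pkt["src"], pkt.get("txid"))
        if (pkt["sport"] == DNS_PORT and pkt["src"] in self.resolvers
                and key in self.pending):
            self.pending.discard(key)      # each query excuses one response only
            return True
        return False

    def inbound(self, pkt):
        """Return 'allow' or 'flood' for one inbound UDP packet."""
        if self.is_valid_dns_response(pkt):
            return "allow"
        q = self.recent[pkt["src"]]
        q.append(pkt["ts"])
        while q and pkt["ts"] - q[0] > self.window:
            q.popleft()
        return "flood" if len(q) > self.threshold else "allow"


def constructed_trace():
    # 20 lookups in 0.2 s: the internal resolver answers each one, while a
    # second host sends unsolicited packets from source port 53.
    events = []
    for i in range(20):
        t = i * 0.01
        events.append({"dir": "out", "dst": "10.0.0.53", "txid": i, "ts": t})
        events.append({"dir": "in", "src": "10.0.0.53", "sport": 53,
                       "txid": i, "ts": t + 0.001})
        events.append({"dir": "in", "src": "10.0.0.99", "sport": 53,
                       "txid": i, "ts": t + 0.002})
    return events


def replay(detector, events):
    verdicts = defaultdict(list)
    for ev in events:
        if ev["dir"] == "out":
            detector.outbound_query(ev["dst"], ev["txid"])
        else:
            verdicts[ev["src"]].append(detector.inbound(ev))
    return dict(verdicts)


if __name__ == "__main__":
    trace = constructed_trace()
    naive = replay(UdpFloodDetector(resolvers=[]), trace)        # no DNS check
    fixed = replay(UdpFloodDetector(resolvers=["10.0.0.53"]), trace)
    for name, result in (("no validation", naive), ("with validation", fixed)):
        print(name, {src: v.count("flood") for src, v in result.items()})
```

Matching on the outstanding query, not on source port 53 alone, keeps the exemption from covering unsolicited traffic that merely uses the DNS port.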
 
After migrating Symantec Endpoint Protection Manager to RU6, Application and Device Control is enabled on legacy clients
Fix ID: 2039298
Symptom: Application and Device Control is enabled on legacy clients unexpectedly after migration to RU6.
Solution: Symantec Endpoint Protection was updated on both client and Symantec Endpoint Protection Manager side to ensure that both legacy clients and Symantec Endpoint Protection clients receive proper settings so that Application and Device Control is not inadvertently enabled.
 
 
Network Access Control Client Enforcement Agent fixes
 
RSH connections fail on 64-bit Windows
Fix ID: 1927256
Symptom: On 64-bit Windows, RSH connections from 32-bit applications fail due to incompatibility with Symantec Network Access Control 64-bit network provider.
Solution: The Symantec Network Access Control network provider was corrected to be compatible with 32-bit applications on a 64-bit operating system.
 
 
Enforcer changes
 
Connection dropped due to un-required DHCP renew
Fix ID: 2028160
Symptom: With 802.1x enabled, the client sends an attempt to re-authenticate after a successful Windows dot1x authentication, resulting in a DHCP release/renew attempt.
Solution: The VLAN change detection was improved to avoid dot1x re-authentication.
 
Symantec Network Access Control client randomly disconnects with UID INVALID on Enforcer
Fix ID: 2068439
Symptom: Enforcer receives two Radius authentication packets in a single authentication session.
Solution: Symantec Network Access Control was updated to decode only the first request when the Enforcer encounters multiple authentication packets in a single session.
 
Gateway Enforcer NIC will randomly go down for 30 seconds
Fix ID: 2029614
Symptom: On Gateway Enforcer with fail open enabled, the NIC driver is periodically queried for the product ID. The return value is not always valid, causing the NIC to go down.
Solution: The unnecessary query to the NIC driver for the product ID was removed. Gateway Enforcer was changed to obtain and validate the product ID only during startup.
 
Syslog shows incorrect Host Integrity status
Fix ID: 1987889
Symptom: "Permit access" is not displayed in syslog even though Host Integrity passes.
Solution: Corrected how client and Enforcer types are differentiated when displaying logs.
 
MAB request from 3COM switch is not supported
Fix ID: 1967503
Symptom: The MAC address bypass feature of the LAN Enforcer does not work with a 3COM switch.
Solution: Added support for a 3COM switch with MAB enabled.
 
 
Symantec Endpoint Protection for Macintosh
 
Managed clients fail to display management information after a period of time
Fix ID: 2075100
Symptom: Managed Symantec Endpoint Protection for Macintosh clients stop displaying management information after an event rewrites the SymantecRegistry.xml file to zero-byte size.
Solution: Added functionality to remediate the SymantecRegistry.xml when the file is corrupt or missing.
 
Components included in this version
 
Windows components
Component                          Version
Symantec Endpoint Protection       11.0.6100
Symantec Network Access Control    11.0.6100
Auto-Protect                       10.3.3.4
Avengine                           20101.1.0.89
Behavior Blocking                  3.5.1.4
ccEraser                           2007.0.1.6
COH                                6.1.11.13
Common Client                      106.5.2.003
DecABI                             1.2.5.130
Defutils                           4.1.3.2
ECOM                               61.3.0.17
VxMS (MS Light)                    5.2.0.4
LiveUpdate                         3.3.0.96
LiveUpdateAdmin                    2.2.2.9
Microdefs                          2.7.0.13
QServer                            3.6.43
WpsHelper                          12.1.0.20
SyKnAppS                           3.0.3.3
SymEvent                           12.8.3.23
SymNetDrv                          7.2.5.9
Teefer2                            11.0.5708.18
 
 
Macintosh components
Component                                     Version
Symantec Endpoint Protection for Macintosh    11.0.6100
LiveUpdate                                    5.1.2.22
Symantec Scheduler                            4.0.3.9
SymProtector                                  1.0.5
Symantec QuickMenu                            2.1.1.5
SymSharedFrameworks                           2.3.0.15
Symantec Uninstaller                          2.0.23

 

Release Update 6a (RU6a)

 

What's new in this version
Symantec Endpoint Protection RU6a provides a fix for two specific problems that existed in RU6. RU6a is a full build of Symantec Endpoint Protection.

Deploying or migrating clients when using multi-byte character group names in the Symantec Endpoint Protection Management console
Fix ID: 2020545
Symptom: If you create groups with names that use a double-byte character set, you cannot add new RU6 clients to those groups through any form of installation. New clients are automatically placed into the Default group.
Solution: With RU6, clients were incorrectly parsing DBCS characters resulting in a corrupt group name. When registering with the Symantec Endpoint Protection Manager using a corrupt group name, clients are placed into the Default group. With this fix, client-side changes were made to parse DBCS group names correctly.

Periodic CPU spike when using Symantec Endpoint Protection Manager Java console
Fix ID: 2022713
Symptom: With RU6, a periodic CPU spike occurs when a user selects the Policies, Clients, or Admin page in the Symantec Endpoint Protection Manager Java-based console.
Solution: This issue was caused by a periodic refresh of the Home page to prevent a time-out of the PHP session. The refresh task now refreshes the Reports page, which consumes fewer resources. In addition, you can now configure the refresh time by setting the scm.keepalivescheduleminute value in the conf.properties file.

 
Components updated in this version
Component                          Version
Symantec Endpoint Protection       11.0.6005.562

 

Release Update 6 (RU6)


What's new in this version
The current release includes the following improvements that make Symantec Endpoint Protection and Symantec Network Access Control easier and more efficient to use.

Symantec Endpoint Protection includes client software to run on a Macintosh computer. The client runs on the following versions of Mac OS X:

  • Mac OS 10.4
  • Mac OS 10.5
  • Mac OS 10.6 (32-bit and 64-bit versions)

The following new features are available in RU6:
  • Symantec Protection Center
    Symantec Protection Center is a Web-based console that enables you to access and manage multiple supported Symantec products. The console also provides visibility and analytics across products as well as providing useful security feedback and attack statistics.

    The console provides a single sign-on screen for the following registered Symantec products:
      • Symantec Endpoint Protection
      • Symantec Critical System Protection
      • Symantec Web Gateway
      • Symantec Brightmail Gateway
      • Symantec IT Analytics
      • Symantec Data Loss Prevention
  • The Symantec Endpoint Recovery Tool
    The Symantec Endpoint Recovery Tool is an image that you can burn on a disc, which you can use to scan and remove malware from client computers. You use this tool for the computers that are too infected for Symantec Endpoint Protection to clean effectively.

    You can download the tool from the following URL: https://fileconnect.symantec.com/
  • Scheduled scans have the option to be run at random times
    You can configure scheduled scans to run at randomized times, so that virtualized environments do not all run scan sessions at the same time.

Components included in this version
Windows components
Component                          Version
Symantec Endpoint Protection       11.0.6000
Symantec Network Access Control    11.0.6000
Auto-Protect                       10.3.3.4
Avengine                           20081.3.1
Behavior Blocking                  3.5.1.4
ccEraser                           2007.0.1.6
COH                                6.1.10.13
Common Client                      106.5.1.006
DecABI                             1.2.5.130
Defutils                           4.1.2.3
ECOM                               81.3.0.13
VxMS (MS Light)                    5.2.0.4
LiveUpdate                         3.3.0.96
LiveUpdateAdmin                    2.2.2.9
Microdefs                          2.7.0.13
QServer                            3.6.43
WpsHelper                          12.1.0.20
SyKnAppS                           3.0.3.3
SymEvent                           12.8.0.11
SymNetDrv                          7.2.5.9
Teefer2                            11.0.5708.18

Macintosh components
Component                                     Version
Symantec Endpoint Protection for Macintosh    11.0.6000
LiveUpdate                                    5.1.2.22
Symantec Scheduler                            4.0.3.9
SymProtector                                  1.0.5
Symantec QuickMenu                            2.1.1.5
SymSharedFrameworks                           2.3.0.15
Symantec Uninstaller                          2.0.23

Behavior and user interface changes

Endpoint Protection scan changes permissions on files located on an NFS share
Fix ID: 1711377
Symptom: When a manual or scheduled scan is run from the Symantec Endpoint Protection client on a mapped NFS share, the permissions of compressed files may change to read-only.
Solution: The scan will only alter file permissions on files during compressed file scanning if a "repair" or "delete" is required on a compressed file.

File cannot be scanned if user has limited permissions
Fix ID: 1715669
Symptom: A file with special or limited permissions (no read, write or users) cannot be scanned.
Solution: Updated scanning techniques to allow scanning of these files.

Increase in the Quarantine Maximum allowable size
Fix ID: 1744576
Symptom: The maximum quarantine size Central Quarantine allows is limited to a range of 1 MB to 4095 MB.
Solution: Changed the UI to allow from 1 MB to 102400 MB (100 GB).

Incorrect terminology on the "Client Count by Group" report
Fix ID: 1765903
Symptom: Following an upgrade from Symantec Endpoint Protection MR2 or an older build, on the "Computer Status"->"Client Count by Group" report, "Global" is displayed instead of "My Company".
Solution: Reporting was changed to display the correct terminology.

Computer Status log and log details do not use consistent naming
Fix ID: 1785158
Symptom: When viewing Computer Status logs, the summary view references "Last Check-in", but the log details and exported logs use "Last Update Time".
Solution: Changed "Last Update Time" to "Last Check-in".

Unable to change the Intrusion Prevention Notifications configuration dialog box from the default of 5 seconds
Fix ID: 1810853
Symptom: The value of "Number of seconds to display notifications" can be saved successfully only when the check box "Amount of time before re-enabling Network Threat Protection" is selected.
Solution: The value is now saved even if the check box "Amount of time before re-enabling Network Threat Protection" is not selected.

Inconsistency between reporting data showing in the console, and the data contained in an exported file
Fix ID: 1820711
Symptom: On the "Scan log for Current Month" report, the times are different from those contained in the exported data log.
Solution: Changed the export function so that it does not reset the timestamp during export.

"Current IPS definition" version/date remains in Symantec Endpoint Protection Manager's client information even after IPS is uninstalled.
Fix ID: 1800463
Symptom: After uninstalling Network Threat Protection from the Symantec Endpoint Protection client, the IPS definitions remain on the client information tab and Symantec Endpoint Protection Manager home page.
Solution: Added a check of the sem_agent.firewall_onoff flag when displaying the version of the IPS definitions.

Symantec Endpoint Protection Manager user-interface does not state administrative privileges are required to add central exceptions
Fix ID: 1835881
Symptom: Non-admin users cannot add exceptions on the client.
Solution: Symantec Endpoint Protection Manager user-interface changed to state administrative privileges are required to add central exceptions.

Client count discrepancy between "More Details" page and "Virus Definition Distribution" page
Fix ID: 1862285
Symptom: The virus definition distribution page only shows clients that have been online in the last 12 or 24 hours, while the "more details" page shows all clients.
Solution: Added the "Last check-in time" column under "Antivirus Definition Failures" and "IPS Failures" sections of the "more details" report. All the data will be sorted first by definition or IPS signature, then by last check-in time. Changed the report names to "Antivirus Definition Update Failures" and "Intrusion Prevention Signatures Update Failures".

Limited admin cannot access the advanced configuration of a read only AV/AS policy
Fix ID: 1879953
Symptom: Limited admin cannot access the advanced configuration of a read only AV/AS policy.
Solution: Changed the policy editor UI to make all information read-only for a limited admin user.


Rename "UDP Destination Port" to "Destination Port" in the Symantec Endpoint Protection Manager UI
Fix ID: 1895035
Symptom: Symantec Endpoint Protection Manager can use UDP or TCP for the destination port, but the description implies only UDP is available.
Solution: Change the description from "UDP Destination Port" to "Destination Port".

Auto Location Switching does not recognize 144 Mb/sec 802.11n connections
Fix ID: 1927272
Symptom: Auto Location Switching does not switch a client to a 144 Mbps wireless connection.
Solution: Added support for a 144Mbps wireless connection.

Reports filtered by 'Group' return 0 results
Fix ID: 1934242
Symptom: Reports filtered by 'Group', where a group name contains an apostrophe (e.g. PC's), return 0 results.
Solution: Upgraded to PHP 5.3.1.

Reporting inconsistency in Symantec Endpoint Protection Manager on the 'Still Infected' count
Fix ID: 1947676
Symptom: The 'Still Infected' count is inconsistent between the Detection Action Summary report and the Security Status report.
Solution: Modified the PHP queries to correct the Detection Action Summary report value.


Client and Manager fixes
Client package repeatedly downloaded during AutoUpgrade process
Fix ID: 1232686
Symptom: Clients download the install package (full or delta) repeatedly, possibly creating network congestion.
Solution: Estimate the amount of space needed by the installer to complete the install successfully, based on the previous install package size and the new package size.

After upgrading to IE7, Quarantine Server can no longer get definition updates or submit samples
Fix ID: 1526557
Symptom: After upgrading to IE7, Quarantine Server can no longer get definition updates or submit samples.
Solution: Definition servers used by QServer do not support the new SSL protocol enabled by IE7. Switched from Wininet to WinHTTP protocol.

Broadcom TPM chip is not recognized in Symantec Endpoint Protection Manager
Fix ID: 1536046
Symptom: Broadcom TPM chip is not recognized.
Solution: Added support for the Broadcom TPM chip.

While installing a Symantec Endpoint Protection client locally, the install fails and rolls back with an error
Fix ID: 1545935
Symptom: Installation of Symantec Endpoint Protection fails and the SEP_INST.log contains a reference to "LiveUpdate registration failed".
Solution: Changes to the LiveUpdate installer to work around a COM failure caused by InstallShield in Microsoft Windows classes.


RTVScan unloads the user hive while Windows is logging in the user
Fix ID: 1672322
Symptom: The Windows default profile is loaded showing a clean user desktop instead of the expected user's desktop.
Solution: Delay loading of user scans, which cause the hive to be loaded, during startup of RTVScan. This prevents the issue from happening during bootup.

Adding ADC policy results in Symantec Endpoint Protection pop up despite administrator settings
Fix ID: 1678176
Symptom: ADC policy results in Symantec Endpoint Protection pop up despite "Notify users when devices are blocked" option being disabled.
Solution: Fixed the client pop-up notification rule to follow the applied policy.

Symantec Endpoint Protection User mode does not apply the same policy to multiple machines with the same logged in user
Fix ID: 1678248
Symptom: When the same domain account is logged in to several systems, the systems do not all apply the same policy in Symantec Endpoint Protection User-Mode.
Solution: Updated logic to keep all references of a domain user logon together whenever the account is copied or moved to different groups.

HP Configuration Manager performance decrease with the Symantec Endpoint Protection firewall installed.
Fix ID: 1703292
Symptom: HP Configuration Manager takes longer to push updates when the Symantec Endpoint Protection firewall is installed.
Solution: Change in Teefer2 driver to support an additional packet status when forwarding packets.

"Server Busy" message appears when scan is run
Fix ID: 1706963
Symptom: When selecting a scan from the Symantec Endpoint Protection GUI (either "Run Active Scan" or "Run Full Scan"), an error message is displayed "Server Busy" with options to "Switch to process" or "Retry".
Solution: The client now checks that a plugin is installed before trying to load the plugin.

Symantec Endpoint Protection Manager Scheduled Reports do not consistently run as scheduled
Fix ID: 1711164
Symptom: Symantec Endpoint Protection Manager Scheduled Reports are set to run hourly, however the reports run sporadically.
Solution: Updated to PHP 5.3.1 to resolve this issue.


Windows Firewall on Windows Server 2003 is not disabled after installation of Symantec Endpoint Protection client with Network Threat Protection enabled
Fix ID: 1734372
Symptom: Windows Firewall on Windows Server 2003 is not disabled after installation of Symantec Endpoint Protection client with Network Threat Protection.
Solution: Changed the installer to disable Windows Firewall when NTP is installed.

Virtual Apps running under MS App-V 4.5 will not run when Application and Device Control is enabled
Fix ID: 1734543
Symptom: Virtual Apps running under MS App-V 4.5 will not run when Application and Device Control is enabled and set to "Block programs from running on removable devices".
Solution: MS App-V loader was modifying the same PE header field as a Symantec driver, causing a synchronization issue. The corresponding field is no longer modified if App-V loader is detected.

Clients cannot use GUPs when assigned to a group with an ampersand in the name
Fix ID: 1741306
Symptom: When a location name contains an ampersand, clients do not get updates from the designated GUP, and the GUP does not create the SharedUpdates folder. Clients will also show an EventID12 error.
Solution: Correctly process text strings by escaping ampersands.

Random system crashes implicating sysplant.sys
Fix ID: 1743080
Symptom: A system crash occurs when sysplant is attempting to access another application that is only partially loaded into memory.
Solution: Improved error handling for this situation.

RTVScan.exe terminates unexpectedly
Fix ID: 1745747
Symptom: Occasional RTVScan.exe crashes on Windows 2008 Exchange servers.
Solution: Updated a number of function calls to avoid the crash.

Symantec Endpoint Protection Shield Systray icon intermittently changes from green to red
Fix ID: 1745765
Symptom: Symantec Endpoint Protection Shield Systray icon dot intermittently changes from green to red, and the product UI displays message saying "PTP definitions are out of date."
Solution: Included checks to make sure the Symantec Endpoint Protection client is prepared to accept messages before sending from the server.

Internet Email Auto-Protect has been configured to scan selected file types, however, all file types are scanned
Fix ID: 1746947
Symptom: Internet Email Auto-Protect has been configured to scan selected file types, however, all file types are scanned.
Solution: Changes were made to the Internet Email plugin to allow longer strings to be processed.

Scheduled "Comprehensive Risk" report no longer runs after upgrading
Fix ID: 1747133
Symptom: A scheduled Comprehensive Risk Report with a specified time range will fail to create a report. An IOException "Not in GZIP Format" can be seen in the server logs.
Solution: Resolved by using the usertimezone session variable.


Scheduled Daily LiveUpdate runs at the wrong time
Fix ID: 1766600
Symptom: When the Symantec Endpoint Protection client is configured with a daily scheduled LiveUpdate, the client runs LiveUpdate 24 hours after the previous scheduled LiveUpdate.
Solution: Corrected the logic behind LU schedules.

Symantec Network Access Control agent is not communicating to the DHCP Enforcer
Fix ID: 1766913
Symptom: When data inconsistency exists between a Symantec Endpoint Protection Manager with a DHCP enforcer connected to it, and the Symantec Endpoint Protection Manager from which a Symantec Network Access Control client is getting profiles, the Symantec Network Access Control agent cannot connect to the DHCP enforcer.
Solution: The DHCP enforcer now verifies the UID from the Symantec Endpoint Protection Manager to which clients are connecting.

Clients downloading full LU content unexpectedly
Fix ID: 1782039
Symptom: Random clients continually download full LU content. Some clients may not be updated regularly. High network bandwidth usage.
Solution: Changes to allow clients to download the current full content even when newer content is available. This allows clients to retrieve deltas sooner, which will reduce network bandwidth usage.

The device tree cannot be shown when running DevViewer.exe on Windows 2000 Japanese Operating Systems
Fix ID: 1784061
Symptom: Device IDS information cannot be displayed when using DevViewer.exe on Windows 2000 with Japanese locale.
Solution: Changed DevViewer to be compatible with Japanese operating systems.

On export of Computer Status logs the data is incorrectly formatted
Fix ID: 1786455
Symptom: When exporting Computer Status logs, if the "Computer Description" contains a comma, data will shift to the right when viewing in Excel.
Solution: Strings that include commas are now placed between quotation marks.

With an Application and Device Control policy enabled, a pop up message appears despite "Notify users when devices are blocked" option being disabled
Fix ID: 1790228
Symptom: When a device is removed from an existing application and device control policy, a pop-up message appears on the Symantec Endpoint Protection client despite "Notify users when devices are blocked" option being disabled. The message states that the device that was previously blocked has now been enabled.
Solution: Ticking the "Notify users when devices are blocked" box ensures that no popup messages will appear.

A deadlock occurs during replication
Fix ID: 1800313
Symptom: A deadlock occurs during Symantec Endpoint Protection Manager replication.
Solution: Deadlock priorities were changed so that the replication process should complete.


Password checks for RSA authentication are passed on to Symantec Endpoint Protection Manager administrators but not from Active Directory.
Fix ID: 1800533
Symptom: An Active Directory based administrator shows as expired in Symantec Endpoint Protection Manager even though the password has not expired in Active Directory.
Solution: A Symantec Endpoint Protection Manager administrator will no longer show up as expired unless the account has expired in Active Directory when using Active Directory synchronization for user accounts.

Virus definitions are installed on a client when AntiVirus is not selected as a feature at install time
Fix ID: 1800767
Symptom: After installing the Symantec Endpoint Protection client without AntiVirus selected, the install still installs AV definitions on the system.
Solution: Modified the installer to only install AV definitions when AntiVirus has been installed.

AutoLocation occasionally switches to another location momentarily
Fix ID: 1805871
Symptom: At startup, clients sometimes switch from one location to another even though "Remember Last Location" is checked.
Solution: Changed the AutoLocation logic during startup. When the system starts, if "Remember Last Location" is checked, the correct last location will be used.

Symantec Endpoint Protection NTP behavior is inconsistent with policies in multi-site environments
Fix ID: 1806005
Symptom: If NTP policies differ between two sites, and a user disables NTP then switches to a location requiring NTP, NTP is not enabled correctly.
Solution: Remove use of a global variable in the update status thread, to prevent different threads from interfering with each other.

Text "GUI% GUICONFIG#SRULE@ADVRULECONFIG#Normal" shows in the traffic log rather than the actual rule name
Fix ID: 1822294
Symptom: The text "GUI% GUICONFIG#SRULE@ADVRULECONFIG#Normal" is shown from the client side rules (Mixed or Client Control mode) when viewing the traffic log, making it difficult to determine which actual rule or action is referenced.
Solution: Updated the description for this rule, and code changes to ensure the description is returned.

Symantec Endpoint Protection client Operating System Language is not displayed correctly in Symantec Endpoint Protection Manager
Fix ID: 1823096
Symptom: Spanish and Vietnamese languages are not shown correctly in the computer status logs.
Solution: Spanish and Vietnamese were added to the resource bundle.

Symantec Endpoint Protection does not warn users on system shutdown about external USB floppy drive plugged into the system
Fix ID: 1824851
Symptom: Symantec Endpoint Protection is not detecting external floppy drives correctly.
Solution: Symantec Endpoint Protection was updated to properly detect USB floppy drives.

Tracking cookies are detected but filenames are not displayed
Fix ID: 1826582
Symptom: Whenever a Cookie is detected its File-name and Location are displayed as Unavailable.
Solution: When the information of the Anomaly is extracted, a check for its Remediation-type is done. The Check for Cookies was missing and has been added.

Definition arrival event from QServer is logged as an error upon arrival of new definitions
Fix ID: 1826837
Symptom: Events are logged as "Error" when they should be logged as "Information".
Solution: Fixed logging to show an informational message instead of an error when new definitions arrive.

Semsvc.exe using approx 1GB of memory and slow Symantec Endpoint Protection Manager performance
Fix ID: 1827949
Symptom: Memory usage increases quickly over a short period of time. Symantec Endpoint Protection Manager will use approximately 1GB of memory.
Solution: The logic to handle multiple notifications from multiple administrators was changed.

Database Back Up and Restore tool does not perform a full database backup
Fix ID: 1827968
Symptom: Database Back Up and Restore tool only backs up logs.
Solution: A new popup dialog was added asking the administrator to confirm that they want to back up the database. The dialog also includes a checkbox to back up the logs. By default, the configured settings for the scheduled backup task are used.

Cannot mount network drives when logging onto Active Directory through an Aventail VPN client.
Fix ID: 1828057
Symptom: Active Directory user profile logon script fails to run at boot up, when using Aventail VPN client and Network Threat Protection is installed.
Solution: The product logic in Network Threat Protection was changed to correctly handle this situation.

Stop 7F (8) Kernel Stack Overflow Blue screen after installing Symantec Endpoint Protection
Fix ID: 1829876
Symptom: A stack overflow crash occurs after installing the MR4 MP2 version of the Symantec Endpoint Protection Client
Solution: Updates made to the Auto-protect component to prevent the crash

Microsoft Sysinternal utility Dbgview displays Symantec Endpoint Protection debug messages
Fix ID: 1832257
Symptom: Microsoft Sysinternal utility Dbgview displays Symantec Endpoint Protection debug messages: "SmcGui.exe m_nMSBtnAllowedAttempt is -1" and "SescLU.exe SescLu - CContentUpdateManager::Initializemultiple tries to Initialize"
Solution: These messages are no longer displayed in Dbgview; other Symantec Endpoint Protection product messages are still displayed.

There are missing and redundant events in log handling of AntiVirus and AntiSpam policies after migrating from Symantec Antivirus 10.1.x.
Fix ID: 1832957
Symptom: In the Symantec Endpoint Protection Manager > Policies > AV&AS policy > Miscellaneous > Log Handling section, the policies which migrated from SAVCE 10.1x have missing and redundant events.
Solution: Modified the missing Event Ids with a default value so they will be displayed as disabled in the UI.

Virtualized application fails to load when Symantec Endpoint Protection Application and Device Control (ADC) is enabled
Fix ID: 1833530
Symptom: Virtualized app fails to load when Symantec Endpoint Protection ADC is enabled. MS App-V loader was modifying the same PE header field as the Sysplant driver. This caused a synchronization issue.
Solution: The PE header field will no longer be modified when MS App-V is running on the same machine.


Tracking cookies detected along with PTP threats do not appear in Symantec Endpoint Protection Manager logs
Fix ID: 1837333
Symptom: Tracking cookies detected along with PTP threats appear on client logs but do not appear in Symantec Endpoint Protection Manager logs.
Solution: Added support to display tracking cookies in the Symantec Endpoint Protection Manager logs.

Symantec Endpoint Protection Manager UID error after replication cleaning duplicate clients by HASH(UID)
Fix ID: 1840183
Symptom: After replication, the DHCP Enforcer failed to verify the client UID from Symantec Endpoint Protection Manager.
Solution: After deleting duplicate clients by HASH(UID), update the reserved clients with a new USN and Time Stamp.

NetBeui traffic still blocked after adding NetBeui traffic allow rule.
Fix ID: 1840562
Symptom: With NTP enabled, NetBeui traffic (and protocols using 802.3 RAW or 802.3 LLC packet format) is blocked even when a NetBeui protocol allow rule is present.
Solution: Improved parsing logic for protocols using 802.3 packet formats.
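
The frames named in this entry carry a length, not an EtherType, in bytes 12-13 of the header, so a filter has to identify the framing before it can match a protocol rule. The following C code is an added example, not Symantec's code: it classifies Ethernet II, raw 802.3, 802.3 LLC and SNAP frames and evaluates a hypothetical NetBEUI allow rule on the LLC SAP value 0xF0. The function names, the rule and the sample frames are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Link-layer framings a filter must tell apart before it can match a protocol rule. */
enum frame_kind {
    FRAME_INVALID,
    FRAME_ETHERNET_II,  /* bytes 12-13 hold an EtherType (>= 0x0600) */
    FRAME_8023_RAW,     /* length field, payload starts with 0xFFFF */
    FRAME_8023_LLC,     /* length field, then DSAP / SSAP / control */
    FRAME_8023_SNAP     /* LLC AA AA 03, then 3-byte OUI and an EtherType */
};

struct frame_info {
    enum frame_kind kind;
    uint16_t ethertype;  /* set for Ethernet II and SNAP */
    uint8_t dsap, ssap;  /* set for LLC and SNAP */
};

#define ETH_HDR_LEN 14
#define SAP_NETBIOS 0xF0  /* LLC SAP used by NetBEUI (NBF) */

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

struct frame_info classify_frame(const uint8_t *f, size_t len)
{
    struct frame_info fi = { FRAME_INVALID, 0, 0, 0 };
    if (f == NULL || len < ETH_HDR_LEN)
        return fi;

    uint16_t tl = be16(f + 12);  /* type-or-length field */
    if (tl >= 0x0600) {
        fi.kind = FRAME_ETHERNET_II;
        fi.ethertype = tl;
        return fi;
    }
    /* 1501..1535 is undefined; a declared length larger than the bytes
       actually present means the frame is truncated. */
    if (tl > 1500 || tl < 2 || (size_t)tl > len - ETH_HDR_LEN)
        return fi;

    const uint8_t *p = f + ETH_HDR_LEN;
    if (p[0] == 0xFF && p[1] == 0xFF) {
        fi.kind = FRAME_8023_RAW;
        return fi;
    }
    if (tl < 3)
        return fi;
    if (p[0] == 0xAA && p[1] == 0xAA && p[2] == 0x03) {
        if (tl < 8)
            return fi;
        fi.kind = FRAME_8023_SNAP;
        fi.ethertype = be16(p + 6);
    } else {
        fi.kind = FRAME_8023_LLC;
    }
    fi.dsap = p[0];
    fi.ssap = p[1];
    return fi;
}

/* Hypothetical allow rule: pass NetBEUI, deny everything else.
   The low bit of DSAP (individual/group) and SSAP (command/response)
   is masked off before comparing against the NetBIOS SAP. */
int netbeui_rule_allows(const uint8_t *f, size_t len)
{
    struct frame_info fi = classify_frame(f, len);
    return fi.kind == FRAME_8023_LLC &&
           (fi.dsap & 0xFE) == SAP_NETBIOS &&
           (fi.ssap & 0xFE) == SAP_NETBIOS;
}

/* Constructed sample frames (addresses and payload bytes are made up). */
#define MACS 0x03,0x00,0x00,0x00,0x00,0x01, 0x00,0x11,0x22,0x33,0x44,0x55
static const uint8_t SAMPLE_NETBEUI[]   = { MACS, 0x00,0x06, 0xF0,0xF0,0x03, 0x2C,0x00,0xFF };
static const uint8_t SAMPLE_IPV4[]      = { MACS, 0x08,0x00, 0x45,0x00,0x00,0x14 };
static const uint8_t SAMPLE_RAW[]       = { MACS, 0x00,0x04, 0xFF,0xFF,0x00,0x04 };
static const uint8_t SAMPLE_SNAP[]      = { MACS, 0x00,0x08, 0xAA,0xAA,0x03, 0x00,0x00,0x00, 0x08,0x00 };
static const uint8_t SAMPLE_TRUNCATED[] = { MACS, 0x00,0x20, 0xF0,0xF0,0x03 };

int main(void)
{
    printf("NetBEUI frame allowed: %d\n", netbeui_rule_allows(SAMPLE_NETBEUI, sizeof SAMPLE_NETBEUI));
    printf("IPv4 frame allowed:    %d\n", netbeui_rule_allows(SAMPLE_IPV4, sizeof SAMPLE_IPV4));
    printf("raw 802.3 kind:        %d\n", classify_frame(SAMPLE_RAW, sizeof SAMPLE_RAW).kind);
    printf("SNAP EtherType:        0x%04X\n", classify_frame(SAMPLE_SNAP, sizeof SAMPLE_SNAP).ethertype);
    printf("truncated kind:        %d\n", classify_frame(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED).kind);
    return 0;
}
```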


Possible RTVScan handle leaks
Fix ID: 1840917
Symptom: In some edge-cases, RTVScan can leave handles open.
Solution: Additional function calls added to ensure handles are cleaned up.

Many ports on Symantec Endpoint Protection Manager are in CLOSE_WAIT on 9090
Fix ID: 1843026
Symptom: On the Symantec Endpoint Protection Manager, connections on port 9090 can build up in the CLOSE_WAIT state.
Solution: Ports are closed when they are no longer in use.

System state backup fails due to a Symantec Endpoint Protection registry key referencing a non-existing file
Fix ID: 1845046
Symptom: After autoupgrade has been run once on a Symantec Endpoint Protection client machine, a registry key is leftover referencing a non-existing file.
Solution: The leftover registry key is removed.


Logreader parse error on MR4MP2 server with MR5 client
Fix ID: 1848680
Symptom: Install an MR4MP2 server and an MR5 client. After the client sends opstate data to Symantec Endpoint Protection Manager, an exception can be seen in the logs: "Invalid log record: Too few fields."
Solution: GUP state handling logic is available in MR4-MP2, and this can cause an exception in processing agent logs for GUP Opstate. This is resolved in RU6 by ignoring certain unknown log values.

Blue screen error with Teefer2 driver on MR5
Fix ID: 1850556
Symptom: Blue screen error caused by the Teefer2 driver
Solution: Changed the code to lock the NDIS miniport block and copy its information into a local variable, preventing the crash.

Windows Malware Removal Tool can hang when it detects an infection when Symantec Endpoint Protection is running on the system
Fix ID: 1853399
Symptom: When running the Windows Malware Removal Tool to remove malware the tool might stop responding or the system might hang
Solution: A fix was made in AutoProtect that prevents it from causing a hang when it detects the malware being opened by the Windows Malware Removal Tool.

Files left behind in the temp folder for client management replication
Fix ID: 1854287
Symptom: After client management replication, files remain in the replication temporary folder.
Solution: Files are properly cleaned after client management replication.

Terminal Emulation program fails to run on Windows 7 when the Sysplant driver is running
Fix ID: 1854312
Symptom: Sysplant driver crash
Solution: Sysplant driver was changing the memory address of the import table, and in some cases, moving it to read-only memory space. Code changes to ensure the table is moved to writable memory space

Symantec Endpoint Protection Client migration error when an uninstall password has been set
Fix ID: 1854479
Symptom: A Symantec Endpoint Protection client migration will fail when an uninstall password has been set. The uninstall does not complete correctly, leaving two instances of the product installed.
Solution: All stale product installs are properly removed from the system when migrating to RU6.

GUP can no longer be set to an FQDN in the LiveUpdate policy
Fix ID: 1854618
Symptom: GUP can no longer be set to an FQDN in the LiveUpdate policy.
Solution: Corrected to allow FQDN to be used in the GUP server settings.

NULL UID Errors appear in the Secars log
Fix ID: 1856572
Symptom: NULL UID Errors appear in the Secars log, or UID is not valid on the first try.
Solution: UID remains persistent across Symantec Endpoint Protection client restarts and machine reboots.

Application and Device Control does not process file path with "\\?\" prefix
Fix ID: 1857525
Symptom: Application and Device Control rule does not work or takes an incorrect action.
Solution: Added a condition check when processing file paths to ensure the path is interpreted correctly.

Certain applications crash with Symantec Endpoint Protection 11 RU5 Application and Device Control enabled
Fix ID: 1858321
Symptom: After installing Symantec Endpoint Protection 11.0 RU5 and deploying an Application and Device Control policy, applications with an image base of (0x10000000) will fail to launch.
Solution: Fixed Symantec Endpoint Protection ntdll hook to happen after Sysfer relocates, preventing the crash.

Clients copied from an Active Directory Organizational Unit import to regular Symantec Endpoint Protection Manager groups receive incorrect policies
Fix ID: 1858465
Symptom: Clients copied from AD OUs have a profile from the OU group instead of the copied non-OU group.
Solution: When copied clients are updated, the profile will not be overwritten in the Secars cache.

System hangs after new virus definitions arrive and the AutoProtect Option "Rescan the Cache when new definitions load" is enabled
Fix ID: 1859398
Symptom: System hangs after new virus definitions arrive and the AutoProtect Option "Rescan the Cache when new definitions load" is enabled
Solution: AutoProtect Rescan synchronization has been fixed

After upgrading to Symantec Endpoint Protection 11.0 RU5, web traffic is blocked
Fix ID: 1863574
Symptom: Web traffic is blocked after migrating from some earlier versions of Symantec Endpoint Protection to Symantec Endpoint Protection 11.0 RU5. When the firewall is installed, and a migration to RU5 is performed, the 'Allow all' firewall rule is disabled.
Solution: In RU6, the 'Allow all' firewall rule is preserved during a migration, preventing this from happening.

"PTP definitions are out of date" error if Client for Microsoft Windows is not installed or the computer is not connected to any network
Fix ID: 1864090
Symptom: If PTP is enabled, and Client for Microsoft Windows is not installed, or the computer is not connected to any network, an error message is displayed. Symantec Endpoint Protection will display an error message "PTP definitions are out of date" every time it tries to scan, and a TruScan engine load error will be logged.
Solution: This was occurring because the list of logged on users was empty. Added checks to ensure the list of users is not empty before processing.

False positive detection when using NTP Anti-MAC spoofing feature
Fix ID: 1864844
Symptom: With NTP anti-MAC spoofing enabled on newer versions of Windows, a false-positive detection periodically blocks the gateway. This interrupts Internet/WAN connectivity for clients.
Solution: Correctly translate the 64-bit time format, which was causing the issue.

Application and Device Control disables the PCMCIA controller
Fix ID: 1866316
Symptom: Application and Device Control incorrectly blocks the PCMCIA controller.
Solution: Changes made to correct behavior and to not block the controller.

Occasional blue screen error on Vista and Windows 7
Fix ID: 1868542
Symptom: Computer experiences a blue screen error because wininit.exe terminated abnormally on Vista or Windows 7.
Solution: Changes made to prevent the blue screen from occurring, and to minimize the number of hooks into system threads.

Symantec Endpoint Protection client install failure when Regional settings are set to Hindi
Fix ID: 1869837
Symptom: Symantec Endpoint Protection MR4MP2 and RU5 clients fail to install when Regional settings are set to Hindi.
Solution: When the user locale is set to the 'unicode-only' locale, user preferences were not being loaded. In this case, the product now reverts to the default locale.

Scanning a Read-Only file changed the file's Update Sequence Number (USN) in Windows Change Journal
Fix ID: 1870333
Symptom: Backup software which relies on USN might believe the Read-Only file had been modified by the scan, and an unnecessary backup of the unchanged file could be initiated
Solution: The fix prevents USN updates by modifying the Read-Only attribute code to only run when threats are detected in a container and modifications to repair or delete are requested

Product.Inventory.LiveUpdate file is not updated to reflect a location aware LU policy
Fix ID: 1874812
Symptom: When configured to download from the Symantec public LiveUpdate servers, location aware LiveUpdate policies download content from Symantec Endpoint Protection Manager instead.
Solution: When location switches or the profile is updated, the product.inventory.liveupdate file is also updated.

Disabling PTP from the tray icon will disable both PTP and OSP, but enabling PTP again will only enable PTP
Fix ID: 1879074
Symptom: Disabling PTP from the Systray icon will disable both PTP and OSP, but enabling PTP from the Systray icon only enables PTP.
Solution: Modified code to enable OSP when PTP is enabled from the Systray.

Discrepancies between report data and exported file data
Fix ID: 1879236
Symptom: When running the Symantec Endpoint Protection Manager Monitors > Scan > Logs > (Scan) or (Computer Status) reports, there are discrepancies between the UI figures and the figures shown in an exported file. This happens when using the time range "Past month" or "Current month".
Solution: Corrected SQL statements. The report is based on the same query as the export data function.

Network disconnect is experienced during migration
Fix ID: 1880118
Symptom: Network connection drops momentarily during some upgrades to RU5.
Solution: Delay the reinstallation of Teefer2 driver until after a reboot has occurred.

Mount Manager synchronization issue
Fix ID: 1880152
Symptom: Long time delay when mounting Ibrix file systems.
Solution: Code changes to check Mount Manager remote database semaphore status before calling Mount Manager.

Failed to mount quorum drive if SMC is running
Fix ID: 1880952
Symptom: Cluster Service doesn't work when Symantec Endpoint Protection client is running.
Solution: Code modifications to cleanup a handle leak when closing volumes.

Installation process appears to hang during LiveUpdate session
Fix ID: 1884202
Symptom: A client LiveUpdate session takes a long time to complete. The problem is more prevalent on Vista
Solution: Code changes to optimize a search by LiveUpdate for its configuration file

Script errors in the Symantec Endpoint Protection Manager remote console reports
Fix ID: 1886239
Symptom: Script errors sometimes appear when choosing start/end date of reports via the Symantec Endpoint Protection Manager remote console
Solution: Altered function naming to avoid naming conflicts that were causing the errors.

Long delay in opening large remote PowerPoint files when AutoProtect option Network Cache is enabled
Fix ID: 1886240
Symptom: Opening large files on a remote drive takes a long time
Solution: AutoProtect network file cache fixed

Incorrect LiveUpdate URL parsing
Fix ID: 1887520
Symptom: Symantec Endpoint Protection client writes an incorrect LU settings file when the LiveUpdate policy contains an HTTPS internal LU
Solution: Correctly set the protocol flag when using HTTPS URLs.

Outlook problems with attachments containing non-ASCII letters in the filename
Fix ID: 1892029
Symptom: In some specific cases, when being saved from an email in Outlook, file attachments with special characters in the filename were saved with a size of zero bytes
Solution: Added additional handling for files with special characters in their filename


Symantec Endpoint Protection Manager configuration wizard fails to install the database
Fix ID: 1892075
Symptom: When installing Symantec Endpoint Protection Manager on Windows operating systems supporting IPv6, in some situations the installation can hang while initializing the database.
Solution: Reduce the number of getLocalHost() calls during the installation by saving the local IP value after the first call. This prevents a scenario where the database connection can time-out while getLocalHost() is called.


System Lockdown policy is not enforced unless applied twice
Fix ID: 1893435
Symptom: When System Lockdown is enabled on Symantec Endpoint Protection clients where there is no active Application Device Control policy, System Lockdown will not be enforced.
Solution: The policy will now be processed regardless of the status of Application Device Control.


GUP content update fails when the data folder is customized
Fix ID: 1893500
Symptom: The Sylink log shows "HTTP 500 internal error" when making requests with action code 310.
Solution: Instead of using the installation path, use the data folder path to publish GUP files to the correct folder.


SQL Error 1204 (cannot obtain a LOCK resource) and deadlocks observed
Fix ID: 1893574
Symptom: SQL Error 1204 and deadlocks on different transactions caused by an accumulation of LiveUpdate content in the database.
Solution: Database sweep task to clear LU content has been modified to commit changes in a smaller transaction to reduce resource consumption.



Some Symantec Endpoint Protection clients are showing multiple policies in Symantec Endpoint Protection Manager
Fix ID: 1895247
Symptom: Some Symantec Endpoint Protection clients are showing multiple policies in Symantec Endpoint Protection Manager.
Solution: Modifications made to purge out old client policies from Symantec Endpoint Protection Manager.

Replication failure notification contains additional information
Fix ID: 1896975
Symptom: When replication failure notification is enabled, events unrelated to replication are included in the notification.
Solution: Modified the notification code to include only replication related information in notifications


GUPs are deleted during the AgentSweepTask
Fix ID: 1897850
Symptom: After configuring a system as a GUP, the client entry will be removed after the Agent Sweep Task interval (default = 30 days)
Solution: Have the client report a full OpState in a defined interval (default = 24 hours)


Location switching not working on Windows 7 and Vista, when criteria is based on Wireless SSID
Fix ID: 1900965
Symptom: Symantec Endpoint Protection clients installed on Windows 7 and Vista operating systems will not switch locations when their criteria is based on Wireless SSID. Once the client connects to the SSID it will not switch to the appropriate location.
Solution: Modified the function calls used to obtain Wireless SSIDs.


Login stalls when running Symantec Endpoint Protection
Fix ID: 1902263
Symptom: Login may take several minutes and may never complete
Solution: Fixed a synchronization issue in Tamper Protection

Simultaneous LU runs are disallowed
Fix ID: 1903409
Symptom: Only one WLU client instance can download files from a server via UNC at one time
Solution: Set the read handle as "shareable" on the server, allowing each WLU client to connect and pull files from the server

Replication failure during data aggregation
Fix ID: 1903766
Symptom: Replication failure with message "Value of Column 'CLIENT_ID' not found" during data aggregation.
Solution: Corrected the handling of "\r\n" in the client description field.

Adding a new Symantec Endpoint Protection Manager site does not update sylink.xml for clients
Fix ID: 1907898
Symptom: When adding a new Symantec Endpoint Protection Manager to an existing site, the default Management Server List (MSL) is updated but these changes are not propagated down to clients
Solution: Code changes to save the site ID in the "My ID" list


Database replication sites have inconsistent data
Fix ID: 1912561
Symptom: Despite reporting successful replication, database sites show different data for client status etc
Solution: Added cache cleanup code prior to starting a replication job. This will ensure replication occurs with complete and accurate data.


Clients continue to request the same data from their manager
Fix ID: 1912811
Symptom: In some situations, Symantec Endpoint Protection clients randomly re-request the same content downloads repeatedly. This can cause network congestion.
Solution: Path information in the xdelta packages was interfering with client processing in some cases, leading to multiple download requests from the server. Code changes made to correctly process path information in xdelta packages.

Custom message gets truncated in Application and Device Control notification when a user enters max characters in user notification
Fix ID: 1913040
Symptom: Balloon tips on Windows have a maximum of 255 characters, and truncation would occur as necessary.
Solution: Added information on this limitation to the help documentation.


Servers show as "Offline" when replication takes more than 20 minutes
Fix ID: 1917123
Symptom: The server of a replication partner shows offline when the server's last checkpoint time is more than 20 minutes.
Solution: Changed the code to prevent this edge-case scenario from occurring. Servers will not show as 'Offline' during a long replication task.



Symantec Endpoint Protection clients unable to connect to the network
Fix ID: 1935654
Symptom: Clients lose connectivity to the network; stopping and starting the SMC service restores connectivity.
Solution: Generation of corrupt policy files was causing this issue. Code changes in Symantec Endpoint Protection Manager to restrict the number of processes writing to policy files simultaneously. This prevents the policy corruption from occurring


Symantec Endpoint Protection Manager console doesn't show latest IPS signatures in exception list.
Fix ID: 1943923
Symptom: If Symantec Endpoint Protection Manager has 2010 IPS content along with 2009 IPS content, the Symantec Endpoint Protection Manager console doesn't show 2010 IPS signatures in the Exception list.
Solution: Used numerical comparison of sequence number instead of string comparison to find the latest sequence number.


SRTSPL64.SYS crashes on Windows 2008 Server
Fix ID: 1949035
Symptom: BugCheck 50, PAGE_FAULT_IN_NONPAGED_AREA, in SRTSPL64.SYS
Solution: Fixed resource cleanup issues

High CPU use on Symantec Endpoint Protection clients
Fix ID: 1954276
Symptom: High CPU usage, Sysfer crash and possibly other unpredictable behavior related to Sysplant driver
Solution: Sysplant driver was failing to detach from the target process, causing an exception. Code changes made to correctly detach from target processes in all situations.

Excel hangs when opening encrypted spreadsheet when running Hibun
Fix ID: 1968574
Symptom: Excel hangs when the Hibun network file encryption feature is enabled and encrypted files are opened with Excel 2007
Solution: Update to AutoProtect to work around this error condition in the Hibun filter

Symantec Network Access Control Client is randomly disconnected
Fix ID: 1835054
Symptom: Symantec Network Access Control client is disconnected randomly with error message "WRONG GUID HI UNAVAILABLE" and the client is moved to a quarantine area
Solution: A client UID issue was resolved


Network Access Control Client Enforcement Agent fixes

Laptops are placed into remediation when the system is docked
Fix ID: 1955531
Symptom: Resuming from standby, docked laptops connected to an IP phone remain in Quarantine VLAN until user manually initiates a re-authentication.
Solution: Authentication is sent when resuming from standby when transparent mode is enabled.

High memory usage while using TLS authentication
Fix ID: 1953133
Symptom: High memory usage by svchost, winlogon, etc. while using TLS authentication, even if Symantec Network Access Control is not enabled.
Solution: Fixed process and token leak in Symantec RasMan plug-in.

HI policy utility: Run a Script creates 0 byte TMP files
Fix ID: 1828787
Symptom: After applying a HI policy to "Run a program" or "Run a script", the Windows temp folder is populated with multiple ~Ex\d{3.EN_US}.TMP files each time the client executes the Host Integrity policy.
Solution: Temporary TMP files are deleted after the program or script is run from the Windows temp directory.

Symantec Network Access Control client does not detect definitions for Norton Internet Security 2009 on 64-bit operating systems
Fix ID: 1876489
Symptom: HI cannot detect Norton Internet Security 2009 status (e.g. signature date, AS running status, etc.) on 64-bit operating systems.
Solution: On 64-bit operating systems, corrected the HI check to properly detect Norton Internet Security 2009.

IAS authentication issue caused by Symantec RasMan plug-in
Fix ID: 1862222
Symptom: When Symantec RasMan plug-in is loaded by multiple processes, the plug-in will crash or consume 100% of the CPU.
Solution: Improved synchronization of Symantec RasMan plug-in when loaded by multiple processes.

Symantec Network Access Control client does not get Production IP when HI status changes to pass
Fix ID: 1861128
Symptom: When Enforcer failover occurs and HI status is changed, the client IP will not change to Quarantine IP until DHCP lease time expires.
Solution: Symantec Network Access Control client will update the HI result change with the Enforcer during next communication to renew current DHCP lease.


Enforcer fixes

When HI fails, client cannot get URL of .pac from quarantine
Fix ID: 1831801
Symptom: When HI check fails, a client in quarantine is unable to access the .pac file (configurable script for IE proxy settings).
Solution: Added missing user-class option to INFORM packets.

On-Demand module on enforcer does not connect to the policy manager
Fix ID: 1838662
Symptom: The On-Demand module on the Enforcer does not connect to the policy manager because the encryption module fails to initialize.
Solution: Fixed initialization errors in encryption module.

Clients are resent to Quarantine IP until boot process has completed
Fix ID: 1828894
Symptom: During boot up, clients are being resent to the Quarantine server until the boot process completes.
Solution: Delay sending 39999 after forwarding the ACK packet to the client, and perform additional checks to send the DHCP packet to the normal server.

Clients are switched to quarantine after lease time expires
Fix ID: 1889503
Symptom: DHCP inform packets interrupt lease status causing clients to switch to Quarantine IP after lease time expires.
Solution: Inform packets will trigger a 39999 force-renew on agent to trigger client renew request.

Failover Enforcers become active/active
Fix ID: 1890869
Symptom: Enforcers become active/active at the same time, which may cause an ARP broadcast storm.
Solution: Changed to use Enforcer start time (GMT) instead of up time to determine mastership.

Enforcer kernel panic when trunking is enabled
Fix ID: 1940369
Symptom: An Enforcer kernel panic occurs when trunking is enabled and a client attempts to authenticate.
Solution: Improved memory checking to avoid Enforcer kernel panic.

HI configurations file corruption seen in Security Log
Fix ID: 1739980
Symptom: Two HI engines are running HI checks at the same time causing HI result to report as corrupted.
Solution: Added restrictions to allow only one HI engine to run at once.


Symantec Network Access Control DHCP Plug-in fixes

After install of OnDemand client, client is not communicating with Plug-in Enforcer
Fix ID: 1920822
Symptom: Plug-in Enforcer does not initiate an authentication session when it receives DISCOVER packet
Solution: Initiate authentication session for DISCOVER packet.

Symantec NAP client will be sent to Quarantine VLAN even when HI passes
Fix ID: 1833474
Symptom: When an administrator logs off the system, Symantec NAP client will be sent to quarantine VLAN even if HI passes.
Solution: Corrected 'Run As' permission for a Symantec Enforcer module.

Wireless access points are being rejected by Integrated DHCP enforcer
Fix ID: 1903745
Symptom: If 'Allow All' mode is used with trusted vendor or MAC, 'rejected' logs will show up even if the trusted devices have the correct/normal IP address.
Solution: Clients are checked against the trust vendor and MAC list before setting "Allow All" tag.

"Symantec Agent is not running or running an incompatible version" error on Symantec Network Access Control client
Fix ID: 1787373
Symptom: "Symantec Agent is not running or running an incompatible version" error on Symantec Network Access Control client when Symantec Network Access Control service is delayed during startup.
Solution: Moved the Symantec Network Access Control service to earlier startup sequence.

 

Release Update 5 (RU5)

What's new in this version
The current release includes the following improvements that make Symantec Endpoint Protection and Symantec Network Access Control easier and more efficient to use.

Symantec Endpoint Protection Manager now supports the following operating systems:

    • Microsoft Windows Server 2008 Service Pack 2 (all editions except for Itanium)
    • Microsoft Windows Server 2008 R2 (all editions except for Itanium)

Symantec Endpoint Protection Manager can now be used with Microsoft SQL Server 2008.

The Symantec Endpoint Protection or Symantec Network Access Control client now supports:
    • Microsoft Windows 7 (all editions except for Itanium)
    • Microsoft Windows Server 2008 R2 (all editions except for Itanium)
    • Microsoft Windows Vista Service Pack 2

The size of the client upgrade package used for auto-upgrading has been significantly reduced.
This reduces the amount of traffic that is sent to the clients when you auto-upgrade them. The auto-upgrade process is faster and conserves network bandwidth.

You can configure the following features for the Group Update Provider:
    • Limit the amount of bandwidth that the Group Update Provider can use when the Group Update Provider downloads content from the management server.
    • You can define a Group Update Provider by using rules and conditions, such as an IP address or host name. You can configure a single Group Update Provider in a single LiveUpdate Policy that applies across multiple groups for multiple clients.
    • Define clients to connect to a Group Update Provider within the same site to improve performance.
    • Identify which clients act as Group Update Providers.

The client now includes a Download Support Tool command on the Help and Support menu.
    • Users on the client can download a support tool from the Support Web site that helps to diagnose the common issues that they might encounter on the client.

Symantec Network Access Control includes the following enhancements:
    • New Host Integrity templates support Altiris 7, BigFix Enterprise Suite, and new versions of additional third-party products.
    • End users with a valid RADIUS logon but a computer with no client installed can be blocked from your company's network.
    • You can configure when the command-line interface on the Enforcer times out.


Components included in this version
 
Component                          Version
Symantec Endpoint Protection       11.0.5002
Symantec Network Access Control    11.0.5002
Auto-Protect                       10.3.0.15
Avengine                           20081.1.1
Behavior Blocking                  3.3.0.015
ccEraser                           2007.0.1.6
COH                                6.1.9.44
Common Client                      106.5.0.10
DecABI                             1.2.5.130
Defutils                           4.1.1
ECOM                               81.3.0.13
VxMS (MS Light)                    5.2.0.4
LiveUpdate                         3.3.0.92
LiveUpdateAdmin                    2.2.1.16
Microdefs                          2.7.0.13
QServer                            3.6.20
WpsHelper                          12.0.1.41
SyKnAppS                           3.0.3.3
SymEvent                           12.8.0.11
SymNetDrv                          7.2.5.9
Teefer2                            11.0.5

Product fixes by category

Symantec Endpoint Protection Antivirus and Antispyware
This section describes the customer fixes for Antivirus and Antispyware since the release of MR4 MP2 (11.0.4.4200).

Under the guest account, Symantec Endpoint Protection clients report multiple warnings
Fix ID: 1128048
Symptom: Under the guest account, Symantec Endpoint Protection clients report that Antivirus and Antispyware Protection does not function correctly.
Solution: Corrected status query to accommodate guest (minimal) privileges.

Updated hardware key due to MAC address change causes Symantec Endpoint Protection client re-registration with Symantec Endpoint Protection Manager
Fix ID: 1397560
Symptom: Multiple entries for Symantec Endpoint Protection clients on the console, duplicate hardware keys for different clients, and multiple clients that share the same hardware key.
Solution: The algorithm to create the hardware key was changed so the hardware key should not change with minor hardware changes, such as the disabling of NICs.

Smcgui.exe crashes for a Restricted user
Fix ID: 1528962
Symptom: Smcgui.exe crashes when logging on as a Restricted user.
Solution: Improved object handling.

Location awareness only works when the Primary DNS suffix matches the condition
Fix ID: 1529689
Symptom: On Windows 2000, Location Awareness fails to switch when configured on a specified network interface.
Solution: Change to Location Awareness.

TPM Device not displayed in the Symantec Endpoint Protection Manager
Fix ID: 1536046
Symptom: The Symantec Endpoint Protection client was not able to correctly identify the TPM chip vendor.
Solution: Changed the client to handle failures better when attempting to retrieve the TPM chip vendor information.

Decomposer version is blank in the Symantec Endpoint Protection client user interface
Fix ID: 1540746
Symptom: Under Help and Support, the Decomposer version is blank.
Solution: Corrected the location to retrieve the Decomposer version.

Unable to disable the "Threats were detected while you were logged out" message
Fix ID: 1542336
Symptom: With all notifications disabled, if a virus is discovered as part of a scheduled scan while the user is logged out, the user is notified that threats were discovered when the user logs in.
Solution: Added an option to toggle the client-side notification of the message.

Smcgui.exe unexpectedly takes foreground focus
Fix ID: 1558158
Symptom: On Windows XP embedded computers, Smcgui.exe unexpectedly takes foreground focus.
Solution: Changed Smcgui.exe to not take foreground focus in invisible mode.

The Symantec Endpoint Protection client fails heartbeat with Error Code=87;AH or Error Code=0;AH
Fix ID: 1603851
Symptom: With a large number of IP addresses configured on the Symantec Endpoint Protection client, the registration information exceeds size limitations and the client is not able to register with the server.
Solution: Set a limit of 16 IP addresses on the client.

64-bit Symantec Endpoint Protection clients do not pass Host Integrity check
Fix ID: 1651293
Symptom: 64-bit Symantec Endpoint Protection clients connecting through Juniper VPN are blocked by the Juniper Host Checker because the Juniper Host Checker does not recognize that the client successfully passed the Host Integrity check.
Solution: Corrected the location where Host Integrity results are read.

Scheduled LiveUpdate does not run at random times as expected
Fix ID: 1651364
Symptom: Scheduled LiveUpdate does not run at random times as expected.
Solution: Fixed the algorithm that randomizes the start times.

Scheduled LiveUpdate still launches LuAll.exe although the "Use a LiveUpdate Server" option is unchecked
Fix ID: 1652473
Symptom: After migration, LiveUpdate still uses LuAll.exe to download content from an internal or external LU server, regardless of whether the Use a LiveUpdate Server option is checked.
Solution: Scheduled LiveUpdate settings are cleared and the Symantec Endpoint Protection client uses the LiveUpdate policy from the Symantec Endpoint Protection Manager.

Log forwarding settings for Scan Aborted, Scan Started, and Scan Stopped do not work properly
Fix ID: 1664764
Symptom: Regardless of the log forwarding setting in Symantec Endpoint Protection Manager, the Symantec Endpoint Protection clients always forward the Scan aborted, Scan started, and Scan stopped logs.
Solution: Corrected the log forwarding to not always forward Scan logs.

Eraser Engine displays Version 0.0
Fix ID: 1668299
Symptom: The Protection Content Versions report and Help show clients' Eraser Engine version as 0.0.
Solution: Removed the dependency on Proactive Threat Protection content to be present while Eraser Engine version is calculated.

LiveUpdate tries to contact external LiveUpdate Servers despite policy setting
Fix ID: 1678207
Symptom: The Use a LiveUpdate Server setting is not honored, which causes Symantec Endpoint Protection clients to download content from external LiveUpdate servers.
Solution: The Use a LiveUpdate Server setting is checked before attempting to download content.

A Group Update Provider leaves TCP connections in the CLOSE_WAIT state, preventing Symantec Endpoint Protection clients from updating
Fix ID: 1679515
Symptom: With limited concurrent download connections configured, TCP connections can be exhausted if Symantec Endpoint Protection clients do not terminate sessions cleanly.
Solution: Architectural changes were made to the Group Update Provider to handle clients that do not terminate sessions cleanly.

Remediation options for Email Auto-Protect are grayed out in the Symantec Endpoint Protection client
Fix ID: 1704540
Symptom: The Remediation options for Email Auto-Protect are visible and grayed out on the Symantec Endpoint Protection client, but do not appear in the Symantec Endpoint Protection Manager.
Solution: The Remediation options for Email Auto-Protect are not configurable and have been removed.

Smcgui.exe crashes on Windows 2000 when users are logged in as Guest account
Fix ID: 1729073
Symptom: Smcgui.exe crashes on Windows 2000 when users are logged in as Guest account.
Solution: Enhanced error handling in Smcgui.exe on Windows 2000.

Location awareness switches based on "Primary DNS Suffix" provided by domain controller
Fix ID: 1732720
Symptom: Location awareness switches based on the Primary DNS Suffix provided by the domain controller.
Solution: Location awareness switching by DNSSuffix will only switch through the Connection-specific DNS suffix provided by DHCP.

SMC.exe uses entire CPU core and client/manager communication fails after migrating or installing the Symantec Endpoint Protection client
Fix ID: 174134
Symptom: After upgrading a Symantec Endpoint Protection client, communication with the Symantec Endpoint Protection Manager fails because the default gateway is not in the same subnet.
Solution: Enhanced the process to find the best route to the server after the gateway IP address changes.

Symantec Endpoint Protection client user interface has inconsistent behavior when restoring items displayed in Quarantine
Fix ID: 1783193
Symptom: The Restore and Delete buttons remain grayed out in the client View Quarantine windows when certain items are selected, but are available in the right-click context menu.
Solution: Made the behavior consistent between the Quarantine view and the right-click context menu.

Symantec Endpoint Protection clients cannot update antivirus definitions from the Symantec Endpoint Protection Manager
Fix ID: 1543985
Symptom: Symantec Endpoint Protection clients cannot update antivirus definitions from the Symantec Endpoint Protection Manager.
Solution: Added a dependency relationship for SMC service and System Event Notification service at startup.

MSI Repair function reverts the Symantec Endpoint Protection Manager/IIS port to 8014 from non-default
Fix ID: 1601640
Symptom: MSI repair causes the Symantec Web server port to revert to the default value.
Solution: Added a custom Web site port setting to the conf.properties file during a repair install.

Symantec Endpoint Protection client upgrade warnings are inconsistent
Fix ID: 1638457
Symptom: Symantec Endpoint Protection client upgrade warnings on 64-bit upgrades are inconsistent with 32-bit upgrade warnings.
Solution: Changed the 64-bit upgrade warnings to be consistent with the 32-bit upgrade warnings.

Symantec Endpoint Protection Manager Home page shows the virus definition date as 1/1/1970
Fix ID: 1391394
Symptom: On a clean Symantec Endpoint Protection Manager installation before running LiveUpdate, the Symantec Endpoint Protection client virus definition date shows as 1/1/1970 on the console Home page.
Solution: The client virus definition date is properly initialized.

RTVScan.exe does not release memory until after the scan completes
Fix ID: 1427192
Symptom: When very large containers are scanned, memory continues to grow until the scan completes.
Solution: Memory usage is reduced by not storing unnecessary data during the scan.

Outlook Auto-Protect has problems with attachments containing non-ASCII letters in the file name
Fix ID: 1529690
Symptom: Attachments with non-ASCII characters cannot be opened.
Solution: Added functionality to retrieve the UNICODE file name attribute to correctly create the target file name.

Microsoft Word files are deleted as soon as they are opened on a local partition
Fix ID: 1536936
Symptom: Microsoft Word files are deleted as soon as they are opened on a local partition.
Solution: Auto-Protect was modified to do non-buffered I/O on NTFS file system.

Crash occurs during process termination with bug check 8E
Fix ID: 1545269
Symptom: System crashes during process termination with bug check 8E.
Solution: Auto-Protect was changed to better handle scans during process termination.

An application fault occurs in RTVScan.exe due to corrupted data in the registry
Fix ID: 1592186
Symptom: An application fault in RTVScan.exe occurs when it attempts to read an unexpected date value in the registry for a scheduled scan.
Solution: Checks were added to validate the date value.

Administrator scheduled scans are not running at specified times
Fix ID: 1594128
Symptom: With missed events disabled, scheduled scans are not correctly flagged as missed events.
Solution: Enhanced missed event detection to account for the user environment when detecting missed events.

Users suddenly cannot access shared files with Auto-Protect enabled
Fix ID: 1594214
Symptom: Users suddenly cannot access shared files with Auto-Protect enabled.
Solution: Enhanced Auto-Protect to better handle client file accesses to a server.

Symantec Endpoint Protection crashes in RTVscan when performing multi-threaded scan
Fix ID: 1639778
Symptom: An application crash occurs in RTVscan when run with multi-threaded or hyper-threaded options enabled.
Solution: Additional checks were added to prevent an application crash.

Symantec Endpoint Protection does not detect eicar.com when it is downloaded using Google Chrome
Fix ID: 1673766
Symptom: Using Chrome, threats are downloaded without detections while using selected file extension settings in Auto-Protect.
Solution: Added the .TMP and .PART extensions (for Firefox) to the default extension list for Auto-Protect.

Auto-Protect does not detect threats that are copied to a network share or a mapped network drive on Windows 2003 or 2008 Server
Fix ID: 1675715
Symptom: Auto-Protect does not detect threats that are copied to a network share or a mapped network drive on Windows 2003 or 2008 Server.
Solution: Enhanced Auto-Protect to better handle client file accesses to a network share or a mapped network drive.

Crash on Windows Vista with bug check 7f
Fix ID: 1738584
Symptom: Crash on Windows Vista with bug check 7f.
Solution: On Windows Vista, enhanced Auto-Protect to better handle situations of low kernel stack memory.

Coh32.exe has an application error with the message "The instruction at '0x044be849' referenced memory at '0x000000000'"
Fix ID: 1744359
Symptom: On Windows 2000, when running a process from a mapped drive, the Windows system cannot determine the mapped drive and causes a crash in COH32.
Solution: Additional checks were added to better handle this situation.

Symantec Endpoint Protection Email Auto-Protect does not work properly when using Secure POP3 (POP3S) port 995
Fix ID: 1509203
Symptom: Symantec Endpoint Protection Email Auto-Protect does not work properly when using POP3S port 995. The Symantec Endpoint Protection email proxy modifies SSL v2 Client Hello, preventing POP3S SSL mail connections in some cases.
Solution: Fixed the email proxy to not modify SSL v2 Client Hello.


Symantec Endpoint Protection Firewall
This section describes the customer fixes for the firewall since the release of MR4 MP2 (11.0.4.4200).

Firewall does not block traffic to or from Juniper SA Network Connect virtual NIC
Fix ID: 1262087
Symptom: Juniper SA Network Connect virtual NIC does not specify a media type, causing Teefer2 to not bind to the adapter.
Solution: Added Juniper SA Network Connect virtual NIC media type to Teefer2.

With NICs that use a TCP offload engine, Symantec Endpoint Protection with Network Threat Protection enabled causes networking problems, such as connection failures and performance degradation
Fix ID: 1389258
Symptom: Teefer2 causes packet loss with TCP/UDP checksum offload by not preserving checksum data.
Solution: Corrected Teefer2 to preserve checksum data.

DNS resolution fails while connected via Microsoft VPN
Fix ID: 1442277
Symptom: Teefer2 causes packet loss with TCP/UDP checksum offload by not preserving checksum data.
Solution: Corrected Teefer2 to preserve checksum data.

System crashes with STOP 7E during Symantec Endpoint Protection client installation
Fix ID: 1532340
Symptom: When Teefer2 is loaded, it accesses a list of system modules. When these system modules are changed while Teefer2 is processing them, the system crashes.
Solution: Improved handling of the system data.

Last Download Time shows an erroneous date
Fix ID: 1538048
Symptom: The "Last Download Time" that is uploaded from the Symantec Endpoint Protection client side is incorrect.
Solution: The client's Last Download Time is properly initialized.

Firewall rule unable to block application with use of DNS Host or DNS Domain types in Host Groups
Fix ID: 1540750
Symptom: When configuring the Host Group to use a DNS host name or DNS domain, the rule does not block traffic.
Solution: Additional checks were added to identify the correct IP address to use when sending RDNS packets.

Crash in sysplant.sys caused by stale data
Fix ID: 1541319
Symptom: A crash occurs when Sysplant attempts to access stale internal data.
Solution: Fixed Sysplant to properly identify and not store stale internal data.

Disabling the Browse files and printers on the network option through Network Threat Protection has no effect
Fix ID: 1543964
Symptom: When a user disables "Browse files and printers on the network" and "Share my files and printers with others on the network" under Network Threat Protection options, the user is still able to access and share folders.
Solution: A missing default file rule was added to the policy file.

With a dial-up adapter, firewall rules are not applied while using Internet Explorer
Fix ID: 1544028
Symptom: With a dial-up adapter, network traffic is tunneled through WANARP instead of the correct application, Internet Explorer.
Solution: Fixed to identify the correct application.

The Symantec Endpoint Protection client is unable to maintain a network connection through the 802.1x enforcement after the Cisco VPN client 3.6.6 dials up
Fix ID: 1544442
Symptom: With Cisco VPN clients, EAP packets are being blocked by Network Threat Protection.
Solution: Modified Network Threat Protection to only block EAP packets when 802.1x authentication mode is set to a 3rd party supplicant.

Sysplant prevents Cygwin compiler from building code
Fix ID: 1556624
Symptom: Cygwin cannot compile source code if Symantec Endpoint Protection is installed with Application and Device Control enabled.
Solution: Resolved a conflict between the Symantec Endpoint Protection client and Cygwin.

Clients report Denial of Service attack (IP Fragmentation overlap) when no overlap is occurring
Fix ID: 1586674
Symptom: When connected over a VPN, a false positive Denial of Service detection (IP fragmentation overlap) causes the Web site to be blocked for 10 minutes.
Solution: Corrected how the last IP fragmentation packet is identified to properly calculate the packet length.

Host integrity configuration file is corrupted on Windows Vista
Fix ID: 1587248
Symptom: On Windows Vista, Application and Device Control causes Host Integrity checks to fail with errors in the security log, indicating that the Host Integrity configuration file is corrupt.
Solution: Application and Device Control was corrected to allow Host Integrity checks to succeed.

Sysplant causes CosmoCall Agent software to crash
Fix ID: 1592206
Symptom: With Application and Device Control installed, CosmoCall Universe 4.5 software does not launch and returns the error message "CosmoCall Universe 4.5 has encountered a problem and needs to close."
Solution: Corrected compatibility issue with CosmoCall Universe.

On Windows Vista, Application and Device Control is not able to log DLL injection attempts to IExplorer.exe
Fix ID: 1653904
Symptom: A client with an Application and Device Control policy to block DLL injections blocks successfully, but does not display a notification or add an entry to the logs.
Solution: Both a notification and log entry are successfully created.

System Lockdown exclusions are not honored, which causes strange characters in file path
Fix ID: 1677455
Symptom: System Lockdown exclusions are not honored, which causes strange characters to appear in file paths, as seen in "Unapproved Applications Only" logs.
Solution: Changed how the file path is obtained to avoid strange characters.

Symantec Endpoint Protection detects Jolt2 DoS attack when Altiris agent sends large amounts of ICMP packets to the Altiris server
Fix ID: 1677459
Symptom: Symantec Endpoint Protection detects a Jolt2 DoS attack when the Altiris agent sends large amounts of ICMP packets to the Altiris server.
Solution: Symantec Endpoint Protection clients will not detect a Jolt2 DoS attack on systems patched with the corresponding Microsoft update.

A crash caused by sysplant.sys, bug check 1000008E occurs
Fix ID: 1723596
Symptom: A crash caused by sysplant.sys, bug check 1000008E occurs.
Solution: Enhanced Sysplant to better handle exceptions.


Symantec Endpoint Protection Manager
This section describes the customer fixes for Symantec Endpoint Protection Manager since the release of MR4 MP2 (11.0.4.4200).

The Symantec Endpoint Protection Manager cannot use registry key (default) as a file path in a Host Integrity check
Fix ID: 1543123
Symptom: The user interface does not allow the use of the registry key (default) as a file path for a Host Integrity check.
Solution: Removed restriction that disallows the use of registry key (default).

Policy settings never update after creating a new management server list using specific Japanese strings
Fix ID: 1739908
Symptom: Policy settings never update after creating a new management server list using specific Japanese strings.
Solution: Enhanced Enforcer parser.

Home, Monitors, and Reports pages are blank on the remote console after updating Java to version 1.6 Update 11
Fix ID: 1473464
Symptom: When using a remote console, some Symantec Endpoint Protection Manager pages are blank after updating to Java 1.6 update 11.
Solution: Upgraded the version of Java Desktop Integration Components (JDIC).

Windows 2008 is identified as Vista in scm-server logs
Fix ID: 1503238
Symptom: Windows 2008 is identified as Vista in server logs.
Solution: Updated the Java version.

Replication error - violation of PRIMARY KEY constraint 'PK_SEM_COMPUTER' occurs
Fix ID: 1534861
Symptom: Replication fails with the error "Violation of PRIMARY KEY constraint 'PK_SEM_COMPUTER'."
Solution: Synchronized replication merging process, so that only one replication merging process is run at a time.

User Account Control prompt on Windows 2008 Server or Vista when using a remote console does not reflect the status of UAC
Fix ID: 1536901
Symptom: When opening the remote console for Symantec Endpoint Protection Manager on Windows 2008 Server or Vista, the user is prompted to disable UAC when UAC is already disabled.
Solution: The user prompt was changed.

IPS Exclusions do not work for DNS host and DNS Domain used with Host Groups
Fix ID: 1538126
Symptom: After creating Host Groups with DNS host and DNS domain, selecting the associated Host Groups to create IPS Host Exclusions does not work.
Solution: Defining the host by MAC address, DNS host, and DNS domain is not supported. A message was added to warn the user.

Saved filter converts commas to "*2C"
Fix ID: 1538175
Symptom: In reporting saved filters, commas are converted to "*2C".
Solution: When loading saved filters from the database, commas are no longer converted.

Replication occurs over a proxy server if a LiveUpdate proxy is defined
Fix ID: 1538199
Symptom: If a LiveUpdate proxy is defined, replication is attempted over the proxy server and fails.
Solution: Changed replication to use a connection-wise proxy setting instead of setting a system property.

New Software Package notification email contains multiple redundant lines
Fix ID: 1539834
Symptom: When a user creates notifications for new software downloads, the email contains duplicate descriptions over a period of time.
Solution: Corrected the SQL query and updated the email format to include the time, the download description, and which server downloaded the content.

A broken link appears in the dbvalidator.log
Fix ID: 1543995
Symptom: A broken link appears in the dbvalidator.log.
Solution: Added a verification to check whether the policy is in use.

User is prompted to change Administrator password at Reporting logon when set to never expire
Fix ID: 1545139
Symptom: Although the Symantec Endpoint Protection Manager Administrator's password is set as "Password never expires," the user is prompted to change the password after 60 days.
Solution: Corrected the configuration to not request password change when set to never expire.

Negative number appears in Detection Action Summary report
Fix ID: 1555834
Symptom: The Detection Action Summary report displays negative numbers due to mismatched database records.
Solution: Corrected the data parsing to avoid mismatched database records.

French localized Symantec Endpoint Protection Manager cannot create scheduled reports due to incorrect date format
Fix ID: 1587237
Symptom: On French localized Symantec Endpoint Protection Managers, scheduled reports cannot be created due to an incorrect date format.
Solution: Specified the date format before saving the scheduled report to the database.

Sorting by date in Client Status page generates scrambled results
Fix ID: 1587874
Symptom: When trying to apply a filter/sort based on "Last Update Time," dates are not sorted correctly.
Solution: Changed the data type to use date comparison sorting.

The Symantec Endpoint Protection Manager client table Sort button stops working and does not toggle
Fix ID: 1587920
Symptom: The Sort button stops working randomly when attempting to sort elements on the Symantec Endpoint Protection Manager Clients tab.
Solution: Avoid multiple mouse listeners for the same table header.

The Search Client option allows limited administrators to run commands on computers in groups with no access rights
Fix ID: 1589447
Symptom: The Search Client option shows computers in groups that limited administrators do not have permissions to access.
Solution: Only show the allowed groups to limited administrators.

Duplicate client records in the database point to groups that no longer exist, causing communication failures
Fix ID: 1589472
Symptom: Duplicate client records in the database point to groups that no longer exist, causing communication failures.
Solution: During replication, clients without a valid group ID are cleaned.

Default size of the Symantec Endpoint Protection Manager user interface does not allow all filters to be seen or selected when adding a Scheduled Report
Fix ID: 1592013
Symptom: Not all filters are visible when creating Scheduled Reports.
Solution: Added a scrollbar to the filter selection when the number of filters is greater than 7.

System Administrator Scheduled Reports inappropriately visible across Symantec Endpoint Protection Manager Domains
Fix ID: 1592959
Symptom: System administrator permissions are retained for Domain administrators, which makes previously created reports accessible.
Solution: System administrator permissions are no longer retained after logging off the Symantec Endpoint Protection Manager domain.

Learned applications paths are incorrect
Fix ID: 1593025
Symptom: The use of a backslash '\' instead of a forward slash '/' in learned application paths causes firewall rules to function incorrectly.
Solution: During profile compilation, incorrect path separation characters are corrected.

Replication fails when the password for the Symantec Endpoint Protection Manager account used for replication contains the % character
Fix ID: 1593159
Symptom: Cannot authenticate with special characters in the Symantec Endpoint Protection Manager account password, causing replication failures.
Solution: Corrected to allow authentication to succeed with the use of special characters.

Improper end time in exported scan logs
Fix ID: 1593319
Symptom: The Symantec Endpoint Protection Manager console correctly displays the start and end time but the end time is incorrectly shown in exported logs.
Solution: Avoided trimming the end date data after it is retrieved from the database.

Symantec Endpoint Protection Manager reports show file paths with a forward slash when it should be a backslash
Fix ID: 1595804
Symptom: Symantec Endpoint Protection Manager reports show file paths with a forward slash when it should be a backslash.
Solution: Corrected Symantec Endpoint Protection Manager reports to show backslashes.

Notification batch script does not finish successfully
Fix ID: 1595961
Symptom: When configuring a notification to run a batch script, the script is executed but does not complete successfully.
Solution: Allowed the server task to wait for the batch script to complete before termination.

Data truncation errors appear in the logs
Fix ID: 1597067
Symptom: Data truncation errors appear and error logs are created in the antivirus log directory.
Solution: Added more error checking to check the log session GUID for validity.

Replication fails with "Duplication of Primary key"
Fix ID: 1597521
Symptom: Replication fails with "Duplication of Primary key".
Solution: Duplicate data with the same key values are only included once.

Scheduled reports return a list of report recipients with extra space
Fix ID: 1597537
Symptom: While editing the recipient list for scheduled reports, the error message "Invalid characters have been removed from the list of emails." appears even though no changes are made.
Solution: The email recipient list is saved without additional spaces.

"No entries" in Monitors > Logs > Computer status on embedded replication partner (with SQL)
Fix ID: 1597713
Symptom: No date is shown for Computer status logs when related data is available in database.
Solution: When the date is unavailable from the client, the server timestamp is used as the client's last check-in time.

Unmanaged Detector does not acknowledge excluded computers and IP phones
Fix ID: 1600943
Symptom: IP address ranges that should be excluded appear in the results of unmanaged computers notifications.
Solution: Corrected data retrieval from the database to filter excluded IP ranges.

Host compliance log details are truncated when a Host Integrity policy has a large number of requirements
Fix ID: 1601779
Symptom: With a SQL database, host compliance log details are truncated when a Host Integrity policy has a large number of requirements.
Solution: Host compliance log details are no longer truncated.

A Limited Administrator account is able to create packages, upgrade groups, and view reports for groups that have been blocked
Fix ID: 1631487
Symptom: A Limited Administrator account is able to create packages, upgrade groups, and view reports for groups that have been blocked.
Solution: Fixed various user interfaces in the console to limit administrator access.

64-bit Windows XP in exported Computer Status Export logs is incorrect
Fix ID: 1633311
Symptom: In the Computer Status Log, Symantec Endpoint Protection clients running 64-bit Windows XP show as "Other".
Solution: Added Windows XP Professional x64 Edition in the logs.

The raw data dump from the External Logging options does not contain column header identifiers
Fix ID: 1633619
Symptom: The raw data dump from the External Logging options does not contain column header identifiers.
Solution: Added header information on all logs created by the External Logging feature.

Clients are not deleted from historical data and skew reports
Fix ID: 1639520
Symptom: Legacy clients and servers no longer on the network still show in the Security Status report with out-of-date definitions.
Solution: Added additional checks for legacy clients and servers with improper status updates.

LiveUpdate errors are listed as warnings instead of errors
Fix ID: 1652423
Symptom: In the Symantec Endpoint Protection Manager logs, LiveUpdate errors are listed as warnings instead of errors.
Solution: Changed LiveUpdate errors from Warning to Error.

Single client does not receive the commands sent from Symantec Endpoint Protection Manager
Fix ID: 1654964
Symptom: In the Symantec Endpoint Protection Manager, a command issued to a single client with a hardware key starting with 00 is not run by the client.
Solution: A hardware key starting with 00 is no longer identified as an unavailable client.

Behavior of outbreak notifications is inconsistent
Fix ID: 1656397
Symptom: Overlapping single risk and outbreak conditions do not trigger outbreak notifications when expected.
Solution: Algorithm changed to better detect overlapping risks or outbreaks.

With Simplified Chinese, garbage characters appear in attack logs
Fix ID: 1664719
Symptom: With Simplified Chinese, garbage characters appear in Symantec Endpoint Protection Manager Network Threat Protection logs.
Solution: Added UTF-8 encoding for SQL Server 2000.

Changes to the maximum number of clients displayed per page in the default view are not preserved in other views
Fix ID: 1665823
Symptom: Changes to the maximum number of clients displayed per page in the default view are not preserved in other views.
Solution: Synchronize the settings when saving display filters for each view.

Duplicate Centralized Exceptions policies appear when adding exceptions via risk logs
Fix ID: 1669897
Symptom: Duplicate Centralized Exceptions policies appear when adding exceptions via risk logs.
Solution: To avoid duplicates, only the shared Centralized Exception policies are displayed.

Event times are shown as "1970/01/01 08:00:00" [TimeZone:+8] in notification email
Fix ID: 1672629
Symptom: Email alerts for event notifications show as "1970/01/01..." even though the Symantec Endpoint Protection Manager console shows the correct event time.
Solution: Corrected the date and time format conversion for email notifications.

The Symantec Endpoint Protection Manager quits when displaying a large log of unapproved applications
Fix ID: 1673860
Symptom: The Symantec Endpoint Protection Manager quits due to a Java heap space error when viewing Unapproved Applications Only logs that exceed 290K records on the System lockdown page.
Solution: Unapproved Applications Only logs are limited to displaying the last 20,000 records. Users can still view all the logs from the Application and Device Control Logs report.

Symantec Endpoint Protection Manager client status "Last Check-in" date/time is calculated inconsistently
Fix ID: 1673951
Symptom: In the Symantec Endpoint Protection Manager, client "Last Check-in" date/time shows as Symantec Endpoint Protection Manager date/time until the client checks in as part of the regular heartbeat.
Solution: When the date is unavailable from the client, the server timestamp is used as the client's last check-in time.

Client status is displayed incorrectly in the Symantec Endpoint Protection Manager console
Fix ID: 1677244
Symptom: Client status is displayed incorrectly on the Home page Status Summary, but correctly on the Clients tab.
Solution: Corrected the query to retrieve client status from the database.

Moving users between OUs within Active Directory is not correctly reflected on the Symantec Endpoint Protection Manager interface
Fix ID: 1678457
Symptom: Users created with display names greater than 64 characters are truncated, causing updates to fail.
Solution: Limit the display name to 64 characters.

The Symantec Endpoint Protection Manager no longer accepts RISK logs from legacy Symantec AntiVirus servers after migration
Fix ID: 1679706
Symptom: The Symantec Endpoint Protection Manager no longer accepts RISK logs from legacy Symantec AntiVirus servers after migrating to Symantec Endpoint Protection Manager 11.0 MR4 MP2.
Solution: Fixed agent log collection.

The number of clients in an email notification and the corresponding report do not match
Fix ID: 1701459
Symptom: The number of clients in an email notification and the corresponding report do not match.
Solution: Synchronized email notification and the corresponding report.

Long policy description entries cause events to be dropped
Fix ID: 1710139
Symptom: Long policy description entries cause events to be dropped.
Solution: Set a limit of 256 characters for the policy description field.

The Symantec Endpoint Protection Manager is slow to apply policy changes after importing 10,000 OUs
Fix ID: 1714092
Symptom: The Symantec Endpoint Protection Manager experiences sluggish performance when importing large numbers of OUs.
Solution: Enhanced the performance of Active Directory synchronization.

Initial replication fails with the notification "The transaction log for database 'sem5' is full"
Fix ID: 1714303
Symptom: Initial replication fails with the notification "The transaction log for database 'sem5' is full".
Solution: Increased the max database transaction log size based on the company size selected during the Symantec Endpoint Protection Manager Installation Wizard.

Bad CurrentSequenceNum registry value contributing to .dat.err file build up on MR4 MP2 Symantec Endpoint Protection Manager
Fix ID: 1716657
Symptom: Truncation errors cause the accumulation of .dat.err files in the agentinfo folder.
Solution: Fixed the truncation errors.

Virus alert emails do not contain the file and file path that was infected
Fix ID: 1719962
Symptom: Virus alert emails do not contain the file and file path that was infected.
Solution: Added information about the file and file path to virus alert emails.

The string "\r\n" in the description field on the client properties in Symantec Endpoint Protection Manager causes data truncation error when replicating
Fix ID: 1720809
Symptom: The string "\r\n" in the description field on the client properties in the Symantec Endpoint Protection Manager causes data truncation error when replicating.
Solution: Multi-line descriptions are completely read by the Symantec Endpoint Protection Manager.

Duplicate clients in the Symantec Endpoint Protection Manager
Fix ID: 1722503
Symptom: After importing Active Directory OUs, duplicate clients appear in the Symantec Endpoint Protection Manager.
Solution: Deleted duplicate clients during replication.

Symantec Endpoint Protection Manager "Single Risk" notifications do not send email for Proactive Threat Protection risk detection of BloodHound.SONAR.1
Fix ID: 1723779
Symptom: Symantec Endpoint Protection Manager "Single Risk" notifications do not send email for Proactive Threat Protection risk detection of BloodHound.SONAR.1.
Solution: If you use non-defaults in an Antivirus and Antispyware Policy for TruScan Proactive Threat Scans (that is, not Log-Only), a potential risk is considered as a Security Risk in order to trigger the single risk notification.

SystemBiosVersion registry value results in a Symantec Endpoint Protection Manager error "An invalid XML character"
Fix ID: 1725075
Symptom: An invalid XML character in the SystemBiosVersion registry value causes the client to fail to register with Symantec Endpoint Protection Manager.
Solution: Invalid characters are removed.

When the maximum number of clients displayed per page is set to over 1,000, only 1,000 clients are displayed
Fix ID: 1732819
Symptom: When the maximum number of clients displayed per page is set to over 1,000, only 1,000 clients are displayed.
Solution: Limited the maximum number of clients to display to 1000 clients.

Client search by IP address only returns the first IP address even though the computer has more than one
Fix ID: 1733240
Symptom: Client search by IP address only returns the first IP address even though the computer has more than one.
Solution: Changed to allow multiple IP address client searches.

"Unable to communicate with Reporting component" when you log onto the Symantec Endpoint Protection Manager remote console under certain conditions
Fix ID: 1740140
Symptom: With two Symantec Endpoint Protection Manager consoles set up to use different IIS ports, remote console login does not work on the second Symantec Endpoint Protection Manager and returns the error "Unable to communicate with Reporting component".
Solution: During remote logon, the corresponding IP address and IIS port are correctly obtained.

Symantec Endpoint Protection Manager Home Page "Security Status - Attention Needed" lists old data in details
Fix ID: 1745613
Symptom: Symantec Endpoint Protection Manager Home Page "Security Status - Attention Needed" lists old data in details.
Solution: The algorithm to create the hardware key was changed such that the hardware key should not change with minor hardware changes, such as disabling of NICs.

Symantec Endpoint Protection Manager Active Directory sync at root OU produces duplicate clients. AD sync at sub OUs produces no duplication
Fix ID: 1745722
Symptom: Symantec Endpoint Protection Manager Active Directory synchronization at root OU produces duplicate clients caused by a carriage return in the computer description.
Solution: Removed unnecessary carriage return from computer description.

Java -1 errors when installing Symantec Endpoint Protection Manager to remote database using Windows Authentication
Fix ID: 1764453
Symptom: After Symantec Endpoint Protection Manager installation using Windows Authentication, the Semsrv process does not stay started, causing console login to fail with Java -1 error.
Solution: Removed database instance name from domain name, so that the IIS anonymous account can be configured properly.


Symantec Network Access Control
This section describes the customer fixes for Symantec Network Access Control since the release of MR4 MP2 (11.0.4.4200).

Client peer to peer authentication blocks other clients' access to its share folder
Fix ID: 1483035
Symptom: Configuring the peer's address was not using the correct IP address.
Solution: Corrected to use the client's IP address.

SNAC.EXE and Services.exe take up to 40% of CPU
Fix ID: 1519912
Symptom: After boot up, SNAC.exe and Services.exe are consuming up to 40% of the CPU.
Solution: Corrected NAP service monitoring.

IP is not released when On-Demand client is exited
Fix ID: 1557687
Symptom: After the On-Demand client is exited, the client does not release the production IP.
Solution: Before exiting, the client sends a notification to all plug-ins.

User is unable to connect to the network via VPN when using the Gateway Enforcer On-Demand plug-in
Fix ID: 1638565
Symptom: User is unable to connect to the network with Jiangnan VPN via the Gateway Enforcer.
Solution: Added support for Jiangnan VPN.

Client has delayed access to network resources during the boot up sequence
Fix ID: 1640120
Symptom: A client has a quarantine IP address for about 1 minute even if Host Integrity check passes.
Solution: Use WGX to receive and send heartbeat to Gateway and DHCP Enforcer when Windows networking system is not ready.

DHCP Appliance does not supply secure mask 255.255.255.255
Fix ID: 1586761
Symptom: The Enforcer Appliance does not replace the subnet mask given out by the Microsoft DHCP server with a 32-bit mask.
Solution: Added a CLI command to enable secure.netmask in DHCP Enforcer.

Users taking considerable amount of time to switch from Quarantine to Production scope
Fix ID: 1587480
Symptom: After being placed into the Quarantine DHCP scope, users are taking a considerable amount of time to be correctly switched into the Production scope.
Solution: DHCP status is updated when authentication status changes.

The Gateway Enforcer continuously switches between standby and active
Fix ID: 1592129
Symptom: The Gateway Enforcer continuously switches between standby and active due to failed ARP loop detection.
Solution: Enhanced ARP loop detection on the Gateway Enforcer.

The Enforcer loses trunking function after self reboot
Fix ID: 1600101
Symptom: The Enforcer loses the trunking function after a self reboot.
Solution: Trunking status is set to enable when failopen is enabled after a reboot.

Running the Symantec Network Access Control On-Demand Client and Checkpoint VPN causes a blue screen
Fix ID: 1708592
Symptom: Running the Symantec Network Access Control On-Demand Client and Checkpoint VPN causes a blue screen.
Solution: Fixed compatibility issue with CheckPoint VPN.

Guest Access does not work when using MAB & Transparent mode
Fix ID: 1511304
Symptom: When in transparent mode with MAB enabled, guests are not allowed on the production network.
Solution: Detect whether the RADIUS server is valid. If the RADIUS server is invalid, the Enforcer responds to the switch's MAB request.

RADIUS server rejects the user before PEAP authentication
Fix ID: 1630710
Symptom: RADIUS server rejects the user before PEAP authentication.
Solution: LAN Enforcer continues to PEAP authentication to mimic a RADIUS server.

LAN Enforcer does not communicate with Great Bay scanning device correctly
Fix ID: 1740074
Symptom: After deleting client MAC addresses from the Great Bay device, the client cannot authenticate using MAB (Dot1x).
Solution: Detect whether the RADIUS server is valid. If the RADIUS server is invalid, the Enforcer responds to the switch's MAB request.

Unable to connect to wireless, no Symantec Network Access Control, over PEAP authentication
Fix ID: 1788308
Symptom: With Symantec Network Access Control in transparent mode over PEAP authentication, a client is unable to connect to wireless.
Solution: Fixed to not handle PEAP packets when Symantec Network Access Control is set to transparent mode.

 

Maintenance Release 4 Maintenance Pack 2 (MR4 MP2)


This section describes the new features and fixes included in Maintenance Release 4 Maintenance Patch 2 (MR4 MP2) of Symantec Endpoint Protection 11.0 (also known as version 11.0.4202). This maintenance pack cannot be installed over any versions of Symantec Endpoint Protection or Symantec Endpoint Protection Manager prior to MR4. It must be installed over Maintenance Release 4 (MR4), (MR4-MP1), or (MR4-MP1a).


What's in this release
This maintenance patch resolves in-field reported issues within the Symantec Endpoint Protection client and Symantec Endpoint Protection Manager. These release notes also list updated and new Readme items for this release.

Note: The latest available release of Symantec Network Access Control is MR4 MP1. There have been no customer fixes since the release of Symantec Network Access Control MR4 MP1.
 

Component                          Version
Symantec Endpoint Protection       11.0.4202
Symantec Network Access Control    11.0.4010
AutoProtect                        10.2.10.2
Avengine                           20081.2
Behavior Blocking                  3.3.7.15
ccEraser                           2007.0.1.6
COH                                6.1.8.8
Common Client                      6.3.8.004
DecABI                             1.1.1.39
Defutils                           4.1.0.19
ECOM                               61.3.0.17
VxMS (MS Light)                    5.2.0
LiveUpdate                         3.3.0.85
LiveUpdateAdmin                    2.2.1.13
Microdefs                          2.5.37.0
QServer                            3.6.16
WpsHelper                          11.0.717.804
SyKnAppS                           2.5.12
SymEvent                           12.5.3.2
SymNetDrv                          7.2.3.302
Teefer2                            11.0.697



Product Fixes by category

Symantec Endpoint Protection: Antivirus/Antispyware
RTVScan.EXE terminates unexpectedly when initiating a scheduled scan
Fix ID: 1523740
Symptom: RTVScan.exe terminates unexpectedly when initiating a scheduled scan.
Solution: A common client component, MSL, was updated to prevent the crash.

Quarantine scan causes Auto-Protect detections in %temp% folder
Fix ID: 1525749
Symptom: DWHWizard.exe starts the quarantine scan and moves quarantined files into the %temp% folder for scanning. Auto-Protect will occasionally detect these infected files.
Solution: After extracting and re-scanning each quarantine item, the TMP file is deleted unless the state is now REPAIRABLE. Repairable files are used later, either to restore to the original location or to save back to Quarantine (REPAIR_ONLY mode). These files should be clean, so Auto-Protect should not detect anything in them.

Intermittent Outlook crashes
Fix ID: 1511242
Symptom: Outlook exits unexpectedly when using "Previous Item" or "Next Item" option.
Solution: The Outlook plug-in was changed to keep track of the most recent ExchangeCallback Pointer correctly.

Sysfer crashes Adobe Elements
Fix ID: 1522283
Symptom: Sysfer crashes Adobe Elements when using context to convert .doc(x) files to PDF format.
Solution: Changed a function to read a string-type parameter correctly so that the memory address is properly accessed.

Windows 2008 x64 share connectivity problems
Fix ID: 1442447
Symptom: After a period of time (hours to a day or so) file shares become unresponsive on Windows 2008 x64.
Solution: Auto-Protect update.

TempProfile_Nlnhook is created for each user that logs into a multi-user Lotus Notes installation
Fix ID: 1519913
Symptom: A directory named "TempProfile_Nlnhook" is created in customer's Citrix Presentation Server environment under the user profile folder (%USERPROFILE%).
Solution: Changed to use the CAccessToken class to get the currently logged in user name from the access token, and to pass it to LoadUserProfile() instead of the temporary directory name.

CleanWipe fails to properly remove Symantec AntiVirus 10.2 from a 64-bit operating system
Fix ID: 1532299
Symptom: Symantec AntiVirus still appears in Add/Remove Programs, the CleanWipe log will show various deletion errors, and key folders and files are left behind after using CleanWipe to remove Symantec AntiVirus 10.2.
Solution: A different API is used to detect that Symantec AntiVirus 10.2 is installed on a 64-bit operating system.

Proactive Threat Protection displays the status "Waiting for Update" after a client migration
Fix ID: 1456698
Symptom: Proactive Threat Protection displays the status "Waiting for Update" after a client migration.
Solution: After migration, Proactive Threat Protection should be "on" and should display the latest version.

Antivirus performance is slow when scanning the procmail.log
Fix ID: 1415668
Symptom: It may take a few minutes to scan the procmail.log file. Rtvscan.exe CPU usage increases up to 99%.
Solution: Decomposer engine update.

The Symantec Endpoint Protection installation fails with a "Return value 2" when CP_USASCII is disabled
Fix ID: 1499625
Symptom: The Symantec Endpoint Protection installation fails.
Solution: Symantec Endpoint Protection now uses CP_ACP instead of CP_USASCII when the installation path is validated during installation.

CLT_INST temp folder is left behind whenever a remote install is done (through wizard or Find Unmanaged)
Fix ID: 1527791
Symptom: A CLT_INST folder is left behind after installation.
Solution: VPREMOTE now marks the CLT_INST folder for deletion upon next reboot.

During migration from Symantec AntiVirus 10 MR 7 to Symantec Endpoint Protection 11 MR4 the installation removes all log-files from C:\Temp\Logs
Fix ID: 1509069
Symptom: Upon completion of the installation, the log files are moved to %ALLUSERSPROFILE%\Symantec\Symantec Endpoint Protection\Logs.
Solution: Updated the installer to use a unique temporary folder to store the Symantec logs.

SMCGUI.exe causes users to lose window focus
Fix ID: 1460045
Symptom: SMCGUI.exe often stops and starts, causing a user to lose window focus.
Solution: When loading a profile, a return value is checked to see if it is NULL upon calling a specific function.

High paged pool memory usage for Auto-Protect
Fix ID: 1511152
Symptom: Pool monitor shows high memory usage for SavE and SaEe pooltags.
Solution: AV engine update.

Stand-alone Quarantine Console installation cannot connect to any remote Quarantine Server
Fix ID: 1506385
Symptom: Trying to connect to selected server fails with the following error message: Cannot connect to server <SERVER NAME>.
Solution: The installer was changed to make the installation directory available to post-install script functions.

A Defwatch scan does not run on Microsoft Windows Vista if no user is logged on to the computer
Fix ID: 1508276
Symptom: The Defwatch scan does not run on Microsoft Windows Vista unless a user is logged on.
Solution: If no user is logged on, an elevated access token is used to run the Defwatch scan.

Windows Security displays the warning "MALWARE PROTECTION out of date" after a user manually runs an Active Scan or a Complete Scan
Fix ID: 1486799
Symptom: Windows Security displays the warning "MALWARE PROTECTION out of date" after a user manually runs an Active Scan or a Complete Scan.
Solution: Symantec Endpoint Protection was modified to allow the product to query the Windows Security Center information correctly.

Users with local administrator privilege can bypass the Symantec Endpoint Protection uninstall password
Fix ID: 1515363
Symptom: A user is able to bypass the uninstall password by using an undisclosed procedure.
Solution: The MSI file was updated to prevent administrators from bypassing the uninstall password.

While running CleanWipe (RunCleanWipe.bat) with the -silent switch, a dialog box prevents uninstallation from completing
Fix ID: 1588132
Symptom: A modal dialog box appears indicating that Symantec AntiVirus has been uninstalled, and prevents the uninstallation from completing.
Solution: Modified the MSIUnst.bat file to change a command line switch to MsiExec that removed the modal dialog.

Auto-resume of content-package does not resume across reboots or restart of SMC.exe
Fix ID: 1557479
Symptom: Content package download does not resume after either the computer or SMC.exe is restarted.
Solution: Preserve the partially downloaded files and use the HTTP range header information to download the remaining bytes from Symantec Endpoint Protection Manager.

Clients cannot download content from Group Update Provider (GUP)
Fix ID: 1588869
Symptom: Clients attempt to connect to the GUP to download content, but the clients are rejected. The sylink.log shows "<GetLUFileRequest:>
 

 




Legacy ID: 2007121216360648

