New fixes and features in Symantec Endpoint Protection 12.1.4

Article:TECH211972  |  Created: 2013-10-28  |  Updated: 2013-10-30  |  Article URL http://www.symantec.com/docs/TECH211972
Article Type
Technical Solution


Issue



This document lists new fixes and features in Symantec Endpoint Protection 12.1 Release Update 4 (SEP 12.1.4). This information supplements the information found in the Release Notes.


Solution



 

What's new in this release

This is a summary of the feature updates in SEP 12.1.4. For full details, read the Release Notes.
 

Expanded operating system and browser support

  • Supports Mac OS X 10.9 and Windows 8.1 / Server 2012 R2.

  • Supports the latest versions of Internet Explorer, Firefox, and Chrome.

Expanded and improved features for Endpoint Protection for Mac

  • Improved remote deployment features for the client, including a standardized deployment package for use with third-party client management systems that supports unattended, logged out, and silent deployment.

  • Intrusion prevention for Mac client computers.

  • LiveUpdate 6 for Mac, which does not require Java and can run with no user logged in.

  • Content for Mac from Symantec Endpoint Protection Manager (SEPM)

  • Other improvements including improved scheduled scan options, user interface improvements, and language support

Faster alerting and notification for priority events

SEP 12.1.4 Windows clients can quickly send priority events to SEPM without waiting for the next heartbeat. You can create notifications without a damper for critical events. Priority events include malware detections and IPS alerts.

 

New fixes in this release

 
A detected threat does not have a corresponding entry in the risk log
Fix ID: 2760392
Symptom: You see the pop-up warning, “Threats were detected while you were logged out,” but the risk log does not display a corresponding entry.
Solution: Fixed a condition where a flag did not properly reset after a threat was detected and then exonerated by reputation.
 
System hangs after reboot on Windows XP Embedded SP3
Fix ID: 2874059
Symptom: After you install Symantec Endpoint Protection client on a Windows XP Embedded device on which PCAnywhere and specific video adapters are also installed, a crash in the video memory occurs.
Solution: Addressed a video memory read conflict to prevent the crash.
 
Scan Logs do not display updated scan status
Fix ID: 2948062
Symptom: Administrator-defined scheduled scans do not update the scan status of Symantec Endpoint Protection Manager scan logs if you suspend then complete the scan.
Solution: Fixed a condition where a suspended status was not correctly cleared when the scan completed.
 
Microsoft Outlook 2010 freezes
Fix ID: 2961089
Symptom: If you install Symantec Endpoint Protection Microsoft Outlook plug-in along with McAfee DLP software, Microsoft Outlook 2010 appears to hang or become unresponsive when you open or add an attachment.
Solution: Updated the internal email attachment scan engine to avoid potential scan conflicts.
 
Cannot generate quick risk reports
Fix ID: 3044591
Symptom: When you try to generate quick risk reports, PHP errors and warnings display. You also see many PHP-related errors in the reporting logs.
Solution: Validated the PHP variables to resolve this condition.
 
Some detection counts do not display correctly in reports
Fix ID: 3058411
Symptom: The distribution bar under the “Risk Detection Counts and Detection by Computer” report shows one color, instead of the expected multiple colors for different infection types.
Solution: Updated the reporting mechanisms to display different threats with the appropriate colors.
 
Application and Device Control exception is not working correctly
Fix ID: 3060353
Symptom:An Application and Device Control folder control exception does not work correctly with an absolute path, such as “C:\TEST”.
Solution: Added support for absolute path exclusions.
 
Management Server Configuration Wizard encounters Unexpected Server Error
Fix ID: 3064213
Symptom: An Unexpected Server Error occurs after you run the Management Server Configuration Wizard.
Solution: Corrected the method that compared and stored server names in the database.
 
When both the Symantec Endpoint Protection client and management server are installed, Windows Server Backup utility cannot complete a volume shadow copy
Fix ID: 3065313
Symptom: When you install both Symantec Endpoint Protection client and Symantec Endpoint Protection Manager 12.1.x on the same computer, the \System Volume Information\EfaData\ folder grows large in size. This growth causes a lack of available free space for the Windows Server Backup Utility to create a volume shadow copy.
Solution: Added code to monitor additions to the SymEFA database to ensure that all temp table additions are cleaned up and deleted when completed.
 
Scheduled scan report fails to abide by an OS filter
Fix ID: 3088428
Symptom: When you schedule a Scan Report based on an OS filter, it instead returns every OS.
Solution: Fixed a query where a field was not correctly included, which resulted in the return of incorrect data.
 
Symantec Endpoint Protection installation results in warning messages in logs
Fix ID: 3088790
Symptom: Warning messages, such as Event ID 28, appear in the logs when you install the Symantec Endpoint Protection to a physical Windows Server 2008 R2 with Hyper-V.
Solution: Corrected the copy of the appropriate flags to a list created during installation. The missing flags created an issue with some drivers.
 
Unable to remove the “Delete from Quarantine” option
Fix ID: 3094415
Symptom: After you uncheck the “Delete from Quarantine” command option for Limited Admins, this option still appears on the dropdown menu as a possible Action. The only way to remove “Delete from Quarantine” from the dropdown menu is to also remove other features, such as “Enable Download Insight.”
Solution: Corrected the admin properties that PHP assigns during the session.
 
Download Protection Content reports as “Not Available” after a restart
Fix ID: 3106651
Symptom: After a client restarts, the initial heartbeat reports that Download Protection is “Not available.” As a result, a notification for “Download Protection out of date” triggers from Symantec Endpoint Protection Manager. Subsequent heartbeats report correctly.
Solution: Changed code so that the LiveUpdate process completely initializes before the client sends its initial heartbeat.
 
Too many active connections from the Group Update Provider (GUP) to Symantec Endpoint Protection Manager
Fix ID: 3110944
Symptom: The Group Update Provider (GUP) computer keeps more than 200 connections open to Symantec Endpoint Protection Manager.
Solution: Fixed a callback function that was not properly called before closing requests.
 
Client reports Firewall Status as “Disabled”
Fix ID: 3115966
Symptom: If you disable or withdraw the firewall policy from a client group, the clients display as “Disabled” on the Symantec Endpoint Protection Manager Home tab, under Endpoint Status. Clicking on the Endpoint Status chart shows the Firewall Status as “Disabled.” The Firewall Status should only display as “Disabled” if the end user disables the firewall.
Solution: Implemented the creation of a registry key during a clean installation, kept during migration, to correctly trigger the “Disabled” firewall status report.
 
Lotus Notes 7.0.3 terminates unexpectedly
Fix ID: 3133546
Symptom: Lotus Notes 7.0.3 terminates unexpectedly when you attempt to open an attachment.
Solution: Added a check for invalidation of attributes that cause the crash.
 
Some clients do not honor the restart after using the Client Deployment Wizard
Fix ID: 3136892
Symptom: When you use the Client Deployment Wizard to install a package that includes Application and Device Control, Symantec Endpoint Protection clients do not honor the reboot command provided in Client Install Settings.
Solution: Changed the code so that the reboot command triggers correctly when installing the Application and Device Control feature.
 
Clients move to the wrong group if group name has a space in it
Fix ID: 3147159
Symptom: If you copy a group name containing a space from the details tab of one Symantec Endpoint Protection Manager and paste that group name into a new group on another Symantec Endpoint Protection Manager, then the clients end up in an incorrect group. If you copy the same group name containing a space from Windows Notepad, then the clients end up in the correct group.
Solution: Fixed so that it now converts the space correctly during the copy.
 
Scan time is shown incorrectly
Fix ID: 3147840
Symptom: If you click Home > View Details > Scan Failures, the last scan time displayed is incorrect.
Solution: If the last scan time is earlier than the creation time, it now displays “Never.”
 
Teefer does not see outbound traffic on Windows XP
Fix ID: 3152001
Symptom: On Windows XP SP3, Teefer does not see the outbound traffic for QoS Packet Scheduler (PSched).
Solution: Modified the Teefer driver to resolve this issue.
 
Lotus Notes terminates unexpectedly during start-up
Fix ID: 3153742
Symptom: Lotus Notes terminates unexpectedly during start-up when it attempts to load the Notes Auto-Protect plugin (nlnhook.exe).
Solution: Fixed to make a call to a function correctly after initializing the Notes runtime system.
 
Windows Hypervisor stops responding
Fix ID: 3155684
Symptom: Windows Server 2012 Hypervisor servers stop responding after you install Symantec Endpoint Protection 12.1.2 (12.1 RU2).
Solution: Changed the code to resolve a deadlock created by an Auto-Protect scan.
 
Juniper Network Agent Virtual Adapter missing from VPN classification
Fix ID: 3160119
Symptom: Juniper Network Agent Virtual Adapter (Juniper Junos Pulse client) does not appear within the “Any VPN” classification in the firewall rules.
Solution: Included the Junos Pulse VPN in the “Any VPN” classification.
 
Windows Server 2008 R2 is not identified correctly in Symantec Endpoint Protection Manager
Fix ID: 3161161
Symptom: Symantec Endpoint Protection Manager shows an incorrect operating system name for Windows Server 2008 R2 computers in the client inventory report and client properties dialog.
Solution: Updated the operating system name correctly in the opstate table.
 
Cannot generate risk report
Fix ID: 3161681
Symptom: When you create a risk report for “Action List” or “Infected and At Risk Computers”, the query fails.
Solution: Fixed an issue with joins in the SQL query.
 
Log file size grows to be very large
Fix ID: 3162820
Symptom: Log messages continue to write to scm-ui.log, even after the user logs out of the console. As a result, the log file grows very large.
Solution: Limited the size of scm-ui.log and scm-ui.err, which are configurable in the conf.properties file. Modified the method of logging System.out, System.err and other console logging..
 
Windows OXP 64 bit is listed incorrectly
Fix ID: 3179393
Symptom: If you click Monitors > Logs > Computer Status > View Log, Windows Server 2003 clients incorrectly display as Windows XP 64-bit.
Solution: Corrected the OS type for pre-Microsoft Vista operating systems.
 
GFValidate.exe application error 1000
Fix ID: 3189844
Symptom: When Symantec Endpoint Protection Management server is running, you see program errors or crashes when ThreatCon contains an invalid certificate.
Solution: Changed the exception handling to catch the exception, so that the program can exit gracefully.
 
Windows client incorrectly becomes a Group Update Provider (GUP) after an upgrade
Fix ID: 3191960
Symptom: After you upgrade a Windows XP computer to Symantec Endpoint Protection 12.1.2, the computer becomes a GUP even though it was not designated as one.
Solution: Fixed some incorrectly interpreted logic in the code.
 
Management Server Configuration Wizard displays an error when using a non-default path for the database data folder
Fix ID: 3203819
Symptom: When you designate a new database using a non-default data folder, such as on drive D:, the Management Server Configuration Wizard displays an error about the database data folder, because it is incorrectly looking for the default path on C:.
Solution: Changed the way the database data folder path information passes to the Management Server Configuration Wizard.
 
Cannot add applications to Exception policy
Fix ID: 3203823
Symptom: You try to add detected applications to existing Exception policies, but those policies do not display in the Monitors tab.
Solution: Changed the code so that when you copy a policy to the Policies tab, the copy action clears all information associated with a non-shared or location-specific policy.
 
Discrepancy in the Endpoint Status report
Fix ID: 3203825
Symptom: The information displayed on the Home tab under Endpoint Status is different from the information displayed when you click the chart for details.
Solution: Modified the query used to report the status for a more consistent display of information.
 
An unexpected database error occurs
Fix ID: 3203833
Symptom: An unexpected database error occurs when you log on the Web Services Application Registration page.
Solution: Fixed the logic in the code that resulted in an improper translation.
 
Client upgrade rolls back
Fix ID: 3203874
Symptom: At the end of the upgrade to Symantec Endpoint Protection 12.1.2 on a computer with a custom Windows system root directory, the installation rolls back to the previous version.
Solution: Changed the code to get the correct system root directory path, so that Sysplant correctly starts and the upgrade succeeds.
 
BIOS serial number not stored
Fix ID: 3203878
Symptom: The Symantec Endpoint Protection client sends the BIOS serial number when it connects to the Symantec Endpoint Protection Manager. You can see this information in the scm-server-*.log, but it is not stored within the Symantec Endpoint Protection Manager.
Solution: Built a mechanism to handle the retention of BIOS serial numbers.
 
Symantec Endpoint Protection Internet email Auto-Protect prevents POP3 email from being sent or received
Fix ID: 3203882
Symptom: When you check email with a client program that uses the service session (session 0), sending or receiving email experiences delays if you install Symantec Endpoint Protection Internet email Auto-Protect.
Solution: Removed an unnecessary notify function used only in Session 0.
 
Unable to copy from USB
Fix ID: 3204602
Symptom: After you upgrade Windows Vista to Symantec Endpoint Protection 12.1.2, you are unable to read files from a USB device, even though the Application and Device Control policy only prohibits writing to a USB device.
Solution: Fixed a block error code that prevented the correct implementation of the policy.
 
Server crashes with BugCheck 8E
Fix ID: 3205461
Symptom: A Symantec Endpoint Protection client installed to a server operating system crashes with BugCheck 8E {c0000005, f723fac3, abb89930, 0}. The crash log contains a reference to SRTSP.sys.
Solution: Changed the code to ensure that a function is not NULL before removing the reference to it.
 
LiveUpdate fails to process content on Symantec Endpoint Protection Manager
Fix ID: 3206868
Symptom: The LiveUpdate client runs successfully and downloads the content on Symantec Endpoint Protection Manager 12.1.2 (RU2), but fails during the post-processing of the content.
Solution: Changed the code so that when the Management Server Configuration Wizard runs, it ensures the keystore password is the same for all the components in the Server.xml file.
 
EFS encrypted files are damaged
Fix ID: 3210868
Symptom: After a content download triggers a Defwatch scan, EFS encrypted files become corrupted.
Solution: Updated the code to read an encrypted file without buffering.
 
Weekly deadlocks occur on Symantec Endpoint Protection Manager database
Fix ID: 3230279
Symptom: The server logs indicate weekly deadlocks on the Microsoft SQL Server database used by Symantec Endpoint Protection Manager. These deadlocks place an excessive load on the database server.
Solution: Fixed the underlying query that caused the deadlocks.
 
USB data stick removal results in BugCheck 7E error
Fix ID: 3232873
Symptom: When you remove a USB memory stick, the computer crashes with error code 0X0000007E (BugCheck 7E).
Solution: Changed the code to track for a NULL pointer. If it occurs, the corresponding function gracefully fails.
 
Servers are slow or unresponsive
Fix ID: 3241493
Symptom: After you install the Symantec Endpoint Protection client without Network Threat Protection, the file share server appears to be offline, or becomes extremely slow and unresponsive.
Solution: Fixed a condition that lead to a deadlock in the cache manager.
 
Connectivity issues with 3G connection
Fix ID: 3241534
Symptom: When you try to connect to the internet with a 3G NIC, the Symantec Endpoint Protection firewall component detects a problem and blocks the connection.
Solution: Changed the code so that Teefer copies protocol information to overlying drivers.
 
Wired 802.1x connection attempt results in BugCheck 50 referencing Teefer
Fix ID: 3244951
Symptom: When attempting to connect using wired 802.1x authentication, the computer crashes with BugCheck 50. The blue screen message references teefer.sys.
Solution: Implemented a check on the returned buffer size to prevent a negative value from causing a memory access error.
 
LiveUpdate does not update Symantec Endpoint Protection client
Fix ID: 3245096
Symptom: The Symantec Endpoint Protection client downloads but cannot update definitions with LiveUpdate. Content updates from the Symantec Endpoint Protection Manager occur as expected.
Solution: Fixed an issue where LiveUpdate Engine created an incorrect path and copied the definitions to it.
 
Enabling Windows Driver Verifier on Teefer2 results in BugCheck 139
Fix ID: 3245497
Symptom: You install Symantec Endpoint Protection, enable the Windows Driver Verifier for Teefer2, and reboot. An attempt at a network connection causes the computer to crash with BugCheck 139.
Solution: Changed the code to save some flags before calling a function.
 
Cluster is unable to fail over with AutoProtect enabled
Fix ID: 3246552
Symptom:  With AutoProtect enabled, an active cluster node cannot fail over and hangs.
Solution: Corrected a delay in the AutoProtect volume dismount that resulted in cluster failover failures.
 
Some Intrusion Prevention exclusions do not work
Fix ID: 3262355
Symptom: After you create an Intrusion Prevention (IPS) policy exclusion to keep an application from being blocked, Intrusion Prevention continues to block the application.
Solution: Changed the code to now skip any abandoned signature IDs so that it can continue to parse the exclusion list.
 
Download Protection reports as malfunctioning 
Fix ID: 3262365
Symptom: Client computers always report Download Protection as malfunctioning on the first heartbeat after the Symantec Management Client (SMC) service is started. This issue occurs because the heartbeat reports the status before this component fully initializes.
Solution: Changed the code so that the client initially reports OK by default, instead of indicating malfunction.
 
Persistent “unexpected server error” notification
Fix ID: 3262370
Symptom: You receive System Event Notification emails multiple times a day reporting an unexpected server error. The Symantec Endpoint Protection server logs display the message, “This is not a valid IP address.”
Solution: Changed the code to ignore the unsupported IPv6 address returned by the client.
 
“Unexpected server error” appears in server logs
Fix ID: 3262375
Symptom: For the Symantec Endpoint Protection Manager, the server name is different than the host name. The Symantec Endpoint Protection Manager’s server logs display repeated errors by ScheduledReportingTask about an UnknownHostException. You do not receive email notifications or scheduled reports.
Solution: Changed the code to use the Symantec Endpoint Protection Manager computer’s host name instead of its server name when building the Reporting URL.
 
“Unexpected server error [0x10010000]” when deleting a Symantec Endpoint Protection Manager administrator
Fix ID: 3262376
Symptom: When you try to delete an administrator account in Symantec Endpoint Protection Manager but opt to retain the existing reports, the message “Unexpected server error [0x10010000]” appears and the administrator account remains.
Solution: Changed the code to resolve this error.
 
The policy serial number unexpectedly updates at midnight
Fix ID: 3262394
Symptom: You notice that the policy serial number updated at midnight, but you did not update a policy at that time, only earlier in the day.
Solution: Changed the logic when saving baseline firewall rules, so that unnecessary items do not trigger a policy change when the Agent Sweeping Task runs at midnight.
 
Some errors in reporting logs related to risk reporting
Fix ID: 3262395
Symptom: There are PHP errors and warnings in the reporting log. The pie charts on the Monitors tab contain no information, and you encounter a fatal error when you click Reports > Quick Reports.
Solution: Added some safety checks to avoid the generation of these errors.
 
Auto-refresh value reverts for Command Status
Fix ID: 3262398
Symptom: The Auto-refresh value you configure under Monitors > Command Status reverts to the previous value.
Solution: Changed the code so that the cache file updates after you make a change to Auto-refresh.
 
Scheduled or On-Demand scans fill backup cache disks
Fix ID: 3268131
Symptom: You observe that on a computer using a third-party backup program, a scheduled or on-demand scan unexpectedly fills the backup cache disk.
Solution: Changed the file-opening logic during the scan from Read/Write to Read Only.
 
SMC service crashing
Fix ID: 3275417
Symptom: The Symantec Management Client (SMC) service crashes on client computers that are Group Update Providers (GUPs).
Solution: Fixed a condition in which a context callback released before the function returned.
 
Accelerated heartbeat after clients fails to register with Symantec Endpoint Protection Manager
Fix ID: 3279095
Symptom:  When Symantec Endpoint Protection Manager returns a registration failure with code 412, the client triggers another registration in five seconds. This behavior results in performance degradation on Symantec Endpoint Protection Manager.
Solution: Resolved the issue by reducing the heartbeat frequency when the client receives this response code.
 
Installation of Symantec Endpoint Protection causes BugCheck 8e
Fix ID: 3279568
Symptom: After the installation of Symantec Endpoint Protection, the computer crashes with BugCheck 8e. A triggered Auto-Protect scan appears to be the cause.
Solution: Added a check to verify whether the thread terminates in addition to checking the process exit time.
 
 

Component Versions in Symantec Endpoint Protection 12.1.4

Component
Version
AV Engine
20131.1.5.61
AutoProtect
14.4.2.7
BASH Defs
7.8.0.10
BASH Framework
7.0.0.226
CC
12.3.4.4
CIDS Defs
12.0.0.380
CIDS Framework
11.1.0.73
ConMan
1.1.0.10
D2D
1.2.0.3
D2D_13
1.3.0.3
DecABI
2.3.1.1
DefUtil
4.7.0.27
DuLuCallback
1.5.0.69
ECOM
131.1.5.61
ERASER
113.1.1.1
Iron
3.2.2.10
LiveUpdate
2.2.2.3
MicroDefs
3.6.0.79
SIS
12.1.3507.3652
SymDS
2.2.1.10
SymEFA
4.3.1.3
SymELAM
1.0.2.7
SymEvent
12.9.5.3
SymNetDrv
13.1.2.7
SymVT
5.3.0.25
WLU(Symantec Endpoint Protection Manager)
3.3.100.15
 

 




Article URL http://www.symantec.com/docs/TECH211972


Terms of use for this information are found in Legal Notices