Endpoint Protection

I'm using SEP v12.1.671.4971 and have been for the past 3 years without any problems.

A couple of weeks ago, I upgraded from Internet Explorer 9 to Internet Explorer 11 using Windows Update.  I then logged into all my usual websites, ticking the "remember me" checkbox so that session cookies would be created.

I started using IE11 and found it was working well, until after about 24 hours when I discovered I had been logged out of all my websites - every single one.

I then moved into investigation and test mode, to try to figure out the cause.  After a few days, I worked out that it was the SEP Active Scan.

My session cookies work perfectly before the Active Scan - I've tested them right up until the last minute before the Scheduled Active Scan starts - but immediately after the Active Scan has finished I am no longer logged in to any of my websites.  I've been able to repeat this several times now.  I've also tested disabling the Scheduled Active Scan with the result that my session cookies continue to work for days.

I don't know, specifically, what the Active Scan is doing to cause this behaviour, but I suspect it may have something to do with the new way that IE10 and IE11 store and manage their cache (including cookies) - see this link, this link and this link.

It's driving me crazy because at the moment I'm having to re-log in to every single one of my websites every 24 hours.

Has anyone else come across this problem?  Does anyone have a solution?

Thanks all.

If you have a test machine , install the latest 12.1.4 and check again.

See same problem thread

https://www-secure.symantec.com/connect/forums/internet-explorer-automatic-password-dont-work-anymore

What's your risk log show? Does it show that cookies were detected and removed?

@Rafeeq - I have upgraded to v12.1.4100.4126 and the problem still exists.

@James007 - No, that thread is NOT the same problem.  That thread is about an Internet Explorer AutoComplete problem.  My problem is about Session Cookies.  Totally different.

@_Brian - The Active Scan risk log reports that "Tracking Cookies" were deleted, not "Session Cookies".

When I was using IE9 the Active Scan deleted my Tracking Cookies but my Session Cookies were not touched and I remained logged in to all my websites.  The Active Scan only started messing with my Session Cookies after I upgraded to IE11.  This leads me to believe that SEP does not understand the new method that IE10 and IE11 uses to manage cookies/cache/history (as I stated in my original post).

Very possible. Is this only your PC (unmanaged I assume?). If managed, it's possible to exclude cookies from being detected.

@_Brian - Currently it is only my PC (I test all upgrades on my own PC first), but I plan to upgrade four other PCs to IE11 soon, so they'll all hit this problem.  I also know of one other person who has this problem (he gave up and reverted back to IE9 while I continued to investigate).

All the PCs (including my own) are unmanaged, but even if they were managed I'd be reluctant to exclude cookies from the Active Scan as that's a workaround, not a solution (I'm an IT professional dealing with troubleshooting issues every day so I don't like to let things go unresolved).

There is one thing about the Active Scan risk log that concerns me.  At the end of the list of deleted Tracking Cookies there is an item named "Unused Cookies" (see screenshot attachment).  If I'm correct that SEP doesn't understand the new IE10/IE11 cookie management method, SEP could be mistakenly deleting Session Cookies because it thinks they are Unused Cookies.

The only way I can check this is to revert to IE9, run the Active Scan again and see if it also lists Unused Cookies in the risk log.  Luckily I can do that very easily as I've been testing using a known good Ghost image.  I'll retore the image tomorrow, perform the test then report back here with my finding.

I restored my Ghost image this morning (which includes IE9 and SEP v12.1.671.4971).  I then logged into 6 websites to create Session Cookies, surfed a little to create some Tracking Cookies, and finally ran a manual Active Scan.

The risk log for the Active Scan also shows an item named "Unused Cookies" (see screenshot attachment), however I remained logged in to all 6 websites after the Active Scan was complete.

So, no difference in the risk log between IE9 and IE11 (both show the "Unused Cookies" item as deleted), but SEP is definitely doing something different with Session Cookies when IE11 is installed.

Can anyone provide a definitive answer on whether SEP knows about the new IE10/IE11 browsing history storage location and format (see links in my original post)?

Likely need to look to support to answer this question.

I've opened a case with Symantec Support.  I'll post back with updates as things progress.

Quick update...

Yesterday I returned to my new Ghost image (which includes IE11 and SEP v12.1.4100.4126) and the problem still exists (as expected, no surprise there).

Symantec support are working on the issue.  According to them I'm the only person to have reported this problem.  I have supplied them with background information and forwarded SymHelp data so they can investigate.