Endpoint Protection

Hi,

Over the weekend, I upgraded our SEPM from 14.0 RU1 MP2 to SEPM 14.2.  Our server is a Hyper-V VM running W 2008R2. I noticed after the successful upgrade, some policies disappeared from our main group.  This group uses customized non-shared policies. After the upgrade the non-shared policies Firewall, Intrusion Prevention, Application and Device Control, Memory Exploit Mitigation, and Exceptions were gone from the group.  Any groups with shared policies were unaffected.  I also noticed some the locked settings in the remaining policies were now unlocked.  I created a checkpoint of the VM before the upgrade and was able to roll back to 14.0 RU1 MP2.  I tried the upgrade multiple times with same results each time.

I looks like I will have to create new policies to replace the ones that disappeared.  I validated the built-in db after the update and it passed validation.  I have never seen this before after dozens of upgrades over the years.  Can anyone offer an explanation?

Thanks,

CQ

Hi,

@CQ gone meaning withdraw alike (group with no policies at all) or replaced by shared ones? I'm planning to do some upgrade test from same 14 RU1 Mp2 to 14.2 this week I'll look closely for those non-shared policies. Thanks for heads up. 

@PG_PG

The policies were withdrawn.  Interestingly, I had another group where some of the non-shared policies were withdrawn but also had a group with non-shared policies in which the policies were unaffected.

Hi CQ,

Im about to upgrade also. Do you only have this issue on your main group "my company"?

LEVD

@levd

It is a second level subgroup of My Company.  The group does not inherit any policies from My Company.

My Company (has default shared policies)

  I

  Company A (has its own shared policies not inherited)

        I

        Problem Group (has its own non-shared policies)

CQ,

Thanks for the info.

LEVD

CQ,

Do you know about an easy way to recover this if it goes wrong? Offcourse i can snapshot my server however my DB is external SQL so once the tables are updated i guess i cant go back.
Can you recover from within the manager?

LEVD

@levd

I don't know of a way to recover the withdrawn non-shared policies.  I tried exporting them before the upgrade and importing after the upgrade,  This seemed to work but validated the database after the import and it failed.

I guess I will open a support call but was hoping for a Symantec response in this forum. So far, nothing.   I have not had positive experiences with support in the past.

Hi CQ,

Ok. Can you update this post about your contact with support?
Ill think ill wait with the update :)

LEVD

Any update from Symantec regarding this issue?

Hello All,

I have not seen this. Are any support cases open?  Does anyone have a DB backup from before the upgrade?  Are the policies being deleted completely, or just withdrawn?

Thanks,

John Owens

Hi All,

Please open a support case and provide case numbers.  Does anyone have a DB backup before the upgrade?

I personaly tested this on a virtual machine, created 2 test groups.

TEST1 - with Virus and Spyware policy and IPS policy non-shared

TEST2 - with FW policy and ADC policy non-shared

What happened after the upgrade to 14 RU2, from TEST1 group one of the non-shared policies disappeared and from TEST2 group both non-shared policies disappeared.

We have a case opened for one of our customers, please take a look at it: 14789126

@S_K

I have taken ownership of the case and will attempt to reproduce in house.  I will keep you posted.

John

@john_owens

I was going to open a case but I see @S_K has already done that.  For now I will hold off.  In my situation, SOME but not all non-shared policies were deleted from some my groups.  I run SEPM on a Hyper-V VM and have a checkpoint of the entire machine BEFORE the upgrade so I can easily roll back to help as needed.

CQ

I reproduced something similar.

SEP 14 RU1 MP1 installed on SEPM.

Created Test Group. Converted all policies over to Non-Shared policies.

Upgraded SEPM to 14.2.

Logged into SEPM. 

Missing after upgrade:

Intrusion Prevention

Memory Exploit Mitigation

Integrations

Exceptions

The other 4 Non-Shared policies remained after the upgrade.

Remained after upgrade:

Virus and Spyware Protection

Firewall

Application and Device Control

LiveUpdate

@CQ

Please open a case. The more cases we have the better chance there is to get this fixed quickly.

@john_owens

Will do.  FYI in my case the Firewall policy was lost too.  Also, my live update policy was replaced by a different one.

I have advanced this to Development/Engineering. If you would please open cases and reference Etrack 4186631 it would be very helpful.

Thanks,

John Owens

@john_owens

FYI my case # is 14896771

Thank you. I took ownership of it for you and will drive it from here.

KB you can subscribe to for updates.

https://support.symantec.com/en_US/article.TECH250749.html?

We have identified the issue and are working on a fix. Current ETA for availability is next week.
 

Will the fix be SEP 14 RU2a or 14 RU2 MP1?

It will be 14.2 refresh build. Current eta is next week.

I ran into the same issue, not only did i lose my policies at first, but then account got locked out, luckily i did roll back to old VM and have an external SQL database and it held everything that was previous. I will put in a case as well and see what gets said, Needless to say after many of years of doing updates and upgrades, it seems after 12-14 it has been alot of problems, i had to redo a whole server because my 14.0 which was working fine, decided to no longer allow anyone to log into it.  i put a case in for that , but end result was i had to redo one from scratch, luckily i had exported copies of policies, and was able to import those, but had to do all the hardware device exceptions from scratch

@john_Owens, I have the same issues as well , luckily was able to roll back , did you want me to add a case in for this?

Hi John,

Will you be updating this thread once this fix is released?

Thanks

Hi Michael,

Yes, I will do that.  You can also subscribe to this document to be updated for when the refresh build is available.

https://support.symantec.com/en_US/article.TECH250749.html?

Thanks,

John

14.2.760.0000 is now posted and available for download on FileConnect.  This will fix the Non-Shared Policy issue.

Is there any change in SEP client side for this new version 14.2.760.0000?

What about if somebody already upgraded to 14 RU2? Is upgrade from 14 RU2 to 14 RU2 Refresh build possible?

And what about the problem with unnmanaged client 14.2 RU - firewall rules are not working after system reboot? 

Is anyone aware? Did you open a support case? If so, post the case number.

I'm newbie here, pls advice how to open the case. And the problem is following. I'm using at the moment unmanaged client, first one, previos version 14.01RU - no any problem. After upgrading to 14.2RU (clear installation and rolling over), f.e. i have Application Rule allow browser (try IE11, Chrome, Firefox, Slimjet) any traffic, i made opposite rule in firewall Rules to block any traffic from browsers, and these rules are working until i make rebooting the system (try Win7x64 and Win10x64). When the system has been rebooted, Firewall Rules are in place but not working the above browsers clear walking in the net. 

Google Translation

Open a case following this:

https://support.symantec.com/en_US/contact-support.html

Case Number 15116949 and I attached info from SymDiag.

But still not good to upgrade to 14 RU2 even the Refresh Build because still other issues which are new and not solved:

• Replication starts to fail after upgrading Endpoint Protection Manger to 14.2
  https://support.symantec.com/en_US/article.TECH250795.html
• Location Awareness stops working after upgrading to Endpoint Protection 14.2
  https://support.symantec.com/en_US/article.TECH250794.html

Why Symantec didn't fix all these issues at once in a new release, for example 14 RU2 MP1?

S_K -

Are you having the Non-Shared Policy issue?  If so, you would need to roll back before the upgrade (Disaster Recovery) and then upgrade to the refresh build of 14.2.

If you are not having that issue, you do not need to upgrade the SEPM to the refresh build.

The other 2 issues you stated are being looked at for 14.2 MP1.  The non-shared policy issues was big enough we felt it needed to be addressed as soon as possible and that is why the refresh build was delivered.

John

How do I know if I'm downloading 14.2.760.000 from FileConnection? The dates of what I downloaded is June 22nd and 21st, which doesn't appear to the 14 RU2 refresh that I need to avoid this non-shared policy issue.

The older builds were pulled.  The only version available is 14.2.760.000.

is upgrade of the SEPM from 14 RU2 to 14 RU2 Refresh build supported because for previous builds it was not, for example:

Upgrading from 14 MP1 (14.0.2332.0100) to 14 MP1 Refresh Build (14.0.2349.0100) is not supported

After upgrade to 14.2.760.000 we are still missing custom policies. I have a SEP DB backup and access to a full backup of the server files pre-upgrade. What I don't have are exported policies to import that are current.

Is there any way for me to recover those lost settings?

Hi Seth,

Did you restore to before upgrade and then upgrade with 14.2.760?  Just upgrading from the broken state to the new 760 build will not bring back the custom policies.

Nope, we waited until the refresh build was available (it was a direct upgrade from 14.0.3876.1100). Guess I was overconfident that the issue was resolved and deleted the snapshot after the 'successful' install. Didn't realize I had a problem until days later when some systems were having trouble receiving definitions from the GUPs and server and discovered that the entire firewall rule was missing (guess Windows FW doesn't open port 2967 by default).

If there is a simple way to pull it from an older server backup, great. If not, I will try to restore the pre-uprade server to a new VM and export the policies.

John  Thanks for all of the work in the forums . . . .

Is there a way to extract the firewall configurations from the backups?

Thanks!

Hi Joe,

If you install another SEPM and restore from that Backup you could then export the policies.  There is no way to do it just from the backup itself though.

John

this version absolutely does NOT fix the issue with non-shared policies. I upgraded from 14.0.3752.1000 to 14.2.760 and lost nearly all of my shared policies. 14.2.760 was the first version of 14.2 that i have touched.

David Fauci -

Did you lose Non-Shared or Shared Policies?  We have many reports of the build correcting the issue with Non-Shared Policies.  If your non-shared policies were removed in this upgrade I encourage you to open a case.

Thanks,
John Owens