In October, 2016, the SHA-1 certificate that Symantec uses to validate reputation lookups expires. A new SHA-2 certificate replaces it. However, the Windows XP (SP 2 and earlier, 32-bit or 64-bit) and Windows Server 2003 (SP2 and earlier) operating system libraries that facilitate client communication and certificate validation do not properly validate SHA-2 certificates. Therefore, the efficacy of the Symantec Endpoint Protection (SEP) client lowers because it cannot correctly validate reputation lookups.

To prevent this scenario, you must ensure that you apply one of the following hotfixes:

• Windows Server 2003 and Windows XP clients cannot obtain certificates from a Windows Server 2008-based certification authority (CA) if the CA is configured to use SHA2 256 or higher encryption
• MS13-095: Vulnerability in XML digital signatures could allow denial of service: November 12, 2013

Affected operating systems:

• Windows XP SP 2 and earlier, 32-bit and 64-bit
• Windows Server 2003 SP2 and earlier