This document lists the new fixes and component versions in Symantec Endpoint Protection (SEP) 12.1 Release Update 6 Maintenance Pack 5 (12.1.6 MP5). This information supplements the information found in the Release Notes.

In addition to the following fixes, this release addresses the following security advisories:

• Symantec Decomposer Engine Multiple Parsing Vulnerabilities (SYM16-010)
• Symantec Endpoint Protection Manager Multiple Security Issues (SYM16-011)

New Fixes

SEPM entries do not separate correctly on Syslog

FIX ID: 3784668

Symptom: Some messages received by Syslog Server from Symantec Endpoint Protection Manager are not being separated correctly. This occurs because Symantec Endpoint Protection Manager uses \r for an end-of-line character escape when forwarding to a Syslog Server, and the industry standard is \n.

Solution: The management console now provides a dropdown list so that you can select the end-of-line separator when using TCP mode to send logs to Syslog Server.

IPS exclusion for Host Group by Subnet stopped working after upgrade to 12.1.5

FIX ID: 3816728

Symptom: For an IPS exclusion, when using a subnet exclusion like 10.13.10.210 with netmask 255.255.255.255, the exclusion fails. All of the exclusion entries that follow fail as well.

Solution: Using netmask 255.255.255.255 no longer causes an IPS exclusion failure.

Citrix system hangs randomly with 12.1.4 in conhost.exe

FIX ID: 3819417 

Symptom: The Citrix VDI client computer hangs randomly due to a crash of the process conhost.exe.

Solution: Upgraded the Symantec Endpoint Protection client with SymEFA 6.0.2 to solve these deadlock issues.

Linux client fails to register with SEPM with error 400

FIX ID: 3827790 

Symptom: The Linux client for Symantec Endpoint Protection fails to register to the management console. The attempt returns the HTTP error code 400.

Solution: Increased the size of the allowable client registration data, which can also now be configured through the registry key:

• Registry location: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\SEPM\MaxPostDataLength
• Valid value range: 4096 to 128*1024

IPS definitions incorrectly display as "Not Available" in SEPM

FIX ID: 3840898

Symptom: In the client view in Symantec Endpoint Protection Manager, the IPS definitions display as “Not Available”. However, when viewing individual client information, the definitions are actually correct and up-to-date.

Solution: Changed the query to only request the client IPS-related revisions on the displayed list of clients.

ccSvcHst.exe crashes frequently due to heap corruption

FIX ID: 3864196

Symptom: An intermittent but frequent ccSvcHst.exe crash indicates memory heap corruption.

Solution: Updated LiveUpdate Engine from a version that caused this side effect to one that resolves the issue (2.4).

After upgrade to SEP 12.1.5 from 12.1.2, scheduled scans take a very long time

FIX ID: 3865630

Symptom: After an upgrade to Symantec Endpoint Protection 12.1.5 from 12.1.2, scheduled scans take a very long time.  Debug logging references the message “User is not Idle.” No user is logged on at the time of the scan.

Solution: Updated the Common Client component.

Docker container cannot run with Auto-Protect driver on CentOS 7.1

FIX ID: 3869840

Symptom: Auto-Protect method for detecting attempts to write to file fails on computers that run CentOS 7.1.

Solution: Auto-Protect now interacts correctly in the filesystem’s namespace, allowing these calls to complete successfully.

Time discrepancy in the risk logs

FIX ID: 3890083

Symptom: In Symantec Endpoint Protection Manager exported risk logs, the event date is later than the event end date.

Solution: Modified the logic to modify the event end date instead of the event date.

Policy serial number displays the local time zone instead of GMT for some SEPM groups

FIX ID: 3895213

Symptom: The policy serial number contains a locally formatted time stamp, which causes the policy to display the local time zone instead of GMT for those groups in the management console.

Solution: Displays the GMT time stamp for the policy where it should.

GUP on Windows Server 2012 fails to update clients

FIX ID: 3904878

Symptom: Group Update Providers running Windows Server 2012 fail to update clients, because the clients are not able to download definitions from them. Group Update Providers running Windows Server 2003 do not experience this issue.

Solution: Added the process ccSvcHst.exe as an exception to Microsoft's firewall rules.

SEP removes third-party service during upgrade

FIX ID: 3917002

Symptom: During an upgrade, Symantec Endpoint Protection removes a service called CCProxy from a third-party product, due to a shared name with a service from an older unsupported Symantec product. The removal of this service causes the application that uses it to fail.

Solution: Modified the code that removed this service.

Crash of smcd due to “Update Now” commands received simultaneously

FIX ID: 3922331

Symptom: On the Symantec Endpoint Protection client for Linux, the process smcd crashes with a segmentation fault in libpthread if the client receives two "Update Now" commands at the same time.

Solution: Modified the code so that it now correctly handles receiving two "Update Now" commands received at the same time.  One command is rejected as a duplicate. The other command proceeds as expected.

SEP client ccSvcHst.exe crashes during startup

FIX ID: 3941776

Symptom: SEP client does not start due to it crashing during startup with an invalid read in ccSvcHst.exe, module oleaut32.dll.

Solution: Modified the code so that it correctly handles the crash and leak.

BSOD after upgrading to 12.1.6

FIX ID: 3809513

Symptom: After an upgrade to 12.1.6, the Symantec Endpoint Protection client does not start due to a SymEFA crash.

Solution: Fixed the code that was not executing properly.

Power Eraser events are incorrectly handled

FIX ID: 3813616

Symptom: Any single risk event is logged with a recommendation of running Power Eraser regardless of whether or not it was actually required.  No Power Eraser notifications are being triggered.

Solution: Single risk events are no longer flagged as requiring Power Eraser.

AutoUpgrade fails on some clients where multiple product codes are identified in the registry

FIX ID: 3885749

Symptom: Upgrades initiated through AutoUpgrade fail, even though the installed version is older and should be upgraded. This failure occurs because multiple Symantec Endpoint Protection product codes are found in the Windows Registry, under Installer\UpgradeCodes.

Solution: AutoUpgrade now uses information from the most recent product code set.

In the Full Definitions Report, 12.1.4, 12.1.5, and 12.1.6 clients indicate they do not support XDelta

FIX ID: 3839455

Symptom: In the Full Definitions Request report viewable in Symantec Endpoint Protection Manager, clients that run versions 12.1.4 – 12.1.6 list Reason Code 8, “Client did not support XDelta,” as to why full content was provided. These client versions support XDelta.

Solution: In this situation, Reason Code 8 indicates that the server sends the full set of definitions due to a failure to send the delta.

Auto-Protect does not work with Ubuntu 16.04

FIX ID: 3910719

Symptom: Symantec Endpoint Protection Auto-Protect kernel modules do not compile on Ubuntu 16.04.

Solution: Auto-Protect now successfully compiles and loads on Ubuntu 16.04.

SEP 12.1.5 for Linux clients fail to register with SEPM if no default gateway is configured

FIX ID: 3793209

Symptom: A Symantec Endpoint Protection client for Linux that does not have a default IP address does not register to the management console that shares the same default gateway in the network.

Solution: Linux client now validates the default gateway IP before using it. If the value is null, it assigns 0.0.0.0 instead.

Auto-Protect does not work with Ubuntu 14.04 (64-bit kernel 4.2.8-040208)

FIX ID: 3906089

Symptom: Symantec Endpoint Protection client for Linux does not work on Ubuntu 14.04 with kernel version 4.2 because the filename structure of the kernel changed.

Solution: Accounted for changes in 4.2 kernel to allow Auto-Protect to compile, load, and protect.

BSOD in a Hyper-V environment when upgrading to 12.1.6

FIX ID: 3847456

Symptom: Upgrading the Symantec Endpoint Protection client from 12.1.4 to 12.1.6 on Hyper-V cluster servers causes continuous BSODs.

Solution: No longer calls certain SymEFA APIs when dealing with Cluster Shared Volumes (CSV) or network volumes.

Linux client fails to register with SEPM with error: HTTP 400

FIX ID: 3864271

Symptom: An HTTP 400 error occurs when the Symantec Endpoint Protection client for Linux tries to connect and register with Symantec Endpoint Protection Manager.

Solution: Corrected the limit of the client’s registration data file size. This change allows clients with data files greater than 4MB to successfully connect and register.

Server hangs due to SRTSP64.sys

FIX ID: 3908313

Symptom: Windows Server 2008 hangs, and the memory dump points to an issue with SRTSP64.sys in fltmgrFltAcquirePushLockExclusive.

Solution: For Auto-Protect, introduced a locking hierarchy among the threads, which does not hold more than one lock at a time (nested exclusive locks).

BSOD with BugCheck USER_MODE_HEALTH_MONITOR (9e) on Windows Cluster servers

FIX ID: 3911039

Symptom: On a clustered server configuration, computers experience a BSOD with a stop code of USER_MODE_HEALTH_MONITOR (9e).

Solution: Changed Auto-Protect to properly handle work items to prevent the BSOD.

Domain Controller server intermittently unresponsive after an upgrade to 12.1 RU6 MP1a

FIX ID: 3916567

Symptom: The server becomes unusable and unresponsive shortly after an upgrade to 12.1 RU6 MP1a.

Solution: Resolved issue within the DNS Cache component of the SymNetS driver, so that it only tracks Symantec Endpoint Protection client DNS resolutions, instead of all server DNS resolutions.
 

Component Versions in Symantec Endpoint Protection 12.1.7004.6500

Red text indicates components that have updated for this release.

An asterisk (*) indicates the component version that is included with the release, but might be updated by LiveUpdate when a newer version is released.