New fixes and component versions in Symantec Endpoint Protection 14 MP2


Article ID: 150633


Products

Endpoint Protection


Resolution

This document lists the new fixes and component versions in Symantec Endpoint Protection (SEP) 14 Maintenance Pack 2 (14 MP2). This information supplements the information found in the Release Notes.


New fixes

SEP 14 MP1 causes random hangs on servers and desktops

FIX ID: 4071163, 4071509, 4075683, 4079555, 4080313, 4082812, 4083960, 4085244

Symptom: Servers and desktop computers lock up or hang after they upgrade to Symantec Endpoint Protection 14 MP1. During this hang, you cannot connect remotely to the systems using programs such as Remote Desktop Connection. This issue also occurs with virtualized servers and desktop computers hosted on VMware and Hyper-V. You do not get a logon screen, nor can you access anything on the computers while they are in this state, though the affected systems may respond to pings. This issue appears to occur at random. A restart allows the affected computers to work again, but the issue may return.

Solution: Changed the Auto-Protect code so that it does not encounter deadlocks under certain circumstances.

 

Each expired SEPM authentication token leaves an unnecessary thread running

FIX ID: 4072746

Symptom: After you authenticate and get a new REST API token for Symantec Endpoint Protection Manager, and then invalidate the token, you continue to see ping requests in catalinaWS.out and KeepAlive-*.log.

Solution: Added a check so that when the token is invalidated, the keep-alive task cancels and logs out from Symantec Endpoint Protection Manager.

 

GUPs at remote branches do not update content across slow WAN links

FIX ID: 4078751

Symptom: Symantec Endpoint Protection clients fail to obtain content from Group Update Providers over slow wide-area network (WAN) links.

Solution: Corrected an issue where the Group Update Provider incorrectly handled the HTTP response code 400 from Symantec Endpoint Protection Manager, which caused the content corruption.

 

SEPFL client is unable to connect to SEPM with HTTPS, client reports offline

FIX ID: 4083632

Symptom: Symantec Endpoint Protection clients for Linux fail to connect to Symantec Endpoint Protection Manager servers using HTTPS. These clients report as offline.

Solution: Updated the build script to let pkg-config pick up the correct packages.

 

"Touch ID Failed. Unable to complete Touch ID Setup" with SEP installed on 2016 MacBook Pros

FIX ID: 4073991

Symptom: You install Symantec Endpoint Protection 14 MP1 on a MacBook Pro that runs macOS 10.12.3 with Touch ID enabled. You enable device control with a rule to block USB. After you upgrade the operating system to 10.12.4 from the App Store, the enrollment of a fingerprint with Touch ID fails. Touch ID also does not work for existing fingerprints. When you uninstall Symantec Endpoint Protection, Touch ID works again as expected.

Solution: Updated code to let the operating system arbitrate an EFI partition in mount callback.

 

ccSvcHst.exe crashes with an allocation error

FIX ID: 4082774

Symptom: ccSvcHst.exe crashes when it reaches the 2GB limit and returns a memory allocation failure.

Solution: Fixed the memory allocation failure by catching the exception instead of crashing.

 

An upgrade from 12.1.6 MP7 to 14 MP2 causes an error with the embedded DB

FIX ID: 4085443

Symptom: An upgrade of Symantec Endpoint Protection Manager from 12.1.6 MP7 to 14 MP2 results in an error. When you log on, the following error message displays: "Unexpected server error. ErrorCode: 0x10010000." The first three tabs (Home, Monitors, and Reports) are also blank.

Solution: Separated the way the embedded database and the SQL Server database are handled.

 

SEP for Mac LiveUpdate does not honor the "Do Not Use Proxy" setting

FIX ID: 4061009

Symptom: LiveUpdate for Symantec Endpoint Protection for Mac fails to honor the setting not to use the proxy, and incorrectly connects to the system-configured proxy server.

Solution: This setting is now saved in the agent settings, and is honored by LiveUpdate.

 

AutoUpgrade fails on SEP for Mac clients

FIX ID: 4073563

Symptom: You have set Symantec Endpoint Protection Manager-client communications to use SSL on port 443, and have blocked port 8014. Under certain conditions, however, auto-upgrade for Symantec Endpoint Protection clients for Mac uses a hardcoded port of 8014 even in cases where it would normally use 443. As a result, auto-upgrade fails.

Solution: Auto-upgrade now reads the port and protocol for use from the SyLink file, which is used for heartbeat communication.

 

IPS notifications appear after turning IPS off

FIX ID: 4074655

Symptom: After you install Symantec Endpoint Protection 14 MP1, client computers get continuous popups when they connect to Wi-Fi: "Symantec Vulnerability Protection has found and blocked an ARP Cache Poison attempt (99990)."

Solution: Updated code so that the notification displays if the global IPS notification is enabled.

 

Microsoft EMET prevents ADC rules from properly functioning

FIX ID: 4075166

Symptom: An Application and Device Control rule to block Excel and Word from launching cmd.exe and powershell.exe does not work on 32-bit Windows 8 or 10 when Microsoft's Enhanced Mitigation Experience Toolkit (EMET) protects the applications.

Solution: Updated the method by which certain instructions are dealt with, to prevent issues.

 

SEP detects dwhxxx.lnk as Trojan.Gen

FIX ID: 4077572

Symptom: Symantec Endpoint Protection Auto-Protect detects dwhxxx.lnk files in the folder C:\ProgramData\Symantec\DefWatch.DWH\ as Trojan.Gen. These files are linked to files that are already quarantined.

Solution: Gave the file handling implementation to ccSvcHst, so that access to the folder is only granted to SYSTEM.

 

SEPM does not export log files to Syslog server as expected

FIX ID: 4077957

Symptom: You configure Symantec Endpoint Protection Manager to export log files to a Syslog server. However, the logs that you see in the Symantec Endpoint Protection Manager user interface do not match those on the Syslog server.

Solution: Made changes to pick up all detected threat names for log export from the database.

 

SEP service does not stay started after installing a Windows update

FIX ID: 4078747

Symptom: After you install a Windows update (KB3188730, released on January 29th, 2017) to computers in your network, you find several managed client computers where the Symantec Endpoint Protection master service (ccSvcHst.exe) does not start or does not stay started. The service instead crashes.

Solution: Added code to ensure ccSvcHst.exe starts when encountering a specific return value while starting Sylink threads on a managed client.

 

SEPM dashboard graphs do not populate in a certain configuration

FIX ID: 4078764

Symptom: The Symantec Endpoint Protection Manager dashboard graphs do not populate when certain conditions are met. Instead the following database error message displays: "[SQL Server] Incorrect syntax near the keyword 'and'."

Solution: Corrected the syntax error of the query.

 

On-demand or custom scans freeze or stop while scanning certain files in 14 MP1

FIX ID: 4080359

Symptom: As Symantec Endpoint Protection processes compressed files during an on-demand scan or a custom scan, the scan freezes, and does not scan the remaining files.

Solution: Fixed a thread synchronization issue when handling a callback.

 

Citrix roaming profiles cannot be deleted due to locked WER folders

FIX ID: 4080362

Symptom: With Symantec Endpoint Protection 14 installed, Citrix roaming profiles cannot be deleted because of locked Windows Error Reporting (WER) folders.

Solution: Fixed the code to allow the roaming profiles to be deleted.

 

Application Control stops preventing USB writing

FIX ID: 4080669

Symptom: Application Control stops preventing USB writing after you push application control rules from Advanced Threat Protection.

Solution: Sanitized the input hashes to lowercase so that sorting logic works as expected.

 

Chrome's Adobe Flash component fails to update with SMC started

FIX ID: 4082749

Symptom: With the SMC service started, the Adobe Flash Player component included with Chrome does not update. If you check for an Adobe Flash Player update through chrome://components, it downloads an update and attempts to install it. However, the update does not complete, and ends with the message, "Component not updated."

Solution: Added a check to coordinate and prevent the simultaneous access of files.

 

Clients fail to update content due to a general error

FIX ID: 4082750

Symptom: Definitions on the Symantec Endpoint Protection clients do not update. The logs show the message, "Error: Content update general error (0xE0010001), DuResult: Failed to acquire LiveUpdate lock (39)."

Solution: Updated code to ignore any failures with moving or copying content after download, in order to allow the update process to complete.

 

Cannot move client in an Active Directory structure

FIX ID: 4086493

Symptom: You are not able to move a client if the Active Directory structure contains accounts that do not have Symantec Endpoint Protection installed.

Solution: Fixed by ignoring NULL hardware keys.

 

After an upgrade to 14, subsequent upgrade prompts for SQL SA credentials when it should not

FIX ID: 4005721

Symptom: During an upgrade from 14 to a newer release, the upgrade window still asks for SQL system administrator (SA) credentials even though the credentials are not needed.

Solution: Prevented the display of the user credential panel when upgrading from SEP 14 to a later version.

 

SymDaemon intermittently crashes on macOS 10.12

FIX ID: 4059894

Symptom: The Symantec Endpoint Protection client (SymDaemon) installed on macOS 10.12 (Sierra) intermittently crashes.

Solution: Fixed a race condition for Auto-Protect preferences that caused the crash.

 

Windows Server 2016 incorrectly displays as "Windows Server 2015"

FIX ID: 4082744

Symptom: Windows Server 2016 incorrectly appears in reports and logs as "Windows Server 2015."

Solution: Fixed the display strings to "Windows Server 2016."

 

Reputation queries to Symantec Insight Private Cloud fail

FIX ID: 4080751

Symptom: Reputation query submissions to Symantec Insight Private Cloud (SIPC) fail for Symantec Endpoint Protection 14 clients.

Solution: Corrected an issue where Symantec Endpoint Protection Manager 12.1 site properties for SIPC settings did not work with Symantec Endpoint Protection 14 clients.

 

SEPFL clients that uninstall Auto-Protect do not show the definitions within SEPM

FIX ID: 4075908

Symptom: When you manually remove the Auto-Protect package on the Linux client, virus and spyware protection definitions do not show for these clients in some areas within Symantec Endpoint Protection Manager.

Solution: Updated the database queries to show the virus and spyware protection definitions when Auto-Protect is not installed.

 

Ransom malware able to prevent ADC sysfer.dll injection

FIX ID: 4075936

Symptom: After you create an Application and Device Control policy against a couple of ransomware samples, you notice that something prevents sysfer.dll from being injected, resulting in the threat possibly being invisible to ADC.

Solution: Updated code so that sysfer.dll injects into certain processes.

 

LiveUpdate on SEP for Linux delays by a few minutes every day

FIX ID: 4082572

Symptom: You notice that the daily scheduled LiveUpdate runs later than the scheduled time by a few minutes every day.

Solution: Added code to refresh the timer so that the following daily scheduled event occurs at a fixed time of the day as configured.

 

No notifications are available within SEPM for Browser Protection detection

FIX ID: 4082747

Symptom: After you enable the Network Threat Protection events in the Client Security Alert notifications, the report does not include the events for Browser Protection Detection, nor does it allow the notification to include them.

Solution: Added the Browser Protection Detection events in the Client Security Alert notification for Network Threat Protection.

 

Continuous virus scan leads to additional symptoms

FIX ID: 4077588

Symptom: When using the Best Application Performance scan tuning options on a busy (non-idle) system, the virus and spyware protection scan does not seem to end. This continuous scan leads to secondary symptoms, like definitions failing to update due to a scan in progress.

Solution: Fixed the issue that prevented the maximum scan throttling limit from functioning.

 

SEP for Linux does not auto-compile for Debian 8 Jessie as expected

FIX ID: 4082767

Symptom: The Symantec Endpoint Protection for Linux kernel objects SymAP and SymEV do not auto-compile or load as expected for kernel 3.16.0-4-amd64 for Debian 8 Jessie.

Solution: The auto-compile script for building AutoProtect now supports Debian 8.

 

Component versions

The build number for this release is 14.0.2415.0200. Red text indicates components that have updated for this release.

| Component | DLL File | DLL Version | SYS File | SYS Version |
|---|---|---|---|---|
| AutoProtect | srtsp64.dll | 15.0.16.27 | srtsp64.sys | 15.0.16.23 |
| BASH Defs | BHEngine.dll | Seq#= 20170322.001, 11.1.1.6 | BHDrvx64.sys | 11.1.1.6 |
| BASH Framework | BHClient.dll | 10.1.1.52 | N/A | - |
| CC | ccLib.dll | 13.2.1.26 | ccSetx64.sys | 13.1.1.11 |
| CIDS Defs | IDSxpx86.dll | Seq#= 20161130.100, 15.2.4.5 | IDSviA64.sys | 15.2.3.14 |
| CIDS Framework | IDSAux.dll | 15.2.2.22 | N/A | - |
| ConMan | version.txt | 2.1.3.14 | N/A | - |
| D2D | version.txt | 1.2.1.5 | N/A | - |
| D2D_Latest | version.txt | 1.5.0.38 | N/A | - |
| DecABI | dec_abi.dll | 2.3.5.10 | N/A | - |
| DefUtils | DefUtDCD.dll | 4.16.0.19 | N/A | - |
| DuLuCallback | DuLuCbk.dll | 1.8.0.12 | N/A | - |
| ERASER | cceraser.dll | 117.1.0.231 | eraser64.sys | 117.1.0.231 |
| IRON | Iron.dll | 7.0.3.15 | Ironx64.sys | 7.0.2.33 |
| LiveUpdate | LUEng.dll | 2.4.0.26 | N/A | - |
| MicroDefs | patch25d.dll | 5.1.0.22 | N/A | - |
| SDS Engine | sds_engine_x86.dll | Seq#= 20170519.004, 1.3.1.315 | N/A | - |
| SIS | SIS.dll | 91.12.4400.5000 | N/A | - |
| STIC | stic.dll | 1.2.0.188 | N/A | - |
| SymDS | DSCli.dll | 6.2.0.17 | N/A | - |
| SymEFA | EFACli64.dll | 6.3.0.15 | SymEFASI64.sys | 6.3.0.10 |
| SymELAM | ELAMCli.dll | 2.0.1.95 | SymELAM.sys | 2.0.1.85 |
| SymEvent | Sevntx64.exe | 14.0.4.24 | SymEvent.sys | 14.0.4.16 |
| SymNetDrv | SNDSvc.dll | 15.2.2.7 | symnets.sys | 15.2.2.7 |
| SymScan | ccScanW.dll | 14.1.3.4 | N/A | - |
| SymVT | version.txt | 7.1.1.22 | N/A | - |
| WLU(SEPM) | LuComServerRes.dll | 3.3.200.50 | N/A | - |