This document lists the new fixes and component versions in Symantec Endpoint Protection (SEP) 14 Maintenance Pack 2 (14 MP2). This information supplements the information found in the Release Notes.
FIX ID: 4071163, 4071509, 4075683, 4079555, 4080313, 4082812, 4083960, 4085244
Symptom: Servers and desktop computers lock up or hang after they upgrade to Symantec Endpoint Protection 14 MP1. During this hang, you cannot connect remotely to the systems using programs such as Remote Desktop Connection. This issue also occurs with virtualized servers and desktop computers hosted on VMware and Hyper-V. You do not get a log on screen, nor can you access anything on the computers while they are in this state, though the affected systems may respond to pings. This issue appears to occur at random. A restart allows the affected computers to work again, but the issue may return.
Solution: Changed the Auto-Protect code so that it does not encounter deadlocks under certain circumstances.
FIX ID: 4072746
Symptom: After you authenticate and get a new REST API token for Symantec Endpoint Protection Manager, and then invalidate the token, you continue to see ping requests in catalinaWS.out and KeepAlive-*.log.
Solution: Added a check so that when the token is invalidated, the keep-alive task cancels and logs out from Symantec Endpoint Protection Manager.
FIX ID: 4078751
Symptom: Symantec Endpoint Protection clients fail to obtain content from Group Update Providers over slow wide-area network (WAN) links.
Solution: Corrected an issue where the Group Update Provider incorrectly handled the HTTP response code 400 from Symantec Endpoint Protection Manager, which caused the content corruption.
FIX ID: 4083632
Symptom: Symantec Endpoint Protection clients for Linux fail to connect to Symantec Endpoint Protection Manager servers using HTTPS. These clients report as offline.
Solution: Updated the build script to let pkg-config pick up the correct packages.
FIX ID: 4073991
Symptom: You install Symantec Endpoint Protection 14 MP1 on a MacBook Pro that runs macOS 10.12.3 and with TouchID enabled. You enable device control with a rule to block USB. After you upgrade the operating system to 10.12.4 from the App Store, the enrollment of a fingerprint with TouchID fails. Touch ID also does not work for existing fingerprints. When you uninstall Symantec Endpoint Protection, Touch ID works again as expected.
Solution: Updated code to let the operating system arbitrate an EFI partition in mount callback.
FIX ID: 4082774
Symptom: ccSvcHst.exe crashes when it reaches the 2GB limit and returns a memory allocation failure.
Solution: Fixed the memory allocation failure by catching the exception instead of crashing.
FIX ID: 4085443
Symptom: An upgrade of Symantec Endpoint Protection Manager from 12.1.6 MP7 to 14 MP2 results in an error. When you log on, the following error message displays: "Unexpected server error. ErrorCode: 0x10010000." The first three tabs (Home, Monitors, and Reports) are also blank.
Solution: Separated the way the embedded database and the SQL Server database are handled.
FIX ID: 4061009
Symptom: LiveUpdate for Symantec Endpoint Protection for Mac fails to honor the setting not to use the proxy, and incorrectly connects to the system-configured proxy server.
Solution: This setting is now saved in the agent settings, and is honored by LiveUpdate.
FIX ID: 4073563
Symptom: You have set Symantec Endpoint Protection Manager-client communications to use SSL on port 443, and have blocked port 8014. Under certain conditions, however, auto-upgrade for Symantec Endpoint Protection clients for Mac uses a hardcoded port of 8014 even in cases where it would normally use 443. As a result, auto-upgrade fails.
Solution: Auto-upgrade now reads the port and protocol for use from the SyLink file, which is used for heartbeat communication.
FIX ID: 4074655
Symptom: After you install Symantec Endpoint Protection 14 MP1, client computers get continuous popups when they connect to Wi-Fi: "Symantec Vulnerability Protection has found and blocked an ARP Cache Poison attempt (99990)."
Solution: Updated the code so that the notification displays if the global IPS notification is enabled.
FIX ID: 4075166
Symptom: An Application and Device Control rule to block Excel and Word from launching cmd.exe and powershell.exe does not work on 32-bit Windows 8 or 10 when Microsoft's Enhanced Mitigation Experience Toolkit (EMET) protects the applications.
Solution: Updated the method by which certain instructions are dealt with, to prevent issues.
FIX ID: 4077572
Symptom: Symantec Endpoint Protection Auto-Protect detects dwhxxx.lnk files in the folder C:\ProgramData\Symantec\DefWatch.DWH\ as Trojan.gen. These files are linked to files that are already quarantined.
Solution: Gave the file handling implementation to ccSvcHst, so that access to the folder is only granted to SYSTEM.
FIX ID: 4077957
Symptom: You configure Symantec Endpoint Protection Manager to export log files to a Syslog server. However, the logs that you see in the Symantec Endpoint Protection Manager user interface do not match those on the Syslog server.
Solution: Made changes to pick up all detected threat names for log export from the database.
FIX ID: 4078747
Symptom: After you install a Windows update (KB3188730, released on January 29th, 2017) to computers in your network, you find several managed client computers where the Symantec Endpoint Protection master service (ccSvcHst.exe) does not start or does not stay started. The service instead crashes.
Solution: Added code to ensure ccSvcHst.exe starts when encountering a specific return value while starting Sylink threads on a managed client.
FIX ID: 4078764
Symptom: The Symantec Endpoint Protection Manager dashboard graphs do not populate when certain conditions are met. Instead the following database error message displays: "[SQL Server] Incorrect syntax near the keyword 'and'."
Solution: Corrected the syntax error in the query.
FIX ID: 4080359
Symptom: As Symantec Endpoint Protection processes compressed files during an on-demand scan or a custom scan, the scan freezes, and does not scan the remaining files.
Solution: Fixed a thread synchronization issue when handling a callback.
FIX ID: 4080362
Symptom: With Symantec Endpoint Protection 14 installed, Citrix roaming profiles cannot be deleted because of locked Windows Error Reporting (WER) folders.
Solution: Fixed the code to allow the roaming profiles to be deleted.
FIX ID: 4080669
Symptom: Application Control stops preventing USB writing after you push application control rules from Advanced Threat Protection.
Solution: Sanitized the input hashes to lowercase so that sorting logic works as expected.
FIX ID: 4082749
Symptom: With the SMC service started, the Adobe Flash Player component included with Chrome does not update. If you check for an Adobe Flash Player update through chrome://components, it downloads an update and attempts to install it. However, the update does not complete, and ends with the message, "Component not updated."
Solution: Added a check to coordinate and prevent the simultaneous access of files.
FIX ID: 4082750
Symptom: Definitions on the Symantec Endpoint Protection clients do not update. The logs show the message, "Error: Content update general error (0xE0010001), DuResult: Failed to acquire LiveUpdate lock (39)."
Solution: Updated code to ignore any failures with moving or copying content after download, in order to allow the update process to complete.
FIX ID: 4086493
Symptom: You are not able to move a client if the Active Directory structure contains accounts that do not have Symantec Endpoint Protection installed.
Solution: Fixed by ignoring NULL hardware keys.
FIX ID: 4005721
Symptom: During an upgrade from 14 to a newer release, the upgrade window still asks for SQL system administrator (SA) credentials even though the credentials are not needed.
Solution: Prevented the display of the user credential panel when upgrading from SEP 14 to a later version.
FIX ID: 4059894
Symptom: The Symantec Endpoint Protection client (SymDaemon) installed on macOS 10.12 (Sierra) intermittently crashes.
Solution: Fixed race condition for Auto-Protect preferences that caused the crash.
FIX ID: 4082744
Symptom: Windows Server 2016 incorrectly appears in reports and logs as "Windows Server 2015."
Solution: Fixed the display strings to "Windows Server 2016."
FIX ID: 4080751
Symptom: Reputation query submissions to Symantec Insight Private Cloud (SIPC) fail for Symantec Endpoint Protection 14 clients.
Solution: Corrected an issue where Symantec Endpoint Protection Manager 12.1 site properties for SIPC settings did not work with Symantec Endpoint Protection 14 clients.
FIX ID: 4075908
Symptom: When you manually remove the Auto-Protect package on the Linux client, virus and spyware protection definitions do not show for these clients in some areas within Symantec Endpoint Protection Manager.
Solution: Updated the database queries to show the virus and spyware protection definitions when Auto-Protect is not installed.
FIX ID: 4075936
Symptom: After you create an Application and Device Control policy against a couple of ransomware samples, you notice that something prevents sysfer.dll from being injected, resulting in the threat possibly being invisible to ADC.
Solution: Updated code so that sysfer.dll injects into certain processes.
FIX ID: 4082572
Symptom: You notice that the daily scheduled LiveUpdate runs later than the scheduled time by a few minutes every day.
Solution: Added code to refresh the timer so that the following daily scheduled event occurs at a fixed time of the day as configured.
FIX ID: 4082747
Symptom: After you enable the Network Threat Protection events in the Client Security Alert notifications, the report does not include the events for Browser Protection Detection, nor does it allow the notification to include them.
Solution: Added the Browser Protection Detection events in the Client Security Alert notification for Network Threat Protection.
FIX ID: 4077588
Symptom: When using the Best Application Performance scan tuning options on a busy (non-idle) system, the virus and spyware protection scan does not seem to end. This continuous scan leads to secondary symptoms, like definitions failing to update due to a scan in progress.
Solution: Updated what was preventing the maximum scan throttling limit from functioning.
FIX ID: 4082767
Symptom: The Symantec Endpoint Protection for Linux kernel objects SymAP and SymEV do not auto-compile or load as expected for kernel 3.16.0-4-amd64 for Debian 8 Jessie.
Solution: The auto-compile script for building AutoProtect now supports Debian 8.
The build number for this release is 14.0.2415.0200. Red text indicates components that have been updated for this release.
| Component | DLL File | DLL Version | SYS File | SYS Version |
|---|---|---|---|---|
| AutoProtect | srtsp64.dll | 15.0.16.27 | srtsp64.sys | 15.0.16.23 |
| BASH Defs | BHEngine.dll Seq#= 20170322.001 | 11.1.1.6 | BHDrvx64.sys | 11.1.1.6 |
| BASH Framework | BHClient.dll | 10.1.1.52 | N/A | - |
| CC | ccLib.dll | 13.2.1.26 | ccSetx64.sys | 13.1.1.11 |
| CIDS Defs | IDSxpx86.dll Seq#= 20161130.100 | 15.2.4.5 | IDSviA64.sys | 15.2.3.14 |
| CIDS Framework | IDSAux.dll | 15.2.2.22 | N/A | - |
| ConMan | version.txt | 2.1.3.14 | N/A | - |
| D2D | version.txt | 1.2.1.5 | N/A | - |
| D2D_Latest | version.txt | 1.5.0.38 | N/A | - |
| DecABI | dec_abi.dll | 2.3.5.10 | N/A | - |
| DefUtils | DefUtDCD.dll | 4.16.0.19 | N/A | - |
| DuLuCallback | DuLuCbk.dll | 1.8.0.12 | N/A | - |
| ERASER | cceraser.dll | 117.1.0.231 | eraser64.sys | 117.1.0.231 |
| IRON | Iron.dll | 7.0.3.15 | Ironx64.sys | 7.0.2.33 |
| LiveUpdate | LUEng.dll | 2.4.0.26 | N/A | - |
| MicroDefs | patch25d.dll | 5.1.0.22 | N/A | - |
| SDS Engine | sds_engine_x86.dll Seq#= 20170519.004 | 1.3.1.315 | N/A | - |
| SIS | SIS.dll | 91.12.4400.5000 | N/A | - |
| STIC | stic.dll | 1.2.0.188 | N/A | - |
| SymDS | DSCli.dll | 6.2.0.17 | N/A | - |
| SymEFA | EFACli64.dll | 6.3.0.15 | SymEFASI64.sys | 6.3.0.10 |
| SymELAM | ELAMCli.dll | 2.0.1.95 | SymELAM.sys | 2.0.1.85 |
| SymEvent | Sevntx64.exe | 14.0.4.24 | SymEvent.sys | 14.0.4.16 |
| SymNetDrv | SNDSvc.dll | 15.2.2.7 | symnets.sys | 15.2.2.7 |
| SymScan | ccScanW.dll | 14.1.3.4 | N/A | - |
| SymVT | version.txt | 7.1.1.22 | N/A | - |
| WLU(SEPM) | LuComServerRes.dll | 3.3.200.50 | N/A | - |