New fixes and component versions in Symantec Endpoint Protection 14.0.1 (14 RU1)


Article ID: 150723




Endpoint Protection




This document lists the new fixes and component versions in Symantec Endpoint Protection (SEP) 14.0.1 (14 RU1). This information supplements the information found in the Release Notes.

New fixes

Auto-Protect exception does not work for a share’s subfolders

Fix ID: 3877677

Symptoms: An Auto-Protect exception for a sub-folder of a mapped drive does not work if the drive was mapped to a sub-folder of a share.

Solution: Fixed discrepancies in the relative paths, which are needed for the exception. Trimmed the path to be relative to the root of the drive rather than the share.


ALS changes location to Public every few hours

Fix ID: 3910243

Symptoms: Automatic location switching (ALS) unexpectedly changes the location to Public every few hours.

Solution: Changed the way the DNS lookup cache refreshes when the DNS server IP changes due to network updates, so that the hostname always resolves and location switching is prevented.


SEPM does not purge administrators from database after deleting them

Fix ID: 3926000

Symptoms: After you delete SEPM administrators, the Symantec Endpoint Protection Manager database does not delete them.

Solution: Fixed a missing argument value in the SQL query that sets the timestamp value required for purging database records.


Writing EFS-encrypted files to a USB drive results in a zero-byte file name

Fix ID: 3932765

Symptoms: An Application and Device Control policy is set to read-only and blocks all write activity to USB storage. When you create an Encrypting File System (EFS)-encrypted file and attempt to write it to a USB drive, the action unexpectedly generates a zero-byte file on the USB drive. For a non-EFS-encrypted file, the write fails and no file name is generated, which is expected. 

Solution: Removed lsass.exe from the whitelist, which blocks the creation of the zero-byte file.


Unable to load Windows after 12.1.6 MP3 installation

Fix ID: 3934030

Symptoms: After you install Symantec Endpoint Protection 12.1.6 MP3 to a server operating system, it stays on the Windows logo after a restart.

Solution: Fixed the driver loading sequence, so that SymNets loads after AFD.sys.


Host Integrity check fails for “AV definition not updated” even if definitions update

Fix ID: 3952857

Symptoms: The Host Integrity check fails an antivirus-related HI policy, even if the definitions are fully up to date.

Solution: The check now first tries to load SymVPN.dll from the Symantec installation path. If the .dll fails to load from there, only then does the check try to load this file from the system path.


Servers with SEP 12.1.6 MP1a installed do not run a weekend scheduled scan as expected

Fix ID: 3957316

Symptoms: High-load servers that have version 12.1.6 MP1a installed do not complete the weekend scheduled scan, despite being set to Best Scan Performance.

Solution: Corrected a problem where a scheduled scan doesn't complete when the system is under high stress.


Incorrect information displays about detection

Fix ID: 3961096

Symptoms: An Auto-Protect detection on the server displays the message “RequestedAction_17” instead of a general failure error.

Solution: Modified the reverse scan to return a “file not found” code instead of a generic fail code if the detected file doesn't exist anymore due to a previous remediation. Auto-Protect event processing now checks for all failure return values instead of just a fail code, and no longer sets the action code for the remediation to general failure if a previous remediation deleted the file.


Scan error occurs when a Polish keyboard character is in the file path

Fix ID: 3962563

Symptoms: If you right-click a file or folder whose path contains a special Polish character in order to perform an On-Demand scan, the following error occurs:  “No files/folders could be scanned.” The scan fails.

Solution: Update the DoScan code to handle a situation in which the GetShortPathName function fails to get the short file names because of a special character.


“Symantec Endpoint Protection detected risks while you were logged out” displays on logon, but nothing is found in the logs

Fix ID: 3973514

Symptoms: If a scan detects a risk while the system is in a logged-off state, the next user to log on sees the message, “Symantec Endpoint Protection detected risks while you were logged out. You may need to open the Antivirus and Antispyware Protection Risk Log to view and take action on the risks.” However, when you check the risk log, there is nothing on which you can take action.

Solution: Changed code to avoid setting the pending risk notification flag to true on log on if the detection was already remediated.


Bug Check D1 after migrating to 12.1.6 MP5 with a Mellanox NIC

Fix ID: 3977290

Symptoms: A Bug Check D1 crash occurs when a call to HandleSyncRecv() traverses the net buffer list (NBL). The system has a Mellanox NIC installed.

Solution: Fixed the code flow to parse the actual NBL count to prevent the crash.


Multiple issues occur with manually imported client packages

Fix ID: 3977338

Symptoms: Multiple issues occur when manually importing a client package, which impacts domain import/export functionality.

Solution: If a package already exists, the import skips it. This package then displays on the package list in the Symantec Endpoint Protection Manager user interface.


SEPM does not update 64-bit virus definitions

Fix ID: 3977949

Symptoms: Symantec Endpoint Protection Manager fails to update 64-bit virus definitions.

Solution: Updated to delete any existing 0 byte or delta file, to prevent the blocking of AV definition updates.


SEPM upgrade to 12.1.6 MP5 results in high CPU usage by SemSvc.exe and crashes of httpd.exe

Fix ID: 3978562

Symptoms: After you upgrade Symantec Endpoint Protection Manager version to 12.1.6 MP5, a rule with many wildcard paths added to the Application and Device Control policy may cause the memory to become over-utilized. This scenario leads to errors in scm-server-0.log and high CPU usage.

Solution: Modified policy publishing to more correctly deal with many wildcard folders in a row.


SEPM doesn't update File Fingerprint List description or last modified fields when automatically updating fingerprints

Fix ID: 3980949

Symptoms: During the modification of the file fingerprint list, Symantec Endpoint Protection Manager does not modify the Update time and Description as expected.

Solution: For fingerprint lists collected through clients, the description does not change through automatic update in the console. File fingerprint list can be automatically updated through FTP, instead of importing manually. The Update time stamp is now updated if the list is modified manually or through the auto update feature.


SEPM installation fails during GPOPolicyReview

Fix ID: 3981481

Symptoms: When you install Symantec Endpoint Protection Manager while logged on as a Domain Administrator account, the installation fails during GPOPolicyReview.

Solution: Enabled the install with a Local Administrator account.


Moving through client groups while logged on to SEPM Web Console results in a lag or delay

Fix ID: 3983014

Symptoms: If you have a large number of client groups and log on to Symantec Endpoint Protection Manager through the Web Console, and then expand the client tree, if you click on a random client, the description in the right pane displays the information for a different client.

Solution: Fixed a third-party component so that only the information for the selected client displays in the right pane.


Pop-up windows for SEP for found malware appear behind other windows

Fix ID: 3983328

Symptoms: When Symantec Endpoint Protection detects malware, the pop-up scan result window that alerts the detection appears behind other windows.

Solution: After the scan completes, if there was at least one infected file, the scan results window is brought to the front as the active window.


Windows 7 client computer intermittently fails as an unmanaged detector

Fix ID: 3984482

Symptoms: A Windows 7 client computer configured in the Symantec Endpoint Protection Manager as an unmanaged detector intermittently appears to fail in that role. This failure occurs more often depending upon how often the client (or Symantec Endpoint Protection services) are restarted.

Solution: Updated code so that the unmanaged detector role is still enabled after a Symantec Endpoint Protection client restart.


Output from SEPMRepairTool does not include computer domain names

Fix ID: 3986058

Symptoms: Output from the SEPMRepairTool does not include computer domain names.

Solution: Added computer domain name information into the output.


With SEP installed, using non-hardcoded values for rastls.dll causes Wireless Authentication to fail

Fix ID: 3986496

Symptoms: If you use non-hardcoded values for rastls.dll and install Symantec Endpoint Protection, Wireless Authentication fails.

Solution: When restoring the registry backup values, it now keeps the registry data type as REG_EXPAND_SZ, which preserves environmental variables.


Issues with Test Account when the directory server changes from LDAP to AD

Fix ID: 3987024

Symptoms: The Symantec Endpoint Protection Manager administrator cannot log on if the Active Directory user name does not include the domain name. If you click Test Account, it fails even if you provide the correct user name. 

Solution: Clicking Test Account now checks the Active Directory user account with the full user name.


Discrepancy in data count occurs within the Comprehensive Risk Report

Fix ID: 3988956

Symptoms: A discrepancy in data count occurs between Risk Distribution Over Time and Risk Distribution by Risk Name sub-report as displayed in the Comprehensive Risk Report.

Solution: Corrected the corresponding SQL queries to correct the results and resolve the discrepancy.


SEPM incorrectly detects that an ATP fingerprint list applies to a group

Fix ID: 3994504

Symptoms: Symantec Endpoint Protection Manager incorrectly detects that an Advanced Threat Protection fingerprint list applies to a group. You are not able to delete the list.

Solution: Ignore inherited client groups in checking blacklist deletion.


Some of the clients in a group do not upgrade with Auto-Upgrade, even after two months

Fix ID: 3994518

Symptoms: Some of the clients do not upgrade after as long as two months, with Auto-Upgrade configured on the group.

Solution: The Symantec Endpoint Protection client no longer loses Auto-Upgrade settings that it receives while awaiting reboot to complete a previous upgrade.


After repairing the installation, the size of the SEP client in Programs and Features increases

Fix ID: 3996320

Symptoms: The size of the Symantec Endpoint Protection client installation in Programs and Features increases after you run an installation repair.

Solution: The MSI custom actions recalculate the size allocated during reinstallation and add them to the existing EstimatedSize registry value. Updated code to restore the original size value after a repair.


Unable to upgrade SEPM from 12.1.1 MP1 to 12.1.6 MP5

Fix ID: 3998355

Symptoms: Could not upgrade the Symantec Endpoint Protection Manager from 12.1.1 MP1 to 12.1.6 MP5 due to a broken content link.

Solution: Updated the code to facilitate the removal of the broken link.


LiveUpdate launches later every day on the SEP client for Linux

Fix ID: 3998617

Symptoms: Every time a daily-scheduled LiveUpdate runs on the Symantec Endpoint Protection client for Linux, it adds a few minutes to the scheduled time, so that the start time gets delayed by a minute or two every day.

Solution: Updated the code so that the following daily scheduled event occurs at the fixed time during the day as configured.


Alerts appear when a client switches locations, even when configured not to

Fix ID: 4002322

Symptoms: When a Symantec Endpoint Protection client switches from a location with a full firewall policy to a location with a withdrawn firewall policy, a number of alerts appear even when alerts are configured not to appear.

Solution: Change the hardcoded notification default value to Disabled.


Risk details show a different MD5 each time, even though it is exactly the same event and file

Fix ID: 4004295

Symptoms: An MD5 for the same event and the same file changes upon different viewings.

Solution: MD5 is no longer shown for risk events involving container files, containers within files, and cookies. 


Computer with Citrix XenApp and SEP 12.1.6 MP5 installed hangs on “applying group policy settings” after a restart

Fix ID: 4007637

Symptoms: If you install Symantec Endpoint Protection 12.1.6 MP5 on a computer that runs Citrix XenApp 14.4.1000.16 and then restart, Windows appears to hang on “applying group policy settings,” and never loads.

Solution: Changed firewall code so as to not incorrectly drop Citrix traffic.


Insert Date is 1/1/1970 in exported Computer Status log

Fix ID: 4007804

Symptoms: Exported entries show inconsistent or incorrect date/time, such as 1/1/1970.

Solution: Formatted the date in the query to ensure that the result is in the expected date format.


PowerShell errors occur with Application Control enabled

Fix ID: 4008364

Symptoms: When you use PowerShell with Application Control enabled, an error message pops up.

Solution: Added a check of Sysfer.dll to reallocate per-thread data (PTD) in advance.


SRTSP load error occurs after an upgraded SEP client restarts

Fix ID: 4009215

Symptoms: Windows system log shows a loading error for SRTSP driver every time the upgraded Symantec Endpoint Protection client service restarts. For example: Event ID 7026: Boot start or system start driver failed to load: SRTSP

Solution: Ensured that error conditions at restart are handled more gracefully.


SEP client services cannot start with more than 30 VLAN network adapters enabled

Fix ID: 4009398

Symptoms: ccSvcHst crash.  Symantec Endpoint Protection client services (ccSvcHst) crash and cannot start if the client computer has more than 30 virtual LAN network adapters enabled.

Solution: Corrected an issue related to enumerating all of the NICs on a machine when there are more than 32.


Automatic exclusions missing for Exchange 2013 / 2016

Fix ID: 4010373

Symptoms: Support for automatic exclusions for Microsoft Exchange 2013 / 2016 did not correctly include the exclusions for OICE temporary folders, such as %SystemRoot%\Temp\OICE_GUID\.

Solution: Added code to exclude the temporary OICE folders that get created on the fly under %SystemRoot%\Temp folder with name similar to OICE_GUID, on a Microsoft Exchange 2016 server with a mailbox server role.


An ATP-created System Lockdown list duplicating File Fingerprints causes SEPM authentication errors

Fix ID: 4011276

Symptoms: A System Lockdown list created with Advanced Threat Protection duplicates a file fingerprint. A tool to fix it, RemoveFingerprint, failed to launch.

Solution: Developed a new tool to delete fingerprint list based on customer selection and keep Symantec Endpoint Protection Manager in a valid state after the tool is executed.


RHEL 6.6 OS crashes with SEP client for Linux installed

Fix ID: 4012179

Symptoms: On Red Hat Enterprise Linux 6.6 with Symantec Endpoint Protection installed, the symcfgd process crashes. If the crash handler is enabled and Auto-Protect is running, this situation results in a full system hang.

Solution: Fixed an issue with the Symantec Endpoint Protection client configuration database service (symcfgd).


Multiple DWHWizrd processes run and the number of them increases

Fix ID: 4012222

Symptoms: Multiple instances of the process DWHWizrd launch and continue to launch.

Solution: Corrected the mapping of rescan options and used shared memory to ensure only one instance of this process is running at a time.


Unable to export NTP traffic logs larger than 50000+ items to .csv format

Fix ID: 4012946

Symptoms: If the Network Threat Protection network traffic logs have more than 50,000 entries, the PHP-CGI process times out after 45 minutes.

Solution: Made changes to improve performance when exporting a large log set (more than 50,000), and when PHP exports log codes. Introduced a progress bar to show the progress when exporting a log.


After disabling the SEP firewall policy, the Windows Firewall erroneously shows “…managed by vendor application Symantec Endpoint Protection…” until a restart

Fix ID: 4013065

Symptoms: You disable the Symantec Endpoint Protection firewall policy in Symantec Endpoint Protection Manager and update the policy on the Symantec Endpoint Protection client. Afterwards, the Windows Firewall on the client shows “…managed by vendor application Symantec Endpoint Protection…” until you restart the computer.

Solution: Updated Symantec Endpoint Protection’s ownership of the Windows Firewall if the action option is “No Action” or if the Symantec Endpoint Protection firewall policy is disabled or withdrawn. This change makes the behavior consistent between before and after restart.


SEPM does not display the name of a group’s creator to the System Administrator

Fix ID: 4015271

Symptoms: The System Administrator is unable to see the name of the Domain Administrator who created a group. The Symantec Endpoint Protection Manager UI only displays a GUID.

Solution: Fixed, so that the System Administrator can see this information.


Unable to log on to SEPM 14 console when FIPS-compliant mode is enabled

Fix ID: 4019374

Symptoms: Database connectivity fails if the profile of a user who logs on with Windows Authentication is not otherwise loaded. This condition leads to the failure of Symantec Endpoint Protection Manager to function. If you disable FIPS-compliant mode, then you can log on.

Solution: Database connectivity can now consistently occur if FIPS and Windows Authentication are both in use.


Query fails when running an Action List report as a Limited Administrator

Fix ID: 4019901

Symptoms: Query timeout when running Reports > Risk > Action List while logged on as a Limited Administrator.

Solution: A new index was added to the Symantec Endpoint Protection Manager database to make the query for Risk Action more efficient.


When searching for clients through the SEPM Web Console, special characters do not display when typed

Fix ID: 4037672

Symptoms: When you log on to Symantec Endpoint Protection Manager through the Web Console and search for clients, special characters do not display when you type them.

Solution: Fixed character input in the Web Console.


SEP Auto-Protect kernel module build script fails on Ubuntu

Fix ID: 4038505

Symptoms: The auto-compilation of the symap and symev modules fails on Ubuntu kernel version 4.8.0 or later with a compilation error. After including the header, the modules get built, but the symap module causes a kernel issue with the following message: usercopy: kernel memory overwrite attempt detected to ffffa318e853fe30 (<process stack>) (12 bytes)

Solution: Added support for changes introduced in Kernel 4.8.


The command to view a scheduled scan on a Linux client does not show the correct information

Fix ID: 4049235

Symptoms: A Symantec Endpoint Protection client for Linux is moved from one group to another. The new group and the previous group have the same name, but with different settings. When you try to display scan information using the command ./sav scheduledscan -n SCAN_NAME, the settings that get displayed are sometimes for the previous group’s scan name.

Solution: The fix is to display only enabled scans when searching for information about a scan name.


SEP clients that appear as up-to-date on the Home page do not appear in the Up-to-Date Endpoints window

Fix ID: 4049246

Symptoms: The Endpoint Status section of the Home page shows clients as up to date, but they do not appear in the Up-To-Date Endpoints pop-up window. The clients actually appear under Out-of-Date Endpoints, even though the Home page displays no out-of-date clients. A mismatch occurs between the main page, which uses the preferences properly, and the pop-up windows.

Solution: Fixed the data query for the endpoint status pop-up windows to properly interpret the Home page main preferences.


A client search for virus and spyware protection definitions fails to return results

Fix ID: 4050603

Symptoms: A query does not return results for client searches on virus and spyware protection definition dates. Messages in the scm-server-0.log show: The multi-part identifier “SEM_AGENT.PATTERN_IDX” could not be bound

Solution: Altered the SQL query so that client searches based on definition dates return accurate results.


SEP client UI shows an IPS definition date that differs from what the client uses

Fix ID: 4052541

Symptoms: The Symantec Endpoint Protection client UI shows an IPS definition date that is different than what the client actually uses.

Solution: The build publishing dates are now used as the IPS definitions date.


Policy is not reflected in the Linux client even when the installation package includes the policy

Fix ID: 4052864

Symptoms: The Symantec Endpoint Protection 14.0 client for Linux does not load policy profile information included in the installation package. However, the client does apply the profile successfully once communication occurs with Symantec Endpoint Protection Manager.

Solution: The Linux client can now successfully load the serdef.dat included with the exported client package before communication with Symantec Endpoint Protection Manager.


The ShrinkEmbeddedDB tool does not work for the 14.0 embedded database

Fix ID: 4053616

Symptoms: Error is encountered when running the updated ShrinkEmbeddedDB tool in 14.0. The tool hangs at “Stopping Tomcat services...”

Solution: Generated an updated template database file for Sybase 16.x.


Windows 8.1 computers display as Windows 10 in SEPM and in the computer status report

Fix ID: 4053826

Symptoms: Symantec Endpoint Protection Manager displays incorrect operating system information in the Computer Status Report. Windows 8.1 computers display as Windows 10.

Solution: For the same reported OS version code, the report chooses the operating system name that is reported by the majority of clients.


SEPM UI hides vertical scroll bars

Fix ID: 4055502

Symptoms: In the Symantec Endpoint Protection Manager, a redundant scroll bar inadvertently hides the vertical scroll bars for some policies, like Application to Exception Policy.

Solution: Removed the redundant scroll bar, so that the scroll bars display properly.


High CPU usage caused by ccSvcHst.exe

Fix ID: 4056241

Symptoms: The process ccSvcHst.exe consumes a large amount of CPU.

Solution: Now handling long names properly.


SEP 14 Web Console and Java Remote Console disallow entry of special characters

Fix ID: 4056404

Symptoms: When you log on to Symantec Endpoint Protection Manager with the Web Console or the Java Remote Console, you are unable to enter special characters.

Solution: Fixed character input in the remote consoles.


Operating system hangs during SEP client installation

Fix ID: 4057994

Symptoms: During the installation of the Symantec Endpoint Protection 14 client, the Windows operating system hangs.

Solution: Added SymEvent into IRON service dependencies.


Changing the database password not working as expected

Fix ID: 4058877

Symptoms: When you attempt to change the database password for the embedded (Sybase) database using the Management Server Configuration Wizard, it fails.

Solution: Enclosed the password with double quotes in the SQL statement.


Search results in SEPM do not appear to be sortable

Fix ID: 4059173

Symptoms: You are unable to sort the results of a client search by columns.

Solution: Adjusted query to allow for column sorting.


Using a wild card in the IP address field results in a warning

Fix ID: 4059251

Symptoms: When you search for an IP address in either Monitors or Reports using the asterisk wildcard (*), an error occurs indicating it is not a valid IP address.

Solution: Added support again for the asterisk.


The Disable Symantec Endpoint Protection option in the Windows notification area behaves unexpectedly

Fix ID: 4059660

Symptoms: You lock the user interface to prevent the client from making changes, and apply the policy to the client. However, Disable Symantec Endpoint Protection in the notification area (system tray) remains active, but if you click it, Symantec Endpoint Protection does not disable. The option to disable Symantec Endpoint Protection is only greyed out after you also lock Enable Suspicious Behavior Detection option in Virus and Spyware Protection policy for SONAR.

Solution: Locked Enable Suspicious Behavior Detection and disabled the checkbox when SONAR is enabled in Symantec Endpoint Protection Manager.


IPS alerts appear for silent IPS detections on Macs

Fix ID: 4059902

Symptoms: Alerts are seen on Macs for silent IPS detections, which are not visible in Symantec Endpoint Protection Manager.

Solution: Added a fix to recheck for the flags from SymDaemon.


SEPM not compatible with 4096-bit or higher certificates, preventing logon into the remote consoles

Fix ID: 4059906

Symptoms: Symantec Endpoint Protection Manager logon with the Java Remote Console or Web Console fails if the imported certificate has a size greater than or equal to 4096 bits.

Solution: Symantec Endpoint Protection Manager now allows a certificate size of greater than or equal to 4096 bits.


USB devices excluded in Mac device control are not initializing

Fix ID: 4059909

Symptoms: If you make a permission change in a Device Control policy for Mac and then unsafely eject a removable device, then Device Control does not allow the operating system to mount it again.

Solution: Changed to allow the device to mount with full permission and then remount.


Windows 10 Enterprise non-persistent VDI clients hang after SEP 14 installation restart

Fix ID: 4060587

Symptoms: After you install Symantec Endpoint Protection 14 to 64-bit Windows 10 Enterprise non-persistent VDI clients (Citrix PVS) and then restart, they hang.

Solution: Allowed UDP traffic that is sent from Citrix driver bnistack6.sys from teefer.sys directly.


SEP 12.1 client for Mac sends incorrect Left Alone status to SEPM regardless of actual action taken

Fix ID: 4060740

Symptoms: The Symantec Endpoint Protection client for Mac, version 12.1.x, sends a Left Alone status to Symantec Endpoint Protection Manager, even if you take action on a prompt on the Mac.

Solution: Handled Auto Repair and AutoQuarantine based on a “first action, second action” scenario.


Scan gets stuck while processing a file from Softgrid

Fix ID: 4061039

Symptoms: When the Symantec Endpoint Protection client scans a Softgrid file, the scan never completes and the scan window doesn’t close.

Solution: Adjusted the way the file scan performs.


Incorrect URL when using Web Link and Email from Java console

Fix ID: 4062427

Symptoms: When you log on to Symantec Endpoint Protection Manager with the Java Remote Console and then deploy clients with Web Link and Email, the URL to get the installation package is incorrect. Instead of the Symantec Endpoint Protection Manager, it refers to the computer on which you logged on with the Java Remote Console.

Solution: Updated so that the email includes URLs that refer to the Symantec Endpoint Protection Manager server.


The link for a forgotten password cannot be disabled for access to SEPM with the Web Console

Fix ID: 4062836

Symptoms: The Forgot your password? link on the Symantec Endpoint Protection Manager is enabled when you log on with the Web Console, even though you configured it not to appear.

Solution: Updated third-party library for settings consistency.


Location switching criteria does not work with short name, only FQDN

Fix ID: 4062874

Symptoms: The location switching criteria “ICMP Request type Host Name” does not work with a short name, only the fully-qualified domain name.

Solution: Changed the example in the Symantec Endpoint Protection Manager UI to a format that works.


RHEL 7.2 fails to shut down with SEP client installed

Fix ID: 4067151

Symptoms: With the Symantec Endpoint Protection client installed, the Red Hat Enterprise Linux 7.2 system hangs during shutdown.

Solution: Adjusted this critical process to not stop servicing requests when the syslog daemon is busy.


Scrolling in Notification Conditions scrolls entire screen

Fix ID: 4069023

Symptoms: When you scroll in the Notification Conditions pane, the entire screen scrolls.

Solution: Fixed code to scroll properly in this pane.


Single risk notifications display application name as risk name

Fix ID: 4071555

Symptoms: The application name is listed as the risk name in an email notification.

Solution: Updated source to display threat name in the email notification.


Auto-Upgrade fails for SEP 14 when including latest content

Fix ID: 4073623

Symptoms: Auto-Upgrade fails in Symantec Endpoint Protection 14 when the upgrade package contains the latest content.

Solution: Fixed algorithm for finding the most recent content.


Host Integrity fails to execute on several computers in SEP (Spanish localization)

Fix ID: 4078849

Symptoms: Host Integrity failure occurs on the Spanish-localized Symantec Endpoint Protection client.

Solution: Fixed an escape typo that only occurred on the Spanish localized version.


SEPM upgrade to 14 fails at 0%: “Failed to create audit log event for this server upgrade”

Fix ID: 4079215

Symptoms: When upgrading Symantec Endpoint Protection Manager from 12.1.6 MP6 to 14 MP1, it fails at 0% with “Failed to create audit log event for this server upgrade.”

Solution: Fixed with source code change.


Proxy setting not being used to connect to some URLs

Fix ID: 4079594

Symptoms: Sending pings from the Ping Submission Tool doesn't follow proxy settings as configured in Symantec Endpoint Protection Manager.

Solution: Fixed with source code change.


Import Organizational Unit or Container option in SEPM is not available to Domain Administrators in 14.x

Fix ID: 4079853

Symptoms: A Symantec Endpoint Protection Manager Domain Administrator does not see the option to import an Organizational Unit in version 14.

Solution: Fixed with source code change so that a domain administrator can import an Organizational Unit.


Proxy setting not being used to connect SEP clients to some URLs

Fix ID: 4079967

Symptoms: Proxy setting not being honored on the Symantec Endpoint Protection client.

Solution: Added support for HTTPS.


When installing SEP client for Linux on CentOS 6.4, Auto-compile fails

Fix ID: 4081627

Symptoms: You install Symantec Endpoint Protection client on CentOS 6.4 server. During installation you see the following error message: “Build Auto-Protect kernel modules from source code failed with error: 1.”  Auto-compile on CentOS 6.x systems fails because it is unable to find linux/nfsd/*.h files. As a result, Auto-Protect malfunctions.

Solution: Made auto-compile detection of CentOS 6 systems more robust, allowing compilation on systems that have a modified /etc/issue file.


ccSvcHst crashes with access code violation 0xc0000005

Fix ID: 4082138

Symptoms: ccSvcHst crashes with an access code violation: 0xc0000005.

Solution: Added a check for an allocation failure.


Button to test email configuration works, but notification emails are never sent

Fix ID: 4082422

Symptoms: The Test Email button in Mail Configuration works when using TLS and Office365 SMTP. However, the actual notification emails are never sent.

Solution: Synchronized with the mail server to get the correct status.


SEPM external logging fails to preserve Unicode characters in a dump file

Fix ID: 4082517

Symptoms: Instead of preserving Unicode Cyrillic-script Slavic characters in Symantec Endpoint Protection Manager external logging, only a garbled string appears in the dump file.

Solution: Updated so that when the SEPM external logging function outputs logs to the dump file, it uses the UTF-8 character set.


Localization mistake in HIDefs hilib_es.xml prevents Host Integrity from working on Spanish computers

Fix ID: 4085928

Symptoms: Windows Host Integrity on a Spanish-language client cannot pass. The Spanish-language client shows the following error message: “Error al ejecutar la comprobación de integridad del host. Tipo de error: 0x00400020, código de error: 0x00000000”

Solution: Fixed the issue and rebuilt new Host Integrity content for publishing. When Symantec Endpoint Protection Manager downloads the updated Host Integrity content, the Spanish-language client applies the new HI template.


Manual compile fails on SLES 11 SP3 3.0.101-0.47

Fix ID: 4086386

Symptoms: Auto-Protect fails to load on SLES 11 SP3 (3.0.101-0.47) and either logs a message indicating it was unable to find the syscall table, or crashes the computer with a page fault.

Solution: Greatly increased the ability of Auto-Protect to load when other third-party modules have been loaded, such as secfs2, Tripwire, and so on.


Intermittent high CPU usage on single CPU systems

Fix ID: 4087608

Symptoms: The AVHostPlugin.dll REGWATCH function calls result in intermittent high CPU usage on single CPU systems.

Solution: Improved CPU usage by improving the REGWATCH function.


Policy update causes Skype for Business to disconnect

Fix ID: 4087657

Symptoms: After a policy update or a Host Integrity state change, a Symantec Endpoint Protection client that uses DHCP as well as peer-to-peer (P2P) authentication loses its IP address for a very short time. This situation causes temporary, hard-to-trace networking issues, such as Skype disconnects.

Solution: The Symantec Endpoint Protection client no longer temporarily disconnects the network during a policy update on computers that run both DHCP and peer-to-peer authentication.


Network Application Monitoring is enabled by default but client UI shows it as disabled

Fix ID: 4088626

Symptoms: On an unmanaged client, the Symantec Endpoint Protection client UI setting for Network Application Monitoring is unchecked, suggesting it is disabled, but the feature still works as expected.

Solution: Corrected the unmanaged client setting for Network Application Monitoring.


Scheduled Risk Report and locally run Risk Report do not match

Fix ID: 4088798

Symptoms: When you schedule a daily and a weekly report, the data included in these reports does not match the same reports that are run locally.

Solution: Fixed the date filters used in Symantec Endpoint Protection daily and weekly reports.


Virtual machine hangs and you are unable to log in to the machine

Fix ID: 4090921

Symptoms: After upgrading to Symantec Endpoint Protection 14, the systems intermittently lock up, which causes the systems to become unresponsive. The issue occurs about once a week and is somewhat sporadic, but it is also seen consistently on the same systems.

Solution: The change skips any input or output from the scanner process.


A Limited Administrator of any SEPM domain is able to see certain details for all domains on SEPM

Fix ID: 4092434

Symptoms: After you log on to Symantec Endpoint Protection Manager as a Limited Administrator and run a Comprehensive Risk Report, the Infected File Status section of the report contains the data for all Symantec Endpoint Protection Manager domains.

Solution: Fixed the query used in the Infected File Status section of the Comprehensive Risk Report.


Custom IPS Signatures do not log full application path

Fix ID: 4092465

Symptoms: Custom IPS Signatures do not log full application path.

Solution: Updated to keep the full path file name info when passing the file name info to the IDS engine for processing.


SEPM log shows incorrect data for ICMP in traffic log

Fix ID: 4092492

Symptoms: Firewall traffic logs for ICMP packets do not show the correct information in Symantec Endpoint Protection Manager.

Solution: Fixed with source code change.


Operating system hangs randomly after installing SEP 14 MP1

Fix ID: 4092944

Symptoms: After you install Symantec Endpoint Protection 14 MP1, the operating system randomly hangs.

Solution: Fixed with source code change.


SEP ADC causing up to a 30-second hang with PhishAlarm Outlook Add-in enabled

Fix ID: 4096256

Symptoms: Application and Device Control causes up to a 30-second hang with PhishAlarm Outlook Add-in enabled.

Solution: Improved the Application Control code to reduce checksum calculation times.


After migration to 14, SEP client restarts in a loop

Fix ID: 4096829

Symptoms: After a migration from 12.1.6 MP5 to version 14, SymEFA does not run, causing systems to restart in a loop.

Solution: Fixed with source code change.


The option to display a message when definitions are outdated does not reflect in managed clients

Fix ID: 4096887

Symptoms: You check the option in the Virus and Spyware Protection Policy to “Display a Windows Security Center message when definitions are outdated: Warn after: x days.” However, you do not see this choice reflected in the managed clients.

Solution: Corrected an issue where the policy was not being processed correctly.


SEPM upgrade to 14 MP2 rolls back during the LiveUpdate installation

Fix ID: 4097237, 4098158

Symptoms: The Symantec Endpoint Protection Manager upgrade to version 14 MP2 fails with a LiveUpdate error: LUcheck 206.

Solution: Fixed with source code change.


SEP 14 MP1 client crashes Lync 2013

Fix ID: 4098057

Symptoms: When you upgrade or install Symantec Endpoint Protection, existing Windows Error Reporting (WER) settings in the registry are deleted, causing Lync 2013 to crash.

Solution: Corrected an issue where the Symantec Endpoint Protection installation removed existing Windows Error Reporting settings before writing Symantec Endpoint Protection-specific Windows Error Reporting settings.


A field in the Agent Proactive Detection log has an unexpected value of MDS

Fix ID: 4098112

Symptoms: A field in the Agent Proactive Detection log, Permitted application reason, has a value of MDS.

Solution: Fixed the typo from MDS to MD5.


IPS does not detect a port scan attack

Fix ID: 4098907

Symptoms: IPS is unable to detect a port scan attack.

Solution: Fixed with source code change.


Citrix roaming profiles cannot be deleted with SEP 14 MP2 installed

Fix ID: 4099309

Symptoms: Citrix roaming profiles cannot be deleted due to roaming Windows Error Reporting folders locked by Symantec Endpoint Protection 14 MP2.

Solution: Fixed the code to allow the roaming profiles to be deleted.


Bug Check 19 in Sysplant.sys during initial system load

Fix ID: 4100327

Symptoms: A crash (Bug Check 19) occurs in Sysplant.sys during Windows startup.

Solution: Fixed with source code change.


Server hangs with SEP 14 MP1 installed

Fix ID: 4104539

Symptoms: The server hangs with Symantec Endpoint Protection 14 MP1 installed.

Solution: Changed Auto-Protect so that it does not encounter deadlocks under certain circumstances.


CIDS .jdb update for SEPM 14 MP2 does not work

Fix ID: 4105702

Symptoms: You place the .jdb file to update CIDS content onto a Symantec Endpoint Protection Manager that runs version 14 MP2. However, Symantec Endpoint Protection Manager only processes the 14.0 CIDS content.

Solution: Added JDB support for processing MP2 CIDS content.


After installing the SEP client on Windows 10 using AutoUpgrade and restarting, the client loses its network connection

Fix ID: 4105717

Symptoms: The Windows 10.0.14393 update causes a loss of network connectivity.

Solution: Fixed an issue with Teefer2.
Issue was also fixed by Microsoft as described in this KB:


The dump file that the SEPM external logging feature generates is missing some entries

Fix ID: 4107842

Symptoms: After the management server processes a new set of events in the external logging feature, some entries in the dump file do not appear. The dump file is located in %SEPM%\data\dump.

Solution: Fixed the log rotation mechanism of the dump file.


After upgrading from version 12.1.x to 14, the management server hangs

Fix ID: 4108415

Symptoms: After upgrading from 12.1.x to either 14 RTM or 14 MP2, the management server hangs and you cannot connect remotely to the management server using an RDP connection. This issue also occurs with virtualized servers and desktop computers hosted on VMware and Hyper-V. You do not get a log on screen, and you cannot access the management servers, although the affected servers may respond to pings. This issue occurs randomly. A restart allows the affected computers to work again, but the issue can return.

Solution: Changed the way resource locks are acquired.


Windows 10 does not start with both the SEP client and a language pack installed

Fix ID: 4109958

Symptoms: After installing a language pack on a Windows 10 client computer with Symantec Endpoint Protection installed, Windows 10 does not start.

Solution: Fixed a compatibility issue between fontdrvhost.exe and sysfer.dll.


Upgrading to version 14 MP1 and restarting caused a loss of network connectivity on Windows 7 SP1

Fix ID: 4112171

Symptoms: This action causes a removal and installation of the Teefer2 driver, where a function call to Apply() fails.

Solution: Fixed this issue on Windows 7 and other operating systems.


Timestamps are only in local time when external logging is used in SEPM

Fix ID: 4112246

Symptoms: When external logging is enabled in Symantec Endpoint Protection Manager, all the timestamps are in the local time zone only.

Solution: Modified external logging to use either UTC or the local time zone in all the timestamp columns, depending on the configuration.


Management servers randomly hang after an upgrade to 14 MP2

Fix ID: 4117229

Symptoms: Symantec Endpoint Protection Manager randomly hangs due to a scan thread acquiring a read lock and definitions update acquiring a write-access lock, which then asks for a read lock on the same file.

Solution: Fixed with source code change.


Client computer hangs or becomes unresponsive

Fix ID: 4117946

Symptoms: The system hang is caused by the Symantec Endpoint Protection components BHDrvx64.sys and SymEvent.

Solution: Fixed with source code change.


High CPU usage on servers when Auto-Protect is enabled

Fix ID: 4120366

Symptoms: When Auto-Protect is enabled, CPU usage is high and performance is low.

Solution: Fixed a resource leak that occurred under certain conditions, which caused the high CPU usage.


14 MP2 Mac clients connect to specific Symantec websites every two hours

Fix ID: 4121029

Symptoms: The Symantec Endpoint Protection 14 MP2 Mac clients connect to or every two hours, even though the connection was disabled from Symantec Endpoint Protection Manager and the Symantec Endpoint Protection client.

Solution: Disabled the error reporting for Submissions.


File server stops responding after SMBv2 enabled

Fix ID: 4123668

Symptoms: The File server intermittently stops responding after the Windows Server Message Block (SMB) version 2 (SMBv2) is enabled. Server Message Block (SMB) is a network file sharing protocol meant for sharing files and printers between computers.

Solution: Fixed the compatibility issue with SMBv2.

Component versions

The build number for this release is 14.0.3752.1000. Red text indicates components that have been updated for this release.


DLL File | DLL Version | SYS File | SYS Version

Seq#= 20170926.001

BASH Framework

Seq#= 20170824.200

CIDS Framework

CP3 version.txt N/A -
CX cx_lib.dll N/A -

DuLuxCallback duluxcallback.dll N/A -

LUX Lux.dll

SDS Engine

Seq#= 20170930.005

Seq#= 20170925.008

Symulator version.txt N/A -
TCSAPI version.txt N/A -
Titanium titanium.dll N/A -