Creating a network scan password with SHA-256 hashing after upgrading to Symantec Endpoint Protection 12.1.2


Article ID: 156896


Updated On:


Endpoint Protection


Symantec Endpoint Protection 12.1.2 uses a strong hashing algorithm (SHA-256 with salt) to create a password that is required for scans of network drives. In previous releases, Symantec Endpoint Protection used MD5 hashing. To maintain backwards compatibility, Symantec Endpoint Protection 12.1.2 uses both the MD5 field and a new field for the SHA-256 hash in its profile.

When you upgrade to Symantec Endpoint Protection Manager 12.1.2, any legacy MD5 network scan password is retained as MD5. Legacy clients can use the MD5 password. The MD5 hash, however, cannot be migrated to SHA-256, since the hash is one-way and SEPM does not maintain a clear text copy of the network scan password which was entered previously. You must re-enter the network scan password in the Virus and Spyware Protection policy to create the password with SHA-256 hashing for Symantec Endpoint Protection 12.1.2 clients.


  1. In the Symantec Endpoint Protection Manager 12.1.2 console, on the Policies tab, open a Virus and Spyware Protection policy.
  2. On the Global Scan Options tab, under Scan Network Drive, make sure you check Ask for a password before scanning a mapped network drive.
  3. Click Change Password...
  4. Enter the password.
  5. Click OK. The password is saved with both MD5 and SHA-256 hashing.
  6. Click OK to save the policy.
  7. Apply the policy to the relevant group.
Note: The change from MD5 to SHA-256 does not affect Symantec Endpoint Protection small business edition, which does not support the network scan feature.