This document lists the new fixes and component versions in Symantec Endpoint Protection (SEP) 14.3 RU1 (14.3.3384.1000). This information supplements the information found in the Release Notes.

• New Fixes
• Component versions

Download the full release through the Broadcom Software Download Portal. For details, see Download the latest version of Endpoint Protection.

New fixes

SEP prevents user profile WER folders from being deleted at logoff

Fix ID: ESCRT-767

Symptoms: WER folders are not deleted on logoff.

Solution: Resolved a scenario that prevented the removal of a handle to the WER folders.

AD synchronization imports OU User userPrincipalName while clients check in using sAMAccountName

Fix ID: ESCRT-1053

Symptoms: Clients check-in to the Default Group using the sAMAccountName instead of the UPN.

Solution: Updated the API used to get the correct value.

Windows Server 2012 R2 hangs at login after a client upgrade and the first reboot

Fix ID: ESCRT-2299

Symptoms: Windows hangs on the first reboot post migration.

Solution: Corrected an intermittent problem where Windows would hang on the first reboot after migrating Symantec Endpoint Protection.

Invalid MAC addresses listed in network logs when Risk Tracer is enabled

Fix ID: ESCRT-2401

Symptoms: Local MAC field in client logging is showing an invalid format.

Solution: Updated the format to ensure the value is passed in the correct form.

SEP Firewall reverse DNS lookup is not resolving the DNS name

Fix ID: ESCRT-2618

Symptoms: SEP firewall is not resolving DNS under certain conditions.

Solution: Added support for compressed strings in DNS reverse response packets.

SEP Application Control log entries are truncated if it is longer than 512 characters

Fix ID: ESCRT-2984

Symptoms: Log entries in the Application Control can appear truncated if the associated path, key, or value is long.

Solution: Increased the character length support for Application Control logs.

SEP Application Control causes a delay for Chinese language input in Word and Excel

Fix ID: ESCRT-2997

Symptoms: Chinese character input is delayed for Word and Excel when Application Control is present.

Solution: Corrected a lock timing issue that caused a delay.

SEP Download Insight detects a file downloaded via a Trusted Domain

Fix ID: ESCRT-3031

Symptoms: Download Insight detects files downloaded via a Trusted Domain when an IP address is used instead of a URL.

Solution: Added support for IP addresses within Trusted Domain exclusions.

Firewall rules imported via command line are not saved on Windows 10

Fix ID: ESCRT-3098

Symptoms: Firewall rules imported via smc –importadvrule command are not saved on Windows 10.

Solution: Corrected an issue that prevented rules from saving when using the importadvrule command.

Bugcheck 0x34 on SymEFASI64.sys

Fix ID: ESCRT-3201

Symptoms: Intermittent system crash observed with SymEFASI64.sys.

Solution: Updated SymEFA to correct a scenario that could result in a system crash.

Missing description for SEPM Command Scan to identify which type applies each SEP Client

Fix ID: ESCRT-3338

Symptoms: There is no icon or description to identify which scan types are supported by which SEP Client in the SEPM Command Scan dialog window.

Solution: Added an OS icon ahead of each scan type.

Automatic exclusions missing for File Based Write Filter (FBWF) on Windows 7 Embedded

Fix ID: ESCRT-3355

Symptoms: Managed SEP client on Windows 7 Embedded with FBWF enabled is unable to update content without manual exclusions.

Solution: Automatic exclusions added to allow content to be updated on managed clients when FBWF is enabled.

IPS signatures display incorrect default values for Action and Log in the SEPM IPS Exclusion dialog

Fix ID: ESCRT-3368

Symptoms: Specific IPS Audit signatures display incorrect default values in the SEPM IPS Exception policy for Action and Log.

Solution: Corrected an issue that prevented the correct values for Action and Log from being displayed.

Location Awareness does not change locations as expected when Airplane Mode is enabled

Fix ID: ESCRT-3424

Symptoms: The SEP client does not change locations when Airplane Mode is enabled or all Network Adapters are disabled and the location condition “Client does not use any networking” is used as location change criteria.

Solution: Corrected an issue that prevented Location Awareness from identifying that no working interface is available.

ccSubSDK folder increases in size periodically

Fix ID: ESCRT-3437

Symptoms: ProgramData\Symantec\Symantec Endpoint Protection\<Version>\Data\CmnClnt\ccSubSDK increases in size when product submissions are unable to complete.

Solution: Implemented a file size limit for the ccSubSDK folder.

Details missing for Event Type: The computer account has been deleted

Fix ID: ESCRT-3495

Symptoms: Event Type: The computer account has been deleted contains no information about the event.

Solution: Added Computer Name to the event description for System Logs: Administrative in SEPM.

Cloud-managed SEP clients continue to download content on a LiveUpdate schedule when disabled

Fix ID: ESCRT-3518

Symptoms: System Policy is configured to disable the LiveUpdate schedule, but clients continue to run LiveUpdate.

Solution: Corrected a LiveUpdate trigger that would occur on client restart.

Clients with an IP address ending in .255 do not switch locations

Fix ID: ESCRT-3637

Symptoms: The SEP client does not change locations when the IP address ends in .255 and a location condition that relies upon IP address as location criteria is used.

Solution: Corrected an issue that prevented Location Awareness from evaluating a client ending with a .255 IP address.

Browser Protection events are not exported to a dump file

Fix ID: ESCRT-3702

Symptoms: The event type field is missing from Browser Protection events that are exported to a dump file.

Solution: Event Type column added to the external log-security file.

Windows Security Log contains Event ID 4673 with UAC enabled

Fix ID: ESCRT-3739

Symptoms: The Windows Security Log contains multiple Event ID 4673 events with UAC enabled and SEP installed.

Solution: Corrected an issue that resulted in continuous admin checks for the user session of ccSvcHst.exe.

Deadlock observed with Auto-Protect enabled alongside the Qualys Agent

Fix ID: ESCRT-3823

Symptoms: Unable to login to 3^rd party application due to a deadlock between SRTSP64 and Qualys Agent.

Solution: Resolved an issue in Auto-Protect so that a lock is no longer required.

Credential Theft deceptor incorrectly triggers every 2 hours

Fix ID: ESCRT-3872

Symptoms: Clients intermittently trigger the Credential Theft deceptor on non-English operating systems.

Solution: Updated Credential, File, and DNS deceptor scripts to support non-English operating systems.

Bugcheck 139 on SymEFASI.sys

Fix ID: ESCRT-3883

Symptoms: Rare system crash observed on Windows Server 2012 that involves SymEFASI64.sys.

Solution: Added synchronization protection in several places for SymEFA.

Bugcheck on Windows 10 with Early Launch AntiMalware set to Good Only

Fix ID: ESCRT-3955

Symptoms: System crash observed when Early Launch AntiMalware is enabled and configured to “Good Only”.

Solution: Updated SymELAM to properly support updated boot-start drivers.

Locations do not change for an extended period of time

Fix ID: ESCRT-4076

Symptoms: When Cisco VPN is present and DNS Lookup is used as location criteria the location may not change immediately.

Solution: Location Awareness will now check location criteria again after Cisco VPN is ready.

Users are unable to disable the firewall even though the policy is configured to All Users

Fix ID: ESCRT-4132

Symptoms: Only Administrator accounts can disable Network Threat Protection or uncheck Enable Firewall.

Solution: Updated the SEP client to properly honor the All Users setting for limited users.

SEPM Administrators can create Single Risk Event notifications for domains they do not administer

Fix ID: ESCRT-4272

Symptoms: Single Risk Event notifications can be configured for all domains instead of the domain defined for the SEPM Admin account.

Solution: Updated Single Risk Event notification to honor the correct rights for the account creating it.

Bash.exe is not blocked by Application Control

Fix ID: ESCRT-4275

Symptoms: Application Control rules that would apply to Git Bash are not honored.

Solution: Updated Application Control to properly initialize and control Git Bash.

Virtual Image Exception tool is no longer functional after upgrading to 14.3

Fix ID: ESCRT-4321

Symptoms: VIETool.exe exits with an unexpected termination error and does not complete successfully with 14.3.

Solution: Addressed an issue where VIETool would fail to complete with error “Service terminated unexpectedly.”

Policies fail to import when FileLastModifiedDate is defined

Fix ID: ESCRT-4353

Symptoms: Policies with Network Monitoring enabled and Unmonitored Applications with FileLastModifiedDate defined do not import into the SEP client.

Solution: Corrected an issue where policies containing last fail date modified would fail to import.

Location Awareness conditions for DNS Server Address do not work as expected

Fix ID: ESCRT-4409

Symptoms: Location does not change as expected when an IPv6 DNS address is specified.

Solution: Updated location awareness to better handle special IPv6 DNS addresses.

Bugcheck 50 on SRTSP64.sys

Fix ID: ESCRT-4438

Symptoms: Intermittent system crash observed on Windows Server 2016.

Solution: Updated SRTSP to prevent the encounter of a scenario that could result in a system crash.

System hang observed after upgrade of the SEP client

Fix ID: ESCRT-4552

Symptoms: Immediately after upgrading the SEP client a rare system hang may be experienced after the first reboot.

Solution: Updated Application Control to prevent a scenario that could result in a system hang.

Symantec Endpoint Protection creates .dat files in Windows\Temp folder

Fix ID: ESCRT-4600

Symptoms: After upgrading to 14.3, a large number of .dat files are observed in the Windows\Temp folder on some systems.

Solution: Corrected an error in Common Client that resulted in extra .dat files being created when a problem is encountered.

SEP Mac SepInstallerApp crash observed after upgrading to 14.3

Fix ID: ESCRT-4636

Symptoms: SepInstallerApp crash observed intermittently when upgrading from a previous version of the SEP Mac client.

Solution: Resolved an issue that results in a possible SepInstallerApp crash when upgrading from a prior version of the SEP Mac client.

SEP EFAInst.exe crash observed during upgrade on Windows 7

Fix ID: ESCRT-4639

Symptoms: EFAInst.exe crash observed intermittently during upgrade of the SEP client.

Solution: Updated SymEFA to prevent the encounter of a scenario that could result in a EFAInst.exe process crash.

SEP Mac application firewall pop-ups observed with 14.3 MP1

Fix ID: ESCRT-4667

Symptoms: Non-configurable application firewall pop-up displayed in 14.3 MP1.

Solution: Added a check for the application firewall dialog window.

Intermittent definition corruption observed on SEP clients

Fix ID: ESCRT-4698

Symptoms: Definition corruption observed intermittently on SEP clients.

Solution: Resolved a rare scenario that prevented definitions from updating properly.

Client group changes in SEPM are not synced to the Cloud Console

Fix ID: ESCRT-4740

Symptoms: The removal and addition of client groups in SEPM are not always synced to the Cloud Console.

Solution: Updated CommonCloudHub to ensure that SEPM group changes are now always reflected on the Cloud Console.

SQL deadlocks observed after upgrading SEPM to 14.2 RU2

Fix ID: ESCRT-4749

Symptoms: Intermittent SQL deadlocks observed when processing Event notifications or with External Logging enabled.

Solution: Fixed a deadlock when updating the SYSTEM_STATE table.

ccSvcHst.exe crash observed intermittently

Fix ID: ESCRT-4928

Symptoms: ccSvcHst.exe periodically crashes with faulting module: ucrtbnase.dll.

Solution: Fixed a scenario that resulted in an exception encountered in ccSvcHst.exe.

Additional fixes for 14.3.3385.1000

SEPM upgrade to 14.3 RU1 encounters an error if a repair installation is performed

Fix ID: ESCRT-5679

Symptoms: SEPM upgrade to 14.3 RU1 is interrupted due to missing cryptoj.jar if a repair installation is performed.

Solution: Corrected an issue during repair installations that could prevent a specific JAR file from being placed in its proper location.

SEPM upgrade to 14.3 RU1 encounters a SQL Exception if database mirroring is enabled

Fix ID: ESCRT-5685

Symptoms: SEPM upgrade to 14.3 RU1 is unable to proceed if database mirroring is enabled. The following error is observed: "The operation cannot be performed on database "sem5" because it is involved in a database mirroring session or an availability group."

Solution: Corrected an issue that impacted support for database mirroring SQL Server configurations.

Component versions

The build number for this release is 14.3.3384.1000. 

Red text indicates components that have updated for this release.