This document lists the new fixes and component versions in Symantec Endpoint Protection (SEP) 14.3 RU2 (14.3.4615.2000). This information supplements the information found in the Release Notes.

• New Fixes
• Component versions

Download the full release through the Broadcom Software Download Portal. For details, see Download the latest version of Endpoint Protection.

Additional fixes for 14.3 RU2 Patch 3 (14.3.4657.2000)

Symantec Endpoint Protection (Windows)

Incident ID: CRE-8259
Incident Description: Cloud-managed agents may encounter a LiveUpdate error when proxy settings are defined

Incident ID: CRE-9044
Incident Description: Installation rollback observed during CopyFile Action for EdrEpmpCStorage.dat

Incident ID: CRE-9923
Incident Description: Clients switching from one site to another site do not send operational status immediately after switching

Incident ID: CRE-9937
Incident Description: ccSvcHst.exe crash observed under certain low memory conditions

Additional fixes for 14.3 RU2 Patch 2 (14.3.4647.2000)

ccSvcHst.exe exception observed with ucrtbase.dll

Fix ID: ESCRT-8192

Symptoms: Japanese language endpoints observe an intermittent exception with ccSvcHst.exe.

Solution: Corrected a string conversion issue with certain Japanese characters.

Clients display Proactive Threat Protection is malfunctioning error after upgrading to 14.3 RU2

Fix ID: ESCRT-7787

Symptoms: ‘Proactive Threat Protection is malfunctioning.’ error observed on some endpoints after upgrading to 14.3 RU2.

Solution: Resolved a disk latency check failure which was delaying the load of Proactive Threat Protection modules.

Intermittent error observed when downloading large executables with Microsoft Internet Explorer

Fix ID: ESCRT-7619

Symptoms: Race condition can result in download failures for large executables.

Solution: Improved handling of .partial files created by Internet Explorer for large executables.

DHCP release observed when SymErr.exe is executed on Citrix servers

Fix ID: ESCRT-7202

Symptoms: Citrix servers intermittently observe a network connection reset with SEP client telemetry enabled and a scheduled submission event occurs.

Solution: Resolved a case where ping submissions could fail, which resulted in the endpoint attempting to rectify potential network connection issues.

Additional fixes for 14.3 RU2 Patch 1 (14.3.4637.2000)

Client Intrusion Prevention Policy with a large number of excluded signatures causes performance issues

Fix ID: ESCRT-7272

Symptoms: CIDS policies with >1000 excluded signatures results in the SEP client taking an extended period of time to start.

Solution: Improved handling of CIDS policies containing a large number of excluded signatures.

Virtual Image Exception tool does not successfully flag all files as safe

Fix ID: ESCRT-7211

Symptoms: “Error: Unable to read file (1920)” is observed on certain files when using the VIETool.

Solution: Resolved an issue that prevented VIETool from interacting with certain long file paths.

SEPMasterService does not automatically restart when used with MemoryMonitor

Fix ID: ESCRT-7074

Symptoms: MemoryMonitor setting is being used and SEPMasterService does not always automatically restart after it has been triggered.

Solution: Fixed an issue that prevented ccSvcHst.exe child processes from terminating.

New fixes for 14.3 RU2 (14.3.4615.2000)

Memory Exploit Mitigation is unexpectedly enabled after upgrading to 14.3

Fix ID: ESCRT-4454

Symptoms: MEM policies that were set to disabled become enabled after upgrading to 14.3.

Solution: Groups without a current MEM policy will receive a new Default Memory Exploit Mitigation policy during the upgrade process.

Policy Serial Number field is blank on clients after upgrading to 14.3

Fix ID: ESCRT-4702

Symptoms: Failed to import server policy error is observed and clients retain an older policy serial number.

Solution: Resolved an issue with the “Last Modified” field in the Firewall policy.

System Admin client sweep events visible to domain users

Fix ID: ESCRT-4785

Symptoms: Client sweep events are visible to all SEPM domain users.

Solution: Client sweep events from the system admin are no longer visible to SEPM domain users.

SEP Mac client doesn’t load the System Extension immediately after installation

Fix ID: ESCRT-4813

Symptoms: After a fresh installation, the SEP Mac System Extension isn’t loaded until the User Interface is opened.

Solution: SEP Mac installer has been updated so that the System Extension is loaded after installation.

Replication log data processing is impacted under certain configurations

Fix ID: ESCRT-5356

Symptoms: In environments that have many clients with a large amount of NICs, SEPM log processing becomes impacted.

Solution: Addressed an issue that resulted in log processing taking longer than expected when a client has a large amount of NICs.

SEPM database backup is incorrectly named in Japanese language environments

Fix ID: ESCRT-5374

Symptoms: The SEPM database backup file is using an incorrect date format for the name of the .ZIP.

Solution: Addressed an issue that resulted in a Japanese character being placed in the name of the SEPM database backup file.

SEP Linux clients fail to connect to the SEPM after installation

Fix ID: ESCRT-5544

Symptoms: Unknown SSL protocol error is observed in SEP Linux communication logs.

Solution: Resolved an issue that impacted client communication when a sub-network is configured on an interface.

SEP cloud-managed clients that receive a Firewall policy that isn’t locked will show the Firewall as disabled

Fix ID: ESCRT-5559

Symptoms: When the Firewall policy is unlocked, cloud-managed clients show the Firewall as disabled.

Solution: Resolved an issue with the policy configuration handler for cloud-managed clients.

SEP Early Launch Antimalware doesn’t enable on location change

Fix ID: ESCRT-5612

Symptoms: When switching to a group with multiple locations, Early Launch Antimalware does not enable itself again if coming from a location where it is disabled.

Solution: Corrected an issue with Early Launch Antimalware that prevented the transition from disabled to enabled when the location changes.

SEP Download Insight will continue to display a notification alert even after it has been disabled

Fix ID: ESCRT-5704

Symptoms: The show antimalware scan results on the infected device slider is disabled, but the alerts continue for cloud-managed clients.

Solution: Download Insight detection alerts are now controlled by the show antimalware scan results setting in the Integrated Cyber Defense Manager.

SEP clients fail to register with the SEPM when using SonicWall VPN

Fix ID: ESCRT-5789

Symptoms: SEP clients attempting to register with a SEPM when connected through SonicWall VPN are unable to succeed.

Solution: Addressed an intermittent issue that could prevent registration over SonicWall VPN.

Cloud-managed clients may encounter an error when attempting to apply a license under certain conditions

Fix ID: ESCRT-5842

Symptoms: SEP cloud-managed clients may intermittently fail to apply a license.

Solution: Resolved an issue that prevented license application under certain conditions such as when disk contents have been reverted or restored to a prior state.

High disk utilization observed on Citrix environments

Fix ID: ESCRT-5878

Symptoms: High disk utilization is observed in Citrix environments with a large number of Trusted Web Domain exceptions.

Solution: Updated client framework to better accommodate environments with a large number of certain exception types.

SEPM is unable to download updates for SEP Mac 14.2 IPS content

Fix ID: ESCRT-5893

Symptoms: Symantec Endpoint Protection Manager could not update Intrusion Prevention Signature Mac 14.2 observed in SEPM LiveUpdate Status logs.

Solution: Removed this content type as it is no longer necessary for SEP Mac IPS exception support.

URL Reputation Protection is not functioning properly due to an internal configuration error

Fix ID: ESCRT-5908

Symptoms: SEP Client User Interface displays a URL Reputation error if Insight Lookup is intentionally disabled.

Solution: Corrected an issue that allowed an incorrect value to be written to policy.xml.

SEP Mac client network performance is impacted

Fix ID: ESCRT-5925

Symptoms: SEP Mac client impacts network throughput when Zscaler is present or under high throughput conditions.

Solution: SEP Mac Network Content Filter updated to improve interactions with Zscaler and high throughput environments.

URL Reputation continues to attempt lookups after being disabled

Fix ID: ESCRT-5966

Symptoms: When URL Reputation is disabled it is no longer used for conviction purposes, but continues to attempt lookups.

Solution: URL Reputation lookups have been moved from the Insight Lookup toggle to the URL Reputation toggle.

SEPM Audit Logs are not forwarded to a Syslog server

Fix ID: ESCRT-6107

Symptoms: SEPM is unable to forward Audit Logs to a Syslog server when the policy file is very large.

Solution: External logging updated to better process large policy sizes.

SEP Linux does not honor –local-repo installer argument

Fix ID: ESCRT-6139

Symptoms: SEP Linux continues to connect to the Public repo even when the –local-repo argument is used.

Solution: Updated the installer to better handle HTTP and HTTPS URLs specified as a local repository.

Client User Interface displays multiple problems

Fix ID: ESCRT-6222

Symptoms: Application exceptions with an invalid file size result in the client UI displaying multiple errors.

Solution: Corrected an issue that allowed an incorrect value to be written to policy.xml.

Sustained CPU utilization observed on Citrix environments

Fix ID: ESCRT-6315

Symptoms: ccSvcHst.exe is observed in Citrix environments with a large number of exceptions to sustain ~25% CPU utilization.

Solution: Updated client framework to better accommodate environments with a large number of certain exception types.

SEP client SMC commands do not work without a logged in user

Fix ID: ESCRT-6327

Symptoms: SMC commands do not work without a logged in user.

Solution: Updated SMC command support for systems without a logged in user.

Auto-upgrade doesn’t work when “Maintain existing client features when updating” is unchecked

Fix ID: ESCRT-6333

Symptoms: Unable to click the “OK” button when an Auto-Upgrade package is assigned to a group and the “Maintain existing client features when updating” is unchecked.

Solution: Resolved an issue that prevented the OK button from functioning under a specific configuration.

SEP Mac User Interface displays “Pending” when attempting to open the client

Fix ID: ESCRT-6338

Symptoms: Pending and a loading bar is displayed when attempting to open the SEP Mac Client User Interface.

Solution: Resolved a process crash that can occur when the User Interface is opened.

SEP Mac system extension is observed using high CPU utilization

Fix ID: ESCRT-6359

Symptoms: Corespeechd and Usereventagent consume large amounts of CPU.

Solution: Implemented improvements to the System and Network extensions for the SEP Mac Agent.

SEP Mac client displays warnings when the IPS policy is intentionally disabled

Fix ID: ESCRT-6361

Symptoms: SEP Mac Client User Interface displays “Your Mac is at Risk”.

Solution: Resolved an issue that resulted in the SEP Mac client displaying a warning for a padlocked policy.

ccSvcHst.exe process crash

Fix ID: ESCRT-6384

Symptoms: ccSvcHst.exe crashes after applying a Firewall policy with an Application Rule that has a Last Modified Date specified.

Solution: Corrected a calculation issue with the Last Modified Date field.

14.2 RU2 Core 1.5 SDS content can no longer be updated via JDB

Fix ID: ESCRT-6453

Symptoms: 14.2 RU2 Core 1.5 SDS JDB content fails to apply to a 14.3 RU1 or later SEPM.

Solution: Addressed a processing issue encountered with 14.3 RU2 JDB content.

Bugcheck 0xCA on SyDvCtrl.sys

Fix ID: ESCRT-6457

Symptoms: Intermittent bugcheck observed on Windows 10 2004 when a USB block policy is in place and certain USB devices are inserted.

Solution: Resolved an issue that created the potential for a bugcheck under certain conditions.

SEP Mac firewall displays enabled in SEPM even though it is disabled

Fix ID: ESCRT-6463

Symptoms: SEP Mac clients report that the Firewall is enabled even when it has been intentionally disabled.

Solution: Corrected a problem that prevented the client from reporting the correct Firewall status to the SEPM.

SEP Mac client prevents Apple AirPlay connections

Fix ID: ESCRT-6486

Symptoms: Apple AirPlay is unable to successfully connect after upgrading to 14.3 RU1.

Solution: Resolved a compatibility issue with Apple AirPlay and AppleTV.

Heur.AdvML.C false positive detections observed intermittently

Fix ID: ESCRT-6968

Symptoms: Heur.AdvML.C detections observed intermittently on files with a good reputation.

Solution: Resolved an issue that can occur when a reputation look-up is interrupted.

Component versions

The build number for this release is 14.3.4615.2000. 

Red text indicates components that have updated for this release.