This document lists the new fixes and component versions in Symantec Endpoint Protection (SEP) 14.3 RU3 (14.3.5413.3000). This information supplements the information found in the Release Notes.

• New Fixes
• Component versions

Download the full release through the Broadcom Software Download Portal. For details, see Download the latest version of Endpoint Protection.

Additional fixes for 14.3 RU3 Patch 2 (14.3.5457.3000)

Symantec Endpoint Protection (Windows)

Incident ID: CRE-8259
Incident Description: Cloud-managed agents may encounter a LiveUpdate error when proxy settings are defined

Incident ID: CRE-9044
Incident Description: Installation rollback observed during CopyFile Action for EdrEpmpCStorage.dat

Incident ID: CRE-9923
Incident Description: Clients switching from one site to another site do not send operational status immediately after switching

Incident ID: CRE-9937
Incident Description: ccSvcHst.exe crash observed under certain low memory conditions

Additional fixes for 14.3 RU3 Patch 1 (14.3.5433.3000)

ccSvcHst.exe exception observed with ucrtbase.dll

Fix ID: ESCRT-8192

Symptoms: Japanese language endpoints observe an intermittent exception with ccSvcHst.exe.

Solution: Corrected a string conversion issue with certain Japanese characters.

Clients display Proactive Threat Protection is malfunctioning error after upgrading to 14.3 RU2

Fix ID: ESCRT-7787

Symptoms: ‘Proactive Threat Protection is malfunctioning.’ error observed on some endpoints after upgrading to 14.3 RU2.

Solution: Resolved a disk latency check failure which was delaying the load of Proactive Threat Protection modules.

Intermittent error observed when downloading large executables with Microsoft Internet Explorer

Fix ID: ESCRT-7619

Symptoms: Race condition can result in download failures for large executables.

Solution: Improved handling of .partial files created by Internet Explorer for large executables.

DHCP release observed when SymErr.exe is executed on Citrix servers

Fix ID: ESCRT-7202

Symptoms: Citrix servers intermittently observe a network connection reset with SEP client telemetry enabled and a scheduled submission event occurs.

Solution: Resolved a case where ping submissions could fail, which resulted in the endpoint attempting to rectify potential network connection issues.

New fixes for 14.3 RU3 (14.3.5413.3000)

ccSvcHst.exe process crash observed intermittently on Group Update Provider

Fix ID: ESCRT-2844

Symptoms: ccSvcHst.exe process crash caused by APPLICATION_FAULT_INVALID_POINTER_READ_ACTIONABLE_EntryCorruption.

Solution: Updated libcurl to version 7.76.1.

‘System Infected: Trojan.Linux.Xorddos Activity 2’ signature is missing from the SEP Mac IPS exception list policy

Fix ID: ESCRT-4334

Symptoms: Signature ID 30739 is missing from the SEP Mac IPS exception list policy.

Solution: Corrected an issue that prevented certain signature IDs from displayed properly.

Computer Status export operation takes an extended period of time

Fix ID: ESCRT-5396

Symptoms: When attempting to export a Computer Status report from the SEPM, the operation takes an extended period of time when there are a large number of records.

Solution: Updated the Computer Status export query to significantly improve query performance.

Host Integrity only logs a security event the first time if there is no change in the result

Fix ID: ESCRT-5545

Symptoms: Host Integrity logs a security event only the first time if there is no change in result.

Solution: Updated the setting “Keep result of check for” to trigger a Host Integrity check every 24 hours if it is set to 1 day.

Site drop-down dialog window in SEPM continues to show sites that have been deleted

Fix ID: ESCRT-5670

Symptoms: References to SEPM sites that have been intentionally deleted will continue to appear in the “Site” drop-down dialog window for logs and reporting filters.

Solution: Sites that have been intentionally deleted will no longer appear in the Site drop-down dialog.

Export of SONAR logs filtered by Risk Name results in an empty CSV file

Fix ID: ESCRT-6291

Symptoms: Filtering on a specific Risk Name within Monitors->Logs->SONAR and attempting to export the results creates a blank CSV file.

Solution: Updated the export query to return the expected results.

SEP Mac IPS event action is missing from the IPS event log

Fix ID: ESCRT-6340

Symptoms: IPS events do not show the action taken when viewing the logs in SEPM reporting.

Solution: Added support for SEP Mac IPS events to include the action taken. 

Devices are not searchable in the ICDm Console even though events appear under the Investigation tab

Fix ID: ESCRT-6411

Symptoms: Cloud-managed endpoints prepared via the ClientSideClonePrepTool are not searchable in the ICDm console.

Solution: Updated the SEP client to properly interact with ClientSideClonePrepTool when it is in a cloud-managed configuration.

SEPM Web Console returns “Internal Error” after upgrading to a newer version

Fix ID: ESCRT-6590

Symptoms: SEPM Remote Web Console returns “Internal Error – The request resulted in an internal error.” after upgrading to a newer version.

Solution: Corrected an error that prevented certain JAR files from being replaced during the upgrade process.

SEPMasterService doesn’t start as expected after upgrading to a newer version

Fix ID: ESCRT-6624

Symptoms: SEPMasterService doesn’t start as expected if an upgrade to a newer version of the SEP client is pending and then a Microsoft Windows Update is then downloaded and installed before the reboot is performed to complete the upgrade process.

Solution: In 14.3 RU3, subsequent upgrades no longer require a reboot to complete the upgrade process.

SEP Firewall unexpectedly blocks SonicWall Connect VPN traffic

Fix ID: ESCRT-6692

Symptoms: SEP Firewall blocks SonicWall Connect VPN traffic even with an Allow rule in place.

Solution: Resolved an issue that caused misidentification of the adapter type for SonicWall Connect VPN.

SEP Firewall unexpectedly blocks SonicWall Connect VPN traffic

Fix ID: ESCRT-6716

Symptoms: SEP Firewall blocks SonicWall Connect VPN traffic even with an Allow rule in place.

Solution: Resolved an issue that caused misidentification of the adapter type for SonicWall Connect VPN.

Out of Date client count on SEPM Home Page is incorrect on initial login

Fix ID: ESCRT-6785

Symptoms: “Out of Date” client count on SEPM Home Page doesn’t update until the administrator attempts to drill down into the results.

Solution: Updated login procedure to ensure the “Out of Date” client count is correctly reflected when the Home page is initially loaded.

Send Test Email button does not send an email if configured to use SSL

Fix ID: ESCRT-6790

Symptoms: The Send Test Email button in the Server Properties->Email Server tab does not work if “Require the specified email server to use a secure connection” is checked and the protocol is set to SSL.

Solution: Corrected an issue that caused an invalid certificate path to be returned when Send Test Email is configured to use SSL.

Installation packages created from an imported SEPM domain appear in an incorrect group

Fix ID: ESCRT-6797

Symptoms: Installation packages linked to an imported SEPM domain, results in the SEP client reporting to a group associated with the original domain.

Solution: Fixed an issue that caused the group id to be retained when multiple domains are exported and imported.

Checksum.exe exits without completing

Fix ID: ESCRT-6831

Symptoms: Checksum.exe closes unexpectedly and the logs indicate a crash occurred at 0xc0000005.

Solution: Fixed a crash in Checksum.exe under certain conditions.

Bugcheck 139 on Sysplant.sys

Fix ID: ESCRT-6845

Symptoms: Intermittent blue screen of death observed on Windows Server 2016 under certain conditions.

Solution: Resolved a timing issue in Sysplant that could result in a rare crash condition.

Citrix VDI endpoints intermittently crash with Radia Client Automation Agent installed

Fix ID: ESCRT-6852

Symptoms: Intermittent blue screen of death observed on Citrix VDI endpoints that have both SEP and Radia Client Automation Agent installed.

Solution: Resolved an interaction between Auto-Protect and Radia Client Automation Agent that had the potential to result in a crash.

SanDisk 3.2 Gen 1 USB devices are not recognized by SEP

Fix ID: ESCRT-6855

Symptoms: SanDisk 3.2 Gen 1 USB devices are unable to interact with Application and Device Control as the Device ID is not passed to SEP correctly.

Solution: Corrected an issue with how Application and Device Control handles the registry key path for certain device types.

Location does not change as expected when conditions are met

Fix ID: ESCRT-6974

Symptoms: Location Awareness policy that uses a DNSLookUp condition does not change locations even though the criteria for change is met.

Solution: Updated the SEP client to ensure stale data is properly cleared when DNS info changes.

Severity filter in SEPM logs does not include all expected events

Fix ID: ESCRT-7033

Symptoms: When the Severity filter is set to “Minor and above” for Monitors->Compliance->Client Host Integrity, events above Minor are not included in the results.

Solution: Updated the Severity filter query to ensure the intended events are included when set to “Minor and above”.

MemoryMonitor setting does not always restart SEPMasterService

Fix ID: ESCRT-7074

Symptoms: SEPMasterService does not restart intermittently when MemoryMonitor is configured.

Solution: Resolved an issue that prevented SEPMasterService from stopping under certain conditions.

An error message is displayed when attempting to modify Provider Order

Fix ID: ESCRT-7104

Symptoms: Attempting to modify the network provider list in the Provider Order tab results in the error: “Failed to get network providers.” after upgrading.

Solution: Fixed a problem with unmanaged client installations that caused SnacNP to be added to the network provider list.

Endpoints with a localized computer domain name are unable to download definition content

Fix ID: ESCRT-7137

Symptoms: Endpoints that have a Korean language domain name are unable to receive definition content.

Solution: Corrected an encoding issue that prevented the endpoint from downloading content under certain conditions.

SEDR connection with a 14.3 RU2 SEPM is interrupted by an error

Fix ID: ESCRT-7150

Symptoms: The error: “Exception while applying group level policy for task: Exception PolicyTask.” is observed when attempting to establish a connection from SEDR to a 14.3 RU2 SEPM.

Solution: Corrected an issue that caused a SEPM RESTAPI to return a 500 Internal Server Error.

14.3 RU2 SEPM Home Page does not load when the database originates from a location where server collation was enabled

Fix ID: ESCRT-7187

Symptoms: SEPM Home Page does not load after upgrading to 14.3 RU2 when the database originates from an environment where server collation was enabled at some point in its history.

Solution: Corrected an issue that caused certain tables created as part of the upgrade to 14.3 RU2 to use server collation.

Virtual Image Exception tool returns a 1920 error

Fix ID: ESCRT-7211

Symptoms: VIETool returns the error: “Unable to read file (1920)” when attempting to interact with certain long file paths.

Solution: Improved support for long file paths in VIETool.

“All” filter is unable to be selected from drop-down in SEPM Monitors Compliance log

Fix ID: ESCRT-7261

Symptoms: “All” is missing from some drop-down filters when attempting to filter within the SEPM Monitors->Logs->Compliance log.

Solution: Updated conditional settings to ensure “All” is available within all applicable filter drop-downs.

Endpoints with a large number of excluded IPS signatures take an extended period of time to load

Fix ID: ESCRT-7272

Symptoms: ccSvcHst.exe consumes a significant amount of CPU on startup for an extended period of time when a large (>1000) number of excluded IPS signatures is applied via policy.

Solution: Improved policy processing to accommodate large IPS exception policies.

SEPM java “Out of Memory” error intermittently encountered

Fix ID: ESCRT-7288

Symptoms: When the SEPM Audit Log contains a large number of entries an Out of Memory error is intermittently encountered.

Solution: Fixed an OutOfMemoryError for the External Logging – Audit Log.

SEP Linux clients do not honor their LiveUpdate policy

Fix ID: ESCRT-7340

Symptoms: SEP Linux clients do not honor their LiveUpdate policy when it has been modified to point to an internal LiveUpdate server or configured to use SEPM Reverse Proxy.

Solution: Corrected a timing issue that prevented LiveUpdate from using the appropriate configuration if it did not successfully shutdown.

ccSvcHst.exe crashes intermittently on Windows Server 2008 R2

Fix ID: ESCRT-7393

Symptoms: ccSvcHst.exe crashes intermittently on Windows Server 2008 R2 with ucrtbase.dll.

Solution: Fixed an exception that could occur under certain conditions.

Edit Properties dialog window does not appear for some clients on the Clients page

Fix ID: ESCRT-7402

Symptoms: When right-clicking a client on the Clients page and selecting Edit Properties, the dialog window does not always appear.

Solution: Corrected an exception encountered when attempting to load the Edit Properties dialog for certain clients.

Internal Server Error encountered when attempting to enroll Endpoint Threat Defense for Active Directory with a SEPM

Fix ID: ESCRT-7481

Symptoms: Enrolling Endpoint Threat Defense for Active Directory with a SEPM that contains SecureID authenticated administrators results in an Internal Server Error.

Solution: Resolved an issue that caused SETDAD to encounter an exception during enrollment when SecureID administrators are present.

Limited Administrator accounts experience slow performance when viewing the SEPM Home Page and other resources

Fix ID: ESCRT-7604

Symptoms: Slow performance and resource access is impacted when logged in as a Limited Administrator level account.

Solution: Improved query performance for Limited Administrator accounts.

SEP Linux kernel panic observed on Ubuntu 14 when auditd starts

Fix ID: ESCRT-7659

Symptoms: Intermittent system crash observed on Ubuntu 14 when auditd starts.

Solution: Fixed a memory corruption issue that could occur when auditing is enabled on Ubuntu 14.

Component versions

The build number for this release is 14.3.5413.3000. 

Red text indicates components that have updated for this release.