ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Deception Reports force the SEPM console to log out


Article ID: 238584


Updated On:


Endpoint Protection


While trying to run a Deception Report, user gets logged out after hitting Create Report button. After that, user is back at the SEPM login page and a small window with the line "Reporting - Log On" appears.

Following records can be found in the reporting.log:

ERROR:form verification failed - form: FilterForm, file: DeceptionReport.php, referer: https://win-m8mge1fr057:8445/Reporting/behavior/deceptionreports.php?FirstRun=1_
ERROR:could not find valid username in session
ERROR:request verification failed - file=DeceptionReport.php, referer=
INFO:Ssl client verification not successful so not getting the client certificate
INFO:Login start


The issue is due to the missing form tokens. For example:

$filterFormVerified = AuthUtils::verifyFormTokenFromRequest('behavior_filterform');
$switcherFormVerified = AuthUtils::verifyFormTokenFromRequest('behaviorswitcher');
$updateFilterFormVerified = AuthUtils::verifyFormTokenFromRequest('behavior_updatefilter');
$switcherTypeFormVerified = AuthUtils::verifyFormTokenFromRequest('switchtype_form');

if (!$filterFormVerified && !$switcherFormVerified && !$updateFilterFormVerified && !$switcherTypeFormVerified
&& !AuthUtils::verifyFormTokenFromRequest('secondary'))

Unknown macro: { AuthUtils}


SEP 14.3 RU3/RU4


Permanent fix should get included to RU5. 

For workaround please follow the below instruction.

  • Locate the directory <SEPM>\Inetpub\Reporting\Behavior
  • Back up the following files:
    • DeceptionReport.php
    • DeceptionReportUserName.php
    • DeceptionReportTarget.php
    • DeceptionReportRuleName.php
  • Replace the 4 files with the new ones from the attached zip file,

Important note: If the fix was applied, the original files need to be replaced prior to upgrading!

Attachments get_app