After Symantec Endpoint Protection Manager (SEPM) is upgraded to version 14.3 RU4, the Symantec Endpoint Protection (SEP) client shows an error.
Error: Browser Intrusion Prevention is not functioning correctly
SEPM 14.3 RU4
SEP 14.3 RU4
The Web Extension content folder on the client is empty:
C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Definitions\WebExtDefs
The SEPM lux.log shows that the content was downloaded but failed to install, with the error "Result Message: FAIL - decompression failed":
11:43:24.740218 [Component Result - START]
11:43:24.740218 Component ID: {F17786B6-8BAA-425E-A4FC-DE88BD95C91D}
11:43:24.740218 Display Name: SEPM Web Extensions Win32
11:43:24.741270 PVL: SEPM Web Extensions Win32_14.3 RU4_SymAllLanguages
11:43:24.741270 Result Code: 0x00010000
11:43:24.741270 Result Message: OK
11:43:24.741270 [Package Result - START]
11:43:24.742274 File: 1652203490jtun_sepcwebextensionwin32.7z
11:43:24.742274 Result Code: 0x80010766
11:43:24.742274 Result Message: FAIL - decompression failed
11:43:24.742274 [Package Result - END]
11:43:24.743238 [Component Result - END]
11:43:24.756221 [Component Result - START]
11:43:24.756221 Component ID: {F07786B6-8BAA-425E-A4FC-DE88BD95C91D}
11:43:24.756221 Display Name: SEPM Web Extensions Win64
11:43:24.757266 PVL: SEPM Web Extensions Win64_14.3 RU4_SymAllLanguages
11:43:24.757266 Result Code: 0x00010000
11:43:24.757266 Result Message: OK
11:43:24.758246 [Package Result - START]
11:43:24.758246 File: 1652203763jtun_sepcwebextensionwin64.7z
11:43:24.758246 Result Code: 0x80010766
11:43:24.758246 Result Message: FAIL - decompression failed
11:43:24.759720 [Package Result - END]
11:43:24.759720 [Component Result - END]
This error is related to a content file that cannot be accessed or written.
Web Extensions content contains a main file with a .crx extension (sep.crx).
If .crx files are blocked by an Application and Device Control policy, the content will fail to install.
The SEP Control log contains entries like the following, which show the block:
5/11/2022 11:44:22 AM 502 Critical : (3) Block - Caller MD5=db1c277b6044ac3b73a6deb10f160c62 File Read 0x0 5/11/2022 11:43:19 AM 5/11/2022 11:43:19 AM CRX file access block | File and Folder Access Attempts 167652 C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\bin\sesmcontinst.exe 0x00000000 No Module Name C:\ProgramData\Symantec\LiveUpdate\LiveUpdateDownloads\1652203490jtun_sepcwebextensionwin32.7z.extracted\sep.crx Default SYSTEM NT AUTHORITY No
The Web Extensions content is not available on the SEPM because it is blocked by a custom Application Control rule that blocks read/write access to .crx files.
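The correlation described above can be scripted. The following is an added example, not Symantec code: it pulls failed package results out of lux.log text and looks for Control log "Block" lines that name a file inside that package's .extracted folder. The sample inputs are constructed from the excerpts on this page, and the function names are hypothetical.

```python
import re

# Constructed sample: lux.log lines taken from the Win32 excerpt above.
LUX_LOG = """\
11:43:24.740218 [Component Result - START]
11:43:24.740218 Display Name: SEPM Web Extensions Win32
11:43:24.741270 Result Message: OK
11:43:24.741270 [Package Result - START]
11:43:24.742274 File: 1652203490jtun_sepcwebextensionwin32.7z
11:43:24.742274 Result Code: 0x80010766
11:43:24.742274 Result Message: FAIL - decompression failed
11:43:24.742274 [Package Result - END]
11:43:24.743238 [Component Result - END]
"""
# Constructed sample: Control log entry shortened from the one above.
CONTROL_LOG = (
    r"5/11/2022 11:44:22 AM 502 Critical : (3) Block - Caller MD5=<omitted> File Read "
    r"C:\ProgramData\Symantec\LiveUpdate\LiveUpdateDownloads"
    r"\1652203490jtun_sepcwebextensionwin32.7z.extracted\sep.crx Default SYSTEM"
)

# Timestamp, then either a "[... Result - START/END]" marker or a "Key: value" pair.
LINE = re.compile(r"^\S+\s+(?:\[(Component|Package) Result - (START|END)\]|([^:]+):\s*(.*))$")

def failed_packages(lux_text):
    """Return one dict per package block whose Result Message starts with FAIL."""
    failures, component, package = [], None, None
    for raw in lux_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        scope, edge, key, value = m.groups()
        if scope == "Package" and edge == "START":
            package = {"component": component}
        elif scope == "Package" and package is not None:
            if package.get("Result Message", "").startswith("FAIL"):
                failures.append(package)
            package = None
        elif scope == "Component" and edge == "END":
            component = None
        elif key == "Display Name" and package is None:
            component = value          # component-level name, outside any package
        elif key and package is not None:
            package[key] = value       # File / Result Code / Result Message
    return failures

def blocked_files(package_file, control_text):
    """Names of files inside the package's .extracted folder hit by a Block entry."""
    pat = re.compile(re.escape(package_file) + r"\.extracted\\(\S+)")
    return [m.group(1) for line in control_text.splitlines()
            if "Block" in line for m in pat.finditer(line)]
```

A failed package with a non-empty `blocked_files` result points to an Application Control rule as the cause rather than a corrupt download.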
After the block rule is removed, the content can be installed on the SEPM and is then available for the clients to download.
After the content update, the malfunction error is no longer shown.
Disable the Application Control rule that is blocking the CRX extension.