Browser Intrusion Prevention is not functioning correctly

Article ID: 243067

Products

Endpoint Protection

Issue/Introduction

After Symantec Endpoint Protection Manager (SEPM) is upgraded to version 14.3 RU4, the Symantec Endpoint Protection (SEP) client shows an error.
Error: Browser Intrusion Prevention is not functioning correctly

Environment

SEPM 14.3 RU4

SEP 14.3 RU4

Cause

The Web Extension content folder on the client is empty:
C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Definitions\WebExtDefs

The SEPM lux.log shows that the content was downloaded but failed to install, with the error "Result Message: FAIL - decompression failed":

11:43:24.740218  [Component Result - START]
11:43:24.740218   Component ID: {F17786B6-8BAA-425E-A4FC-DE88BD95C91D}
11:43:24.740218   Display Name: SEPM Web Extensions Win32
11:43:24.741270   PVL: SEPM Web Extensions Win32_14.3 RU4_SymAllLanguages
11:43:24.741270   Result Code: 0x00010000
11:43:24.741270   Result Message: OK
11:43:24.741270   [Package Result - START]
11:43:24.742274    File: 1652203490jtun_sepcwebextensionwin32.7z
11:43:24.742274    Result Code: 0x80010766
11:43:24.742274    Result Message: FAIL - decompression failed
11:43:24.742274   [Package Result - END]
11:43:24.743238  [Component Result - END]

11:43:24.756221  [Component Result - START]
11:43:24.756221   Component ID: {F07786B6-8BAA-425E-A4FC-DE88BD95C91D}
11:43:24.756221   Display Name: SEPM Web Extensions Win64
11:43:24.757266   PVL: SEPM Web Extensions Win64_14.3 RU4_SymAllLanguages
11:43:24.757266   Result Code: 0x00010000
11:43:24.757266   Result Message: OK
11:43:24.758246   [Package Result - START]
11:43:24.758246    File: 1652203763jtun_sepcwebextensionwin64.7z
11:43:24.758246    Result Code: 0x80010766
11:43:24.758246    Result Message: FAIL - decompression failed
11:43:24.759720   [Package Result - END]
11:43:24.759720  [Component Result - END]

This error occurs when a content file cannot be accessed or written.
The Web Extensions content contains a main file with the .crx extension (sep.crx).
If .crx files are blocked by an Application and Device Control policy, the content fails to install.

The SEP Control log contains entries like the following, which show the block:

5/11/2022 11:44:22 AM 502 Critical : (3) Block  - Caller MD5=db1c277b6044ac3b73a6deb10f160c62 File Read 0x0 5/11/2022 11:43:19 AM 5/11/2022 11:43:19 AM CRX file access block | File and Folder Access Attempts 167652 C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\bin\sesmcontinst.exe 0x00000000 No Module Name C:\ProgramData\Symantec\LiveUpdate\LiveUpdateDownloads\1652203490jtun_sepcwebextensionwin32.7z.extracted\sep.crx Default SYSTEM NT AUTHORITY No
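
The correlation described above, as an added example (not Broadcom tooling): it extracts failed package results from lux.log and looks for Application Control block entries under each failed package's .extracted folder. The lux.log lines are taken from this article and the control-log line is abbreviated from its entry; matching on the word "Block" and the `.extracted\` path is an assumption about the log layout based on that single entry.

```python
import re

FIELD = re.compile(r"^\S+\s+(Display Name|File|Result Code|Result Message): (.*)$")

def failed_packages(lux_text):
    """Return one dict per package result in lux.log whose message is not OK."""
    failures, component, pkg = [], None, None
    for line in lux_text.splitlines():
        if "[Package Result - START]" in line:
            pkg = {"component": component}
        elif "[Package Result - END]" in line:
            if pkg and not pkg.get("message", "").startswith("OK"):
                failures.append(pkg)
            pkg = None
        elif (m := FIELD.match(line.rstrip())):
            key, value = m.groups()
            if key == "Display Name":
                component = value
            elif pkg is not None:  # component-level results can say OK; skip them
                pkg[key.split()[-1].lower()] = value  # -> file / code / message
    return failures

def blocking_entries(failures, control_text):
    """Map each failed package to control-log Block lines under its .extracted folder."""
    hits = {}
    for pkg in failures:
        if not (name := pkg.get("file")):
            continue
        marker = (name + ".extracted\\").lower()
        hits[name] = [l for l in control_text.splitlines()
                      if " block " in l.lower() and marker in l.lower()]
    return hits

# Sample input: lux.log lines from the article; control-log entry abbreviated from it.
LUX_LOG = """\
11:43:24.740218   Display Name: SEPM Web Extensions Win32
11:43:24.741270   Result Code: 0x00010000
11:43:24.741270   Result Message: OK
11:43:24.741270   [Package Result - START]
11:43:24.742274    File: 1652203490jtun_sepcwebextensionwin32.7z
11:43:24.742274    Result Code: 0x80010766
11:43:24.742274    Result Message: FAIL - decompression failed
11:43:24.742274   [Package Result - END]
"""
CONTROL_LOG = (r"5/11/2022 11:44:22 AM 502 Critical : (3) Block - File Read CRX file access block "
               r"C:\ProgramData\Symantec\LiveUpdate\LiveUpdateDownloads"
               r"\1652203490jtun_sepcwebextensionwin32.7z.extracted\sep.crx")
if __name__ == "__main__":
    print(blocking_entries(failed_packages(LUX_LOG), CONTROL_LOG))
```

An empty list for a failed package means no matching block entry was found, so the decompression failure has some other cause.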

 

Resolution

The Web Extensions content is not available on the SEPM because a custom Application Control rule that blocks read/write access to .crx files prevents it from being installed.
After the block rule is removed, the content can be installed on the SEPM and then becomes available for the clients to download.
After the content update, the malfunction error is no longer shown.

Disable the Application Control rule that is blocking the CRX extension.