
Disabling CBC cipher for the Endpoint Protection Manager


Article ID: 257539


Updated On:


Endpoint Protection


NMAP vulnerability testing performed against a server running the Symantec Endpoint Protection Manager (SEPM) may raise an alert for the use of a weak CBC cipher. To clear this alert, and to mitigate possible attacks against the weak cipher, the CBC cipher suites must be disabled on the SEPM server.


The CBC cipher is reported as vulnerable, and some organizations may need to disable it to comply with their vulnerability scanning requirements.


To disable CBC for client communications and SEPM Reporting functions, make the following changes:

1.) Create backups first, then edit the ssl.conf and sslForClients.conf files within the following path:
\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\apache\conf\ssl

2.) In both files, locate the line containing the string SSLCipherSuite (the same line is present in each file).

3.) At the end of that line, add !SHA1:!SHA256:!SHA384 (without double quotes), separated from the last existing entry by a colon. Do this in both files.

4.) Save the changes made to each file.

5.) Reboot the SEPM server, or restart the Symantec Endpoint Protection Manager and Symantec Endpoint Protection Manager Webserver services.


To disable CBC for internal SEPM server communications and web services:

  1. Create a backup of the following files
    • .../tomcat/conf/server.xml
    • .../tomcat/instances/sepm-api/conf/server.xml
  2. Edit .../tomcat/conf/server.xml
    1. Locate the line containing the string SSLCipherSuite and, at the end of the line, add !SHA1:!SHA256:!SHA384 (without double quotes), as in the example below:
      • SSLCipherSuite HIGH:!MEDIUM:!LOW:!aNULL:!eNULL:!3DES:!RC4:!SHA1:!SHA256:!SHA384
    2. Save the file
  3. Repeat Step 2 for the file .../tomcat/instances/sepm-api/conf/server.xml
  4. Restart the following SEPM Services
    • Symantec Endpoint Protection Manager
    • Symantec Endpoint Protection Manager API Service
    • Symantec Endpoint Protection Manager Webserver
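The two procedures above come down to the same edit: append `!SHA1:!SHA256:!SHA384` to an existing `SSLCipherSuite` value so that every cipher suite whose record protection is HMAC-SHA (that is, every CBC suite) is excluded, leaving only AEAD suites (GCM, CCM, CHACHA20-POLY1305). The script below is an added example, not code from Broadcom or from the SEPM product: it applies that edit to a cipher string in either the Apache directive form (ssl.conf, sslForClients.conf) or the Tomcat attribute form (server.xml), and then asks the local OpenSSL, through Python's `ssl` module, which enabled suites are still non-AEAD, which is the check you would want before restarting the services. The configuration fragments it operates on are constructed for the example and are not the real SEPM files; the regular expression for locating the directive is this example's own assumption.

```python
import re
import ssl

# Exclusions from the article: every suite using an HMAC-SHA MAC is a CBC suite,
# so excluding SHA1/SHA256/SHA384 leaves only AEAD suites enabled.
CBC_EXCLUSIONS = "!SHA1:!SHA256:!SHA384"

# Assumed pattern (not from the product): matches the Apache form
#   SSLCipherSuite HIGH:!MEDIUM...
# and the Tomcat attribute form
#   SSLCipherSuite="HIGH:!MEDIUM..."
# Group 2 is the cipher string itself.
_DIRECTIVE = re.compile(r'(SSLCipherSuite\s*=?\s*"?)([^"\s]+)("?)')


def harden_cipher_string(cipher_string):
    """Append the CBC exclusions, colon-separated, skipping any already present."""
    present = cipher_string.split(":")
    missing = [tok for tok in CBC_EXCLUSIONS.split(":") if tok not in present]
    if not missing:
        return cipher_string
    return cipher_string.rstrip(":") + ":" + ":".join(missing)


def harden_config_text(text):
    """Rewrite every SSLCipherSuite value in a config text, leaving '#' comments alone."""
    out = []
    for line in text.splitlines(keepends=True):
        if line.lstrip().startswith("#"):
            out.append(line)
            continue
        out.append(_DIRECTIVE.sub(
            lambda m: m.group(1) + harden_cipher_string(m.group(2)) + m.group(3), line))
    return "".join(out)


def non_aead_suites(cipher_string):
    """Evaluate cipher_string with the local OpenSSL and return the names of enabled
    suites that are not AEAD, i.e. the CBC/HMAC suites a scanner would flag.
    A string that selects no suite at all would stop the web server from starting,
    so that case is reported as an error rather than as an empty list."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError as exc:
        raise ValueError("cipher string selects no suites: %s" % cipher_string) from exc
    return [c["name"] for c in ctx.get_ciphers() if not c["aead"]]


# Constructed fragments in the style of the two file types (not the real SEPM files).
SAMPLE_SSL_CONF = """\
# constructed apache/conf/ssl fragment
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!MEDIUM:!LOW:!aNULL:!eNULL:!3DES:!RC4
"""
SAMPLE_SERVER_XML = (
    '<Connector port="8443" '
    'SSLCipherSuite="HIGH:!MEDIUM:!LOW:!aNULL:!eNULL:!3DES:!RC4" />\n'
)


if __name__ == "__main__":
    before = "HIGH:!MEDIUM:!LOW:!aNULL:!eNULL:!3DES:!RC4"
    after = harden_cipher_string(before)
    print("still non-AEAD before:", non_aead_suites(before))
    print("still non-AEAD after: ", non_aead_suites(after))
    print(harden_config_text(SAMPLE_SSL_CONF))
    print(harden_config_text(SAMPLE_SERVER_XML))
```

Running it prints the CBC suites that the original string still enables (names such as ECDHE-RSA-AES256-SHA384, depending on the local OpenSSL build) and an empty list for the hardened string. The check covers TLS 1.2 and below; TLS 1.3 suites are selected separately by OpenSSL and are all AEAD, so they are unaffected by this edit.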

Additional Information

An NMAP test scan of the ports in question can be run from the command line:

C:\Users\Administrator>nmap --script ssl-enum-ciphers -p 8443 xx.xx.xx.xx