Unable to deploy Symantec Endpoint Protection client via Remote Push; Error: could not copy protectionxxxx.dat to export directory
search cancel

Unable to deploy Symantec Endpoint Protection client via Remote Push; Error: could not copy protectionxxxx.dat to export directory

book

Article ID: 268466

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

When trying to deploy Symantec Endpoint Protection client via remote push, the deployment fails.

In RemotePushInstallClientWin-#.log you see the following error message.

2022-10-12 18:15:29.008 THREAD 83 FINEST: PackageExportUtil> copyAllowListFiles>> copying file protection07C1E07A83D93BF9E65DD275C519D656.dat
2022-10-12 18:15:29.009 THREAD 83 SEVERE: PackageExportUtil> copyAllowListFiles>> could not copy protection07C1E07A83D93BF9E65DD275C519D656.dat to export directory
2022-10-12 18:15:29.009 THREAD 83 FINEST: RemotePushInstallClientWinHandler> preparePackage>> copying allow list files finished with result: false

Environment

Symantec Endpoint Protection Manager 14.3 RU5 refresh, RU6 and RU7 with fingerprint list populated into system lock down.

Cause

This is a known issue where SEPM fails to build SEP packages that include a system lockdown policy with imported file fingerprints. If you push a package from a group containing such a policy, the package export utility will fail.

Resolution

This problem has been fixed as of SEPM 14.3 RU8.

As a workaround, you can push the package and choose to export it from a different group that does not contain a system lockdown policy with fingerprint lists. If necessary, you can create a separate group. Once the SEP agent has been deployed, you can move it to the required group that includes the system lockdown fingerprint list.

Additional Information

This dat file contains the file fingerprint list for the system lockdown policy. The remote push package build is trying to pull this file to include, looking it up by the checksum of the contents when it went into the database. The trouble is, when the file is written to the outbox\agent\whitelist\dat directory, it's written out in encrypted format, and its filename uses its current (post-encryption) checksum instead of what's in the database. These two checksums will never match.