Symantec Endpoint Detection and Response (EDR) Patching for DigiCert G1 Expiration Required by October 15th, 2026

Article ID: 439693

Products

  • Endpoint Detection and Response
  • Endpoint Detection and Response Cloud
  • Endpoint Detection and Response Hardware

Issue/Introduction

The recent expiration of DigiCert’s G1 root certificate can disrupt the ability of Symantec Endpoint Detection and Response (EDR) to download updates and hotfix patches. If no action is taken before October 15th, 2026 at 11:59:59 PM UTC, the system may fail to validate the update server’s certificate chain, causing update attempts to fail.

Environment

Symantec EDR
Versions: 4.9.1, 4.10, 4.11, 4.12

Resolution

  • Broadcom will continue to support product updates and hotfix patches during a 6-month transition period, through October 15th, 2026 at 11:59:59 PM UTC.
  • Broadcom's upgrade and hotfix patch servers will support connections from Symantec EDR appliances during this time.  

 

Why you can still download the fix today
Broadcom will support backwards compatibility through a cross-signed certificate on the server which is compatible with existing in-field SEDR deployments.  As a result, the normal download path for this hotfix remains available while that server certificate is valid.

 

What you must do before October 15th, 2026 at 11:59:59 PM UTC

  • Customers are required to complete patching before the end of the transition period, which is October 15th, 2026 at 11:59:59 PM UTC.
  • After this deadline, access to Broadcom repositories from unpatched appliances will be disabled, and all attempts to download hotfixes or product upgrades for SEDR will fail.

To avoid service disruption and ensure continued supportability, customers must plan and execute remediation in advance, using the per-version table below as a reference for their specific deployment. Failure to patch by October 15th, 2026 at 11:59:59 PM UTC prevents certificate chain validation for update servers, which will result in loss of update capability and may leave systems exposed to known vulnerabilities.

Your SEDR version | What to do

4.12 or 4.11 (Currently supported)

Use the SEDR command line patch command to download and install the hotfix for your release. 

admin> patch download atp-patch4-generic-4.11.0_4.12.0-1
admin> patch install atp-patch4-generic-4.11.0_4.12.0-1

 

Note: When you upgrade from a patched 4.11 to 4.12, the hotfix must be re-applied.  After the upgrade, you must first remove the previous patch and install a new one as follows:

admin> patch remove atp-patch4-generic-4.11.0_4.12.0-1 

...

admin> patch install atp-patch4-generic-4.11.0_4.12.0-1

...

4.9.1 (Limited exception)

Use the SEDR command line patch command to install the 4.9.1-specific hotfix.

admin> patch download atp-patch9-generic-4.9.1-1
admin> patch install atp-patch9-generic-4.9.1-1

This version is currently EOSL (End Of Service Life). This is a one-time exception where a hotfix is being provided. Broadcom strongly recommends that you migrate to at least 4.11 in the near future.

  • If you choose to upgrade to 4.11 or 4.12 before October 15th, 2026 at 11:59:59 PM UTC, you do not need to apply the hotfix until after you upgrade.
  • If you apply the hotfix to 4.9.1 and then upgrade, you still need to apply the hotfix after upgrading to 4.11 or 4.12.

Note: A direct upgrade from 4.9.1 to 4.12 is not possible.  You must first upgrade directly to 4.11, then use the product upgrade feature to update to 4.12.

4.10 (EOL)

The support status of this release differs from that of versions 4.11 and 4.12.

  1. Upgrade to 4.12
  2. Then apply the 4.12 hotfix with the patch command

The same cross-sign window applies: complete the upgrade and apply the 4.12 hotfix before October 15th, 2026 at 11:59:59 PM UTC so download paths remain open.
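
The per-version rules above can be turned into a runbook generator for a fleet of appliances. This is an added example, not Broadcom's code: the hotfix names and the deadline are taken from this article, while `plan`, `fleet_report` and the sample inventory are hypothetical. Upgrades appear as plain descriptions because the article gives no upgrade command.

```python
from datetime import datetime, timezone

# Deadline and hotfix names come from the article; the rest is illustrative.
DEADLINE = datetime(2026, 10, 15, 23, 59, 59, tzinfo=timezone.utc)
PATCH4 = "atp-patch4-generic-4.11.0_4.12.0-1"
HOTFIX = {"4.9.1": "atp-patch9-generic-4.9.1-1", "4.11": PATCH4, "4.12": PATCH4}
# Documented upgrade hops: 4.9.1 cannot jump to 4.12; 4.10 is sent to 4.12.
NEXT_HOP = {"4.9.1": "4.11", "4.10": "4.12", "4.11": "4.12"}


def plan(version, patched=False, target=None):
    """Ordered steps for one appliance (hypothetical helper)."""
    target = target or ("4.12" if version == "4.10" else version)
    if target not in HOTFIX:
        raise ValueError(f"no hotfix listed for {target}")
    steps, remove_first = [], False
    while version != target:
        if version not in NEXT_HOP:
            raise ValueError(f"no documented upgrade path from {version} to {target}")
        # The article documents a remove step only for patched 4.11 -> 4.12.
        remove_first = patched and version == "4.11"
        version = NEXT_HOP[version]
        steps.append(f"upgrade to {version}")
        patched = False  # the hotfix has to be applied again after an upgrade
    if not patched:
        name = HOTFIX[version]
        first = "remove" if remove_first else "download"
        steps += [f"patch {first} {name}", f"patch install {name}"]
    return steps


def fleet_report(inventory, now):
    """Return (steps per appliance, whole days left, appliances already cut off).

    Past the deadline, unpatched appliances can no longer download anything."""
    days = (DEADLINE - now).days
    report = {name: plan(ver, patched, target)
              for name, ver, patched, target in inventory}
    blocked = [n for n, _, patched, _ in inventory if not patched] if days < 0 else []
    return report, days, blocked


# Constructed inventory: (name, version, hotfix applied, desired version).
SAMPLE = [("edr-a", "4.12", False, None), ("edr-b", "4.11", True, "4.12"),
          ("edr-c", "4.9.1", False, "4.12"), ("edr-d", "4.10", False, None)]

if __name__ == "__main__":
    report, days, blocked = fleet_report(SAMPLE, datetime(2026, 9, 1, tzinfo=timezone.utc))
    for name, steps in report.items():
        print(name, "->", "; ".join(steps))
    print(days, "days left; blocked:", blocked)
```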