New fixes in Symantec Endpoint Protection 12.1.6

Article ID: 161982

Products

Endpoint Protection

Issue/Introduction

This document lists the new fixes and component versions in Symantec Endpoint Protection 12.1 Release Update 6 (SEP RU6, or 12.1.6). This information supplements the information found in the Release Notes.

Resolution

Symantec Endpoint Protection 12.1.6 fixes

Apache process crashes, clients reporting offline after SEPM upgrade

Fix ID: 3680595, 3682969, 3721675

Symptom: In environments with large numbers of content definition downloads, httpd.exe crashes.

Solution: Fixed the logic in the high-performance file download routines for Symantec Endpoint Protection Manager’s httpd.exe implementation.

Unexpected server error on SEPM

Fix ID: 3725146

Symptom: The processing of content events stops if an event has the wrong number of fields.

Solution: Correctly handle an event with the wrong number of fields so that Symantec Endpoint Protection Manager can continue to process events that are in the correct format.

Excessive non-paged memory used by Symnets.sys driver

Fix ID: 3362553

Symptom: Symnets.sys exhausts non-paged pool memory.

Solution: Eliminated invalid calls that lead to memory exhaustion.

Thin client cannot connect to a Citrix Xen Desktop VDI after a virus definition update

Fix ID: 3590578

Symptom: System freezes due to a deadlock in File System Auto-Protect driver after updating virus definitions.

Solution: Modified File System Auto-Protect driver to avoid this deadlock.

After upgrade to SEP 12.1 RU5, unexpected server error: "Latest full not found"

Fix ID: 3646984

Symptom: Certain content definitions, such as CIDS signatures, do not update during LiveUpdate for Symantec Endpoint Protection Manager due to the incorrect removal of the latest content definitions.

Solution: Updated Symantec Endpoint Protection Manager’s routines to appropriately manage latest and non-latest full definition content removal logic.

GUP fails to retrieve content from SEPM with error: “GUProxy - not enough memory”

Fix ID: 3652490

Symptom: The Symantec Endpoint Protection client cannot download the full definition contents (full.zip) when multiple concurrent full.zip downloads are in progress from the Group Update Provider.

Solution: Added support for multiple concurrent full.zip content downloads from the Group Update Provider.

ccSvcHst.exe crashes and fills up the hard drive with large dump files

Fix ID: 3673616

Symptom: The Common Client Crash Handler fills the client hard drive with large memory dump files generated by the frequent crashing of ccSvcHst.exe.

Solution: Disable the Common Client trace crash handler settings once the Symantec Endpoint Protection installer exits.

Duplicate processing of DAT files on SEPM

Fix ID: 3742133

Symptom: Symantec Endpoint Protection Manager can duplicate the processing of DAT files if the Apache or Tomcat service restarts, which leads to out-of-memory issues.

Solution: Process the DAT file if it's already a combined DAT file, instead of appending it to another DAT file.

Scheduled Reports run at a later time every day

Fix ID: 2148375

Symptom: A scheduled report does not run on time in many common scenarios, such as the Symantec Endpoint Protection Manager server being powered off for a period of time, or on the 31st day in a month.

Solution: Separated the logic for the monthly scenario from the other options (Hourly, Daily, Weekly), and optimized the logic to handle all scenarios.

Submission Control Signature SEPM Client Activity Log might show submission failures

Fix ID: 3511712

Symptom: The Client Activity log displays messages indicating that a submission from Intrusion prevention failed.

Solution: Removed an older, obsolete server name from the Symantec Endpoint Protection client installation configuration file, which was causing the issue.

Blue screen appears on SEP client computers

Fix ID: 3584396

Symptom: Symantec Endpoint Protection client computer experiences a blue screen error with BugCheck 50.

Solution: Resolved an issue with a change in the SRTSP (AP) module that caused the blue screen.

SEP clients try to reach Download Insight website directly

Fix ID: 3611350

Symptom: A Symantec Endpoint Protection component tries to connect to the external Symantec URL for Download Insight, ignoring proxy settings, if a connection to the proxy server fails for any reason.

Solution: Updated behavior to appropriately honor proxy settings.

SMC maximum password length options differ between command line and user interface

Fix ID: 3620589

Symptom: The SMC.exe -p command-line option does not work when the password defined in the Symantec Endpoint Protection Manager policy exceeds 15 characters.

Solution: Changed the maximum accepted command-line password length to 256 characters.

Discrepancy on the SEPM Home Page Endpoint Status report for limited administrators

Fix ID: 3628312

Symptom: Limited administrators see a discrepancy in the information displayed on the Home page and the data displayed in the actual reports on the Home page, such as Out-of-date and Up-to-date.

Solution: Corrected query logic to correctly display all information that is available to the limited administrator.

12.1 RU5 Download Insight fails due to IPS component with Virus and Spyware Protection-only install

Fix ID: 3632782

Symptom: With a Symantec Endpoint Protection 12.1 RU5 client that installs only Virus and Spyware Protection and Advanced Download Protection, Download Insight malfunctions on Windows XP and Windows Server 2003 platforms, due to a missing component.

Solution: Updated the installer to correctly install all necessary Symantec Endpoint Protection kernel components when only the Virus and Spyware Protection and Advanced Download Protection options are chosen.

SEP Daily Status report does not show correct number of computers

Fix ID: 3640666

Symptom: The Daily/Weekly Scheduled Risk Reports display inconsistent computer counts.

Solution: Corrected the queries in the reports so that the counts are consistent.

Device control policy to block printer results in blocking USB Hub devices

Fix ID: 3644812

Symptom: A device control policy to block printer devices actually results in blocking USB Hub devices as well.

Solution: Modified device control to only block the printer’s parent USB device.

Blue screen error after upgrading SEP

Fix ID: 3649959

Symptom: A blue screen occurs with BugCheck 3b on Symantec Endpoint Protection client, which points to a SymEFA component.

Solution: Fixed a performance issue which caused the blue screen.

Busy server experiences worker thread deadlocks and runs out of worker threads

Fix ID: 3660134

Symptom: Servers with multiple volumes might experience deadlock when Symantec Endpoint Protection queries for file data.

Solution: Modified queries so that Symantec Endpoint Protection only requests data from individual volumes based on the un-remediated items on each volume.

Application installation fails from a network location on Windows XP computers that run 12.1 RU5

Fix ID: 3660859

Symptom: Beginning with Symantec Endpoint Protection 12.1.5, some applications that are installed or run from a network drive crash, if the applications read data from their own .exe files.

Solution: Changed the File System Auto-Protect driver to appropriately open a file handle to avoid a crash.

Unable to delete Client Install Settings from Admin page

Fix ID: 3669194

Symptom: Unable to delete any Client Install Settings through the Admin page if the setting was previously applied to any group.

Solution: Corrected the setting that erroneously indicated the settings file was still in use.

Macs experience high CPU usage by SymDaemon

Fix ID: 3671496

Symptom: After a user logs out, Macs may experience a slow system for some time after they log on again. This situation occurs when a particular scheduled scan launches while the user is logged out.

Solution: Added a check for the validity of the home directory path before the scan engine launches. If no user is logged on, the scan engine checks /Users, instead.

After upgrading SEPM to 12.1 RU5, 32-bit virus definitions do not update

Fix ID: 3671931

Symptom: After a Symantec Endpoint Protection Manager upgrade to 12.1 RU5, the 32-bit Virus and Spyware definitions are not up to date.

Solution: Gave the semsrv and semwebsrv accounts full access to the LiveUpdate symcData folder.

When attempting to restore quarantined files, Central Quarantine Server (QServer) hangs

Fix ID: 3672057

Symptom: When attempting to restore quarantined files, Central Quarantine Server hangs, and the restore never finishes.

Solution: Corrected a parsing error that resulted in an application hang or crash when restoring the original file.

Error 2502 while upgrading the client computers from SEP 11.0.6 / SEP 12.1 RU3 to 12.1 RU5

Fix ID: 3680155

Symptom: Error 2502 appears while upgrading the client computers from an old Symantec Endpoint Protection version to 12.1 RU5.

Solution: Initialized a variable that had not previously been initialized due to a blank computer serial number.

After an upgrade to 12.1 RU5, SEPM stops functioning properly after a while

Fix ID: 3683851

Symptom: An infinite recursive loop issue occurs when Symantec Endpoint Protection Manager processes the scan log in an environment with a high frequency of duplicated hardware keys.

Solution: Use SCAN_IDX (the primary key of the SCANS table) to retrieve the scan log entry, and update the SCANS table using SCAN_IDX.

Errors display after upgrading SEPM to 12.1 RU5

Fix ID: 3685209

Symptom: After an upgrade to 12.1 RU5, attempts to log on to SEPM through the host name may result in a failure, with the error message “Request contents are invalid” and the error code 0x120c0000.

Solution: Modified tamper detection functionality to handle all host names correctly.

Firewall rules incorrectly block an established connection when the screensaver activates

Fix ID: 3686164

Symptom: Firewall rules incorrectly block an established connection when the screensaver activates. The firewall state table clears unexpectedly.

Solution: Screensaver activation now reevaluates connections only when a screensaver-specific rule exists in the firewall policy.

SEPM 12.1 RU5 Risk Log displays fewer events than in CSV export

Fix ID: 3688344

Symptom: Exported risk logs show more events than when viewing the same log in the user interface.

Solution: Adjust the export to properly handle compressed events in the same way they are handled by the user interface view.

Custom log location folder lacks correct ACL settings

Fix ID: 3689028

Symptom: After Symantec Endpoint Protection 12.1 RU5 strengthened ACL settings on program folders, the required ACL settings only apply to the current data folder, and not the default data path. Lack of the correct ACL settings on the default data path prevents the incoming client data from flowing to the custom folder.

Solution: Removed the logic of checking default data folder first, and added logic to check the existence of the current data path only before sending client data to Symantec Endpoint Protection Manager.

Unable to use hyphen character in LiveUpdate Settings proxy settings menu

Fix ID: 3695618

Symptom: Proxy server field doesn't allow hyphen and underscore characters.

Solution: Allowed hyphen and underscore characters as valid characters in a proxy server name.

Content update throttling ignored on VDI clients

Fix ID: 3703897

Symptom: Performance issues occur soon after the VDI image starts because content updates are not being throttled as expected.

Solution: Configured client to use the randomization setting if we missed the first heartbeat for downloading the content.

Event ID 7000 and 7041: SemWebSrv and SemSrv fail to start after an upgrade to 12.1 RU5

Fix ID: 3705158

Symptom: Symantec Endpoint Protection Manager services failed to start after an upgrade to 12.1 RU5. This issue also occurs with a new installation.

Solution: Added a check that reviews domain policies during an installation or an upgrade and alerts users to add our accounts to their domain policies. Since the Symantec Endpoint Protection Manager installer cannot modify domain policies, administrators must make this change manually during the Symantec Endpoint Protection Manager install.

During install, at the MSI stage, the installer reviews domain policies. If an issue is found, the installation pauses with an alert. The alert contains missing account information, and points to a document to help you resolve the conflict. Admins can make changes to the domain policies, redeploy those policies, and then retry to continue installation. Otherwise, the admin can cancel the installation, which rolls back. They can then make changes to domain policies and then launch the installation again.

Virtual Image Exception tool crashes

Fix ID: 3705283

Symptom: The Virtual Image Exception tool (vietool) crashes. Event logs show that the NMToolWorkerService service terminated unexpectedly.

Solution: Handle the error message gracefully if the file’s full name is too long.

SEP client installer rolls back and fails

Fix ID: 3709190

Symptom: The Symantec Endpoint Protection client installer rolls back and fails, due to a failure to migrate the ProfileManagement.dat file.

Solution: Added an alternate method of obtaining the profile data with the required encryption key if the ProfileManagement.dat file cannot be migrated.

SEPM Embedded Database listens on default UDP 2638 even with custom port specified

Fix ID: 3709368

Symptom: The Symantec Endpoint Protection Manager Configuration Wizard is failing to create a database with a specified custom port if the embedded database port (2638) is in use by another application.

Solution: Append the custom port to the JDBC URL string if the default port 2638 is occupied by another application.

SMC service does not start due to serdef.dat corruption

Fix ID: 3711180

Symptom: SMC service cannot start because the server profile file (serdef.dat) is corrupted.

Solution: Added a fallback mechanism to load the server profile from a backup profile file. When SMC is restarted it will load the correct server profile.

ATP: Endpoint IP information displays twice in group setting

Fix ID: 3717492

Symptom: When you use Symantec Advanced Threat Protection: Endpoint (ATP: Endpoint) IP address in the Private Cloud panel under External Communication settings, the IP address displays a second time as a Priority 2 server.

Solution: Fixed the logic error and ensured that while copying the private cloud settings to other groups, the settings are not duplicated to the current group.

AutoUpgrade does not respect reduced-size install setting

Fix ID: 3721853

Symptom: AutoUpgrade performs upgrade of reduced-size client to full-size client, regardless of the option set in Client Install Settings.

Solution: Added appropriate mapping between config.xml and setAid.ini.

“Query Failed” when switching between log content tables

Fix ID: 3741906

Symptom: “Query Failed” error screen displays when switching between log content tables if the previous table was sorted by a column that is not in the new table.

Solution: Updated sorting column to default to Time if the previous sorting column is not in the new table.

After an upgrade, a generic resource error occurs in SEPM

Fix ID: 3746232

Symptom: After upgrading, a generic resource error occurs after using the Symantec Endpoint Protection Manager web console where the session has timed out, where the web console was accessed by an IP-formatted URL, or was accessed using an invalid URL. The message reads in part:

“The Symantec Endpoint Protection Manager server does not have enough memory to start another remote web console session.”

Solution: Changed the way these URLs are handled and provided a button to restart a new session instead of a resource error. For the invalid URL scenario, a message returns indicating an internal error.

SMC commands do not set proper return code in %errorlevel%

Fix ID: 3387362

Symptom: SMC commands do not return any error codes if the operation fails.

Solution: SMC commands now return error codes for the operation to indicate success and what the failure was, if any, per documentation.

ADC blocking MTP device causes Device Manager to hang

Fix ID: 3692877

Symptom: Application and Device Control is not working properly when attempting to block a Media Transfer Protocol (MTP) device.

Solution: Moved DevManStub.exe to the proper installation path location to allow this to work.

Under Exceptions policy, cannot create Application Exception

Fix ID: 3723791

Symptom: The application exception dialog box doesn't come up in the Exceptions policy.

Solution: Handled the specific case of a null file size in the database for a particular application, which threw an exception while parsing and prevented the application exception dialog box from displaying.

Content Distribution Monitor reports the wrong latest IPS date/revision for Symantec

Fix ID: 3723871

Symptom: The latest IPS version from Symantec does not display in the Content Distribution Monitor tool.

Solution: Update the Content Distribution Monitor tool to display the correct IPS version.

Error when logging on to SEPM: "Request contents are invalid"

Fix ID: 3671430

Symptom: With the computer's region format set to Turkish or Azerbaijani, Symantec Endpoint Protection Manager log in fails with error "Request contents are invalid".

Solution: Symantec Endpoint Protection Manager language encoding corrected for these region formats.

SEPM with LiveUpdate disabled in conf.properties breaks SEPM LiveUpdate scheduling in a multiple SEPM server site

Fix ID: 3718771

Symptom: A Symantec Endpoint Protection Manager server that disables LiveUpdate in the conf.properties file can still be selected for LiveUpdate scheduling on another Symantec Endpoint Protection Manager server on the same site. This can cause a significant delay in running LiveUpdate.

Solution: Resolved an issue with LiveUpdate scheduling for sites with multiple Symantec Endpoint Protection Manager servers.

Mac Host Integrity content 12.1 does not include RU4 version of SEP client for Mac

Fix ID: 3501169

Symptom: Host Integrity content did not update to include Symantec Endpoint Protection Mac versions for 12.1 RU4 and later.

Solution: Added this content in subsequent builds.

Product shows license serial number in client user interface

Fix ID: 3594716

Symptom: Symantec Endpoint Protection client shows license serial number in system log dialog.

Solution: Removed the license serial number from the resource file.

Auto-refresh of the scan logs page in SEPM does not display updated information

Fix ID: 3684332

Symptom: Although the scan logs in Monitors > Logs appear to auto-refresh based on the admin configured time interval, updated data does not display until the user navigates out of the page and then views the scan logs again.

Solution: Updated script dependencies so that auto-refresh now properly displays updated information on the scan logs page.

After a GUP upgrades to 12.1 RU5, ccSvcHst.exe crashes and creates multiple dump files

Fix ID: 3692462

Symptom: The process ccSvcHst.exe crashes and creates multiple dump files after upgrading the Group Update Provider to 12.1 RU5.

Solution: Updated the code to handle string buffer resize exceptions to avoid process crash.

Column sort malfunctions in the client view of a client group

Fix ID: 3697673

Symptom: After the column order changed, the three columns of IPS Definitions, Download Protection Definitions, and SONAR Definitions could be sorted, but they should not be. Meanwhile, other sortable columns were not sorted.

Solution: Disable the sort function for the three columns using the column index of table view to filter the three columns IPS Definitions, Download Protection Definitions, and SONAR Definitions.

File Reputation Lookup Alerts send malformed emails when triggered

Fix ID: 3713171

Symptom: File Reputation Lookup Alert notifications created after the install of Symantec Endpoint Protection Manager 12.1 RU5 send incomplete emails when triggered and do not include details about why the email was sent.

Solution: File Reputation Lookup Alert notifications are now created correctly and generate the expected email report.

The lock for Intrusion Prevention setting is disabled if the HI check fails and changes quarantine policy

Fix ID: 3714724

Symptom: If a parent location has IPS policy with IPS enabled and locked and Browser IPS is enabled and locked, but the Quarantine location has a firewall policy but no IPS policy, the client applies IPS settings of IPS enabled and unlocked and browser IPS is enabled and unlocked. The client does not inherit settings from the parent location as expected.

Solution: Quarantine location will now inherit all settings from parent location that are not explicitly set in Quarantine.

The first profile received by a SEP client cannot be removed from ccSettings

Fix ID: 3718773

Symptom: The first profile received by a Symantec Endpoint Protection managed client cannot be removed from the ccSettings database.

Solution: Adjusted settings so that the correct profile is identified as active.

Svchost.exe crash due to sysfer.dll causes continuous restarts

Fix ID: 3723905

Symptom: A svchost.exe crash due to sysfer.dll causes continuous restarts.

Solution: Compared the registry string lengths to make sure the string search does not overrun the boundary.

SEP affects backup storage unmounts

Fix ID: 3371867

Symptom: Symantec Endpoint Protection interferes with storage unmounts after a backup is done.

Solution: SymEFA now keeps track of volume lock requests. If a volume lock is in progress, SymEFA does not attach to the volume. This also prevents SymEFA from trying to re-attach a volume when Auto-Protect closes its volume handle.

Web access from guest OSes is blocked by SEP firewall

Fix ID: 3651374

Symptom: After installing 12.1 RU4MP1 or 12.1 RU5 on a Hyper-V host computer, web access from the guest OSes is blocked by the Symantec Endpoint Protection firewall.

Solution: Adjusted the process ID error return to allow for packets coming from a guest OS.

Symantec Workflow interaction with SEPM incorrectly results in a security breach email in RU5

Fix ID: 3660089

Symptom: When using Symantec Workflow to interact with Symantec Endpoint Protection Manager, the logout process results in Symantec Endpoint Protection Manager triggering a security breach notification that is emailed to all System Administrators.

Solution: Modified the Symantec Endpoint Protection Manager to no longer incorrectly trigger a security breach on this legitimate interaction.

SEP Mac IPS detects "brute force remote logon" despite host exclusions

Fix ID: 3669436

Symptom: Even if an IP address range-based exclusion is added in the IPS exclusion policy, Symantec Endpoint Protection client for Mac’s IPS detects a brute force remote log on. Signature exceptions are not possible.

Solution: The IP address range's start and end addresses are now processed properly.

Management Server Configuration Wizard fails when testing ODBC connection

Fix ID: 3675921

Symptom: Installation or reconfiguration of the Symantec Endpoint Protection Manager fails when you use a domain account without administrative privileges for configuring Symantec Endpoint Protection Manager with a remote SQL server using Windows authentication.

Solution: Modified the code to test ODBC connection in the context of the user credentials provided during configuration.

Heartbeat interval permanently reduced to 3 seconds or 1 second if the option to download policies and content from the management server is unchecked on SEPM

Fix ID: 3680818

Symptom: If Download policies and content from the management server is unchecked on Symantec Endpoint Protection Manager under the group’s Communication Settings, then the heartbeat interval is never set to the user-defined value. It continues to be either 3 seconds or 1 second.

Solution: Updated the logic that resets the heartbeat interval to consider the state of the Download policies and content from the management server check box.

12.1 RU5 no longer properly blocks access to SEPM web console as configured

Fix ID: 3683967

Symptom: Symantec Endpoint Protection Manager no longer blocks the remote console when configured to do so.

Solution: Changed the logic that determines if the communication is coming from the web console.

"Missing package files" when installing SEP on Ubuntu 14.04

Fix ID: 3710266

Symptom: Symantec Endpoint Protection 12.1 RU5 for Linux installation fails on Ubuntu 14.04 with the error "Missing Package Files".

Solution: Updated the installer script to ensure a successful installation on Ubuntu 14.04.

SEPM web access page references the discontinued Google Chrome Frame plug-in

Fix ID: 3705230

Symptom: The Symantec Endpoint Protection Manager Web Access page has a dead link to the discontinued Google Chrome Frame plug-in. The Google Chrome Frame Plug-in is no longer supported by Google and has been retired as of February 25, 2014, and is no longer available for download.

Solution: Removed link and updated the subscript on the home page.

Typo in message to snooze a scheduled scan on Mac

Fix ID: 3727803

Symptom: A typo appears in the message to snooze scheduled scan.

Solution: Text "may temporarely" changed to "might temporarily".

On a German OS, Quick Reports "Current Month" Time Range calculation incorrect for most 31 day months

Fix ID: 3622865

Symptom: On a German language OS, the Quick Reports "Current Month" time range calculation is incorrect for most 31 day months.

Solution: The date format on a German OS is now correctly handled.

Links to risk write-ups from Monitor > Summary > New Risks still use IeEmbed.exe

Fix ID: 3662002

Symptom: The risk name links under Monitor > Summary > New Risks page cannot redirect correctly in a proxy environment because of IeEmbed.exe.

Solution: Use a temporary page to redirect the link to an IE browser.

Virus Definitions Distribution report bars do not display correctly

Fix ID: 3680562

Symptom: Virus Definitions Distribution report bars do not display correctly.

Solution: Set the standard US decimal separators in PHP.

Typo in error message in scm-server*.log

Fix ID: 3684471

Symptom: The error message “Login is from a local address Stirng format true” contains a typo.

Solution: Spelling error corrected to “String”.

File server does not respond because SRTSP64.SYS causes a deadlock

Fix ID: 3595012, 3600591

Symptom: Deadlocks may occur on a 64-bit computer during Auto-Protect file read operations.

Solution: Resolved an intermittent hang that occurred while filtering network file operations.

System Lockdown is not able to block IE6 if launched from SEP user interface

Fix ID: 3527298

Symptom: System Lockdown is not able to block Internet Explorer 6 (IE6) when launched from the Symantec Endpoint Protection client user interface. When IE launches by other methods, Application and Device Control blocks it.

Solution: Application and Device Control now verifies that any processes that the SEP GUI launches during System Lockdown are signed by Symantec. Those processes that are not signed by Symantec are not launched.

Cannot uncheck FileCache option on SEPM

Fix ID: 3640759

Symptom: When you close the Virus and Spyware Protection policy dialog, a redundant instruction saves the default FileCache options. Therefore, the policy does not save FileCache configuration changes.

Solution: Corrected the FileCache dialog logic.

Blue screen error with bugcheck BAD_POOL_CALLER (c2) caused by SYMTDI.SYS

Fix ID: 3525860

Symptom: You see a blue screen error due to unsynchronized access to the disconnect data block, which attempts to deliver the same disconnect twice and delete the block twice.

Solution: Changed to use interlocked exchange to access the data.

After using AutoUpgrade, the deployment report in SEPM shows “The client decided to reject the upgrade package” for many clients

Fix ID: 3624243

Symptom: Many clients in a group display a bad deployment status in the Symantec Endpoint Protection Manager’s deployment report. This message appears when the Symantec Endpoint Protection client attempts to upgrade to the same version that the client already has, or to an earlier version. This status message is confusing.

Solution: Updated the deployment report so that the report displays “Not deployed, version is same or later” in this situation.

SEP clients indicate that IPS definitions are not available, even though they have the latest definitions

Fix ID: 3549262

Symptom: The Symantec Endpoint Protection clients erroneously show that IPS definitions are not available.

Solution: Added code to update the CIDS opstate cache when the CIDS opstate cache is not initialized. This additional step prevents the cache corruption that results in the CIDS opstate reporting that CidsDefsetVersion is “00000000”.

Long delay opening or adding email attachments with both SEP Outlook Auto-Protect plug-in and McAfee DLP 9.3 Outlook plug-in installed

Fix ID: 3616301

Symptom: When the Symantec Endpoint Protection 12.1.4 (12.1 RU4) Outlook Auto-Protect plug-in and the McAfee DLP plug-in are both installed, you experience a long delay (8-23 seconds) in opening or adding email attachments. During an email scan, Symantec Endpoint Protection also scans the boot records.

Solution: Disabled boot record scans for email plug-in scans, by default.

SEP ADC does not block some registry changes on Windows 8.1

Fix ID: 3637764

Symptom: Application and Device Control does not block various registry changes on Windows 8.1.

Solution: Changed the code to unlock the section of the registry before the Sysplant driver tries to modify it, and to restore the lock immediately after Sysplant is done.

Weekly Scheduled Scan does not start on the SEP client

Fix ID: 3645127

Symptom: Sometimes, weekly scheduled scan does not start on the Symantec Endpoint Protection client on Windows.

Solution: Fixed a boundary condition error in a loop that caused this issue.

SEP ADC doesn't log caller MD5 on 64-bit Windows

Fix ID: 3670468

Symptom: Application and Device Control does not log caller MD5 for 64-bit Windows computers. After the Application and Device Control rule triggers on the clients, the Symantec Endpoint Protection Manager logs contain the target MD5, but not the caller MD5.

Solution: The caller MD5 now writes to the logs after its calculation.

High memory usage from SymEFA databases

Fix ID: 3046332

Symptom: Under certain circumstances, the Symantec Endpoint Protection client makes a full Insight (SymEFA) query, such as during the client heartbeat and during virus and spyware scans. During this query, the SymEFA database files use a lot of memory. Windows uses a lot of physical memory for the file map of these database files.

Solution: Mitigate the memory load by optimizing the verification code for existing unremediated items.

SEPM web console stalls at "Initializing... please wait"

Fix ID: 3516906

Symptom: The first time you try to log on with the web console, the Symantec Endpoint Protection Manager appears to hang, displaying the message “Initializing... please wait”.

Solution: Added a command to delete the contents for a cached directory that can cause this delay or hang.

Database validation does not pass, and the Dbvalidator log shows 'Link is broken for [4] target ids'

Fix ID: 3533202

Symptom: The dbvalidator tool retrieves objects from Symantec Endpoint Protection Manager database twice. The first retrieval gets all the objects used in the database. The second retrieval tries to determine what is using the non-existing (broken) objects. The second retrieval fails and the validation does not pass.

Solution: Fixed the dbvalidator tool logic to correctly set the flag for both retrievals.

Bugcheck 0x19_20 BAD_POOL_HEADER referencing Iron64.sys

Fix ID: 3570942

Symptom: In Symantec Endpoint Protection 12.1.2.1 (12.1 RU2 MP1), a blue screen error occurs in Iron64.sys with BAD_POOL_HEADER check code.

Solution: Updated the IRON driver to make it thread-safe.

The SEP firewall enables itself after every restart, even if the firewall policy disables it

Fix ID: 3581873

Symptom: You disable the Symantec Endpoint Protection client firewall with the firewall policy in Symantec Endpoint Protection Manager, but after every restart, the firewall is enabled again.

Solution: Fixed a side issue of a previous fix, where state information was not retained.

Comprehensive risk report fails when selecting "Distribution of Actions Taken against Risks"

Fix ID: 3591923

Symptom: When you try to create a comprehensive risk report and select Distribution of Actions Taken against Risks, the report fails to generate. The SQLServer process takes 100% of the CPU’s resources.

Solution: Corrected the SQL query to address this.

smc -stop does not stop the SEP services if the client requires a password

Fix ID: 3592784

Symptom: If you configure the Symantec Endpoint Protection notification area icon to be hidden and then try to stop the password-protected client services with the command smc -stop, the services do not stop. Because the notification area icon is hidden, you are not prompted to enter a password.

Solution: Added a command-line password prompt for this specific case.

SEPM login hangs or takes a long time during replication

Fix ID: 3595647

Symptom: Replication takes much longer than expected, or completely hangs.

Solution: After processing schema object IDs, cache them so that the replication merge does not process them again.

Macs experiencing high CPU usage for SymDaemon

Fix ID: 3605884

Symptom: High CPU usage in SymDaemon causes the whole system to slow down. This issue occurs even when there are no running scans.

Solution: Changed the API in use to prevent memory leaks when no user is logged in.

SEPM processing slows down because the replication state does not return to 0 after replication finishes

Fix ID: 3613994

Symptom: Symantec Endpoint Protection Manager slows down processing items such as .dat files due to an erroneous replication state. This state should return to 0 once replication completes, but it does not.

Solution: Corrected the SQL statement to set or reset the replication state in table SEM_REPLICATION_STATE.

Blue screen error with bugcheck SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e) in SYMEFA64.SYS

Fix ID: 3615258

Symptom: A blue screen error occurs with bugcheck SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e), probably caused by SymEFA64.sys.

Solution: Changed the query statement in SymEFA to address this issue.

Changes to the exceptions policy are not saved for Windows Folder exceptions

Fix ID: 3623204

Symptom: Once you create a folder exception for Windows, you cannot seem to modify the exception.

Solution: Fixed the logic to address any changes to the exception type to allow it to save.

SEPM cannot push client package to itself with the Client Deployment Wizard

Fix ID: 3626587

Symptom: On Windows servers, a local push deployment with the Client Deployment Wizard (CDW) in Symantec Endpoint Protection Manager 12.1.5 (12.1 RU5) fails. The same push deployment succeeds when you use clientremote.exe.

Solution: Corrected the logon parameter so that the push install can succeed with the Client Deployment Wizard.

RSA authentication for SEPM administrators stops working after upgrade

Fix ID: 3636768

Symptom: After an upgrade to Symantec Endpoint Protection 12.1.5 (12.1 RU5), RSA authentication stops working.

Solution: Securid.exe is now launched by the Process Launcher service (semlaunchsrv.exe) under the System account, so that it has access to the C:\Windows\SysWow64 folder.

Traffic loss due to high RDNS queries

Fix ID: 3640736

Symptom: A high number of duplicated RDNS queries causes traffic loss. Some firewall domain name block rules are also invalid in some situations. Both of these issues stem from an incorrect DNS query for remote IPs.

Solution: Fixed the logic of the query.

Refresh token expires every 2 weeks for RMM

Fix ID: 3641927

Symptom: A hard-coded value for a refresh token for RMM (Web Services for Remote Management) caused the expiration of RMM services.

Solution: Added scm_rmm_refresh_token_expiration_days to conf.properties to configure the refresh date.

Symantec Embedded Database service cannot start after upgrade

Fix ID: 3643493

Symptom: In some environments, the embedded database service cannot start after an upgrade to 12.1.5 (12.1 RU5).

Solution: Changed the SQLANYs_sem5 service SID type from restricted to unrestricted.

Limited admins can overwrite or add Network Services in the SEPM

Fix ID: 3643504

Symptom: In Symantec Endpoint Protection Manager, limited administrators can overwrite and add Network Service entries by importing previously exported policies that reference Network Services.

Solution: Corrected the logic to check privileges when importing policies.

SEPM fails to upload logs by batch mode when BCP fails

Fix ID: 3646935

Symptom: Symantec Endpoint Protection Manager 12.1.5 (12.1 RU5) fails to revert to batch mode when BCP fails. The SQL user domain account does not have local logon user rights in the GPO, so BCP expectedly fails.

Solution: Modified the code to handle the errors properly when BCP fails.

Limited admin is not able to run commands

Fix ID: 3659056

Symptom: Limited administrators cannot run commands even after they are given the correct rights to do so.

Solution: Fixed logic to give limited administrators the correct rights for read-only groups.

Replication fails with BCP errors: Unable to open connection

Fix ID: 3660062

Symptom: After you change the Microsoft SQL Server TCP port, the BCP command line no longer includes the TCP port. As a result, BCP can no longer connect to the remote SQL Server computer, and replication fails.

Solution: Append the TCP port into the BCP command line.

ClientRemote.exe failing to push to more than 15 clients at a time

Fix ID: 3691610

Symptom: Client deployment with ClientRemote.exe fails after approximately 15 clients.

Solution: Changed the temporary file name format to ensure the correct parsing for more than 15 clients.

.ERR files created when SEPM processes .DAT files

Fix ID: 3742132

Symptom: When Symantec Endpoint Protection Manager reads opstate (.DAT) files, it generates .ERR files.

Solution: Symantec Endpoint Protection Manager correctly converts and processes USN files.

Tamper Protection alerts on dfrgntfs.exe

Fix ID: 3413532

Symptom: Tamper Protection alerts on the Windows defragmentation program (DFRGNTFS.EXE) after SONAR definitions update to revision 20131203.011.

Solution: Tamper Protection adds an exclusion rule for this program.

LiveUpdate does not run on the specified schedule when the NIC has no default gateway

Fix ID: 3511525

Symptom: LiveUpdate does not run with an internal LiveUpdate server when the NIC lacks a defined default gateway.

Solution: Removed the check for an Internet connection if using an internal LiveUpdate server and there is no default gateway for the NIC.

The Last Scan Time or Last Scanned Time for scheduled report is incorrect

Fix ID: 3553048

Symptom: You see different times in two places for the last scan time and the last scanned time. You think that they should be the same since they seem to refer to the same information.

Solution: The column header Last Scanned Time (Home > Reports, with the report type Computers by Last Scan Time) refers to the time the most recent scan finishes. It now reads Last Scan Completed.

The column header Last Scan (Clients > Client group, with the view Protection Technology) indicates the time the most recent scan starts. It now reads Last Scan Started.

Errors on client package export when imported AD groups contain specific characters

Fix ID: 3594776

Symptom: You import an Active Directory group containing special characters on Symantec Endpoint Protection Manager. When you export a client package assigned to this group, it fails.

Solution: Added a check to sanitize the group name during the package export.

SmartDNS blocks all incoming DNS traffic to the client

Fix ID: 3522496

Symptom: SmartDNS blocks all incoming DNS traffic to the client.

Solution: Handle DNS response packets with partial compression instead.

Unmounting volume fails after services restart on SEP client

Fix ID: 3519280

Symptom: After a backup runs, unmounting the volume fails after the Symantec Endpoint Protection 12.1.4 (12.1 RU4) smc service and the SRTSP drivers restart.

Solution: Oplock issues fixed in Auto-Protect.

SEP client policy update failure when system lockdown uses a large file fingerprint list

Fix ID: 3533487

Symptom: Symantec Endpoint Protection client 12.1.4 (12.1 RU4) or 12.1.4.1 (12.1 RU4 MP1) fails to update the client’s policy with system lockdown enabled if a large file fingerprint list is assigned to the Approved Applications list.

Solution: Removed the 8MB file size limit for the protection list file.

NIC driver issues after using Cleanwipe

Fix ID: 3611336

Symptom: When you run the latest version of Cleanwipe while logged on with a user account that is a member of two groups, the network adapter drivers are removed after a restart.

Solution: Cleanwipe now prompts for user group selection to avoid breaking the uninstallation.

SEPM scan reports do not show all computers

Fix ID: 3614996

Symptom: Clients that have previously been deleted from Symantec Endpoint Protection Manager, have checked back in, but have not been scanned since they checked back in, do not show up in the Computer Not Scanned report.

Solution: Clients that have been deleted and then check back in are treated as new clients with no scan history. These clients then show up in the Computers Not Scanned report until they complete a scan.

SEPM stops replicating with an error when a file named "Program" is located at the root of the SEPM install drive

Fix ID: 3641315

Symptom: When an executable path contains spaces, it can become ambiguous if another program’s name is the same up to the space. In that case, SemLaunchSvc may execute the other program instead.

Solution: Enclosed the executable paths with quotation marks in commands to avoid ambiguity.
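The ambiguity behind this fix can be checked for on a management server. The following is an added example, not Symantec's code: it lists the shorter paths that an unquoted command line can resolve to before the intended executable, reports which of them exist, and builds the quoted form. The function names and the sample path are hypothetical.

```python
import ntpath
import os
import subprocess

# Constructed sample path (not a real SEPM path); note the two spaces.
INTENDED = r"C:\Program Files\Example Vendor\Manager\bin\tool.exe"


def shadow_candidates(exe_path):
    """Paths that can be tried ahead of exe_path when it is used unquoted.

    An unquoted command line is cut at each space in turn, so every prefix
    that ends at a space is a possible program name. Both the bare prefix
    (the file named "Program" from this fix) and prefix + ".exe" are listed.
    """
    parts = exe_path.split(" ")
    candidates = []
    for i in range(1, len(parts)):
        if not parts[i - 1]:  # consecutive spaces add no new prefix
            continue
        prefix = " ".join(parts[:i])
        candidates.append(prefix)
        if not ntpath.splitext(prefix)[1]:
            candidates.append(prefix + ".exe")
    return candidates


def find_shadows(exe_path, exists=os.path.exists):
    """Return the candidates that are actually present on disk."""
    return [p for p in shadow_candidates(exe_path) if exists(p)]


def quoted_command(exe_path, args=()):
    """Build the command line with the executable path in quotation marks."""
    return subprocess.list2cmdline([exe_path, *args])


if __name__ == "__main__":
    for path in shadow_candidates(INTENDED):
        state = "PRESENT" if os.path.exists(path) else "absent"
        print(f"{state:8} {path}")
    print("safe form:", quoted_command(INTENDED, ["-run"]))
```

Any path reported as PRESENT is a file that should be reviewed and removed or renamed, independently of whether the calling program quotes its paths.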

Cannot enable "Include only clients that have checked in with the management server today" in SEPM

Fix ID: 3646594

Symptom: You cannot enable Include only clients that have checked in with the management server today in the Virus Definitions Out-of-date notification.

Solution: A new notification type in 12.1.5 (12.1 RU5) inadvertently overwrote the setting that stores the check box selection for out-of-date content notification conditions. This issue has been corrected.

Unexpected scheduled scan on the client after a return to Standard Time

Fix ID: 3655795

Symptom: An unexpected scheduled scan appears after a return to Standard Time from Daylight Saving Time or Summer Time.

Solution: Removed an unnecessary end of day check, since it triggered a scan when the clocks turn back an hour upon returning to Standard Time.

HI template files are not included in exported SEP client package

Fix ID: 3518941

Symptom: Host Integrity Check fails due to missing template files, and the computer cannot connect to the network.

Solution: Added code to correctly export Host Integrity definitions from Symantec Endpoint Protection Manager, and added code to correctly install this content on the client.

SEPM sends notification for low disk space when there is adequate disk space

Fix ID: 3551334

Symptom: Symantec Endpoint Protection Manager sends a low disk space notification when there is plenty of disk space available.

Solution: Implemented an additional check for disk space usage to ensure the low disk space diagnosis was correct.

SEPM current deployment settings do not work consistently

Fix ID: 3567574

Symptom: The option Apply current deployment settings to other groups does not work consistently.

Solution: Corrected the logic to exit the deployment entities loop after deleting an entry.

IPS alerts are being generated even though a host exclusion is set up

Fix ID: 3583691

Symptom: If you configure reverse DNS lookup for use, the IPS exclusion list does not work, and IPS alerts appear for excluded hosts.

Solution: Perform FQDN address or IP address resolution on suspected attacker's address.

Unable to add client install package to SEPM client groups

Fix ID: 3617457

Symptom: When you try to add a client install package to a client group in Symantec Endpoint Protection Manager, you see an error that the replicated software package cannot be found in the cache (0xF0000000).

Solution: Fixed object references of the type SoftwarePackage so that they are not modified in Symantec Endpoint Protection Manager domains.

SEP for Linux installs old documentation

Fix ID: 3627590

Symptom: The Symantec Endpoint Protection 12.1.5 (12.1 RU5) client for Linux installs the /opt/Symantec/symantec_antivirus/docs folder with old documentation.

Solution: Install the correct documentation.

SEPM does not display the local time in exported logs

Fix ID: 3630868

Symptom: When you export the Computer Status Logs report, most of the columns with date and time values are not properly converted to local time.

Solution: Fixed the conversion of date/time columns when exporting the Computer Status logs.

Clients are incorrectly identified as GUPs

Fix ID: 3639309

Symptom: Clients are incorrectly defined as Group Update Providers when the client host name contains repeating letters.

Solution: Fixed the string comparison algorithm to correctly determine a string pattern match.

SEPM unable to expand settings in Reports

Fix ID: 3640460

Symptom: In the Symantec Endpoint Protection daily or weekly reports, nothing happens when you click Greater than 7 days under the section Virus Definitions Distribution.

Solution: Added a new row for clients with no definitions. Expanding this row should now display the details of the clients.

Index rebuild happens more than once in SEPM upgrade

Fix ID: 3652818

Symptom: During the Symantec Endpoint Protection Manager upgrade process, the indexes are being rebuilt more than once per site, which is unnecessary.

Solution: Optimized the index rebuild process during the upgrade.

FQDN not allowed in the HI file download page

Fix ID: 3653276

Symptom: An FQDN is not allowed when providing a UNC path for Host Integrity.

Solution: Modified the regex to add support for FQDN.

IIS Service error during SEPM repair after removing IIS

Fix ID: 3661647

Symptom: You upgrade Symantec Endpoint Protection Manager from 11.0, then repair the installation. When the installation script tries to restart IIS, it fails because IIS is uninstalled.

Solution: Fixed the installation script so that an IIS restart is not required when the service is not present.

SEPM security status shows Attention Needed when failure threshold has not been met

Fix ID: 3678087

Symptom: The message Attention Needed appears on the Home page, but when you click Details, you see no issues.

Solution: The security status summary on the Home page now counts SONAR-disabled clients correctly.

SEP 11 RU5 SEPM cannot use wildcard (*) for Trusted Internet Domain exception

Fix ID: 3731643

Symptom: Unlike previous versions, you cannot use the wildcard extensions like *.symantec.com for the Trusted Internet Domain settings.

Solution: Fixed the code that checks for a valid domain.

Google Chrome browser warns that the SEPM web console Home page loads unencrypted content

Fix ID: 3634952

Symptom: When you log on to the Symantec Endpoint Protection Manager web console in newer versions of Google Chrome, a warning displays near the address bar: “Your connection to SEPM is encrypted with 128-bit encryption. However, this page includes other resources which are not secure.”

Solution: Corrected the protocol used for links on the Home page to the encrypted version.

AutoUpgrade feature set change fails if an uninstall password is set

Fix ID: 3588225

Symptom: You configure AutoUpgrade to change the SEP feature set on a group of clients. However, if uninstallation requires a password on the client, the change to the feature set fails.

Solution: Added a check to notify the installer not to prompt for a password during an AutoUpgrade feature set change.

Spelling error in the German SEP client interface

Fix ID: 3641230

Symptom: The option "Einstellungen ändern" on the menu in the Symantec Endpoint Protection client interface in German is spelled "Einstellungen andern". The umlaut is missing above the letter "a" in "ändern". When you click that option, the resulting window has the same spelling error.

Solution: Corrected the spelling.

SEPM log shows the wrong engine version for SEP 12.1.5 clients

Fix ID: 3659916

Symptom: A dump log created by Symantec Endpoint Protection Manager, agt_system.tmp, does not show the right engine version for 12.1.5 (12.1 RU5) clients.

Solution: Added the correct header information during the build process.

With SEP installed, unable to create an Xbox package using developer tools

Fix ID: 3615097

Symptom: Xbox XDK package creation with Microsoft Durango XDK/ADK’s MakePkg fails when Symantec Endpoint Protection is installed. Package creation succeeds for ADK 6.2.10812 and earlier, but fails with ADK 6.2.11785 and later.

Solution: Added a SymEFA exclusion to prevent this issue from occurring. After installation, the computer must restart for the exclusion to take effect.

Component versions in Symantec Endpoint Protection 12.1.6

Component Version
Antivirus Engine 20141.2.0.56
Auto-Protect 14.6.3.37
BASH Defs 9.1.1.4
BASH Framework 8.0.0.137
CC 12.12.0.15
CIDS Defs 14.2.1.9
CIDS Framework 12.4.0.11
ConMan 1.1.2.7
D2D 1.2.0.3
D2D_13 1.3.0.3
DecABI 2.3.3.2
DefUtils 4.8.1.4
DuLuCallback 1.5.1.5
ECOM 141.2.0.59
ERASER 114.1.1.3
IRON 4.0.4.13
LiveUpdate 2.3.1.7
MicroDefs 3.8.1.1
SIS 91.12.290.5000
SymDS 3.0.0.69
SymEFA 5.1.1.2
SymELAM 1.0.3.17
SymEvent 12.9.6.19
SymNetDrv 14.0.4.5
SymVT 5.4.0.49
WLU (Symantec Endpoint Protection Manager) 3.3.100.15