ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

New fixes and component versions in Symantec Endpoint Protection 14.2 RU1

book

Article ID: 151042

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

 

Resolution

This document lists the new fixes and component versions in Symantec Endpoint Protection (SEP) 14.2 RU1. This information supplements the information found in the Release Notes.

Download the full release through MySymantec. For details, see Download the latest version of Endpoint Protection.

You can also download client-only patches through Symantec Endpoint Protection 14.2 RU1 client-only patches.


New fixes

PowerShell script can write to USB despite a block rule

Fix ID: ESCRT-780

Symptoms: PowerShell scripts can get around an Application Control rule to block write activity to USB.

Solution: Updated the drive type in the internal drive cache to correct this issue.

 

SEP client becomes self-managed

Fix ID: ESCRT-771

Symptoms: If you create a read-only file under C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\version\Temp\BinUpload and reboot the computer (or restart the smc service), the Symantec Endpoint Protection client becomes self-managed.

Solution: Updated the heartbeat process so that initialization succeeds, and the client remains managed.

 

SEP for Linux client cannot accept proxy settings from a policy

Fix ID: ESCRT-763

Symptoms: Symantec Endpoint Protection clients on Linux computers do not apply proxy settings from Symantec Endpoint Protection Manager policy. Therefore, the Linux clients cannot connect to LiveUpdate for content.

Solution: Corrected the method that is used when using the HTTPS protocol instead of HTTP, so that the proxy settings recognize and give the proper connection to LiveUpdate.

 

SEP clients fail to register with SEPM when “&” is used in the registration data.

Fix ID: ESCRT-743

Symptoms: The Symantec Endpoint Protection client cannot connect properly to Symantec Endpoint Protection Manager if the user that is logged on to the client has the ampersand character (&) in the username.

Solution: Updated registration processing to avoid errors when “&” is referenced in the registration data.

 

SEP for Mac client computers do not switch locations as expected

Fix ID: ESCRT-723

Symptoms: Symantec Endpoint Protection clients on Macs sometimes do not switch locations until the computer reboots or after a long period of time, such as 20 minutes or more.

Solution: Fixed a logic error in subnet-based matching.

 

SEP cloud portal creates duplicate whitelist and blacklist entries

Fix ID: ESCRT-575

Symptoms: Whitelist and blacklist entries from the Symantec Endpoint Protection cloud portal are more than the entries that appear in Symantec Endpoint Protection Manager policy.

Solution: Corrected the last position marker so that whitelists and blacklists entries are correctly accounted for.

 

ccSvcHst.exe crashes after installation of SEP 14.2

Fix ID: ESCRT-552

Symptoms: After you install Symantec Endpoint Protection 14.2, ccSvcHst.exe crashes with error 0xc0000409 (stack-based buffer overrun) and bugcheck string FAIL_FAST_INVALID_ARG.

Solution: Corrected a buffer sizing issue so that this crash does not occur.

 

UseLastServer=0 does not randomize SEPM server choice

Fix ID: ESCRT-516

Symptoms: When you use the UseLastServer=0 value in the registry as described in the article How Endpoint Protection client load balancing works in a managed environment, Symantec Endpoint Protection Manager servers are not randomly picked during failover and roaming scenarios as expected.

Solution: Fixed code to let randomization work after it was refactored in a recent feature addition.

 

SymEFA causes servers to crash

Fix ID: ESCRT-493

Symptoms: Servers with Symantec Endpoint Protection 14.0.0 MP2 experience a blue screen crash caused by SymEFA with Bugcheck 27.

Solution: Fixed an asynchronous read issue.

 

Hyper-V Manager fails connection to local VM with sysfer.dll injection

Fix ID: ESCRT-492

Symptoms: With Symantec Endpoint Protection 14.2 installed, the Hyper-V Manager cannot connect to the Hyper-V virtual machine.

Solution: Fixed the process hang by injecting sysfer.dll to any other DLL than Kernel32.dll.

 

Unexpected server error emails come every 10 minutes from SEPM

Fix ID: ESCRT-404

Symptoms: Symantec Endpoint Protection Manager incorrectly sends emails every 10 minutes that incorrectly indicate that there is an unexpected server error.

Solution: Fixed the code to correctly handle unexpected characters in a Symantec Endpoint Protection Manager group name, to stop the errors and emails.

 

SEP for Mac client firewall cannot be disabled via client GUI

Fix ID: ESCRT-358

Symptoms: You cannot disable the client firewall from the client user interface for Symantec Endpoint Protection for Mac. When you switch the firewall off, the icon turns red for a moment, but the firewall does not turn off.

Solution: Fixed incorrect state change in code.

 

SEP prefix exceptions for Application Control do not work as expected on Windows 10

Fix ID: ESCRT-342

Symptoms: The USER_PROFILE prefix fails to expand to any absolute path when the logged-on user on a Windows 10 computer cannot be identified. This failure causes both the Exception policy for Application Control items and the Virus and Spyware custom scan policy to not work when you use the USER_PROFILE prefix.

Solution: Fix the logic to identify the logged-on user, so that the USER_PROFILE prefix expands correctly in this situation.

 

SEPM site status report shows "No Data Available"

Fix ID: ESCRT-340

Symptoms: When you generate a Site Status Report for Symantec Endpoint Protection Manager, the status indicates that no data is available.

Solution: Changed the way a null pointer exception for an optional schema field is handled, so that the report generates without error.

 

Mac users can cancel an in-progress scan, even though "Allow scan cancel" is not checked

Fix ID: ESCRT-299

Symptoms: Mac users can cancel a virus and spyware scan. However, the setting to allow users to cancel the scan is not enabled in Virus and Spyware Protection policy.

Solution: Fixed the logic error that incorrectly allows scans to be cancelled.

 

Searching for clients by IP address range in SEPM returns clients outside of an IP range

Fix ID: ESCRT-282

Symptoms: When you search in Symantec Endpoint Protection Manager for clients out of an IP range, the search returns clients within the IP range.

Solution: Corrected the search condition to define the range during a search.

 

ccSvcHst.exe crashes because of an invalid pointer read

Fix ID: ESCRT-280

Symptoms: Symantec Endpoint Protection’s ccSvcHst process crashes, noting an invalid pointer in SpNet.

Solution: Fixed so that this crash does not occur when ccSvcHst calls SpNet’s Host Info API.

 

When viewing SEPM remotely with a Mac with a Retina display, log columns auto-expand

Fix ID: ESCRT-272

Symptoms: You use the remote console to view Symantec Endpoint Protection Manager from a Mac with a Retina display. When you go to Monitors > Logs, the log columns unexpectedly expand when you move the cursor over it.

Solution: Fixed the code to properly handle Retina displays.

 

SEPM lists incorrect groups in EDR

Fix ID: ESCRT-270

Symptoms: When using Symantec Endpoint Detection and Response (EDR) with Symantec Endpoint Protection Manager, the incorrect group list displays in EDR. The Symantec Endpoint Protection Manager API provides an incorrect group list and excludes multiple groups with the same group name and level number. Therefore, these groups do not appear in EDR.

Solution: Fixed the stored procedure used in getting the groups to make the list properly.

 

SEP for Mac 14.2 clients cannot communicate or get updates from a 14.2 MP1 SEPM

Fix ID: ESCRT-261

Symptoms: Symantec Endpoint Protection 14.2 clients for Mac are not able to connect to a Symantec Endpoint Protection Manager with the later version of 14.2 MP1.

Solution: Fixed a backward compatibility issue in the code.

 

The start or end date of the license does not display correctly in SEPM

Fix ID: ESCRT-255

Symptoms: The start date, end date, or both display incorrectly in Symantec Endpoint Protection Manager because the date and the time appear to display in the wrong time zone. The time zone displays the time in GMT.

Solution: Corrected to display the data in the local time zone.

 

SEPM does not work on Windows Server 2008 64-bit due to Java error

Fix ID: ESCRT-252

Symptoms: After you upgrade Symantec Endpoint Protection Manager to version 14.2 MP1, you encounter a logon issue on Windows Server 2008. The message includes a reference to java.lang.UnsatisfiedLinkError.

Solution: Blocked installation of Symantec Endpoint Protection Manager on Windows Server 2008.

 

After a SEPM upgrade, shared firewall policies are missing

Fix ID: ESCRT-242

Symptoms: After you upgrade Symantec Endpoint Protection Manager from 14.0.1 (14 RU1) MP2 to 14.2 MP1, shared firewall policies are missing. Unexpected owners also exist on select shared and non-shared policies after the upgrade.

Solution: Fixed the shared policies with a defined owner value.

 

DBValidator fails on multiple SEPM servers

Fix ID: ESCRT-240

Symptoms: The DBValidator tool output notes failures due to broken links.

Solution: Fixed an issue that caused broken links to occur.

 

SEP for Mac client doesn't forward device control events to SEPM

Fix ID: ESCRT-237

Symptoms: Symantec Endpoint Protection clients for Mac do not send device control events to Symantec Endpoint Protection Manager.

Solution: Fixed code to ensure device control events are sent from Macs to Symantec Endpoint Protection Manager.

 

DBCS host names are corrupted in SEPM

Fix ID: ESCRT-234

Symptoms: Symantec Endpoint Protection Manager 14.2 MP1 shows corrupted characters for DBCS HostName and/or DomainName.

Solution: Use a different compatible encoding method for HostName and DomainName during registration.

 

After a SEPM upgrade, non-shared policy replaces local policy incorrectly

Fix ID: ESCRT-230

Symptoms: After you upgrade to Symantec Endpoint Protection Manager 14.2, a non-shared LiveUpdate policy replaces a local policy on the wrong groups in multiple locations.

Solution: Added a check so that the shared policy can only be placed to the correct location and group.

 

Deception sends multiple emails for the same notification events, even after acknowledgement

Fix ID: ESCRT-226

Symptoms: Old or duplicate alerts for Deception trigger new email notifications, even after you acknowledge them.

Solution: Corrected the condition so that incorrect event notifications are no longer sent.

 

SEPM scan commands are not issued when sent with Chrome

Fix ID: ESCRT-217

Symptoms: You send scan commands through Monitors > Logs for Symantec Endpoint Protection Manager while logged on through Chrome 69.0.3497. However, the commands are never issued.

Solution: Fixed the function for scan-related commands so that they work in all supported browsers.

 

SEP clients unexpectedly get content from multiple GUPs

Fix ID: ESCRT-214

Symptoms: Your Symantec Endpoint Protection clients unexpectedly get definitions from LiveUpdate instead of Group Update Providers. They then get content from multiple dynamic Group Update Providers, when you have only enabled a static Group Update Provider.

Solution: Corrected a problem where dynamic Group Update Providers are incorrectly included when enabling a static Group Update Provider. This correction also resolves the erroneous LiveUpdate downloads.

 

Last access time for a file unexpectedly changes during Auto-Protect scan

Fix ID: ESCRT-213

Symptoms: When Symantec Endpoint Protection 14 Auto-Protect scans a file, the last access time unexpectedly changes. This change affects other processes that depend on the last access time, such as backups.

Solution: Fixed an issue that occurred during file open in Auto-Protect to preserve the last access time.

 

Client activity logs in SEPM no longer show complete definition source

Fix ID: ESCRT-210

Symptoms: When you view client activity logs in Symantec Endpoint Protection Manager > Monitors > Logs > System, you notice that the server name is absent for the definition source.

Solution: Updated communication logging changes to include the server name for the definition source.

 

Computer status reports do not include all clients

Fix ID: ESCRT-205

Symptoms: Log and report queries that rely on the Symantec Endpoint Protection client type (Agent_Type = '105') omit those clients that incorrectly have no client type (Agent_Type = ‘0’).

Solution: Corrected the agent type misidentification of some upgraded clients, so that they are no longer omitted from certain logs and reports.

 

Files restored from quarantine are different in size than the original files

Fix ID: ESCRT-204

Symptoms: When you restore a file from quarantine, the file size does not match the size of the originally detected file.

Solution: Fixed an extraction issue to resolve the file size discrepancy.

 

Search for computers during Remote Push causes Java exception

Fix ID: ESCRT-199

Symptoms: You launch the Client Deployment Wizard and select Remote Push to find unmanaged computers by IP ranges. However, the search fails with the error java.io.IOException.

Solution: Updated the API to use the correct one to get one or more IP addresses from the query results.

 

Non-persistent VDI clients no longer register with the isNPVDI=1 registry key

Fix ID: ESCRT-197

Symptoms: After an upgrade, non-persistent virtual desktop infrastructure (VDI) clients no longer send the flag that identifies them as non-persistent VDI clients to Symantec Endpoint Protection Manager.

Solution: Fixed registration of Symantec Endpoint Protection client so that it provides the correct flag and value (isNPVDIClient = 1) in the registry, for both 32-bit and 64-bit clients.

 

SEP 14.2 client does not consistently honor a firewall rule when it is created by a mixed-control client

Fix ID: ESCRT-195

Symptoms: You create a firewall rule on a Symantec Endpoint Protection client that is under mixed control (partially server-controlled, and partially client controlled). However, the firewall rule is not honored during certain scenarios.

Solution: Fixed the way firewall rules are parsed to correctly determine the time information from the Symantec Endpoint Protection client UI.

 

SMTP server rejects SMTP commands from SEPM

Fix ID: ESCRT-194

Symptoms: Symantec Endpoint Protection Manager sends EHLO + IPv6 address commands to the SMTP server, but does so without the required prefix IPv6:. As a result, the SMTP server rejects these commands.

Solution: Updated the code to add the required SMTP prefix for IPv6.

 

SEP services stop, UI cannot open

Fix ID: ESCRT-189

Symptoms: When you try to open the Symantec Endpoint Protection 14.2 client UI, you get an error: "Symantec Endpoint Protection cannot open because some Symantec services are stopped. Restart the Symantec services, and then open Symantec Endpoint Protection."

Solution: Updated code to skip the heartbeat if the initialization thread still running and is not ready, which allows the user interface threads to run properly.

 

An administrator for a specific SEPM domain can view and edit scheduled reports for a different domain

Fix ID: ESCRT-187

Symptoms: In Symantec Endpoint Protection Manager, any administrator can view and edit any other administrator's scheduled reports. For example, a Limited Administrator can also see the scheduled reports for System Administrators, Administrators, and Limited Administrators. Limited Administrators can also see scheduled reports created by administrators from another domain.

Solution: Updated code so that the type of administrator is now being set correctly for the logon session for user interface commands.

 

Home Page "Computers needing a restart" shows cumulative number for all SEPM domains

Fix ID: ESCRT-185

Symptoms: You are logged on to Symantec Endpoint Protection Manager as an administrator who manages a specific Symantec Endpoint Protection Manager domain. However, on the Home tab, the number of computers that require a restart incorrectly shows results from all domains.

Solution: Fixed the administrator type so that the administrator for a domain only sees the computers from the correct domain that need a restart.

 

SEP 14.2 group policies are not seen on Mac clients until after the initial connection to SEPM

Fix ID: ESCRT-180

Symptoms: If you export then install a Symantec Endpoint Protection client installation package for Mac, the client does not apply the group’s policy until it connects to Symantec Endpoint Protection Manager for the first time.

Solution: Corrected group policy format in when exporting the client package for Mac.

 

Removing third-party security software removes non-security software

Fix ID: ESCRT-175

Symptoms: The option in Symantec Endpoint Protection to remove third-party security software unexpectedly removes non-security software.

Solution: Corrected the condition that removed non-security software.

 

Broken links recur in SEPM database

Fix ID: ESCRT-172

Symptoms: Broken links in the database associated with a software package keep recurring.

Solution: Updated code to more gracefully handle null pointer exceptions to prevent broken links.

 

SEPM cloud sync fails to complete

Fix ID: ESCRT-165

Symptoms: You enroll Symantec Endpoint Protection Manager in the cloud, but the sync never completes.

Solution: Corrected the version parser behavior so that the sync succeeds.

 

SEP 14.2 client content delivery not failing over to SEPM when GUP is not available

Fix ID: ESCRT-163

Symptoms: After an upgrade to Symantec Endpoint Protection 14 MP2, the clients get outdated definitions from Symantec Endpoint Protection Manager when the Group Update Provider is not available.

Solution: Fixed an incorrect condition where client was not failing over to Symantec Endpoint Protection Manager from a Group Update Provider if it is a 14.2 client.

 

“Repair duplicate IDs on cloned Endpoint Protection clients" feature does not work

Fix ID: ESCRT-161

Symptoms: You enabled the feature to repair duplicate client IDs on cloned Symantec Endpoint Protection clients. However, the duplicated client IDs are not repaired.

Solution: Updated code to keep the session_id same as hardware ID (HWID) to remain backward compatible and to allow the ID to be repaired.

 

SEP 14.2 client does not switch location

Fix ID: ESCRT-159

Symptoms: The Symantec Endpoint Protection 14.2 client does not switch location as expected when location switching is defined by the DNS lookup rule.

Solution: Updated code to ensure the link is maintained to the correct socket after the DNS server list changes, which allows location switching to occur successfully.

 

An upgrade to 14.2 changes rules for defining GUP by OS

Fix ID: ESCRT-157

Symptoms: A Symantec Endpoint Protection Manager upgrade from version 12.1.6 MP3 to 14.2 changed the OS types which defined Group Update Providers changed. After the upgrade, the computers that you expect to be Group Update Providers are no longer identified as such.

Solution: Changed code to update the Group Update Provider policy during the upgrade to ensure the Group Update Provider policy is correct.

 

SEPM 14.2 upgrade fails with error: Argument data type bigint is invalid

Fix ID: ESCRT-155

Symptoms: The Symantec Endpoint Protection Manager upgrade to 14.2 is failing with the following error: Argument data type bigint is invalid for argument 1 of substring function.

Solution: Fixed a query that is made during the upgrade.

 

The database password field in SEPM Configuration Wizard does not accept certain characters

Fix ID: ESCRT-153

Symptoms: When you run the Symantec Endpoint Protection Manager Configuration Wizard and authenticate with Windows Authentication, the following characters are not accepted in the database password field: [ ] { } ( ) , ; ? * ! @

Solution: Removed the validation for special characters when using Windows Authentication.

 

Daily/weekly scheduled scans do not work on 14.2 managed Mac clients

Fix ID: ESCRT-151

Symptoms: An administrator-defined daily or weekly scheduled scan for Mac clients does not work properly. An example of an administrator-defined scan would be one that you configure for every Wednesday at 1:00 PM.

Solution: Fixed the time conversion code for scheduled scans.

 

Client-Server activity logs reporting multiple events for "The client computer has been renamed"

Fix ID: ESCRT-149

Symptoms: Clients enrolled to Symantec Endpoint Detection and Response (EDR) make requests that result in "The client computer has been renamed" events to log in Symantec Endpoint Protection Manager.

Solution: Fixed the Event ID used to signify the event that the EDR info file was downloaded. Updated the log message to reflect that the client updated the info file.

 

SEP 14.2 kernel modules don’t compile on Ubuntu Linux kernel version 4.15

Fix ID: ESCRT-147, ESCRT-127

Symptoms: Symantec Endpoint Protection 14.2 does not build Auto-Protect kernel modules for Ubuntu Linux 16.04 and 18.04 with kernel version 4.15.

Solution: Made changes to Auto-Protect kernel module code so that they work on kernel 4.15.

 

Linux RedHat 6.5 crashes due to SEP client symev module

Fix ID: ESCRT-139

Symptoms: Linux RedHat 6.5 crashes. The logs indicate that the crash was a result of the Symantec Endpoint Protection for Linux client module symev, in symev_nfsd4_proc_compound.

Solution: Added a check to handle the passing of negative values in the kernel code.

 

SEP 14.2 for Linux cannot update definitions from LUA

Fix ID: ESCRT-136

Symptoms: The Symantec Endpoint Protection for Linux client fails to download certain definitions from LiveUpdate Administrator.

Solution: Made changes to the file luxds.dat to get the correct file during LiveUpdate Administrator processing.

 

SEP client UI reports Virus and Spyware Protection is disabled

Fix ID: ESCRT-132

Symptoms: After you open the Symantec Endpoint Protection client interface, you notice after a few minutes that it displays that Virus and Spyware Protection is disabled.

However, when you look at the clients in Symantec Endpoint Protection Manager, they are online and are up-to-date.

Solution: Corrected the table values to ensure that they are properly displayed on the client side.

 

SEPM DB upgrade fails due to java.lang.ClassCastException

Fix ID: ESCRT-131

Symptoms: When you upgrade Symantec Endpoint Protection Manager to version 14.2, it fails. The log indicates that the database upgrade failed with the error java.lang.ClassCastException.

Solution: Fixed the conditions on checking the usage of a local policy.

 

Unable to add risk exceptions in SEPM

Fix ID: ESCRT-129

Symptoms: You are unable to add an application from the risk log to the Exceptions policy.

Solution: Add correct application code to add block or allow to the Exceptions policy from the risk log.

 

SEPM saved filters do not retain limit settings on several displayed entries

Fix ID: ESCRT-125

Symptoms: When you save a filter under Symantec Endpoint Protection Manager > Monitors > Logs, it doesn’t retain the limit setting on several displayed entries.

Solution: Resolved a duplicate variable name, so that it correctly display the right setting for the filter.

 

Delay before SEPM log data is sent to the external logging server

Fix ID: ESCRT-120

Symptoms: Symantec Endpoint Protection Manager intermittently hangs, which causes a significant delay in log forwarding logs to a Qradar external logging server.

Solution: Made the 2ms delay configurable, so that you can disable the delay, if needed.

 

SEP for Linux has invalid license file error due to checksums

Fix ID: ESCRT-118

Symptoms: After you upgrade Symantec Endpoint Protection client for Linux from version 12.1 to 14.0 RU1 MP2, the following message appears in syslog.log: “The client has obtained an invalid license file (sep.slf) from the server.”

Solution: Corrected an incorrect status handled during checksum processing.

 

The embedded database fails and .mdmp files generate

Fix ID: ESCRT-116

Symptoms: The Symantec Endpoint Protection Manager embedded database crashes because .dat file processing is stuck on a large file. Many .mdmp files generate in the Symantec Endpoint Protection Manager installation directory under the Tomcat\Bin directory, which take up a large amount of space on the hard drive.

Solution: Updated code to prevent pre-14.0.1 clients from flooding Symantec Endpoint Protection Manager with DefWatch notifications. Made improvements to error handling to prevent Symantec Endpoint Protection Manager from leaking database connections.

 

SEP for Linux modifies modules.dep frequently

Fix ID: ESCRT-112

Symptoms: After you install the Symantec Endpoint Protection 14.0.1 MP2 client for Linux, you notice that it frequently modifies the modules.dep file, which defines kernel module dependency lists.

Solution: Updated code to create links instead of modifying the file directory.

 

Commands are sent to groups to which Limited Administrator has no access

Fix ID: ESCRT-108

Symptoms: A Limited Administrator can issue commands to groups to which they have no access rights.

Solution: Updated code so that Limited Administrators can only issue commands to the groups to which they have access.

 

SEP client doesn't send large risk log files to SEPM

Fix ID: ESCRT-106

Symptoms: The Symantec Endpoint Protection client skips sending large risk log files to Symantec Endpoint Protection Manager.

Solution: Updated code to permit large log uploads to Symantec Endpoint Protection Manager.

 

Content Distribution Monitor tool does not correctly display IPS definitions

Fix ID: ESCRT-102

Symptoms: The Content Distribution Monitor tool doesn’t get information about the latest Intrusion Prevention content for versions later than 14.0.

Solution:Added the new IPS moniker so that it can display Intrusion Prevention content for later versions of Symantec Endpoint Protection.

 

Group and policy serial number is blank after upgrading clients to 14.2

Fix ID: ESCRT-94

Symptoms: A firewall policy does not import properly on the client if it contains a rule that specifies an application which includes a last modified date.

Solution: Updated code so that these firewall policies can now import properly on the client.

 

Error occurs adding an exclusion from the risk log for a specific file

Fix ID: ESCRT-92

Symptoms: When you attempt to add an exclusion from a risk log for a specific file, you get an error.

Solution: Added filter to catch invalid SHA1 or SHA2 values, so that the exception can be added correctly.

 

SEP 12.1 clients managed by SEPM 14.x show SONAR definitions as not available

Fix ID: ESCRT-88

Symptoms: Symantec Endpoint Protection 12.1 clients that are managed by Symantec Endpoint Protection Manager 14.x show their SONAR definitions as not available.

Solution: Updated the SQL query for version 12.1 clients to match that of version 14.x clients, so that the availability of SONAR content is only dependent on Proactive Threat Protection being installed.

 

Event Detail information for MEM detections show as N/A for all entries

Fix ID: ESCRT-86

Symptoms: When you view the logs in Symantec Endpoint Protection Manager, under Logs > Network and Host Exploit Mitigation > Memory Exploit Mitigation, you see that all event detail information displays as N/A.

Solution: Corrected the EVENT_ID in query to correctly gather the event details for Memory Exploit Mitigation.

 

Auto-Protect malfunctions on Debian 8

Fix ID: ESCRT-81

Symptoms: In Symantec Endpoint Protection for Linux, Auto-Protect kernel modules symev and symap fail to load into the kernel, resulting in an Auto-Protect malfunction.

Solution: Increased the number of calls to find the correct table address, so that initialization succeeds.

 

Registry keys for SymQual remain even if SymQual is disabled

Fix ID: ESCRT-79

Symptoms: If you disable SymQual from Symantec Endpoint Protection Manager, SymQual still leaves unexpected registry settings under LocalDumps.

Solution: Update the method used to load and destroy SymQual settings.

 

Override application list for MEM policy intermittently blank

Fix ID: ESCRT-77

Symptoms: In Symantec Endpoint Protection Manager, the override application list in the Memory Exploit Mitigation policy intermittently appears as blank. You regularly use a .jdb file to update Intrusion Prevention content for versions 14.0 and 14.2, and this content appears to interfere with each other.

Solution: Updated code so that the IPS content that you drop by .jdb file publishes to the correct folder.

 

SEP IronDB does not update status of whitelisted file definitions when using blacklisted files on EDR

Fix ID: ESCRT-73

Symptoms: The Symantec Endpoint Protection Download Insight (sometimes referred to as IronDB) does not update the status of a whitelisted file if you later blacklist the same file on Symantec Endpoint Detection and Response (EDR). The time-to-live (TTL) period is set to none in the IronDB.

Solution: Corrected the feature and command parameters to accept the whitelisted file definitions and update the status.

 

Simplified Chinese appears in Traditional Chinese SEPM

Fix ID: ESCRT-69

Symptoms: In a Symantec Endpoint Protection Manager that is localized for Traditional Chinese, Simplified Chinese appears in the Category type column.

Solution: Added a method to correctly identify the locale for this column header.

 

Selection in Copy Deployment Settings cause deselection of previous group

Fix ID: ESCRT-64

Symptoms: If you right-click a group under the Clients tab that has an installation package associated with it, and then click Copy Deployments Settings, you cannot click a second group without deselecting the first group.

Solution: Enabled multiple group selection for Copy Deployment Settings.

 

SEP custom scan cannot browse folders that contain 0x5c character code

Fix ID: ESCRT-59

Symptoms: When you create a custom scan task with Symantec Endpoint Protection localized for Japanese, if the folder name contains a double-byte character (eg "่กจ") that contains the 0x5c character code, the scan cannot browse the folder, even if there is a subfolder in it.

Solution: Changed to a function that supports a multibyte character set (MBCS).

 

SEPM Home page drill down reports return no data for limited admin

Fix ID: ESCRT-57

Symptoms: If you log on to Symantec Endpoint Protection Manager as a Limited Administrator and view the reports on the Home tab, the Up-to-date, Out-of-date, and Disabled reports return no data.

Solution: Added the permission filter in all sub queries in the reports.

 

EDR IP not removed from list of servers when EDR is used

Fix ID: ESCRT-55

Symptoms: The IP address for Symantec Endpoint Detection and Response (EDR) is not removed from list of servers when the EDR Private Cloud policy is removed using HTTP PATCH.

Solution: Corrected the algorithm that is used when manipulating the Symantec Endpoint Protection Manager private server list.

 

SEP client Bugcheck 0x9E in SRTSP64.SYS

Fix ID: ESCRT-53

Symptoms: A Microsoft SharePoint database server is in a cluster configuration that has Symantec Endpoint Protection 14.0.1 installed to it. Moving the cluster resource from active to the standby server fails and causes a crash with bugcheck 0x9E in SRTSP64.SYS.

Solution: Updated Auto-Protect to resolve some exclusive lock issues.

 

SEPM shows Mac clients instead of Windows 8.1 clients

Fix ID: ESCRT-43

Symptoms: If you filter clients in Symantec Endpoint Protection Manager for Windows 8.1, Mac clients display instead.

Solution: Added a filter case for Windows 8.1 clients and the SQL query details to support this new case.

 

SEPM experiencing SQL Server deadlocks

Fix ID: ESCRT-39

Symptoms: A SQL Server database deadlock occurs when Symantec Endpoint Protection Manager processes the opstate data for the scan records for external logging.

Solution: Updated code to avoid the deadlock when processing these records.

 

SEPM has path/character limitations for exporting SEP client packages for Mac

Fix ID: ESCRT-37

Symptoms: When you export a Mac client package from Symantec Endpoint Protection Manager, you have a limited selectable path length.

Solution: Increased the user selectable path for Mac packages to match Windows at 80 characters. Increased overall maximum path for exporting a Mac package to 190 characters.

 

Cannot view Help from SEPM web console

Fix ID: ESCRT-35

Symptoms: When you log on to Symantec Endpoint Protection Manager 14.0.1 with the remote web console, you cannot view the in-product context-sensitive Help.

Solution: Updated code to let the web browser keep using the IP address for the Help if the web console session was started with an IP address.

 

SEP Clients do not use proxy for LiveUpdate after upgrade to 14

Fix ID: ESCRT-33

Symptoms: After your Symantec Endpoint Protection clients upgrade from version 12.1 to 14, some of them stopped updating their definitions. These clients no longer used the LiveUpdate proxy settings.

Solution: Changed the way proxy settings populate for the LiveUpdate session.

 

SEP 14.2 kernel modules don't compile on CentOS 7

Fix ID: ESCRT-30

Symptoms: Symantec Endpoint Protection 14.2 does not build Auto-Protect kernel modules for CentOS 7 with kernel 4.15.

Solution: Made changes to Auto-Protect kernel module code so that they work on kernel 4.15.

 

Replication fails after permissions are stripped from the SEPM folders

Fix ID: ESCRT-28, ESCRT-22

Symptoms: Replication fails. You find that the Symantec Endpoint Protection Manager data folder permissions do not contain the Windows Authentication user that you use to log on to SQL Server.

Solution: Added the required permission to be set or reset when the Symantec Endpoint Protection Manager Configuration Wizard runs.

 

Cannot open SEP Client UI through Windows Defender Security Center in Windows 10

Fix ID: ESCRT-24

Symptoms: You are not able to open the Symantec Endpoint Protection client user interface through the Windows Defender Security Center in Windows 10. If you click Open Symantec Endpoint Protection, nothing happens.

Solution: Updated the code so that Symantec Endpoint Protection now registers the correct binary used to launch the user interface when opening the link through Windows Defender Security Center.

 

SEP for Linux cannot update definitions using FTP to the LiveUpdate server

Fix ID: ESCRT-21

Symptoms: An unmanaged Linux client that runs Symantec Endpoint Protection 14.0.1 that has port 80 blocked is not able to download LiveUpdate definitions from the FTP server.

Solution: Corrected the user name, password, and URL entries to ensure a proper FTP connection.

 

ccSvcHst.exe crashes with 0xC0000005 error

Fix ID: ESCRT-18

Symptoms: Symantec Endpoint Protection process ccSvcHst.exe crashes with the error 0xC0000005.

Solution: Added a check and an exception handler to avoid this crash.

 

New ongoing events overwrite the Security History

Fix ID: ESCRT-17

Symptoms: In the Symantec Endpoint Protection client, newly logged ongoing events overwrite the Connection Events Inspector in Security History.

Solution: Changed the persistence of Open Connection Events so that they do not get overwritten.

 

SEPM misidentifies Windows 10 Enterprise 2016 LTSB as Windows 10 Enterprise 2015 LTSB

Fix ID: ESCRT-15

Symptoms: Symantec Endpoint Protection clients installed on Windows 10 Enterprise 2016 LTSB report a different OS version of Windows 10 Enterprise 2015 LTSB.

Solution: Dropped the year designation and started gathering the build number of the operating system so that we properly discern operating systems.

 

SEP 14 MP2 client deadlock with SentinelOne

Fix ID: ESCRT-14

Symptoms: You have Symantec Endpoint Protection 14 MP2 and SentinelOne installed on the same computer. If both programs try to analyze the same file, a deadlock situation occurs.

Solution: Resolved the cause of the Auto-Protect deadlock to prevent a collision with SentinelOne.

 

ccSvcHst.exe crashes with error code c0000409

Fix ID: ESCRT-664

Symptoms: Symantec Endpoint Protection process ccSvcHst.exe crashes with the error c0000409, indicating a security check failure or stack buffer overrun.

Solution: Removed duplicated certificate records.

 

SEP for Linux AP modules fail to hook syscall table when running Vormetric software

Fix ID: ESCRT-6

Symptoms: In Symantec Endpoint Protection for Linux, Auto-Protect kernel modules symev and symap fail to load into the kernel if Vormetric software is also installed.

Solution: Changed the system calls to ensure that the kernel modules load so that initialization succeeds.

 

HTTP 403 error when SEP clients tries to connect to SEPM

Fix ID: ESCRT-828

Symptoms: After you upgrade Symantec Endpoint Protection Manager to 14.2 MP1, clients cannot connect. Troubleshooting reveals an HTTP 403 error.

Solution: Fixed the proxy settings to ensure that communication succeeds after upgrade.

 

SEP client not staying in a trusted location after upgrade to 14.2 MP1

Fix ID: ESCRT-332

Symptoms: After you upgrade Symantec Endpoint Protection to 14.2 MP1, you notice location awareness issues. Computers switch from trusted ethernet to untrusted ethernet without warning and occasionally switch back.

Solution: Fixed an issue with socket types that caused connection failures.

 

Mac Device Control logs duplicate entries when computer mounts disk images

Fix ID: ESCRT-891

Symptoms: Too many events seem to generate for Mac client computers for Device Control, even though physical devices connect less frequently. Entries generate when the Mac mounts a disk image.

Solution: Disk image mounts no longer result in events that are sent to Symantec Endpoint Protection Manager. 

 

Large number of clients are offline in SEPM dashboard despite sending opstate data

Fix ID: ESCRT-304

Symptoms: In Symantec Endpoint Protection Manager, many clients show as offline in the dashboard despite sending opstate data. Troubleshooting shows that the client heartbeat can’t check in with Symantec Endpoint Protection Manager.

Solution: Fixed the cause of the failed heartbeat from the client.

 

Broken database links found in SEPM database

Fix ID: ESCRT-668

Symptoms: The tool DBValidator reports broken links in the Symantec Endpoint Protection Manager database.

Solution: Fixed an issue with the LuDownloadedContentArray filter.

 

Scheduled scan start time for Mac client on Japanese OS always saved as -12 hours

Fix ID: ESCRT-669

Symptoms: You schedule a scan on the Symantec Endpoint Protection client on Mac for a Japanese version of macOS. However, the scan is actually scheduled for twelve hours earlier. For example, if you schedule it for 14:00 (2 PM), it actually schedules at 02:00 (2 AM).

Solution: Fixed a data parsing issue.
 

ARP cache poisoning alerts appear for Macs after an upgrade to 14.2 MP1

Fix ID: ESCRT-902

Symptoms: After you upgrade the Symantec Endpoint Protection client software for Mac to version 14.2 MP1, you see many ARP cache poisoning alerts appear in Symantec Endpoint Protection Manager for the Mac client computers. These alerts appear even with anti-MAC spoofing disabled.

Solution: Updated code so that if anti-MAC spoofing is disabled, logging for ARP cache poisoning alerts is disabled.

 

Component versions

The build number for this release is 14.2.3332.1000. The refresh release build number is 14.2.3335.1000; component versions do not change for the refresh release build.

Red text indicates components that have updated for this release.

Component

DLL File

DLL Version

SYS File

SYS Version

AutoProtect

srtsp64.dll

15.0.7.178

srtsp64.sys

15.7.0.170

BASH Defs

BHEngine.dll

Seq#= 20170926.001

11.5.1.29

BHDrvx64.sys

11.5.1.29

BASH Framework

BHClient.dll

10.4.2.24

N/A

-

CC

ccLib.dll

13.4.0.26

ccSetx64.sys

13.4.0.26

CIDS Defs

IDSxpx86.dll

Seq#= 20190121.500

17.0.0.410

IDSviA64.sys

17.0.0.410

CIDS Framework

IDSAux.dll

15.2.5.29

N/A

-

CP3

version.txt

2.6.0.79

N/A

-

CX

cx_lib.dll

3.0.3.25

N/A

-

ConMan

version.txt

2.1.7.10

N/A

-

D2D

version.txt

1.2.1.5

N/A

-

D2D_Latest

version.txt

1.5.0.51

N/A

-

DecABI

dec_abi.dll

2.3.5.10

N/A

-

DefUtils

DefUtDCD.dll

5.1.0.31

N/A

-

DuLuCallback

DuLuCbk.dll

1.8.1.17

N/A

-

DuLuxCallback

duluxcallback.dll

2.15.0.7

N/A

-

ERASER

cceraser.dll

118.2.1.9

eraser64.sys

118.2.1.9

IRON

Iron.dll

7.0.7.12

Ironx64.sys

7.0.7.11

LUX

Lux.dll

2.15.0.19

   

LiveUpdate

LUEng.dll

2.6.2.8

N/A

-

MicroDefs

patch25d.dll

6.1.1.4

N/A

-

SDS Engine

sds_engine_x86.dll

Seq#= 20190302.001

1.8.0.244

N/A

-

SIS

SIS.dll

91.12.4400.5000

N/A

-

STIC Defs

stic.dll

Seq#= 20190302.002

1.8.0.244

N/A

-

SymDS

DSCli.dll

6.2.0.25

N/A

-

SymEFA

EFACli64.dll

6.3.3.36

SymEFASI64.sys

6.3.2.8

SymELAM

ELAMCli.dll

2.0.1.143

SymELAM.sys

2.0.1.85

SymEvent

Sevntx64.exe

14.0.6.30

SymEvent.sys

14.0.6.27

SymNetDrv

SNDSvc.dll

15.2.3.3

symnets.sys

15.2.2.31

SymScan

ccScanW.dll

14.2.3.20

N/A

-

SymVT

version.txt

10.0.1.4

N/A

-

Symulator

version.txt

1.6.0.153

N/A

-

TCSAPI

version.txt

1.6.0.25

N/A

-

Titanium

titanium.dll

2.4.1.17

N/A

-

WLU (Symantec Endpoint Protection Manager)

LuComServerRes.dll

3.3.203.28

N/A

-