ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

New fixes and component versions in Symantec Endpoint Protection 14.2 RU1 MP1

book

Article ID: 151121

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

 

Resolution

This document lists the new fixes and component versions in Symantec Endpoint Protection (SEP) 14.2 RU1 MP1 (14.2.1.1). This information supplements the information found in the Release Notes.

Download the full release through MySymantec. For details, see Download the latest version of Endpoint Protection.

You can also download client-only patches through Symantec Endpoint Protection 14.2 RU1 MP1 client-only patches.


New fixes

SQL Server experiences performance issues after an upgrade to 14.2 MP1

Fix ID: ESCRT-900

Symptoms: After you upgrade from Symantec Endpoint Protection 12.1.7454.7000 (schema version 12.1.6.11) to 14.2.1023.0100 (schema version 14.2.0.2), you see excessive CPU utilization on the SQL Server when Application Learning is enabled.

Solution: Added type conversion to the SQL statement to prevent this performance issue.
 

Non-uniqueness of 4-digit policy numbers causes issues with Splunk

Fix ID: ESCRT-855

Symptoms: Because some of the policy numbers received from Symantec Endpoint Protection Manager by Splunk begin with the same four digits, Splunk shows the clients in the wrong groups.

Solution: Added the client group name to external system-client logging to allow Splunk to operate properly.
 

Clients do not switch locations when using DNS Lookup criteria with Location Awareness

Fix ID: ESCRT-1710, ESCRT-1773, ESCRT-1801

Symptoms: Location Switching may intermittently fail when it relies on DNS Lookup as a criteria within Location Awareness.

Solution: Improvements made to Location Awareness functionality so that it now properly results in a location switch when DNS Lookup is used as the criteria.
 

SEP 14.2 RU1 client HI check fails on reboot

Fix ID: ESCRT-1581

Symptoms: When using a Symantec Endpoint Protection Host Integrity policy, the Host Integrity check fails when a version 14.2 RU1 client is rebooted.

Solution: Updated the code to discard any old status requests if a new status request was already received. This update ensures that the right status is returned for a Host Integrity check.
 

System Lockdown Whitelisting stops working after an upgrade to 14.2 RU1

Fix ID: ESCRT-1446

Symptoms: After an upgrade to version 14.2 RU1, system lockdown no longer blocks items that are not in the file fingerprint lists. Blacklist mode works as expected. Only Whitelist mode is affected.

Solution: Corrected an invalid buffer location, which allows the right policy to be used.
 

SEP clients stop communicating with SEPM until smc.exe restarts

Fix ID: ESCRT-842, ESCRT-718

Symptoms: Symantec Endpoint Protection clients stop communicating and no longer send status to Symantec Endpoint Protection Manager. If the Symantec Endpoint Protection service restarts, then the clients communicate again.

Solution: Fixed an issue where the client was prevented from communicating due to an OpState message to Symantec Endpoint Protection Manager.
 

Duplicate header in external Syslog output causes problems with syslog filters

Fix ID: ESCRT-805

Symptoms: External logging output for the System Client-Server Activity Log contains duplicate column headers for Domain Name. This duplication causes problems with filtering the data.

Solution: Fixed the column header for the System Client-Server Activity Log.
 

Unable to search client by computer name from SEPM

Fix ID: ESCRT-686

Symptoms: A search by computer name in Symantec Endpoint Protection Manager fails. An index hint forces the query to use a specific index, which causes a performance issue.

Solution: Optimized and fixed the query used when searching for a client.
 

SEP clients stop communicating with SEPM after an upgrade and LiveUpdate runs, until smc.exe restarts

Fix ID: ESCRT-672

Symptoms: Symantec Endpoint Protection clients stop communicating with Symantec Endpoint Protection Manager after an upgrade and after LiveUpdate runs. If the service smc.exe restarts, then clients communicate again.

Solution: Fixed an issue where the client was prevented from communicating due to a LiveUpdate check.
 

SEP client policy serial number incorrect on SEPM

Fix ID: ESCRT-649

Symptoms: Symantec Endpoint Protection clients have a different policy serial number than Symantec Endpoint Protection Manager, which appears to have an old policy.

Solution: Addressed the User Interface issue to properly reflect the correct policy serial number.
 

Upgrade to SEPM 14.2 MP1 fails during schema update

Fix ID: ESCRT-542

Symptoms: The Symantec Endpoint Protection Manager upgrade fails during the schema update.

Solution: Fixed the upgrade routine when adding IPv6 range hosts to the firewall rule in the schema.
 

SEP client cannot upload user information to SEPM on a Japanese OS

Fix ID: ESCRT-338

Symptoms: On a Japanese OS, the user info for the Symantec Endpoint Protection clients never upload to Symantec Endpoint Protection Manager.

Solution: Fixed DBCS and special characters that caused parsing issues in XML.
 

Computer properties are blank with DBCS characters in the field

Fix ID: ESCRT-522

Symptoms: After an upgrade of Symantec Endpoint Protection Manager to 14.2, any computer description field with double-byte (DBCS) characters becomes blank.

Solution: Fixed DBCS and special character parsing issues in XML.
 

Discrepancies when exporting agt_risk.tmp and agt_security.tmp files in SEPM

Fix ID: ESCRT-8

Symptoms: When using External Logging to dump client logs to a .dmp file from the Symantec Endpoint Protection Manager and it includes agt_risk and agt_security files, several inconsistencies may appear.

Solution: Added missing values to ensure consistency in the exported logs.
 

SEP client cannot connect to internet

Fix ID: ESCRT-286

Symptoms: When manually enabling Website Traffic Redirection (WTR) through the Client User Interface, Symantec Endpoint Protection clients are unable connect to the internet. LAN settings in Internet Explorer, under Tools > Internet options become locked.

Solution: Implemented a change so that Website Traffic Redirection (WTR) can only enabled on a managed client via a Symantec Endpoint Protection Manager policy.
 

GUP-related DBCS string is corrupted in system log of SEP client

Fix ID: ESCRT-250

Symptoms: The client’s system log shows corrupted characters for Group Updated Provider entries that use double-byte (DBCS) characters.

Solution: Remove an extra encode function for Group Update Provider-related strings.
 

Failover to a SEPM in a Priority 2 list is not randomized

Fix ID: ESCRT-1371

Symptoms: If both Symantec Endpoint Protection Managers in the Priority 1 list are disabled or unavailable, clients do not randomly pick a Symantec Endpoint Protection Manager from the Priority 2 list. Instead, they always failover to the first Symantec Endpoint Protection Manager in the Priority 2 list.

Solution: Corrected this load-balancing issue so that failover from one priority block to the next priority block is random.
 

LiveUpdate fails on the SEP client for Linux after an upgrade to 14.2 RU1

Fix ID: ESCRT-1385

Symptoms: After an upgrade to version 14.2 RU1, Linux clients cannot correctly process updates because the group avdefs is not present.

Solution: Corrected the criteria for removing avdefs during the uninstall phase of an upgrade.
 

SEPM client list shows addresses for disabled or disconnected adapters

Fix ID: ESCRT-1374

Symptoms: In Symantec Endpoint Protection Manager, the column IP Address in the list of clients shows APIPA addresses for disabled or disconnected adapters, instead of showing the last connected IP address or another valid IP address.

Solution: Added a check to the Symantec Endpoint Protection client in order to verify that the adapter is in a working state before adding it to the list.
 

SEP client for Linux fails to communicate with SEPM when NIC bonding is enabled for 14.2 MP1

Fix ID: ESCRT-988

Symptoms: As of version 14.2 MP1, the Symantec Endpoint Protection client for Linux can no longer communicate with Symantec Endpoint Protection Manager when NIC bonding is enabled.

Solution: Updated code to correctly process virtual NICs.
 

SEP clients cannot send OpState info to SEPM when it contains DBCS characters

Fix ID: ESCRT-854

Symptoms: The Symantec Endpoint Protection client cannot send OpState data to the Symantec Endpoint Protection Manager, because DBCS characters in the computer description are unable to be parsed.

Solution: Properly encoded the string in the computer description so that it can be parsed, which allows the OpState data to be sent for processing to the Symantec Endpoint Protection Manager.
 

SEP 14.2 clients do not update from Single GUP on different subnet

Fix ID: ESCRT-545

Symptoms: Symantec Endpoint Protection clients that run version 14.2 do not update from Single Group Update Providers when it is on a different subnet. The Symantec Endpoint Protection client version on the Group Update Provider has no effect on the issue.

Solution: Added code to verify whether the Group Update Provider is enabled before it processes the Group Update Provider List.
 

Event ID 80 appears in logs after every virus definition update

Fix ID: ESCRT-419

Symptoms: After every virus definition update, you see an Event ID 80 error in the Event Viewer. The error contains the following text: “Symantec Endpoint Protection has failed to load the latest virus definitions.”

Solution: Increased Auto-Protect event provider timeouts to prevent error conditions.
 

Some dates in some database tables use the incorrect date format

Fix ID: ESCRT-168

Symptoms: The database tables ALERTS and SCANS incorrectly show some dates in the month-day-year (MDY) format, when your environment otherwise uses the day-month-year (DMY) format.

Solution: Updated code so that while reading or writing the date data for these tables, the proper formatting function data types are used.
 

Infected files with file names that contain UTF-8 characters cannot be scanned on the Symantec Endpoint Protection Linux client

Fix ID: ESCRT-98

Symptoms: When you mount a drive with UTF-8 encoding, if the file name has UTF-8 characters, the Symantec Endpoint Protection Linux client is not able to scan the files.

Solution: Added UTF-8 support to the Symantec Endpoint Protection Linux client.
 

BSOD with BugCheck D1 occurs with SEP 14.0 RU1 installed

Fix ID: ESCRT-45

Symptoms: Symantec Endpoint Protection 14.0 RU1 may result in a Windows crash with BugCheck D1 on SymNets.sys when the endpoint is under heavy CPU and network load.

Solution: Updated the code so that the SYMNETS.SYS properly handles loopback traffic.
 

BSOD with Error 0xc0000005 occurs with SEP 14.0 RU1 MP1 installed

Fix ID: ESCRT-10

Symptoms: A race condition in Symantec Endpoint Protection 14.0 RU1 MP1 may result in a Windows crash with Error 0xc0000005 on Sysplant.sys.

Solution: Added mutex support to provide synchronization and re-entrant access, to avoid the potential for a system crash under race conditions.
 

SEP client repeatedly fails to load SDS definitions initially

Fix ID: ESCRT-814

Symptoms: The Symantec Endpoint Protection client fails to load SDS definitions. Eventually, the client loads these definitions.

Solution: Added a check to ensure the correct definition types load correctly for certain code paths.
 

Crash in libcurl-wintls.dll and ccSvcHst.exe when FIPSMODE is enabled

Fix ID: ESCRT-1659

Symptoms:  In envrionments where FIPSMODE is enabled on a Windows Server 2012 R2 client computer, the Symantec Endpoint Protection client crashes intermittently. Crash reports indicate an issue with libcurl-wintls.dll and ccSvcHst.exe.

Solution:  Fixed a null pointer check to prevent the crash.
 

An upgrade of SEPM to 14.2 RU1 causes unexpected restart requests on non-upgraded clients

Fix ID: ESCRT-1626

Symptoms:  When you upgrade Symantec Endpoint Protection Manager to version 14.2 RU1, the connected clients that still run version 14.2-MP1 unexpectedly restart.

Solution: Updated the code so that the feature sets of the 14.2 MP1 AutoUpgrade package are not updated when upgrading Symantec Endpoint Protection Manager to version 14.2 RU1.
 

SEP for Mac malfunctions after copying a firewall rule from Windows

Fix ID: ESCRT-652

Symptoms: You copied select rules from the Symantec Endpoint Protection Firewall rules for Windows and pasted them into the Mac Firewall rules. When the policy is applied to the client’s group, Symantec Endpoint Protection fails to apply the new policy. Symantec Endpoint Protection becomes disabled and no longer accepts new policies. To restore functionality, you must reinstall the client software.

Solution: Removed the ability to copy and paste firewall rules across different OS platforms.
 

SEP for Mac shows unsolicited ARP traffic detections on SEPM but not on the clients

Fix ID: ESCRT-799

Symptoms:  In Symantec Endpoint Protection Manager, you see frequent ARP detection notifications for Symantec Endpoint Protection clients for Mac with a remote address of 0.0.0.0, and the MAC address is reported as NA. You do not see the detections on the Mac client computers.

Solution: Updated the code to honor the setting for ARP spoofing and for notifications. IPS events now send the correct MAC addresses.
 

SEP for Mac blocks ARP traffic and does not log it, even when ARP spoofing is disabled

Fix ID: ESCRT-1294

Symptoms: Symantec Endpoint Protection blocks ARP traffic even though the setting for ARP spoofing is unchecked.

Solution: Updated code so that ARP traffic is blocked only if IPS is enabled.
 

After installing a localized SEP 14.2 RU1 client, it incorrectly appears in the Default group

Fix ID: ESCRT-1517

Symptoms: You install a version 14.2 RU1 client that you exported from Symantec Endpoint Protection Manager. Both client and manager are in the same localized language, such as Traditional Chinese or Japanese. However, instead of appearing as expected in the preferred group that is defined in the installation package, the client appears in the Default group.

Solution: Updated code to correctly parse the preferred group name.
 

SEP For Mac WTR has Internet connectivity issues, including 502 Bad Gateway responses

Fix ID: ESCRT-1519

Symptoms: You enabled Website Traffic Redirection on your Symantec Endpoint Protection clients on Macs. Afterwards, you see bad_gateway errors displayed on the browser, when you start browsing websites.

Solution: Updated WTR traffic requests to get a direct connection to target URLs instead of bad_gateway errors, to ensure continued browsing access to websites with no interruption.
 

SEP For Mac prompts for authorization on Mac client computers with WTR enabled

Fix ID: ESCRT-1528

Symptoms: After you enable Website Traffic Redirection, you see frequent authentication prompts from the operating system.

Solution: Added a failover mechanism to prevent these additional prompts.
 

SEP For Mac location switching does not work with a VPN

Fix ID: ESCRT-1576

Symptoms: When you connect to a VPN from an external network, location switching for Symantec Endpoint Protection does not work as expected.

Solution: Updated the matching logic to switch to a VPN location when connecting to a VPN.
 

SEP For Mac shows 503 Gateway error or captive portal prompts when using WTR

Fix ID: ESCRT-1308

Symptoms: When you enable Website Traffic Redirection for Symantec Endpoint Protection clients for Mac, you see messages in the browser that the service is not available or bad_gateway errors.

Solution: Added additional validation when restoring network settings.
 

SEP For Mac shows proxy authentication messages repeatedly throughout the day with WTR enabled

Fix ID: ESCRT-1307

Symptoms: When you enable WSS Traffic Redirection for Symantec Endpoint Protection clients for Mac, proxy errors and authentication dialogs intermittently appear on the Mac client computer.

Solution: Updated the code to prevent these authentication issues.
 

SEP For Mac blocks some captive portals on the Mac with WTR enabled

Fix ID: ESCRT-1447

Symptoms: When you enable Website Traffic Redirection for Symantec Endpoint Protection clients for Mac, you can no longer connect to one of the captive portals.

Solution: Updated code to allow direct connections when captive portal authentication triggers, so that it is not required to resolve the target URL.

Additional fix for 14.2.4815.1101

Users are unable to access some applications after an upgrade to 14.2 RU1 MP1

Fix ID: ESCRT-2418

Symptoms: After upgrading to version 14.2 RU1 MP1, some users are unable to access applications like MMC.exe, RegEdit.exe, or apply Windows Updates.

Solution: Properly clean up ClDS artifacts the Windows CatRoot directory on install, upgrade, or uninstall.

Component versions

The build number for this release is 14.2.4811.1100. 

Red text indicates components that have updated for this release.

Component

DLL File

DLL Version

SYS File

SYS Version

AutoProtect

srtsp64.dll

15.7.6.14

srtsp64.sys

15.7.6.12

BASH Defs

BHEngine.dll

Seq#= 20170926.001

11.5.1.29

BHDrvx64.sys

11.5.1.29

BASH Framework

BHClient.dll

10.4.2.24

N/A

-

CC

ccLib.dll

13.4.0.26

ccSetx64.sys

13.4.0.26

CIDS Defs

IDSxpx86.dll

Seq#= 20190524.061

17.1.0.222

IDSviA64.sys

17.1.0.222

CIDS Framework

IDSAux.dll

15.2.5.29

N/A

-

CP3

version.txt

2.7.0.139

N/A

-

CX

cx_lib.dll

3.0.3.25

N/A

-

ConMan

version.txt

2.1.8.5

N/A

-

D2D

version.txt

1.2.1.5

N/A

-

D2D_Latest

version.txt

1.5.0.51

N/A

-

DecABI

dec_abi.dll

2.3.5.10

N/A

-

DefUtils

DefUtDCD.dll

5.1.0.31

N/A

-

DuLuCallback

DuLuCbk.dll

1.8.1.17

N/A

-

DuLuxCallback

duluxcallback.dll

2.15.0.7

N/A

-

ERASER

cceraser.dll

118.2.1.9

eraser64.sys

118.2.1.9

IRON

Iron.dll

7.0.7.12

Ironx64.sys

7.0.7.11

LUX

Lux.dll

2.15.0.19

   

LiveUpdate

LUEng.dll

2.6.2.8

N/A

-

MicroDefs

patch25d.dll

6.1.1.4

N/A

-

SDS Engine

sds_engine_x86.dll

Seq#= 20190625.006

1.9.0.258

N/A

-

SIS

SIS.dll

91.12.4400.5000

N/A

-

STIC Defs

stic.dll

Seq#= 20190308.019

1.8.0.83

N/A

-

SymDS

DSCli.dll

6.2.0.25

N/A

-

SymEFA

EFACli64.dll

6.3.3.38

SymEFASI64.sys

6.3.3.35

SymELAM

ELAMCli.dll

2.0.1.145

SymELAM.sys

2.0.1.85

SymEvent

Sevntx64.exe

14.0.6.30

SymEvent.sys

14.0.6.27

SymNetDrv

SNDSvc.dll

15.2.4.3

symnets.sys

15.2.4.3

SymScan

ccScanW.dll

14.2.3.20

N/A

-

SymVT

version.txt

10.0.1.4

N/A

-

Symulator

version.txt

1.6.0.197

N/A

-

TCSAPI

version.txt

1.6.0.25

N/A

-

Titanium

titanium.dll

2.4.1.17

N/A

-

WLU (Symantec Endpoint Protection Manager)

LuComServerRes.dll

3.3.203.28

N/A

-