BCS Knowledge Base


Document ID: 2007121216360648
Last Modified: 11/04/2009

Release notes for Symantec Endpoint Protection 11.0.x and Symantec Network Access Control 11.0.x

Situation: This article documents the changes and fixes in each update to Symantec Endpoint Protection 11.0.x and Symantec Network Access Control 11.0.x.

Solution: As updates to Symantec Endpoint Protection are released, they are added as sections in this document. The sections are added in chronological order, with the most recent additions at the top.

Note: To download the latest release of Symantec Endpoint Protection, read the following document: Obtaining an upgrade or update for Symantec Endpoint Protection 11.x or Symantec Network Access Control 11.x.

This document should be read in conjunction with the appropriate Readme files:
  • Readme_SEP.txt
  • Readme_SNAC.txt
  • Readme_appliance.txt
  • Readme_trialware.txt


Release Update 5 (RU5)

What's new in this version
The current release includes the following improvements that make Symantec Endpoint Protection and Symantec Network Access Control easier and more efficient to use.

Symantec Endpoint Protection Manager now supports the following operating systems:
    • Microsoft Windows Server 2008 Service Pack 2 (all editions except for Itanium)
    • Microsoft Windows Server 2008 R2 (all editions except for Itanium)

Symantec Endpoint Protection Manager can now be used with Microsoft SQL Server 2008.

The Symantec Endpoint Protection or Symantec Network Access Control client now supports:
    • Microsoft Windows 7 (all editions except for Itanium)
    • Microsoft Windows Server 2008 R2 (all editions except for Itanium)
    • Microsoft Windows Vista Service Pack 2

The size of the exported client installation package has been reduced.

You can configure the following features for the Group Update Provider:
    • Limit the amount of bandwidth that the Group Update Provider can use when the Group Update Provider downloads content from the management server.
    • You can define a Group Update Provider by using rules and conditions, such as an IP address or host name. You can configure a single Group Update Provider in a single LiveUpdate Policy that applies across multiple groups for multiple clients.
    • Define clients to connect to a Group Update Provider within the same site to improve performance.
    • Identify which clients act as Group Update Providers.

The client now includes a Download Support Tool command on the Help and Support menu.
    • Users on the client can download a support tool from the Support Web site that helps to diagnose the common issues that they might encounter on the client.

Symantec Network Access Control includes the following enhancements:
    • New Host Integrity templates support Altiris 7, BigFix Enterprise Suite, and new versions of additional third-party products.
    • End users with a valid RADIUS logon but a computer with no client installed can be blocked from your company's network.
    • You can configure when the command-line interface on the Enforcer times out.


Components included in this version


Component                          Version
Symantec Endpoint Protection       11.0.5002
Symantec Network Access Control    11.0.5002
Auto-Protect                       10.3.0.15
Avengine                           20081.1.1
Behavior Blocking                  3.3.0.015
ccEraser                           2007.0.1.6
COH                                6.1.9.44
Common Client                      106.5.0.10
DecABI                             1.2.5.130
Defutils                           4.1.1
ECOM                               81.3.0.13
VxMS (MS Light)                    5.2.0.4
LiveUpdate                         3.3.0.92
LiveUpdateAdmin                    2.2.1.16
Microdefs                          2.7.0.13
QServer                            3.6.20
WpsHelper                          12.0.1.41
SyKnAppS                           3.0.3.3
SymEvent                           12.8.0.11
SymNetDrv                          7.2.5.9
Teefer2                            11.0.5

    Product fixes by category

    Symantec Endpoint Protection Antivirus and Antispyware
    This section describes the customer fixes for Antivirus and Antispyware since the release of MR4 MP2 (11.0.4.4200).
      Under the guest account, Symantec Endpoint Protection clients report multiple warnings
      Fix ID: 1128048
      Symptom: Under the guest account, Symantec Endpoint Protection clients report that Antivirus and Antispyware Protection does not function correctly.
      Solution: Corrected status query to accommodate guest (minimal) privileges.

      Updated hardware key due to MAC address change causes Symantec Endpoint Protection client re-registration with Symantec Endpoint Protection Manager
      Fix ID: 1397560
      Symptom: Multiple entries for Symantec Endpoint Protection clients on the console, duplicate hardware keys for different clients, and multiple clients that share the same hardware key.
      Solution: The algorithm to create the hardware key was changed so the hardware key should not change with minor hardware changes, such as the disabling of NICs.

      Smcgui.exe crashes for a Restricted user
      Fix ID: 1528962
      Symptom: Smcgui.exe crashes when logging on as a Restricted user.
      Solution: Improved object handling.

      Location awareness only works when the Primary DNS suffix matches the condition
      Fix ID: 1529689
      Symptom: On Windows 2000, Location Awareness fails to switch when configured on a specified network interface.
      Solution: Change to Location Awareness.

      TPM Device not displayed in the Symantec Endpoint Protection Manager
      Fix ID: 1536046
      Symptom: The Symantec Endpoint Protection client was not able to correctly identify the TPM chip vendor.
      Solution: Changed the client to handle failures better when attempting to retrieve the TPM chip vendor information.

      Decomposer version is blank in the Symantec Endpoint Protection client user interface
      Fix ID: 1540746
      Symptom: Under Help and Support, the Decomposer version is blank.
      Solution: Corrected the location to retrieve the Decomposer version.

      Unable to disable the "Threats were detected while you were logged out" message
      Fix ID: 1542336
      Symptom: With all notifications disabled, if a virus is discovered as part of a scheduled scan while the user is logged out, the user is notified that threats were discovered when the user logs in.
      Solution: Added an option to toggle the client-side notification of the message.

      Smcgui.exe unexpectedly takes foreground focus
      Fix ID: 1558158
      Symptom: On Windows XP embedded computers, Smcgui.exe unexpectedly takes foreground focus.
      Solution: Changed Smcgui.exe to not take foreground focus in invisible mode.

      The Symantec Endpoint Protection client fails heartbeat with Error Code=87;AH or Error Code=0;AH
      Fix ID: 1603851
      Symptom: With a large number of IP addresses configured on the Symantec Endpoint Protection client, the registration information exceeds size limitations and the client is not able to register with the server.
      Solution: Set a limit of 16 IP addresses on the client.

      64-bit Symantec Endpoint Protection clients do not pass Host Integrity check
      Fix ID: 1651293
      Symptom: 64-bit Symantec Endpoint Protection clients connecting through Juniper VPN are blocked by the Juniper Host Checker because the Juniper Host Checker does not recognize that the client successfully passed the Host Integrity check.
      Solution: Corrected the location where Host Integrity results are read.

      Scheduled LiveUpdate does not run at random times as expected
      Fix ID: 1651364
      Symptom: Scheduled LiveUpdate does not run at random times as expected.
      Solution: Fixed algorithm to randomize the start times.

      Scheduled LiveUpdate still launches LuAll.exe although the "Use a LiveUpdate Server" option is unchecked
      Fix ID: 1652473
      Symptom: After migration, LiveUpdate still uses LuAll.exe to download content from an internal or external LU server, regardless of whether the Use a LiveUpdate Server option is checked.
      Solution: Scheduled LiveUpdate settings are cleared and the Symantec Endpoint Protection client uses the LiveUpdate policy from the Symantec Endpoint Protection Manager.

      Log forwarding settings for Scan Aborted, Scan Started, and Scan Stopped do not work properly
      Fix ID: 1664764
      Symptom: Regardless of the log forwarding setting in Symantec Endpoint Protection Manager, the Symantec Endpoint Protection clients always forward the Scan aborted, Scan started, and Scan stopped logs.
      Solution: Corrected the log forwarding to not always forward Scan logs.

      Eraser Engine displays Version 0.0
      Fix ID: 1668299
      Symptom: The Protection Content Versions report and Help show clients' Eraser Engine version as 0.0.
      Solution: Removed the dependency on Proactive Threat Protection content to be present while Eraser Engine version is calculated.

      LiveUpdate tries to contact external LiveUpdate Servers despite policy setting
      Fix ID: 1678207
      Symptom: The Use a LiveUpdate Server setting is not honored, which causes Symantec Endpoint Protection clients to download content from external LiveUpdate servers.
      Solution: The Use a LiveUpdate Server setting is checked before attempting to download content.

      A Group Update Provider leaves TCP connections in the CLOSE_WAIT state, preventing Symantec Endpoint Protection clients from updating
      Fix ID: 1679515
      Symptom: With limited concurrent download connections configured, TCP connections can be exhausted if Symantec Endpoint Protection clients do not terminate sessions cleanly.
      Solution: Architectural changes were made to the Group Update Provider to handle clients that do not terminate sessions cleanly.

      Remediation options for Email Auto-Protect are grayed out in the Symantec Endpoint Protection client
      Fix ID: 1704540
      Symptom: The Remediation options for Email Auto-Protect are visible and grayed out on the Symantec Endpoint Protection client, but do not appear in the Symantec Endpoint Protection Manager.
      Solution: The Remediation options for Email Auto-Protect are not configurable and have been removed.

      Smcgui.exe crashes on Windows 2000 when users are logged in as Guest account
      Fix ID: 1729073
      Symptom: Smcgui.exe crashes on Windows 2000 when users are logged in as Guest account.
      Solution: Enhanced error handling in Smcgui.exe on Windows 2000.

      Location awareness switches based on "Primary DNS Suffix" provided by domain controller
      Fix ID: 1732720
      Symptom: Location awareness switches based on the Primary DNS Suffix provided by the domain controller.
      Solution: Location awareness switching by DNSSuffix will only switch through the Connection-specific DNS suffix provided by DHCP.

      SMC.exe uses entire CPU core and client/manager communication fails after migrating or installing the Symantec Endpoint Protection client
      Fix ID: 174134
      Symptom: After upgrading a Symantec Endpoint Protection client, communication with the Symantec Endpoint Protection Manager fails because the default gateway is not in the same subnet.
      Solution: Enhanced the process to find the best route to the server after the gateway IP address changes.

      Symantec Endpoint Protection client user interface has inconsistent behavior when restoring items displayed in Quarantine
      Fix ID: 1783193
      Symptom: The Restore and Delete buttons remain grayed out in the client View Quarantine window when certain items are selected, but are available in the right-click context menu.
      Solution: Fixed to have consistent behavior between the Quarantine view and the right-click context menu.

      Symantec Endpoint Protection clients cannot update antivirus definitions from the Symantec Endpoint Protection Manager
      Fix ID: 1543985
      Symptom: Symantec Endpoint Protection clients cannot update antivirus definitions from the Symantec Endpoint Protection Manager.
      Solution: Added a dependency relationship for SMC service and System Event Notification service at startup.

      MSI Repair function reverts the Symantec Endpoint Protection Manager/IIS port to 8014 from non-default
      Fix ID: 1601640
      Symptom: MSI repair causes the Symantec Web server port to revert to the default value.
      Solution: Added a custom Web site port setting to the conf.properties file during a repair install.

      Symantec Endpoint Protection client upgrade warnings are inconsistent
      Fix ID: 1638457
      Symptom: Symantec Endpoint Protection client upgrade warnings on 64-bit upgrades are inconsistent with 32-bit upgrade warnings.
      Solution: Changed the 64-bit upgrade warnings to be consistent with the 32-bit upgrade warnings.

      Symantec Endpoint Protection Manager Home page shows the virus definition date as 1/1/1970
      Fix ID: 1391394
      Symptom: On a clean Symantec Endpoint Protection Manager installation before running LiveUpdate, the Symantec Endpoint Protection client virus definition date shows as 1/1/1970 on the console Home page.
      Solution: The client virus definition date is properly initialized.

      RTVScan.exe does not release memory until after the scan completes
      Fix ID: 1427192
      Symptom: When very large containers are scanned, memory continues to grow until the scan completes.
      Solution: Memory usage is reduced by not storing unnecessary data during the scan.

      Outlook Auto-Protect has problems with attachments containing non-ASCII letters in the file name
      Fix ID: 1529690
      Symptom: Attachments with non-ASCII characters cannot be opened.
      Solution: Added functionality to retrieve the UNICODE file name attribute to correctly create the target file name.

      Microsoft Word files are deleted as soon as they are opened on a local partition
      Fix ID: 1536936
      Symptom: Microsoft Word files are deleted as soon as they are opened on a local partition.
      Solution: Auto-Protect was modified to do non-buffered I/O on NTFS file system.

      Crash occurs during process termination with bug check 8E
      Fix ID: 1545269
      Symptom: System crashes during process termination with bug check 8E.
      Solution: Auto-Protect was changed to better handle scans during process termination.

      An application fault occurs in RTVScan.exe due to corrupted data in the registry
      Fix ID: 1592186
      Symptom: An application fault in RTVScan.exe occurs when it attempts to read an unexpected date value in the registry for a scheduled scan.
      Solution: Checks were added to validate the date value.

      Administrator scheduled scans are not running at specified times
      Fix ID: 1594128
      Symptom: With missed events disabled, scheduled scans are not correctly flagged as missed events.
      Solution: Enhanced missed event detection to account for the user environment when detecting missed events.

      Users suddenly cannot access shared files with Auto-Protect enabled
      Fix ID: 1594214
      Symptom: Users suddenly cannot access shared files with Auto-Protect enabled.
      Solution: Enhanced Auto-Protect to better handle client file accesses to a server.

      Symantec Endpoint Protection crashes in RTVscan when performing multi-threaded scan
      Fix ID: 1639778
      Symptom: An application crash occurs in RTVscan when run with multi-threaded or hyper-threaded options enabled.
      Solution: Additional checks were added to prevent an application crash.

      Symantec Endpoint Protection does not detect eicar.com when it is downloaded using Google Chrome
      Fix ID: 1673766
      Symptom: Using Chrome, threats are downloaded without detections while using selected file extension settings in Auto-Protect.
      Solution: Added the .TMP and .PART extensions (for Firefox) to the default extension list for Auto-Protect.

      Auto-Protect does not detect threats that are copied to a network share or a mapped network drive on Windows 2003 or 2008 Server
      Fix ID: 1675715
      Symptom: Auto-Protect does not detect threats that are copied to a network share or a mapped network drive on Windows 2003 or 2008 Server.
      Solution: Enhanced Auto-Protect to better handle client file accesses to a network share or a mapped network drive.

      Crash on Windows Vista with bug check 7f
      Fix ID: 1738584
      Symptom: Crash on Windows Vista with bug check 7f.
      Solution: On Windows Vista, enhanced Auto-Protect to better handle situations of low kernel stack memory.

      Coh32.exe has an application error with the message "The instruction at '0x044be849' referenced memory at '0x000000000'"
      Fix ID: 1744359
      Symptom: On Windows 2000, when running a process from a mapped drive, the Windows system cannot determine the mapped drive and causes a crash in COH32.
      Solution: Additional checks were added to better handle this situation.

      Symantec Endpoint Protection Email Auto-Protect does not work properly when using Secure POP3 (POP3S) port 995
      Fix ID: 1509203
      Symptom: Symantec Endpoint Protection Email Auto-Protect does not work properly when using POP3S port 995. The Symantec Endpoint Protection email proxy modifies SSL v2 Client Hello, preventing POP3S SSL mail connections in some cases.
      Solution: Fixed the email proxy to not modify SSL v2 Client Hello.


      Symantec Endpoint Protection Firewall
      This section describes the customer fixes for the firewall since the release of MR4 MP2 (11.0.4.4200).

      Firewall does not block traffic to or from Juniper SA Network Connect virtual NIC
      Fix ID: 1262087
      Symptom: Juniper SA Network Connect virtual NIC does not specify a media type, causing Teefer2 to not bind to the adapter.
      Solution: Added Juniper SA Network Connect virtual NIC media type to Teefer2.

      With NICs that use a TCP offload engine, Symantec Endpoint Protection with Network Threat Protection enabled causes networking problems, such as connection failures and performance degradation
      Fix ID: 1389258
      Symptom: Teefer2 causes packet loss with TCP/UDP checksum offload by not preserving checksum data.
      Solution: Teefer2 corrected to preserve checksum data.

      DNS resolution fails while connected via Microsoft VPN
      Fix ID: 1442277
      Symptom: Teefer2 causes packet loss with TCP/UDP checksum offload by not preserving checksum data.
      Solution: Teefer2 corrected to preserve checksum data.

      System crashes with STOP 7E during Symantec Endpoint Protection client installation
      Fix ID: 1532340
      Symptom: When Teefer2 is loaded, it accesses a list of system modules. When these system modules are changed while Teefer2 is processing them, the system crashes.
      Solution: Improved handling of the system data.

      Last Download Time shows an erroneous date
      Fix ID: 1538048
      Symptom: The "Last Download Time" that is uploaded from the Symantec Endpoint Protection client side is incorrect.
      Solution: The client's Last Download Time is properly initialized.

      Firewall rule unable to block application with use of DNS Host or DNS Domain types in Host Groups
      Fix ID: 1540750
      Symptom: When configuring the Host Group to use a DNS host name or DNS domain, the rule does not block traffic.
      Solution: Additional checks were added to identify the correct IP address to use when sending RDNS packets.

      Crash in sysplant.sys caused by stale data
      Fix ID: 1541319
      Symptom: A crash occurs when Sysplant attempts to access stale internal data.
      Solution: Fixed Sysplant to properly identify and not store stale internal data.

      Disabling the Browse files and printers on the network option through Network Threat Protection has no effect
      Fix ID: 1543964
      Symptom: When a user disables "Browse files and printers on the network" and "Share my files and printers with others on the network" under Network Threat Protection options, the user is still able to access and share folders.
      Solution: A missing default file rule was added to the policy file.

      With a dial-up adapter, firewall rules are not applied while using Internet Explorer
      Fix ID: 1544028
      Symptom: With a dial-up adapter, network traffic is tunneled through WANARP instead of the correct application, Internet Explorer.
      Solution: Fixed to identify the correct application.

      The Symantec Endpoint Protection client is unable to maintain a network connection through the 802.1x enforcement after the Cisco VPN client 3.6.6 dials up
      Fix ID: 1544442
      Symptom: With Cisco VPN clients, EAP packets are being blocked by Network Threat Protection.
      Solution: Modified Network Threat Protection to only block EAP packets when 802.1x authentication mode is set to a 3rd party supplicant.

      Sysplant prevents Cygwin compiler from building code
      Fix ID: 1556624
      Symptom: Cygwin cannot compile source code if Symantec Endpoint Protection is installed with Application and Device Control enabled.
      Solution: Resolved a conflict between the Symantec Endpoint Protection client and Cygwin.

      Clients report Denial of Service attack (IP Fragmentation overlap) when no overlap is occurring
      Fix ID: 1586674
      Symptom: When connected over a VPN, a false positive Denial of Service detection (IP fragmentation overlap) causes the Web site to be blocked for 10 minutes.
      Solution: Corrected how the last IP fragmentation packet is identified to properly calculate the packet length.

      Host integrity configuration file is corrupted on Windows Vista
      Fix ID: 1587248
      Symptom: On Windows Vista, Application and Device Control causes Host Integrity checks to fail with errors in the security log, indicating that the Host Integrity configuration file is corrupt.
      Solution: Application Device Control was corrected to allow Host Integrity checks to succeed.

      Sysplant causes CosmoCall Agent software to crash
      Fix ID: 1592206
      Symptom: With Application and Device Control installed, CosmoCall Universe 4.5 software does not launch and returns the error message "CosmoCall Universe 4.5 has encountered a problem and needs to close."
      Solution: Corrected compatibility issue with CosmoCall Universe.

      On Windows Vista, Application and Device Control is not able to log DLL injection attempts to IExplorer.exe
      Fix ID: 1653904
      Symptom: A client with an Application and Device Control policy to block DLL injections blocks successfully, but does not display a notification or add an entry to the logs.
      Solution: Both a notification and log entry are successfully created.

      System Lockdown exclusions are not honored, which causes strange characters in file path
      Fix ID: 1677455
      Symptom: System Lockdown exclusions are not honored, which causes strange characters to appear in file paths, as seen in "Unapproved Applications Only" logs.
      Solution: Changed how the file path is obtained to avoid strange characters.

      Symantec Endpoint Protection detects Jolt2 DoS attack when Altiris agent sends large amounts of ICMP packets to the Altiris server
      Fix ID: 1677459
      Symptom: Symantec Endpoint Protection detects a Jolt2 DoS attack when the Altiris agent sends large amounts of ICMP packets to the Altiris server.
      Solution: Symantec Endpoint Protection clients will not detect Jolt2 DoS attack with systems patched with the corresponding Microsoft update.

      A crash caused by sysplant.sys, bug check 1000008E occurs
      Fix ID: 1723596
      Symptom: A crash caused by sysplant.sys, bug check 1000008E occurs.
      Solution: Enhanced Sysplant to better handle exceptions.


      Symantec Endpoint Protection Manager
      This section describes the customer fixes for Symantec Endpoint Protection Manager since the release of MR4 MP2 (11.0.4.4200).

      The Symantec Endpoint Protection Manager cannot use registry key (default) as a file path in a Host Integrity check
      Fix ID: 1543123
      Symptom: The user interface does not allow the use of the registry key (default) as a file path for a Host Integrity check.
      Solution: Removed restriction that disallows the use of registry key (default).

      Policy settings never update after creating a new management server list using specific Japanese strings
      Fix ID: 1739908
      Symptom: Policy settings never update after creating a new management server list using specific Japanese strings.
      Solution: Enhanced Enforcer parser.

      Home, Monitors, and Reports pages are blank on the remote console after updating Java to version 1.6 Update 11
      Fix ID: 1473464
      Symptom: When using a remote console, some Symantec Endpoint Protection Manager pages are blank after updating to Java 1.6 update 11.
      Solution: Upgraded the version of Java Desktop Integration Components (JDIC).

      Windows 2008 is identified as Vista in scm-server logs
      Fix ID: 1503238
      Symptom: Windows 2008 is identified as Vista in server logs.
      Solution: Updated the Java version.

      Replication error - violation of PRIMARY KEY constraint 'PK_SEM_COMPUTER' occurs
      Fix ID: 1534861
      Symptom: Replication fails with the error "Violation of PRIMARY KEY constraint 'PK_SEM_COMPUTER'."
      Solution: Synchronized replication merging process, so that only one replication merging process is run at a time.

      User Account Control prompt on Windows 2008 Server or Vista when using a remote console does not reflect the status of UAC
      Fix ID: 1536901
      Symptom: When opening the remote console for Symantec Endpoint Protection Manager on Windows 2008 Server or Vista, the user is prompted to disable UAC when UAC is already disabled.
      Solution: The user prompt was changed.

      IPS Exclusions do not work for DNS host and DNS Domain used with Host Groups
      Fix ID: 1538126
      Symptom: After creating Host Groups with DNS host and DNS domain, selecting the associated Host Groups to create IPS Host Exclusions does not work.
      Solution: Defining the host by MAC address, DNS host, and DNS domain is not supported. A message was added to warn the user.

      Saved filter converts commas to "*2C"
      Fix ID: 1538175
      Symptom: In reporting saved filters, commas are converted to "*2C".
      Solution: When loading saved filters from the database, commas are no longer converted.

      Replication occurs over a proxy server if a LiveUpdate proxy is defined
      Fix ID: 1538199
      Symptom: If a LiveUpdate proxy is defined, replication is attempted over the proxy server and fails.
      Solution: Use connection-wise proxy setting instead of setting system property.

      New Software Package notification email contains multiple redundant lines
      Fix ID: 1539834
      Symptom: When a user creates notifications for new software downloads, the email contains duplicate descriptions over a period of time.
      Solution: SQL query corrected and updated email format to now include time, download description, and which server downloaded the content.

      A broken link appears in the dbvalidator.log
      Fix ID: 1543995
      Symptom: A broken link appears in the dbvalidator.log.
      Solution: Added a verification to check whether the policy is in use.

      User is prompted to change Administrator password at Reporting logon when set to never expire
      Fix ID: 1545139
      Symptom: Although the Symantec Endpoint Protection Manager Administrator's password is set as "Password never expires," the user is prompted to change the password after 60 days.
      Solution: Corrected the configuration to not request password change when set to never expire.

      Negative number appears in Detection Action Summary report
      Fix ID: 1555834
      Symptom: The Detection Action Summary report displays negative numbers due to mismatched database records.
      Solution: Corrected the data parsing to avoid mismatched database records.

      French localized Symantec Endpoint Protection Manager cannot create scheduled reports due to incorrect date format
      Fix ID: 1587237
      Symptom: On French localized Symantec Endpoint Protection Managers, scheduled reports cannot be created due to an incorrect date format.
      Solution: Specified the date format before saving the scheduled report to the database.

      Sorting by date in Client Status page generates scrambled results
      Fix ID: 1587874
      Symptom: When trying to apply a filter/sort based on "Last Update Time," dates are not sorted correctly.
      Solution: Changed the data type to date comparison sorting.

      The Symantec Endpoint Protection Manager client table Sort button stops working and does not toggle
      Fix ID: 1587920
      Symptom: The Sort button stops working randomly when attempting to sort elements on the Symantec Endpoint Protection Manager Clients tab.
      Solution: Avoid multiple mouse listeners for the same table header.

      The Search Client option allows limited administrators to run commands on computers in groups with no access rights
      Fix ID: 1589447
      Symptom: The Search Client option shows computers in groups that limited administrators do not have permissions to access.
      Solution: Only show the allowed groups to limited administrators.

      Duplicate client records in the database point to groups that no longer exist, causing communication failures
      Fix ID: 1589472
      Symptom: Duplicate client records in the database point to groups that no longer exist, causing communication failures.
      Solution: During replication, clients without a valid group ID are cleaned.

      Default size of the Symantec Endpoint Protection Manager user interface does not allow all filters to be seen or selected when adding a Scheduled Report
      Fix ID: 1592013
      Symptom: Not all filters are visible when creating Scheduled Reports.
      Solution: Added a scrollbar to the filter selection when the number of filters is greater than 7.

      System Administrator Scheduled Reports inappropriately visible across Symantec Endpoint Protection Manager Domains
      Fix ID: 1592959
      Symptom: System administrator permissions are retained for Domain administrators, which makes previously created reports accessible.
      Solution: System administrator permissions are no longer retained after logging off the Symantec Endpoint Protection Manager domain.

      Learned applications paths are incorrect
      Fix ID: 1593025
      Symptom: The use of a backslash '\' instead of a forward slash '/' in learned application paths causes firewall rules to function incorrectly.
      Solution: During profile compilation, incorrect path separation characters are corrected.

      Replication fails when the password for the Symantec Endpoint Protection Manager account used for replication contains the % character
      Fix ID: 1593159
      Symptom: Cannot authenticate with special characters in the Symantec Endpoint Protection Manager account password, causing replication failures.
      Solution: Corrected to allow authentication to succeed with the use of special characters.

      Improper end time in exported scan logs
      Fix ID: 1593319
      Symptom: The Symantec Endpoint Protection Manager console correctly displays the start and end time but the end time is incorrectly shown in exported logs.
      Solution: Avoided trimming the end date data after it is retrieved from the database.

      Symantec Endpoint Protection Manager reports show file paths with a forward slash when it should be a backslash
      Fix ID: 1595804
      Symptom: Symantec Endpoint Protection Manager reports show file paths with a forward slash when it should be a backslash.
      Solution: Corrected Symantec Endpoint Protection Manager reports to show backslashes.

      Notification batch script does not finish successfully
      Fix ID: 1595961
      Symptom: When configuring a notification to run a batch script, the script is executed but does not complete successfully.
      Solution: Allowed the server task to wait for the batch script to complete before termination.

      Data truncation errors appear in the logs
      Fix ID: 1597067
      Symptom: Data truncation errors appear and error logs are created in the antivirus log directory.
      Solution: Added more error checking to check the log session GUID for validity.

      Replication fails with "Duplication of Primary key"
      Fix ID: 1597521
      Symptom: Replication fails with "Duplication of Primary key".
      Solution: Duplicate data with the same key values are only included once.

      Scheduled reports return a list of report recipients with extra space
      Fix ID: 1597537
      Symptom: While editing the recipient list for scheduled reports, the error message "Invalid characters have been removed from the list of emails." appears even though no changes are made.
      Solution: The email recipient list is saved without additional spaces.

      "No entries" in Monitors > Logs > Computer status on embedded replication partner (with SQL)
      Fix ID: 1597713
      Symptom: No date is shown for Computer status logs when related data is available in the database.
      Solution: When the date is unavailable from the client, the server timestamp is used as the client's last check-in time.

      Unmanaged Detector does not acknowledge excluded computers and IP phones
      Fix ID: 1600943
      Symptom: IP address ranges that should be excluded appear in the results of unmanaged computers notifications.
      Solution: Corrected data retrieval from the database to filter excluded IP ranges.

      Host compliance log details are truncated when a Host Integrity policy has a large number of requirements
      Fix ID: 1601779
      Symptom: With a SQL database, host compliance log details are truncated when a Host Integrity policy has a large number of requirements.
      Solution: Host compliance log details are no longer truncated.

      A Limited Administrator account is able to create packages, upgrade groups, and view reports for groups that have been blocked
      Fix ID: 1631487
      Symptom: A Limited Administrator account is able to create packages, upgrade groups, and view reports for groups that have been blocked.
      Solution: Fixed various user interfaces in the console to limit administrator access.

      64-bit Windows XP in exported Computer Status Export logs is incorrect
      Fix ID: 1633311
      Symptom: In the Computer Status Log, Symantec Endpoint Protection clients running 64-bit Windows XP show as "Other".
      Solution: Added Windows XP Professional x64 Edition in the logs.

      The raw data dump from the External Logging options does not contain column header identifiers
      Fix ID: 1633619
      Symptom: The raw data dump from the External Logging options does not contain column header identifiers.
      Solution: Added header information on all logs created by the External Logging feature.

      Clients are not deleted from historical data and skew reports
      Fix ID: 1639520
      Symptom: Legacy clients and servers no longer on the network still show in the Security Status report with out-of-date definitions.
      Solution: Added additional checks for legacy clients and servers with improper status updates.

      LiveUpdate errors are listed as warnings instead of errors
      Fix ID: 1652423
      Symptom: In the Symantec Endpoint Protection Manager logs, LiveUpdate errors are listed as warnings instead of errors.
      Solution: Changed LiveUpdate errors from Warning to Error.

      Single client does not receive the commands sent from Symantec Endpoint Protection Manager
      Fix ID: 1654964
      Symptom: In the Symantec Endpoint Protection Manager, a command issued to a single client with a hardware key starting with 00 is not run by the client.
      Solution: A hardware key starting with 00 is no longer identified as an unavailable client.

      Behavior of outbreak notifications is inconsistent
      Fix ID: 1656397
      Symptom: Overlapping single risk and outbreak conditions do not trigger outbreak notifications when expected.
      Solution: Algorithm changed to better detect overlapping risks or outbreaks.

      With Simplified Chinese, garbage characters appear in attack logs
      Fix ID: 1664719
      Symptom: With Simplified Chinese, garbage characters appear in Symantec Endpoint Protection Manager Network Threat Protection logs.
      Solution: Added UTF-8 encoding for SQL Server 2000.

      Changes to the maximum number of clients displayed per page in the default view are not preserved in other views
      Fix ID: 1665823
      Symptom: Changes to the maximum number of clients displayed per page in the default view are not preserved in other views.
      Solution: Synchronize the settings when saving display filters for each view.

      Duplicate Centralized Exceptions policies appear when adding exceptions via risk logs
      Fix ID: 1669897
      Symptom: Duplicate Centralized Exceptions policies appear when adding exceptions via risk logs.
      Solution: To avoid duplicates, only the shared Centralized Exception policies are displayed.

      Event times are shown as "1970/01/01 08:00:00" [TimeZone:+8] in notification email
      Fix ID: 1672629
      Symptom: Email alerts for event notifications show as "1970/01/01..." even though the Symantec Endpoint Protection Manager console shows the correct event time.
      Solution: Corrected the date and time format conversion for email notifications.

      The Symantec Endpoint Protection Manager quits when displaying a large log of unapproved applications
      Fix ID: 1673860
      Symptom: The Symantec Endpoint Protection Manager quits due to a Java heap space error when viewing Unapproved Applications Only logs that exceed 290K records on the System lockdown page.
      Solution: Unapproved Applications Only logs are limited to displaying the last 20,000 records. Users can still view all the logs from the Application and Device Control Logs report.

      Symantec Endpoint Protection Manager client status "Last Check-in" date/time is calculated inconsistently
      Fix ID: 1673951
      Symptom: In the Symantec Endpoint Protection Manager, client "Last Check-in" date/time shows as Symantec Endpoint Protection Manager date/time until the client checks in as part of the regular heartbeat.
      Solution: When the date is unavailable from the client, the server timestamp is used as the client's last check-in time.

      Client status is displayed incorrectly in the Symantec Endpoint Protection Manager console
      Fix ID: 1677244
      Symptom: Client status is displayed incorrectly on the Home page Status Summary, but correctly on the Clients tab.
      Solution: Corrected the query to retrieve client status from the database.

      Moving users between OUs within Active Directory is not correctly reflected on the Symantec Endpoint Protection Manager interface
      Fix ID: 1678457
      Symptom: Users created with display names greater than 64 characters are truncated, causing updates to fail.
      Solution: Limit the display name to 64 characters.

      The Symantec Endpoint Protection Manager no longer accepts RISK logs from legacy Symantec AntiVirus servers after migration
      Fix ID: 1679706
      Symptom: The Symantec Endpoint Protection Manager no longer accepts RISK logs from legacy Symantec AntiVirus servers after migrating to Symantec Endpoint Protection Manager 11.0 MR4 MP2.
      Solution: Fixed agent log collection.

      The number of clients in an email notification and the corresponding report do not match
      Fix ID: 1701459
      Symptom: The number of clients in an email notification and the corresponding report do not match.
      Solution: Synchronized email notification and the corresponding report.

      Long policy description entries cause events to be dropped
      Fix ID: 1710139
      Symptom: Long policy description entries cause events to be dropped.
      Solution: Set a limit of 256 characters for policy description field.

      The Symantec Endpoint Protection Manager is slow to apply policy changes after importing 10,000 OUs
      Fix ID: 1714092
      Symptom: The Symantec Endpoint Protection Manager experiences sluggish performance when importing large numbers of OUs.
      Solution: Enhanced the performance of Active Directory synchronization.

      Initial replication fails with the notification "The transaction log for database 'sem5' is full"
      Fix ID: 1714303
      Symptom: Initial replication fails with the notification "The transaction log for database 'sem5' is full".
      Solution: Increased the max database transaction log size based on the company size selected during the Symantec Endpoint Protection Manager Installation Wizard.

      Bad CurrentSequenceNum registry value contributing to .dat.err file build up on MR4 MP2 Symantec Endpoint Protection Manager
      Fix ID: 1716657
      Symptom: Truncation errors cause the accumulation of .dat.err files in the agentinfo folder.
      Solution: Fixed the truncation errors.

      Virus alert emails do not contain the file and file path that was infected
      Fix ID: 1719962
      Symptom: Virus alert emails do not contain the file and file path that was infected.
      Solution: Added information about the file and file path to virus alerts email.

      The string "\r\n" in the description field on the client properties in Symantec Endpoint Protection Manager causes data truncation error when replicating
      Fix ID: 1720809
      Symptom: The string "\r\n" in the description field on the client properties in the Symantec Endpoint Protection Manager causes data truncation error when replicating.
      Solution: Multi-line descriptions are completely read by the Symantec Endpoint Protection Manager.

      Duplicate clients in the Symantec Endpoint Protection Manager
      Fix ID: 1722503
      Symptom: After importing Active Directory OUs, duplicate clients appear in the Symantec Endpoint Protection Manager.
      Solution: Deleted duplicate clients during replication.

      Symantec Endpoint Protection Manager "Single Risk" notifications do not send email for Proactive Threat Protection risk detection of BloodHound.SONAR.1
      Fix ID: 1723779
      Symptom: Symantec Endpoint Protection Manager "Single Risk" notifications do not send email for Proactive Threat Protection risk detection of BloodHound.SONAR.1.
      Solution: If you use non-defaults in an Antivirus and Antispyware Policy for TruScan Proactive Threat Scans (that is, not Log-Only), a potential risk is considered as a Security Risk in order to trigger the single risk notification.

      SystemBiosVersion registry value results in a Symantec Endpoint Protection Manager error "An invalid XML character"
      Fix ID: 1725075
      Symptom: An invalid XML character in the SystemBiosVersion registry value causes the client to fail to register with Symantec Endpoint Protection Manager.
      Solution: Invalid characters are removed.

      When the maximum number of clients displayed per page is set to over 1,000, only 1,000 clients are displayed
      Fix ID: 1732819
      Symptom: When the maximum number of clients displayed per page is set to over 1,000, only 1,000 clients are displayed.
      Solution: Limited the maximum number of clients to display to 1000 clients.

      Client search by IP address only returns the first IP address even though the computer has more than one
      Fix ID: 1733240
      Symptom: Client search by IP address only returns the first IP address even though the computer has more than one.
      Solution: Changed to allow multiple IP address client searches.

      "Unable to communicate with Reporting component" when you log onto the Symantec Endpoint Protection Manager remote console under certain conditions
      Fix ID: 1740140
      Symptom: With two Symantec Endpoint Protection Manager consoles set up to use different IIS ports, remote console login does not work on the second Symantec Endpoint Protection Manager and returns the error "Unable to communicate with Reporting component".
      Solution: During remote logon, the corresponding IP address and IIS port are correctly obtained.

      Symantec Endpoint Protection Manager Home Page "Security Status - Attention Needed" lists old data in details
      Fix ID: 1745613
      Symptom: Symantec Endpoint Protection Manager Home Page "Security Status - Attention Needed" lists old data in details.
      Solution: The algorithm to create the hardware key was changed such that the hardware key should not change with minor hardware changes, such as disabling of NICs.

      Symantec Endpoint Protection Manager Active Directory sync at root OU produces duplicate clients. AD sync at sub OUs produces no duplication
      Fix ID: 1745722
      Symptom: Symantec Endpoint Protection Manager Active Directory synchronization at root OU produces duplicate clients caused by a carriage return in the computer description.
      Solution: Removed unnecessary carriage return from computer description.

      Java -1 errors when installing Symantec Endpoint Protection Manager to remote database using Windows Authentication
      Fix ID: 1764453
      Symptom: After Symantec Endpoint Protection Manager installation using Windows Authentication, the Semsrv process does not stay started, causing console login to fail with Java -1 error.
      Solution: Removed database instance name from domain name, so that the IIS anonymous account can be configured properly.


      Symantec Network Access Control
      This section describes the customer fixes for Symantec Network Access Control since the release of MR4 MP2 (11.0.4.4200).

      Client peer to peer authentication blocks other clients' access to its share folder
      Fix ID: 1483035
      Symptom: Configuring the peer's address was not using the correct IP address.
      Solution: Corrected to use the client's IP address.

      SNAC.EXE and Services.exe take up to 40% of CPU
      Fix ID: 1519912
      Symptom: After boot up, SNAC.exe and Services.exe are consuming up to 40% of the CPU.
      Solution: Corrected NAP service monitoring.

      IP is not released when On-Demand client is exited
      Fix ID: 1557687
      Symptom: After the On-Demand client is exited, the client does not release the production IP.
      Solution: Before exiting, the client sends a notification to all plug-ins.

      User is unable to connect to the network via VPN when using the Gateway Enforcer On-Demand plug-in
      Fix ID: 1638565
      Symptom: User is unable to connect to the network with Jiangnan VPN via the Gateway Enforcer.
      Solution: Added support for Jiangnan VPN.

      Client has delayed access to network resources during the boot up sequence
      Fix ID: 1640120
      Symptom: A client has a quarantine IP address for about 1 minute even if Host Integrity check passes.
      Solution: Use WGX to receive and send heartbeat to Gateway and DHCP Enforcer when Windows networking system is not ready.

      DHCP Appliance does not supply secure mask 255.255.255.255
      Fix ID: 1586761
      Symptom: The Enforcer Appliance does not replace the subnet mask given out by the Microsoft DHCP server with a 32-bit mask.
      Solution: Added a CLI command to enable secure.netmask in DHCP Enforcer.

      Users taking considerable amount of time to switch from Quarantine to Production scope
      Fix ID: 1587480
      Symptom: After being placed into the Quarantine DHCP scope, users are taking a considerable amount of time to be correctly switched into the Production scope.
      Solution: DHCP status is updated when authentication status changes.

      The Gateway Enforcer continuously switches between standby and active
      Fix ID: 1592129
      Symptom: The Gateway Enforcer continuously switches between standby and active due to failed ARP loop detection.
      Solution: Enhanced ARP loop detection on the Gateway Enforcer.

      The Enforcer loses trunking function after self reboot
      Fix ID: 1600101
      Symptom: The Enforcer loses the trunking function after a self reboot.
      Solution: Trunking status is set to enable when failopen is enabled after a reboot.

      Running the Symantec Network Access Control On-Demand Client and Checkpoint VPN causes a blue screen
      Fix ID: 1708592
      Symptom: Running the Symantec Network Access Control On-Demand Client and Checkpoint VPN causes a blue screen.
      Solution: Fixed compatibility issue with CheckPoint VPN.

      Guest Access does not work when using MAB & Transparent mode
      Fix ID: 1511304
      Symptom: When in transparent mode with MAB enabled, guests are not allowed on the production network.
      Solution: Detect if the RADIUS server is valid. If the RADIUS server is invalid, Enforcer responds to the switch's MAB request.

      RADIUS server rejects the user before PEAP authentication
      Fix ID: 1630710
      Symptom: RADIUS server rejects the user before PEAP authentication.
      Solution: LAN Enforcer continues to PEAP authentication to mimic a RADIUS server.

      LAN Enforcer does not communicate with Great Bay scanning device correctly
      Fix ID: 1740074
      Symptom: After deleting client MAC addresses from the Great Bay device, the client cannot authenticate using MAB (Dot1x).
      Solution: Detect if the RADIUS server is valid. If the RADIUS server is invalid, Enforcer responds to the switch's MAB request.

      Unable to connect to wireless, no Symantec Network Access Control, over PEAP authentication
      Fix ID: 1788308
      Symptom: With Symantec Network Access Control in transparent mode over PEAP authentication, a client is unable to connect to wireless.
      Solution: Fixed to not handle PEAP packets when Symantec Network Access Control is set to transparent mode.



    Maintenance Release 4 Maintenance Pack 2 (MR4 MP2)
    This section describes the new features and fixes included in Maintenance Release 4 Maintenance Patch 2 (MR4 MP2) of Symantec Endpoint Protection 11.0 (also known as version 11.0.4202). This maintenance pack cannot be installed over any versions of Symantec Endpoint Protection or Symantec Endpoint Protection Manager prior to MR4. It must be installed over Maintenance Release 4 (MR4), (MR4-MP1), or (MR4-MP1a).


    What's in this release
    This maintenance patch resolves in-field reported issues within the Symantec Endpoint Protection client and Symantec Endpoint Protection Manager. These release notes also list updated and new Readme items for this release.

    Note: The latest available release of Symantec Network Access Control is MR4 MP1. There have been no customer fixes since the release of Symantec Network Access Control MR4 MP1.


    Component                          Version
    Symantec Endpoint Protection       11.0.4202
    Symantec Network Access Control    11.0.4010
    AutoProtect                        10.2.10.2
    Avengine                           20081.2
    Behavior Blocking                  3.3.7.15
    ccEraser                           2007.0.1.6
    COH                                6.1.8.8
    Common Client                      6.3.8.004
    DecABI                             1.1.1.39
    Defutils                           4.1.0.19
    ECOM                               61.3.0.17
    VxMS (MS Light)                    5.2.0
    LiveUpdate                         3.3.0.85
    LiveUpdateAdmin                    2.2.1.13
    Microdefs                          2.5.37.0
    QServer                            3.6.16
    WpsHelper                          11.0.717.804
    SyKnAppS                           2.5.12
    SymEvent                           12.5.3.2
    SymNetDrv                          7.2.3.302
    Teefer2                            11.0.697



    Product Fixes by category

    Symantec Endpoint Protection: Antivirus/Antispyware
    RTVScan.EXE terminates unexpectedly when initiating a scheduled scan
    Fix ID: 1523740
    Symptom: RTVScan.exe terminates unexpectedly when initiating a scheduled scan.
    Solution: A common client component, MSL, was updated to prevent the crash.

    Quarantine scan causes Auto-Protect detections in %temp% folder
    Fix ID: 1525749
    Symptom: DWHWizard.exe starts the quarantine scan and moves quarantined files into the %temp% folder for scanning. Auto-Protect will occasionally detect these infected files.
    Solution: After extracting and re-scanning each quarantine item, the TMP file is deleted unless the state is now REPAIRABLE. Repairable files are used later, either to restore to the original location or to save back to Quarantine (REPAIR_ONLY mode). These files should be clean, so Auto-Protect should not detect anything in them.

    Intermittent Outlook crashes
    Fix ID: 1511242
    Symptom: Outlook exits unexpectedly when using "Previous Item" or "Next Item" option.
    Solution: The Outlook plug-in was changed to keep track of the most recent ExchangeCallback Pointer correctly.

    Sysfer crashes Adobe Elements
    Fix ID: 1522283
    Symptom: Sysfer crashes Adobe Elements when using context to convert .doc(x) files to PDF format.
    Solution: Changed a function to read a string-type parameter correctly so that the memory address is properly accessed.

    Windows 2008 x64 share connectivity problems
    Fix ID: 1442447
    Symptom: After a period of time (hours to a day or so) file shares become unresponsive on Windows 2008 x64.
    Solution: Auto-Protect update.

    TempProfile_Nlnhook is created for each user that logs into a multi-user Lotus Notes installation
    Fix ID: 1519913
    Symptom: A directory named "TempProfile_Nlnhook" is created in customer's Citrix Presentation Server environment under the user profile folder (%USERPROFILE%).
    Solution: Changed to use the CAccessToken class to get the currently logged in user name from the access token, and to send it to LoadUserProfile() instead of the temporary directory name.

    CleanWipe fails to properly remove Symantec AntiVirus 10.2 from a 64-bit operating system
    Fix ID: 1532299
    Symptom: Symantec AntiVirus still appears in Add/Remove Programs, the CleanWipe log will show various deletion errors, and key folders and files are left behind after using CleanWipe to remove Symantec AntiVirus 10.2.
    Solution: A different API is used to detect that Symantec AntiVirus 10.2 is installed on a 64-bit operating system.

    Proactive Threat Protection displays the status "Waiting for Update" after a client migration
    Fix ID: 1456698
    Symptom: Proactive Threat Protection displays the status "Waiting for Update" after a client migration.
    Solution: After migration, Proactive Threat Protection should be "on" and should display the latest version.

    Antivirus performance is slow when scanning the procmail.log
    Fix ID: 1415668
    Symptom: It may take a few minutes to scan the procmail.log file. Rtvscan.exe CPU usage increases up to 99%.
    Solution: Decomposer engine update.

    The Symantec Endpoint Protection installation fails with a "Return value 2" when CP_USASCII is disabled
    Fix ID: 1499625
    Symptom: The Symantec Endpoint Protection installation fails.
    Solution: Symantec Endpoint Protection now uses CP_ACP instead of CP_USASCII when the installation path is validated during installation.

    CLT_INST temp folder is left behind whenever a remote install is done (through wizard or Find Unmanaged)
    Fix ID: 1527791
    Symptom: A CLT_INST folder is left behind after installation.
    Solution: VPREMOTE now marks the CLT_INST folder for deletion upon next reboot.

    During migration from Symantec AntiVirus 10 MR 7 to Symantec Endpoint Protection 11 MR4 the installation removes all log-files from C:\Temp\Logs
    Fix ID: 1509069
    Symptom: Upon completion of the installation, the log files are moved to %ALLUSERSPROFILE%\Symantec\Symantec Endpoint Protection\Logs.
    Solution: Updated the installer to use a unique temporary folder to store the Symantec logs.

    SMCGUI.exe causes users to lose windows focus
    Fix ID: 1460045
    Symptom: SMCGUI.exe often stops and starts, causing a user to lose window focus.
    Solution: When loading a profile, a return value is checked to see if it is NULL upon calling a specific function.

    High paged pool memory usage for Auto-Protect
    Fix ID: 1511152
    Symptom: Pool monitor shows high memory usage for SavE and SaEe pooltags.
    Solution: AV engine update.

    Stand-alone Quarantine Console installation cannot connect to any remote Quarantine Server
    Fix ID: 1506385
    Symptom: Trying to connect to selected server fails with the following error message: Cannot connect to server <SERVER NAME>.
    Solution: The installer was changed to make the installation directory available to post-install script functions.

    A Defwatch scan does not run on Microsoft Windows Vista if no user is logged on to the computer
    Fix ID: 1508276
    Symptom: The Defwatch scan does not run on Microsoft Windows Vista unless a user is logged on.
    Solution: If no user is logged on, an elevated access token is used to run the Defwatch scan.

    Windows Security displays the warning "MALWARE PROTECTION out of date" after a user manually runs an Active Scan or a Complete Scan
    Fix ID: 1486799
    Symptom: Windows Security displays the warning "MALWARE PROTECTION out of date" after a user manually runs an Active Scan or a Complete Scan.
    Solution: Symantec Endpoint Protection was modified to allow the product to query the Windows Security Center information correctly.

    Users with local administrator privilege can bypass the Symantec Endpoint Protection uninstall password
    Fix ID: 1515363
    Symptom: A user is able to bypass the uninstall password by using an undisclosed procedure.
    Solution: The MSI file was updated to prevent administrators from bypassing the uninstall password.

    While running CleanWipe (RunCleanWipe.bat) with the -silent switch, a dialog box prevents uninstallation from completing
    Fix ID: 1588132
    Symptom: A modal dialog box appears indicating the Symantec AntiVirus has been uninstalled, and prevents the uninstallation from completing.
    Solution: Modified the MSIUnst.bat file to change a command line switch to MsiExec that removed the modal dialog.

    Auto-resume of content-package does not resume across reboots or restart of SMC.exe
    Fix ID: 1557479
    Symptom: Content package download does not resume after either the computer or SMC.exe is restarted.
    Solution: Preserve the partially downloaded files and use the HTTP range header information to download the remaining bytes from Symantec Endpoint Protection Manager.

    Clients cannot download content from Group Update Provider (GUP)
    Fix ID: 1588869
    Symptom: Clients attempt to connect to the GUP to download content, but the clients are rejected. The sylink.log shows "<GetLUFileRequest:>Send Request failed. Error code = 12152". The GUP allows for only 100 cached entries, and if that number is exceeded, the GUP fails and does not accept any new connections.
    Solution: Updated the GUP caching functionality to use the administrator's configurations for file count or size.

    During installation of LiveUpdate, lucheck.exe returns an invalid error code
    Fix ID: 1545886
    Symptom: Installing Symantec Endpoint Protection fails as a result of an lucheck.exe error.
    Solution: LiveUpdate component change.

    System performance decreases when virus definitions are downloaded
    Fix ID: 1488785
    Symptom: When Symantec Endpoint Protection downloads and applies virus definitions, the system performance for other applications can become sluggish due to excessive disk I/O. Performance returns to normal after the virus definition upgrade is complete.
    Solution: Several components were updated to significantly improve disk I/O during virus definition download and processing.


    Symantec Endpoint Protection: Firewall

    When a scheduled scan starts, SMC.exe intermittently crashes
    Fix ID: 1472880
    Symptom: SMC.exe crashes when a scheduled scan starts.
    Solution: Additional checks were built into SMC to avoid crashes.

    Unable to daisy chain Remote Desktop Protocol (RDP) sessions with sysplant enabled
    Fix ID: 1499711
    Symptom: When creating a second RDP session from within an existing RDP session, the second RDP session hangs.
    Solution: Subsequent RDP sessions are now established normally.

    Ping response times increase in releases since Symantec Endpoint Protection 11 MR3
    Fix ID: 1510782
    Symptom: The ping response time increased.
    Solution: The process ID of incoming ICMP packets was not set correctly. The process ID has been modified.

    DNS suffix-based location switching does not detect the "disconnected" status of the network card
    Fix ID: 1486618
    Symptom: DNS suffix-based location switching does not detect the "disconnected" status of the network card when a user joins a domain.
    Solution: DNS suffix-based location switching now detects the "disconnected" status of the network card correctly.

    After enabling a "Block USB" write policy, files located on network shared folders take longer to open and save
    Fix ID: 1475460
    Symptom: Access to files located on network shared folders is slow.
    Solution: The Application and Device Control cache was increased to improve performance.

    A third party management folder "Inbox" is created in the wrong location
    Fix ID: 1514511
    Symptom: The third party management folder "Inbox" is created in the default location when Threat Protection is enabled and custom user shell folders are used.
    Solution: SMC.exe was changed to use "SHGetFolderPath", which allows the Inbox to be created in a custom folder rather than the default.

    SMC.exe CPU spikes when no user is logged in on virtual machines
    Fix ID: 1517849
    Symptom: SMC.exe CPU processing time is greater than 10%.
    Solution: SMC.exe was incorrectly querying a process list twice. The extra call was removed and the existing call modified to increase performance.

    Symantec Endpoint Protection does not switch locations when using Dial-Up or PPP/SLIP interface
    Fix ID: 1530050
    Symptom: You configure Symantec Endpoint Protection to switch locations when dial-up or PPP/SLIP interfaces are used. When the client switches interfaces, it does not automatically change locations as expected.
    Solution: Changed to properly detect dial-up, PPP, SLIP, and PPPoE network connections.

    Inconsistent behavior with NTP "Microsoft Windows Networking" settings
    Fix ID: 1509179
    Symptom: Settings are not handled correctly in the Symantec Endpoint Protection GUI when a computer contains more than one network adapter.
    Solution: Modified the user interface to display the settings correctly.


    Symantec Endpoint Protection Manager
    Scheduled reports run with different parameters than the ones that were originally set
    Fix ID: 1505248
    Symptom: Scheduled Reports for Top Risk Detections Correlation always use the default Group/RiskName filters (X-Y axis), even though a different parameter is used.
    Solution: Modified the PHP file to retrieve the filter to be used from the database.

    "Enable LiveUpdate Scheduling" should not work after unselecting "use a LiveUpdate server"
    Fix ID: 1595629
    Symptom: "Enable LiveUpdate Scheduling" still works after unselecting "use a LiveUpdate server".
    Solution: LiveUpdate scheduling is disabled when LiveUpdate is not used and LiveUpdate UI options are disabled unless a user is allowed to configure the LiveUpdate schedule.

    Group names text in the group tree is truncated when exporting packages or assigning limited administrator rights
    Fix ID: 1528898
    Symptom: Only part of the client-group name is visible.
    Solution: The label width of the tree renderer was extended to accommodate the need for additional space.

    An exported Computer Status report does not provide IPS definition information
    Fix ID: 1508289
    Symptom: The information for the IPS definitions is missing from an exported Computer Status report.
    Solution: A new column called "IPS Version" was added to the exported Computer Status report.

    When using Windows Authentication for Microsoft SQL, no special characters are allowed in the password
    Fix ID: 1503301
    Symptom: A user cannot input special characters in the password field.
    Solution: Passwords containing special characters are now allowed, including additional support for Windows Authentication mechanisms and improvements that affect IIS and the IIS configuration wizard to allow special handling of characters.

    NTP logs exported as CSV files from Symantec Endpoint Protection Manager cannot be processed correctly due to double quotes within the text field
    Fix ID: 1510799
    Symptom: The column order and the values are incorrect after exporting the data to CSV format.
    Solution: Quotes were changed to double quotes for the column description.

    Deleting old packages generates errors in the Symantec Endpoint Protection Manager during manual LiveUpdate
    Fix ID: 1515458
    Symptom: Removed packages fail to update.
    Solution: Filter out the suspended packages when initializing SesmContentCatalog.

    "Query Failed" appears in the Action Summary by Detection Count window on the Home Page of Symantec Endpoint Protection Manager when logging in with a Limited Administrator account
    Fix ID: 1538866
    Symptom: The Action Summary by Detection Count window on the Home Page shows "Query Failed."
    Solution: A query was changed to prevent the failure from occurring.

    Slow processing of DAT files in the Inbox\Agentinfo folder on the Manager
    Fix ID: 1513330
    Symptom: Large numbers of files in the Inbox\Agentinfo folder. The number of files continually increases.
    Solution: Updates to Avman and Agentinfo processing along with SQL batching of statements, and configurable multi-threading to the Agentinfo processing.

    Client does not report the correct IP address when a NIC is assigned more than one IP address
    Fix ID: 1511355
    Symptom: Client properties may reveal an IP address of "0.0.0.0".
    Solution: Symantec Endpoint Protection Manager displays the IP address that the client uses to connect to Symantec Endpoint Protection Manager.

    Symantec Endpoint Protection comprehensive risk report shows incorrect month
    Fix ID: 1512110
    Symptom: Comprehensive risk reports show threats as occurring in the wrong month when a report of more than one month is run.
    Solution: SQL script update.

    Symantec Endpoint Protection Manager replication fails with ASA error 193: "Primary Key for Table 'COMMAND' is not unique" when using an embedded database
    Fix ID: 1533903
    Symptom: Replication fails when the HARDWARE key is NULL.
    Solution: Made changes to the query that finds the data.

    Large number of BCP queries during DAT-file processing causes high CPU usage on SQL Server
    Fix ID: 1533966
    Symptom: SQL Server will show high CPU usage in conjunction with a Symantec Endpoint Protection Manager database.
    Solution: The code was modified to address database deadlock issues.

    Symantec Endpoint Protection Manager displays error "Object cannot be found [0x16010000]" when going to Policies > Policy Components > Host Groups
    Fix ID: 1533012
    Symptom: You are unable to edit a Firewall/IDS policy.
    Solution: Update the USN for references when updating objects that contain references.

    Unable to edit policies, and an incorrect location use count for policies is displayed
    Fix ID: 1532253
    Symptom: The location use count shows 0.
    Solution: The location use count should no longer display 0 unless it is truly not applied to any groups.

    Symantec Endpoint Protection 11 MR4 does not provide an option to deploy to clients using a URL
    Fix ID: 1516419
    Symptom: The URL option is disabled.
    Solution: The URL option was enabled to support the handling of a single executable file.

    Client can't get the correct setup file after resetting the 3rd party URL to a correct location
    Fix ID: 1520249
    Symptom: If a third party download URL is set to an incorrect setup file, after it fails to apply and a new URL that points to a correct file is set, the client continues to download from the original, incorrect URL. This persists until the client restarts.
    Solution: Sylink update to import a new URL after a failed download.

    Symantec Endpoint Protection Manager does not update content for clients after upgrading from MR4 to MR4 MP1
    Fix ID: 1539713
    Symptom: Content on clients is not updated after upgrading from MR4 to MR4 MP1.
    Solution: When moniker and sequence number are not synchronized between Inetpub, symcdata and registry, SesmLU needs the full folder and if necessary SesmLU will create this folder by extracting the related full.zip file.

    Replication fails with a reference to "Violation of PRIMARY KEY constraint 'PK_SEM_CONTENT'"
    Fix ID: 1534131
    Symptom: Symantec Endpoint Protection Manager may log a PRIMARY KEY violation during replication.
    Solution: Symantec Endpoint Protection Manager replication was modified to prevent this error from occurring.

    Configuration wizard does not allow user to specify domain name
    Fix ID: 1522005
    Symptom: User cannot type "\" in the user name when using Windows Authentication.
    Solution: Allow domain extraction from the text box and make PHP use real Windows Authentication mechanisms.

    Symantec Endpoint Protection Manager console experiences performance issues when PackageTask is running
    Fix ID: 1532312
    Symptom: PackageTask memory usage is high.
    Solution: Optimized memory usage by the PackageTask process.

    Microsoft Excel is unable to parse an exported Computer Status report correctly due to a comma in the Service Pack column
    Fix ID: 1507303
    Symptom: After introducing one or more computers that contain a comma in the Service Pack field, the data in the exported Computer Status report shifts to the right.
    Solution: The value was enclosed with double-quotes for service packs that contain a comma.

    When an Active Directory Sync mode-enabled Symantec Endpoint Protection Manager has clients in user mode, the Symantec Endpoint Protection Manager GUI shows duplicate client entries
    Fix ID: 1514585
    Symptom: The Symantec Endpoint Protection Manager GUI displays duplicate client entries with the same user and computer names.
    Solution: Symantec Endpoint Protection Manager now displays the actual user name which registered and the last online user for the client instead of the current user for the agent.

    SESMLU connectivity to Tomcat can time out while a lock in the database is held, causing automatic notification of content availability to fail
    Fix ID: 1510207
    Symptom: Certain content may not be updated automatically but can be updated manually.
    Solution: The default receive time-out value was increased (defaults to 30 minutes) and is now configurable through the registry: HKEY_LOCAL_MACHINE\Software\Symantec\Symantec_Endpoint_Protection\SEPM\LUReceiveTimeout (DWORD), which is the time in seconds that the timeout is set to. This value is set to 1800 seconds by default, and the minimum value that it will accept is 600 seconds. If a value lower than the minimum is set, the minimum value is used.

    The virus definition distribution reports in a replicated environment show the same report for each server
    Fix ID: 1523677
    Symptom: The same virus definition distribution report will show for all servers.
    Solution: The virus definition distribution report now shows the correct information per server.

    Replication fails with remote sites after migrating to MR4 MP1 with string index out of range
    Fix ID: 1587973
    Symptom: StringIndexOutOfBoundsException happens during replication.
    Solution: Turned off escapes in embedded database's BCP command.


    Symantec Network Access Control
    There have been no customer fixes since the release of Symantec Network Access Control MR4 MP1.


    Readme items

    "Error 1327. Invalid Drive" when installing Symantec Antivirus 10.2 after pointing "Documents" folder to a mapped drive
    Fix ID: 1589016
    Symptom: "Error 1327. Invalid Drive" error is displayed during the installation of Symantec AntiVirus 10.2 for Windows Vista.
    Solution: For full details see readme_sep.txt section titled "Installing to a reassigned Documents folder displays Invalid Drive error message".

    Temporary Files should not be opened during automatic scan after updating virus definitions
    Fix ID: 1525749
    Symptom: An auto-protect detection is triggered upon opening a temporary file (DWH****.tmp) that was created by an automatic scan after updating virus definitions.
    Solution: For full details see readme_sep.txt section titled "Temporary Files should not be opened during automatic scan".

    Hardware change may create duplicate clients in Default group
    Fix ID: 1528038
    Symptom: Making hardware changes to a client computer that is in a group synchronized with Active Directory might cause the client to be duplicated and registered to the Default group.
    Solution: For full details see readme_sep.txt section titled "Hardware changes might create duplicate clients in the Default group".

    Auto-location's NIC description condition is not available for dial-up connections
    Fix ID: 1544958
    Symptom: The auto-location NIC description is not available for dial-up connections.
    Solution: For full details see readme_sep.txt section titled "Auto-location's NIC description is not available for dial-up connections".

    IPv6 and Network Protection affects performance on Windows Vista virtual machines
    Fix ID: 1545253
    Symptom: On virtual machines running Windows Vista, copying large files to network shares might take longer when Symantec Endpoint Protection NTP (Network Protection) is enabled.
    Solution: For full details see readme_sep.txt section titled "IPv6 and Network Protection affects performance on Windows VISTA virtual machines".



    Maintenance Release 4 Maintenance Pack 1a (MR4 MP1a)
    Symantec Endpoint Protection MR4 MP1a provides a fix for a specific problem that occurred in MR4 (11.0.4). This maintenance pack cannot be installed over any versions of Symantec Endpoint Protection or Symantec Endpoint Protection Manager prior to MR4. It must be installed over MR4 or MR4 MP1.

    Components updated in this release
    Component                          Version
    Symantec Endpoint Protection       11.0.4014

    Fixes in this release
    Symantec Endpoint Protection: Firewall
    After installing MR4 MP1, when a networked application is run, all connections to the client computer are dropped.
    Fix ID: 1530477
    Symptom: Client loses network connectivity when Network Threat Protection is installed and an application is launched from a UNC path.
    Solution: API calls from the thread which were causing firewall deadlocks have been fixed.


    Maintenance Release 4 Maintenance Pack 1 (MR4 MP1)
    Symantec Endpoint Protection MR4 MP1 (11.0.4010) and Symantec Network Access Control MR4 MP1 (11.0.4010) provide customer fixes since the release of MR4 (11.0.4). This maintenance pack cannot be installed over any versions of Symantec Endpoint Protection or Symantec Endpoint Protection Manager prior to MR4. It must be installed over Maintenance Release 4.

    What's in this release
    This Maintenance Pack resolves in-field reported issues within Symantec Endpoint Protection client, Symantec Network Access Control client, and Symantec Endpoint Protection Manager. These release notes also list updated and new Readme items for this release.

    Components in this release

    Component                          Version
    Symantec Endpoint Protection       11.0.4010
    Symantec Network Access Control    11.0.4010
    AutoProtect                        10.2.8
    LiveUpdate                         3.3.78
    ccEraser                           108.2.2.8
    Avengine                           20081.2
    SyKnAppS                           2.5.12
    SymEvent                           12.5.3.2
    DecABI                             1.1.1.39
    ECOM                               61.3.0.17
    Defutils                           3.3.20.0
    LiveUpdateAdmin                    2.2.1.13
    Microdefs                          2.5.37.0
    SymNetDrv                          7.2.3.302
    Common Client                      6.3.8.004
    Behavior Blocking                  3.3.7.15
    COH                                6.1.8.8
    QServer                            3.6.16
    Teefer2                            11.0.697
    WpsHelper                          11.0.717.804
    VxMS                               5.2.0


    Product fixes by category:

    Symantec Endpoint Protection: Antivirus/Antispyware

    After restart, communication between the client and Symantec Endpoint Protection Manager is not established.
    Fix ID: 1443855
    Symptom: Communication is not established immediately, or drops intermittently after restart.
    Solution: Registration information and the last known connected server are now saved in the registry on client shutdown.

    Large PowerPoint files open slowly with Symantec Endpoint Protection Auto-Protect enabled.
    Fix ID: 1432356
    Symptom: It takes several minutes for a 5 MB or larger PowerPoint file to completely open on Vista.
    Solution: Fixed with an update to the Auto-Protect component.

    "Tamper protection alert" appears after upgrading from an older version.
    Fix ID: 1395857
    Symptom: Tamper Protection alert pops up near the end of installation.
    Solution: Fixed with an update to the Behavior Blocking component.

    Symantec Endpoint Protection clients using the Outlook Scanner are unable to preview JPEG images sent from a Macintosh.
    Fix ID: 1461975
    Symptom: Clients using the Outlook Scanner for Symantec Endpoint Protection are unable to preview JPEG images sent from a Macintosh machine.
    Solution: Implemented a check for whether the attachment is AppleDouble-encoded. If it is, it is not saved, allowing Outlook to handle it.

    LiveUpdate cannot update the virus definitions after an old Intelligent Updater is applied.
    Fix ID: 1407607
    Symptom: Applying an Intelligent Updater that is a couple of weeks old or older will prevent LiveUpdate from updating virus definitions.
    Solution: Fixed with an update to Intelligent Updater.

    Symantec Endpoint Protection client uninstallation does not remove LiveUpdate from the system in some migration patterns.
    Fix ID: 1441612
    Symptom: After an unmanaged 11.0 MR2 Symantec Endpoint Protection client is migrated to 11.0 MR2 MP2 and uninstalled, LiveUpdate is left on the machine.
    Solution: LiveUpdate is now removed correctly upon uninstallation.

    Opening Microsoft Word 2007 "docx" files on Windows Vista takes longer than on Windows XP.
    Fix ID: 1399868
    Symptom: Noticeable delays occur when trying to open Microsoft Word 2007 "docx" files on Windows Vista.
    Solution: Fixed with an update to the Auto-Protect component.

    Veritas clustering is unable to fail over due to Symantec Endpoint Protection locking volumes.
    Fix ID: 1439705
    Symptom: Attempts to take a server offline are initially possible but cease to work after an undetermined length of time. Once you stop the Symantec Endpoint Protection service, taking the server offline works correctly again.
    Solution: Fixed in an update to the Common Client component.

    After uninstalling Symantec Endpoint Protection and restarting, some registry keys still exist.
    Fix ID: 1223463
    Symptom: After uninstalling Symantec Endpoint Protection and restarting, some registry keys are left behind in the HKEY_CURRENT_USER hive.
    Solution: Added custom action to Symantec Endpoint Protection installer to enumerate and delete necessary registry keys during uninstall.

    LUALL CPU usage of 50% and memory size increases until system stops responding when LiveUpdate launches via a schedule.
    Fix ID: 1473616
    Symptom: LUall.exe consumes CPU and memory starting at 50% until the system stops responding.
    Solution: Fixed hard loop when certain scenarios or states are detected during LiveUpdate.

    Offline Microsoft Office files opening as "corrupt" or "encrypted."
    Fix ID: 1442180
    Symptom: When opening Office documents, the Office file conversion assistant will open and show what appears to be a corrupted (or encrypted) document.
    Solution: Fixed with an update to the Auto-Protect component.

    Workstation freezes when copying over a network share.
    Fix ID: 1383615
    Symptom: Copying files over a network share freezes the share or the workstation.
    Solution: Fixed with an update to the Behavior Blocking component.

    When migrating from Symantec AntiVirus 10.1.7, the installation pauses for up to five minutes at the end of the installation before completing.
    Fix ID: 1423539
    Symptom: When migrating from Symantec AntiVirus 10.1.7 to Symantec Endpoint Protection 11.0 MR2, MR3, or MR4, the installation pauses for about 5 minutes at the end of the installation before actually completing.
    Solution: Improved the checks for proper registry key settings.

    Outlook Auto-Protect corrupts files with Unicode characters in the file name.
    Fix ID: 1405173
    Symptom: Attachments with Unicode file names appear empty.
    Solution: If the file name passed to the Outlook Plug-in is invalid, Auto-Protect now lets Outlook write the attachment.

    MSL crash in Common Client.
    Fix ID: 1407121
    Symptom: Logs show MSL crash in component Common Client 6.3.7.
    Solution: Fixed with an update to the Common Client component.

    UPHClean points to RTVScan.exe as the root cause of a profile unloading issue on Windows 2000 Professional.
    Fix ID: 1484409
    Symptom: RTVscan does not shut down within the time allowed by the Windows 2000 system shutdown, causing a Userenv error.
    Solution: Added extra checks to verify whether COM is already initialized.

    Cleanwipe tool prompt asks, "Do you want to uninstall Windows related files that Symantec installed?"
    Fix ID: 1469385
    Symptom: Cleanwipe presents a confusing prompt which asks, "Do you want to uninstall Windows related files that Symantec installed?".
    Solution: The prompt text has been changed to "Do you want to uninstall the files that Symantec installed under the Windows directory, if removing these files will not harm your system?"

    When Cleanwipe runs silently, the blank DOS box does not indicate that the tool is working.
    Fix ID: 1469470
    Symptom: When Cleanwipe runs silently, the blank DOS box does not indicate that the tool is working.
    Solution: New command line parameter -showprogress is added, which displays verbose output to the command window.

    When Scheduled LiveUpdate configuration is used from the Symantec Endpoint Protection user interface, it is saved incorrectly.
    Fix ID: 1484916
    Symptom: Set the weekly LiveUpdate schedule to a particular day. Re-open the LiveUpdate schedule dialog to see the day moved back 2 days.
    Solution: While saving the schedule in the registry, convert the local day index to the Symantec Endpoint Protection day index.

    USB hard drives can't be safely removed after context menu scan completes successfully.
    Fix ID: 1410194
    Symptom: After running a scan with default settings, an attached USB hard drive can no longer be safely removed. If you terminate RTVScan.exe, you can then safely remove the drive.
    Solution: Fixed in an update to the Common Client component.

    Symantec Endpoint Protection displays two Symantec Tamper Protection Alerts when installing Backup Exec over the network.
    Fix ID: 1473579
    Symptom: Tamper Protection Alerts occur during Backup Exec installation.
    Solution: Network installation no longer triggers Tamper Protection alerts.

    Symantec Endpoint Protection patching may cause "Resolve Source" after LiveUpdate of WpsHelper.
    Fix ID: 1505190
    Symptom: Patching Symantec Endpoint Protection 11.0 may result in a "Resolve Source" during the patch process.
    Solution: Added WpsHelper to the full file patch list.

    High Explorer.exe CPU usage when touching exported Symantec Endpoint Protection client package.
    Fix ID: 1470577
    Symptom: Explorer.exe has high CPU usage in Task Manager.
    Solution: Fixed in an update to the Auto-Protect component.


    Symantec Endpoint Protection: Firewall

    A managed Symantec Endpoint Protection client displays a "Collect User Info" pop-up before the delay time has elapsed.
    Fix ID: 1455613
    Symptom: User information collection pop-up reappears, even though the delay time has not elapsed after logging in again or restarting.
    Solution: Save the delay time to Registry on firewall service stop, and restore its value on firewall service start.

    The Driver_Level_Protection_(DLP) doesn't work even when the option shows normal in Profile.xml.
    Fix ID: 1481759
    Symptom: Cannot block IPX packets.
    Solution: Updated the handling of IPX packets.

    SMC.EXE application crashes when more than 16 DNS servers are configured in the TCP/IP properties.
    Fix ID: 1471456
    Symptom: If a user creates more than 16 DNS servers, SMC.exe will crash.
    Solution: Added a boundary check when copying DNS servers from Netport to SMC.

    Teefer driver is still shown under network properties after upgrade to Symantec Endpoint Protection 11.0 MR3 or later.
    Fix ID: 1293420
    Symptom: Teefer2 driver appears in the network properties.
    Solution: Teefer2 driver no longer appears in the network properties.

    Microsoft Expression Design 2 will not start when Application and Device Control policy is enabled.
    Fix ID: 1482773
    Symptom: This .NET program crashes when Application and Device Control is enabled.
    Solution: Updated a Symantec driver to prevent the crash.

    Application and Device Control causes custom application to fail on Windows 2000 computers.
    Fix ID: 1470672
    Symptom: If Application and Device Control is enabled, "TASKING EDE" will fail to start on Windows 2000 SP4.
    Solution: Updated a Symantec driver to prevent the error.

    Portscan detections are inconsistent.
    Fix ID: 1456195
    Symptom: Some port scan parameters result in inconsistent detections.
    Solution: Check all the TCP packets, regardless of the TCP flags.

    Application and Device Control causes Inova Lightlink software to fail.
    Fix ID: 1472582
    Symptom: If Application and Device Control is enabled, Inova Lightlink software crashes.
    Solution: Application and Device Control was corrected to support such .NET applications.

    Unable to connect to any shares on Windows XP with Symantec Endpoint Protection MR3 or later installed and Network Threat Protection enabled on a Japanese-language operating system.
    Fix ID: 1447741
    Symptom: On a Japanese language Windows XP operating system, ports 139 and 445 are blocked by default after Symantec Endpoint Protection 11.0 is installed. This does not occur on English Windows XP.
    Solution: Added TCP and UDP rules for file sharing.

    Symantec Endpoint Protection Manager Quick Reports show OS codes instead of OS names.
    Fix ID: 1447318
    Symptom: Client inventory report shows an odd entry.
    Solution: Added appropriate localization entry for Windows 2003 Enterprise Domain Controller and Windows 2000 Advanced Server Domain Controller.

    Pillar Trim application does not start when Symantec Endpoint Protection is installed.
    Fix ID: 1482423
    Symptom: This .NET program will crash when Application and Device Control is enabled.
    Solution: Application and Device Control was corrected to support such .NET applications.

    Application rules do not persist after restart.
    Fix ID: 1447262
    Symptom: Once a user chooses which applications to allow or deny, they are added to the application list. This list is cleared when the computer is shut down. The user is presented with the alerts again the next time the applications are started.
    Solution: Application rules now persist across restart.

    VNCon application will not start when Application and Device Control policy is enabled.
    Fix ID: 1473568
    Symptom: VNCon application cannot run when the Application and Device Control Policy is in effect.
    Solution: Updated a Symantec driver to allow the application to run.

    If only one Symantec Endpoint Protection client exists, the client is unable to establish communication with Symantec Endpoint Protection Manager.
    Fix ID: 1486698
    Symptom: A single client cannot communicate with the server.
    Solution: Improved handling of a single client count.

    Application and Device Control conflicts with DMES software.
    Fix ID: 1477161
    Symptom: With Application and Device Control enabled and when DMES is running, the newly launched Internet Explorer will hang.
    Solution: A Symantec driver was modified to allow the application to run.

    Fingerprint no longer takes effect when an .exe file is moved to a new folder and the folder is re-named.
    Fix ID: 1295598
    Symptom: With OS Protection enabled, add a rule that uses a file fingerprint to block an application from running. After the folder containing the application is renamed, the rule no longer works.
    Solution: Fixed in OS Protection block rules.

    SMB protocol traffic is sent to the detection engine with a 1-6 minute delay.
    Fix ID: 1480679
    Symptom: SMB protocol traffic triggers the Intrusion Protection signature, but traffic to the IPS engine is delayed by 1-6 minutes.
    Solution: Fixed in a component update.

    Computer stops responding with a blue screen while the computer is idle.
    Fix ID: 1480602
    Symptom: Computer stops responding with a blue screen while the computer is idle.
    Solution: Fixed in a component update.

    Port client connection timeout from Symantec Endpoint Security Maintenance Release 3.
    Fix ID: 1486881
    Symptom: Client timeout value for establishing connection with the server to download client packages is low and causes frequent failures, particularly if the network is slow between the client and Symantec Endpoint Protection Manager.
    Solution: Increased timeout value.

    Symantec Endpoint Protection continues downloading the same definition file when the disk is full.
    Fix ID: 1472608
    Symptom: Even when the disk space is full, the client will make attempts to download and apply LiveUpdate content.
    Solution: Roughly estimate how much disk space is required before attempting the content download.

    Cannot configure Veritas Cluster Service (VCS) when Symantec Endpoint Protection is present.
    Fix ID: 1487863
    Symptom: Cannot configure VCS with Symantec Endpoint Protection present.
    Solution: A Symantec driver was modified to allow the application to run.


    Symantec Endpoint Protection Manager

    Limited Administrator scheduled reports can become "invisible."
    Fix ID: 1472513
    Symptom: Limited Admin's Scheduled reports can become "invisible."
    Solution: Kept the "created by" field when updating a report.

    Auto-refresh of Computer Status Logs causes different logs to be shown.
    Fix ID: 1469309
    Symptom: When viewing the Computer Status Logs with the count per page at 1000 entries, enable auto-refresh at 30 second intervals. After a refresh, the row count drops dramatically (between 20-30). The full list is restored if auto-refresh is disabled.
    Solution: All entries are now viewable when auto-refresh is enabled.

    Server certificate is missing from the client's Sylink.xml.
    Fix ID: 1472560
    Symptom: Some Symantec Endpoint Protection Manager sites and server certificates are missing in sylink.xml.
    Solution: Symantec Endpoint Protection Manager was modified to resolve the problem.

    Configured Notifications fail to be created as expected.
    Fix ID: 1446178
    Symptom: No Application Device Control events trigger notifications, even when the option is configured.
    Solution: Added a new attribute to policies for checking whether a notification should be sent.

    Cannot open location-independent policies and settings for certain Symantec Endpoint Protection Manager client groups.
    Fix ID: 1474607
    Symptom: Clicking Clients > Policies > General Settings does nothing.
    Solution: Get the default attribute value if Symantec Endpoint Protection Manager cannot get the optional one.

    In the Computer status log, the sort function does not work for the "Infected" column.
    Fix ID: 1453826
    Symptom: In the Computer status log, the sort function does not work for the "Infected" column.
    Solution: Added a sort function to column "Infected."

    After repair, Symantec Endpoint Protection Manager malfunctions in some environments.
    Fix ID: 1470381
    Symptom: User cannot log into the console after the installation is repaired.
    Solution: Back up files and restore them later, so that those files are always kept during repair and migrate installations.

    Replication fails after deleting the default domain.
    Fix ID: 1458968
    Symptom: Replication fails after deleting the default domain.
    Solution: Bypass conflicting check when policy and policy component's Symantec Endpoint Protection Manager domain is deleted; add more null pointer checking.

    Firewall rules keep inheriting from the parent when opening the child firewall policy for editing.
    Fix ID: 1449215
    Symptom: The rules in parent group keep growing when editing a subgroup firewall policy.
    Solution: Rules from the parent group are no longer saved.

    Virus Definition Distribution reports show many different sequence numbers for the same date/revision definitions.
    Fix ID: 1440933
    Symptom: The Reports > Computer Status > Virus Definitions Distribution report shows 0 and XXXX (sequence number) for the same date/definitions.
    Solution: Removed the sequence from the grouping in the virus definitions report.

    When viewing a LiveUpdate policy, the "Last Modified" entry actually reflects when the policy was created.
    Fix ID: 1454394
    Symptom: When you update the LiveUpdate Policy or LiveUpdate Content Policy, the "Last Modified" entry is not updated.
    Solution: Added code to update the LiveUpdate Policy and Content Policy.

    Slow Symantec Endpoint Protection Manager performance when assigning policies to a large number of groups.
    Fix ID: 1454359
    Symptom: The console takes a long time when assigning policies to a large number of groups.
    Solution: Optimized code to remove unused objects and improve efficiency of queries.

    Console freezes when opening Policies tab in Symantec Endpoint Protection Manager.
    Fix ID: 1443849
    Symptom: After replication, when switching to the policy tab, the policy tab will freeze or show wrong group information.
    Solution: During replication, if there are any other schemas, reference them to eliminate hangs or incorrect data.

    Configured Notifications fail to be created as expected.
    Fix ID: 1459053
    Symptom: On Symantec Endpoint Protection Manager, even if the "alert" flag has been set, no logs can be received from the client when an Operating System Protection policy is sent.
    Solution: Import "Alert" flag and copy this alert to registry.

    Heartbeat time configuration not synchronized with client number in the client group.
    Fix ID: 1473493
    Symptom: If client-number/heartbeat is greater than 1000 in a one-minute timeframe, there will be communication problems.
    Solution: Added a warning dialog for short heartbeat settings.

    Symantec Endpoint Protection Manager query to SQL database is causing a very high CPU spike.
    Fix ID: 1460880
    Symptom: A very high CPU spike appears in the task manager.
    Solution: Resolved a JDBC issue.

    Upgrade failure from Symantec Sygate Enterprise Protection MR9 to Symantec Endpoint Protection when the Manager has multiple domains.
    Fix ID: 1407636
    Symptom: Error occurs during upgrade.
    Solution: Detect and clean up broken data before upgrade.

    Possible broken link after replication.
    Fix ID: 1480062
    Symptom: Error: "No SemAgentPolicy GUID in Group Policy."
    Solution: When updating a group policy, update all the references' USNs so that they will be replicated together.

    Copied or moved Active Directory user continues to use the policy from the original group.
    Fix ID: 1453632
    Symptom: Cannot register the client when there are duplicate clients with the same hardware key.
    Solution: Added source to register to the client ID marked first to eliminate this problem.

    After installing Symantec Endpoint Protection Manager on Windows XP Professional, there are two performance objects for "memory," and their counters have been changed.
    Fix ID: 1198477
    Symptom: Two "Memory" performance objects appear when using Performance Monitor tool.
    Solution: Added registry values needed in the Symantec Endpoint Protection Manager installer.

    Replication server is missing partner's certificates.
    Fix ID: 1472563
    Symptom: Some Symantec Endpoint Protection Manager sites and server certificates are missing in sylink.xml.
    Solution: Added source during replication process to help resolve the broken link during upgrade process.

    Replication error when trying to resolve a conflict.
    Fix ID: 1481287
    Symptom: Replication fails after deleting default domain.
    Solution: Fixed conflicting check when policy and policy component's Symantec Endpoint Protection Manager domain is deleted.

    Unexpected console error 0x80010000 when unchecking Inherit Policies from the client policy tab in Symantec Endpoint Protection Manager.
    Fix ID: 1449208
    Symptom: Error: "No SemAgentPolicy GUID in Group Policy."
    Solution: When updating a group policy, update all the references' USNs so that they will be replicated together.

    After replication, all Symantec Endpoint Protection Manager data on the client is marked as deleted when one record is deleted at its partner.
    Fix ID: 1488176
    Symptom: Version will be different between partners.
    Solution: Added source during the replication process ensuring correct data deletion and avoiding making other data deletion errors.

    Non-English users see English text describing a Host Integrity condition.
    Fix ID: 1470295
    Symptom: Non-English users see English text describing an HI IF condition.
    Solution: Provided translatable string for description.

    Symantec Endpoint Protection Manager service stops when unchecking Policy inheritance for client group.
    Fix ID: 1482253
    Symptom: Symantec Endpoint Protection Manager server stops when unchecking Policy Inheritance feature.
    Solution: Added source to avoid recursive calls.

    Unable to complete the migration to Symantec Endpoint Protection 11.0 from Symantec Sygate Enterprise Protection 5.1.
    Fix ID: 1485857
    Symptom: Exception errors during upgrade.
    Solution: Problematic exception has been removed.

    Console input field is one character too short.
    Fix ID: 1461702
    Symptom: The console input field is incorrect.
    Solution: Users can now input a value equal to or less than 4294967295 (0xffffffff), the same as the behavior of Registry Editor.

    Static date is displayed in Symantec Endpoint Protection Manager client installation package pane after migration.
    Fix ID: 1499357
    Symptom: Creation Time column shows static date "January 9, 2009 4:35pm EST" for all packages created after migration.
    Solution: Set "Created Time" as current time during upgrade.

    Reports show conflicting IPS dates after replicating Symantec Endpoint Protection Managers via Computer Status report: IPS distribution.
    Fix ID: 1447222
    Symptom: Reports show conflicting IPS dates.
    Solution: Removed the offending string and reset USN for all the tables which cannot be replicated during upgrade from MR4 to MR4 MP1.

    Hourly Scheduled Replications fails with "String index out of range: -1"
    Fix ID: 1476198
    Symptom: Scheduled replication causes failure.
    Solution: Corrected the string index to resolve the issue.

    Symantec Endpoint Protection Maintenance Release 3 service crashes when exporting a client package.
    Fix ID: 1457431
    Symptom: After replicating a site, an "Invalid Management Server List" error occurs when trying to export a client installation Package from a group that is originally communicating with the deleted site.
    Solution: In "Export Client Install Package", a dialog box is displayed asking the user to select a valid Management Server List to be used for the group if it is invalid. The dialog box will be displayed for any group having an invalid server list. In "Delete Remote Site", a dialog box is displayed preventing the user from proceeding if its default Management Server List is still being used by any group. In "Policy Summary Panel", before displaying the Communications Setting dialog, a dialog box is displayed if the Management Servers list is invalid for that group.

    When you navigate to the Monitors > Logs > Risk log and sort by User, only the first page sorts correctly.
    Fix ID: 1483276
    Symptom: Navigate to Monitors > Logs > Risk and view the Risk log. Sort by User Name. Only the first page sorts the User Names, not additional pages of user names.
    Solution: Added sort function to the logs for multiple pages.

    Incorrect IPS failure information and computer count in the database.
    Fix ID: 1488007
    Symptom: IPS failure information or computer count is different between partners when there is deleted Symantec Endpoint Protection Manager content.
    Solution: Enhanced filtering when there is deleted Symantec Endpoint Protection Manager content.

    Symantec Endpoint Protection Manager LiveUpdate cannot install virus definitions when it matches LuDownloadedContentArray.xml.
    Fix ID: 1478558
    Symptom: Cannot install virus definitions.
    Solution: Changed the .xml file to eliminate this issue.

    Clients managed by other replication partners indicate no definitions are present when viewing the client properties.
    Fix ID: 1456697
    Symptom: When clients are viewed from replication partners besides their own manager, the clients show "no definitions" or different versions.
    Solution: Removed the offending string and reset USN for all the tables which cannot be replicated during upgrade from MR4 to 11.0 MR4 MP1.

    Cannot select some groups in the advanced settings for computer status logs with long nested OUs.
    Fix ID: 1483311
    Symptom: In Computer Status Logs Advance Setting, Group drop-down list, when you mouse over a group, it jumps to the top of the list of the drop-down.
    Solution: Since the horizontal scrollbar is available for longer OU names, resolved this by preventing the content from wrapping to the next line.

    Symantec AntiVirus Corporate Edition changes to "AhnLab V3 Internet Security" in custom Host Integrity policies.
    Fix ID: 1503283
    Symptom: You see "AhnLab V3 Internet Security" selected instead of the expected choice "Symantec Endpoint Protection" in policies that were migrated from SPM 5.1 MR8.
    Solution: The UI was changed to accept both values, which now correctly map to "Symantec Endpoint Protection."

    Replication failure between SQL 2000 and embedded database.
    Fix ID: 1481901
    Symptom: SQL exception occurs because Primary Key is not unique.
    Solution: Saved the multi-key in all columns for the table and added a cache.

    Symantec Endpoint Protection Manager 11.0 Maintenance Release 3 policies do not update.
    Fix ID: 1502048
    Symptom: Broken link produced when trying to edit a command scan via Antivirus policy. You cannot open the Edit dialog, and see an exception when creating a policy for groups.
    Solution: Added additional policy checking upon creation and upgrade.

    Hourly Scheduled Replications fail 3 - 4 times a day.
    Fix ID: 1471437
    Symptom: Replication failures can be seen in the reports.
    Solution: Eliminated possible deadlocks.

    The "agentinfo" folder does not get processed after 00:00 AM.
    Fix ID: 1476443
    Symptom: You see "java.lang.OutOfMemoryError" in the scm_server.log.
    Solution: Merged two SQL statements into one to avoid putting compliance IDs into memory.

    Replication partner cannot be set up again after migration from Symantec Sygate Enterprise Protection 5.x MR 9 to Symantec Endpoint Protection.
    Fix ID: 1501797
    Symptom: Replication couldn't be set up again after upgrade.
    Solution: Fixed code so that it will handle the case of upgrade from 5.X.

    The "Command" column data does not sort correctly within the Command Status page.
    Fix ID: 1504788
    Symptom: In the Command Status result page the "Command" column data does not sort correctly.
    Solution: Re-sort the "Command" in PHP code.


    Symantec Network Access Control

    SNAC.exe takes up to 100% CPU.
    Fix ID: 1474538
    Symptom: SNAC.exe takes up to 100% CPU on single CPU computers after migration to MR4. Can take up to 50% CPU usage on dual core CPU.
    Solution: Removed an event handler which will reset the triggered event. When this issue happens, restarting the computer resolves this issue.

    Symantec transparent mode settings cannot be saved. After restart it resets to PEAP authentication type.
    Fix ID: 1476298
    Symptom: If the user selects "Symantec NAC Transparent Mode" in the network property window, the setting is lost after restart.
    Solution: Made corrections within the registry.

    DHCP Plug-in Enforcer cannot get entire serverprofile.xml with 16,000 trusted MAC addresses from Symantec Endpoint Protection Manager.
    Fix ID: 1465088
    Symptom: Policy is not effective in Integrated Enforcer if the policy contains large numbers of trusted MAC addresses.
    Solution: Use dynamic memory to receive policy from Symantec Endpoint Protection Manager.

    Sylink module crashes during auto-upgrade.
    Fix ID: 1487223
    Symptom: Sylink crashes during upgrade.
    Solution: Improved the object handling.


    Readme items

    Peer to peer enforcer authentication doesn't work.
    Fix ID: 1483085
    Symptom: Peer-to-peer authentication and host integrity policies block access to shared folders.
    Solution: For full details see the readme_sep.txt or readme_snac.txt section titled "Peer-to-peer authentication and host integrity policies block access to shared folders."

    Client fails to show tray icon when "Display the notification area icon" is checked.
    Fix ID: 1483345
    Symptom: Missing tray icon.
    Solution: For full details, see the readme_sep.txt or readme_snac.txt section titled "Icons do not display in system tray."



    Maintenance Release 4 (MR4)

    What's in this release
    Symantec Endpoint Protection Manager now supports Windows 2008 Server. Symantec Endpoint Protection Manager now supports the following versions of Windows 2008 Server (all applicable 32-bit and 64-bit versions): Windows Server 2008 Standard, Enterprise, DataCenter, Web, Small Business Server (Standard and Premium), and Essential Business Server (Standard and Premium).

    Specific Symantec Endpoint Security features include:
    • The ability to resume downloads for maintenance releases and patches.
    • The addition of traffic bandwidth configurations for the Group Update Provider (GUP).
    • Support for 640 x 480 screen resolution.

    Specific Symantec Network Access Control features include:
    • On-demand Agent can now be downloaded from Firefox version 3.
    • Persistence options allow the On-demand Agent to stay on the client machine for a specified period of time. Without this option the agent is uninstalled when the computer restarts.


    Components in this release

    Component                          Version
    Symantec Endpoint Protection       11.0.4
    Symantec Network Access Control    11.0.4
    AutoProtect                        10.2.7.11
    Live Update                        3.3.0.69
    ccEraser                           108.2.2.8
    Avengine                           20081.2
    SyKnAppS                           2.5.12
    SymEvent                           12.5.3.2
    DecABI                             1.1.1.39
    ECOM                               20081.2
    Defutils                           3.3.20.0
    LiveUpdateAdmin                    2.2.1.13
    Microdefs                          2.5.32.0
    SymNetDrv                          7.2.3.302
    Common Client                      106.3.7.9
    Behavior Blocking                  3.3.7.4
    COH                                6.1.8.8



    Product fixes by category:

    Symantec Endpoint Protection: Antivirus/AntiSpyware

    A Full Scan with compressed files level set to 1 reports 0 files scanned.
    Fix ID: 1371190
    Symptom: On the client UI, the total files scanned count either reflects an incorrect value or 0 (if the count was negative).
    Solution: Do not decrement the total scanned files count for files in archives past the maximum file scan depth.

    Miscellaneous files such as slu****.tmp, mdf****.tmp, and CValidateCom.txt are generated in the Temp folder.
    Fix ID: 1298906
    Symptom: Temp folders are left over in the Windows Temp folder.
    Solution: Delete Temp folder files.

    Temp files left over in the 7.5 folder after scans.
    Fix ID: 1405018
    Symptom: After a scan, Symantec Endpoint Protection does not clean up all temporary files from the "7.5" folder.
    Solution: The heuristic scan engine was incorrectly holding on to the temporary files in the 7.5 folder during the scan. Modified the engine to prevent this issue from occurring.

    SymCorpUI error when trying to do a Symantec Endpoint Protection scan in safe mode on Windows 2000 SP4.
    Fix ID: 1300088
    Symptom: After clicking Scan Now, a "SymCorpUI error" message appears, after which the "Run active" scan doesn't work.
    Solution: Passed API calls check in Win2k safe mode (without networking).

    Location-based scans that are defined in the policy trigger when locations switch.
    Fix ID: 1380226
    Symptom: Having a scheduled scan in one location but not another results in the scan being triggered incorrectly.
    Solution: Fixed incorrect scan entries in the registry for these scheduled scans.

    Auto-Upgrade installation rolls back with Error 1308: Source file not found on OEHeur.dll.
    Fix ID: 1371851
    Symptom: Client installations may fail while re-creating the delta package, or attempting to install a bad full package.
    Solution: Implemented better error checking to ensure that a good client package folder is created. If installations are failing, it is suggested that the 'full' directories corresponding to the package are removed.

    Installation fails when installing as part of Windows XP unattended install.
    Fix ID: 1383539
    Symptom: Installation of Symantec Endpoint Protection as a part of an unattended Windows XP installation rolls back.
    Solution: Corrected registration of Symantec Endpoint Protection components with LiveUpdate during installation.

    Possible hang/crash after applying Active Directory folder exclusions on the server.
    Fix ID: 1406310
    Symptom: After applying Active Directory folder exclusions on the server and during scanning of the system files, NTDS may encounter a hang or crash.
    Solution: This hang was caused by Auto-Protect trying to read from certain files. The hang occurred when Auto Protect does a scan of files in the clean file cache when new virus definitions arrive. This is resolved by disabling the Rescan the cache option by navigating to: AntiVirus/AntiSpyware Protection Settings > File System Auto-Protect > Advanced File Cache > Rescan the cache when new definitions load.

    File backups are at least 80% slower with Symantec Endpoint Protection installed.
    Fix ID: 1275606
    Symptom: Poor backup performance when Symantec Endpoint Protection is installed.
    Solution: Modified the engine to prevent this issue from occurring by skipping files opened with backup semantics.

    The Symantec Endpoint Protection client interface wraps to the second monitor.
    Fix ID: 1304016
    Symptom: Parts of the window are seen on the second screen.
    Solution: Resized the main frame to fit the display area of the first screen.

    64-bit clients are sending Tamper Protection status to Symantec Endpoint Protection Manager as "Off" rather than as "Not Installed."
    Fix ID: 1412863, 1098328
    Symptom: Symantec Endpoint Protection Manager shows Tamper Protection as Off rather than as Not Installed.
    Solution: Added new interface registration information to the installer.

    Custom service written in .NET bloats memory usage with Proactive Threat Protection installed.
    Fix ID: 1438181
    Symptom: If the Windows service CMISImageHandler.exe is running, Symantec Endpoint Protection service grows from 14MBs to 68-71MBs.
    Solution: Resolved through a Confidence Online component update.

    Application Error after a push install.
    Fix ID: 1361697
    Symptom: During push install process, user receives an error.
    Solution: This was caused by a timing issue during service shutdown. Added improvements to the cleanup process and added sanity checks to prevent this from happening again.

    Windows Security Center status is not updated for out-of-date definitions until a service cycle.
    Fix ID: 1405083
    Symptom: Windows Security Center will not show correct status until the computer restarts.
    Solution: The definition status in Windows Security Center is now updated every 60 minutes.

    Symantec Endpoint Protection service starts and stops repeatedly on Windows 2000 Terminal Server.
    Fix ID: 1179755
    Symptom: Repeated service starts and stops on Windows 2000 Terminal Server.
    Solution: Fixed NULL parameter causing the problem.

    The scroll bars at the bottom are slightly off the screen on the client.
    Fix ID: 1304020
    Symptom: Parts of the window are seen on the second screen.
    Solution: Resized the main frame to fit the display area of the first screen.

    User registry hive in Symantec Endpoint Protection 11 MR 2 MP 2 and newer is locked after logging off of a RDP session.
    Fix ID: 1431936
    Symptom: An error in logs states Symantec Endpoint Protection is holding on to the user hive registry.
    Solution: Disabled the scheduled scan service notify thread.

    Cannot save changes in Word 2000 files to FDD.
    Fix ID: 1201116
    Symptom: Word cannot complete the save due to a file permission error.
    Solution: Modified the Auto Protect engine to prevent this issue from occurring.

    Constant 5% Rtvscan CPU usage.
    Fix ID: 1389006
    Symptom: Constant 5% Rtvscan CPU usage seen from Process Explorer or Task Manager.
    Solution: Changed to cache the state of Auto-Protect, thus reducing excessive calls which gather state information. The state is now updated once on startup, on change notification from Auto-Protect, and occasionally on the main timer, eliminating this issue.


    Symantec Endpoint Protection: Firewall

    Firewall rule ignored if Description field is populated for the Application List.
    Fix ID: 1284625
    Symptom: If the Description field is set, the Firewall rule containing the description will not be triggered.
    Solution: Modified the firewall to correctly set the appropriate flags in the registry.

    CardSpace service fails to launch with client running.
    Fix ID: 1417019
    Symptom: While trying to start the CardSpace service, a popup message states that the service was not able to start. Errors also appear in the System Event logs.
    Solution: Resolved via a component update.

    Laptops with Symantec Endpoint Protection and 4GB RAM stop responding.
    Fix ID: 1444613
    Symptom: With Symantec Endpoint Protection installed on a laptop running Windows Vista Business 32-bit, upgrade the amount of RAM from 2-3 GB to 4GB. The laptop stops responding after 20-30 minutes.
    Solution: Resolved infinite loop in the firewall code.

    Sysplant blocks certain Network based apps.
    Fix ID: 1430654
    Symptom: IRIS Practice Software is blocked by the firewall.
    Solution: Firewall now allows this software to run.

    Blue Screen while Incredibuild 3.2 is in use.
    Fix ID: 1431699
    Symptom: With Symantec Endpoint Protection and Incredibuild 3.2 installed, the system stops responding with a blue screen.
    Solution: Removed the data structure that caused the problem.

    IncrediBuild 3.2 does not work unless Sysplant is disabled.
    Fix ID: 1394288
    Symptom: After the OSP policy is enabled, Microsoft Visual Studio cannot compile programs with IncrediBuild.
    Solution: Application is now compatible.

    SMCinst.exe is not replaced when Symantec Endpoint Protection or Symantec Network Access Control Client is migrated using MSI patch.
    Fix ID: 1301423
    Symptom: Smcinst.exe is not replaced when Symantec Endpoint Protection/Symantec Network Access Control client is migrated by MSI+MSP installation package.
    Solution: Latest Smcinst.exe is added to the MSI+MSP package, and is replaced upon successful migration.

    Wireless connections at 104Mb/second do not register with Location Awareness as Wireless connections.
    Fix ID: 1441489
    Symptom: Auto Location Awareness does not work when using 104Mbps wireless network.
    Solution: Added 130Mbps/117Mbps to the list that detects when the wireless speed is not stable.

    Symantec Endpoint Protection client management system logs report incorrect IP address for the Manager.
    Fix ID: 1220138
    Symptom: Incorrect IP address shows in the logs.
    Solution: If DNS cannot resolve the hostname, incorrect IP address is not reported.

    Smc.exe stops responding and reports errors citing address 0x00006ad0 under low memory conditions.
    Fix ID: 1372843
    Symptom: Unexpected SMC crash encountered.
    Solution: Corrected the usage of the function causing the problem.

    Random, limited, or no connectivity on laptops with Symantec Endpoint Protection and Juniper VPN client.
    Fix ID: 1433195
    Symptom: Network connections randomly have limited or no connectivity on laptops with Symantec Endpoint Protection and Juniper VPN client installed.
    Solution: Fixed a deadlock issue with the SMC process.

    Event "Connected to Symantec Endpoint Protection Manager (%1)" logs the wrong IP Address for the manager.
    Fix ID: 1387845
    Symptom: In the System log on the client, the event "Connected to Symantec Endpoint Protection Manager" reports an IP address that is not the address of the Symantec Endpoint Protection Manager.
    Solution: If DNS cannot resolve the hostname, incorrect IP address is not reported.

    Last Download Time field never updates.
    Fix ID: 1423529
    Symptom: "Last Download Time" in Symantec Endpoint Protection Manager Reports always shows "Never".
    Solution: Stopped zeroing out the last content check time inadvertently and started handling situations in which the value had not changed correctly.

    Google Chrome browser cannot be launched if the firewall is running.
    Fix ID: 1403244
    Symptom: With Symantec Endpoint Protection installed, an application error occurs when launching Google Chrome.
    Solution: Application is now compatible.

    Errors with Google Talk Plug-in.
    Fix ID: 1441738
    Symptom: The Google Talk plugin cannot be launched.
    Solution: Application is now compatible.

    Symantec Endpoint Protection Application and Device control prevents Wild Tangent software from running.
    Fix ID: 1422627
    Symptom: After clicking "PLAY" button, "FATE.EXE" crashes.
    Solution: Application is now compatible.

    Firewall rules configured to "ASK" do not log incoming traffic.
    Fix ID: 1363282
    Symptom: No incoming traffic is logged when configuration option is set to Ask.
    Solution: Fixed code that could not find the Process ID or App name.

    There is no dialog warning that Application and Device Control will not function unless TruScan is installed at install time.
    Fix ID: 1238501
    Symptom: Application and Device Control will not function unless TruScan is installed.
    Solution: Removed dependency on TruScan.

    C++ runtime errors with Think Vantage Client Security Solution for Vista.
    Fix ID: 1267801
    Symptom: Smc.exe crashes on boot up or service restart on Vista Enterprise laptops.
    Solution: Added the appropriate flag to avoid crashes and security issues.

    Unable to run whois from within Symantec Endpoint Protection client Traffic logs successfully more than once.
    Fix ID: 1370712
    Symptom: Running whois from within Symantec Endpoint Protection client Traffic logs successfully more than once is not possible.
    Solution: Every time the detail dialog box was opened, the UI sent two requests. The issue was resolved by sending only one request.

    Application "Calyx Point" will not run with Sysplant enabled.
    Fix ID: 1408234
    Symptom: Winpoint crashes when launched.
    Solution: Application is now compatible.

    Sysplant does not allow MATLAB 2008a software to launch.
    Fix ID: 1389109
    Symptom: Run the Matlab exe. After two error message boxes, the process exits.
    Solution: Do not allow sysfer.dll into "matlab.exe" process.

    The firewall prevents the 3G HSDPA connection adapter from properly disconnecting.
    Fix ID: 1284609
    Symptom: Attempts to re-establish a VPN connection with the client fail.
    Solution: Added additional checks on known ports used by 3G card driver allowing connections.

    "Block all traffic until firewall starts" prevents Vista hibernation.
    Fix ID: 1383703
    Symptom: Configuring Symantec Endpoint Protection firewall to "Block all traffic until firewall starts and after firewall stops" will prevent Vista from sleeping or hibernating.
    Solution: Component update resolved this issue.

    Application and Device Control causes Microsoft Excel to give XMLoader errors.
    Fix ID: 1282072
    Symptom: Unexpected results when clicking a button in Excel file.
    Solution: OSP prevents some processes from being executed normally.

    Event ID 6004 error appears in logs repeatedly on Symantec Endpoint Protection clients.
    Fix ID: 1259196
    Symptom: System log shows Event ID 6004: "A driver packet received from the I/O subsystem was invalid. The data is the packet".
    Solution: Modify the WPS driver to remove the unnecessary hooking in XP.

    Reverse DNS lookup sometimes does not work.
    Fix ID: 1413853
    Symptom: Traffic that a firewall policy allows from hosts matching a specified domain name is at times blocked by the firewall.
    Solution: No matter whether the first packet is incoming from or outgoing to a remote host, if a domain name is configured in the rule, RDNS is triggered.

    Upgrade should resume download where it left off.
    Fix ID: 1369301
    Symptom: If network connectivity errors are encountered, the currently downloading client package will be deleted and download will start fresh when connectivity is restored.
    Solution: Package updates now use HTTP download resumption protocol.

    Conflict between Symantec Endpoint Protection and Checkpoint installation.
    Fix ID: 1421768
    Symptom: Checkpoint's secure client (SC NGX R60 HFA2) does not finish installation and will eventually blue screen the computer if the customer has Symantec Endpoint Protection client installed.
    Solution: Resolved a problem in the firewall driver.

    Tamper Protection causing a deadlock when program is run from a mapped drive.
    Fix ID: 1422553
    Symptom: With Windows 2000 Pro SP4 and Symantec Endpoint Protection AntiVirus/AntiSpam-only client installed, the system eventually stops responding when trying to browse folders within a program called "OpenFile.exe."
    Solution: Component update resolved this issue.

    Apparent firewall driver memory leak.
    Fix ID: 1406226
    Symptom: Srtsp.sys driver memory leak and driver (ofant.sys) hangs and causes 20 other processes, including srtsp.sys, to stay locked.
    Solution: This was actually an Auto Protect hang issue during file reads, not a firewall memory leak. Resolved.

    Large temp files in the Symantec Endpoint Protection\LiveUpdate folder.
    Fix ID: 1391636
    Symptom: Large temp files produced during content delta building and content download.
    Solution: Improved temp file cleanup.

    SMC.exe continually accesses rasphone.pbk.
    Fix ID: 1318905
    Symptom: Smc.exe takes 100% of the CPU time regularly due to smc.exe accessing file rasphone.pbk.
    Solution: Corrected the need for smc.exe to continually access the *.pbk.

    Aventail client causes smc.exe appcrash in msvcr80.dll
    Fix ID: 1432369
    Symptom: Installing Aventail VPN client results in SMC crash.
    Solution: Fixed a Windows APIs call failure and added a check to ensure that the call succeeded, to prevent a memory access violation.

    "Disable NTP" command sent to AntiVirus/AntiSpam-only client causes Symantec Endpoint Protection tray icon to show a red X.
    Fix ID: 1416668
    Symptom: Sending a "disable NTP" command from Symantec Endpoint Protection Manager causes a red X to be displayed on the tray icon.
    Solution: When the command to disable NTP is received by the client, it checks that the firewall is installed and no longer displays the red X.

    Symantec Endpoint Protection with custom policy causes uninstallation hangs.
    Fix ID: 1223775
    Symptom: Using Windows XP SP2 or Vista, uninstalling with a custom policy hangs.
    Solution: Component update resolved this issue.

    GUP throttling enhancement.
    Fix ID: 1414302
    Symptom: GUP overloaded network when used across a wide area network.
    Solution: Added a configurable fixed delay to reduce overload.

    Blue screen error when starting computer.
    Fix ID: 1434623
    Symptom: Symantec Endpoint Protection 11 MR3 generated a blue screen error on startup, referencing wpsdrvnt.sys.
    Solution: Corrected invalid memory condition error.


    Symantec Endpoint Protection Manager

    System Administrator accounts can be added and deleted but not modified through a remote Symantec Endpoint Protection Manager console.
    Fix ID: 1426040
    Symptom: System administrator properties and password cannot be changed remotely.
    Solution: From the Symantec Endpoint Protection Manager console, you can now modify accounts.

    Database administrator name and password are not encrypted during communication.
    Fix ID: 1389362
    Symptom: User is given the option to select Windows authentication to the database in the configuration wizard.
    Solution: The security data is encrypted now.

    Symantec Endpoint Protection Manager Host Integrity configuration does not have Windows Vista as an operating system selection.
    Fix ID: 996535
    Symptom: Windows Vista is not an available option.
    Solution: Added Windows Vista to Symantec Endpoint Protection Manager Host Integrity configuration types.

    Scheduled replication occurs 30 minutes earlier than expected when Symantec Endpoint Protection Manager is in IST time zone.
    Fix ID: 1442805
    Symptom: Scheduled replication occurs 30 minutes too soon when in IST time zone.
    Solution: Server now converts time based on both hours and minutes.

    Symantec Endpoint Protection Manager System Event Notifications do not report errors.
    Fix ID: 1362428
    Symptom: The report shows 'Nothing to report'.
    Solution: Change the SQL query string used.

    Copied clients are not listed as expected in non-default views of Symantec Endpoint Protection Manager console.
    Fix ID: 1424210
    Symptom: Copy a user or computer to the manually-created group from OU. Change the client view to one of the non-default choices (Client status, Protection technology, Network information, or Client system). The client list is blank in the imported OU and each client is listed twice in the manually-created group.
    Solution: Altered the SQL query used, improving the filter query results.

    Symantec Endpoint Protection Manager does not provide NTLM Authentication when running LiveUpdate.
    Fix ID: 1434288
    Symptom: Launching LiveUpdate from Symantec Endpoint Protection Manager, using a proxy server configured for NTLM authentication, fails.
    Solution: Added a new UI check box that allows enabling the use of Windows Authentication.

    Some client reports do not include all client systems.
    Fix ID: 1227607
    Symptom: The count of clients in some reports is incorrect.
    Solution: Modified the Product Version report to show all clients, even if they are not currently reporting status or if AntiVirus is not installed. There is a separate row in the dashboard action summary to show clients that are not reporting status. There are two new rows for the Site Status Report. One row shows computers that do not have clients. One row shows clients that are not reporting status.

    AntiVirus/AntiSpyware Policies for a group created during a legacy version migration can be exported but not imported.
    Fix ID: 1322745
    Symptom: You receive an error message: "Failed to import the policy. Error: Invalid import file".
    Solution: Improved import process during migration from Symantec AntiVirus policy file or upgrading from MR3.

    Slow login with Symantec Endpoint Protection and Novell client software.
    Fix ID: 1447337
    Symptom: With Novell client installed, logging on to the console is very slow.
    Solution: Improved login time with Symantec Endpoint Protection and Novell client software installed.

    New Management Server Lists default to port 80 instead of 8014 creating mismatch.
    Fix ID: 1437959
    Symptom: MR3 fresh install package with a policy including a non-default Management Server list. The clients that were rolled out were unable to communicate with the Manager.
    Solution: Read http port and https port information at login time of Symantec Endpoint Protection Manager.

    "Last scanned time" shows 1970/01/01 08:00:00 in scan report.
    Fix ID: 1397861
    Symptom: The last scan time shows an incorrect time.
    Solution: Converted the time to the correct format.

    Setting to accept legacy Symantec AntiVirus 10.x logs is deselected after migration.
    Fix ID: 1395850
    Symptom: After setting LegacySupport configuration via the Preferences dialog on the homepage and then performing an upgrade, the configuration is lost.
    Solution: This preference is now honored and persists after migration.

    Renaming groups in Symantec Endpoint Protection Manager does not take effect until a policy change.
    Fix ID: 1416751
    Symptom: Clients do not show the group name change until a policy change.
    Solution: Clients now show the group name change immediately.

    Status icon for client is not the correct status for all views except default via Symantec Endpoint Protection Manager.
    Fix ID: 1447203
    Symptom: When selecting the Default view, the Client Status shows a red arrow. When selecting other views, it changes to a green dot.
    Solution: Default view now displays the accurate client status.

    Event times in scheduled and alert based reports are an hour later than correct times.
    Fix ID: 1299108
    Symptom: Reports are an hour later than correct times.
    Solution: Added a condition to determine whether the system is using daylight saving time to decide how to compute the local time.

    Symantec Endpoint Protection Manager Notifications do not run batch files.
    Fix ID: 1427063
    Symptom: Symantec Endpoint Protection Manager Notifications do not run batch files.
    Solution: Removed the function that prevented the process of batch or executable files.

    Javaw.exe takes up to 90% CPU during backup, and event is not logged.
    Fix ID: 1365401
    Symptom: Backup task leads to 90% CPU usage and causes the Monitoring tab to hang.
    Solution: Use specified cache to read and write methods and write binary files to back up zip packages. The backup tool does not support writing to a log.

    SemSvc takes up to 90% CPU during backup.
    Fix ID: 1365396
    Symptom: Backup task leads to 90% CPU usage, and leads to Monitoring tab hangs on
    Solution: Use specified cache to read and write methods and write binary files to back up zip packages.

    Symantec Endpoint Protection clients report to incorrect Symantec Endpoint Protection Managers.
    Fix ID: 1418576
    Symptom: Location-specific communication setting does not honor the preferred group and preferred mode. Symantec Endpoint Protection Client reports to Default Group.
    Solution: While exporting a package, preferred group information and preferred mode information is set to these location-specific communication settings.

    Sylink watcher log shows 400 responses when trying to download definitions from Symantec Endpoint Protection Manager.
    Fix ID: 1418637
    Symptom: Client receives 400 bad requests in the Sylink Watcher log.
    Solution: Updated product to skip the content and package delta generation.

    Symantec Endpoint Protection Manager firewall policy editor does not gracefully handle blank rule names.
    Fix ID: 1301097
    Symptom: If you blank a firewall rule name and click "OK", the editor warns that a name is required, but then quits without letting you make the change. If you try to import firewall rules with blank rule names, all the rules listed after the blank rule name cannot be imported into the firewall policy without a warning message.
    Solution: Validate firewall rule panel before updating the firewall policy. Validate input dialog if a blank rule name exists in Import Firewall Rules.

    Symantec Endpoint Protection Manager "AgentInfo" folder fills with multiple .DAT files.
    Fix ID: 1261236
    Symptom: Symantec Endpoint Protection Manager "AgentInfo" folder fills up with .DAT event files.
    Solution: Symantec Endpoint Protection Manager now better processes the events sent by the client so the folder will not fill up.

    Database admin name and password are not encrypted during connection.
    Fix ID: 790931
    Symptom: With Symantec Endpoint Protection Manager and SQL 2000 DB installed on the same computer, during a connection from another manager to the manager with SQL installed, the database name and password are not encrypted.
    Solution: Name and password are now encrypted.

    Pull-down items within Symantec Endpoint Protection Manager Console show different wording.
    Fix ID: 1303194
    Symptom: Pull-down items within Symantec Endpoint Protection Manager console show different wording.
    Solution: Improved the resource file responsible for making the display string identical with the other one, eliminating the problem.

    Home, Monitors, and Reports pages are blank on the remote console after updating Java to version 1.6 Update 10.
    Fix ID: 1450539
    Symptom: After installing JDK or JRE 6 Update 10 from Sun, the Home, Monitors, and Reports pages are blank and will not load.
    Solution: Added workaround message in Symantec Endpoint Protection Manager and Symantec Endpoint Protection Manager remote console installation page.

    Symantec Endpoint Protection Manager reports generated in .MHT format display a blank page in Internet Explorer.
    Fix ID: 1281050
    Symptom: Symantec Endpoint Protection Manager Reports generated in .MHT format display a blank page in Internet Explorer.
    Solution: By default, Auto-select is checked, which prevents this issue from occurring.

    Last Update Time does not match heartbeat time.
    Fix ID: 1316833
    Symptom: When the client is offline, the last update time in the database does not reflect the last connect time to server. When the client is online for an extended period, the last update time may not change for quite some time. It does not post any client information to the server, and also has no state change.
    Solution: Added a new task to pull the client's last update time on a more frequent basis.

    Notifications are not triggered when the first Symantec Endpoint Protection Manager in an environment is stopped or removed.
    Fix ID: 1421789
    Symptom: Email notification does not alert.
    Solution: Added a prioritized reporting server list into the site properties.

    "Query Failed" when exporting log data after sorting specific columns within Symantec Endpoint Protection Manager.
    Fix ID: 1381232
    Symptom: "Query Failed" displays when exporting log data.
    Solution: Removed duplicate columns and added a lost column in SQL query statement when performing exports.

    Time Zone Offset is not listed correctly in Symantec Endpoint Protection Manager for clients whose zone has a fractional hour offset.
    Fix ID: 1364622
    Symptom: Time Zone Offset is not listed correctly in Symantec Endpoint Protection Manager for clients whose zone has a fractional hour offset.
    Solution: The time changed on Symantec Endpoint Protection is now reflected correctly in Symantec Endpoint Protection Manager.

    "Per group" option on the Virus Infection and Virus Clean reports is missing.
    Fix ID: 1396514
    Symptom: The Detection Action Summary report does not show the actions taken as a percentage of the total number of detections, nor does it show those statistics on a per-group basis.
    Solution: The Detection Action Summary report now has a new table showing the number of repaired, suspicious, and infected detections per group. It also shows those numbers as a percentage of the total detections for any one group.

    Attempting to view scans, risks, or computer status logs results in the inability to select a specific group.
    Fix ID: 1407987
    Symptom: The dialog box and selection control jumps back to Global.
    Solution: Resolved by narrowing the width of dropdown list by 10% so that the max dropdown list width is 90%.

    Report files containing Japanese characters sent from Symantec Endpoint Protection Manager are corrupted.
    Fix ID: 1157909
    Symptom: Scheduled report files (*.mht files) sent from Symantec Endpoint Protection Manager are corrupted.
    Solution: Updated the encoding to use the correct method, eliminating the issue.

    After upgrading to MR3, "Invalid log record: Too few fields" appears in logs.
    Fix ID: 1416913
    Symptom: Unnecessary log messages and alerts are generated.
    Solution: Removed unnecessary logging.

    "Query Failed" displays when exporting specific log data.
    Fix ID: 1426052
    Symptom: This happens only when Symantec Endpoint Protection Manager uses MSSQL 2005, and does not happen if Symantec Endpoint Protection Manager uses Embedded DB. From the "Monitors" tab, any attempt to export "Log Type" Compliance Logs, Enforcer Client, Default filter, Past 24 hours, View log, or Export queries fails.
    Solution: Removed the duplicate column and added a lost column in SQL query statement used during export process.

    Apostrophe cannot be displayed on exported scan logs
    Fix ID: 1366835
    Symptom: Specific characters encoded in the first line of the exported log files are not displayed.
    Solution: Fixed the display issue of specific characters in the log export.

    After deployment of MR3, performance issues with Remote Consoles
    Fix ID: 1437482
    Symptom: Console slowness from remote consoles.
    Solution: Changed default settings and attributes to resolve the performance issue.

    Exported computer status logs report missing and incorrect information.
    Fix ID: 1414968
    Symptom: Computer status logs show complete information in Symantec Endpoint Protection Manager Monitors page, but when the data is exported, it is missing column information.
    Solution: Exported logs now contain all columns and data.

    Exported Scan Log summaries show End Date/time references of 12/31/1969 for some scans.
    Fix ID: 1406234
    Symptom: Exported Scan Log summaries show End Date-time references of 12/31/1969 for some scans.
    Solution: Log entries are now displayed with the state 'In Progress' rather than '12/31/1969' or '01/01/1970'.

    Symantec Endpoint Protection Manager does not accurately list Active Directory OU members - Duplicate Clients in temp and OU groups.
    Fix ID: 1410087
    Symptom: Duplicate entries appear in temporary group and also in OU group.
    Solution: Improved and optimized the replication process which handles finding and reporting the duplicate Computer Mode and User Mode entries.

    When Symantec Endpoint Protection Manager is using a custom server certificate, client auto-upgrade fails.
    Fix ID: 1314772
    Symptom: The server certificate is an internally signed certificate using Microsoft Certificate Authority Server. The server CSR file was created using IIS to request a digital server certificate. After the CA-signed certificate was imported into IIS, the entire certificate (public and private key) was exported to a .pfx file. That .pfx file was imported into the policy manager under Admin > Servers > Manage Server Certificate. The certificate was applied prior to any client deployments. When deploying the client, the following appears: "Signature verification error: 2148073478" "Invalid Signature."
    Solution: Re-sign all of the affected files when Symantec Endpoint Protection Manager updates certificate.

    Symantec Endpoint Protection Manager client status icons are displayed incorrectly.
    Fix ID: 1409105
    Symptom: Client online status is not shown properly.
    Solution: Improved the registration of clients with Symantec Endpoint Protection Manager so that now the reporting of which clients are online is accurate.

    Symantec Endpoint Protection Manager Monitor logs have incorrect packet details.
    Fix ID: 1382330
    Symptom: Symantec Endpoint Protection Manager Monitor logs have incorrect data.
    Solution: Fixed the SQL statement used to ensure the details are correct.

    Symantec Endpoint Protection clients register with Symantec Endpoint Protection Manager in User mode instead of Computer Mode.
    Fix ID: 1421859
    Symptom: Client packages exported with computer mode and a preferred group set appear in the wrong group and in user mode after install.
    Solution: That behavior is as designed if installing as a workgroup user, but registration now ensures that it does not accidentally change an entry from computer mode to user mode.

    [0x80020000] error when navigating to Clients > Policies > Communications settings.
    Fix ID: 1457416
    Symptom: Navigating to a group's communication policy could crash the server under certain conditions.
    Solution: When accessing a default list, provide an empty one if site doesn't exist.

    Exception is generated every 14 seconds after replication failure.
    Fix ID: 1458441
    Symptom: Repeated exceptions appear in the scm-server-0.log.
    Solution: When accessing a default list, provide an empty one if site doesn't exist.

    "Make all removable drives read-only" rule composed solely of wildcards causes all drives (including non-removable) to be read only.
    Fix ID: 1298890
    Symptom: If an Application and Device Control "Make all removable drives read-only" composed only of wild cards "*" and no other defining parameters is assigned, the local hard drive (C:) is now Read-Only, as is any other media (removable or otherwise).
    Solution: Only removable drives are made read only when selecting this option.

    An inherited Live Update policy displays an incorrect Live Update policy setting.
    Fix ID: 1403339
    Symptom: An inherited LiveUpdate policy displays an incorrect LiveUpdate policy setting, which is confusing.
    Solution: Incorrect settings have been eliminated when inheriting LiveUpdate policies.

    Symantec Endpoint Protection Manager does not accurately list Active Directory OU members
    Fix ID: 1380112
    Symptom: Member display may not work properly in Symantec Endpoint Protection Manager during an Active Directory server synch. New users may fall into a Temporary group.
    Solution: Fixed Active Directory sync issue.

    Importing an AntiVirus/AntiSpyware policy from a migrated Symantec AntiVirus server group into a new domain fails.
    Fix ID: 1195565
    Symptom: The import fails, the policy does not appear, and no error or exception is visible.
    Solution: The command scan policy component is now kept as private metadata when AntiVirus/AntiSpam policies are migrated from a Symantec AntiVirus server.

    Host Integrity rule title changes from "Symantec AntiVirus Corporate Edition" to "AhnLab V3 Internet Security" after migration to Symantec Endpoint Protection Manager.
    Fix ID: 1414333
    Symptom: This is a policy migration issue from Symantec Sygate Policy Manager 5.1.x to Symantec Endpoint Protection Manager 11.0.x. If you make a Host Integrity policy of AntiVirus Enforcement on Symantec Sygate Policy Manager 5.1.8, then select "Symantec AntiVirus Corporate Edition" as the antivirus product to be checked, it will be changed to "AhnLab V3 Internet Security" after migration to Symantec Endpoint Protection Manager 11.0.x.
    Solution: Fixed the command scan policy component when we migrate antivirus policies from a legacy Symantec AntiVirus server.

    Last Update Time does not match heartbeat time.
    Fix ID: 1294572
    Symptom: The Last Update Time is set when a site marks a client as offline. This looks as if the client were actually checked in at that time, but that is not the case.
    Solution: The "Last Online Time" (Clients properties) or the "Last Check-in" (Computer Status log) or the "Last update time" (Computer Status log details) refer to the same client property. This time is updated when one of the client's properties changes. For example, this time is updated to the current time when a client goes from online to offline, from offline to online, or when any one or more of its properties as shown in its Computer Status log details changes. This date/time value, therefore, is the time of last change on the client and is not updated every heartbeat. Use the "Online" property to determine whether a particular client is still communicating with Symantec Endpoint Protection Manager.

    Logged out client systems are missing the green dot icon when viewed from Symantec Endpoint Protection Manager.
    Fix ID: 1195364
    Symptom: Symantec Endpoint Protection Manager does not show the green dot icon for clients which are offline.
    Solution: Altered the queries used during the Symantec Endpoint Protection Manager client audit process to fix this issue.

    Tomcat hangs when generating a scheduled report.
    Fix ID: 1379201
    Symptom: The Java task that generates reports for either scheduled reporting or notifications hangs when it is unable to access IIS, and returns error code 502 or 503.
    Solution: Reporting's custom error pages are all static now. Other custom error pages are all IIS default pages.


    Discrepancies between the client and server on the Known Security Risk Exceptions list.
    Fix ID: 1201020
    Symptom: Symantec Endpoint Protection Manager Console shows fewer known risks than the client user interface.
    Solution: Symantec Endpoint Protection Manager Console now loops to retrieve all known risks that match the client's data.

    While exporting the "Search for Applications" results, invalid characters or missing rows appear in the results of the query.
    Fix ID: 1439734
    Symptom: Exported CSV file contains invalid characters or only has the header row.
    Solution: Certain characters were causing problems with exporting to CSV. By removing these characters, the issue was resolved.

    "Display notification icon" should only be available when "Display client UI" is enabled
    Fix ID: 1223896
    Symptom: The "Display notification icon" checkbox is still available after unchecking "Display client user interface."
    Solution: The "Display notification icon" checkbox is disabled and unchecked when you uncheck "Display client user interface."

    "Object cannot be found [0x16010000]" error when navigating to Admin > Install packages.
    Fix ID: 1429789
    Symptom: In Symantec Endpoint Protection Manager, navigating to Admin > Install packages causes an "object cannot be found" [0x16010000] error. When trying to export a client package, the same error appears.
    Solution: Three-part solution involving updates to the client packages, UI improvements, and improvements to ensuring deleting and reading of the client packages.

    Cannot Set the Expiration Option to "Never" in Symantec Endpoint Protection Manager.
    Fix ID: 1440744
    Symptom: In Symantec Endpoint Protection Manager, it is not possible to set an Administrator's password to "Never Expire." It remains set at the 60 days radio button.
    Solution: Can now set this option to Never.

    Logs seem to continue to grow with no end.
    Fix ID: 1212700
    Symptom: Ersecreg.log and exsecars.log log files continue growing.
    Solution: Improved the logging.

    Symantec Endpoint Protection Manager client data is blank when client is logged off.
    Fix ID: 1422562
    Symptom: The tabs "Clients" and "User info" at client properties are blank.
    Solution: Improved the registration of clients with Symantec Endpoint Protection Manager so that now the reporting of which clients are online is accurate.

    "Daisy chain" replication of Symantec Endpoint Protection Manager causes incomplete data in the replication partners.
    Fix ID: 1405310
    Symptom: Replication from a third site fails after installation of Symantec Endpoint Protection Managers that "daisy chain" multiple sites. Certain components such as packages and policies are missing. Some packages cannot be exported due to missing policies. The following error may occur: "Failed to replicate."
    Solution: All incomplete data in replication partners have been fixed.

    During upgrade, Symantec Endpoint Protection Manager deletes user-created batch files found in the 'bin' folder.
    Fix ID: 1413514
    Symptom: Missing batch files.
    Solution: Fixed the function responsible for deleting the files by replacing it with a function more mindful of possible user-created batch files housed in this folder.

    User is unable to delete old client packages.
    Fix ID: 1431008
    Symptom: Nothing happens after attempting to delete old 32-bit client packages.
    Solution: Corrected the issue with additional software package deployment checks.

    Cannot delete a custom installed feature set.
    Fix ID: 1371772
    Symptom: When trying to delete a custom feature set, the following error appears: "This feature is currently in use; you cannot delete it!"
    Solution: Improved the process of deletion.

    Symantec Endpoint Protection Manager Application and Device Control log view is missing the "user" column.
    Fix ID: 1430747
    Symptom: Symantec Endpoint Protection Manager does not present the user account in the "Details" of the selected event.
    Solution: Added User column in Results and Details page of ADC log.

    Symantec Endpoint Protection Manager Time/OS Time mismatch in non-DST Time zones.
    Fix ID: 1268881
    Symptom: Symantec Endpoint Protection Manager does not account correctly for time zones without Daylight Saving Time.
    Solution: Changed the function used to return the correct current time.

    When using the Find Unmanaged Clients function, the client install fails. Errors appear in the server log.
    Fix ID: 1374314
    Symptom: User cannot copy the package files to the export folder. The product fails to prepare the package.
    Solution: Destination folder did not exist when unzipping the full.zip to the export path. The fix was to create the folder.

    Replication fails and "Object cannot be found: [0x16010000]" error when going to Admin > Servers.
    Fix ID: 1417598
    Symptom: User sees an "Object can't be found" error in Symantec Endpoint Protection Manager when entering the Admin > Servers tab.
    Solution: Symantec Network Access Control now always replicates all sites.

    Policy is not updated consistently.
    Fix ID: 1387071
    Symptom: Switching to a group detail panel does not change the group name.
    Solution: Problem was caused by invalid translation of the code. This is now correctly parsed and resolves the issue.

    Homepage shows "Still Infected" count even though all infections are cleared on Computer Status log.
    Fix ID: 1408109
    Symptom: When you clear infections using the Computer Status log "Clear Infected Status" option, it is still possible to see "Still Infected" counts in the Homepage "Action Summary by Detection Count."
    Solution: Added additional checks and updated queries used on the Homepage.

    Symantec Endpoint Protection Manager hangs when generating a scheduled report.
    Fix ID: 1362174
    Symptom: Error appears when generating a scheduled report.
    Solution: Added static .htm error pages for PHP and updates to IIS configuration.


    Symantec Network Access Control

    Wireless Zero Configuration and related services stop with Network Access Control in Transparent mode.
    Fix ID: 1409097
    Symptom: Wireless Zero Configuration and Wired Auto Configuration services stop when Network Access Control is set to Transparent mode on the client.
    Solution: Improved handling of the Identity response to eliminate the need to stop the Microsoft services and to prevent the "authentication failed" message in policy-based transparent mode.

    Slow login with Symantec Endpoint Protection and Novell client software.
    Fix ID: 1396418
    Symptom: User may experience a three-second login delay if they use the Novell client or use login scripts, even if an 802.1x environment is not used.
    Solution: Make the wait timeout value configurable through Symantec Endpoint Protection Manager and disable the SNACNP.DLL if 802.1x is not configured in policy.

    Snac.exe stops responding when connecting to wireless AP in home environment, but not office.
    Fix ID: 1435705
    Symptom: When a user attempts to connect to the Linksys wireless router at home, snac.exe stops responding.
    Solution: The SSID length that was passed into memory was too large.

    Snac.exe stops after about 30 seconds.
    Fix ID: 1409297
    Symptom: Snac.exe stops after about 30 seconds, and a popup message appears.
    Solution: Symantec Network Access Control service was unable to receive incoming EAP packets, causing a false alarm. In turn, Symantec Network Access Control service was restarting. Compatibility updates for necessary drivers have been made to resolve this issue.

    Snac.exe application fault.
    Fix ID: 1425246
    Symptom: During startup, computers that were upgraded to MR3 show the message "Faulting application SNAC.EXE, version 11.0.3001.155, faulting module ntdll.dll, version 5.1.2600.5512, fault address 0x0001b1fa."
    Solution: Fault has been resolved.

    Gateway Enforcer failover causes ARP flood.
    Fix ID: 1323897
    Symptom: Symantec Network Access Control sends many ARP packets to both internal and external networks when failover occurs.
    Solution: Added data to the end of the ARP packet when it is forwarded by Enforcer. When another Enforcer receives this packet, it sees the added data and does not forward the packet again.

    "Add Trusted External IP Range" feature changes do not take effect.
    Fix ID: 1448412
    Symptom: IP address or IP range info is not saved.
    Solution: When adding a new IP address or IP range in the trusted list, it now takes effect immediately.

    Users are unable to connect to network via Gateway Enforcer when using Jiangnan VPN.
    Fix ID: 1444422
    Symptom: When connecting to the network via the Jiangnan VPN, you are unable to successfully communicate with Symantec Endpoint Protection Manager or authenticate to the network.
    Solution: Fixed the dll causing the issue.

    Unable to add more than 300 trusted IP addresses.
    Fix ID: 1448404
    Symptom: Cannot add more than 300 rows successfully.
    Solution: Can now add more than 300 rows successfully.

    The syntax checking for Gateway Enforcer protocol filtering does not work correctly.
    Fix ID: 1250187
    Symptom: The syntax checking for Gateway Enforcer protocol filtering does not work correctly. It will not allow you to type in "allow 802.3" and "allow 224.0.1.0/255.255.255.0", both of which are valid entries.
    Solution: Change was made to allow 802.3 for one independent protocol string, but not in protocol range.

    Client authentication will not fail over to the second RADIUS server if the first RADIUS server is down.
    Fix ID: 1448406
    Symptom: With LAN Enforcement using Symantec Network Access Control 6100 Enforcer 11.0.2000, the first attempt at client authentication will fail because LAN enforcer does not switch RADIUS server from 1 to 2 immediately.
    Solution: Change RADIUS server timeout to 3 seconds so that Enforcer will not send out RADIUS reject due to too many identity packets being received.

    Enforcer fails to match correct action rule during startup with Transparent Mode.
    Fix ID: 1448410
    Symptom: In transparent mode, when the computer is starting up, the computer sends HI Pass, EAP unavailable, and Profile Unavailable.
    Solution: Mismatching of Client GUID issue has been fixed.

    Thirty second delay in client sending EAP packets results in unavailable resources.
    Fix ID: 1447050
    Symptom: The Symantec Network Access Control module does not send an EAP packet until 30 seconds after the network card service starts. Due to this, if any network service has to be started immediately after the logon screen and before Symantec Network Access Control finishes authentication, it will not be available and may cause download failures (for logon scripts, for example).
    Solution: Delay has been resolved.

    LAN enforcer MAB local database can only store 450 MAC addresses.
    Fix ID: 1448400
    Symptom: With a large number of MAC addresses, an error message appears saying that the file size is too big.
    Solution: Modified the MAC range control to allow a user to input a large number of MAC addresses.

    LAN Enforcer does not fail over to secondary Radius server when primary Radius server goes offline.
    Fix ID: 1440873
    Symptom: When the primary Radius server goes offline, the LAN Enforcer does not fail over to the secondary Radius server, resulting in clients not being authenticated.
    Solution: Resolved Radius failover function of LAN Enforcer for MAB authentication.


    Readme items
    The help topics for Damper settings state specifically that "Client List Changed" only has one setting, "Auto."
    Fix ID: 1365700
    Symptom: The help states specifically that "Client List Changed" only has one setting, "Auto".
    Solution: For full details see readme section titled "The Configure Notifications help includes some incorrect information".

    Page 60 in MR4 Admin guide contains an incorrect description of last icon
    Fix ID: 1453627
    Symptom: The last icon is a user mode icon. The PDF incorrectly states that it is in computer mode.
    Solution: Added a readme item correcting the Admin guide error.



    Maintenance Release 3 (MR3)

    Component versions in MR3

    Major Components
    Symantec Endpoint Protection 11.0.3001.2224
    Client Management Component 11.0.3001.2224
    Symantec Network Access Control 11.0.3001.155
    Symantec Endpoint Protection Manager 11.0.3001.2224
    Minor Components
    Auto-Protect 10.2.6.5
    Behavior Blocking 3.3.7.004
    COH 6.1.6.3
    Common Client 6.3.7.009
    DecABI 1.1.1.39
    Defutils 3.3.20.0
    QServer 3.6.16
    SyKnAppS 2.5.0.12
    SymEvent 12.5.3.3
    SymNetDrv 7.2.3.302
    WpsHelper 11.0.717.804

    Symantec Endpoint Protection client fixes
      Corrupted string in User Information when using Japanese string
      Fix ID: 1118892
      Symptoms: When editing the "Set User Information Collection" field in the exported install package in Japanese, the string fields of the text are corrupted.
      Solution: Updated fields to accept double-byte characters.

      Cannot create an "ignore" exception for some proactive detections
      Fix ID: 1178830
      Symptoms: Certain executables do not appear in the detected processes. You are unable to set the action to "ignore."
      Solution: Updated the firewall to recognize the executables and display them.

      20-20 Design software does not load properly with Sysplant enabled
      Fix ID: 1178838
      Symptoms: After installing the 20-20 Design software with Application and Device Control enabled, the Design.exe process fails after a few seconds.
      Solution: Application and Device Control was modified to allow the application to execute properly.

      Symantec Endpoint Protection service stops and starts repeatedly on Windows 2000 Terminal Server
      Fix ID: 1179755
      Symptoms: The event log shows event ID 7031 after installing Symantec Endpoint Protection 11.0 to a Windows 2000 Terminal Server in Remote Administration mode.
      Solution: Addressed a crash in the startup sequence for RTVScan to properly load and improve start up performance.

      Unable to configure Application Control for Binary or DWORD registry values
      Fix ID: 1180455
      Symptoms: When configuring Application Control for registry access, it will not block DWORD or Binary registry values.
      Solution: Updated the driver to properly monitor and control all registry key types.

      Symantec AntiVirus to Symantec Endpoint Protection 11.0 migrated scheduled LiveUpdate settings are not properly reflected in the Symantec Endpoint Protection 11.0 user interface
      Fix ID: 1185614
      Symptoms: When migrating from Symantec AntiVirus to Symantec Endpoint Protection, the scheduled LiveUpdates appear with a default value.
      Solution: Updated the migration calls to properly migrate the LiveUpdate schedules.

      Terminal servers run multiple instances of ProtectionUtilSurrogate.exe
      Fix ID: 1185648
      Symptoms: After installing Symantec Endpoint Protection 11.0 to a Terminal Server, a copy of ProtectionUtilSurrogate.exe is run for each user that logs on.
      Solution: Symantec Endpoint Protection 11.0 now allows for a client to disable the extra components from loading in separate sessions.

      Cannot schedule LiveUpdate on an unmanaged 64-bit client
      Fix ID: 1196685
      Symptoms: After installing Symantec Endpoint Protection 11.0 on an unmanaged 64-bit machine, you are unable to schedule any LiveUpdates.
      Solution: Fixed the storage location in the registry of the LiveUpdate schedule key.

      After upgrading from Symantec AntiVirus, the Symantec Endpoint Protection 11.0 client appears to have continuous QuickScans running
      Fix ID: 1199488
      Symptoms: After migration, the user interface shows a QuickScan continually running, even after it was completed.
      Solution: All scans will be set to "done" on migration so that they will not run outside their schedule.

      High CPU utilization on Terminal Servers with multiple active sessions
      Fix ID: 1201882
      Symptoms: Each session on a Terminal Server runs an instance of SMCGUI, which causes high CPU utilization.
      Solution: Symantec Endpoint Protection now allows for a client to disable the extra components from loading in separate sessions.

      Lexware software fails with Application and Device Control
      Fix ID: 1204295
      Symptoms: After installing Symantec Endpoint Protection, the Lexware software no longer prompts for a password and does not launch correctly.
      Solution: Modified Application and Device Control to allow the application to execute properly.

      Mitek's Truss Engineering design software fails to load with Application and Device Control installed
      Fix ID: 1211062
      Symptoms: After installing Symantec Endpoint Protection, the Mitek 20/20 software no longer loads properly.
      Solution: Application and Device Control was modified to allow the application to execute properly.

      Location Awareness fails to switch locations correctly when using wireless connections
      Fix ID: 1214058
      Symptoms: When a location is configured to switch using a "Client computer uses Wireless" configuration, the client doesn't always switch properly.
      Solution: Updated the location switching engine to properly identify Wireless configurations.

      Unable to stop users from stopping a scan when configuring the client to be able to snooze a scan
      Fix ID: 1225607
      Symptoms: To configure the client with the ability to snooze a scan, the "Allow user to stop a scan" box must also be unchecked.
      Solution: Added a checkbox to allow the administrator to provide the ability to pause a scan but not cancel it.

      Microsoft Dynamics application crashes in RDP session with Network Threat Protection enabled
      Fix ID: 1228312
      Symptoms: Microsoft Dynamics application crashes in an RDP session when using Network Threat Protection, but works locally.
      Solution: Application and Device Control was modified to allow the application to launch properly.

      Active Scan fails to launch after definitions are updated
      Fix ID: 1228476
      Symptoms: After new definitions are installed, the post-update Active Scan fails to launch.
      Solution: Changed the call used to launch the Active Scan to ensure that it launches as designed.

      Clients that cannot access the Group Update Provider (GUP) for updates fail over to Symantec Endpoint Protection Manager
      Fix ID: 1236384
      Symptoms: If a client cannot receive an update from the GUP, it fails over to Symantec Endpoint Protection Manager even if that is not what the administrator desires.
      Solution: Added additional GUP configurations to allow administrators to specify that clients should never bypass the GUP.

      Unable to run Ice Sword rootkit detection tool with Symantec Endpoint Protection installed
      Fix ID: 1238015
      Symptoms: When trying to launch the Ice Sword software with Symantec Endpoint Protection installed, an initialization error appears.
      Solution: Application and Device Control was modified to allow the application to launch properly.

      Symantec Endpoint Protection client does not write an event when NTP is re-enabled
      Fix ID: 128512
      Symptom: When allowing a user to disable NTP temporarily but with an automatic re-launch, the disabled notification is logged, but an enable notification is not.
      Solution: Added an event log entry that states "Symantec Management Client has been activated" to be logged when the NTP component is re-enabled.

      Symantec Endpoint Protection client fails to communicate with manager when explorer.exe is not loaded
      Fix ID: 1247147
      Symptoms: If explorer.exe is not loaded, the client will not communicate with Symantec Endpoint Protection Manager.
      Solution: Removed the dependency on explorer.exe.

      Multiple Systray icons appear after launching Citrix applications
      Fix ID: 1262984
      Symptoms: Each time a client opens a Citrix application, an additional tray icon appears.
      Solution: Symantec Endpoint Protection now allows for a client to disable the extra components from loading in separate sessions.

      "Log files written to USB drives" only logs the first file copied
      Fix ID: 1263163
      Symptoms: When copying multiple files to a USB drive, only the first file is logged.
      Solution: Added additional Tamper Protection logic to process all events.

      Uninstalling the email tools does not remove ccEmlPxy.dll
      Fix ID: 1263922
      Symptoms: After uninstalling the email tools, the ccEmlPxy.dll file is left behind in the Symantec Shared directory. This may cause errors.
      Solution: Changed the uninstaller to remove all email plug-in related files during uninstall.

      Cannot save Word 2003 file changes to a cluster server
      Fix ID: 1265733
      Symptoms: Word 2003 files will not save changes when attempting to edit from a cluster server share.
      Solution: Updated AutoProtect to handle network file share writes.

      Firewall rules created through learned applications do not block and write to log
      Fix ID: 1267057
      Symptoms: When rules are created using the learned applications function the rule doesn't appear to work. Creating the rule manually is successful.
      Solution: Modified the firewall creation process to create the rule properly.

      SMC -stop command fails when User Account Control (UAC) is enabled
      Fix ID: 1268114
      Symptoms: When attempting to stop the SMC service using "smc -stop" on Windows Vista with UAC enabled, the SMC service remains running.
      Solution: Changed the application to properly allow the -stop command to succeed with UAC.

      System log entry shows "Stop serving as the GUP" though client was never a GUP
      Fix ID: 1277545
      Symptoms: Symantec Endpoint Protection clients appear to have stopped serving as a GUP even though they never were a designated GUP.
      Solution: Added a check to confirm that the client was a GUP prior to writing event log entries.

      With Remote Registry Service disabled, Symantec Endpoint Protection 11.0 MR2 fails to install
      Fix ID: 1278518
      Symptoms: To complete a MR2 deployment from a remote computer, the Remote Registry Service must be running for the installation to succeed.
      Solution: Changed the prerequisite check to allow for the installation to continue without Remote Registry Service.

      Risk declared as clean but still shows a red 'X'
      Fix ID: 1280312
      Symptoms: Even after Symantec Endpoint Protection 11.0 cleans a threat, the log icon still shows a red 'X'.
      Solution: Addressed the return codes so that threats that are successfully dealt with get a green check mark.

      IPS detections do not contain the IP of the local machine
      Fix ID: 1283095
      Symptoms: Detections of outbound threats do not include the IP address of the Symantec Endpoint Protection client the detections are occurring on, but instead show '0.0.0.0'.
      Solution: Changed the call made to gather the IP address to report the client IP correctly.

      SymCorpUI.exe hangs while scanning
      Fix ID: 1284416
      Symptoms: In some situations a scan will cause a hang in SymCorpUI.exe.
      Solution: Check for NULL areas prior to using them as pointers.

      SMC crash on Windows XP Service Pack 2 with Nortel VPN Client installed
      Fix ID: 1288020
      Symptom: On startup, SMC.exe fails.
      Solution: Addressed a crash in the 802.1x part of the firewall traffic scanning engine.

      Location Switching Criteria "Aventail SSL VPN" fails
      Fix ID: 1289968
      Symptom: When configuring the Location Switching in Symantec Endpoint Protection to use the Network Connection Type "Aventail SSL VPN" the client will not properly switch locations when using the VPN software.
      Solution: Added logic to recognize the newer Aventail SSL VPN client.

      ccApp causes a runtime error during e-mail download
      Fix ID: 1290034
      Symptoms: When using the Internet E-mail plug-in, downloading e-mail into Outlook Express may cause a ccApp runtime error.
      Solution: Addressed the crash in the Common Client scan engine.

      Consortium Conference Client Forum fails to open with Symantec Endpoint Protection installed
      Fix ID: 1290124
      Symptoms: When using Application and Device Control, the Consortium Conference Client forum fails to run.
      Solution: Application and Device Control was modified to allow the application to launch properly.

      Windows 2008 dropping network shares with AutoProtect enabled
      Fix ID: 1290133
      Symptoms: Network shares become unresponsive after installing Symantec Endpoint Protection MR2 with AutoProtect enabled on a Windows 2008 server.
      Solution: Modified Auto-Protect to address the problem.

      Cannot change System Recovery settings with Application and Device Control
      Fix ID: 1292400
      Symptoms: With Application and Device Control installed, attempts to change the System Recovery settings in Windows cause an error.
      Solution: Modified Application and Device Control to allow the application to function properly.

      Delay occurs when logging out of a Remote Desktop session with Symantec Endpoint Protection installed
      Fix ID: 1295742
      Symptoms: After installing Symantec Endpoint Protection with Application and Device Control enabled, there is an approximately one minute delay when logging out of a Remote Desktop Session.
      Solution: Application and Device Control was modified to allow the application to function properly.

      Symantec Endpoint Protection client reports that Network Threat Protection is active even though it is not installed
      Fix ID: 1295836
      Symptoms: Network Threat Protection displays in the system logs as activated and provides an engine version in the client logs even though it is not installed.
      Solution: Changed the logging functionality not to log the incorrect statements and engine versions.

      Initial DHCP traffic is allowed even if a rule in place is configured to block all traffic
      Fix ID: 1297792
      Symptoms: With a firewall rule configured to block all traffic on the wireless adapter, DHCP traffic is still allowed.
      Solution: Modified the firewall to correctly block the traffic.

      Users can snooze scans indefinitely
      Fix ID: 1297863
      Symptoms: When a policy is configured to allow users to only scan three times, the user can right-click on the scheduled scan taskbar to continue snoozing the scan.
      Solution: Temporary pauses now honor the administrator's limits.

      PTV America's VISSIM software fails to load with Application and Device Control installed
      Fix ID: 1298834
      Symptoms: When Application and Device control is installed, the software process (vissim0.exe) begins to load and then disappears after a few seconds.
      Solution: Application and Device Control was modified to allow the application to function properly.

      Application and Device Control installed with ZENRIN its-moNAVI causes an application crash
      Fix ID: 1300452
      Symptoms: With Application and Device Control installed, attempts to close the its-moNAVI application will cause a crash.
      Solution: Updated registry protection to allow the software to exit normally.

      Location Awareness displays as disabled in the client's troubleshooting user interface
      Fix ID: 1315921
      Symptoms: Location Awareness always appears disabled in the Client Control Mode no matter whether autolocation is enabled.
      Solution: Corrected the verification calls to display the Location Awareness status correctly.

      Symantec Endpoint Protection user interface hangs when the operating system is set to Traditional Chinese language input
      Fix ID: 1316001
      Symptoms: When Windows XP default input language is set to Traditional Chinese, Symantec Endpoint Protection UI stops responding to mouse clicks after a few clicks.
      Solution: Adjusted the user interface settings to ensure that it does not lose focus and hang.

      Cannot deploy a client package without the out of date definition warnings appearing
      Fix ID: 1317002
      Symptoms: Even if the administrator disabled the out of date definition dialog box, the warning will appear on new installations.
      Solution: Fixed the default setting to not display the dialog box when configured not to do so.

      Symantec Endpoint Protection 11.0 MR2 MP2 Outlook e-mail plug-in strips attachments
      Fix ID: 1317106
      Symptoms: When trying to save attachments that are excluded from the File Type list, the file gets saved as a 0k file.
      Solution: Modified the Outlook hook to report the scanned state of the file back correctly so that Outlook can correctly save the file.

      Certain DOS applications fail with Application and Device Control enabled
      Fix ID: 1363281
      Symptoms: Application and Device Control's "File and Folder access attempts" function causes some DOS applications to malfunction.
      Solution: Modified APIs used to handle system calls properly and allow applications to function.

      Oracle Discover 3.1 fails with Application and Device Control installed
      Fix ID: 1366803
      Symptoms: With Application and Device Control installed, Oracle Discover 3.1 will appear to launch but will actually fail.
      Solution: Modified Application and Device Control to allow the application to function properly.



    Symantec Endpoint Protection Manager fixes
      Symantec Endpoint Protection Manager incorrectly parses the client inventory data forwarded from Symantec AntiVirus Reporting agents
      Fix ID: 1367356
      Symptoms: When Symantec Endpoint Protection Manager is configured to parse legacy client logs, the system does not process the uploaded inventory log files correctly.
      Solution: Modified the log parsing process to handle 0-length lines and continue processing.

      Manager Server Configuration Wizard does not accept special characters
      Fix ID: 1126665
      Symptoms: The initial installation accepts special characters, but when trying to log on to reconfigure the management server, the logon will fail.
      Solution: Special characters are no longer allowed during the installation process.

      Unable to configure the definition warning message in the manager
      Fix ID: 1182971
      Symptoms: There is not a way to configure the out of date definition dialog message in the Policy Manager.
      Solution: Added a configuration option to change the text.

      Symantec AntiVirus server names and client groups are not listed for some server groups when using the Symantec Endpoint Protection Manager migration wizard
      Fix ID: 1188010
      Symptoms: When the server group has the same name as the primary server, the server/client hierarchy for the group does not display in the Symantec Endpoint Protection Manager migration wizard.
      Solution: Changed the wizard's group import process to correctly display groups and policies.

      The Symantec Endpoint Protection Manager password lifetime is hard coded
      Fix ID: 1194677
      Symptoms: The administrator cannot configure how long a password has before it expires and must be changed.
      Solution: Added a configuration option to allow the administrator to configure the password expiration timeframe.

      The list of Known Security Risk Exceptions is longer on the Symantec Endpoint Protection client than it is in Symantec Endpoint Protection Manager
      Fix ID: 1201020
      Symptoms: The Symantec Endpoint Protection client has a larger list of Security Risks than Symantec Endpoint Protection Manager does.
      Solution: Updated the APIs used to enumerate the Risk Exception list.

      An export button is missing from the export search data dialog box
      Fix ID: 1203445
      Symptoms: Page 73 of the Administrator guide directs the admin to click on an export button in the dialog box that doesn't appear in Symantec Endpoint Protection Manager.
      Solution: Added the dialog box.

      Symantec Endpoint Protection Manager fails to update virus definitions or policies to clients
      Fix ID: 1212533
      Symptoms: Symantec Endpoint Protection Manager outbox/agent directory fails to update with new content, and clients remain out of date.
      Solution: Added a synchronizing mechanism to avoid multiple updates and replication while updating.

      Inconsistent notifications when configuring Risk outbreak notifications using a damper control
      Fix ID: 1214320
      Symptoms: When configuring the Risk notifications using the damper configuration, the notifications aren't always consistent.
      Solution: Corrected a duplicate risk log entry to address duplicate notifications.

      GUP fails to update clients
      Fix ID: 1222412
      Symptoms: The GUP appears to be requesting a Full.zip from the server when it doesn't exist.
      Solution: Addressed the server update compilation process to ensure updates are available to the GUP when requested.

      Symantec Endpoint Protection Manager limited administrators can still perform administrator tasks
      Fix ID: 1222797
      Symptoms: A Limited Administrator in Symantec Endpoint Protection Manager still has the ability to block the addition of clients to a group and add install packages to groups by right clicking the white space on the Install Package tab and clicking Add.
      Solution: Updated the user interface panels to adhere to the user's permissions.

      Administrators log off time is always the same as the last log-in time
      Fix ID: 1225992
      Symptoms: When viewing the Online Status of all Administrators from within Symantec Endpoint Protection Manager, the Last Log Off Time always shows identical to the Last Log On Time.
      Solution: Fixed the admin state to reflect the correct log off time.

      Installing Symantec Endpoint Protection Manager to a custom web site will remove similarly named directories from the default Web site
      Fix ID: 1226024
      Symptoms: When installing to a custom Web site, installing or uninstalling Symantec Endpoint Protection Manager will remove similarly named directories that exist under the default website, even if they were not placed there by Symantec Endpoint Protection Manager.
      Solution: The default Web site will not be altered when installing into a custom Web site.

      Symantec Network Access Control Appliance shows online and connected to Symantec Endpoint Protection Manager even though required Symantec Network Access Control upgrade is not installed
      Fix ID: 1229194
      Symptoms: Symantec Network Access Control Enforcer Appliance will show SPM Status online and connected even though the Symantec Endpoint Protection Manager does not have the required Symantec Network Access Control software upgrade installed.
      Solution: Modified Symantec Endpoint Protection Manager to display the Symantec Network Access Control appliance status correctly.

      Port 1812 error when installing Symantec Endpoint Protection Manager
      Fix ID: 1231532
      Symptoms: Even if the LAN Enforcer is not being installed, Symantec Endpoint Protection Manager requires the 1812 port to be available before installing.
      Solution: Removed port 1812 check if the LAN Enforcer is not being installed.

      Synchronization and import errors occur when deleting a Directory Server from the first Symantec Endpoint Protection Manager
      Fix ID: 1234447
      Symptoms: When two or more Symantec Endpoint Protection Managers are installed in the same site and share the same database, deleting a Directory Server from the first Symantec Endpoint Protection Manager will cause the additional Symantec Endpoint Protection Managers to lose their connection and ability to synchronize with previously established Directory Servers and Organizational Units.
      Solution: Corrected the API that returns directory servers such that a null parameter correctly returns all Directory Servers.

      In the Policies tab, the feature "Replace the Policy" doesn't work for the IPS policy
      Fix ID: 1234753
      Symptoms: When attempting to use the "Replace" Task on the Intrusion Prevention Policies pane under the Policies Tab in Symantec Endpoint Protection Manager, the dialog showing the replacement options works correctly, but the active policy is not replaced.
      Solution: Added logic to correctly handle the IPS policies.

      Unable to configure Symantec Endpoint Protection Manager to send e-mail notifications on a non-standard port
      Fix ID: 1239649
      Symptoms: Symantec Endpoint Protection Manager is configured to send e-mail notifications on port 25, and if the administrator's mail server is using a different port, Symantec Endpoint Protection Manager cannot be reconfigured.
      Solution: Added a configuration option to allow the port to be configured.

      An option to save reports is not available in Symantec Endpoint Protection Manager
      Fix ID: 1246926
      Symptoms: When running a report in the Endpoint Protection Manager and exporting the report, it automatically opens in a web browser and does not offer the option to save.
      Solution: Added a download dialog after selecting the export option.

      Scheduled LiveUpdate for Symantec Endpoint Protection Manager does not work within specified time frame
      Fix ID: 1259224
      Symptoms: LiveUpdate fails to run when the minute which Symantec Endpoint Protection Manager chooses to run LiveUpdate is equal to the end time specified within the Symantec Endpoint Protection Manager LiveUpdate schedule.
      Solution: Modified the scheduler to handle overlapping LiveUpdate schedules.

      Special characters in client computer description cause error
      Fix ID: 1260350
      Symptoms: Special characters in client computer description cause SAXParseException in scm-server-0.log.
      Solution: Added function to handle the special characters properly.

      After migrating Symantec Endpoint Protection Manager, policies and content are not being pushed to the client
      Fix ID: 1262832
      Symptoms: Definitions and policies are not being sent to the client and a JavaNullException appears in scm-server-0.log.
      Solution: Added additional handling for broken links to continue processing content.

      Replication of the databases takes up large amounts of drive space
      Fix ID: 1263684
      Symptoms: After running Symantec Endpoint Protection Manager for some time, there will be content versions that should be deleted, but are not, and they take up large amounts of database storage. Replication merges the data, taking up even more space.
      Solution: Added database clean-up functions to remove unneeded content.

      The reporting dashboard doesn't specify the amount of data that is being displayed
      Fix ID: 1264056
      Symptoms: The reporting dashboard only shows the last 12 hours of data but it is not clear that that is what is displayed.
      Solution: Added a time display on the user interface.

      Computer Status Log [Detail] and [Export] link do not have correct date/time
      Fix ID: 1266588
      Symptoms: When viewing "Computer Status Logs", different values for the same attributes are displayed depending whether the [Details] or [Export] links are chosen.
      Solution: Corrected the functions used to gather the date/time stamps.

      Symantec Endpoint Protection Manager auto log sweep does not log when it runs
      Fix ID: 1271370
      Symptoms: Auto log sweep is not logged in the Symantec Endpoint Protection Manager log, while a manual log sweep is.
      Solution: Added logging functionality.

      Host Group name does not change in the Firewall Policy interface
      Fix ID: 1274460
      Solution: Changed the call made to gather the object name.

      Find Unmanaged Computers not returning Symantec AntiVirus version installed after discovery
      Fix ID: 1274524
      Symptoms: After the discovery finishes and the client is discovered and shows up in the "unmanaged Computer" tab, the Software Column is not populated with the information about the client Symantec AntiVirus that is installed.
      Solution: Added code to recognize legacy Symantec AntiVirus and Symantec Client Security versions.

      Downloaded Command filter in reporting does not report anything
      Fix ID: 1275389
      Symptoms: When reporting on the Event Type - Downloaded Command, the report does not generate any information, even if the client has successfully downloaded and run a command.
      Solution: Changed the report to properly display executed commands.

      Symantec Endpoint Protection Manager Administrator is able to view restricted data
      Fix ID: 1278495
      Symptoms: A Symantec Endpoint Protection Manager Administrator (not a System Administrator) is able to view data in some reports that is outside of the Symantec Endpoint Protection Manager domain to which they belong.
      Solution: Updated code to properly handle the advanced filters.

      "Failed to export to Group" when exporting installation packages
      Fix ID: 1282747
      Symptoms: When you export a Symantec Endpoint Protection 11.0 installation package with Symantec Endpoint Protection Manager, the operation will appear to be successful, but the following error will be displayed: "Failed to export to Group <Group Name>".
      Solution: Addressed an export failure that would occur if the exporting path or group name contains more than one consecutive space.

      Installing Symantec Endpoint Protection Manager to a SQL database with a custom DSN port, Symantec Endpoint Protection Manager log on will fail until Symantec Endpoint Protection Manager is configured to use a static port
      Fix ID: 1284996
      Symptoms: When a site is reconfigured with a different SQL port or with different database instance name, the DSN used for reporting will not display reports or may display an error dialog.
      Solution: Symantec Endpoint Protection Manager now recognizes the custom port and properly updates ports and database instance names.

      The "change password" link is missing from the Admin\Tasks
      Fix ID: 1285143
      Symptoms: When signing in with an Active Directory authenticated account, navigating to the Admin Tab and choosing any of the accounts will not display the "Change Administrator Password" option.
      Solution: Corrected the logon functionality and the "Change Administrator Password" link is displayed and works correctly.

      Query fails on the computer status log page when the max limit is set to 1000 rows
      Fix ID: 1287094
      Symptoms: Using a long query string that specifies each of 1000 32-char GUIDs causes the query to fail.
      Solution: Optimized the query to handle the long query strings.

      Limited Admin restricted to one group can view all learned applications globally in a Symantec Endpoint Protection Manager site
      Fix ID: 1292279
      Symptoms: A limited administrator with full access to only one sub-group has the ability to choose the Global group when searching for learned applications.
      Solution: Changed the call made to only gather the groups the administrator has access to.

      Several policy changes generate broken links
      Fix ID: 1293296
      Symptoms: A few successive changes to the policies in Symantec Endpoint Protection Manager cause the database to contain broken links.
      Solution: Updated the code utilized to verify the inheritance configuration for Symantec Endpoint Protection Manager policies.

      "Unable to read xml file" error in SesmLU.log when Symantec Endpoint Protection Manager uses a non-default data folder
      Fix ID: 1299042
      Symptoms: If, during installation of Symantec Endpoint Protection Manager, the path of the Symantec Endpoint Protection Manager Data folder is changed in the Management Server Configuration Wizard to a location other than the auto-detected location, errors occur in SesmLu.log after running LiveUpdate.
      Solution: Modified how the server.xml location is loaded by SesmLu.

      Temp files build up on server when backing up sem5 database
      Fix ID: 1299067
      Symptoms: The server hard drive fills up with .temp files when backing up database.
      Solution: Added a buffer parameter in the backup operation.

      OU import fails with errors when importing from the domain level through LDAP
      Fix ID: 1300113
      Symptoms: When importing from the domain level, a "Failed to connect to the Directory Server. Verify that the server name and port are correct" error may appear.
      Solution: Modified the import process to handle unique characters like '%2F'.

      Restored backup does not sync Settings.LiveUpdate file and Symantec Endpoint Protection Manager user interface configuration
      Fix ID: 1302032
      Symptoms: After restoring a Symantec Endpoint Protection Manager backup, the proxy settings are not synchronized with the LiveUpdate settings file.
      Solution: Forced a sync during the database backup sequence.

      Cannot deploy clients to Organizational Units that have commas in the name
      Fix ID: 1317112
      Symptoms: When you import an Active Directory OU that has a comma in the name, that OU or other OUs below it are not usable for Symantec Endpoint Protection Manager client deployment. Any clients deployed to them will be installed to the temporary group.
      Solution: Modified the function to parse OU names with commas in them correctly.

      Risk log does not show up in Symantec Endpoint Protection Manager
      Fix ID: 1317130
      Symptoms: If a risk event is stored in the database with a blank name, the risk logs will no longer forward to the Symantec Endpoint Protection Manager database.
      Solution: Added additional checks to avoid the server log corruption.

      Tomcat hangs when generating scheduled report
      Fix ID: 1318193
      Symptoms: The Java task that generates reports for either scheduled reporting or notifications hangs when it is unable to access IIS with an error code of 502 or 503.
      Solution: Updated error code pages to allow Symantec Endpoint Protection Manager to continue processing.

      Symantec Endpoint Protection Manager > Monitor > Logs does not maintain report after command initiated using custom filter
      Fix ID: 1320751
      Symptoms: Symantec Endpoint Protection Manager > Monitor > Logs does not maintain the report after a command is initiated using a custom saved filter. A "No Entries" message is displayed after clicking the start button for the specified command, and clients are no longer visible in the logs report.
      Solution: Corrected the filter name so that it can be properly saved and reused.

      Assigning a policy to a group takes too long
      Fix ID: 1323714
      Symptoms: Slow performance when trying to assign a policy to a group when Symantec Endpoint Protection Manager is managing a large number of groups.
      Solution: Optimized the database processing to handle large numbers of groups.

      Symantec Endpoint Protection Manager OU Import issues if "Description field" contains escape characters \n, \u, \N, or \O
      Fix ID: 1364410
      Symptoms: Computer descriptions imported from Active Directory with certain characters will cause import failures or partial client deletions.
      Solution: Added escape solution and better encoding translation.

      System Administrator cannot view reports created by Administrators in Symantec Endpoint Protection Manager
      Fix ID: 1366587
      Symptoms: Scheduled reports created by an Administrator with default permissions cannot be viewed by the System Administrator.
      Solution: Altered the query used to view reports to display the reports for which the administrator has permissions.

      Display filter does not retain changed settings after closing Symantec Endpoint Protection Manager
      Fix ID: 1371799
      Symptoms: In Symantec Endpoint Protection Manager, under the Clients view, attempts to set a display filter to allow the viewing of more or less than 30 clients will be reset after Symantec Endpoint Protection Manager is closed and reopened.
      Solution: New values are now remembered in later sessions.

      Exporting the Application and Device Control Logs crashes due to invalid characters
      Fix ID: 1395288
      Symptoms: The Export function crashes when invalid characters are included in Application and Device Control logs.
      Solution: Symantec Endpoint Protection Manager no longer uses XML to temporarily export logs.



    Symantec Network Access Control fixes
      Gateway Enforcer set to Fail Open and disable settings will not save after reboot
      Fix ID: 1285052
      Symptoms: Gateway Enforcer Fail Open is disabled prior to reboot. After reboot, the Fail Open status is set to enabled again.
      Solution: New values are now remembered after reboot.



    Maintenance Patch 2 for Symantec Endpoint Protection Maintenance Release 2 (MR2 MP2)
    This section describes the fixes in Maintenance Patch 2 for Maintenance Release 2.

    About Maintenance Patch 2
    This Maintenance Patch cannot be installed over the 11.0.0 or 11.0.1 versions of Symantec Endpoint Protection Manager. It must be installed over Maintenance Release 2, either with or without Maintenance Patch 1. For information about how to obtain the latest build of Symantec Endpoint Protection, read the following document: Obtaining an upgrade or update for Symantec Endpoint Protection 11.x or Symantec Network Access Control 11.x.

    Components included in Maintenance Patch 2
      Major components

      Component                             Version
      Symantec Endpoint Protection          11.0.2020.56
      Client Management Component           11.0.2020.21
      Symantec Network Access Control       11.0.2020.8
      Symantec Endpoint Protection Manager  11.0.2020.26


      Minor components
    Component           Version
    AMS                 6.12.0.148
    Auto-Protect        10.2.4
    Behavior Blocking   3.3.7
    COH                 6.1.2.3/6.1.3.20
    Common Client       106.3.6.9
    DecABI              1.1.1.39
    DefUtils            3.3.11.0/3.3.16.0
    ECOM                61.3.0.17
    QServer             10.1.8.8000
    SyKnAppS            2.5.0.12
    SymEvent            12.5.3.3
    SymNetDrv           7.2.1.110
    Teefer2             11.0.1836.12
    WpsHelper           11.0.717.804
    VxMs (MSLight)      5.1.1.0

    New fixes in Maintenance Patch 2

    Symantec Endpoint Protection Manager fixes
      Unable to delete older Install Packages after migrating to MR2
      Fix ID: 1255413
      Symptom: After migrating from the MR1 build of Symantec Endpoint Protection Manager to the MR2 build, packages cannot be deleted from Admin > Install Packages.
      Solution: Modified Symantec Endpoint Protection Manager to better detect when packages are in use, and allow the administrator to delete unused packages.

      After migrating to Symantec Endpoint Protection Manager MR2, unable to export MR2 client install packages
      Fix ID: 1265816
      Symptom: Replication marks the content as "Nul" for packages, so those packages cannot be exported from the console.
      Solution: Addressed null packages to allow for the proper exports of packages.

      Domains that have been deleted from Symantec Endpoint Protection Manager are still showing up in Reporting
      Fix ID: 1269092
      Symptom: When opening Reports > Advanced Settings > Domain, domains that have been deleted from Symantec Endpoint Protection Manager appear.
      Solution: Fixed deleted domain entries in the database.

      Centralized Exception appears 14 times in Symantec Endpoint Protection Manager interface
      Fix ID: 1272374
      Symptom: Administrators who have no privileges on one domain see the Centralized Exception list owned by this domain when the administrator tries to add Centralized Exceptions by risk logs.
      Solution: If the logged in administrator is the system administrator, the Centralized Exceptions created in all domains are shown; if the logged in administrator is a domain administrator or limited administrator, only the Centralized Exceptions in the specific domain are shown.

      Domain administrator can view groups that belong to another domain
      Fix ID: 1273368
      Symptom: Domain administrator can view groups that belong to another domain when clicking on group hint box on notification and advanced filters.
      Solution: Updated query to include domain_id that domain administrator belongs to, as well as to add the legacy domain IDs.

      A case sensitive security check prevents the command/policy publishing from completing
      Fix ID: 1275710
      Symptom: Symantec Endpoint Protection Manager fails to publish commands and/or policies, resulting in clients not receiving them.
      Solution: Replaced the case sensitive check with a case insensitive one.

      The antivirus definition version shown in the Symantec Endpoint Protection Manager console does not match the definition version shown in the client UI
      Fix ID: 1276588
      Symptom: On the Symantec Endpoint Protection Manager console, clients to which a particular antivirus definition version has not been rolled out are shown as using that version.
      Solution: Corrected an initialization error in the Symantec Endpoint Protection Manager AV operational status SAX parser.

      Mdef25builder blocks other Symantec Endpoint Protection Manager processes
      Fix ID: 1276873
      Symptom: While creating a delta, the mdefbuilder process blocks policy publishing.
      Solution: Removed the mdefbuilder process from the synchronization block, so that it will not block other processes such as publishing policies.

      Internal site-wide "is LiveUpdate running" flag is set incorrectly
      Fix ID: 1280150
      Symptom: The Symantec Endpoint Protection Manager denies requests to launch LiveUpdate, stating that it is already running.
      Solution: Added an additional validation step on the site-wide "is LiveUpdate running" flag which resets it as needed.

      Slow imports from Active Directory OUs and creating locations
      Fix ID: 1290262
      Symptom: With a large (over 1000) number of groups or locations, the console would become sluggish in several places in the Policies and Clients tabs.
      Solution: Batched multiple requests for information into a single call to the Symantec Endpoint Protection Manager.

      0Kb .dax files appear on the Symantec Endpoint Protection Manager
      Fix ID: 1292255
      Symptom: Mdefbuilder builds 0-byte dax files when it cannot generate a Delta package. Therefore, when a client switches from one site to another site, 0-byte dax files are generated if the target LU content revision doesn't exist in the site the agent is connected to.
      Solution: Addressed LU content download flags and delta generation process.

    Symantec Endpoint Protection client fixes
      Application List not saved properly after restart
      Fix ID: 1179501
      Symptom: Symantec Endpoint Protection Firewall does not remember the Applications that access the internet when the rule is set to "Ask."
      Solution: Resolved initialization issues to save the firewall application list correctly.

      Application error CCMExec.exe when upgrading from 10.2 MP1
      Fix ID: 1211174
      Symptom: When deploying a client package to upgrade a 10.2 client, a CCMExec.exe error appears on the client.
      Solution: Addressed sysfer installation issue so as not to cause the application error.

      Symantec Endpoint Protection client does not switch from External location when switching from wireless to Ethernet connections
      Fix ID: 1220727
      Symptom: When connecting to the Ethernet connection for the internal location, the client does not successfully switch locations.
      Solution: Addressed DNS Lookup code to allow connection switch.

      Number of files in the SharedUpdates directory does not decrease
      Fix ID: 1236474
      Symptom: A large number of objects accumulate in the SharedUpdates directory.
      Solution: Updated Group Update Provider (GUP) to delete objects correctly after the size or date threshold is reached.

      Intermittent ccSvcHst error on shutdown
      Fix ID: 1238114
      Symptom: Intermittent ccSvcHst memory error appears on system shutdown.
      Solution: Addressed shutdown faults in client components.

      Petrel2008 software doesn't launch when Symantec Endpoint Protection Application & Device Control installed
      Fix ID: 1257774
      Symptom: Petrel2008 software does not function with Symantec Endpoint Protection 11.0 Application and Device Control.
      Solution: Addressed sysfer conflict with the Petrel software.

      IntelliJ IDEA software does not function with Application and Device Control installed
      Fix ID: 1260166
      Symptom: IDEA software fails to connect with Application and Device Control installed.
      Solution: Addressed conflict between Application and Device Control and the IDEA software.

      Ping time and CPU utilization increase with Symantec Endpoint Protection MR2 on Vista
      Fix ID: 1261384
      Symptom: CPU usage becomes very high when receiving multiple ping packets.
      Solution: Set the owner of ping packets to the correct state to avoid extended packet processing times.

      Symantec Endpoint Protection Manager shows in reports that agent has Network Access Control installed when it does not
      Fix ID: 1266426
      Symptom: When the agent registers with Symantec Endpoint Protection Manager after the product installation, it reports that Network Access Control is installed when it is not. After next heartbeat, the agent sends its correct agenttype info and reports display the correct value.
      Solution: Changed the PHP query not to use "SNAC" as the product type if enough information is not available. Instead, "NONE" is used as the product type until all the data is available.

      On Windows 2000 without Terminal Services, users may receive a default profile during logon
      Fix ID: 1266776
      Symptom: Users will receive a default profile during logon.
      Solution: Improved Symantec Endpoint Protection client's triggering mechanism for logon and logoff.

      Sysplant.sys causes application Quintiq to crash
      Fix ID: 1320412
      Symptom: After installing Symantec Endpoint Protection 11.0, the Quintiq application will no longer run without unexpected errors.
      Solution: Updated Sysplant to remove conflict.



    Point Patch 1 for Symantec Network Access Control Maintenance Release 2 Maintenance Patch 1
    Point Patch 1 is a patch specific to Symantec Network Access Control. It can only be installed over Maintenance Release 2 with Maintenance Patch 1.
      Symantec Network Access Control fixes in Point Patch 1

      Symantec System Health Agent (SHA) is not running after restart
      Fix ID: 1267397
      Symptom: Microsoft Network Access Protection (napstat.exe) displays the message "SHA Not Present." The detailed message is "A system health agent (SHA) that may be required for full network access is not present on this computer. Please contact your network administrator. ID 100848."
      Solution: Made a change to bind the Symantec SHA (ID 100848) correctly with the Microsoft Network Access Protection Agent.

      NAP Enforcer: Ignoring "Verify Client UID" does not work
      Fix ID: 1269383
      Symptom: Symantec Network Access Control Agent cannot get a normal IP address if the agent is not connected to Symantec Endpoint Protection Manager, even if the "Verify Client UID" setting is turned off in Symantec Endpoint Protection Manager.
      Solution: Send Host Integrity Information to Enforcer even if the agent is not connected to Symantec Endpoint Protection Manager.

      Agent built-in authentication fails when upgrading a Windows XP SP2 computer to Windows XP SP3
      Fix ID: 1234014
      Symptom: HI (Host Integrity) and PROFILE information on an endpoint are unavailable after Windows XP SP2 is upgraded to Windows XP SP3.
      Solution: Symantec Network Access Control EAP values in the registry are reset after an endpoint is upgraded to Windows XP SP3. Upon restarting after XP SP3 installation, the Symantec Network Access Control service resets the correct EAP values in the registry.

      NAP Agent does not communicate with Enforcer if "DHCP Enforcement" configured after Symantec Network Access Control Agent started on XP SP3
      Fix ID: 1240376
      Symptom: Microsoft Network Access Protection (NAP) does not work until either the Symantec Network Access Control service or the computer is restarted.
      Solution: Detect and bind the Symantec SHA whenever the Microsoft Network Access Protection Agent is started.


    Maintenance Patch 1 for Maintenance Release 2 (MR2 MP1)
    This section describes the fixes in Maintenance Patch 1 for Maintenance Release 2.

    About Maintenance Patch 1
    This Maintenance Patch cannot be installed over the 11.0.0 or 11.0.1 versions of Symantec Endpoint Protection Manager. It must be installed over Maintenance Release 2. For information about how to obtain the latest build of Symantec Endpoint Protection, read the following document: Obtaining an upgrade or update for Symantec Endpoint Protection 11.x or Symantec Network Access Control 11.x.

    Components included in Maintenance Patch 1

    Component            Version
    AMS                  6.12.0.148
    Auto-Protect         10.2.4.2/10.2.4.3
    Behavior Blocking    3.3.6.7/3.3.6.8
    ccEraser             20072.0.1.7
    COH                  6.1.2.3/6.1.3.20
    Common Client        106.3.6.9
    DecABI               1.1.1.39
    Defutils             3.3.11.0/3.3.16.0
    Deuce Engine         2007-06-06-1
    ECOM                 61.3.0.17
    Intelligent Updater  5.0 (Release .006)
    LiveUpdate           3.3 (Release .002)
    LiveUpdateAdmin      2.1.2 (Release .002)
    LiveUpdateCCPA       1.0 (Release .002)
    LOTS Manager         3.3 (Release .001)
    Microdefs            2.5 (Release .007)
    SyKnAppS             2.5.0.12
    SymEvent             2.5.3\3
    SymNetDrv            7.2.1
    Teefer2              11.0.1836.12
    WpsHelper            11.0.717.804
    VxMS (MSLight)       5.1.1.0


    New fixes in Maintenance Patch 1

    Symantec Endpoint Protection Manager fixes

      Symantec Endpoint Protection Manager fails to update virus definitions or policies to clients
      Fix ID: 1212533
      Symptom: Symantec Endpoint Protection Manager downloads the updates correctly but does not update the clients.
      Solution: Resolved synchronization error between LiveUpdate process and database replication.

      In a replication environment, after a few days, both sites' Symantec Endpoint Protection Manager publishing tasks show exceptions
      Fix ID: 1222330
      Symptom: After updating definitions in a replication environment, "Unexpected server error" entries appear in the server log files.
      Solution: Changed code to continue instead of causing an exception when encountering a content "broken link."

      Newly added site slows down server and console
      Fix ID: 1257786
      Symptom: After adding additional servers to a site, the performance of the console and compiling group policies becomes noticeably slower.
      Solution: Added performance increases to speed up functionality in large group environments.

      When the Symantec Endpoint Protection Manager replication data is over 2 GB, replication fails
      Fix ID: 1219223
      Symptom: When the replicating data.zip size is over 2 GB, replication fails.
      Solution: When restoring or replicating, Symantec Endpoint Protection Manager now decompresses the zip file to a temp folder first, then updates the DB.

      The unmanaged detector does not reflect the client status correctly
      Fix ID: 1201280
      Symptom: When a client is enabled as an unmanaged detector and the system is restarted, the unmanaged detector function is disabled.
      Solution: Addressed the merging of client information into the database so that the LAN sensor information is not lost.

      In environments with more than 1,000 groups, updating content takes a long time
      Fix ID: 1229073
      Symptom: With 1000 groups, updating content can take up to an hour and a half, during which any change made to the groups configuration, including adding a new group, is not processed.
      Solution: Changed the update process to greatly increase performance.

      Computer Status shows "No Definitions" for clients that do have current definitions
      Fix ID: 1240543
      Symptom: When checking logs from Symantec Endpoint Protection Manager > Monitors > Logs > Computer Status > View Log, the [Definitions Date] field shows "No definitions" even when the client has the latest definitions.
      Solution: Updated the agent to properly report the PATTERN_IDX status.

      Symantec Endpoint Protection Manager creates 0-byte .DAX files, causing clients to request full definition update
      Fix ID: 1250838
      Symptom: Instead of providing delta updates to the clients, the clients will request full definition sets. Zero-byte .DAX files are in the contents folder.
      Solution: Allow the server to compile the new content before publishing the data.

      Policy creation failure due to package broken links
      Fix ID: 1256146
      Symptom: Policy compilation issues prevent policies from being created and deployed.
      Solution: If there are any exceptions that occur during the client package retrieval from the database, they are logged and the updates continue.

      Site Properties dialog fails to open
      Fix ID: 1255484
      Symptom: If the retry intervals are set too low, Symantec Endpoint Protection Manager fails to open the site properties.
      Solution: If the configuration is below the required minimum value, it is reset to the minimum value.

      Network Providers in My Network Places has more than one instance of Symantec SNAC Network Provider
      Fix ID: 1150373
      Symptom: When changing the client set feature from Symantec Endpoint Protection Manager, each change adds another instance of Symantec SNAC Network Provider.
      Solution: Updated the code to no longer add unneeded SNAC Network Provider entries to the registry.

    Symantec Endpoint Protection client fixes

      RTVscan.exe crashes with faulting module msvcr80.dll fault add: 0x000046b4
      Fix ID: 1247109
      Symptom: Error in the application logs: Faulting application Rtvscan.exe, version 11.0.1000.1112, faulting module msvcr80.dll, version 8.0.50727.1433, fault address 0x000046b4.
      Solution: Added additional exception handling.

      Normal Users cannot disable firewall, even when allowed to by administrator
      Fix ID: 1241207
      Symptom: Restricted users are unable to disable the firewall, even though they're configured to be able to do so through the console.
      Solution: Restricted users cannot stop services, but can disable the firewall if they are allowed to do so by the administrator.

      A request for a restart is displayed even though no updates are needed
      Fix ID: 1247970
      Symptom: Even though Network Threat Detection is not installed, the user is prompted to restart the computer because there is a Network Threat Detection update that needs to be applied.
      Solution: Added additional codes to display why restarts are needed.

      Outlook stops unexpectedly when using "Next Item" button repeatedly
      Fix ID: 1222352
      Symptom: When using the "Next Item" button in Outlook to move from message to message, Outlook crashes after reviewing 5-10 messages.
      Solution: Changed client so as not to cache the callback pointer when browsing messages.



    Maintenance Release 2 (MR2)
    This section describes the new features and fixes included in Maintenance Release 2 of Symantec Endpoint Protection 11.0 and Symantec Network Access Control 11.0.


    About Maintenance Release 2 for Symantec Endpoint Protection and Symantec Network Access Control
    Symantec Endpoint Protection 11.0.2 and Symantec Network Access Control 11.0.2 provide enhancements on top of the existing 11.0 functionality to support the Microsoft Windows 2008 Server. In addition to providing compatibility with the new operating system, this release adds compatibility with the Microsoft Network Access Protection (NAP) framework. Fixes for customer problems and minor enhancements since the release of Symantec Endpoint Protection and Symantec Network Access Control are included in this release. This release also adds support for Windows Vista Service Pack 1 and XP Service Pack 3.

    New features
    • Support for Microsoft Windows 2008 Server clients
      Support for Windows Server 2008 Standard/Enterprise/Datacenter/Web (32-bit or x64 edition), including Server Core installation, has been added to the Symantec Endpoint Protection and Symantec Network Access Control clients. Symantec Endpoint Protection Manager and the deployment tools have also been modified to support the management of Symantec Endpoint Protection and Symantec Network Access Control clients that run on Windows Server 2008. However, the management components cannot be installed on a computer running Windows Server 2008.
    • Compatibility with Microsoft Network Access Protection (NAP) Framework
      Customers can build Symantec Network Access Control-only or multi-vendor policy compliance solutions using Microsoft's Network Access Protection (NAP) technologies. This feature lets customers leverage a standards-based (TNC-compliant) and Microsoft-supported network access control framework. This framework supports 802.1x, DHCP, Microsoft VPN, and IPSec technologies to control network access.

      In addition to the previously supported methods, Symantec Network Access Control customers gain the use of IPSec as a compliance method. IPSec is an endpoint-centric method designed to build trust relationships between domain members.

      For customers who want to leverage this technology, a major advantage for Symantec Network Access Control is the ability to control all aspects of admission control policy in a single policy console, instead of requiring customers to deploy multiple policy servers and management plug-ins.
    • Improved resource utilization in Symantec Endpoint Protection client and Symantec Endpoint Protection Manager
      The MR2 release reduces the client footprint and resource utilization of the Symantec Endpoint Protection Manager in order to enhance the user experience, especially in small and medium-sized business environments. Administrators have the option to increase the space and memory allocation of the server to fit their business environment.
    • Enhanced Device Control supports Device ID
      This feature lets you set a policy for a specific device that is allowed or not allowed to be attached to the endpoints, which helps ensure that USB memory sticks are not used unless they are approved by your security policy.

    Components included in Maintenance Release 2

    Component            Version               Comments
    Auto-Protect         10.2.3                Certified on Windows 2008
    Behavior Blocking    3.3.6\008
    ccEraser             20072.0.1.7
    COH                  6.1.3\020
    Common Client        6.3.6\009
    DecABI               1.1.1
    Defutils             3.3 (Release .002)
    Deuce Engine         2007-06-06-1
    ECOM                 20071.3
    Intelligent Updater  5.0 (Release .006)
    LiveUpdate           3.3 (Release .002)
    LiveUpdateAdmin      2.1.2 (Release .002)
    LiveUpdateCCPA       1.0 (Release .002)
    LOTS Manager         3.3 (Release .001)
    Microdefs            2.5 (Release .007)
    SyKnAppS             2.5                   Certified on Windows 2008
    SymEvent             12.5.3\3
    SymNetDrv            7.2.1                 Certified on Windows 2008


    New fixes in Maintenance Release 2

    Symantec Endpoint Protection Manager fixes
      Symantec Endpoint Protection embedded database takes too much hard disk space
      Fix ID: 1193157
      Symptom: Over time, the embedded database continues to grow in size under normal operations. Actual used disk space is under 1GB, while unused disk space allocated to the database grows to almost 2 GB.
      Solution: Unused disk space allocated to the embedded database is cleaned up more efficiently. New customers who upgrade to MR2 will not experience this problem. For existing customers who are experiencing this problem and upgrade to MR2, the database size does not shrink automatically. You must use a command line tool (dbunload.exe) to fix the problem. For more information, read the document How to shrink the embedded database using the Dbunload tool.

      Port leak on Symantec Endpoint Protection Manager
      Fix ID: 1183253
      Symptom: Symantec Endpoint Protection Manager becomes deaf as Symantec Endpoint Protection clients download updates: CLOSE_WAIT sockets are not closed, and the server runs out of ports and becomes deaf to the console. As this continues, at some point you can no longer remote desktop to the server. When the server is full, 3500 sockets are in CLOSE_WAIT, almost all the rest are in TIME_WAIT, and there are 15 or so talking to the database and clients. As time passes, the number of CLOSE_WAIT sockets slowly rises.
      Solution: Symantec Endpoint Protection Manager process no longer has CLOSE_WAIT states after clients download updates, preventing the leaked ports from monopolizing all the server's ports.

      Port Leak in Symantec Endpoint Protection Manager
      Fix ID: 1193251
      Symptom: An HTTP port (80) leak regularly occurs on a server managing thousands of clients under normal load. If allowed to continue, this leak will eventually bring down the server. First the console becomes unusable, then you cannot connect via remote desktop.
      Solution: Reviewed and modified Symantec Endpoint Protection Manager port 80 usage.

      Localized Symantec Endpoint Protection Manager migration from 11.0.0 to 11.0.1 erases LiveUpdate Inventory
      Fix ID: 1206983
      Symptom: The LiveUpdate inventory is erased after a localized migration of Symantec Endpoint Protection Manager from 11.0.0 to 11.0.1. This does not occur on U.S. English migration.
      Solution: LiveUpdate catalog was fixed so that this problem does not occur. There is also a workaround that can be applied: From the command line, navigate to C:\Program Files\Symantec\Symantec Endpoint Protection Manager\bin\, and then run the command: lucatalog.exe -update

      Unexpected exception occurs on Symantec Endpoint Protection Manager
      Fix ID: 1191813 / 1192650
      Symptom: Numerous errors that state "An unexpected exception has occurred on Symantec Endpoint Protection Manager" occur. Searching for computer/user objects takes 5-10 minutes. Logging in to Symantec Endpoint Protection Manager takes 2-3 minutes (usually 5-10 seconds). Copying a computer object to another group takes 5-10 minutes and sometimes results in the Symantec Endpoint Protection Manager freezing.
      Solution: Made modifications to the DB and Secars.dll to address these delays and unexpected exceptions.

      Site replication fails due to deadlocks
      Fix ID: 1180681
      Symptom: Replication fails between multiple sites. The SQL database is deadlocking on certain queries.
      Solution: Transaction queries and logic were updated to prevent the deadlocks from occurring.

      Database deadlocks causing multiple problems
      Fix ID: 1178096, 1178099
      Symptom: Multiple deadlocks in database cause attempts to log in to Symantec Endpoint Protection Manager to fail. Deadlocks also cause functionality problems between multiple sites.
      Solution: Optimized performance of Active Directory synchronization algorithm so that database deadlocks do not occur.

      Symantec Endpoint Protection Manager user name and password in clear text in registry during LiveUpdate Policy Rolldown
      Fix ID: 1006376
      Symptom: User name and password are not encrypted in the registry during LiveUpdate Policy Rolldown and can be retrieved through regmon.
      Solution: User name and password are now encrypted during transfer, and then decrypted when read out to the host file.

      Database sweep does not remove content which is marked for deletion on replication site
      Fix ID: 1223074
      Symptom: After content which is marked for deletion is deleted from one site, it is replicated to another site and not deleted. Database Sweep is slightly different in replication environment. Content is deleted only after a replication cycle has been completed.
      Solution: Data that has been deleted from one site is not updated on the other site.

      Group Folders are not created or take too long to create
      Fix ID: 1191851, 1201662
      Symptom: When you have a large number of existing groups, creating new groups fails as SemSvc.exe runs a check on all existing folders (one folder for each group). After over an hour, the new group is not created. When viewing created groups, some contained 2 files, while others contained over 20 files. In some instances, creating a group would take over an hour.
      Solution: Added a condition that optimizes creation of groups, so that groups and group folders are created in a timely manner.

      Import of policy from one Symantec Endpoint Protection Manager domain to another fails
      Fix ID: 1183186
      Symptom: After clicking "Import" to import a policy from one Symantec Endpoint Protection Manager domain to another, the action fails with no error message. This particularly happens when attempting to import firewall policies that use rules which apply to host groups that are not present in the new domain, or when importing policies from a migrated Symantec AntiVirus server group into a new domain.
      Solution: Import action failed because the new domain did not contain the same host group names. This problem is resolved by implementing the following: creating the host group if it does not exist in the new domain, adding error handling messages if an error does occur, and merging host groups if the user selects to overwrite the existing policy for already existing groups.

      Agents do not appear in Symantec Endpoint Protection Manager
      Fix ID: 1178101
      Symptom: Agents do not appear correctly in the Symantec Endpoint Protection Manager. The problem appears to be tied to Active Directory synchronization. If Symantec Endpoint Protection Manager is restarted, agents show up correctly. However, after Active Directory synchronizes with Symantec Endpoint Protection Manager, the agents display as offline again, which occurs every 24 hours.
      Solution: Modified the order of how objects are processed so that agents appear correctly as "online" in the Symantec Endpoint Protection Manager.

      Agent logs are not being replicated between Symantec Endpoint Protection Managers
      Fix ID: 1178100
      Symptom: Client, system, security, traffic, packet, and behavior logs are not replicated from one Symantec Endpoint Protection Manager to another.
      Solution: Logs can now be replicated between Symantec Endpoint Protection Managers.

      AntiVirus logs appear to cause out of memory error that kills Symantec Endpoint Protection Manager
      Fix ID: 1200327
      Symptom: Symantec Endpoint Protection Manager is rendered useless.
      Solution: Anomaly-processing logic for logging was changed to use the remediation path instead of the anomaly description member, which is overloaded as both a path value and a service description value.

      High CPU utilization when Symantec Endpoint Protection Manager builds definitions
      Fix ID: 1191801
      Symptom: When microdefinitions are being built on the Symantec Endpoint Protection Manager, CPU utilization reaches up to 95% and renders the server and console unusable.
      Solution: While microdefinitions are being built, CPU usage is now capped at 50%. Users can change this figure by adding/changing the scm.delta.cpu.usage parameter in the conf.properties file to a decimal number between 0 and 1, where 1 represents 100% usage and 0.5 represents 50% usage.

      AntiVirus and Antispyware policy templates
      Fix ID: 1210445
      Symptom: Customer would like more AntiVirus and Antispyware policy templates from which to choose.
      Solution: Symantec Endpoint Protection Manager contains new AntiVirus and Antispyware policy templates. There are now three templates from which to choose: high performance, high security, and the default (which balances performance and security).

      Symantec Endpoint Protection Manager loses connection with client
      Fix ID: 1209380
      Symptom: After Symantec Endpoint Protection client initially connects to Symantec Endpoint Protection Manager, it immediately disconnects. The client does not download definitions or policies.
      Solution: Fixed a problem with Symantec Endpoint Protection Manager files that were not being processed correctly.

      Client groups do not function properly
      Fix ID: 1209569
      Symptom: After creating a client group, attempting to create an installation package that is managed by the client group fails.
      Solution: During the creation of the client group, the LiveUpdate folder is created, which was previously not created.

      Symantec Endpoint Protection Manager LiveUpdate does not update content after system clock was previously set to a future date
      Fix ID: 1198451
      Symptom: From Symantec Endpoint Protection Manager, user changes system clock to a future date and then runs LiveUpdate. After restoring date to current time, attempts to run LiveUpdate fail. Attempts to uninstall or reinstall LiveUpdate, with or without Product.Inventory.LiveUpdate, do not resolve the problem. Setting the time to the future causes problems for policy download as well.
      Solution: A recovery tool, updatedbtime.bat, is available in the Tools folder that resets the time stamps in the database to correct the problem. After running the tool, the LiveUpdate problem should be resolved.

      Disaster Recovery procedure conflicts with remote software and is difficult to follow
      Fix ID: 1207080
      Symptom: Restoring client communications without a database backup involves logging into Symantec Endpoint Protection Manager and traversing to Admin > Domains > About, and then pressing and holding Shift + Ctrl + Alt. When accessing remotely, this action creates conflicts. This process is also difficult to follow as only certain areas of the About box can trigger the expected result.
      Solution: Added an "Advanced" button that hides the disaster recovery input area so that no conflicts arise from using Shift + Ctrl + Alt, while also making it easier to access the area for user to provide the necessary information.

      Procedures to migrate embedded database to remote SQL server causes communication with client to break
      Fix ID: 1211785
      Symptom: After following steps in documentation to migrate embedded database to remote SQL server, Symantec Endpoint Protection clients no longer communicate with Symantec Endpoint Protection Manager.
      Solution: Revised documentation to correctly migrate database over to remote SQL server. This involved including a step to restore the keystore.

      Virus Definitions bar chart and IPS Signatures chart on Symantec Endpoint Protection Manager home page do not display
      Fix ID: 1190971
      Symptom: Charts on the home page appear blank.
      Solution: Modified code to ensure that chart information is displayed as expected on the Home Page.

      Cannot export agent packages from Symantec Endpoint Protection Manager Web console
      Fix ID: 1204496
      Symptom: When attempting to export an agent package from the Symantec Endpoint Protection Manager Web console, the user receives an error stating that exporting failed.
      Solution: Agent packages can now be exported from Symantec Endpoint Protection Manager Web console.

      ClientRemote Utility not functional
      Fix ID: 1198284
      Symptom: Attempts to install a Symantec Endpoint Protection client package with the ClientRemote utility fail with an inability to authenticate using domain administrator and local administrator credentials. The error message states that it is an invalid account. When accessing the workstation and C$ share, you can see that the share is using the domain administrator account.
      Solution: Added checks in the ClientRemote utility to attempt to authenticate via domain\username, and then target\username, before returning an error code. This allows local administrator credentials to be used when distributing into a domain.

      Communication between Symantec Endpoint Protection Manager and client breaks after moving clients to a different Organizational Unit (OU)
      Fix ID: 1195419
      Symptom: Duplicate Symantec Endpoint Protection client entries appear in the SQL database, and therefore break client/manager communication as clients attempt to communicate with the deleted OU.
      Solution: Old, non-existent Active Directory groups/OUs are cleaned out of the SQL database to ensure that clients communicate with existing groups.

      Users deleted from Symantec Endpoint Protection Manager groups that are synchronized from Active Directory (AD)
      Fix ID: 1203581
      Symptom: Objects copied from group imported from Active Directory and then copied to Symantec Endpoint Protection Manager group disappear from Symantec Endpoint Protection Manager AD group, Symantec Endpoint Protection Manager group, or both.
      Solution: Symantec Endpoint Protection Manager now keeps one entry in the OU group and one entry in the non-OU group to resolve duplicate agents, and to prevent objects from being deleted.

      Cannot connect remotely to Symantec Endpoint Protection Manager that is installed behind a firewall with Network Address Translation (NAT)
      Fix ID: 1174651
      Symptom: When attempting to use the remote Symantec Endpoint Protection Manager outside the private network, you can perform initial logon steps, but cannot access the console. The error message shows "Hostname Mismatch. The name on the site does not match the name on the certificate."
      Solution: In NAT environment, connecting remotely uses the local address as the server IP address instead of the HTTP host to connect to Java.

      LiveUpdate downloads are not always randomized
      Fix ID: 1193767, 1193770
      Symptom: After switching from push to pull mode, randomization of LiveUpdate downloads does not occur.
      Solution: During pull mode, LU content download is randomized. By default, the thread waits for one minute before performing the download. Therefore, randomization is done for clients that have a pull mode interval of more than one minute.

      Changing remote console port blocks Symantec Endpoint Protection Manager/Symantec Endpoint Protection communication
      Fix ID: 1187451
      Symptom: Changing the remote console port from 9090 (server.xml) will block clients deployed after the change from registering and communicating with Symantec Endpoint Protection Manager.
      Solution: Documentation amended to explain how to modify server.xml for the port change to work. Within server.xml, change scm.http.port=<new Port> and scm.server.http.port=<new Port>. This was changed in the Administrator's Guide, Installation Guide, and Readme.

      Migration – After restoring database after migration, two management servers appear in Symantec Endpoint Protection Manager
      Fix ID: 1216751
      Symptom: Backing up database of Symantec Endpoint Protection 11.0.0, uninstalling Symantec Endpoint Protection Manager 11.0, installing Symantec Endpoint Protection Manager 11.0 MR1, and then restoring the database results in two management servers listed in Symantec Endpoint Protection Manager under Admin > Servers.
      Solution: Changed code to use server name that is kept in the database.

      Command to cancel scans does not cancel all scans
      Fix ID: 1181265
      Symptom: If a user runs a scan or an admin-configured scheduled scan is running on Symantec Endpoint Protection client, attempting to cancel scan from Symantec Endpoint Protection Manager with "cancel all scans" command is not successful.
      Solution: Allow administrator to cancel all scans from Symantec Endpoint Protection Manager whether they are initiated by Symantec Endpoint Protection Manager or user.

      On Symantec Endpoint Protection Manager Home Page, status of Symantec Endpoint Protection client shows AntiVirus Engine is off
      Fix ID: 1183055
      Symptom: From Symantec Endpoint Protection Manager, multiple Symantec Endpoint Protection clients show that the Antivirus Engine is off from the Home Page > Status Summary. A local check shows that the antivirus engine is on, the definitions are current, and there are no other problems.
      Solution: Fixed to present correct state of Symantec Endpoint Protection clients in Symantec Endpoint Protection Manager.

      Symantec Endpoint Protection Manager hangs when performing certain operations
      Fix ID: 1208845
      Symptom: Unchecking "Inherit policies and settings from the parent group Global" for the Temporary group freezes the management console.
      Solution: Code changes to prevent Symantec Endpoint Protection Manager from hanging/freezing when performing these operations.

      Import of certain OU information from LDAP server fails
      Fix ID: 1180685
      Symptom: If OU information contains certain characters, importing information from LDAP server fails with error: "LDAP XML Saving Failed. The character ' ' is an Invalid XML character."
      Solution: Characters previously deemed as invalid are now valid.

      Windows 2000 Symantec Endpoint Protection clients appear as Unknown Computers in Symantec Endpoint Protection Manager
      Fix ID: 1201891
      Symptom: Running "Find Unmanaged Computers" from Symantec Endpoint Protection Manager finds Symantec Endpoint Protection Clients running on Windows 2000 as "Unknown Computers."
      Solution: Correlated results of the Find Unmanaged Computers with the information already known about Symantec Endpoint Protection clients in the database to correctly identify Windows 2000 Symantec Endpoint Protection Clients.

      Some non-shared policies cannot be disabled
      Fix ID: 1181447
      Symptom: When policies are converted from shared to non-shared, the policies can no longer be disabled. The "enable this policy" check box is grayed out.
      Solution: "Enable this policy" setting activated for the following policies: firewall, intrusion prevention control, and application and device control. User cannot disable Antivirus and LiveUpdate policies.

      Corrupted XML in the Symantec Endpoint Protection Manager database
      Fix ID: 1187858
      Symptom: Users are experiencing inconsistencies because of corrupt XML in the Symantec Endpoint Protection Manager database.
      Solution: Tool was created that validates the XML in the Symantec Endpoint Protection Manager database and alerts when there are broken links or references in the XML.

      Cannot log in to Symantec Endpoint Protection Manager after upgrading JRE to 1.6.x
      Fix ID: 1155395
      Symptom: After upgrading JRE to 1.6.x, attempting to log into Symantec Endpoint Protection Manager fails.
      Solution: Added logic to Symantec Endpoint Protection Manager that recognizes JRE 1.6.x and later versions so that users can upgrade JRE and use Symantec Endpoint Protection Manager without interruption.

      Need error handling when multiple attempts of clients to download LiveUpdate content from server fail
      Fix ID: 1187497
      Symptom: Network becomes completely saturated with failed download attempts of virus definitions to Symantec Endpoint Protection clients. In some cases many clients are requesting LiveUpdate content from IIS/Symantec Endpoint Protection Manager. If the clients encounter a network error, they retry very quickly. If the network is under heavy load then the clients encounter errors, the downloads fail, and they continue to retry the downloads.
      Solution: A "backoff" algorithm was implemented that coexists with the incremental download mechanism for LiveUpdate content. This algorithm ensures that network bandwidth is never stretched to the point of rendering the customer's network unusable.

      Devices may not work when Extreme switch is used in network environment
      Fix ID: 1201306
      Symptom: If a device, such as a printer, is connected to the same port as the Extreme switch, it is authenticated by its MAC address because the printer does not use EAP. Because this is not an EAP RADIUS packet, the Extreme switch does not provide the correct "Message-Authenticator" to the LAN Enforcer. The LAN Enforcer therefore modifies the "Authenticator" field, which is rejected by the FUNK Radius server, so the printer (or other device) is never allowed to work.
      Solution: Changed code to allow functionality.

      Home and Monitors tabs don't work correctly if TEMP and TMP environment variables point to different folders
      Fix ID: 1177149
      Symptom: Accessing the Home or Monitors tabs brings up a blank page when the TEMP and TMP environment variables point to different folders.
      Solution: Instead of relying on the TEMP and TMP environment variables, Symantec Endpoint Protection Manager now uses a custom folder for the temporary PHP session files that are used when accessing the various tabs from Symantec Endpoint Protection Manager. The new custom folder is located at: c:\Documents and Settings\All users\Application Data\Symantec\Symantec Enterprise Protection Manager\PHP\temp.

      Online status of administrators always shows Offline
      Fix ID: 1186783
      Symptom: When an administrator logs in to the Symantec Endpoint Protection Manager, the administrator's Online Status always shows as offline.
      Solution: Modified code to remove a duplicate session that caused the incorrect status.

      Need to apply limits to all events to ensure hard disk does not get filled up
      Fix ID: 1201915
      Symptom: Without limits, hard disk may be flooded with events that eventually fill the disk to its capacity. This could potentially occur if the database goes down.
      Solution: All event inboxes are included in calculations to ensure that they do not fill the hard disk to its capacity.

      Centralized Exceptions does not function in exceptional situations
      Fix ID: 1179354
      Symptom: When creating a centralized exception for a directory that starts with a lower case n in the directory name, the exclusion does not work properly. This behavior also affects file exclusions and Tamper Protection exclusions. Garbage characters replace the "\n", and placing an infected file in the folder causes an alert to trigger even though that folder is supposed to be excluded.
      Solution: Exceptions handle "\n" so that garbage characters are not created and exceptions work as expected.

      Symantec Endpoint Protection Manager Process Event Log entries populated on Windows SBS Server
      Fix ID: 1200391
      Symptom: Event Log of Symantec Endpoint Protection Manager populated with "Create Log File Error" and "Failed to start Radius Server" on a daily basis.
      Solution: Added a new check for the Symantec Endpoint Protection Manager process that ensures its availability before attempting to create a log file or bind to a Radius port, so that these event log error entries are not triggered.

      Cancelling "Add Package" operation causes unexpected error message and/or system hang
      Fix ID: 1190678
      Symptom: If you cancel the "Add Package" operation while it is extracting the CAB file, you may get unexpected error messages and/or it may cause the management console to freeze.
      Solution: Code changes prevent error messages from appearing and prevent Symantec Endpoint Protection Manager from freezing when cancelling the "Add Package" operation.

      Symantec Endpoint Protection client cannot be added to specified group if group name contains spaces
      Fix ID: 1203005
      Symptom: When deploying a Symantec Endpoint Protection client installation package with a specified group that contains a space in the group name, the client is added to the temporary group.
      Solution: Spaces are now allowed in group names, so clients are placed in correct group after installation through the installation and migration wizard.

      Cannot save report "Attacks Over Time"
      Fix ID: 1179569
      Symptom: Attempting to save the report "Attacks Over Time," which is accessed from Network Threat Protection > Attacks Over Time > Group option, fails. You must have data in the report to encounter this error.
      Solution: Fixed the backend parsing to allow users to save this report.

      Cannot configure "Check Floppies for Boot Viruses" from the Symantec Endpoint Protection Manager
      Fix ID: 1158888
      Symptom: Option to enable/disable "Check Floppies for Boot Viruses" is not available in the antivirus policy from the management console. Because this feature is available and configurable from the client, it should also be configurable from the management console.
      Solution: "Check Floppies for Boot Viruses" is included in the antivirus policy, and is therefore configurable from the management console.

      Maximum size of incoming log queues is too large (256GB)
      Fix ID: 1201927
      Symptom: Leaving unrestricted incoming log size could result in depletion of hard disk space.
      Solution: Incoming log queue size is now limited to approximately 4GB.

      Server GUI changes after clients send "User Information Collection"
      Fix ID: 1205251
      Symptom: User Info tab on the client properties changes after the user fills out User Information Collection dialog.
      Solution: Accommodated differences in amount of information by adding a minimum size to these components.

      LiveUpdate Help button unresponsive
      Fix ID: 1191152
      Symptom: Help button for "LiveUpdate Settings policy server settings" pane does not open the Help page.
      Solution: Fixed Help button to access correct Help page.

      Non-translated character strings on Report pages
      Fix ID: 1132611
      Symptom: After creating reports from the management console, hovering mouse over pie chart reveals character strings that have not been translated to the localized language.
      Solution: Strings have been localized so that they appear in the correct language.

      Incorrect Help information and links from Symantec Endpoint Protection Manager
      Fix ID: 1164216, 1125095
      Symptom: Steps to turn on "Collecting user information" are incorrect. Help instructs the user to go to the Client button, when the setting is found on the Admin button. Also, the link for more information "About Remote Sites" points to an incorrect page.
      Solution: Help was fixed to give the correct steps to turn on "Collecting user information" and now correctly points to information "About Remote Sites."

      Computer Name with Chinese characters displays incorrectly
      Fix ID: 1180680
      Symptom: If a computer's name has Chinese characters, it does not display correctly.
      Solution: Computer name displays Chinese characters correctly.

      Reports generated in Chinese .MHT format display a blank page when opened with Internet Explorer
      Fix ID: 1192458
      Symptom: Symantec Endpoint Protection Manager scheduled report delivers the report to a dedicated mailbox in .MHT format. Clicking on this file and opening it with Internet Explorer (default) brings up a blank page.
      Solution: Added meta tag to code to address the problem.

      User cannot separate port numbers with spaces from Remote and Local Ports drop-down list
      Fix ID: 1195487
      Symptom: From a firewall policy > Rules Page, adding a port does not let you separate multiple ports with spaces.
      Solution: User can separate multiple ports by using commas and spaces. For example: (80, 800, 1024-49)

      Garbage characters in Server Reporter panel
      Fix ID: 1180678
      Symptom: On localized Chinese build, garbage characters appear in several pages of the Symantec Endpoint Protection Manager, including "Policies" and "Monitoring."
      Solution: Garbage characters removed from the affected pages.

      Truscan log column truncated
      Fix ID: 1201483
      Symptom: Column in Truscan log is truncated, distorting the log's appearance.
      Solution: Column fixed to display correctly.

      Incorrect font displayed on Symantec Endpoint Protection Manager Admin page
      Fix ID: 1098613
      Symptom: From the Symantec Endpoint Protection Manager Admin page, several words are displayed in the serif font which is difficult to read in Japanese.
      Solution: Font style corrected on the Admin page.


    Symantec Endpoint Protection client fixes
      TMP folders in virus definitions folder eventually consume all available drive space
      Fix ID: 1177176
      Symptom: Symantec Endpoint Protection clients create tmp folders in the C:\Program Files\Common Files\Symantec Shared\VirusDefs folder. When new definitions arrive, the problem stops, but starts again at random times on some computers. TMP folders are created in 5 and 10 minute intervals, eventually consuming all available space on the drive.
      Solution: LiveUpdate code modified to clean up temporary folders and registry values in the case of failures during the update process.

      Symantec Endpoint Protection Outlook Plug-in breaks all Outlook attachments
      Fix ID: 1190655
      Symptom: Whether the Outlook Plug-in is turned off or on, all Outlook attachments are broken when opened from a computer with Symantec Endpoint Protection client installed.
      Solution: Ensured that Outlook attachments can be opened on Symantec Endpoint Protection Clients with Outlook Plug-in installed.

      Symantec Endpoint Protection client scans do not scan any or all files
      Fix ID: 1200900
      Symptom: Attempts to run a full scan result in the Symantec Endpoint Protection client scanning only approximately 1,000 files. Attempts to run a scan with "scan enhancements" unchecked result in 0 files scanned.
      Solution: Updated the Common Client component that resolves the inconsistent scanning problem.

      Windows blue screen error
      Fix ID: 1159668
      Symptom: Windows computer with Symantec Endpoint Protection 11.0 client installed encounters blue screen with an "Unexpected_Kernel_Mode_Trap (7f)."
      Solution: Code fixed to address driver problems.

      64-Bit Windows 2003 Server blue screen error
      Fix ID: 1169684
      Symptom: Computer encounters blue screen with reference to cceraser.dll.
      Solution: Fixed problem with new release of Symantec Eraser engine.

      Symantec Endpoint Protection client maintains accelerated heartbeat for too long
      Fix ID: 1204176
      Symptom: When the Symantec Endpoint Protection client is in pull mode, and enters an accelerated heartbeat (polls server every minute) due to content pending download, the client does not exit out of the accelerated heartbeat fast enough after the content is downloaded.
      Solution: Accelerated heartbeat exit criteria have been modified to the following: the client falls back to the normal heartbeat interval once Symantec Endpoint Protection Manager delivers the pending LiveUpdate content/Client Package OR if the time elapsed in accelerated mode is twice the push/pull mode interval.

      Symantec Endpoint Protection client migration problems
      Fix ID: 1211603
      Symptom: On Symantec Endpoint Protection client, migration from Symantec Endpoint Protection 11.0 RTM to later MR hangs. User is prompted several times to upgrade, selects OK, and then client stops responding.
      Solution: Modified installation package to handle necessary Windows files appropriately, and updated LiveUpdate catalog.

      Update Schedule for Symantec Endpoint Protection client is not updated
      Fix ID: 1195527
      Symptom: Once a Symantec Endpoint Protection client gets an update schedule from the Symantec Endpoint Protection Manager, it will keep the update schedule even if the server changes it. For example, if the server is configured to have all clients update within 10 days and the client picks a schedule for 8 days from now, the client will keep the 8 day schedule even if you change the server to have clients update immediately before the 8 days elapse.
      Solution: New Update schedule from server now supersedes previous update schedule already on the Symantec Endpoint Protection client.

      Installing Application Control without Proactive Threat Scan blocks nothing
      Fix ID: 1194067
      Symptom: Functionality of Application Control is non-existent without Proactive Threat Scan.
      Solution: Removed Application Control's dependency on Proactive Threat Scan so that it can function independently.

      With Sysplan enabled, SMC.exe crashes after Windows login
      Fix ID: 1200628
      Symptom: The following errors occur: "sms.exe – Application Error : The instruction at "0x6f029b8f" referenced memory at "0x038d0000." The memory could not be read." "Rundll32.exe – Application Error : The application failed to initialize properly (0xc0000005). Click on OK to terminate the application." "Explorer.exe – Application Error window The application failed to initialize properly (0xc0000005). Click OK to terminate the application."
      Solution: Fixed the algorithm that relates to regular expression matching and corrected errors that missed some judgment conditions, so that SMC.exe no longer crashes with these error messages.

      Symantec Endpoint Protection client GUI crashes when importing rules to an unmanaged Symantec Endpoint Protection client
      Fix ID: 1178530
      Symptom: After modifying rules, encrypting rules, and then importing rules back to an unmanaged Symantec Endpoint Protection client using the command line "smc.exe -importadvrule c:\newrules.sar", the client GUI crashes.
      Solution: Modified the XML parser so that edits made to policy in this manner do not crash the Symantec Endpoint Protection client. Specifically, the fix changes how the parser handles the existence or non-existence of Byte Order Marks (BOMs) in the XML files.

      Migration from SPA 5.1 to Symantec Endpoint Protection 11.0 causes firewall to fail to load
      Fix ID: 1226009
      Symptom: After migrating from SPA 5.1 to Symantec Endpoint Protection 11.0 client, no MSI errors are indicated. Upon restart, firewall service fails to load with error "Failed to start the firewall application. Error code returned: 0x80070102." Symantec Management client service also fails to load at startup and cannot be started.
      Solution: The correct file is now copied over during migration, which prevents the problems from occurring. SPA 5.1 now successfully migrates to Symantec Endpoint Protection 11.0.2 without the errors listed above.

      Failed migration from 10.1 MR7 to 11.0 MR1 on French Operating Systems
      Fix ID: 1195284
      Symptom: Migration fails from 10.1 MR7 to 11.0 MR1 on French operating systems with the following error: "cba.dll is missing." It also appears that for specific common files, newer versions exist in 10.1 MR7 than in 11.0 MR1, thereby causing the failed migration.
      Solution: To avoid this scenario, it is now ensured that components do not replace newer component files with older versions when the MSI product version moves forward.

      System crashes when application/device control is installed
      Fix ID: 1209194
      Symptom: Customer has Papyrus software installed on same computer as Symantec Endpoint Protection client with application/device control installed. The computer crashes.
      Solution: Application/device control views dlls based on the last few characters (tail) of their name. Some dlls have the same last few characters and can cause problems with Symantec Endpoint Protection accessing invalid memory areas. A fix was applied so that application/device control compares the full file name of dlls.

      Symantec Endpoint Protection client does not scan files with certain special characters
      Fix ID: 1213701
      Symptom: Files with special characters are not scanned.
      Solution: Changed code to include scanning of files with special characters.

      Legacy scheduled scans run on client after migration to Symantec Endpoint Protection, but cannot be viewed or modified from the Symantec Endpoint Protection Manager
      Fix ID: 1220783
      Symptom: After migrating a Symantec AntiVirus 9.x or 10.x client to Symantec Endpoint Protection, scheduled scans previously configured for the Symantec AntiVirus clients run on the newly-migrated Symantec Endpoint Protection client. An administrator cannot see these legacy scans in the Symantec Endpoint Protection Manager and cannot configure the scans. Legacy scans are stored in the registry and not removed (or correctly migrated) for the Symantec Endpoint Protection client.
      Solution: Legacy scheduled scans defined by the administrator are now migrated. When legacy clients are migrated to Symantec Endpoint Protection, they find their legacy scheduled scans, and these scans are visible and configurable from the Symantec Endpoint Protection Manager.

      Current date of Proactive Threat Protection definitions is not displayed on the Symantec Endpoint Protection client
      Fix ID: 1218123
      Symptom: From the Symantec Endpoint Protection client user interface, the Proactive Threat Protection definition date is not displayed. It is displayed only after an initial process is scanned.
      Solution: Display correct Proactive Threat Protection definitions date at all times, including before Proactive Threat Protection scans any processes.

      Application Device Control Exclusions
      Fix ID: 1167148
      Symptom: Adding "Devices excluded from blocking" for human interface devices after already blocking USB does not work.
      Solution: Implemented new device control USB additions that addressed policy discrepancies for Application Device Control exclusions.

      Tray icon crashes when user logs in to computer
      Fix ID: 1216558
      Symptom: A scheduled scan runs when the user is logged off computer. The scheduled scan detects an infected file. After the user logs on to the computer, the Symantec tray icon (smcgui.exe) crashes.
      Solution: Changed code to handle this scenario. Symantec Endpoint Protection client creates virus notification later in the log on process to avoid the crash.

      Host Integrity firewall rule does not detect Norton Internet Security 2008
      Fix ID: 1196203
      Symptom: Host Integrity check for Norton Internet Security 2008 fails, stating that the system is not running a firewall.
      Solution: Host Integrity check now recognizes NIS 2008 as a firewall.

      Symantec Endpoint Protection client configuration information is not stored correctly
      Fix ID: 1192670
      Symptom: After applying new feature set to Symantec Endpoint Protection client, registry backups are replaced with path to SysRasMan.dll instead of rastls.dll.
      Solution: This problem is caused by the installer continually overwriting the backup registry keys. Installer now detects this behavior and prevents it from occurring. Installer also detects a migration from a broken system and repairs/resets registry keys back to defaults.

      Checkpoint VPN software breaks Symantec Endpoint Protection Manager/client communication
      Fix ID: 1200105
      Symptom: Regardless of order of installation, Symantec Endpoint Protection client communication is disrupted when Checkpoint VPN software is installed on the client. After all necessary reboots, Symantec Endpoint Protection gold shield loses the green dot. It sometimes stays up for a minute or two at startup, but disappears shortly. Restarting the SMC service allows it to communicate again, but only for a heartbeat or two.
      Solution: Modified code that makes Checkpoint VPN compatible with Symantec Endpoint Protection client.

      After installing Symantec Endpoint Protection client to computer that has Cisco VPN/Checkpoint (True Vector Driver), computer cannot connect to VPN Server
      Fix ID: 1177043
      Symptom: Uninstalling Symantec Endpoint Protection client does not resolve the problem. Customer must reinstall Cisco VPN and True Vector. Receives error in the Application Event Logs: "TrueVector driver: Driver install or load failure: LoadNTDeviceDriver. Win32 error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it."
      Solution: Removed legacy code that is not necessary for Symantec Endpoint Protection client to address communication problem and associated error.

      Cisco's stateful firewall does not start with Symantec Endpoint Protection client (Antivirus/Antispyware only) installed
      Fix ID: 1197749
      Symptom: Cisco stateful firewall does not start since Cisco believes that the Symantec Endpoint Protection firewall component is installed as well. Cisco detects Fwsvpn.dll and prevents Cisco VPN Client Stateful firewall from loading. This then leads to a Cisco policy violation when the client attempts to establish a VPN connection without the VPN Client Firewall enabled.
      Solution: Removed Fwsvpn.dll from installed files, and therefore problem with Cisco Stateful firewall not starting no longer exists. Symantec firewall team deemed removal of Fwsvpn.dll to be safe as it is no longer needed to address a specific problem with Symantec and Zone Alarm.

      Some Third-Party applications fail to load when Symantec Endpoint Protection client is installed
      Fix ID: 1209639 / 1180417
      Symptom: After installing Symantec Endpoint Protection client with default settings, some third-party applications fail to load. The default setting under Communications Settings for Global > Upload > "Upload a list of applications that the clients have run" is checked. When Symantec Endpoint Protection performs its check, it touches the license file of the third-party application and causes it to fail to load.
      Solution: The setting "Upload a list of applications that the clients have run" is now unchecked by default so that this problem does not occur. This default setting is only for newly installed Symantec Endpoint Protection management servers and clients. If users migrate from previous versions, the setting of the previous version will also be migrated.

      Symantec Endpoint Protection client does not correctly exclude Windows mount points
      Fix ID: 1165797
      Symptom: After creating a mount point and then excluding it in the Symantec Endpoint Protection client, performing a scan on the mount point will result in detecting infected files when they should actually be excluded.
      Solution: Fixed API that addresses this problem. Note: This fix is not available for Windows 2000.

      Proactive Threat Protection displays incorrect status on Symantec Endpoint Protection client
      Fix ID: 1162794
      Symptom: From Symantec Endpoint Protection client, under Proactive Threat Protection, it displays "Waiting for Updates," even though no updates are expected.
      Solution: Status of Proactive Threat Protection displays correctly in the user interface.

      Proactive Threat Scan errors after Symantec Endpoint Protection client service starts
      Fix ID: 1189167, 1207606
      Symptom: After about 1 hour of the Symantec Endpoint Protection service starting up (this is the default proactive threat scan frequency), Proactive Threat Scan triggers the following errors 9 and 14.
      Solution: Added a new registry key that indicates whether Proactive Threat Scan is installed so that scans are only attempted when Proactive Threat Scan is available.

      Symantec Client Firewall migration tool does not run when an older version of Java is installed
      Fix ID: 1196059
      Symptom: Symantec Client Firewall migration tool does not run on a computer with an older version of Java installed.
      Solution: Checks implemented into Symantec Client Firewall migration tool to expect either of the following two conditions to be fulfilled: The JRE path for the public Java install is updated in the PATH environment variable and is either version 1.5 or greater OR the tool runs from the Symantec Endpoint Protection Manager bin directory.

      No notification of location change
      Fix ID: 1191379
      Symptom: After configuring locations from Symantec Endpoint Protection Manager and defining a message, Symantec Endpoint Protection client does not receive a notification stating that the client's location changed.
      Solution: Symantec Endpoint Protection client is notified when location has changed.

      Unmanaged Symantec Endpoint Protection client should not have option to Update Policy
      Fix ID: 1184273
      Symptom: After installing an unmanaged client package on a client computer, and then right-clicking on the Symantec Endpoint Protection tray icon, user can click on the Update Policy setting and receive the following message "Requesting Update Policy from the Symantec Endpoint Protection Manager." This is misleading as the client is not attached to Symantec Endpoint Protection Manager.
      Solution: Whether installed from the CD or unmanaged client package, an unmanaged Symantec Endpoint Protection client does not have the option to "Update Policy" by right-clicking the Symantec Endpoint Protection icon in the system tray.

      Active Response is triggered even when the IDS signature is set to allow
      Fix ID: 1180686
      Symptom: When Active Response is checked within an IDS rule, Active Response is triggered regardless of severity or whether the traffic is allowed or blocked.
      Solution: Active Response module modified to monitor both severity and action. If the action is allowed, Active Response is not triggered. Active Response is triggered for blocked traffic. If the action severity is "Info" or "Normal," Active Response is not triggered. Active Response is triggered for "Critical," "Major," and "Minor."

      Tray Icon color is grey on Windows 2000 Computers
      Fix ID: 1184772
      Symptom: After installing Symantec Endpoint Protection client to a Windows 2000 computer, the Symantec system tray icon is grey, rather than in color.
      Solution: Tray icon is now in gold color on Windows 2000 computers

      German Symantec Endpoint Protection client user interface displays default retention time for logs as 14 years
      Fix ID: 1185711
      Symptom: Symantec Endpoint Protection client incorrectly shows that default retention time for logs is 14 years, when in reality it is 14 days.
      Solution: Fixed German translation problem so that Symantec Endpoint Protection displays the correct time.

      DBCS characters in Symantec Endpoint Protection client Security Logs do not display correctly
      Fix ID: 1187968
      Symptom: After upgrading the Firefox internet browser, DBCS characters appear as garbage characters in the Symantec Endpoint Protection client security log.
      Solution: Characters appear correctly in the log.

      Untranslated strings
      Fix ID: 1127029
      Symptom: Untranslated strings exist in Host Integrity alerts on Symantec Endpoint Protection client and Quarantine client location name in Symantec Endpoint Protection Manager.
      Solution: Translated strings for Host Integrity alerts.


    Symantec Network Access Control client fixes
      Symantec Network Access Control Enforcer Plugin service fails
      Fix ID: 1201298
      Symptom: If more than 51 trusted MAC addresses are added to the DHCP Plugin profile, the Plugin service fails.
      Solution: Maximum number of trusted MAC addresses was increased to 16384 addresses to prevent this problem from occurring.

      Checkpoint VPN client connections blocked by Agent Symantec Network Access Control service
      Fix ID: 1187895
      Symptom: After enabling Symantec Network Access Control, cannot create VPN tunnel. With Symantec Endpoint Protection client enabled only, there is no problem.
      Solution: Agent Symantec Network Access Control service updated to ignore the Checkpoint VPN adapter if it is found, so that VPN tunnels can be created.

      Focus removed from current window on Symantec Network Access Control-enabled Symantec Endpoint Protection clients
      Fix ID: 1203494
      Symptom: For Symantec Network Access Control-enabled Symantec Endpoint Protection clients, every time the DHCP lease is renewed, focus is removed from the current window. User must select window to regain focus.
      Solution: The problem occurred because SmcGui.exe launched explorer.exe hidden in the background whenever the IP lease is renewed. This action was corrected to maintain focus on current window.

      Migrating Symantec Network Access Control 11.0 client to Symantec Network Access Control 11.0 MR1 client without restart crashes computer
      Fix ID: 1184978
      Symptom: After migrating Symantec Network Access Control 11.0 to Symantec Network Access Control 11.0 MR1 client without restarting, the following errors occur: On Windows XP 32-bit, services.exe crash and the system shuts down and restarts automatically; On Windows XP 64-bit, Symantec Network Access Control service could not be installed.
      Solution: Fixed where Symantec Network Access Control installation looks for registry keys, and thus prevents crashes.

      Symantec Network Access Control MR1 CD (CD2) gives error when running setup.exe
      Fix ID: 1195530
      Symptom: Attempting to upgrade Symantec Endpoint Protection Manager from CD2 gives the following error: "Symantec Endpoint Protection Manager is already installed on this computer." No other details about version or client packages are included.
      Solution: Modified installer to allow Symantec Endpoint Protection Manager upgrade.

      Symantec Network Access Control client does not switch to normal DHCP address after passing Host Integrity check
      Fix ID: 1217348
      Symptom: Symantec Network Access Control client is moved to Quarantine after failing Host Integrity check. When client is remediated and passes HI check, it should switch to a normal DHCP address, but it does not. Client is left with quarantine IP address with net mask 255.255.255.255
      Solution: Symantec Network Access Control client switches to normal DHCP address once it passes Host Integrity check.

      Japanese Symantec Network Access Control client remains in quarantine after it passes Host Integrity check
      Fix ID: 1221537
      Symptom: Japanese Symantec Network Access Control client fails Host Integrity check and is moved to quarantine. After Symantec Network Access Control client passes Host Integrity check, it remains in quarantine, when it should be in default location.
      Solution: Added a localization variable that prevents this situation from occurring, so that the Japanese Symantec Network Access Control client can move to default location after passing Host Integrity check.

      Symantec Network Access Control Gateway Enforcer Advanced Configuration settings overwritten when new policy is applied to client
      Fix ID: 1183238
      Symptom: If you make an advanced configuration change on the Enforcer client (i.e. configure advanced legacy allow), the setting will take effect. However, as soon as any (unrelated) Enforcer Group configuration change is applied to the Enforcer, the previous Advanced Configuration changes are overwritten with default values.
      Solution: Added ability to configure "AllowLegacyClient" from the server console for Gateway, LAN, DHCP, and Integrated Enforcers. Changed the default value of "Allow Legacy Client" to false. Fixed user interface to honor the default value if it is not set by Enforcer during registration.

      Symantec Network Access Control Enforcer "User_Class" disabled after stopping and starting Enforcer
      Fix ID: 782827/1200266
      Symptom: With "User_Class" enabled, stop and start the Enforcer. User_Class setting is changed to disabled.
      Solution: Policy Manager modified to generate the correct user profile so that User_Class setting retains its setting when the Enforcer is stopped and restarted.

      Tray icon on Symantec Network Access Control client has invalid configuration option
      Fix ID: 1173972
      Symptom: With the 802.1x option not enabled, Symantec Network Access Control client tray icon shows "Re-Authentication" option as a valid option.
      Solution: Grayed out Re-Authentication option when 802.1x option is not checked or when "Use the client as an 802.1x supplicant" is unchecked.

      DHCP Symantec Network Access Control Enforcer does not detect changed remote host name in log
      Fix ID: 1167808
      Symptom: From a dual boot computer, logging off of hostname A and then logging into hostname B results in DHCP Enforcer logs displaying hostname A. Stopping and restarting the Enforcer service brings about the expected result: DHCP Enforcer logs displaying hostname B.
      Solution: Instead of using cache entry to determine hostname that is currently logged in, use first packet from the booting Symantec Endpoint Protection client to determine hostname.

      Incorrect message appears on Symantec Network Access Control client when performing check
      Fix ID: 1195490
      Symptom: From Symantec Endpoint Protection (or Symantec Network Access Control) client, click Status > Network Access Control > Options > Check Now. Message box that appears says "Check the Messages for results." It should state "See the Security Log for results."
      Solution: Message box was changed to display the correct information.

      Misleading Symantec Network Access Control Enforcer client log entry
      Fix ID: 1201307
      Symptom: Enforcer client log on the Symantec Endpoint Protection Manager shows "no response from RADIUS server" even though the RADIUS server is responsive.
      Solution: Log entry is inappropriate, and was changed from "No response from RADIUS server" to "RADIUS server cannot..."




    Maintenance Patch 1 for Maintenance Release 1 (MR1 MP1)
    This section describes the fixes in Maintenance Patch 1 for Maintenance Release 1.

    About Maintenance Patch 1
    Maintenance Patch 1 updates only Symantec Endpoint Protection Manager. It does not need to be installed to clients.

    This Maintenance Patch cannot be installed over the original 11.0.0 version of Symantec Endpoint Protection Manager. It must be installed over Maintenance Release 1, or onto a computer with no Manager installed. For information about how to obtain the latest build of Symantec Endpoint Protection, read the following document: Obtaining an upgrade or update for Symantec Endpoint Protection 11.x or Symantec Network Access Control 11.x.

    You can use the Maintenance Patch 1 installer to install the Manager on computers that do not already have Symantec Endpoint Protection Manager. The Manager contains client installation packages for Symantec Endpoint Protection Maintenance Release 1.


    Symantec Endpoint Protection Manager fixes
      Agents do not appear in Symantec Endpoint Protection Manager
      Fix ID: 1178101
      Symptom: Agents do not show up correctly in Symantec Endpoint Protection Manager. If Symantec Endpoint Protection Manager is restarted, agents will show up correctly. However, after Active Directory synchronizes with Symantec Endpoint Protection Manager, the agents will display offline again. This occurs every 24 hours.
      Solution: Modified the order of how objects are processed so that agents appear correctly as "online" in Symantec Endpoint Protection Manager.

      Port leak on Symantec Endpoint Protection Manager
      Fix ID: 1183253
      Symptom: Symantec Endpoint Protection Manager becomes unresponsive as clients download updates: CLOSE_WAIT sockets are not closed, the server runs out of ports, and it becomes deaf to the console. As this continues, at some point you can no longer remote desktop to the server. When the server is full, 3500 sockets are in CLOSE_WAIT, almost all the rest are in TIME_WAIT, and there are 15 or so talking to the database and clients. As time passes, the number of CLOSE_WAIT sockets slowly rises.
      Solution: Symantec Endpoint Protection Manager process no longer has CLOSE_WAIT states after clients download updates, preventing the leaked ports from monopolizing all the server's ports.

      Symantec Endpoint Protection Manager Management Console Home Page: Virus Definitions Bar chart and IPS Signatures chart do not display
      Fix ID: 1190971
      Symptom: Charts on the Home Page appear blank.
      Solution: Modified code to ensure that chart information is displayed as expected on the Home Page.

      Group Folders are not created or take too long to create
      Fix ID: 1191851, 1201662
      Symptom: When you have a large number of existing groups, creating new groups fails as SemSvc.exe runs a check on all existing folders (one folder for each group). After over an hour, the new group is not created. When viewing created groups, some contain 2 files, while others contain over 20 files. In some instances, creating a group would take over an hour.
      Solution: Added a condition that optimizes creation of groups, so that groups and group folders are created in a timely manner.

      Import of policy from one Symantec Endpoint Protection Manager domain to another fails
      Fix ID: 1183186
      Symptom: After clicking "Import" to import a policy from one Symantec Endpoint Protection Manager domain to another, the action fails with no error message. This particularly happens when attempting to import firewall policies that use rules which apply to host groups that are not present in the new domain, or when importing policies from a migrated Symantec AntiVirus server group into a new domain.
      Solution: Import action failed because the new domain did not contain the same host group names. This issue is resolved by implementing the following: creating the host group if it does not exist in the new domain; adding error handling messages if an error does occur; and merging host groups if the user selects to overwrite the existing policy for already existing groups.



    Maintenance Release 1 (MR1)
    This section describes the fixes in Maintenance Release 1 of Symantec Endpoint Protection 11.0 and Symantec Network Access Control 11.0.

    Components


    Component             Version
    AutoProtect           10.2.2.5/10.2.2.6
    AVComp                2.0.58.0
    Behavior Blocking     3.3.3.015
    ccEraser20072.0.1.6
    COH                   6.1.2.054
    Common Client         106.6.3.2
    DecABI                1.1.0.37
    Defutils              3.3.11.0
    Deuce Engine          3.0.2.2007-06-06_01
    ECOM                  71.1.0.11
    Intelligent Updater   5.0.25
    LiveUpdate            3.3.0.61
    LiveSubReg            2.4.2
    LiveUpdateAdmin       2.1.77
    LiveUpdateCCPA        1.0.2
    LOTS Manager          3.3.0.61
    Microdefs             2.5.36.0
    Packager              1.2.3.924
    QServer               3.5.76
    SAV                   11.0.1000.1112
    SAV for Linux         1.0.3.8
    Scan And Deliver      2005.15.0.14
    SESCMC                11.0.1000.1091
    SESM                  11.0.1000.1049
    SyKnAppS              1.5.3.7
    SymEvent              12.4.0.25
    SymNetDrv             7.2.0.15
    SymSentry             2.1.101
    SymStat               24.0.0.0
    Teefer2               11.0.690
    WpsHelper             11.0.717.804
    VxMS (MSLight)        5.0.71.0

     

    Symantec Endpoint Protection fixes

      Compatibility with Checkpoint VPN
      Fix ID: 964738
      Symptom: Installation of Checkpoint VPN will either fail or VPN client will not function when Device Control is installed with Symantec Endpoint Protection client.
      Solution: Modified white list to remove incompatible reference to sr_service.exe

      Performance of Outlook e-mail Protection
      Fix ID: 1087587
      Symptom: Performance degradation on system when Outlook Auto-Protect plugin is enabled.
      Solution: Modified the Outlook plugin so that it scans attachments when they are selected to be opened rather than when the message is selected to be read.

      Accessing remote network shares after the installation of Symantec Endpoint Protection
      Fix ID: 1124570
      Symptom: After the installation of Symantec Endpoint Protection with Network Threat Protection, users cannot access remote network shares.
      Solution: Modified default rule set for the "Self Managed" client to prevent traffic from being blocked.

      Wireless communication blocked by default with stand-alone client
      Fix ID: 1146977
      Symptom: Rule generated that allows EAPOL was set to block by default. Stand-alone client does not have access to set this rule in the UI.
      Solution: Modified the UI so that a stand-alone user can change the EAPOL to allow or block. It is set to allow by default on the stand-alone client.

      Symantec Endpoint Protection client install fails at 75% install
      Fix ID: 1149379
      Symptom: Symantec Endpoint Protection client install fails at 75% install
      Solution: Removed component attempting to stop and restart the service. A reboot prompt will occur when Symantec Network Access Control is installed so that the Wireless Zero Configuration service can stop and start with the operating system rather than having the Symantec Network Access Control install attempt to perform the action.

      Windows NT Event contains many LiveUpdate entries
      Fix ID: 1154429
      Symptom: LiveUpdate Events fill Windows System Log with multiple entries.
      Solution: Created a local cache of content sequence numbers. Logs are not created unless the LiveUpdate product inventory is changed.

      Access to network shares is lost after installing Symantec Endpoint Protection client on Windows Server
      Fix ID: 1154729
      Symptom: Access is lost to Windows Server 2003 shares after files are copied to the server that has Symantec Endpoint Protection client installed on it.
      Solution: AutoProtect was modified to detect such conditions and prevent the deadlock from occurring.

      Symantec Management Client (SMC.exe) uses more CPU when user is not logged into system.
      Fix ID: 1131386
      Symptom: SMC service spikes the CPU then reaches a steady state of 40-50% CPU when the user logs out.
      Solution: SMC spiked the CPU looking for a logged-in user. Modified the search function so that it will use less CPU time.

      Importing OU structure from eDirectory LDAP server
      Fix ID: 1129941
      Symptom: Importing OU structure from eDirectory synchronizes the root objects but does not pull objects beneath the root.
      Solution: Modified the search parameters to return the normal and operational parameter as an operational parameter so that objects will be imported correctly.

      Synchronization with Active Directory fails when conflict records exist.
      Fix ID: 1138805
      Symptom: Organizational Units do not import correctly from Active Directory if conflict entries are encountered during the import process.
      Solution: Modified importing code so that invalid entries are skipped. Skipped entries are logged to the debug log.

      Client connecting with Symantec Endpoint Protection Manager
      Fix ID: 1123148
      Symptom: Kernel memory leak in WPS Helper driver prevents IIS from accepting connections.
      Solution: Resolved memory leak

      Floppy drive scanning
      Fix ID: 1161393
      Symptom: Floppy drives are scanned on shutdown even though the administrator selects them not to be scanned.
      Solution: The option will be set correctly to the desired configuration

      Description for Auto-Protect setting was switched.
      Fix ID: 1162823
      Symptom: The Auto-Protect setting "Scan when a file is accessed or modified" was incorrectly switched with the setting, "Scan when a file is accessed".
      Solution: Changed the UI so that each setting has the correct description.

      GroupWise 7.X installation fails with Symantec Endpoint Protection installed.
      Fix ID: 1165265
      Symptom: Installing Symantec Endpoint Protection with Application and Device Control prevents GroupWise 7.x from launching correctly.
      Solution: Modified application and device control policy so that it was using the correct operating system folder.

      Deployment Wizard prompts for username and password on every computer
      Fix ID: 1167447
      Symptom: Deployment Wizard (Client Remote) prompts for a username and password for each computer selected for client deployment, even when the credentials are the same.
      Solution: Now using the authentication cache to eliminate unnecessary re-entering of user/password info when deploying multiple clients. This is similar to the way that ClientRemote worked in 10.x

      Error when running Configuration Wizard to install an additional site for replication
      Fix ID: 1175545
      Symptom: When running the Management Server Configuration Wizard to install an additional site for replication (using SQL 2005), the wizard interrupts with a data truncation error.
      Solution: Handled DateTime field correctly with French version of SQL

      Symantec Endpoint Protection Manager no longer downloads definitions after being updated with rapid release .jdb file.
      Fix ID: 1163481
      Symptom: After updating Symantec Endpoint Protection Manager with a rapid response .jdb file, it would no longer process the newer certified definitions brought down through LiveUpdate.
      Solution: Modified the logic on Symantec Endpoint Protection Manager so that it processed the .jdb definitions as the newest definitions.

      Proactive Threat Protection signatures not updating on client
      Fix ID: 1167523
      Symptom: Symantec Known Application list not updating when client was configured to get content from Symantec Endpoint Protection Manager.
      Solution: Setting the correct values for LiveUpdate server when client is pulling content from Symantec Endpoint Protection Manager.

      SEP client is not showing icon in the system tray
      Fix ID: 1145044
      Symptom: The yellow shield icon in the system tray was not being displayed. All that users see is the green circle when the client is communicating with the manager.
      Solution: Corrected logic condition which caused icon to not be displayed.

      Logging into Symantec Endpoint Protection Manager when it is installed on the same system as Backup Exec Continuous Protection Server causes error
      Fix ID: 1142597
      Symptom: Communication error is received when attempting to log into Symantec Endpoint Protection Manager after Symantec Endpoint Protection Manager is installed on the same computer as Backup Exec Continuous Protection Server.
      Solution: This was caused by a port conflict on 8443. Installation wizard was modified to detect the port in use and to select an alternate port. This solution will work for any application that has already bound port 8443.

      Compatibility issue with Microsoft SQL profiler tool
      Fix ID: 1146828
      Symptom: Application popup: PROFILER90.EXE - Application Error : The application failed to initialize properly (0xc0000005). Click on OK to terminate the application.
      Solution: Resolved compatibility issue with sysplant driver.

      Client User Interface status will show red when the Lotus Notes e-mail protection is not installed.
      Fix ID: 1139886
      Symptom: The status on the main client user interface will display red when the Lotus Notes plugin is not installed with the client.
      Solution: Modified the client status so that it will exclude the Lotus Notes e-mail protection if it is not installed on the client.

      Application Control is disabled when Network Threat Control is disabled
      Fix ID: 1008642
      Symptom: When user selects to disable Network Threat Protection, Application Control protection is disabled.
      Solution: Modified controls so that disabling Network Threat Protection does not disable Application Control

      Device Control is disabled when Network Threat Protection is disabled
      Fix ID: 1008655
      Symptom: When user selects to disable Network Threat Protection, Device Control protection is disabled.
      Solution: Modified controls so that disabling Network Threat Protection does not disable Device Control

      Deploying clients to Active Directory groups
      Fix ID: 1123131
      Symptom: After client packages are deployed to computers in an Active Directory group, the computers appear in the temporary group.
      Solution: Modified the sylink file so that it is not overwritten by an "unmanaged" sylink file.

      Startup Scan running after Migration from SCS to SEP v11.0
      Fix ID: 1127065
      Symptom: A startup scan runs even though it was originally set to disabled prior to the migration.
      Solution: Modified the attribute on migration so that the startup scan would not run if configured to not do so.

      Stand-alone client install does not function when exported from Symantec Endpoint Protection Manager
      Fix ID: 1148518
      Symptom: All file and folder names were missing the first character when the files were extracted to the temp directory. This prevented the client installation package from executing correctly.
      Solution: Modified the path export function to remove an extra path separator so that all files have the correct characters.

      Locked Auto-Protect settings do not propagate to client
      Fix ID: 1153011
      Symptom: Client GUI used the read-only attribute to prevent changes from being made rather than displaying a grey state
      Solution: Client GUI will display the proper locked state when access to control is set to lock from Symantec Endpoint Protection Manager.

      Block rule for CD/DVDs no longer functions after migrating SEP v11.0 over SSEP 5.1 server
      Fix ID: 1154818
      Symptom: Block rule for CD/DVDs does not trigger after migrating to SEP v11.0 from SSEP 5.1.
      Solution: Updated the upgrade mechanism to set the new domain for devices so that the policy is successfully migrated.

      Missing Network Threat Protection component when logging in as restricted user
      Fix ID: 1155546
      Symptom: Network Threat Protection does not show up in main client UI after switching from an administrator account to a restricted account.
      Solution: Modified the session processing logic so that it tolerates an error in the operating system API.

      Symantec Auto-Upgrade Agent service fails to start
      Fix ID: 1167997
      Symptom: Error Message(s): Service Control Manager popup error: "At least one service or driver failed during system startup"
      Error Event ID 7000 in the Windows system event log.
      Source: Service Control Manager.
      Description: The Symantec Auto-upgrade Agent service failed to start due to the following error: "The system cannot find the file specified."
      Solution: The smcinst.exe service is no longer set to Automatic when the service is already installed.

      Client Group information in the Troubleshooting section displays the client group name only
      Fix ID: 1168861
      Symptom: The entire path of the client group is not displayed in the troubleshooting section.
      Solution: Modified the display so that the entire client group path will be shown.

      Scheduled scans not running when user is logged off
      Fix ID: 1169275
      Symptom: On Windows 2000 systems, scheduled scans did not run when the user was logged off, even if configured to do so.
      Solution: Modified logon code to check for smcgui rather than vptray.

      Client UI would not display new definition date
      Fix ID: 1171767
      Symptom: On Windows Vista, the SEP client UI did not update the virus definition date after new definitions were downloaded.
      Solution: Modified the check for VirusDefs so that the directory change notification is received correctly.

      Exporting client troubleshooting data
      Fix ID: 1054802
      Symptom: Information that appeared in the client Troubleshooting section could not be exported
      Solution: The ability to export troubleshooting data has been added to the SEP client

      Displaying clients in the Virus Definition Distribution table
      Fix ID: 1104932
      Symptom: Clients that did not have Network Threat Protection module installed are listed in the Virus Definition Distribution Table.
      Solution: The report correctly filters out clients that should not be displayed if the technology is not installed

      Configuring missed LiveUpdate events
      Fix ID: 1105014
      Symptom: Client UI did not include the setting to allow a LiveUpdate event to be run when the computer was off during the scheduled time.
      Solution: The client scheduled LiveUpdate UI was updated to include the missed event option.

      Setting policy to allow user to modify LU schedule
      Fix ID: 1110115
      Symptom: Setting the option "Allow the user to manually launch LiveUpdate" would not enable this feature on the client.
      Solution: Setting the option in the Console will allow the end user to modify the LiveUpdate schedule

      Firewall does not enable when changing locations
      Fix ID: 1139747
      Symptom: The firewall is not enabled when the computer changes to a new location if the user disabled it in the old location.
      Solution: The firewall is enabled when a new location is detected.

      System Lockdown generates a large amount of log events that are forwarded to the management server
      Fix ID: 1139876
      Symptom: A large number of the same events will appear in the control logs when System Lockdown is configured in log only mode. Most of these events will be for the same files.
      Solution: A damper control has been added which will prevent identical log entries from displaying if they occur within the same 60 seconds.

      RTVScan.exe application error
      Fix ID: 1162150
      Symptom: An error dialog appears with the following information: RTVscan.exe Application Error - Unknown exception (0xc00000fd) occurred in the application at location 0x65ec9abc
      Solution: Modified shutdown thread to wait for proper termination rather than depend on a delay cycle

      Client updates definitions from quarantine location
      Fix ID: 1053078
      Symptom: Client does not switch to using LUA to download definitions when it is in a quarantine location
      Solution: Client will successfully switch the policy to allow it to pull definitions from LUA

      Auto-Protect option is not set correctly on the client
      Fix ID: 1108152
      Symptom: Enabling the option to "Check floppies when the computer shuts down" would disable the feature on the client.
      Solution: Modified settings for the configuration file so that it was applied correctly at the client

      Showing the correct status on the client UI for AntiVirus and antispyware
      Fix ID: 1117515
      Symptom: When a restricted user opens the main client UI, they see red X's for the AntiVirus and antispyware status as well as for Proactive Threat Protection.
      Solution: Since restricted users do not have the rights on the system to change the status, the red X is not displayed.

      Report "Clients with Latest policy" does not show clients with older policies
      Fix ID: 1158086
      Symptom: Report "Clients with Latest policy" does not show clients with older policies.
      Solution: Added the latest policy serial number as a reference so that all policies would be displayed.

      Viewing reports with the time range, "Past 24 hours" results in an error message
      Fix ID: 1159662
      Symptom: On the first of the month, if any log or report is selected with the time range set to "Past 24 hours", the user will get the message "Your Start Date must be greater than the end date."
      Solution: Modified logic in the filter to correctly adjust for the shift in days

    Symantec Network Access Control fixes
      Incompatibility with Symantec Network Access Control and L2TP VPN connection
      Fix ID: 1158037
      Symptom: Incompatibility with Symantec Network Access Control and L2TP VPN connection.
      Solution: Symantec Network Access Control was modified to detect whether PPTP or L2TP VPN connections are being used so that the original EAP DLLs are used rather than SymRasMan.dll for authentication.



    Product(s): Endpoint Protection 11
    Operating Systems(s):
    Date Created: 12/12/2007

      © 1995-2009 Symantec Corporation. All rights reserved.