Symantec Endpoint Protection Changelog

What's new in Symantec Endpoint Protection 14.3.3384.1000

Dec 5, 2020

Protection Features:
Includes the new Symantec Mac Agent and the Symantec Linux Agent that can be installed and managed from either the on-premises Symantec Endpoint Protection Manager or the Integrated Cyber Defense Manager cloud console.
Installing the Symantec Endpoint Protection client for Mac
Installing the Symantec Agent for Linux 14.3 RU1
Prevents new and unknown threats on the macOS by monitoring nearly 1,400 file behaviors in real time. The new Mac Agent includes these behavioral protection capabilities. Behavioral protection, or SONAR, uses artificial intelligence and advanced machine learning for zero-day protection to effectively stop new threats.
Managing SONAR
Blocks untrusted non-portable executable (PE) files such as PDF files and scripts that are not yet identified as a threat. In the Exceptions policy, click Windows Exceptions
> File Access
Prevents web threats based on the reputation score of a web page. The Intrusion Prevention policy includes URL reputation filtering, which blocks web pages with reputation scores below a specific threshold. Reputation scores range from -10 (bad) to +10 (good). The Enable URL Reputation
option is enabled by default.
You can force Symantec Endpoint Protection to learn an application based on the application's hash value. In the Exceptions policy, click Windows Exceptions
> Application
> Add an Application by Fingerprint
Protects endpoints and users from web-based attacks on malicious sites using the Network Traffic Redirection feature. Network Traffic Redirection redirects all network traffic (any port) or just web-based traffic (ports 80 and 443) to the Symantec Web Security Service, which allows or blocks network traffic and SaaS application access based on the enterprise policy. The Network Traffic Redirection policy has a new redirection method called the tunnel method. The tunnel method automatically redirects all Internet traffic to the Symantec WSS, where the traffic is allowed or blocked based on the Symantec Web Security Service policies. The tunnel method is considered a beta feature. You should perform thorough testing with your applications against your WSS policies. Broadcom has a beta website that offers a testing guide and a place to leave feedback on your experience. Log on to the following website using your Broadcom credentials: Validate.broadcom.com.
Configuring Network Traffic Redirection
The Integrations policy was renamed to the Network Traffic Redirection policy.
Provides support for MITRE-enriched events in Symantec EDR. Leverage the MITRE ATT&CK framework to provide context into what is happening in your environment.
Provides support for the following Symantec EDR events, which expose more visibility into the endpoints:
AMSI events provide visibility of threat actor methods that can evade traditional command-line interrogation methods.
ETW events provide visibility into events happening on managed Windows endpoints.
Includes the ability to run both the Windows Defender and Symantec Endpoint Protection on the same computer. The Auto-Protect scan runs after Windows Defender and can detect any threats that Windows Defender misses. The Coexist with Windows Defender
option ensures that Auto-Protect runs in case Microsoft Defender is disabled. To disable the option, click the Virus and Spyware Protection policy > Miscellaneous
> Miscellaneous
tab.
Attack chain mitigation is now supported for hybrid-managed clients.
Symantec Endpoint Protection Manager:
The embedded database was updated to the Microsoft SQL Express database. The SQL Server Express database stores policies and security events more efficiently than the default embedded database and is installed automatically with the Symantec Endpoint Protection Manager.
Best practices for upgrading from the embedded database to the Microsoft SQL Server Express database
During the installation or upgrade of the Symantec Endpoint Protection Manager, the Management Server Configuration wizard:
Automatically installs LiveUpdate content.
Provides an option to use TLS certificate for secure communication between SQL Server and the Symantec Endpoint Protection Manager.
LiveUpdate uses a new engine in Symantec Endpoint Protection Manager
, which is optimized to run on the cloud console.
LiveUpdate Administrator release notes and new fixes
The Automatically uninstall existing third-party security software
option that was not available in 14.3 MP1 is available again in 14.3 RU1 with an updated version. This option is used to uninstall third-party security software. To access this option, click Admin
page > Packages
> Client Install Settings
Third-party security software removal in Endpoint Protection 14
Third-party security software removal in Endpoint Protection 14.3 RU1
The Client Deployment Wizard that is used to deploy client packages must have its credentials verified and able to connect to the Symantec Endpoint Protection Manager. If the verification process fails, the client deployment process stops to keep Active Directory user accounts from being locked.
Installing Symantec Endpoint Protection clients with Remote Push
The Computer Status logs and reports now lets you select a range for the Client version
and IPS version
fields. The Product version
filter was renamed to Client version
The Disable the notification tray icon
option is available for clients that run on a terminal server and that cause high CPU usage and memory usage. You can now disable the notification area icon, also known as the system tray icon, to prevent multiple instances of user session processes (like SmcGui.exe and ccSvcHost.exe) from running. You enable this option on the Clients
> Policies
tab > Security Settings
> General
tab.
Updated the whitelist and blacklist mode to reflect the allow and block functionality. On the Clients
page > Policies
tab > System Lockdown
dialog box, the application file lists changed from Whitelist Mode
and Blacklist Mode
to Allow Mode
and Deny Mode
On the Admin
page > Servers
tab > Configure External Logging
> General
tab, the Master Logging Server
option changed to Primary Logging Server
The System
log type > Administrative
log and the Audit
log lists the computer name.
Client firewall logs are collected so that you get fewer notifications on the cloud console.
Replaced the Oracle Java SE with the OpenJDK.
Updated the third-party components JQuery to a newer version.
Client and platform updates:
The Windows client supports Windows 10 20H2 (Windows 10 version 2009).
The Mac client supports macOS 11 (Big Sur).
Moved the legacy Mac client installation packages to the AdditionalPackages folder.
Features Removed:
The Risk severity
and Risk Distribution by Severity
options were removed from notifications and reports.
The CASMA
tab and Analyze
command were removed, as this functionality was deprecated in 14.3.
The Mac client no longer supports macOS 10.13.
Documentation:
The Symantec Endpoint Protection Manager Help is now online and located at: Symantec Endpoint Protection Installation and Administration Guide

New in Symantec Endpoint Protection 14.3.558.0000 (May 17, 2020)

New in Symantec Endpoint Protection 14.2.5587.2100 RU2 MP1 (Apr 15, 2020)

New in Symantec Endpoint Protection 14.2.5569.2100 (Jan 28, 2020)

New in Symantec Endpoint Protection 14.2.5323.2000 (Nov 14, 2019)

What's new in this version:
Added the following operating system support:
Windows 10 19H2 (version 1909)
macOS 10.15 (Catalina)
Upgraded multiple third-party components to newer versions.
New fixes:
SES clients automatically upgrade to client versions available on the Latest channel
Fix ID: ESCRT-2338
Symptoms: Symantec Endpoint Security (SEP 15) clients automatically upgrade to the latest available version, despite the Auto-Upgrade setting being disabled.
Solution: Changed null policy behavior so that Auto-Upgrade is disabled by default.
14.2 RU1 MP1 clients are unable to failover from Proxy connection to Direct connection
Fix ID: ESCRT-2323
Symptoms: 14.2 RU1 MP1 clients only attempt to connect to the parameters defined for System Proxy for SEPM communication.
Solution: Direct connection is now attempted prior to using the System Proxy connection.
14.2 RU1 MP1 Mac endpoints are unable to update definitions when a proxy is defined
Fix ID: ESCRT-2319
Symptoms: 14.2 RU1 MP1 Mac endpoints fail to connect to LiveUpdate when a System Proxy is configured.
Solution: Client configuration updated to properly honor the System Proxy configuration.
Client logs do not display the IP address used during the last SEPM connection attempt
Fix ID: ESCRT-2300
Symptoms: Clients page of the SEPM does not display the correct IP address in the Last Connected field.
Solution: Updated SEPM reporting to show the correct Last Connected IP address.
Windows 2019 Terminal Server hangs and no longer services RDP sessions
Fix ID: ESCRT-2277
Symptoms: Terminal Server running Windows Server 2019 hangs intermittently and is no longer able to serve RDP sessions.
Solution: Addressed a deadlock between MountVol and Auto-Protect.
SEPM Database backups fail after upgrading to 14.2 RU1 MP1
Fix ID: ESCRT-2251
Symptoms: SEPM built-in Database Backup utility displays the error “Network connectivity to the database server is not available.” for 14.2 RU1 MP1 with Microsoft SQL databases.
Solution: Updated JDBC implementation support to prevent an unexpected exception.
Windows Security Center displays a red “X” when the Firewall is disabled by policy
Fix ID: ESCRT-2220
Symptoms: When the SEP Firewall is intentionally disabled by policy the Windows Security Center displays a warning.
Solution: Corrected the status sent to Windows Security Center when the Firewall is installed, but in a disabled state via policy.
Automatic Exclusions are not present for Exchange 2013 and Exchange 2016
Fix ID: ESCRT-2143
Symptoms: Exchange 2013 and Exchange 2016 do not have the same exclusions as previous versions of Exchange.
Solution: Added complete Auto-Exclusion support for Exchange 2013 and Exchange 2016.
CentOS 7.5 crashes when installing the 14.2 RU1 Linux client
Fix ID: ESCRT-2118
Symptoms: Installing 14.2 RU1 on CentOS 7.5 with kernel version 3.10.0.862 results in a system crash.
Solution: Updated auto-compile script to build and load the proper Auto-Protect kernel modules.
Deception logs do not display an IP address for Local IP
Fix ID: ESCRT-2114
Symptoms: Local IP field incorrectly shows 0.0.0.0 for the IP address in Deception logs.
Solution: Updated Application Control logging to ignore non-valid IP addresses.
Replication Partner audit events are missing detail in External Logging
Fix ID: ESCRT-2046
Symptoms: After deleting, adding, or editing a replication partner, External Logging does not contain any of the details.
Solution: Added the event type in the event description for replication partner events in External Logging.
ccSvcHst.exe crash observed while machine is experiencing low memory conditions
Fix ID: ESCRT-2016
Symptoms: Intermittent ccSvcHst.exe crash is observed on machines with extremely low memory conditions and high load.
Solution: Modified memory allocation requirements for logging structures.
ccSvcHst.exe crash observed while logging many traffic events
Fix ID: ESCRT-1987
Symptoms: Intermittent ccSvcHst.exe crash observed on machines where many traffic events are logged and process memory exhaustion occurs.
Solution: Modified memory allocation requirements for logging structures.
RESTAPI exception types “Application to Monitor” and “Tamper Protection” are not supported
Fix ID: ESCRT-1973
Symptoms: Attempts to create exception items for “Application to Monitor” and “Tamper Protection” via RESTAPI are unsuccessful.
Solution: Added support for the above exception types when using the RESTAPI.
An error “Symantec Endpoint Protection services are stopped.” is displayed after reinstalling
Fix ID: ESCRT-1971
Symptoms: After a reinstall or upgrade of Symantec Endpoint Protection, if a rollback occurs further installation attempts are met with the error “Symantec Endpoint Protection services are stopped.”.
Solution: If a rollback occurs, the ccSettings key is only removed if it’s not pre-existing.
Windows Server 2016 intermittent hang with SEP 14.2 RU1
Fix ID: ESCRT-1953
Symptoms: Intermittent hang observed on Windows Server 2016.
Solution: Addressed a deadly embrace between MountMgr and Auto-Protect.
CentOS 7.6 crashes when installing the 14.2 RU1 Linux client
Fix ID: ESCRT-1933
Symptoms: Installing 14.2 RU1 on CentOS 7.6 with kernel version 3.10.0.957 results in a system crash.
Solution: Updated auto-compile script to build and load the proper Auto-Protect kernel modules.
ccSvcHst.exe crash observed with SEP Firewall installed
Fix ID: ESCRT-1932
Symptoms: Intermittent ccSvcHst.exe crash is observed on machines with SEP Firewall installed.
Solution: Updated Traffic Security Engine parameters to improve file handling scenarios.
Linux File and Folder exceptions no longer work after enrolling SEPM with the SES Cloud Console
Fix ID: ESCRT-1926
Symptoms: Unable to create Linux File and Folder exceptions after enrolling an existing SEPM with the Symantec Endpoint Security Cloud Console.
Solution: Corrected a logic error to correctly separate Windows and Linux exceptions after SEPM Cloud enrollment.
Double Byte Character Set workgroup clients are unable to connect to the SEPM
Fix ID: ESCRT-1921
Symptoms: Clients receive an HTTP 412 error if the workgroup they reside in contains DBCS.
Solution: Changed the encoding used for certain fields to handle DBCS.
Large .2 files found in WindowsTemp folder with SEP installed
Fix ID: ESCRT-1887
Symptoms: Large temporary traffic log files with a .2 extension are found in the WindowsTemp folder.
Solution: Improved error handling when copying log files to temporary files.
External logging discrepancies when comparing with Risk report in a multiple SEPM environment
Fix ID: ESCRT-1866
Symptoms: In a site with load-balanced SEPMs, some logs are not processed to External logging dump files or Syslog servers.
Solution: Updated the USN mechanism used when processing client logs in a load-balanced SEPM configuration.
Upgrading to 14.2 RU1 results in changes to the SQL transaction log fixed size when auto-growth is disabled
Fix ID: ESCRT-1859
Symptoms: With auto-growth disabled, after a period of time the transaction log may become full and an error will be displayed during a SEPM upgrade to 14.2 RU1.
Solution: Added a new parameter to configure transaction log truncation during SEPM upgrade. Conf.Properties parameter: scm.upgrade.truncate.txnlog.enabled=false
ccSvcHst.exe crash observed with SEP Firewall installed
Fix ID: ESCRT-1853
Symptoms: Intermittent ccSvcHst.exe crash is observed on machines with SEP Firewall installed.
Solution: Updated Traffic Security Engine parameters to improve file handling scenarios.
Unable to save the layout of the Protection Technology view within the SEPM
Fix ID: ESCRT-1836
Symptoms: The selected column order for Protection Technology view is not preserved after logging out and logging back in to the SEPM.
Solution: Fixed the initialization of the table for the Clients panel.
“Query Failed” error when attempting to view the Computer Status logs
Fix ID: ESCRT-1829
Symptoms: When attempting to view the Computer Status log within the SEPM, the error message “Query Failed” is displayed.
Solution: Updated the table query to include the SERVICE_PACK column.
Mac icon missing in Server Control settings panel of the SEPM
Fix ID: ESCRT-1820
Symptoms: There’s no Mac icon in the Server Control settings panel, which is used to indicate platform supportability.
Solution: Added Windows and Mac icons to the appropriate settings.
RESTAPI policy commands fail if the policy type contains over 4,000 policies
Fix ID: ESCRT-1798
Symptoms: /api/v1/policies/summary RESTAPI fails when the policy type contains >4,000 policies.
Solution: Updated the way the policies are retrieved from the SEPM database.
Exported deception logs are missing the Caller Process
Fix ID: ESCRT-1795
Symptoms: After exporting Deception logs from the SEPM, some log entries contain a blank field for Caller Process Name.
Solution: Updated the query used when exporting Deception logs.
Unexpected Server Error displayed in the SEPM system log
Fix ID: ESCRT-1793
Symptoms: Intermittent Unexpected Server Error displayed in the SEPM system log in environments that have many Group Update Providers.
Solution: Updated queries related to the GUP_LIST table.
Limited Administrator is unable to export install packages after enrolling with the SES Cloud Console
Fix ID: ESCRT-1786
Symptoms: Limited Administrator accounts with Group/Package privileges are unable to export client installation packages after cloud enrollment.
Solution: Corrected Limited Administrator privileges when in a Cloud enrolled configuration.
Windows Server 2016 VMware virtual machine encounters a periodic system hang
Fix ID: ESCRT-1782
Symptoms: System hang observed on Windows Server 2016 virtual machines under certain conditions.
Solution: Updated the SEP client service to no longer attempt to display a window if there is no display connected.
Clients using a primary DNS suffix are not syncing with Active Directory imported clients
Fix ID: ESCRT-1774
Symptoms: Active Directory imported clients are showing offline under the OU structure and appear in the default group as online.
Solution: Updated the API used to obtain the Domain Name, so that it includes the complete DNS name.
Management Server Configuration Wizard does not allow the use of special characters when using Windows authentication
Fix ID: ESCRT-1765
Symptoms: Error displayed when attempting to use a % character in the DB user password for Windows Authentication.
Solution: Database User password validation updated.
Duplicate HWID found when running Powershell or RESTAPI to move clients
Fix ID: ESCRT-1747
Symptoms: MoveClient RESTAPI failing for user-mode clients.
Solution: Updated query so that only active clients bound with the HWID will be moved.
Memory leak in ccSvcHst.exe resulting in process crash
Fix ID: ESCRT-1744
Symptoms: ccSvcHst.exe crash observed after a period of time.
Solution: Fixed a memory leak in ccSvcHst.exe related to Tamper Protection exclusions.
SEPM emails fail to send to a TLS 1.2 only email server
Fix ID: ESCRT-1723
Symptoms: SEPM is unable to send email notifications to a mail server configured to only support TLS 1.2.
Solution: Updated JavaMail to a version that supports TLS 1.2.
“Query Failed” error when attempting to view details within a Risk log on SEPM
Fix ID: ESCRT-1718
Symptoms: Localized SEPM versions display a “Query Failed” error when attempting to view the details of a Risk within the Risk log.
Solution: Updated SEPM to use dynamic locale.
Client uninstall password doesn’t work with certain special character combinations
Fix ID: ESCRT-1708
Symptoms: The client uninstall password defined in the SEPM isn’t accepted on the endpoint with certain special character combinations.
Solution: Corrected an issue that caused the uninstall password to not be recognized by the endpoint.
SMC -importconfig command doesn’t work if there is no user logged in
Fix ID: ESCRT-1691
Symptoms: When using the smc -importconfig command via a script that doesn’t require a logged in user, it isn’t accepted.
Solution: Added support for using smc -importconfig without a logged in user.
SEPM installation fails during Group Policy Object Policy Review
Fix ID: ESCRT-1689
Symptoms: Attempting to install the SEPM fails during the GPOPolicyReview action, which is due to GPResult taking an extended period of time to return results in some environments.
Solution: Increased the timeout for GPOPolicyReview to 15 minutes.
Location Awareness stops working after dropping sylink.xml on an endpoint
Fix ID: ESCRT-1685
Symptoms: Sylink.xml dropped/imported on an endpoint results in Location Awareness no longer working until services restart.
Solution: Location Awareness functionality is no longer interrupted when a Sylink.xml is dropped/imported.
During midnight database maintenance tasks some endpoints are incorrectly swept
Fix ID: ESCRT-1624
Symptoms: Some endpoints incorrectly swept during nightly database maintenance activities.
Solution: Corrected a logic error to better handle clients that have certain flags associated with them.
SEPM RESTAPI Primary Key violation error when sending commands to copied AD imported clients
Fix ID: ESCRT-1617
Symptoms: Failure to send RESTAPI commands to copied OU clients.
Solution: Updated queries to only apply to the active client.
Unable to view the HELP page from the SEPM Web Console in 14.2 RU1
Fix ID: ESCRT-1603
Symptoms: The in-product help page does not load when using the SEPM Remote Web Console.
Solution: Updated code to handle opening the HELP page when logged in using FQDN as host.
Clients configured to get updates from SEPM and LiveUpdate simultaneously do not make requests to the SEPM
Fix ID: ESCRT-1590
Symptoms: SEP endpoints configured to use both SEPM and LiveUpdate to retrieve content appear to always try LiveUpdate first.
Solution: Updated code to check the package type from SEPM before choosing to download between LiveUpdate or SEPM.
RESTAPI returns deleted results for computers that use AD synchronization
Fix ID: ESCRT-1579
Symptoms: RESTAPI to query OU clients returns all clients that share one HWID, including deleted ones.
Solution: Added support for copied OU clients when using RESTAPI queries.
Duplicated OS information in RESTAPI responses when using the GET computers command
Fix ID: ESCRT-1575
Symptoms: The RESTAPI command GET /api/v1/computers returns duplicated OS information.
Solution: Updated code to remove the duplicate return results.
14.2 RU1 LiveUpdate Engine changes to use HTTPS only results in client definition download issues.
Fix ID: ESCRT-1570
Symptoms: If the proxy defined in IE is updated, LiveUpdate Engine on the endpoint does not recognize the change until it is restarted.
Solution: Updated logic so that Proxy information is checked prior to attempting to run LiveUpdate.
Incorrect SQL user displayed when viewing remote site database server information
Fix ID: ESCRT-1556
Symptoms: When viewing the DB properties of a remote site from within the Symantec Endpoint Protection Manager, the username for the database of the local site is displayed instead of that for the remote site.
Solution: Database query modified to generate correct result
Various inconsistencies in dump file logging complicate automated parsing
Fix ID: ESCRT-1532
Symptoms: A number of inconsistencies in dump file logging were identified that make it difficult for parsing to be automated. For example, paths alternately made use of backslashes and forward slashes.
Solution: Various changes to improve consistency including adding header file path and description, proper escaping of application names, and correcting header names.
Setting for “Maximum number of rows in report table” cannot be saved in SEPM
Fix ID: ESCRT-1534
Symptoms: In Symantec Endpoint Protection Manager under logs and reports preferences, changes to the value for “Maximum number of rows in report table” cannot be saved. A user must manually enter this value when exporting a report.
Solution: Corrected preferences page so value can be saved successfully.
Error when moving a client using Rest API
Fix ID: ESCRT-1495
Symptoms: An error may be generated when copying clients that are Active Directory sync enabled.
Solution: Modified Rest API to properly handle clients managed through Active Directory sync.
Clients connect to SEPM if hostname contains DBCS characters
Fix ID: ESCRT-1428
Symptoms: The client fails connect to SEPM after receiving a HTTP 412 error if the hostname contains DBCS.
Solution: Modified SEP client to allow it to properly connect to a SEPM with a hostname containing DBCS characters.
SEP agent not able to enroll with the cloud
Fix ID: ESCRT-1415
Symptoms: Client that had previously enrolled may not be able to re-enroll
Solution: Corrected setting of access token expiration timestamp in the SEP client.
CentOS 7.6 crashes when install SEP 14.2 RU1
Fix ID: ESCRT-1379
Symptoms: Auto Protect kernel modules must be built with CONFIG_TEPOINE supported GCC compiler or the kernel modules cannot load successfully.
Solution: Trigger autocompile of Auto Protect kernel modules for CentOS kernels.
URL in details of SEPM risk logs cannot be resolved
Fix ID: ESCRT-1373
Symptoms: Clicking the risk name URL in the Risk Logs resulted in an error page
Solution: Fixed risk information URL in reports.
Client counts not accurate in SEPM reports for limited admins
Fix ID: ESCRT-1347
Symptoms: Client counts are inaccurate in some reports if logged in as a limited admin.
Solution: Fixed filter query
Cannot view Connection Details within the SEP client Network Activity monitor
Fix ID: ESCRT-1342
Symptoms: When attempting to view connection details, the UI populates the screen with data before immediately returning to the application list.
Solution: Correct Connection Details screen so that it will remain in view after populating.
SEP client does not honor PreferredGroup parameter with sylink.xml
Fix ID: ESCRT-1336
Symptoms: When installing the client, the PreferredGroup parameter is not honored and the client does not appear in its intended group.
Solution: Changes in 14.2 modified the default reconnection preferences causing the client to return to its last-used group setting. Modified these to return to prior behavior.
Query failed error displayed in Symantec Security Response panel of SEPM home screen
Fix-ID: ESCRT-1270
Symptoms: Query failed error displayed in Symantec Security Response panel of SEPM home screen
Solution: Query fixed to display correctly.
SEP for Linux services are restarted prior to uninstall
Fix ID: ESCRT-1268
Symptoms: Services are restarted when attempting to uninstall the SEP for Linux client
Solution: Added a check for the status of services prior to uninstall to avoid issue.
FQDN for email server cannot contain numbers
Fix ID: ESCRT-997
Symptoms: When attempt to use an FQDN to specify an email server in SEPM, the FQDN fails validation if it contains numbers.
Solution: Correct validation logic to allow numbers as a part of FQDNs.
Cannot expand clients under Virus Definition Distribution in SEPM Daily Report
Fix ID: ESCRT-987
Symptoms: When running German-language SEPM, attempting to expand clients under Virus Definition Distribution fails.
Solution: Fixed queries used in the report.
SEPM Web console Linux client package export option exports wrong file types
Fix ID: ESCRT-912
Symptoms: Attempting to download DPKG package downloads RPM package.
Solution: Browser is caching small files. Added a nonce to downloaded package name to ensure the filename is unique.
SQL exception during ADSI task
Fix ID: ESCRT-909
Symptoms: A SQL exception occurs during ADSI task if computer description fields exceed 256 characters.
Solution: Modified AD sync routine to truncate computer description to 256 characters.
Attempting to copy/paste exception policy always copy Windows exception
Fix ID: ESCRT-864
Symptoms: Attempting to copy/past Mac or Linux exception policy fails as the Windows exception is always copied to the clipboard regardless of the platform selected.
Solution: Added platform info when copying items in Exception policy.
Sep clients do not cycle through the entire Management Server List after connection failures
Fix ID: ESCRT-759
Symptoms: When cycling through the MSL, the client will stop attempting connections if it attempts to connect to a SEPM for which it cannot verify the signature in index2.html
Solution: Modified behavior of client so it will continue to attempt connection to the next server in the MSL under these conditions.
In profile.xml locations show Reverse DNS = 0 when it should be set to 1
Fix ID: ESCRT-714
Symptoms: In profile.xml pusblished in data/outbox, some locations have the value Reverse DNS = 0 when it should be set to 1
Solution: Fixed the profile compilation of Reverse DNS in the Firewall policy.
SEP leaves a scheduled task "Symantec Cleanwipe" on machine after installing package that includes cleanwipe
Fix ID: ESCRT-707
Symptoms: After installing SEP with an install package which includes cleanwipe, cleanwipe is running as expected, the install package is installed correctly but a scheduled task named 'Symantec Cleanwipe' is left.
Solution:Cleaned up artifacts left by CleanWipe.
Unable to export computer status report
Fix ID: ESCRT-701
Symptoms: Unable to export computer status report
Solution: Refactored the query used in exporting Computer Status Logs.
Autoupgrade fails
Fix ID: ESCRT-692
Symptoms: Auto-upgrade to SEP 14.2.1015 version fails
Solution: Eliminate errant configuration information being written into client package.
Blank checkbox under site properties content type
Fix ID: ESCRT-671
Symptoms: An unlabeled checkbox is visible on the panel for LiveUpdate content type selection.
Solution: Corrected UI.
Contents of scheduled "Virus Definitions Distribution" report is not localized.
Fix ID: ESCRT-654
Symptoms: When using a non-English language SEPM, some content of the emailed scheduled Virus Definition Distribution report is in English.
Solution: Completed localization of the Virus Definition Distribution report.
Definition download log from GUP always reports "Throttle speed: 0.00 Kbps"
Fix ID: ESCRT-650
Symptoms: Definition download log from GUP always reports "Throttle speed: 0.00 Kbps"
Solution: Corrected report so that throttle speed is accurately reported.
Repeated loss of network connectivity when Firewall is enabled
Fix ID: ESCRT-584
Symptoms: Client loses network connectivity for approximately two minutes at regular intervals if firewall is enabled.
Solution: Limit application learning AppInfoList to a maximum of 500.
SEPM schedule report configured for “Past Month” always misses the first day of the month
Fix ID: ESCRT-578
Symptoms: In some circumstances, SEPM scheduled reports configured for “Past Month” do not include the first day of the month.
Solution: Correct report.
Location-based blocking policy for USB printers cannot effectively toggle blocking
Fix ID: ESCRT-541
Symptoms: USB printers remain blocked when returning for an external location where printing is blocked to an internal location where printing is permitted.
Solution: Correct evaluation of USB blocking rules.
Cloud console not syncing whitelist exceptions to SEP clients
Fix ID: ESCRT-499
Symptoms: After SEPM enrolled to Cloud, Console still publish the ADC scan type of directory exceptions defined as ALL scan type in on-prem Exception policy.
Solution: Changed the publish algorithm behavior after SEPM has enrolled to Cloud.
Computer Status report missing Install Type
Fix ID: ESCRT-400
Symptoms: Install Type is missing from exported Computer Status report
Solution: Fixed report to include install type.
SymElam policy changes not reflected on client
Fix ID: ESCRT-399
Symptoms: Configuring the SymElam policy on SEPM to “Log the detection…” is not reflected on the SEP client.
Solution: Correct handling of this setting in construction of policy.
SEPM reported blocked traffic despite no rules configured for SEP for Mac Firewall
Fix ID: ESCRT-375
Symptoms: If all rules are removed for the SEP for Mac Firewall, the SEPM with report traffic is being blocked even though it is not.
Solution: Correct SEPM UI messaging.
Manual scan fails
Fix ID: ESCRT-354
Symptoms: Manual scan fails with “Scan Failure: Not enough free disk space to perform a scan.”
Solution: Corrected a problem where manual scans failed with disk space error when the username contained Unicode characters that do not match the current system locale.
IP addresses not ordered correctly on Clients tab
Fix ID: ESCRT-349
Symptoms: Sorting of IPv4 address does not work correctly on the Clients tab.
Solution: Corrected sorting algorithm.
Find Computers not available in Remote Deployment Wizard
Fix ID: ESCRT-326
Symptoms: Navigating to Find Computers does not display the Find Computers dialog box.
Solution: Add null check while reading NetworkInterface from IP address.
Scan dialog of admin scheduled scan does not appear
Fix ID: ESCRT-322
Symptoms: When connecting to SEP client via RDP, the scan dialog for admin scheduled scans does not appear.
Solution: Fix UI so that scan dialog can be accessed during an RDP session.
Delays in processing Agent Behavior logs
Fix ID: ESCRT-318
Symptoms: Processing of Agent Behavior logs delayed due to blocked transactions on SQL Server
Solution: Fixed the table switching for log tables.
Information missing or incorrect when scheduling LiveUpdate from the command line
Fix ID: ESCRT-309
Symptoms: Missing information when the LiveUpdate is scheduled a certain way from the command line and then viewed from the command line.
Solution: Change logic to display status correctly.
SEPFL does not scan more than 100 files in a folder.
Fix ID: ESCRT-288
Symptoms: When user tries to scan a folder, which has more than 100 files, using path with wildcards like '*', instead of scanning all the files in the folder, it will scan only 100 files.
Solution: Changed logic to notify the user that maximum input limit is reached and remaining files won't be scanned.
Password not accepted for UI and uninstall
Fix ID: ESCRT-276
Symptoms: Password info is removed from ccSettings and registry causing the client to not accept any password for the UI and uninstall.
Solution: Corrected a timing issue where SEP password information was removed incorrectly.
Cannot update definitions after upgrading to SEP 14.2
Fix ID: ESCRT-247
Symptoms: ACLs for several folders do not include semsrv, semwebsrv, semapisrv. As a result, SEPM is unable to write content to disk.
Solution: Configure ACLs for related folders by PermissionDefinitions
SEP client installed on SEPM server has trouble connecting to the local SEPM
Fix ID: ESCRT-244
Symptoms: A connection error message in SEP client "Troubleshooting->Server Connection Status"
Solution: Fixed SEPM to allow connection from a SEP client installed on the local system
Notifications link opens incorrect report in SEPM 14 RU1 MP2
Fix ID: ESCRT-220
Symptoms: Incorrect type of notification mailed out.
Solution: Set notification type for "file reputation" in upgrade.
SEP for Linux 14.2 cannot update definitions from LUA.
Fix ID: ESCRT-136
Symptoms: SEP for Linux fail to download definitions for 14.2 because it is attempting to download the wrong file.
Solution: Fix SEP for Linux client so that it downloads the correct file from LUA.
SEP client fails to determine correct user during IPS detection
Fix ID: ESCRT-51
Symptoms: IPS detection always uses the user name from main session in Security log even when user logs on from a remote RDP session uses different user name.
Solution: Correct reporting to get the correct user name and domain name.

New in Symantec Endpoint Protection 14.2.4814.1101 (Aug 22, 2019)

New in Symantec Endpoint Protection 14.2.4811.1100 (Aug 6, 2019)

New in Symantec Endpoint Protection 14.2.4559.1100 (Jun 28, 2019)

New in Symantec Endpoint Protection 14.2.3335.1000 (May 22, 2019)

New in Symantec Endpoint Protection 14.2.3332.0100 (Apr 25, 2019)

New in Symantec Endpoint Protection 14.2.1031.0100 (Dec 5, 2018)

New in Symantec Endpoint Protection 14.2.1023.0100 (Oct 26, 2018)

New in Symantec Endpoint Protection 14.2.1015.0100 (Oct 5, 2018)

New in Symantec Endpoint Protection 12.1.6306.6100 (Feb 14, 2016)

New in Symantec Endpoint Protection 12.1.4013.4013 (Oct 31, 2013)

New in Symantec Endpoint Protection 12.1.3001.165 (Jul 24, 2013)

New in Symantec Endpoint Protection 12.1.2015.2015 (Nov 26, 2012)

Installation - The Client Deployment Wizard includes the following changes:
The Client Deployment Wizard includes the Communication Update Package Deployment option to push the communications file (Sylink.xml) to the client in a client installation package.
You use the Sylink.xml file to convert an unmanaged client to a managed client, or to manage a previously orphaned client. In previous releases, you needed to export the Sylink.xml file from the management server, and import Sylink.xml to each client.
The Client Deployment Wizard searches the network faster to find the computers that do not have the client software installed.
The Client Deployment Wizard includes the Automaticallyuninstallexistingsecuritysoftware option so that a security software removal feature can uninstall third-party security products from the client computer. The feature removes security software before the client installation package installs the client software. With version 12.1.2, the feature removes more than 40 additional third-party products.
You can download and run a new diagnostic tool on the management server and client to help you diagnose common issues before and after installation. The Symantec Help tool enables you to resolve product issues yourself instead of calling Support.
Remote Management:
Symantec Endpoint Protection provides public support to remotely manage and monitor the client and the management server.NewWebservices let you write your own tools to perform the following tasks remotely:
Run commands on the client to remediate threat situations.
Export policies from the server.
Apply policies to clients across servers.
Monitor license status and content status on the management server.
Documentation and other tools for remote monitoring and management support appear in the Web services SDK, located in the following folder on the installation disc: /Tools/Integration/SEPM_WebService_SDK
Windows 8 features:
Support for the Microsoft Windows 8 style user interface, including toast notifications for critical events.
Support for Windows 8 and Windows Server 2012.
Windows 8 Early Launch Anti-Malware (ELAM) support provides a Microsoft-supported way for anti-malware software to start before all other third-party components. In addition, vendors can now control the launching of third-party drivers, depending on trust levels. If a driver is not trusted, it can be removed from the boot sequence. ELAM support makes more efficient rootkit detection possible.
Protection features:
Virus and Spyware Protection:
Full support for the Microsoft Windows 8 style user interface.
Exceptions:
Added support for HTTPS in trusted Web domain exceptions.
Commonvariables in exceptions now apply to 64-bit applications as well as 32-bit applications.
LiveUpdate:
A link on the client Status page now lets end users quickly and easily confirm that the client has the most current content. The link displays the content version dialog box, where a new column lists the last time that the client checked each content type for updates. Users can be more confident that their client updates correctly and has the latest protection.
Virtualization:
Symantec Endpoint Protection includes the following virtualization improvements:
A VMware vShield-enabled Shared Insight Cache. Delivered in a Security Virtual Appliance, you can deploy the vShield-enabled Shared Insight Cache into a VMware infrastructure on each host. The vShield-enabled Shared Insight Cache makes file scanning more efficient. You can monitor the Security Virtual Appliance and client status in Symantec Endpoint Protection
Manager.
For managing Guest Virtual Machines (GVMs) in non-persistent virtual desktop infrastructures:
Symantec Endpoint Protection Manager includes a new option to configure the aging period for offline non-persistent GVMs. Symantec Endpoint Protection Manager removes the non-persistent GVM clients that have been offline longer than the specified time period.
Symantec Endpoint Protection clients now have a configuration setting to indicate that they are non-persistent GVMs. You can filter out the offline non-persistent GVMs in the Clients tab view in Symantec Endpoint Protection Manager.
Protection features:
Proactive Threat Protection:
Device Control now sends a notification and creates a log event each time it blocks a previously disabled device. Previously, Device Control sent a notification and log event only the first time the device was disabled.
System lockdown can now run in blacklist mode. You must configure system lockdown to display a blacklist mode as well as the default whitelist mode. The blacklist mode blocks only the applications on the specified list. Symantec Endpoint Protection Manager can automatically update the existing file fingerprint lists and application name lists that system lockdown uses for whitelisting or blacklisting.
Policies:
You can export all the policies, locations, and server settings for a domain. If you then import these policies and settings into a new domain, you do not need to recreate them.
LiveUpdate:
The LiveUpdate Settings policy includes an additional type of Group Update Provider (GUP) that allows clients to connect to Group Update Providers in a different subnet. This new type of GUP lets you explicitly define which networks each client may connect to. You can configure a single LiveUpdate policy to meet all your requirements.

New in Symantec Endpoint Protection 12.1.1101.401 (Nov 6, 2012)

New in Symantec Endpoint Protection 12.1.671.4971 (Jul 20, 2011)

Unrivaled security. Blazing performance. Built for Virtual Environments:
We've worked hard to further the unrivaled security and blazing performance for which Symantec Endpoint Protection is known. Built for virtual environments it has dramatically improved performance, and a new state-of-the-art protection system – Symantec Insight. Symantec Endpoint Protection 12.1 includes hundreds of new features for improved security, performance and management.
Symantec Insight:
Symantec Insight is the only system in the world that tracks the age, prevalence and security rating of nearly every program file on the internet. Because Insight knows what files are new or changed, Insight takes the most important advantage of cyber-criminals, their ability to generate millions of unique threats, and turns it against them.
Real Time SONAR 3: Replacing Symantec’s TruScan technology, this version of SONAR examines programs as they run, identifying and stopping malicious behavior even of new and previously unknown threats.
Browser Intrusion Prevention: Integrates into leading browsers to scan for attacks directed at browser vulnerabilities.
Antivirus for Mac and Linux
Faster central console: Optimized database to increase responsiveness.
Smart Scheduler: Stays out of your way by performing non-critical security tasks when your computer is idle.
Enhanced client deployment: Improved wizards and more deployment options will allow new installs and upgrades to be faster and easier than ever before.
Built for Virtual Environments: Enhanced to help protect your virtual infrastructure. Symantec Endpoint Protection can white list baseline images, maintain a shared scan cache, randomize scans and updates, scan offline images and automatically identify and manage virtual clients.
SEP Manager Integration with Symantec Workflow: Optimizes efficiency, enforces processes and policies, and automates redundant tasks by integrating the SEP Manager with Symantec Workflow.
Faster central console: Optimized database to increase responsiveness.
The Symantec Endpoint Recovery Tool and Power Eraser: The Symantec Endpoint Recovery Tool repairs severely infected PCs. The tool creates a self-booting CD or USB stick with Symantec's most powerful malware removal technology. The tool boots the computer into a specialized, virus free state so that malware can be safely removed.
Advanced Reporting and Analytics: Symantec Endpoint Protection now includes The Altiris IT Analytics Symantec Endpoint Protection Pack. ITA complements and expands upon the traditional reporting offered by Symantec Endpoint Protection by incorporating multi-dimensional analysis and robust graphical reporting in an easy to use dashboard.

New in Symantec Endpoint Protection 11.0.6300.803 (Apr 4, 2011)

Single Agent and Single Console:
Delivers a single agent for all Symantec Endpoint Protection technologies and Symantec Network Access Control. Delivers a single integrated interface for managing all Symantec Endpoint Protection technologies and Symantec Network Access Control. All allow for a single communication method and content delivery system across all technologies.
Provides operational efficiencies such as single software updates, single policy updates.
Provides unified and central reporting.
Provides unified licensing and maintenance.
Requires no change to the client when adding Symantec Network Access Control enforcement.
Multi-platform Support:
Symantec Endpoint Protection now protects Windows, Mac OS X and Linux endpoints.
Single Sign-on Web Console:
Efficiently manage your environment with a single sign-on web console that provides administrators full configuration management, report generation, and consolidated dashboard views across multiple Symantec protection technologies.
Manage Easily
Unified Management and Administration
Automatically remove existing solutions, install new clients, and report on them
Manage Windows and Mac clients from the same console
Proactive Threat Scanning:
Behavioral-based protection that protects against zero-day threats and threats not seen before. Unlike other heuristic-based technologies, TruScanTM Proactive Threat Scan scores both the good and bad behavior of unknown applications, providing a more accurate malware detection.
Accurately detects malware without the need to set up rule-based configurations.
Helps lower the number of false positives.
Advanced Rootkit Detection and Removal:
Provides superior rootkit detection and removal by integrating VxMS (Veritas Mapping Service—a Veritas technology), thereby providing access below the operating system to allow thorough analysis and repair.
Detects and removes the most difficult rootkits.
Saves time and money and productivity lossses associated with re-imaging infected machines.
Application Control:
Allows administrators to control access to specific processes, files, and folders by users and other applications. It provides application analysis, process control, file and registry access control, and module and DLL control. It enables administrators to restrict certain activities deemed as suspicious or high risk.
Prevents malware from spreading or harming endpoints.
Locks down endpoints to prevent data leakage.
Device Control:
Controls which peripherals can be connected to a machine and how the peripherals are used. It locks down an endpoints to prevent connections from thumb drives, CD burners, printers, and other USB devices.
Prevents sensitive and confidential data from being extracted or stolen from endpoints (data leakage).
Prevents endpoints from being infected by viruses spread from peripheral devices.
The Symantec Endpoint Recovery Tool:
The Symantec Endpoint Recovery Tool repairs severely infected PCs. The tool is a self-booting CD with Symantec's most powerful malware removal technology. The tool boots the computer into a specialized, virus free state so that malware can be safely removed.
Optimal Client and Server Performance:
Optimized client boot times and application load times enables comprehensive protection and better performance for all customer sizes and environments
Secure Virtual Environments:
Symantec Endpoint Protection 11.0.6 adds resource utilization leveling to ensure that simultaneous scans or updates won't impact the performance of virtual environments. Utilization leveling includes an option to randomize when scans and updates take place, preventing resource contention and leveling CPU resources. In addition, SEP's performance optimized scan engine includes IO aware Scan Tuning, and multithreading for optimal performance.
Advanced Reporting and Analytics:
Symantec Endpoint Protection now includes The Altiris IT Analytics Symantec Endpoint Protection Pack. ITA complements and expands upon the traditional reporting offered by Symantec Endpoint Protection by incorporating multi-dimensional analysis and robust graphical reporting in an easy to use dashboard.