Problem
This article documents the changes and fixes in each update to Symantec Endpoint Protection 11.0.x and Symantec Network Access Control 11.0.x.
Solution
As updates to Symantec Endpoint Protection are released, they are added as sections in this document. The sections are added in chronological order, with the most recent additions at the top.
Note: To download the latest release of Symantec Endpoint Protection, read the following document: Obtaining an upgrade or update for Symantec Endpoint Protection 11.x or Symantec Network Access Control 11.x.
This document should be read in conjunction with the appropriate Readme files:
Release Update 6 Maintenance Patch 3 (RU6 MP3)
What's new in this version
Symantec Endpoint Protection RU6 MP3 provides fixes since the release of RU6 MP2. This maintenance patch cannot be installed over any versions of Symantec Endpoint Protection or Symantec Endpoint Protection Manager prior to RU6. It must be installed over RU6, RU6a, RU6 MP1, or RU6 MP2.
Network file operations are slower when file system Auto-Protect is enabled
Fix ID: 1886713
Symptom: File I/O over the network is slower when file system Auto-Protect is enabled.
Solution: Auto-Protect was optimized to perform better on network operations when exclusions are used.
File and share access is slower when connecting to Windows 2008 servers
Fix ID: 1939686
Symptom: Network access time is slower between Windows XP clients and Windows 2008 servers when accessing shares.
Solution: Auto-Protect was optimized to perform better on network operations when exclusions are used.
File system Auto-Protect network scanning consumes excess network bandwidth
Fix ID: 2140818
Symptom: Network scanning by file system Auto-Protect consumes excess bandwidth.
Solution: Auto-Protect was optimized to perform better on network operations when exclusions are used.
Domain controller or router is detected by Symantec Endpoint Protection as MAC spoofing
Fix ID: 2049673
Symptom: The first time a computer running Symantec Endpoint Protection is connected to a wired network, Symantec Endpoint Protection detects the domain controller or router as MAC spoofing. The following messages may appear in the Symantec Endpoint Protection log: "Active Response Major: Traffic from IP address <address> is blocked from <start time> to <end time>." or "Active Response Disengaged: Active Response that started at <start time> is disengaged. The traffic from IP address <address> was blocked for 600 second(s)."
Solution: The MAC spoofing detection will only alert after the second ARP response is detected.
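A triage check for this symptom, as an added example that is not Symantec code: it scans exported client log lines for the two Active Response messages quoted above and reports blocks whose address belongs to known infrastructure (domain controller, router). The IP addresses, timestamps and infrastructure list are constructed; the page does not give the timestamp format, so it is captured as an opaque string.

```python
import re
from collections import defaultdict

# Patterns follow the two message texts quoted in the symptom above.
# Timestamps are matched as opaque text because their format is not documented here.
BLOCKED = re.compile(
    r"Active Response Major: Traffic from IP address (?P<ip>\S+) "
    r"is blocked from (?P<start>.+?) to (?P<end>.+?)\.\s*$")
DISENGAGED = re.compile(
    r"Active Response Disengaged: Active Response that started at (?P<start>.+?) "
    r"is disengaged\. The traffic from IP address (?P<ip>\S+) "
    r"was blocked for (?P<secs>\d+) second\(s\)\.\s*$")


def find_infrastructure_blocks(lines, infrastructure_ips):
    """Return {ip: {"blocks": n, "blocked_seconds": total}} for Active Response
    entries whose blocked address is a known domain controller or router."""
    hits = defaultdict(lambda: {"blocks": 0, "blocked_seconds": 0})
    for line in lines:
        m = BLOCKED.search(line)
        if m:
            if m.group("ip") in infrastructure_ips:
                hits[m.group("ip")]["blocks"] += 1
            continue
        m = DISENGAGED.search(line)
        if m and m.group("ip") in infrastructure_ips:
            hits[m.group("ip")]["blocked_seconds"] += int(m.group("secs"))
    return dict(hits)


# Constructed sample log lines (addresses and timestamps are illustrative).
SAMPLE_LOG = [
    "Active Response Major: Traffic from IP address 10.0.0.1 is blocked "
    "from 10/12/2010 09:15:02 to 10/12/2010 09:25:02.",
    "Active Response Disengaged: Active Response that started at "
    "10/12/2010 09:15:02 is disengaged. The traffic from IP address "
    "10.0.0.1 was blocked for 600 second(s).",
    "Active Response Major: Traffic from IP address 10.0.0.77 is blocked "
    "from 10/12/2010 11:02:40 to 10/12/2010 11:12:40.",
    "Unrelated log line",
]
# Assumed inventory of domain controller and router addresses for the site.
INFRASTRUCTURE = {"10.0.0.1", "10.0.0.10"}

if __name__ == "__main__":
    for ip, stats in find_infrastructure_blocks(SAMPLE_LOG, INFRASTRUCTURE).items():
        print(f"{ip}: {stats['blocks']} block(s), {stats['blocked_seconds']} s blocked")
```

Clients that report blocks against infrastructure addresses are candidates for this fix; blocks against other addresses (10.0.0.77 in the sample) are left for normal investigation.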
Microsoft Excel files open slowly from Microsoft Outlook when third-party Outlook add-ons are installed
Fix ID: 2070109
Symptom: Microsoft Excel files are slow to open from Microsoft Outlook when certain third-party Outlook add-ons are installed.
Solution: Auto-Protect was optimized to reduce certain file name normalization and file size query operations.
File copying dialog hangs when copying between Windows 7 and Windows 2008 computers
Fix ID: 2102159
Symptom: With Server Message Block Volume 2 (SMB2) enabled, file copies between Windows 7 and Windows 2008 may hang. The file copy dialog may never complete.
Solution: The Teefer2 driver was optimized to avoid a FIFO queue bottleneck when processing SMB2 packets.
Symantec NetBackup communications lost when Symantec Endpoint Protection is installed
Fix ID: 2114674
Symptom: Network communications are lost when a client running Symantec Endpoint Protection is connected to a NetBackup media server, and the server is under high load (e.g. multiple jobs running).
Solution: The Teefer2 driver was optimized to avoid a FIFO queue bottleneck when processing SMB2 packets.
Client connection to the server fails when proxy servers are configured
Fix ID: 2125088
Symptom: The Symantec Endpoint Protection client is unable to establish communication with the server when a proxy is used. The client logs may contain the messages "Unable to create Session with 'User Proxy' settings - Proxy Server: Error Code: 87" or "Unable to create Session with 'No Proxies' settings - Error Code: 87".
Solution: Symantec Endpoint Protection was not getting a proper INET session handle when a proxy is used due to a change in the Microsoft API call InternetOpen(). Symantec Endpoint Protection was modified to use INTERNET_OPEN_TYPE_DIRECT instead of INTERNET_OPEN_TYPE_PROXY.
System Lockdown fails when access to registry is hardened
Fix ID: 2132838
Symptom: System Lockdown is not working as expected. The Symantec Endpoint Protection logs contain the messages "Sysfer exception 1032 C:\WINDOWS\system32\svchost.exe" or "Sysfer exception 260 C:\WINDOWS\system32\lsass.exe ".
Solution: Lack of privilege to read certain registry values was causing an exception in Sysfer. Symantec Endpoint Protection was modified to correct the exception.
SMC.exe process consumes excessive virtual memory
Fix ID: 2137535
Symptom: A Symantec Endpoint Protection client acting as a GUP may leak virtual memory.
Solution: Symantec Endpoint Protection was modified to properly clean up an object that was not being destroyed when the client is a GUP.
Applications launch slowly over network shares
Fix ID: 2141780
Symptom: Applications running on a Windows 2008 server running Symantec Endpoint Protection are slow to load when file system Auto-Protect is enabled on the server and files on the server are encrypted.
Solution: When files on the server are encrypted, file system Auto-Protect generates an extra create call to LSASS to get the encryption key. This results in degraded performance as well as a situation in which Symantec Endpoint Protection's access to the file is denied.
An option has been added to allow Symantec Endpoint Protection to skip these scans, resulting in increased performance but decreased security. When the scans are skipped, a machine not running Symantec Endpoint Protection will be able to copy a threat to the server. The threat will be detected by the server if it is accessed by any server application, by another client running Symantec Endpoint Protection, or by a manual scan on the server.
Customers may obtain the tool via Symantec Technical Support.
An alternative to the tool is to exclude encrypted files and folders using file system Auto-Protect exclusions.
GUP does not respond immediately to client requests when policy contains GUPs in different subnet
Fix ID: 2143552
Symptom: Clients do not immediately contact the nearest GUP when a policy containing a GUP in a different subnet is applied. The client does not download from the GUP until the threshold set by "Maximum time that clients try to download updates from a GUP before Symantec Endpoint Protection Manager" has passed.
Solution: The GUP is now considered ready for connections if the GUPLIST that includes the static GUP is not empty.
SmcGui.exe is unstable when the A.V.A. game is running
Fix ID: 2149778
Symptom: SmcGui.exe process crashes when the A.V.A. game is executed.
Solution: The Microsoft API call GetDC() returns a NULL pointer when the A.V.A. game is running. Symantec Endpoint Protection was modified to check for this condition.
SMC.exe is unstable when processing improper UDP packets
Fix ID: 2158106
Symptom: After upgrading to Symantec Endpoint Protection 11.0 RU6 or RU6 MP1, the SMC.exe process terminates unexpectedly.
Solution: Improper UDP packets were causing an unhandled exception in SMC. SMC was modified to validate UDP packets correctly before processing them.
Error when navigating on French language Symantec Endpoint Protection Manager Client tab
Fix ID: 2161962
Symptom: On the French localized Symantec Endpoint Protection Manager, on the client tab of a group with a large number of clients, clicking the ">|" button to see the last page gives an error: Echec de laffichage des donnees de la page {0.EN_US}. Motif : chaine dentree : " 1 de 41".
Solution: An inconsistency in client UI pages was resolved to solve this issue.
LSASS.exe process usage spikes when files are accessed on a Windows Server 2003 system
Fix ID: 2166510
Symptom: LSASS.exe CPU usage spikes when files are accessed on a Windows Server 2003 system.
Solution: When files on the server are encrypted, file system Auto-Protect generates an extra create call to LSASS to get the encryption key. This results in degraded performance as well as a situation in which Symantec Endpoint Protection's access to the file is denied.
An option has been added to allow Symantec Endpoint Protection to skip these scans, resulting in increased performance but decreased security. When the scans are skipped, a machine not running Symantec Endpoint Protection will be able to copy a threat to the server. The threat will be detected by the server if it is accessed by any server application, by another client running Symantec Endpoint Protection, or by a manual scan on the server.
Customers may obtain the tool via Symantec Technical Support.
An alternative to the tool is to exclude encrypted files and folders using file system Auto-Protect exclusions.
Windows Firewall status changes incorrectly if Network Threat Protection is not installed
Fix ID: 2168437
Symptom: Symantec Endpoint Protection is installed without Network Threat Protection (NTP). When switching locations to one which enables NTP, Windows Firewall is disabled.
Solution: Symantec Endpoint Protection was modified to check the profile for NTP installation state before enabling or disabling Windows Firewall.
Symantec Endpoint Protection client requests full.zip antivirus content instead of a delta
Fix ID: 2176922
Symptom: A newly installed Symantec Endpoint Protection client will download the full.zip antivirus content from the server when it should download a delta instead.
Solution: Symantec Endpoint Protection was modified to prevent a condition where a newer version of the usage.dat file could be overwritten by stale data.
Virus definition sequence number is reported inaccurately in the database
Fix ID: 2187364
Symptom: Virus definition sequence number is not accurately reported in the database.
Solution: Symantec Endpoint Protection was incorrectly setting the definition sequence number to 0 even if the definitions were in use. This value was propagated to the Symantec Endpoint Protection Manager database. Symantec Endpoint Protection was modified to check if the virus definitions are in use before setting the value to 0.
Symantec Endpoint Protection client location awareness changes location incorrectly
Fix ID: 2189866
Symptom: A Symantec Endpoint Protection client with location awareness enabled changes locations incorrectly.
Solution: If the TTL (time-to-live) on DNS responses is very short, Symantec Endpoint Protection may incorrectly detect a new location change. Symantec Endpoint Protection was modified to handle very short TTL on DNS responses.
GUPs request incorrect delta package from server
Fix ID: 2202771
Symptom: One client comes online after being off-line for some time. The client requests a delta from its GUP covering the off-line time span. All other GUPs on the same subnet incorrectly request the same delta from the server.
Solution: Microsoft changed the default receive timeout in Internet Explorer 7 from 3600 seconds to 30 seconds. This may cause client connections to be cancelled before the GUP can finish downloading the content from Symantec Endpoint Protection Manager. This results in the client switching to the next GUP. Symantec Endpoint Protection was modified to properly apply the correct timeout to the connection handle.
Network connections to an application server are disconnected
Fix ID: 2214576
Symptom: Clients running an application from an application server disconnect after upgrading to Symantec Endpoint Protection 11.0 RU5.
Solution: The Teefer2 driver was optimized to avoid a FIFO queue bottleneck when processing SMB2 packets.
Symcorpui.exe is unstable when running a manual scan on Windows 7 64-bit
Fix ID: 2229978
Symptom: Symcorpui.exe terminates unexpectedly when running a manual scan on Windows 7 64-bit.
Solution: Symantec Endpoint Protection did not have adequate rights to a registry key, resulting in an unhandled exception in Symcorpui.exe. Symantec Endpoint Protection was modified to prevent this crash.
Performance of file save operations to a network server degrades over time
Fix ID: 2239945
Symptom: Business applications that save to a network server eventually become very slow, then hang. When the slowdown or hang occurs, end users can temporarily remediate by stopping and starting the smc.exe process.
Solution: Auto-Protect was optimized to reduce certain file name normalization and file size query operations.
White-listing of Network Access Control clients does not work correctly
Fix ID: 2240825
Symptom: A device that should be white-listed is getting a quarantine configuration.
Solution: DHCP Enforcer was incorrectly comparing profile serial numbers in some environments. The Enforcer was modified to prevent this issue.
SmcGui.exe is unstable after using the command "smc -stop"
Fix ID: 2243925
Symptom: SmcGui.exe crashes after using the command "smc -stop".
Solution: Symantec Endpoint Protection was modified to use a different method for new thread creation to prevent the crash.