Known issues and workarounds for Symantec Endpoint Protection (SEP)

The items in this section apply to this release of Symantec Endpoint Protection.
The Issue column displays the version number in which the issue first appears. For example, [14.3 RU1] means that the issue applies to version 14.3 RU1 and later. When these issues are fixed, they appear in the fix-it notes. See:

Upgrade issues

Known upgrade issues
Issue
Description and solution
The following error message appears: "Symantec Endpoint Protection version 14.3 RU2 for Win64bit is the latest package. You cannot delete it." [14.3 RU2]
You cannot delete the Client Install Package when packages from multiple builds appear in the Symantec Endpoint Protection Manager. As of 14.3 RU2, LiveUpdate can download multiple client installation packages with a different build number, which appear in the Admin page > Install Packages > Client Install Package table. [SEP-72531]
AutoUpgrade fails if you use the 14.3 RU2 "Upgrade to English if currently installed language is unsupported" option to upgrade clients with an unsupported language to English. [14.3 RU2]
This issue occurs for clients that you manually upgraded from a supported to an unsupported language in 14.3 RU1 MP1 and earlier, such as upgrading a Czech client to a Japanese client on a Japanese operating system, and then upgraded from the unsupported language to English in 14.3 RU2 by using the "Upgrade to English if currently installed language is unsupported" option. [SEP-72490]
This issue occurs because the client language uses the language of the supported operating system (in this case, Japanese). AutoUpgrade expects to use the supported language and not English.
To work around this issue, try the AutoUpgrade again and turn off the "Upgrade to English if currently installed language is unsupported" option.
When exporting a client installation package from a 14.3 RU2 Symantec Endpoint Protection Manager (SEPM), the following warning message appears: "The client installation package does not have content." [14.3 RU2]
This issue occurs when communication between the Symantec Endpoint Protection Manager and the console being used to export the package is disrupted. See:
An error appears when importing the most recent client installation packages into an older version of Symantec Endpoint Protection Manager. [14.3 RU2]
Symantec Endpoint Protection 14.3 RU2 clients cannot be managed by a 14.3 RU1 MP1 or earlier Symantec Endpoint Protection Manager. [SEP-72292]
After upgrading a Symantec Endpoint Protection Manager to 14.3 RU2, php-cgi.exe crashes with an error in the event viewer [14.3 RU2]
This issue occurs with the 17.4.1.1 version of the Microsoft ODBC Driver for SQL Server. [SEP-70385]
To work around this issue, download and install the 17.7.2 version of the Microsoft ODBC Driver for SQL Server on Windows:
For more information, see:
After upgrading to Symantec Endpoint Protection Manager 14.3 RU2, "The client computer has been renamed" notifications may appear [14.3 RU2]
After upgrading from an older version of Symantec Endpoint Protection Manager to 14.3 RU2, administrators may start receiving "The client computer has been renamed" notifications. This issue is applicable only to Mac clients. See:
A Symantec Endpoint Protection Manager in a dark network downloads old Client Intrusion Detection System (CIDS) content to new clients because LiveUpdate does not run during an upgrade [14.3 RU1]
When a 14.3 RU1 Symantec Endpoint Protection Manager cannot access either the Internet or a LiveUpdate Administrator (LUA) server, it keeps old, incompatible content in its cache. This old content is normally delivered to the new clients. To update the content in the management server's cache, you manually download certified virus definitions and CIDS .jdb files. [SEP-69125]
To make sure that the new clients do not get old content, manually install a CIDS .jdb file on SEPM before you install new clients or upgrade old clients. See:
Cannot log on to Symantec Endpoint Protection Manager (SEPM) when the network interface card is disabled [14.3 RU1]
After you install Symantec Endpoint Protection Manager, you may be unable to log on to the console, and the following error message appears:
Unexpected server error
This issue may occur if the computer's network interface card was disabled when you installed the SEPM, which keeps the server certificate from being generated. [SEP-67040]
To find out if SEPM was installed with a disabled network interface card, look at the server certificate. See:
When you uninstall SEPM and use the option to remove the default database and leave the SQL Server Express instance, the following error appears: "An error occurred while trying to connect to the database server" [14.3 RU1]
If you uninstall the Symantec Endpoint Protection Manager and select the "Remove only the DB and leave the SQL Server Express instance installed with SEPM" option, you may see the following error: "An error occurred while trying to connect to the database server." This issue occurs after you add the credentials for the default user DBA and may be related to user privileges. [SEP-68670]
To work around this issue, perform the uninstallation by running the SEPM setup.exe file and clicking the "Remove only the DB and leave the SQL Server Express instance installed with SEPM" option during uninstallation.
A SQL Server upgrade from version 2017 to version 2019 fails with FIPS mode enabled [14.3]
You may see the error: "The following error has occurred. An error occurred while installing extensibility feature with error message: AppContainer Creation Failed with error message NONE, state. This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms." This occurs if you have a FIPS-enabled Symantec Endpoint Protection Manager 14.3 and you upgrade from the Microsoft SQL Server 2017 to 2019. [SEP-61473]
To work around this issue, disable FIPS at the operating system level:
  1. In C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools, click Local Security Policy > Local Policies > Security Options, and disable "System cryptography: Use FIPS compliant algorithms for encryption, hashing and signing".
  2. Upgrade from SQL Server version 2017 to version 2019.
  3. After SQL Server upgrades successfully, re-enable FIPS.
For more information, see:
Custom names may prevent the firewall policy from updating during an upgrade to 14.2 or later
For an upgrade to Symantec Endpoint Protection 14.2 or later, firewall policies cannot incorporate the changes for IPv6 if you changed some default names. The default names include the names of default policies and default rule names. If the rules cannot be updated during the upgrade, the IPv6 options do not appear. Any new policies or rules that you create after the upgrade are not affected.
If possible, revert any changed names back to the default. Otherwise, ensure that any custom rules that you added to a default policy do not block IPv6 communication in any way. Ensure the same for any new policies or rules that you add.

Symantec Endpoint Protection Manager issues

Known Symantec Endpoint Protection Manager issues
Issue
Description and solution
Endpoint Protection (SEP) 14.2 RU1 MP1 and earlier clients do not honor the Upgrade Schedule settings in a Client Upgrade Policy [14.3 RU3]
Some EDR events do not appear on the client [14.3 RU1]
The Symantec Endpoint Protection client must run Windows 10 build 14393 or later to collect Symantec EDR Event Tracing for Windows (ETW) events. [SEP-67175]
The Network Traffic Redirection (Web and Cloud Access Protection) feature has some limitations [14.3 RU1]
  • The Symantec Web Security Service is delivered on IPv4 and not IPv6. [SEP-68700]
  • The tunnel redirection method:
    • Runs on Windows 10 x64 version 1703 and later (Semi-Annual Servicing Channel) only. This method does not support any other Windows operating systems or the Mac client. [SEP-67927]
    • Does not support HVCI-enabled Windows 10 64-bit devices. [SEP-67648]
    • Redirects outbound traffic from the Symantec Endpoint Protection client to the WSS before it gets evaluated by either the client's firewall or the URL reputation rules. Instead, that traffic is evaluated against the WSS firewall and the URL rules. For example, if a SEP client firewall rule blocks google.com and a WSS rule allows google.com, the client allows users to access google.com. Inbound local traffic to the client is still processed by the Symantec Endpoint Protection firewall. [SEP-67488]
    • The WSS Captive Portal is not available for the tunnel method, and the client ignores the challenge credentials. In a future release, SAML authentication in the WSS agent will replace the Captive Portal, and will be available in the Symantec Endpoint Protection client.
    • If a client computer connects to the WSS using the tunnel method and hosts virtual machines, each guest user needs to install the SSL certificate provided in the WSS portal.
    • Traffic for the local network, such as your home directory or Active Directory authentication, is not redirected.
    • Is not compatible with the Microsoft DirectAccess VPN.
The tunnel method is currently considered an early adopter release feature.
Duplicate client enrollment entries after the upgrade from 14.2.x to 14.3 MP1 and later [14.3 RU1]
Upgrading the Symantec Endpoint Protection clients from 14.2.x to 14.3 MP1 and later creates duplicate agent enrollment entries for these clients on the Clients page in Symantec Endpoint Protection Manager.
There is no functional impact and you can continue working with the new entries for 14.3 RU1 clients. Symantec Endpoint Protection Manager will remove older agent entries.
Allow URLs in Symantec Endpoint Security if you use the hybrid management option, proxy servers or a perimeter firewall [14.3]
With Broadcom’s acquisition of Symantec Enterprise Security, the URLs for client-to-cloud communication changed in 14.2.2.1. [CDM-42467]
You must upgrade your clients to build 14.2.5569.2100 or later in the following situations:
  • You use Symantec Endpoint Security to manage your clients and policies when your on-premises Symantec Endpoint Protection Manager domains are enrolled in the cloud console.
  • You use proxy servers.
For either fully cloud-managed or hybrid-managed agents, allow the URLs in your proxy server and/or perimeter firewall. See:
The Symantec Endpoint Protection Manager remote console no longer supports the 32-bit Windows platform [14.3]
In 14.3 and later, you cannot log on to the Symantec Endpoint Protection Manager remote console if you run a 32-bit version of Windows. The Oracle Java SE Runtime Environment no longer supports 32-bit versions of Microsoft Windows. [SEP-61106]
If you see the following message, log on to Symantec Endpoint Protection Manager locally:
"This version of C:\Users\Administrator\Downloads\Symantec Endpoint Protection Manager Console\bin\javaw.exe is not compatible with the version of Windows you're running. Check your computer's system information and then contact the software publisher."
"Failed to install Microsoft Visual C++ Runtime" error appears while you install Symantec Endpoint Protection Manager [14.3]
You may see the following error while installing the Symantec Endpoint Protection Manager on Windows 2012 R2: “Failed to install Microsoft Visual C++ Runtime” [SEP-60396]
To work around this issue, activate Windows and install the Windows updates. The Windows update installs the Visual C++ 2017 redistributable, which is a prerequisite for the Symantec Endpoint Protection Manager 14.3 installation on Windows 2012 R2.
Update to enable TLS 1.1 and TLS 1.2 as default secure protocols in WinHTTP in Windows [14.3]
After you upgrade to or install a Symantec Endpoint Protection Manager version 14.3 that is enrolled in the cloud console, the management server no longer uploads logs successfully to the cloud. In the uploader.log you may see the following error:
<SEVERE> WinHttpSendRequest: 12175: A security error occurred
This issue is caused by a missing Microsoft update that provides support for TLS 1.1 and 1.2.
To solve the issue, install Microsoft update: KB3140245. For more information, see:
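A read-only check for this condition, as an added example (not Symantec's or Microsoft's code): it reports whether KB3140245 is listed, decodes the WinHTTP DefaultSecureProtocols registry value, and searches a log for the 12175 error. The registry path and flag values are taken from Microsoft's KB3140245 documentation rather than from this page, and the log path is a placeholder.

```powershell
# Added example: read-only audit of WinHTTP TLS defaults on a SEPM host.
# Flag values for the DefaultSecureProtocols DWORD, as documented with KB3140245.
$ProtocolFlags = [ordered]@{
    'SSL 2.0' = 0x00000008
    'SSL 3.0' = 0x00000020
    'TLS 1.0' = 0x00000080
    'TLS 1.1' = 0x00000200
    'TLS 1.2' = 0x00000800
}

function ConvertFrom-DefaultSecureProtocols {
    # Decode the DWORD bitmask into the protocol names it enables.
    param([Parameter(Mandatory)][int]$Value)
    foreach ($entry in $ProtocolFlags.GetEnumerator()) {
        if (($Value -band $entry.Value) -ne 0) { $entry.Key }
    }
}

function Get-WinHttpTlsDefaults {
    # 64-bit and 32-bit processes read different registry views, so check both.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
    )
    foreach ($key in $keys) {
        $prop = Get-ItemProperty -Path $key -Name 'DefaultSecureProtocols' -ErrorAction SilentlyContinue
        if ($null -eq $prop) {
            # Value absent: WinHTTP falls back to the operating system default.
            [pscustomobject]@{ Key = $key; Value = 'not set'; Protocols = @() }
        } else {
            $raw = [int]$prop.DefaultSecureProtocols
            [pscustomobject]@{
                Key       = $key
                Value     = '0x{0:X8}' -f $raw
                Protocols = @(ConvertFrom-DefaultSecureProtocols -Value $raw)
            }
        }
    }
}

function Find-WinHttpSecurityError {
    # Return the log lines that carry the WinHTTP 12175 failure quoted above.
    param([Parameter(Mandatory)][string]$Path)
    Select-String -Path $Path -SimpleMatch 'WinHttpSendRequest: 12175' |
        ForEach-Object { $_.Line }
}

# Is the update that the page names listed on this host?
$hotfix = Get-HotFix -Id 'KB3140245' -ErrorAction SilentlyContinue
'KB3140245 listed: {0}' -f [bool]$hotfix

Get-WinHttpTlsDefaults | Format-List

# Constructed sample value: 0x00000A00 decodes to TLS 1.1 and TLS 1.2 only.
ConvertFrom-DefaultSecureProtocols -Value 0x00000A00

# Hypothetical path: point this at the uploader.log of your own SEPM installation.
# Find-WinHttpSecurityError -Path 'C:\path\to\uploader.log'
```

On the Windows versions that KB3140245 targets, the update adds support for the DefaultSecureProtocols value; TLS 1.1 and 1.2 become WinHTTP defaults only once that value is set, so a host that lists the update but shows "not set" may still log the 12175 error.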
"Deployment in progress" still appears in Symantec Endpoint Protection Manager after the client receives an updated policy for Endpoint Threat Defense for AD [14.2 RU1 MP1 and later]
This behavior is expected. Endpoint Threat Defense for AD 3.3 policies are only supported on the client as of version 14.2 RU1 MP1.
You apply a policy for Symantec Endpoint Threat Defense for Active Directory 3.3 to a group. This group contains some clients that run Symantec Endpoint Protection 14.2 RU1 or earlier. These clients receive and apply the policy as expected, but the status in Symantec Endpoint Protection Manager continues to show the message Deployment in progress.

Windows, Mac, and Linux client issues

Known Windows, Mac, and Linux client issues
Issue
Description and solution
Unexpected server error when logging into Endpoint Protection Manager and clients are no longer communicating after a system time change [14.3 RU3]
If you set the system clock back to a previous date and/or time, the following errors may occur:
  • After you log on to the Symantec Endpoint Protection Manager, an Unexpected Server Error appears.
  • The clients do not communicate with SEPM, which reports a 503 error. [SEP-74510]
To work around this issue:
  • Manually restart the SEPM services.
  • Wait until the date/time on the system passes the original time on the system before you set it back.
Endpoint Protection 14.3 RU3 Web and Cloud Access Protection log reports Windows 10 Operating System on Windows 11 [14.3 RU3]
When the client user views the SEP client Web and Cloud Access Protection log, the log shows the operating system as Windows 10 when the client is installed on a Windows 11 device. (On the client console, click Web and Cloud Access Protection > Options > View Logs.)
Microsoft Edge browser and the Google Chrome browser are not able to launch after the "Validate image dependency integrity" mitigation technique is applied to the Windows 10 or 11 operating system. [14.3 RU3]
One of the mitigation techniques that Microsoft Edge uses to protect the Windows operating system is the "Validate image dependency integrity" technique. For Windows 10 or 11 computers that run the Symantec Endpoint Protection clients versions 14.2 RU2 MP1 or later, if this option is enabled, both Microsoft Edge and the Google Chrome web browsers do not launch. [SEP-75086]
To ensure that Microsoft Edge launches, disable the "Validate image dependency integrity" technique. For more information on mitigation techniques for Microsoft Edge, see: Customize exploit protection
You must restart the rebootless Windows client to obtain latest EDR events [14.3 RU3]
To make additional ETW events available in 14.3 RU3, you must restart the Symantec Endpoint Protection client. You must restart the client in the following situations: [SEP-73327]
  • If EDR is enabled and you update the client to RU3.
  • If 14.3 RU3 is already installed and you enable or disable EDR. You must restart the client to enable or disable the newly added events.
Scan Engine fails to initialize after the Linux client upgrade. [14.3 RU3]
Scan Engine fails to initialize after upgrading Symantec Endpoint Protection client for Linux to version 14.3 RU3.
Workaround:
  1. Update the LiveUpdate Server with the latest content that includes SEF 1.7.6.
  2. Uninstall Linux client 14.3 RU3 that is exhibiting the "Scan Engine initialization failure" error.
  3. Reinstall Linux client 14.3 RU3.
The auditd daemon is enabled after the Linux client installation. [14.3 RU3]
The Symantec Endpoint Protection client for Linux installer enables the auditd daemon after the agent installation even if the auditd daemon was disabled before the installation.
To collect network forensic information (EDR), the netstat package is required on the Linux client. [14.3 RU3]
If the netstat package is missing on the Linux client, the forensic information is collected for all other types of events except for network events.
Possible connection issues on Mac devices. [14.3 RU2]
  • After upgrading the Mac agent using AutoUpgrade and restarting the device, the agent might fail to connect to the network.
    Workaround: Rerun the agent installation package.
  • After being in standby mode, a Mac device might lose its network connection with the following error: "Your connection was interrupted. A network change was detected."
    Workarounds:
    • If you use a docking station, renew the IP addresses manually at System Preferences > Network.
    • Unplug the docking station from your Mac device for a few seconds and then plug it in again.
Rosetta may block the Mac agent installation on Apple Silicon (M1) devices with the following error: "This version of Symantec Agent for Mac is not supported on Apple M1 chip." [14.3 RU2]
For more information, see:
Downloading and installing Mac agent using the Web link that was generated in Symantec Endpoint Protection Manager may fail. [14.3 RU2]
If an admin invites users to install the Mac agent 14.3 RU2 using the Web Link and Email option in Symantec Endpoint Protection Manager and the users download the package using this link in the Safari browser, the installation of the Mac agent may fail with the following error:
"The application Symantec Endpoint Protection Installer can't be opened"
Workarounds:
  • After downloading the file, go to the Downloads folder, execute the following command, and then run the installation again:
    chmod +x ./Symantec\ Endpoint\ Protection/Symantec\ Endpoint\ Protection\ Installer.app/Contents/MacOS/Symantec\ Endpoint\ Protection\ Installer
  • Open Safari browser's Preferences and on the General tab, uncheck the option Open "safe" files after downloading. Then download the installer package, and run the installation.
If you automatically upgrade a client with an unsupported language to English, the client continues to display the date settings for definitions in English [14.3 RU1 and later]
To work around this issue, uninstall the legacy client and manually install a new English client installation package. In addition, a fix is expected for clients that are upgraded automatically. [SEP-72481]
The standalone Symantec WSS Agent blocks the Symantec Endpoint Protection client installation if you install SEP on the same computer as the WSS Agent
The Network Traffic Redirection (NTR) component uses the same files as the standalone Symantec WSS Agent (WSSA). NTR is installed by default in both Symantec Endpoint Protection and the Symantec Endpoint Security cloud console. If the NTR feature is installed on an endpoint, WSSA cannot be installed. Similarly, if WSSA is installed, the NTR feature does not install.
You can remove the Network Traffic Redirection feature from existing endpoints without having to uninstall the whole client by using one of the following methods:
  • In Symantec Endpoint Protection Manager, create a Client Install Feature Set that does not include NTR and apply it to the endpoints. See:
  • The following command line option uses the client installation file to remove NTR:
    setup.exe /s /v" REMOVE=NTR /qn"
Upgrade installation package that is used for clean installation installs default feature set. [14.3 RU1 MP1 and earlier]
If you create an upgrade installation package with the "Maintain existing client features when updating" option checked, and use this package to do a clean installation, the default feature set will be installed on your client device.
If you want to install a custom feature set, you must create a separate installation package for the clean installation.
Unsupported upgrade path creates duplicate devices in cloud console. [14.3 RU1]
Upgrading macOS from 10.15 to 11.0 before upgrading the Symantec Agent for Mac from 14.2/14.3 to 14.3 RU1 creates duplicate devices in the cloud console.
To avoid duplicates, you must upgrade the client before upgrading the operating system (that is, upgrade the Symantec Agent for Mac from 14.2/14.3 to 14.3 RU1 and then upgrade macOS from 10.15 to 11.0).
Incorrect messages in the Symantec Agent for Linux installer log. [14.3 RU1]
In some cases, the agent installer logs incorrect messages related to a non-matching driver version or a required reboot.
These messages do not affect the functionality of the agent.
On a SUSE Linux device, zypper removes the SEP Linux client packages while removing the 'at' package. [14.3 RU1]
On a SUSE Linux device, the command 'zypper remove at' removes the SEP Linux client packages. The 'at' package is added as a required dependent package, and the zypper commands automatically attempt to remove the SEP client packages 'sdcss-kmod' and 'sdcss-sepagent' as packages with unused dependencies.
Workaround: To remove the 'at' package, run the following command: rpm -e --nodeps at
Upgrade issue on macOS 10.15 and later [14.3 MP1]
On macOS 10.15 and later, the "Install Symantec Endpoint Protection to Remote Computers" feature in the Client Deployment Wizard fails to upgrade the Symantec Endpoint Protection client from older versions to version 14.3 MP1.
Workaround: Use Symantec Endpoint Protection Manager Auto Upgrade to perform the Symantec Endpoint Protection client upgrade on macOS 10.15 and later.
The Symantec Endpoint Protection 14.3 Windows client installation may fail unless you first install SHA-2 support [14.3]
If you run legacy operating system versions (Windows 7 RTM or SP1, Windows Server 2008 R2 or R2 SP1 or R2 SP2), you are required to have SHA-2 code signing support installed on your devices to install Windows updates released on or after July 2019. Without SHA-2 support, the Windows client installation sometimes fails. The installation may fail whether you install clients for the first time or automatically upgrade from a previous release. [SEP-61175/61403]
To get Microsoft enforced SHA-2 code signing support, see:
The Symantec Endpoint Protection Windows client does not run when installed on Windows 10 1803 with UWF enabled [14.3]
If the Symantec Endpoint Protection client runs on the Windows 10 RS4 1803 32-bit operating system when the Unified Write Filter (UWF) is enabled and protecting the drive on which the Windows client is installed, the client does not run properly. This Windows operating system contains a UWF defect that prevents the Windows client from running.
To work around this issue:
Mac clients that enable WSS Traffic Redirection do not honor custom proxy settings for LiveUpdate [14.2 RU1 MP1 and later]
You have configured your managed Mac clients for Symantec Endpoint Protection 14.2 RU1 MP1 or later to use custom proxy settings for LiveUpdate through External Communications Settings. After you enable WSS Traffic Redirection (WTR) for your Mac clients through the Symantec Endpoint Protection Manager policy, however, you find that LiveUpdate traffic no longer honors your custom proxy settings. Instead, LiveUpdate attempts a direct connection.
To work around this issue, only use custom proxy settings for LiveUpdate when WSS Traffic Redirection is disabled.
Microsoft Edge unexpectedly allows PDF downloads with Hardening enabled [14.2 RU1 MP1 and later]
With Application Hardening enabled in the Symantec Endpoint Protection client, you are unexpectedly able to download PDF files if you use the Microsoft Edge browser. The prevention of the download of PDF files works as expected with other browsers.
A fix for this issue is planned for a future release.
For resolved issues, see:

Documentation

You can find documentation on the Broadcom Symantec Security Tech Docs Portal.
To find Endpoint Protection documentation, click the Symantec Security Software tab, then click Endpoint Security and Management > Endpoint Protection.
To find a PDF file, release notes, or the Symantec Endpoint Protection Manager database schema, go to the Related Documents page. In the future, Broadcom will be adding legacy PDF files and translated PDF files.