Known Issues for Symantec Endpoint Security

Symantec Endpoint Security
Known issues after the migration to Google Cloud Platform (GCP)
Issue #
In Symantec Endpoint Protection Manager version 14.3 MP1 and lower, the bridge functionality will not work after the migration to GCP.
For more information, see the following KB article:
After the migration to GCP, the bridge uploader log shows the following error:
http error: 503 (Service Unavailable)
After some time, the error is fixed automatically. To resolve the 503 error immediately, flush DNS manually.
CDM-63546, SEPGCP-5789
After the migration to GCP, the synchronization information is not displayed properly:
  • On the Device Management page, the Last Sync Status shows " " and the time of the Next Sync is not shown.
  • On the Access and Authentication page, the time of the Next Sync is not shown.
This issue has no functional impact and after some time the accurate information will be shown.
Known issues in Symantec Endpoint Security
Issue #
In the Symantec Endpoint Protection LiveUpdate Content policy, if you set the content type to Select a revision and then convert the Symantec Endpoint Protection client to a cloud-managed client, the content does not update on the client. To avoid this issue, make sure you set the content option to Use latest available before you convert the client.
For more information, see:
Working in the cloud console using multiple browser tabs is not supported and may cause an unexpected logout on the currently active tab. This logout is caused by the cloud console session timeout on one of the other tabs that is open in the background.
To keep the session timeout in sync on all tabs, disable the Throttle Javascript timers in background option in Google Chrome or Microsoft Edge browser.
Upgrading your macOS from 10.15 to 11.0 before upgrading the Symantec Agent for Mac from 14.2/14.3 to 14.3 RU1 creates duplicate devices in cloud console.
To avoid duplicates, you must upgrade the client before upgrading the operating system (that is, upgrade the Symantec Agent for Mac from 14.2/14.3 to 14.3 RU1 and then upgrade macOS from 10.15 to 11.0).
You might use a custom folder as the location to install multiple applications. In some cases an application might also automatically generate additional folders on installation. The Discovered Items > Applications page shows that any application installed to the custom folder also includes any additional application folders. For example, you install Firefox and Safari to the same folder location. If the Safari installation generated additional folders, then Discovered Items shows the custom folder as well as all of the Safari folders as part of the Firefox application.
If you block any of the applications with such folder associations, you might block other applications that you do not want to block.
For 14.2 agents, Behavioral Application Isolation event details do not show actor process or parent process information. The information does appear in event details for 14.3 agents.
For 14.2 agents, event details show the associated policy as the Default Antimalware policy rather than a Behavioral Application Isolation policy. For 14.3 agents, the details show the correct policy.
After you enroll a Symantec Endpoint Protection Manager domain, agents that are installed in virtual environments are listed as physical devices rather than the virtual devices. To find agents installed in virtual or physical environments, go to
; on the Managed Devices tab, look for Form Factor
A MEM policy that you lock in Symantec Endpoint Protection Manager does not show as locked in the cloud console.
To work around this issue, lock the policy in the cloud console.
When you unlock the Antimalware policy in the cloud console, the Download Insight option Automatically trust any file downloaded from a trusted Internet or Intranet site does not unlock in the Symantec Endpoint Protection
The Firewall policy in the cloud console does not unlock on the client unless the Intrusion Prevention policy in the cloud console is also unlocked.
When you unlock the MEM policy and the Intrusion Prevention policy in the cloud console, the option Display Intrusion Prevention and Memory Exploit Mitigation notifications still shows as locked on the Symantec Endpoint Protection
CCD-1699, CCD-1698
Agent deployment through Workspace ONE only works when a user with local administrator rights is logged on to the device. If no user is logged on to the device or the logged-on user doesn’t have local administrator rights, installation fails. You may see that the installation failed because the device had not enrolled within 72 hours of deployment.
This behavior occurs when any app is deployed through Workspace ONE.
To work around this behavior, log on to the device as a user with local administrator rights.
Devices that Symantec Endpoint Protection Manager manages are always shown as Managed by Endpoint Protection Manager in the Device Security Status
This behavior is expected. Only the devices that are managed in the cloud console are assessed for risk by the Endpoint Security
Symantec Endpoint Protection clients report a security event alert, Block access to autorun.inf. However, Endpoint Security does not have an Application Control policy, so it is not clear why the client generated this alert.
This behavior is expected. By default, the Symantec Endpoint Protection client enables Application Control and the rule that blocks autorun.inf. You can disable this rule through Symantec Endpoint Protection Manager, but at this time you cannot disable this rule through a policy in the cloud console.
When you view a Device Control alert and try to follow a hyperlink on it, you see an error message: "The operation can't be completed. An unexpected error occurred." The alert is not recent, but it is not yet old enough to be purged.
This behavior is expected. The navigational link on an alert no longer works if:
  • You removed the external device that triggered the alert.
  • The device no longer has a Symantec Endpoint Protection
The event export API limits the total number of events that can be retrieved within a given query to 10K. Pagination beyond 10K results in an error. To work around this issue, use a shorter time range or select fewer feature names as part of the filter query. This action limits the number of events that are returned.
Since the API is based on event time, invoking the event export API using the last synced timestamp will miss any events that arrive late.
You might see these issues when you use the ICDx plug-in with Symantec Endpoint Security.
A fix for these issues is planned for a future release.
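An added example, not Symantec's code or part of the original page: one way for an event collector to work within the 10K cap and the late-arrival gap described above. `count_events` and `fetch_events` are hypothetical stand-ins for your own API client, the `id` and `time` fields and half-open windows are assumptions, and the lookback with de-duplication is a common collector pattern rather than vendor guidance.

```python
from datetime import datetime, timedelta, timezone

MAX_EVENTS = 10_000  # per-query cap stated on this page

def plan_windows(count_events, start, end, min_span=timedelta(seconds=1)):
    """Bisect [start, end) until every window holds at most MAX_EVENTS events.
    count_events(start, end) is a hypothetical callable returning a total."""
    if count_events(start, end) <= MAX_EVENTS:
        return [(start, end)]
    if end - start <= min_span:
        # Time range cannot shrink further: select fewer feature names instead.
        raise ValueError(f"more than {MAX_EVENTS} events in {start} .. {end}")
    mid = start + (end - start) / 2
    return (plan_windows(count_events, start, mid, min_span)
            + plan_windows(count_events, mid, end, min_span))

def pull(fetch_events, count_events, last_sync, now, lookback, seen_ids):
    """Query from last_sync - lookback so late arrivals are re-read, and
    drop events already stored. The "id" and "time" keys are assumptions."""
    new = []
    for w_start, w_end in plan_windows(count_events, last_sync - lookback, now):
        for ev in fetch_events(w_start, w_end):
            if ev["id"] not in seen_ids:
                seen_ids.add(ev["id"])
                new.append(ev)
    return new

def demo():
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    # Constructed data: 25,000 events, one per second of event time.
    store = [{"id": i, "time": t0 + timedelta(seconds=i)} for i in range(25_000)]
    fetch = lambda s, e: [ev for ev in store if s <= ev["time"] < e]
    count = lambda s, e: len(fetch(s, e))
    sync, seen = t0 + timedelta(seconds=25_000), set()
    first = pull(fetch, count, t0, sync, timedelta(0), seen)
    # Late arrival: event time is before the last sync, delivery is after it.
    store.append({"id": "late", "time": t0 + timedelta(seconds=24_990)})
    now = sync + timedelta(minutes=5)
    naive = pull(fetch, count, sync, now, timedelta(0), set(seen))
    overlap = pull(fetch, count, sync, now, timedelta(minutes=10), seen)
    return len(first), [e["id"] for e in naive], [e["id"] for e in overlap]

if __name__ == "__main__":
    print(demo())
```

Size the lookback to the longest delivery delay you observe between an event's time and its arrival; the de-duplication set only needs to cover that same span.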
Known issues in Application Control and Application Isolation
Issue #
With Application Hardening enabled in the Symantec Endpoint Protection client, you are unexpectedly able to download PDF files if you use the Microsoft Edge browser. The prevention of the download of PDF files works as expected with other browsers.
A fix for this issue is planned for a future release.
Applications do not launch even after override because the associated processes of the overridden application are not added to the allowed list. See:
Override and blocked application notifications are not shown if the file path name is longer than 238 characters.
Out-of-the-box Application Isolation policies and Platform Isolation policies include rules in multiple policy options to protect the Windows registry paths for applications and the operating system. Administrators might also configure custom rules for these registry paths.
The registry rules only take effect when the option state is set to ON. Any registry operations are logged only when the Access Log Setting for the rules is set to Log Major, or Log Trivial
With these policy rules and registry settings, there are known issues in the following scenarios:
  • A protect registry rule includes a
    The specified user is allowed to create, modify, or delete the registry values that are associated with the protected keys. An administrator is also allowed to rename the protected registry key.
  • A protect registry rule does not include a
    The add, modify, or delete key and value operations on registry paths that are configured in the rule are not reported. These protected registry (PREG) events are not logged. The registry paths, however, are protected.
Drill-down does not work for the Isolation Coverage for Suspicious Detections
Application Isolation:
tab does not show all the application versions on an isolation-enabled device.
Go to Discovered Items > Applications and select an application. Select the
tab. The versions list does not show a different version of the application that is installed on your devices.
You might see this issue in the following scenarios:
  • An application is discovered on a device, and then you add a new device on which a different version of the application is discovered.
  • You install or uninstall an application on your existing devices.
Application discovery runs once every 24 hours. You might need to wait a period of time until application discovery completes before new or different versions appear in the versions list.
Internet Explorer crashes on Windows 10 RS6 when you run an AutoIt script to download files on a device that uses the following browser isolation policy settings:
  • Block the download of executable or content files
  • Allow user overrides
To work around this issue, change the policy setting to allow downloaded files.
Internet Explorer isolation policy does not prevent a user from opening and downloading a PDF file in an Internet Explorer browser window when Adobe Reader is installed on the endpoint.
If you enable Download Restrictions for Internet Explorer > Block download of content files, users can continue to open, then download and save, PDFs in Internet Explorer if Acrobat Reader is installed. When Internet Explorer opens a PDF in a browser window, Acrobat Reader is the process that launches the PDF, so the isolation setting does not apply.
Turning on or off Block download of content files does not change Internet Explorer's usage of Acrobat Reader for PDF files in a browser window. Symantec does not recommend turning off the setting because it blocks the download of files when users select a PDF link in a browser window or when Adobe Acrobat Reader is not installed.
Known issues in Network Integrity and Traffic Redirection
If you change the Network Integrity policy name in the console, the Symantec Agent does not reflect the updated policy name.
This behavior occurs when you change the Network Integrity policy name without making any changes to the policy settings.
To work around this issue, change the policy name while modifying the policy settings.
On the
tab > My Tasks tab, the Set up Secure Cloud Access task remains in
state until you provide a valid WSS token on the Web Security Service Integration
Also, on the
tab >
page, under Endpoint Security, the total High Priority Tasks count always identifies the above task as a pending task that requires your attention.
This behavior occurs when you do not want to configure the Web Security Service integration for your account, and try to configure the Traffic Redirection quick steps that require a valid WSS token to complete the task.
Known issues in the 14.2 cloud console
Issue #
If you rename the My Company group, the group name does not change in Symantec Endpoint Protection Manager.
Known Issues in Endpoint Detection and Response
The get file feature returns UPLOAD_TO_ATP_FAILED instead of specific error codes such as ACCESS_DENIED, SUCCEEDED_NOT_FOUND, and so on.
Similarly, Get Non Pe File with incorrect credentials gives the error "Upload to ATP Failed" instead of other error codes.
A fix is in progress.
In search Edit mode, if you enter a quick filter or attribute values that contain special characters (space, *, (, ), [, ]), the search may fail.
Special characters must be escaped. To escape these characters, put a \ before the character.
When attempting to connect to an endpoint, you see the error:
Unable to process your request. Please try later.
The token allotted to the agent does not have the required privilege.
It can take up to 24 hours for the token to refresh with the correct privileges.
In some cases, only part of the Live Shell session is downloaded.
Issue is under investigation.
Running the '
' command in a Live Shell session shows some non-executed commands in the result. This is expected behavior with older Windows PowerShell versions (2.0 ~ 4.x)
Commands requiring user inputs do not work in Live Shell.
This is expected behavior. You cannot run PowerShell Commands that require user inputs in a Live Shell session.
In some cases, a script pasted into a Live Shell terminal window will not display correctly. For instance, you may see multiple question marks. In such cases, press Enter twice to get a proper result.
Some commands are echoed back to the Live Shell console.
This is expected behavior. Some versions of Windows will echo commands and others will not. This is a PowerShell issue.
Running the tree command in a Live Shell session shows special characters in the result.
Issue is under investigation.
An agent that has older EDR content (version less than 4.1.0.x) does not return the correct error code when Live Shell is tried for that device.
For instance, the error "Unable to process your request. Please try later." is displayed.
Once the latest content is updated on the agent by Live Update, this issue will not occur.
The Live Shell session terminates when the page is refreshed. This is the intended behavior.
Commands resulting with data that has special characters in the response (e.g. Chinese characters) are not displayed correctly. PowerShell also does not display them correctly.
This is an issue where Java does not support unsigned bytes and so cannot convert them properly.
Quarantine file does not work for Microsoft and Symantec signed binaries even if the status is displayed as success.
On the
Group By
, multiple devices with same name are seen after you delete the device from the device details page.
To see the
, navigate to the
Device and Managed Devices
For devices with multiple NICs, you cannot search for events using IPv4, IPv6 and MAC of the NICs.
Use Device IP field or free form search using the text filter.
For the Custom Search Field Compliance Rule Criteria Id, you cannot search for values 5, 15, and 25.
Failed to show data on the
page when you log in using custom Administrator credentials that do not have
page view privilege.
On the Isolation Events widget if you click anywhere on the X-axis, you are not redirected to the Investigate page.
Sometimes, an incorrect device name is shown in the Group by>Device groups
events that are reported by Silent submissions using the device UID.
File names that have localized characters are not shown properly on the CDM console.
The date range of the calendar application for the Get File wizard does not consider milliseconds.
On the
page for the Event type 8027 (Process Detection Events), a GUID value is shown in the Device Name column instead of the device hostname. If you click on the GUID value, it opens the device details page.
When using the "Not Equals" query operator, records with a value: NULL are not displayed.
This is as designed. The "Not Equals" query operator only returns records with a non-null value specified in the query.
NOT operator with
is not working as expected.
Clicking on some files does not show the corresponding file details page. The request errors out with file not found error. To build the file inventory, enable the Symantec Application Control feature.
On the
page, queries using the field "User Idle" do not return expected results.
Some queries in free form search display a validation error because special characters are not escaped properly. As a workaround, use the Custom filter option, or avoid using special characters in the query.
Queries with the "Matches" operator need to have special characters escaped using "\".
Search result export does not export the Description field.
Content pending.
Duplicate conclusions are sometimes present when there are multiple events associated with an incident.