Known Issues for Symantec Endpoint Security

Symantec Endpoint Security issues
Known issues after the migration to Google Cloud Platform (GCP)
Issue #
Issue
SEPGCP-6963
In Symantec Endpoint Protection Manager version 14.3 MP1 and lower, the bridge functionality will not work after the migration to GCP.
For more information, see the following KB article:
SEPGCP-6730
After the migration to GCP, the bridge uploader log shows the following error:
http error: 503 (Service Unavailable)
After some time, the error is fixed automatically. You can flush DNS manually to resolve the 503 error immediately.
CDM-63546, SEPGCP-5789
After the migration to GCP, the synchronization information is not displayed properly:
  • On the Device Management page, the Last Sync Status shows "Failed" and the time of the Next Sync is not shown.
  • On the Access and Authentication page, the time of the Next Sync is not shown.
This issue has no functional impact and after some time the accurate information will be shown.
Known issues in Symantec Endpoint Security
Issue #
Issue
SEP-72459
In the Symantec Endpoint Protection LiveUpdate Content policy, if you set the content type to Select a revision and then convert the Symantec Endpoint Protection client to a cloud-managed client, the content does not update on the client. To avoid this issue, make sure you set the content option to Use latest available before you convert the client.
For more information, see:
CDM-65955
Working in the cloud console using multiple browser tabs is not supported and may cause an unexpected logout on the currently active tab. This logout is caused by the cloud console session timeout on one of the other tabs that is open in the background.
Workaround: To keep the session timeout in sync on all tabs, disable the Throttle Javascript timers in background option in Google Chrome or Microsoft Edge browser.
ESMAC-2012
Upgrading your macOS from 10.15 to 11.0 before upgrading the Symantec Agent for Mac from 14.2/14.3 to 14.3 RU1 creates duplicate devices in cloud console.
To avoid duplicates, you must upgrade the client before upgrading the operating system (that is, upgrade the Symantec Agent for Mac from 14.2/14.3 to 14.3 RU1 and then upgrade macOS from 10.15 to 11.0).
CDM-58203
You might use a custom folder as the location to install multiple applications. In some cases an application might also automatically generate additional folders on installation. On the Discovered Items > Applications page, any application installed to the custom folder is shown as also including any additional application folders. For example, you install Firefox and Safari to the same folder location. If the Safari installation generated additional folders, then Discovered Items shows the custom folder as well as all of the Safari folders as part of the Firefox application.
If you block any of the applications with such folder associations, you might block other applications that you do not want to block.
SEP-62347
For 14.2 agents, Behavioral Application Isolation event details do not show actor process or parent process information. The information does appear in event details for 14.3 agents.
CDM-55787
For 14.2 agents, event details show the associated policy as the Default Antimalware policy rather than a Behavioral Application Isolation policy. For 14.3 agents, the details show the correct policy.
SEP-57645
After you enroll a Symantec Endpoint Protection Manager domain, agents that are installed in virtual environments are listed as physical devices rather than virtual devices. To find agents installed in virtual or physical environments, go to Endpoint > Devices; on the Managed Devices tab, look for Form Factor.
SEP-54806
SEP-54808
A MEM policy that you lock in Symantec Endpoint Protection Manager does not show as locked in the cloud console.
To work around this issue, lock the policy in the cloud console.
SEP-54784
When you unlock the Antimalware policy in the cloud console, the Download Insight option Automatically trust any file downloaded from a trusted Internet or Intranet site does not unlock in the Symantec Endpoint Protection client.
SEP-54656
The Firewall policy in the cloud console does not unlock on the client unless the Intrusion Prevention policy in the cloud console is also unlocked.
SEP-54868
When you unlock the MEM policy and the Intrusion Prevention policy in the cloud console, the option Display Intrusion Prevention and Memory Exploit Mitigation notifications still shows as locked on the Symantec Endpoint Protection client.
CCD-1699, CCD-1698
Agent deployment through Workspace ONE only works when a user with local administrator rights is logged on to the device. If no user is logged on to the device or the logged-on user doesn’t have local administrator rights, installation fails. You may see that the installation failed because the device had not enrolled within 72 hours of deployment.
This behavior occurs when any app is deployed through Workspace ONE.
To work around this behavior, log on to the device as a user with local administrator rights.
SEP-45238
Devices that Symantec Endpoint Protection Manager manages are always shown as Managed by Endpoint Protection Manager in the Device Security Status widget.
This behavior is expected. Only the devices that are managed in the cloud console are assessed for risk by the Endpoint Security dashboard.
SEP-44689
Cloud-managed Symantec Endpoint Protection clients report a security event alert, Block access to autorun.inf. However, Endpoint Security does not have an Application Control policy, so it is not clear why the client generated this alert.
This behavior is expected. By default, the Symantec Endpoint Protection client enables Application Control and the rule that blocks autorun.inf. You can disable this rule through Symantec Endpoint Protection Manager, but at this time you cannot disable this rule through a policy in the cloud console.
EPMP-57868
When you view a Device Control alert and try to follow a hyperlink on it, you see an error message: "The operation can't be completed. An unexpected error occurred." The alert is not recent, but it is not yet old enough to be purged.
This behavior is expected. The navigational link on an alert no longer works if:
  • You removed the external device that triggered the alert.
  • The device no longer has a Symantec Endpoint Protection client.
CDM-42510
The event export API limits the total number of events that can be retrieved within a given query to 10K. Pagination beyond 10K results in an error. To work around this issue, use a shorter time range or select fewer feature names as part of the filter query. This action limits the number of events that are returned.
Since the API is based on event time, invoking the event export API using the last synced timestamp will miss any events that arrive late.
You might see these issues when you use the ICDx plug-in with Symantec Endpoint Security.
A fix for these issues is planned for a future release.
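The workaround in CDM-42510, sketched as an added example (not Symantec's code): halve any time range that fills the 10K cap, and re-read an overlap on each sync so late-arriving events are picked up and de-duplicated. The `fetch(start, end, limit)` callable, the `id`/`time`/`arrived` fields, the 5-minute lookback and the in-memory `FakeExport` store are all assumptions made for illustration; they stand in for your own wrapper around the event export API.

```python
from datetime import datetime, timedelta, timezone

CAP = 10_000  # per-query ceiling described in CDM-42510

class FakeExport:
    """Constructed in-memory stand-in for the export endpoint (not the real API)."""
    def __init__(self, events):
        self.events = sorted(events, key=lambda e: e["time"])
        self.clock = None  # events that "arrived" after this instant are not visible yet

    def fetch(self, start, end, limit):
        hits = [e for e in self.events
                if start <= e["time"] < end and e["arrived"] <= self.clock]
        return hits[:limit]  # capped result set (constructed behaviour)

def export_window(fetch, start, end, cap=CAP, min_span=timedelta(milliseconds=1)):
    """Return every visible event in [start, end), halving any window that fills the cap."""
    batch = fetch(start, end, cap)
    if len(batch) < cap:
        return batch
    if end - start <= min_span:
        raise RuntimeError("window cannot shrink further; filter on fewer feature names")
    mid = start + (end - start) / 2
    return (export_window(fetch, start, mid, cap, min_span)
            + export_window(fetch, mid, end, cap, min_span))

def sync(fetch, last_synced, now, seen_ids, lookback=timedelta(minutes=5)):
    """Re-read a lookback overlap to catch late arrivals; de-duplicate by event id."""
    fresh = []
    for event in export_window(fetch, last_synced - lookback, now):
        if event["id"] not in seen_ids:
            seen_ids.add(event["id"])
            fresh.append(event)
    return fresh, now  # the caller stores `now` as the next last_synced

def demo():
    """Constructed data: 25,000 on-time events plus one delivered 200 s late."""
    t0, sec = datetime(2021, 1, 1, tzinfo=timezone.utc), timedelta(seconds=1)
    events = [{"id": i, "time": t0 + i * sec, "arrived": t0 + i * sec}
              for i in range(25_000)]
    events.append({"id": "late", "time": t0 + 24_900 * sec, "arrived": t0 + 25_100 * sec})
    store, seen = FakeExport(events), set()

    store.clock = t0 + 25_000 * sec
    backfill, mark = sync(store.fetch, t0, store.clock, seen)   # needs bisection

    store.clock = t0 + 25_200 * sec
    naive = store.fetch(mark, store.clock, CAP)                 # last-synced only
    fresh, mark = sync(store.fetch, mark, store.clock, seen)    # with overlap
    return len(backfill), [e["id"] for e in naive], [e["id"] for e in fresh]

if __name__ == "__main__":
    print(demo())
```

Size the lookback to the longest delivery delay you observe; the `seen_ids` set only needs to retain ids that fall inside that overlap.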
Known issues in Application Control and Application Isolation
Issue #
Issue
SAEP-30639
With Application Hardening enabled in the Symantec Endpoint Protection client, you are unexpectedly able to download PDF files if you use the Microsoft Edge browser. The prevention of the download of PDF files works as expected with other browsers.
A fix for this issue is planned for a future release.
Applications do not launch even after override because the associated processes of the overridden application are not added to the allowed list. See:
Override and blocked application notifications are not shown if the file path name is longer than 238 characters.
SAEP-31161
Out-of-the-box Application Isolation policies and Platform Isolation policies include rules in multiple policy options to protect the Windows registry paths for applications and the operating system. Administrators might also configure custom rules for these registry paths.
The registry rules only take effect when the option state is set to ON. Any registry operations are logged only when the Access Log Setting for the rules is set to Log, Log Major, or Log Trivial.
With these policy rules and registry settings, there are known issues in the following scenarios:
  • A protect registry rule includes a Username parameter.
    The specified user is allowed to create, modify, or delete the registry values that are associated with the protected keys. An administrator is also allowed to rename the protected registry key.
  • A protect registry rule does not include a Username parameter.
    The add, modify, or delete key and value operations on registry paths that are configured in the rule are not reported. These protected registry (PREG) events are not logged. The registry paths, however, are protected.
Drill-down does not work for the Isolation Coverage for Suspicious Detections widget.
4161174
Application Isolation: Versions tab does not show all the application versions on an isolation-enabled device.
Go to Discovered Items > Applications and select an application. Select the Versions tab. The versions list does not show a different version of the application that is installed on your devices.
You might see this issue in the following scenarios:
  • An application is discovered on a device, and then you add a new device on which a different version of the application is discovered.
  • You install or uninstall an application on your existing devices.
Application discovery runs once every 24 hours. You might need to wait a period of time until application discovery completes before new or different versions appear in the versions list.
CDM-35380
Internet Explorer crashes on Windows 10 RS6 when you run an AutoIt script to download files on a device that uses the following browser isolation policy settings:
  • Block the download of executable or content files
  • Allow user overrides
To work around this issue, change the policy setting to allow downloaded files.
CDM-38969
Internet Explorer isolation policy does not prevent a user from opening and downloading a PDF file in an Internet Explorer browser window when Adobe Reader is installed on the endpoint.
If you enable Download Restrictions for Internet Explorer > Block download of content files, users can continue to open, then download and save, PDFs in Internet Explorer if Acrobat Reader is installed. When Internet Explorer opens a PDF in a browser window, Acrobat Reader is the process that launches the PDF, so the isolation setting does not apply.
Turning Block download of content files on or off does not change Internet Explorer's usage of Acrobat Reader for PDF files in a browser window. Symantec does not recommend turning off the setting because it blocks the download of files when users select a PDF link in a browser window or when Adobe Acrobat Reader is not installed.
Known issues in Network Integrity and Traffic Redirection
Number
Issue
If you change the Network Integrity policy name in the console, the Symantec Agent does not reflect the updated policy name.
This behavior occurs when you change the Network Integrity policy name without making any changes to the policy settings.
To work around this issue, change the policy name while modifying the policy settings.
On the Endpoint tab > My Tasks tab, the Set up Secure Cloud Access task remains in Pending state until you provide a valid WSS token on the Endpoint > Settings > Web Security Service Integration page.
Also, on the Endpoint tab > Home page, under Endpoint Security, the total High Priority Tasks count always identifies the above task as a pending task that requires your attention.
This behavior occurs when you do not want to configure the Web Security Service integration for your account, and try to configure the Traffic Redirection quick steps that require a valid WSS token to complete the task.
Known issues in the 14.2 cloud console
Issue #
Issue
If you rename the My Company group, the group name does not change in Symantec Endpoint Protection Manager.
Known Issues in Endpoint Detection and Response
Issue#
Issue
N/A
The get file feature results in UPLOAD_TO_ATP_FAILED instead of specific error codes such as ACCESS_DENIED, SUCCEEDED_NOT_FOUND, etc.
Similarly, Get Non Pe File with incorrect credentials gives the error "Upload to ATP Failed" instead of other error codes.
A fix is in progress.
N/A
In search Edit mode, when you enter a quick filter or attribute values with special characters (space, *, (, ), [, ]), the search may fail.
Solution: Special characters must be escaped. To escape these characters, use \ before the character.
CDM-59593
When attempting to connect to an endpoint, you see the error:
Unable to process your request. Please try later.
Cause:
The token allotted to the agent does not have the required privilege.
Solution:
It can take up to 24 hours for the token to refresh with the correct privileges.
CDM-59408
In some cases, only part of the Live Shell session is downloaded.
Issue is under investigation.
CDM-59337
Running the 'history' command in a Live Shell session shows some non-executed commands in the result. This is expected behavior with older Windows PowerShell versions (2.0 ~ 4.x).
CDM-58656
Commands requiring user inputs do not work in Live Shell.
This is expected behavior. You cannot run PowerShell Commands that require user inputs in a Live Shell session.
CDM-59244
In some cases, a script pasted into a Live Shell terminal window will not display correctly. For instance, you may see multiple question marks. In such cases, press Enter twice to get a proper result.
CDM-59075
Some commands are echoed back to the Live Shell console.
This is expected behavior. Some versions of Windows will echo commands and others will not. This is a PowerShell issue.
CDM-59073
Running the tree command in a Live Shell session shows special characters in the result.
Issue is under investigation.
CDM-59285
An agent with older EDR content (version less than 4.1.0.x) does not return the correct error code when Live Shell is attempted for that device.
For instance, the error "Unable to process your request. Please try later." is displayed.
Once the latest content is updated on the agent by LiveUpdate, this issue will not occur.
CDM-58892
Live Shell session terminates when the page is refreshed. This is the intended behavior.
CDM-59107
Commands resulting with data that has special characters in the response (e.g. Chinese characters) are not displayed correctly. PowerShell also does not display them correctly.
This is an issue where Java does not support unsigned bytes and so cannot convert them properly.
SEDR-82684
Quarantine file does not work for Microsoft and Symantec signed binaries even if the status is displayed as success.
SEDR-84353
On the Investigate page, under Group By, multiple devices with the same name are seen after you delete the device from the device details page.
Workaround: To see the Devices, navigate to the Device and Managed Devices.
SEDR-79019
For devices with multiple NICs, you cannot search for events using the IPv4, IPv6 and MAC addresses of the NICs.
Workaround: Use the Device IP field or free form search using the text filter.
SEDR-84184
For the Custom Search Field Compliance Rule Criteria Id, you cannot search for values 5, 15, and 25.
SEDR-84338
Data fails to display on the Investigate page when you log in using custom Administrator credentials that do not have the Investigate page view privilege.
SEDR-84377
On the Isolation Events widget if you click anywhere on the X-axis, you are not redirected to the Investigate page.
SEDR-84295
Sometimes, an incorrect device name is shown in the Group by > Device groups events that are reported by Silent submissions using the device UID.
4248791
File names having localized characters are not shown properly on CDM console.
SEDR-84782
The Date range of the calendar application for the Get File wizard does not consider milliseconds.
SEDR-84480
On the Investigate page for the Event type 8027 (Process Detection Events), a GUID value is shown in the Device Name column instead of the device hostname. If you click on the GUID value, it opens the device details page.
SEDR-86816
When using the "Not Equals" query operator, records with a value: NULL are not displayed.
This is as designed. The "Not Equals" query operator only returns records with a non-null value specified in the query.
4252243
The NOT operator with Registry_Value_Result_Data is not working as expected.
4249980
Clicking on some files does not show the corresponding file details page. The request errors out with file not found error. To build the file inventory, enable the Symantec Application Control feature.
4254022
On the Investigate page, queries using the field "User Idle" do not return expected results.
4254030
Some queries in free form search display a validation error because special characters are not escaped properly. As a workaround, use the Custom filter option, or avoid using special characters in the query.
4252335
Queries with the "Matches" operator need to have special characters escaped using "\".
4250916
Search result export does not export the Description field.
4249983
Content pending.
DPE-6521
Duplicate conclusions are sometimes present when there are multiple events associated with an incident.