Known Issues for Symantec Endpoint Security
Symantec Endpoint Security issues
In Symantec Endpoint Protection Manager version 14.3 MP1 and lower, the bridge functionality will not work after the migration to GCP.
For more information, see the following KB article: In SEPM 14.3 MP1 and lower, the bridge functionality will not work after the migration to GCP
After the migration to GCP, the bridge uploader log shows the following error:
http error: 503 (Service Unavailable)
After some time, the error clears automatically. To resolve the 503 error immediately, flush the DNS cache manually.
After the migration to GCP, the synchronization information is not displayed properly:
This issue has no functional impact and after some time the accurate information will be shown.
Working in the cloud console using multiple browser tabs is not supported and may cause an unexpected logout on the currently active tab. This logout is caused by the cloud console session timeout on one of the other tabs that is open in the background.
Workaround: To keep the session timeout in sync on all tabs, disable the
Upgrading your macOS from 10.15 to 11.0 before upgrading the Symantec Agent for Mac from 14.2/14.3 to 14.3 RU1 creates duplicate devices in cloud console.
To avoid duplicates, you must upgrade the client before upgrading the operating system (i.e. upgrade the Symantec Agent for Mac from 14.2/14.3 to 14.3 RU1 and then upgrade macOS from 10.15 to 11.0).
You might use a custom folder as the location to install multiple applications. In some cases an application might also automatically generate additional folders on installation. The Discovered Items > Applications page shows that any application installed to the custom folder also includes any additional application folders. For example, you install Firefox and Safari to the same folder location. If the Safari installation generated additional folders, then Discovered Items shows the custom folder as well as all of the Safari folders as part of the Firefox application.
If you block any of the applications with such folder associations, you might block other applications that you do not want to block.
For 14.2 agents, Behavioral Application Isolation event details do not show actor process or parent process information. The information does appear in event details for 14.3 agents.
For 14.2 agents, event details show the associated policy as the Default Antimalware policy rather than a Behavioral Application Isolation policy. For 14.3 agents, the details show the correct policy.
After you enroll a Symantec Endpoint Protection Manager domain, agents that are installed in virtual environments are listed as physical devices rather than as virtual devices. To find agents installed in virtual or physical environments, go to Devices; on the Managed Devices tab, look for
A MEM policy that you lock in Symantec Endpoint Protection Manager does not show as locked in the cloud console.
To work around this issue, lock the policy in the cloud console.
When you unlock the Antimalware policy in the cloud console, the Download Insight option Automatically trust any file downloaded from a trusted Internet or Intranet site does not unlock in the Symantec Endpoint Protection client.
The Firewall policy in the cloud console does not unlock on the client unless the Intrusion Prevention policy in the cloud console is also unlocked.
When you unlock the MEM policy and the Intrusion Prevention policy in the cloud console, the option Display Intrusion Prevention and Memory Exploit Mitigation notifications still shows as locked on the Symantec Endpoint Protection client.
Agent deployment through Workspace ONE only works when a user with local administrator rights is logged on to the device. If no user is logged on to the device or the logged-on user doesn’t have local administrator rights, installation fails. You may see that the installation failed because the device had not enrolled within 72 hours of deployment.
This behavior occurs when any app is deployed through Workspace ONE.
To work around this behavior, log on to the device as a user with local administrator rights.
Devices that Symantec Endpoint Protection Manager manages are always shown as Managed by Endpoint Protection Manager in the Device Security Status widget.
This behavior is expected. Only the devices that are managed in the cloud console are assessed for risk by the
Symantec Endpoint Protection clients report a security event alert, Block access to autorun.inf. However, Endpoint Security does not have an Application Control policy, so it is not clear why the client generated this alert.
This behavior is expected. By default, the Symantec Endpoint Protection client enables Application Control and the rule that blocks autorun.inf. You can disable this rule through Symantec Endpoint Protection Manager, but at this time you cannot disable this rule through a policy in the cloud console.
When you view a Device Control alert and try to follow a hyperlink on it, you see an error message: "The operation can't be completed. An unexpected error occurred." The alert is not recent, but it is not yet old enough to be purged.
This behavior is expected. The navigational link on an alert no longer works if:
The event export API limits the total number of events that can be retrieved within a given query to 10K. Pagination beyond 10K results in an error. To work around this issue, use a shorter time range or select fewer feature names as part of the filter query. This action limits the number of events that are returned.
Since the API is based on event time, invoking the event export API using the last synced timestamp will miss any events that arrive late.
You might see these issues when you use the ICDx plug-in with Symantec Endpoint Security.
A fix for these issues is planned for a future release.
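As an added illustration of the two export limitations above (this is not code from Symantec or from the page), the following Python halves a query window until each sub-query stays under the 10K cap, and re-queries with a lag behind the last sync so that late-arriving events with an older event time are still collected. The export function, event shape and sample events are constructed stand-ins for the real API, not its actual interface.

```python
from datetime import datetime, timedelta, timezone

MAX_EVENTS_PER_QUERY = 10_000  # cap described on the page

T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed sample start time


def make_events(count, start=T0, span=timedelta(hours=1)):
    """Constructed sample events spread evenly over `span` (not real telemetry)."""
    step = span / count
    return [{"id": f"evt-{i}", "event_time": start + i * step,
             "feature": "EDR" if i % 2 else "AV"} for i in range(count)]


def fake_export(events, start, end, feature=None):
    """Hypothetical stand-in for the event export API: filters by event time and
    feature name, and refuses any result set larger than the 10K cap."""
    hits = [e for e in events
            if start <= e["event_time"] < end
            and (feature is None or e["feature"] == feature)]
    if len(hits) > MAX_EVENTS_PER_QUERY:
        raise RuntimeError("query returns more than 10K events")
    return hits


def export_range(events, start, end, feature=None):
    """Workaround 1: halve the time range until every sub-query fits under the cap."""
    try:
        return fake_export(events, start, end, feature)
    except RuntimeError:
        mid = start + (end - start) / 2
        if mid in (start, end):
            raise  # range too small to split any further
        return (export_range(events, start, mid, feature)
                + export_range(events, mid, end, feature))


def poll(events, state, now, lag=timedelta(minutes=10)):
    """Workaround 2: query from (last sync - lag) instead of the last synced
    timestamp, so late-arriving events are not skipped; dedupe by event id."""
    start = state["watermark"] - lag
    fresh = [e for e in export_range(events, start, now)
             if e["id"] not in state["seen"]]
    state["seen"].update(e["id"] for e in fresh)
    state["watermark"] = now
    return fresh
```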
With Application Hardening enabled in the Symantec Endpoint Protection client, you are unexpectedly able to download PDF files if you use the Microsoft Edge browser. The prevention of the download of PDF files works as expected with other browsers.
A fix for this issue is planned for a future release.
Applications do not launch even after override because the associated processes of the overridden application are not added to the allowed list.
Override and blocked application notifications are not shown if the file path name is longer than 238 characters.
Out-of-the-box Application Isolation policies and Platform Isolation policies include rules in multiple policy options to protect the Windows registry paths for applications and the operating system. Administrators might also configure custom rules for these registry paths.
The registry rules only take effect when the option state is set to ON. Any registry operations are logged only when the Access Log Setting for the rules is set to Log Major, or
With these policy rules and registry settings, there are known issues in the following scenarios:
Drill-down does not work for the Isolation Coverage for Suspicious Detections widget.
Versions tab does not show all the application versions on an isolation-enabled device.
Discovered Items > Applications and select an application. Select the Versions tab. The versions list does not show a different version of the application that is installed on your devices.
You might see this issue in the following scenarios:
Application discovery runs once every 24 hours. You might need to wait a period of time until application discovery completes before new or different versions appear in the versions list.
Internet Explorer crashes on Windows 10 RS6 when you run an AutoIt script to download files on a device that uses the following browser isolation policy settings:
To work around this issue, change the policy setting to allow downloaded files.
Internet Explorer isolation policy does not prevent a user from opening and downloading a PDF file in an Internet Explorer browser window when Adobe Reader is installed on the endpoint.
If you enable Download Restrictions for Internet Explorer > Block download of content files, users can continue to open, then download and save PDFs in Internet Explorer if Acrobat Reader is installed. When Internet Explorer opens a PDF in a browser window, Acrobat Reader is the process that launches the PDF, so the isolation setting does not apply.
Turning Block download of content files on or off does not change Internet Explorer's usage of Acrobat Reader for PDF files in a browser window. Symantec does not recommend turning off the setting because it blocks the download of files when users select a PDF link in a browser window or when Adobe Acrobat Reader is not installed.
If you change the Network Integrity policy name in the console, the Symantec Agent does not reflect the updated policy name.
This behavior occurs when you change the Network Integrity policy name without making any changes to the policy settings.
To work around this issue, change the policy name while modifying the policy settings.
My Tasks tab, the Set up Secure Cloud Access task remains in Pending state until you provide a valid WSS token on the Web Security Service Integration page.
Also, on the Endpoint Security, the total High Priority Tasks count always identifies the above task as a pending task that requires your attention.
This behavior occurs when you do not want to configure the Web Security Service integration for your account, but try to configure the Traffic Redirection quick steps, which require a valid WSS token to complete the task.
If you rename the My Company group, the group name does not change in Symantec Endpoint Protection Manager.
When attempting to connect to an endpoint, you see the error:
Unable to process your request. Please try later.
Cause: The token allotted to the agent does not have the required privilege.
Solution: It can take up to 24 hours for the token to refresh with the correct privileges.
In some cases, only part of the Live Shell session is downloaded.
Issue is under investigation.
Running the 'history' command in a Live Shell session shows some non-executed commands in the result. This is expected behavior with older Windows PowerShell versions (2.0 ~ 4.x).
Commands requiring user inputs do not work in Live Shell.
This is expected behavior. You cannot run PowerShell Commands that require user inputs in a Live Shell session.
In some cases, a script pasted into a Live Shell terminal window will not display correctly. For instance, you may see multiple question marks. In such cases, press Enter twice to get a proper result.
Some commands are echoed back to the Live Shell console.
This is expected behavior. Some versions of Windows will echo commands and others will not. This is a PowerShell issue.
Running the tree command in a Live Shell session shows special characters in the result.
Issue is under investigation.
An agent with older EDR content (version lower than 4.1.0.x) does not return the correct error code when Live Shell is tried for that device.
For instance, the error "Unable to process your request. Please try later." is displayed.
Once the latest content is updated on the agent by Live Update, this issue will not occur.
Live Shell session terminates when the page is refreshed. This is the intended behavior.
Commands resulting with data that has special characters in the response (e.g. Chinese characters) are not displayed correctly. PowerShell also does not display them correctly.
This is an issue where Java does not support unsigned bytes and so cannot convert them properly.
Quarantine file does not work for Microsoft-signed and Symantec-signed binaries even if the status is displayed as success.
Group By, multiple devices with the same name are seen after you delete the device from the device details page.
To see the Devices, navigate to the Device and Managed Devices.
For devices with multiple NICs, you cannot search for events using IPv4, IPv6 and MAC of the NICs.
Use the Device IP field or free-form search using the text filter.
For the Custom Search Field Compliance Rule Criteria Id, you cannot search for values 5, 15, and 25.
Failed to show data on the Investigate page when you log in using custom Administrator credentials that do not have the Investigate page view privilege.
On the Isolation Events widget, if you click anywhere on the X-axis, you are not redirected to the Investigate page.
Sometimes, an incorrect device name is shown in the Group by > Device groups events that are reported by Silent submissions using the device UID.
File names that have localized characters are not shown properly on the CDM console.
The Date range of the calendar application for the Get File wizard does not consider milliseconds.
Investigate page for the Event type 8027 (Process Detection Events), a GUID value is shown in the Device Name column instead of the device hostname. If you click on the GUID value, it opens the device details page.
When using the "Not Equals" query operator, records with a NULL value are not displayed.
This is as designed. The "Not Equals" query operator only returns records with a non-null value for the field specified in the query.
NOT operator with Registry_Value_Result_Data is not working as expected.
Clicking on some files does not show the corresponding file details page. The request errors out with file not found error. To build the file inventory, enable the Symantec Application Control feature.
Investigate page, queries using the field "User Idle" do not return expected results.
Some queries in free-form search display a validation error because special characters are not escaped properly. As a workaround, use the Custom filter option, or avoid using special characters in the query.
Queries with the "Matches" operator need to have special characters escaped using "\".
Search result export does not export the Description field.
Duplicate conclusions are sometimes present when there are multiple events associated with an incident.