Readme for Symantec™ Endpoint Protection and Symantec Network Access Control, version 11, RU 6, MP 3

About this document

Please review this document in its entirety before you install or roll out Symantec Endpoint Protection, Symantec Network Access Control, or call for technical support. It describes known issues and provides additional information that is not included in the standard documentation or the context-sensitive help.

You can find the latest version of this Readme file by using the following link:

readme_sep_11.0_ru6_mp3

Localized versions of this readme file

This readme has been translated into other languages. Your browser may automatically have switched to your chosen language. If it has not switched, click one of the links below.

System requirements

Symantec software requires specific protocols, operating systems and service packs, software, and hardware. All the computers to which you install Symantec software should meet or exceed the recommended system requirements for the operating system that is used.

See the Installation Guide for Symantec Endpoint Protection and Symantec Network Access Control for full system requirements.

Table: Symantec Endpoint Protection Manager system requirements summarizes the minimum requirements for the computer on which you install the Symantec Endpoint Protection Manager.

Table: Symantec Endpoint Protection Manager system requirements

Component

Requirement

Operating system

32-bit systems:

  • Windows 2000 Server/Advanced Server/Datacenter Server with Service Pack 3 or later

  • Windows XP Professional with Service Pack 1 or later (x86 or x64)

  • Windows Small Business Server 2000/Windows Small Business Server 2003

  • Windows Server 2003 Standard Edition/Enterprise Edition/Datacenter Edition/Storage Edition/Web Edition

  • Windows Server 2008 Standard/Windows Server 2008 Enterprise/Windows Server 2008 Datacenter/Windows Web Server 2008 (all Service Packs supported)

64-bit systems:

  • Windows XP Professional with Service Pack 1 or later

  • Windows Server 2003 Standard Edition/Enterprise Edition/Datacenter Edition/Storage Edition/Small Business Server

  • Windows Server 2008 Standard/Windows Server 2008 Enterprise/Windows Server 2008 Datacenter/Windows Web Server 2008 (R2 and all Service Packs supported)

  • Windows Essential Business Server 2008 Standard Edition/Windows Essential Business Server 2008 Premium Edition (R2 and all Service Packs supported)

  • Windows Small Business Server 2008 Standard Edition/Windows Small Business Server 2008 Premium Edition (R2 and all Service Packs supported)

Database

The Symantec Endpoint Protection Manager includes an embedded database.

  • 32-bit systems: You can also use Microsoft SQL Server 2000 with Service Pack 4 or later, Microsoft SQL Server 2005 with Service Pack 2, or Microsoft SQL Server 2008.

  • 64-bit systems: You can also use Microsoft SQL Server 2000 with Service Pack 3 or later, Microsoft SQL Server 2005 with Service Pack 2, or Microsoft SQL Server 2008.

Microsoft SQL Server is optional.

Other software

  • 32-bit systems: Internet Information Services server 5.0 or later with Web services enabled.

    64-bit systems: Internet Information Services server 5.1 or later with Web services enabled.

  • Internet Explorer 6.0 or later

  • Static IP address recommended

Hardware

32-bit systems:

  • 1 GB RAM (2-4 GB recommended)

  • 4 GB on the hard disk for the server, plus 4 GB for the database

  • VGA (640x480) or higher resolution video adapter and monitor

64-bit systems:

  • 1 GB RAM (2-4 GB recommended); 4 GB RAM minimum for all editions of Windows Small Business Server 2008 and Windows Essential Business Server 2008

  • 4 GB on the hard disk for the server, plus 4 GB for the database; Small Business Server 2008: 60 GB for the server; Essential Business Server 2008: 45 GB for the server

  • VGA (640x480) or higher resolution video adapter and monitor

Table: Symantec Endpoint Protection Manager remote console system requirements summarizes the minimum requirements for the remote computer on which you run the Symantec Endpoint Protection Manager console.

Table: Symantec Endpoint Protection Manager remote console system requirements

Component

Requirement

Operating system

32-bit systems:

  • Windows 2000 Professional/Server/Advanced Server/Datacenter Server with Service Pack 3 or later

  • Windows XP Professional with Service Pack 1 or later

  • Windows Small Business Server 2000/Windows Small Business Server 2003

  • Windows Server 2003 Standard Edition/Enterprise Edition/Datacenter Edition/Storage Edition/Web Edition

  • Windows Vista (all x86 versions)

  • Windows 7 (all x86 versions)

  • Windows Server 2008 Standard/Windows Server 2008 Enterprise/Windows Server 2008 Datacenter/Windows Web Server 2008 (all Service Packs are supported)

64-bit systems:

  • Windows XP Professional with Service Pack 1 or later

  • Windows Server 2003 Standard Edition/Enterprise Edition/Datacenter Edition/Storage Edition/Web Edition/Small Business Server

  • Windows Vista (all x64 versions)

  • Windows 7 (all x64 versions)

  • Windows Server 2008 Standard/Windows Server 2008 Enterprise/Windows Server 2008 Datacenter/Windows Web Server 2008. Windows Server 2008 (R2 and all Service Packs are supported)

  • Windows Essential Business Server 2008 Standard Edition/Windows Essential Business Server 2008 Premium Edition (R2 and all Service Packs are supported)

  • Windows Small Business Server 2008 Standard Edition/Windows Small Business Server 2008 Premium Edition (R2 and all Service Packs are supported)

Hardware

  • 32-bit systems: 512 MB RAM minimum, 1-2 GB recommended

    64-bit systems: 512 MB RAM minimum, 1-2 GB recommended

  • 15 MB hard drive

  • VGA (640x480) or higher resolution video adapter and monitor

Table: Symantec Endpoint Protection Manager Web Console system requirements summarizes the minimum requirements for the remote computers on which you run the Symantec Endpoint Protection Manager Web Console.

Table: Symantec Endpoint Protection Manager Web Console system requirements

Component

Requirement

Browser

Internet Explorer 7 or later, with Enhanced Security Configuration disabled

Table: Windows client software system requirements summarizes the minimum requirements for the computers on which you install the client software for either Symantec Endpoint Protection or Symantec Network Access Control on Windows.

Table: Windows client software system requirements

Component

Requirement

Operating system

32-bit systems:

  • Windows 2000 Professional/Server/Advanced Server/Datacenter Server with Service Pack 3 or later

  • Windows XP Professional/XP Embedded with Service Pack 1 or later

  • Windows Small Business Server 2000/Windows Small Business Server 2003

  • Windows Server 2003 R2, Standard Edition/Enterprise Edition/Datacenter Edition/Storage Edition/Web Edition

  • Windows Server 2003 with Service Pack 1, Standard Edition/Enterprise Edition/Datacenter Edition/Storage Edition/Web Edition

  • Windows Server 2003 with SP2, Standard Edition/Enterprise Edition/Datacenter Edition/Storage Edition/Web Edition

  • Windows Vista (all x86 versions and Service Packs)

  • Windows 7 (all x86 versions)

  • Windows Fundamentals for Legacy PCs

  • Windows Server 2008 Standard/Windows Server 2008 Enterprise/Windows Server 2008 Datacenter/Windows Web Server 2008 (all Service Packs supported). Core installations are supported.

64-bit systems:

  • Windows XP Professional with Service Pack 1 or later

  • Windows Server 2003 with Service Pack 1 Standard Edition/Enterprise Edition/Datacenter Edition/Storage Edition/Small Business Server

  • Windows Vista (all x64 versions and Service Packs)

  • Windows 7 (all x64 versions)

  • Windows Server 2008 Standard/Windows Server 2008 Enterprise/Windows Server 2008 Datacenter/Windows Web Server 2008 (R2 and all Service Packs supported). Core installations are supported.

  • Windows Essential Business Server 2008 Standard Edition/Windows Essential Business Server 2008 Premium Edition (R2 and all Service Packs supported)

  • Windows Small Business Server 2008 Standard Edition/Windows Small Business Server 2008 Premium Edition (R2 and all Service Packs supported)

Other software

Internet Explorer 6.0 or later

Terminal Server clients connecting to a computer with antivirus protection have the following additional requirements:

  • Microsoft Terminal Server RDP (Remote Desktop Protocol) client

  • Citrix Metaframe (ICA) client 1.8 or later if you use Citrix Metaframe server on Terminal Server

Hardware

32-bit systems:

  • 256 MB RAM (1 GB recommended) for Windows XP, Windows XP Embedded, and Windows Fundamentals for Legacy PCs

    1 GB RAM minimum (2-4 GB recommended) for Windows Vista, Windows 7, Windows Server 2003 (all editions), and Windows Server 2008 (all editions)

  • 600 MB hard disk

  • VGA (640x480) or higher resolution video adapter and monitor

64-bit systems:

  • 1 GB RAM minimum (2-4 GB recommended) for most systems

    4 GB RAM minimum for all editions of Windows Small Business Server 2008 and Windows Essential Business Server 2008

  • 700 MB hard disk

  • XGA (1,024x768) or higher-resolution video adapter and monitor

Table: Mac client software system requirements summarizes the minimum requirements for the computers on which you install the Mac client software.

Table: Mac client software system requirements

Component

Requirement

Operating system

Mac OS X 10.4-10.6

Hardware

  • 256 MB of RAM (512 MB recommended) for Mac OS X 10.4

  • 512 MB for Mac OS X 10.5

  • 1 GB for Mac OS X 10.6

  • 300 MB of available hard disk space for installation

User documentation changes summary

This release includes some updates to the following documents:

This release includes the following new document:

See Latest documentation.

Upgrades, installation, uninstallation, and repair issues

This section contains information about upgrades, installation, uninstallation, and repair issues.

UPGRADES

Best Practices for upgrading

If you are running a release before RU6, a best practice is to upgrade Symantec Endpoint Protection Manager first, before you upgrade client software. Doing so automatically adds the latest client packages, and upgrades the management console to the latest functionality.

After migrating from Symantec AntiVirus version 10.1.7 and earlier, the SPBBCDrv driver is in a stopped state and requires a computer restart to be in a running state. This driver supports Tamper Protection and Behavior Blocking. This problem does not affect Symantec AntiVirus version 10.1.8 and later.

If you are unsure of your Symantec AntiVirus version, after migration run the following command from a command prompt:

sc query SPBBCDrv

If it displays the following output, restart your computer to start the driver:

    SERVICE_NAME: SPBBCDrv
            TYPE               : 1  KERNEL_DRIVER
            STATE              : 1  STOPPED
                                    (NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
            WIN32_EXIT_CODE    : 31  (0x1f)
            SERVICE_EXIT_CODE  : 0  (0x0)
            CHECKPOINT         : 0x0
            WAIT_HINT          : 0x0
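The same check applied to `sc query SPBBCDrv` output gathered from several migrated computers, as an added example that is not part of the original readme. The host names and the RUNNING and error outputs are constructed sample data, and the function names are hypothetical.

```python
import re

# Constructed sample input: `sc query SPBBCDrv` output keyed by host name.
# Host names are hypothetical. The ws-001 block mirrors the STOPPED output
# shown in this readme; the other two are constructed for contrast.
SAMPLE_OUTPUTS = {
    "ws-001": """
SERVICE_NAME: SPBBCDrv
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 1  STOPPED
                                (NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 31  (0x1f)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
""",
    "ws-002": """
SERVICE_NAME: SPBBCDrv
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
                                (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
""",
    "ws-003": """
[SC] EnumQueryServicesStatus:OpenService FAILED 1060:

The specified service does not exist as an installed service.
""",
}

# Matches "NAME : value" lines. Continuation lines such as
# "(NOT_STOPPABLE,...)" and "[SC] ..." error lines do not match.
FIELD_RE = re.compile(r"^\s*([A-Z0-9_]+)\s*:\s*(.+?)\s*$")


def parse_sc_query(text):
    """Return the NAME -> value fields found in one `sc query` output."""
    fields = {}
    for line in text.splitlines():
        match = FIELD_RE.match(line)
        if match:
            fields[match.group(1)] = match.group(2)
    return fields


def driver_status(text):
    """Classify one output as 'running', 'restart-needed' or 'unknown'."""
    fields = parse_sc_query(text)
    if fields.get("SERVICE_NAME", "").lower() != "spbbcdrv":
        return "unknown"  # error output, or output for another service
    parts = fields.get("STATE", "").split()
    state_name = parts[-1] if parts else ""
    if state_name == "RUNNING":
        return "running"
    if state_name == "STOPPED":
        # Tamper Protection and Behavior Blocking depend on this driver,
        # so a stopped driver means the computer still needs its restart.
        return "restart-needed"
    return "unknown"


def hosts_needing_restart(outputs):
    """Return the sorted host names whose SPBBCDrv driver is stopped."""
    return sorted(h for h, out in outputs.items()
                  if driver_status(out) == "restart-needed")


if __name__ == "__main__":
    for host in sorted(SAMPLE_OUTPUTS):
        print(host, driver_status(SAMPLE_OUTPUTS[host]))
```

Hosts reported as unknown need a manual look, because the driver may be missing rather than stopped.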

About the auto-upgrade process

Auto-upgrade is the term used to describe the process of adding a new client installation package to a group. When you add a new installation package to a group, the Symantec Endpoint Protection Manager automatically upgrades the clients in the group to the new version of the client software. You can add new client packages to groups from both the Clients and Admin pages in the console.

Note:

You must restart client computers that do not run Windows Vista, Windows 2008 Server, or Windows 7 at least once since the last installation before you use auto-upgrade. For example, if you upgraded the client computers to Maintenance Release 2, you must restart the computers before you auto-upgrade the computers to Release Update 5. Further, you must restart client computers that run Windows Vista, Windows 2008 Server, or Windows 7 at least twice since the last installation before you use auto-upgrade.

The auto-upgrade process uses mdef25builder.exe on the computer that runs the Symantec Endpoint Protection Manager. This process creates the smallest possible upgrade package. You can see mdef25builder.exe running in the Task Manager during the auto-upgrade process.

If you upgrade Maintenance Release 2 (MR2) clients to RU6 with Symantec Endpoint Protection Manager MR2 or later, mdef25builder.exe starts running in a couple of minutes. If you upgrade MR0 or MR1 clients to RU6 with any Symantec Endpoint Protection Manager, you must first run LiveUpdate on the Symantec Endpoint Protection Manager. Although LiveUpdate might not download new content, LiveUpdate updates the Symantec Endpoint Protection Manager content catalog, and then mdef25builder.exe will run.

It takes mdef25builder five or more minutes to appear in the Task Manager once you add a new package to a group. The auto-upgrade processing time on the Symantec Endpoint Protection Manager takes a minimum of 30 minutes when you add a new package for the first time. Subsequent package additions to other groups do not take this long if the clients in the group run the same legacy software. When mdef25builder.exe disappears from the Task Manager, the package downloads to clients in a minute or more if you do not specify a schedule. If you specify a schedule, the package downloads to clients according to the schedule. You can schedule upgrades for Symantec Endpoint Protection and Symantec Network Access Control clients upgrading from MR2 to RU6 only. Do not set up a schedule for upgrades from earlier maintenance releases, or the upgrade will not run. Scheduled auto-upgrades use the clock on the client computers.

You can schedule an auto-upgrade between 00:00 and 23:59 in the same day, but not between one day and the next. For example, an upgrade between 00:02 to 05:00 runs, but an upgrade between 22:30 of day 1 to 05:30 of day 2 fails.

When you schedule an upgrade for MR2 clients, in the Add Client Install Package dialog box, you can use either the From and To values, or the "Distribute upgrades over" values, but not both at the same time.
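The scheduling rules above can be checked before a package is added to a group. The following is an added example, not Symantec code: the function, its parameters and the problem codes are hypothetical, and it only encodes the three rules stated in this section.

```python
from datetime import datetime

# Per this readme, only upgrades from MR2 may be scheduled.
SCHEDULABLE_RELEASES = {"MR2"}

# Hypothetical problem codes with the rule each one enforces.
MESSAGES = {
    "unsupported-source": "a schedule is set, but only MR2 clients support "
                          "scheduled upgrades; the upgrade will not run",
    "both-modes": "From/To and 'Distribute upgrades over' are both set; "
                  "use one or the other",
    "bad-time": "From and To must both be times between 00:00 and 23:59",
    "crosses-midnight": "the To time is not later than the From time; a "
                        "window that runs into the next day fails",
}


def _parse_hhmm(value):
    """Parse 'HH:MM' in the range 00:00-23:59; return None if invalid."""
    if value is None:
        return None
    try:
        return datetime.strptime(value, "%H:%M").time()
    except ValueError:
        return None


def check_upgrade_schedule(source_release, start=None, end=None,
                           distribute_over=None):
    """Return a list of problem codes; an empty list means no rule is broken.

    source_release  -- release the clients run now, e.g. "MR1" or "MR2"
    start, end      -- the From and To values as "HH:MM", or None if unused
    distribute_over -- the "Distribute upgrades over" value, or None if unused
    """
    problems = []
    uses_window = start is not None or end is not None
    uses_distribute = distribute_over is not None

    # No schedule at all is valid for every source release.
    if not (uses_window or uses_distribute):
        return problems

    if source_release.strip().upper() not in SCHEDULABLE_RELEASES:
        problems.append("unsupported-source")

    if uses_window and uses_distribute:
        problems.append("both-modes")

    if uses_window:
        t_start, t_end = _parse_hhmm(start), _parse_hhmm(end)
        if t_start is None or t_end is None:
            problems.append("bad-time")
        elif t_end <= t_start:
            # Assumption: an empty window (From equal to To) is flagged too.
            problems.append("crosses-midnight")

    return problems


if __name__ == "__main__":
    # The two windows used as examples in the readme text.
    for window in (("00:02", "05:00"), ("22:30", "05:30")):
        codes = check_upgrade_schedule("MR2", *window)
        print(window, [MESSAGES[c] for c in codes] or "ok")
```

Because scheduled auto-upgrades use the clock on the client computers, the From and To values refer to each client's local time.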

To verify that a package is downloading to clients, look for the \Program Files\Symantec\Symantec Endpoint Protection\Download folder to appear and be populated with either a .dax or .zip file. When the file disappears, the upgrade process is starting on the clients. The process can take 10 or more minutes.

Auto-upgrades might not start for up to four hours

You can import an installation package into Symantec Endpoint Protection Manager and assign the package to a group. After you assign the package, the auto-upgrade process might take up to four hours to begin updating clients in the group.

To force the auto-upgrade process to start immediately, run LiveUpdate on the Symantec Endpoint Protection Manager. Although LiveUpdate might not download new content, LiveUpdate forces the auto-upgrade package to generate and begin updating the clients.

To auto-upgrade clients that run Maintenance Release 1 or earlier, you must upgrade the Symantec Endpoint Protection Manager to Release Update 6 before you add or deploy Release Update 6 client packages

If you add Release Update 6 client packages to a Symantec Endpoint Protection Manager that runs Maintenance Release 1 or earlier (prior to upgrading to RU5), the auto-upgrade fails for clients that run Maintenance Release 1 or earlier.

To resolve this issue, upgrade the Symantec Endpoint Protection Manager to Release Update 6 before you import or try to deploy Release Update 6 client packages by using auto-upgrade.

Client computers that take a long time to be automatically upgraded to Release Update 6 may need to be restarted

Client computers that take a long time to automatically upgrade to Release Update 6 may need to be restarted. This occurs on client computers that run Windows Vista or Windows Server 2008.

If upgrading Network Access Control-enabled Symantec Endpoint Protection clients from MR2 to RU6, an error message appears and the installation does not finish

If you upgrade Symantec Endpoint Protection clients that are Network Access Control-enabled, the installation may not finish. This occurs when the client is configured to perform 802.1x authentication, and only if the exported client installation package is located on the network and you launch the installation package from the client.

The problem occurs because to upgrade a client, the installation process stops the smc client and snac client services. If the client services are stopped, the LAN Enforcer cannot authenticate the client computer. If the LAN Enforcer cannot authenticate the client computer, the client computer is not allowed to access the network and the rest of the installation files.

To work around this issue, do one of the following tasks:

  • Automatically upgrade the client.

  • Use the ClientRemote.exe tool to push the exported client installation package to the client.

  • Copy the exported client installation package to the client and manually launch the package on the client.

Using a Web server to auto-upgrade clients from Maintenance Release 1 to Release Update 6

Use the following steps to complete the URL auto-upgrade of clients from Maintenance Release 1 to Release Update 5.

To use a Web server to auto-upgrade clients from Maintenance Release 1 to Release Update 6

  1. To ensure the Web server auto-upgrade starts in a timely fashion, temporarily set the heartbeat interval to a low number. In the console, click Clients, then select the group. On the Policies tab, click Communications Settings > Heartbeat Interval. You can change the heartbeat interval after the auto-upgrade finishes for all the clients.
  2. Add the client package to the group.
  3. In the Add Client Install Package dialog box, enter the URL. Make sure that you export the latest package to a single executable, which will be named setup.exe automatically.

    For example, the URL might look like the following:

    http://192.168.1.118/setup.exe or http://mywebsite.com/setup.exe

  4. Disable the Upgrade Schedule option for upgrades from MR0, MR1, MR3, MR4, MR4MP1, or MR4MP1a, or your upgrade never starts. Scheduled upgrades from MR2 are supported.

Note:

The client computers must be restarted at least once since the last installation before this upgrade.

Network connections are dropped when you install or upgrade using a network share

If you install or upgrade the Symantec Endpoint Protection client by running the installation files from a shared drive, the network connection gets dropped momentarily. The drop occurs when privileges are elevated to perform the installation.

If the installation or upgrade is on a LAN, the network connection is restored. If the installation or upgrade is over a VPN connection, the network connection is not restored, and users will have to re-authenticate.

Network connectivity is sometimes lost during an upgrade

This issue occurs because a network driver must be replaced during the upgrade. The issue disappears after you restart the computer.

The Symantec Sygate Protection client version 5.x does not upgrade when the upgrade package unzipped folder is removed on the server

Enable the option to store client packages unzipped when you migrate from Symantec Policy Manager Maintenance Release 8 to Symantec Endpoint Protection Manager Release Update 5.

In the console, on the Admin page, click Servers and then select the site. On the LiveUpdate tab in the Site Properties dialog box, make sure that "Store client packages unzipped to provide better network performance for upgrades" is enabled. When this option is enabled, the %SEPM%\Inetpub\ClientPackages\XXXXXXXXXXX\Full\ folder is created on the server during the upgrade process. If this option is not checked and the folder is not created, the migration fails.

Remove the legacy client installation packages before you add the new package

When using auto-upgrade to migrate previously auto-upgraded clients to Symantec Endpoint Protection Maintenance Release 4, you must remove the legacy client installation packages before you add the new package.

In the Symantec Endpoint Protection Manager console, the legacy packages are located on the Clients page on the Install Packages tab. If you do not remove them, when you attempt to add a new package, you get an error message asking you to remove the legacy client packages first. The removal of the legacy packages does not affect the existing legacy clients.

Upgrading the Symantec Network Access Control unmanaged client to the Symantec Endpoint Protection unmanaged client requires a restart

If you install a Symantec Network Access Control unmanaged client on a computer, and then install a Symantec Endpoint Protection client as an upgrade on the same computer, you must manually restart the computer. No restart prompt appears. The Symantec Endpoint Protection client status appears red until this restart occurs.

Upgrading Symantec Network Access Control clients requires previous computer restart

Upgrading Symantec Network Access Control client software fails if the client computer has not been restarted since the installation of the previous version of Symantec Network Access Control.

For example, the clients running Maintenance Release 1 must be restarted at least once after installation before upgrading to Maintenance Release 4, or the upgrade to Maintenance Release 4 fails.

Using a URL to auto-upgrade clients that run Symantec Endpoint Protection or Symantec Network Access Control MR3, MR4, or MR4 MP1 is not supported

If you use the URL method to auto-upgrade MR3, MR4, or MR4 MP1 clients, the upgrade is attempted three times before it stops and fails. To work around this issue, you can use the Symantec Endpoint Protection Manager instead of a URL to auto-upgrade MR3, MR4, and MR4 MP1 clients.

Upgrading a Symantec Endpoint Protection client that does not contain Proactive Threat Protection triggers a series of Windows messages

Upgrading a Symantec Endpoint Protection client that does not contain Proactive Threat Protection causes a message that Windows is configuring SEP to appear. After the first message, a series of other messages appear while an installation repair replaces a missing file. Once the series of messages is finished, the installation completes successfully.

When upgrading from MR4 or MR4 MP1, AutoUpgrade enters an infinite loop if the cached install folder is manually deleted or corrupted during an AutoUpgrade

To work around this issue, restart the SMC service.

PHP files do not get migrated (replaced) correctly when you do an overinstall to a newer version of Symantec Endpoint Protection Manager

Root Cause: PHP files that have been modified (as shown in the time stamp) are not replaced by MSI during an overinstall. They are unversioned files, and MSI has a rule that it notes unversioned files that were modified outside of the installer and does not replace them in the next installation. This rule is useful for text files such as .ini files, but causes the Symantec installation to fail.

Resolution: Do not modify a PHP file. Symantec does not support unwarranted modification of Symantec PHP files. If there is a reason to modify temporarily, save the original, make the modification, and restore the original later.

[1977433]

When you upgrade SQL Server from SQL Server 2000 to SQL Server 2008, Symantec Endpoint Protection Manager does not start

This failure is caused by a change in SQL Server 2008 configuration.

To work around this issue:

  1. Run the MS SQL Server Configuration Manager.

  2. Open SQL Server Network Configuration.

  3. Enable IP1 and IP2. Close the Configuration Manager.

  4. Restart the SQL service, as recommended by the Configuration Manager.

  5. Run the Symantec Management Server Configuration Wizard.

  6. Select Reconfigure the management server, and then click Continue. Complete the reconfiguration steps, retaining the existing settings.

The database connection is re-established.

[1993979]

Speeding up Auto-Protect by enabling the network cache

Users can see a significant improvement in file performance over networks by implementing the following steps.

  • On Symantec Endpoint Protection Manager, enable the network cache, which is disabled by default: Click Policies > Antivirus and Antispyware Policy > File System Auto-Protect, and then click to enable the Network box.

    Another option is to click Network Settings and click to clear Trust files on remote computers running Auto-Protect.

  • On the Symantec Endpoint Protection client, enable the network cache, which is disabled by default. Click Change settings > Antivirus and Antispyware Protection > Configure Settings > File System Auto-Protect > Advanced > Network.

    As with the server, another option is to click Network Settings and click to clear Trust files on remote computers running Auto-Protect.

[2305153]

INSTALLATION ISSUES

Installing client software to a reassigned Documents folder displays "Invalid Drive" error message

During the client installation, you might get an invalid drive error message, for example, "Error 1327.Invalid Drive U:\" if the target location of the Documents folder has been reassigned using a drive mapping. This issue has been identified on Windows Vista.

If the Documents folder has been reassigned using a drive mapping, complete the following steps before running the installation program:

  1. Open a command window (run as Administrator).
  2. Use the "net use" command to map an additional drive to the Document folder's reassigned location.
  3. Keep the command prompt window open during installation.

This error message does not appear and these steps are not required if the Documents folder has been reassigned using a UNC path.

On-demand client installation fails when Firefox is running a legacy client

If you run an existing on-demand client in Firefox and try to install the latest version of the on-demand client, the installation fails. Close the Firefox browser and then start the installation.

If you use Firefox 3.0, you must enable the NPlug-in before you install the on-demand client

When you install the on-demand client with Firefox 3.0, make sure that you enable the NPlug-in in the Add-ons panel during the installation. If you do not enable the plug-in first, you cannot install the on-demand client.

Client computers are unable to receive addresses through DHCP after installing Symantec Endpoint Protection

This can happen if Symantec Endpoint Protection is installed with Network Threat Protection on a DHCP server.

For information about configuring Network Threat Protection to allow DHCP traffic, see the article "Client computers are unable to receive addresses through DHCP after installing Symantec Endpoint Protection".

How to install Symantec Endpoint Protection Manager on a server that runs particular programs

See the Technical Support Knowledge Base article "Addressing Symantec Endpoint Protection compatibility issues".

The on-demand client is not supported on computers that run Windows Vista 64-bit with Panda 2009 installed

Do not install the on-demand client on computers that run Panda 2009 software on Windows Vista 64-bit. If you install the client, you might encounter unexpected results.

The Management Server Configuration Wizard now includes a database authentication option

In the Management Server Configuration Wizard, you can choose the type of database authentication that you want to use. You can choose between SQL Server Authentication or Windows Authentication. If you select SQL Server Authentication, the Symantec Endpoint Protection Manager sends the user name and password to the database in clear text. If you select Windows Authentication, the Symantec Endpoint Protection Manager uses the Microsoft NT LAN Manager (NTLM) authentication protocol to encrypt the password and send it to the database. The Microsoft SQL Server must be configured to accept Windows Authentication.

The client installation fails and displays a C++ runtime error

If ThinkVantage Client Security Solution 8.2 is installed on the client computer and Windows User Access Control is enabled, the client installation can fail.

Installing the client software on x64 computers with the "Find Unmanaged Computers" feature incorrectly states that the installation was successful

If you use the Find Unmanaged Computers dialog box to deploy the client software on x64 operating systems, the installation might not work. The result of the installation states that the installation was successful, but it is not.

To work around this issue, use the Migration and Deployment Wizard to deploy the client software on x64 computers.

The last number of the client install package update version number appears as a zero in the Symantec Endpoint Protection Manager console when downloaded from a LiveUpdate server

If you configured LiveUpdate settings in the Symantec Endpoint Protection Manager to download client software update packages, you see that the last numeral of the package version number appears as a zero in the Symantec Endpoint Protection Manager console. For example, if the package version number is 11.0.2000.1423, the version number that appears on the Client Install Packages page is 11.0.2000.0. Once the package is deployed to the clients, you can see the package's complete version number in the About box on the clients.

Client installation packages added through LiveUpdate have version numbers that end in a zero, and allow duplicate packages to be added

In the Symantec Endpoint Protection Manager console, client installation packages display the package version number, such as 11.0.4000.1567. Installation packages always have a unique numeral in the third position such as 11.0.4000.x and 11.0.4002.x. To display the package version number, click Admin > Install Packages > Client Install Packages, and then look at the Version column.

This version number display method is used when you add new packages to Symantec Endpoint Protection Manager in one of the following ways:

  • By running Setup.exe from the \SEP directory of the installation media.

  • By selecting either the SAV64.info or SAV32.info file from the SEPM\Packages directory of the installation media.

  • By overinstalling the latest release of Symantec Endpoint Protection Manager.

You can also add a package to Symantec Endpoint Protection Manager a fourth way, by running LiveUpdate from Symantec Endpoint Protection Manager. If the latest package is available from Symantec by LiveUpdate, and LiveUpdate is configured to download these packages, the package also appears in the Client Install Packages list. However, packages added through LiveUpdate display the version number differently than packages added the other ways. A package added through LiveUpdate displays the last numeral of the version number as zero, such as in 11.0.4000.0.

However, if you add a package through LiveUpdate, Symantec Endpoint Protection Manager does not prevent you from adding the same package by selecting the two files from the installation media. Therefore, be sure that you do not add the same package from installation media. Conversely, if you have added the package using any method other than LiveUpdate, running LiveUpdate does not add a duplicate package.

If you are adding packages from installation media and are in doubt about adding a duplicate package, open the \SEP\setup.ini file. This file lists the version of Symantec Endpoint Protection that is on the installation media.
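Because the third position of the version number is unique per package, duplicates can be found by comparing only the first three positions. The following added example (not Symantec code; function names are hypothetical) applies that rule to version strings copied by hand from the Version column and from the installation media. It does not read setup.ini or the console itself.

```python
def package_key(version):
    """Return the first three positions of 'a.b.c.d' as a tuple of ints.

    The fourth position is ignored because packages added through
    LiveUpdate display it as zero.
    """
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError("expected a four-part version, got %r" % version)
    return tuple(int(p) for p in parts[:3])


def looks_liveupdate_added(version):
    """True if the version ends in .0, the LiveUpdate display form."""
    return version.strip().split(".")[-1] == "0"


def find_duplicates(console_versions):
    """Group console entries that are the same package.

    Returns a dict that maps 'a.b.c' to the list of matching entries
    (in input order), for every package that is listed more than once.
    """
    groups = {}
    for version in console_versions:
        key = ".".join(str(n) for n in package_key(version))
        groups.setdefault(key, []).append(version.strip())
    return {key: found for key, found in groups.items() if len(found) > 1}


def safe_to_add_from_media(media_version, console_versions):
    """True if no console entry is the same package as the media version."""
    wanted = package_key(media_version)
    return all(package_key(v) != wanted for v in console_versions)


if __name__ == "__main__":
    # Constructed sample of a Client Install Packages list. The 4000 and
    # 2000 versions are the examples used in this readme.
    console = ["11.0.4000.1567", "11.0.4000.0", "11.0.2000.1423"]
    for key, found in find_duplicates(console).items():
        from_liveupdate = [v for v in found if looks_liveupdate_added(v)]
        print(key, "listed twice:", found, "LiveUpdate form:", from_liveupdate)
    print("add 11.0.2000.1423 from media?",
          safe_to_add_from_media("11.0.2000.1423", console))
```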

Installing the client with the cache on or off

You can install the client with the cache on or off. If you install the client with the cache on, you can also specify a custom location.

To install with the cache off, use the following MSI command:

msiexec /I "MSI FILE" CACHEINSTALL=0

To install with the cache on (default) and to specify a custom location for the install cache, use the following MSI command:

msiexec /I "MSI FILE" CACHEINSTALL=1 CACHED_INSTALLS="cache location"

Best practice: Use silent installation packages on the computers that run 32-bit and 64-bit Windows Vista, Windows 2008 Server R2, and Windows 7 operating systems

On 32-bit and 64-bit Windows Vista, Windows 2008 Server R2, and Windows 7 operating systems, you should not select Interactive mode when you do the following:

  • Add installation packages to a group

  • Export installation packages

Interactive installations on 32-bit and 64-bit Windows Vista, Windows 2008 Server R2, and Windows 7 operating systems produce inconsistent results, including failure. When you install on these operating systems, use the silent installation feature.

Interactive and some unattended installation types trigger Windows Vista user prompts

On 32-bit Windows Vista (Service Pack 0 or Service Pack 1), when you remotely deploy Symantec client software, such as with the Push Deployment Wizard, the interactive and some unattended installation types trigger Windows Vista user prompts. The first user prompt appears as "A program can't display a message on your desktop." To complete the installation, users must select "Show me the message," click through the Symantec client installation prompts, and then automatically log off Windows Vista before the installation completes. When the user logs on again, the user selects "Show me the message" again, and the client installation completes.

The Windows Vista user prompts appear during the following upgrade scenarios:

  • Using a Symantec Endpoint Protection Manager exported package that is marked as Interactive

  • Using a Symantec Endpoint Protection Manager or a Migration and Deployment Wizard exported package that is marked as Unattended AFTER an Interactive package was attempted (and stopped or canceled)

  • Using the console's auto-upgrade feature and a preinstallation check failed or a pending restart is needed

  • Using an incorrect or preinstallation checked and blocked package on the following operating systems:

    • 64-bit package on 32-bit system

    • 32-bit package on 64-bit system

  • Using an incorrect or preinstallation checked and blocked package for the following reasons:

    • Pending restart needed

    • Symantec Network Access Control during migration from legacy Symantec client software

The Windows Vista prompts do not appear during the following upgrade scenarios:

  • When you choose the silent installation type for all Windows Vista remote deployments

  • When you choose an unattended installation type that does not fail a preinstallation check

  • When you deploy unmanaged software from a client software DVD installation directory, which is an interactive installation type. The deployment acts as a silent installation type.

Best Practice: Do not install Network Threat Protection on client computers that currently run third-party firewalls

Do not install Network Threat Protection on client computers that currently run third-party firewalls. Two firewalls that run on one computer at the same time can drain resources, and the firewalls might have rules that conflict with each other. Third-party firewalls include Microsoft ISA firewall and Windows Firewall.

IPv6 and Network Threat Protection affects performance on Windows Vista virtual machines

On virtual machines running Windows Vista, copying large files to network shares might take longer when Symantec Endpoint Protection Network Threat Protection (NTP) is enabled. Disabling IPv6 improves performance.

Restart prompt appears if you use the REBOOT=suppress MSI command to install client packages that are configured with the restart option disabled

The restart prompt appears after installation if you install client packages configured with the reboot option disabled and you use the following MSI command:

msiexec /I "Symantec AntiVirus.msi" REBOOT=suppress

To make sure the reboot option does not appear after installation, use setup.exe instead to install the client packages or use the following MSI command:

msiexec /I "Symantec AntiVirus.msi" REBOOT=ReallySuppress

Starting MSP from a command window when you upgrade 32-bit client computers causes a message to appear that instructs you to close the cmd.exe application

When you upgrade client computers by running the Windows MSP executable from a command window, the installer displays a message that instructs you to close the cmd.exe application and click Retry. This message appears on the Core Server installations of Windows Server 2008.

When the message appears, close the command window, and then click Retry to continue with the upgrade.

Note:

This message also appears on 32-bit client computers that run other Windows operating systems if any command window is open when you upgrade.

Successfully installing Symantec Endpoint Protection Manager on SQL Server 2005 64-bit edition

If you install Symantec Endpoint Protection Manager and select to install a database on Microsoft SQL Server 2005 64-bit edition, the installer does not correctly locate the file named bcp.exe. The Management Server Configuration Wizard looks for bcp.exe in the directory named %SystemDrive%\Program Files\Microsoft SQL Server\90\Tools\Binn. This directory is correct for Microsoft SQL Server 2005 32-bit edition, but is incorrect for the 64-bit edition.

The correct directory, which you must manually type, is %SystemDrive%\Program Files\Microsoft+ SQL Server\90\Tools\Binn. For example, C:\Program Files\Microsoft+ SQL Server\90\Tools\binn.

Symantec Endpoint Protection Manager requires TCP port 9090 by default

Symantec Endpoint Protection Manager uses TCP 9090 to display the Symantec Endpoint Protection Manager console. If other software is listening on this port, you cannot log on to the Symantec Endpoint Protection Manager console. Note that Symantec IM Manager uses TCP port 9090. If you are required to run Symantec Endpoint Protection Manager console on a computer that also requires other software that uses TCP port 9090, you can change the port for Symantec Endpoint Protection Manager console.

To change TCP port 9090, edit the following file with WordPad (Notepad does not correctly show the XML line feeds):

\Symantec\Symantec Endpoint Protection Manager\tomcat\conf\server.xml

Search for port=9090 and change 9090 to a different TCP port number. Save the file, and then restart Symantec Endpoint Protection Manager with the Administrative Tools > Services utility. You can then log on to the Symantec Endpoint Protection Manager console.

Be aware, however, that changing port 9090 partially disables the online Help system. Every time you use Help, you will have to change 9090 in the URL to the changed port number to display the Help text.

See "The default port for Enforcer communication with Symantec Endpoint Protection Manager is 8014."
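The port change described above can be scripted so that the new port is checked for conflicts before server.xml is edited. This is an added example, not Symantec code: Set-SepmConsolePort is a hypothetical name, the sample file is constructed, and the script assumes the standard Tomcat layout in which the port is an attribute of a Connector element.

```powershell
# Added example: move the console connector off TCP 9090 in Tomcat's server.xml.
# Set-SepmConsolePort is a hypothetical helper name. Assumption: the port is the
# "port" attribute of a <Connector> element, as in a standard Tomcat server.xml.
function Set-SepmConsolePort {
    param(
        [Parameter(Mandatory = $true)] [string] $ServerXmlPath,
        [Parameter(Mandatory = $true)] [ValidateRange(1, 65535)] [int] $NewPort,
        [ValidateRange(1, 65535)] [int] $CurrentPort = 9090
    )

    # Refuse a port that other software on this computer already listens on;
    # a second conflict would reproduce the original console logon failure.
    $listeners = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().GetActiveTcpListeners()
    if ($listeners | Where-Object { $_.Port -eq $NewPort }) {
        throw "TCP port $NewPort is already in use on this computer."
    }

    $resolved = (Resolve-Path -LiteralPath $ServerXmlPath).ProviderPath
    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true          # keep the file's existing line feeds and layout
    $xml.Load($resolved)

    $connectors = @($xml.SelectNodes("//Connector[@port='$CurrentPort']"))
    if ($connectors.Count -eq 0) {
        throw "No <Connector> with port=$CurrentPort found in $resolved."
    }

    # Keep a copy of the original file before changing it.
    Copy-Item -LiteralPath $resolved -Destination "$resolved.bak" -Force
    foreach ($connector in $connectors) {
        $connector.SetAttribute('port', [string]$NewPort)
    }
    $xml.Save($resolved)

    # The change takes effect only after the Symantec Endpoint Protection Manager
    # service is restarted; Help URLs must then be edited to use the new port.
    [pscustomobject]@{
        File              = $resolved
        Backup            = "$resolved.bak"
        OldPort           = $CurrentPort
        NewPort           = $NewPort
        ConnectorsChanged = $connectors.Count
    }
}

# Constructed sample file so the example runs offline; it is not SEPM's real server.xml.
$sample = Join-Path ([System.IO.Path]::GetTempPath()) 'server-sample.xml'
@'
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="9090" protocol="HTTP/1.1" />
  </Service>
</Server>
'@ | Set-Content -LiteralPath $sample -Encoding UTF8

Set-SepmConsolePort -ServerXmlPath $sample -NewPort 9095
```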

Symantec Endpoint Protection is not compatible with Norton Confidential

Symantec Endpoint Protection does not work properly when Norton Confidential is on the same computer. If Symantec Endpoint Protection is installed first, Norton Confidential does not install and is blocked. If Norton Confidential is installed first, Symantec Endpoint Protection does install. If you install both software programs on the same computer, Symantec Endpoint Protection does not properly process the application white list. The application white list contains the signatures of the applications that are permitted to run on computers by Proactive Threat Protection.

Lotus Notes and Microsoft Outlook email protection are not installed by default when you use the DVD

By default, email protection for Lotus Notes and Microsoft Outlook is not installed when you install Symantec Endpoint Protection from the DVD. To install Lotus Notes or Microsoft Outlook email protection, customize the installation and check the email program that you want to protect. Internet Email protection is never installed on server operating systems for performance reasons.

Antivirus protection installation files for Linux

Symantec AntiVirus protection installation files for Linux are included on the supplementary installation DVD. The installation files are in the directory named SAVFL, which includes installation and user documentation. Symantec AntiVirus for Linux is supported in unmanaged mode only.

LiveUpdate Server and Symantec Network Access Control client installation to DBCS-named directories is not supported

LiveUpdate Server installation and Symantec Network Access Control client installation in directories that contain the double-byte character set (DBCS) is not supported.

If you install LiveUpdate Server in a directory that contains double-byte characters, LiveUpdate Server does not work properly. Installing LiveUpdate Server to a DBCS directory indicates a customized installation path. If you install LiveUpdate Server to the default path on a DBCS operating system, LiveUpdate Server works properly.

Prompt to insert installation DVD appears when you repair a Symantec Endpoint Protection Manager that was installed from a DVD

If you install Symantec Endpoint Protection Manager from a DVD, and later choose to repair the Symantec Endpoint Protection Manager, a message that prompts you to insert the installation DVD appears.

On Windows 2008 systems, you repair by clicking Start > Settings > Control Panel > Programs and Features, right-clicking Symantec Endpoint Protection Manager, and then clicking Repair.

To work around this issue, you can either:

  • Copy the installation files to the computer

  • Insert the DVD, browse to the installation folder, and select the installation folder to complete the repair

Authentication failure can occur on computers that run Windows 7 or Vista when you use the Find Unmanaged Computers task

On computers that run Windows 7 or Vista, when you use the Find Unmanaged Computers task with the credentials of a local administrator other than the built-in local administrator to remotely push a client, and your target computers are listed on the Unknown Computers tab, you are not allowed to remotely push the client to those computers.

To work around this problem, you can either:

  • Turn off the Windows 7 or Vista User Account Control (UAC) and restart the target computer.

  • Use the built-in local administrator for authentication so that you do not have to turn off UAC.

LiveUpdate wizard might display an error on Windows Vista

This only happens with a command-line installation, using the "ReallySuppress" flag, and only on Windows Vista.

Solution: Do not use command-line installation for this case. Instead, export a package that is configured to run silently. No error prompt appears.

[1987467]

QServer and QConsole do not install or work properly on Windows 7

This is known behavior. QServer and QConsole are not supported on Windows 7 and should not be used.

[1954166]

Custom packages created by a Limited Administrator point only to the Default Group

When a Limited Administrator creates a custom package with a specific group assignment, that assignment fails. The clients that install that package are assigned to the Default Group.

Solution: To set assignments in a custom package, a System Administrator must create the package.

[2008587]

Certificate mismatch appears when you check certificates when doing replication

Problem: You get a "certificate mismatch" error when you click Check Certificate while doing replication.

To prevent this error, you need to click Check Certificate before Replication takes place.

Trigger condition: Two Sites (Site A and Site B) are Replication Partners. The first server (which does replication) of Site A updates a new Certificate.

Correcting certificate mismatch for successful replication

  1. Open the console and connect to the first server of Site B.
  2. Go to the Admin Panel. Open the Servers page. Locate the Replication Partner "Site A" in the Site Tree. Click the Check Certificate Task on the Replication Partner Site A.
  3. The New Certificate dialog appears. Click OK to trust this new Certificate.
  4. Do replication.

[2067853]

UNINSTALLATION

Uninstalling management servers that replicate

If you attempt to uninstall the instance of Symantec Endpoint Protection Manager that is set up for replication, first disable replication. Then, restart the computer on which you want to uninstall Symantec Endpoint Protection Manager, and perform the uninstallation.

If you attempt to uninstall the Symantec Endpoint Protection Manager that was replicating and you receive a log file error, cancel the uninstallation, restart the computer, and then uninstall the Symantec Endpoint Protection Manager.

Uninstalling Symantec Endpoint Protection on Windows Vista by using Remote Desktop on Windows Vista is not supported

If you use Remote Desktop on a computer that runs Windows Vista to uninstall Symantec Endpoint Protection on a computer that runs Windows Vista, the uninstallation does not work.

If you try the uninstallation from a computer that runs Windows Vista, a Windows Vista restart prompt appears, due to a pending change. If you restart Windows Vista and try to uninstall Symantec Endpoint Protection again, the Windows Vista restart prompt appears again, due to a pending change.

To work around this problem, you can uninstall Symantec Endpoint Protection from a computer that runs Windows XP. For example, you can start a Remote Desktop session from a computer that runs Windows XP and log on to a computer that runs Windows Vista and Symantec Endpoint Protection. You can then uninstall Symantec Endpoint Protection successfully.

Migration issues

This section contains information about migration.

Web site for the latest migration information

You can find the latest information about migration at the following Web site:

http://www.symantec.com/endpointsecurity/migrate

When you migrate from SSEP 5.1 MR8 to Symantec Endpoint Protection 11.0 MR4, create only 32-bit client installation packages

The management server automatically upgrades a Symantec Sygate Protection Agent version 5.1 to a Symantec Endpoint Protection MR4 client by using a 32-bit client installation package, and not a 64-bit client installation package. This occurs only if you are migrating from Symantec Sygate Enterprise Protection MR8 MP1 or earlier to Symantec Endpoint Protection MR4.

When you migrate from SSEP 5.1 MR8 to Symantec Endpoint Protection 11.0 MR4, the client might receive the wrong package

The SSEP 5.1 MR8 agent cannot determine whether to request the 32-bit client installation package or the 64-bit client package for download from the management server. Therefore, the 32-bit client computer might receive the wrong package.

To work around this issue, create a group for 32-bit computers and a group for 64-bit computers. Then, deploy the appropriate package to each group.

Migrating legacy Symantec AntiVirus servers to Symantec Endpoint Protection clients does not unshare the VPHOME directory

Legacy Symantec AntiVirus and Symantec Client Security servers create and use a shared directory. The location of the shared directory is \\Program Files\SAV. The name of the share is VPHOME. In some instances, after migration to Symantec Endpoint Protection client, this directory and share are retained with read-only permission.

To delete the VPHOME share:

  1. Right-click the \\Program Files\SAV directory.
  2. Click Properties.
  3. In the SAV Properties dialog box, on the Sharing tab, click Do Not Share This Folder, if it is enabled.

Upgrading Symantec Network Access Control unmanaged client to Symantec Endpoint Protection unmanaged client requires a restart

If you install a Symantec Network Access Control unmanaged client on a computer, and then install a Symantec Endpoint Protection client as an upgrade on the same computer, you must manually restart the computer. No restart prompt appears. The Symantec Endpoint Protection client status is colored red until this restart occurs.

Symantec Protection Center and Symantec Endpoint Protection Manager Web console issues

This section contains information about Symantec Protection Center and the Symantec Endpoint Protection Manager Web console.

Symantec Protection Center and Symantec Endpoint Protection Manager Web console - need to set Internet Explorer to display mixed content

To run Symantec Protection Center or the Symantec Endpoint Protection Manager Web console, you must enable mixed content in Internet Explorer. To enable mixed content, click No in the Security Warning dialog box that appears when you first log on.

[1873313]

The Symantec Protection Center Dashboard does not reproduce readable text when you change text size in the browser menu to Largest or Smallest

Making these changes is not currently supported. Symantec recommends that you leave the text size at the default setting of Medium.

[1925419]

Brightmail Gateway host configuration stops responding in Symantec Protection Center

If you edit host configuration settings in Symantec Brightmail Gateway, the server stops responding. You must restart Symantec Protection Center from the initial launch page.

[1987516]

Configuring Symantec Protection Center to use a proxy server

In some situations, Symantec Protection Center requires the use of a proxy server. To configure the proxy server, edit the portal.properties file to include the appropriate settings. The portal.properties file is located in the <install_SEPM_directory>\tomcat\portal folder. These properties are specified only on the server. Nothing needs to be done on the client.

You can set the following properties:

portal.proxy.enable

Enables and disables the use of the proxy settings. The possible values are true and false.

Example: portal.proxy.enable=true

portal.proxy.hostname

Specifies the proxy hostname.

Example: portal.proxy.hostname=192.168.0.4

portal.proxy.port

Specifies the proxy port.

Example: portal.proxy.port=808

portal.deepsight.enable

Enables and disables the DeepSight feeds that are shown on the Dashboard. The possible values are true and false.

Example: portal.deepsight.enable=true

Special guidelines:

  • The Symantec Endpoint Protection Manager must be installed on a private network. Example: the 192.168.0.xx network.

  • The proxy server is assumed to run on port 80. If another port is used, you must specify it.

  • After you set or modify the parameters in the portal.properties file, you must restart the Symantec Endpoint Protection Manager service.

[1991950]

Right-To-Left Document option in Internet Explorer adds space to left of text

If you choose the Right-To-Left Document option in Internet Explorer, an extra space is displayed at the left end of the text.

[1925425]

Symantec Endpoint Protection Manager issues

This section contains information about Symantec Endpoint Protection Manager.

The Symantec Endpoint Protection Manager console shows English folder names

If you install the Symantec Endpoint Protection Manager on a French version of Windows Server 2008 or Windows Vista, some folder names appear in English.

The management server now supports Windows Authentication for the proxy servers that connect to Symantec LiveUpdate

If you use a proxy server to connect to Symantec LiveUpdate, you can configure Windows Authentication for the proxy server. In the Server Properties dialog box for the proxy server, on the Proxy Server tab, check Use Windows Authentication. When you enable Windows Authentication, use <user>@<domain> or domain\user for the user name format.

The default port for Enforcer communication with Symantec Endpoint Protection Manager is 8014

The default port for non-encrypted communication (HTTP) with the Symantec Endpoint Protection Manager has been changed from 80 to 8014. Encrypted communications (HTTPS) continue to use port 443. This port setting applies to all types of Enforcers.

After you configure the console timeout, the console does not close properly if running on Windows Server 2008

If you configure the console timeout feature on Windows Server 2008, the console might stop responding and not close properly. Also, the management server might not open the Home, Monitors, and Reports pages. This problem occurs when Windows Server 2008 User Account Control is enabled.

To work around this issue, disable the Windows User Account Control.

Cannot log on remotely to the management server console

This issue occurs only on computers that run Sun JDK 6 update 4 or earlier. To solve the issue, upgrade the JDK to version 6 update 5 or later. Version 6 update 14 is recommended. This issue is caused by a known Sun defect (id 6514454).

If the computer that logs on remotely does not have a JDK, Symantec Endpoint Protection automatically installs the correct version of the JDK.

You must specify an email address to notify an administrator if the database is unavailable

If the database goes down for any reason, the management server notifies an administrator at the email address that you specify. However, if you do not specify the email address, the management server does not send a notification.

You can specify the email address when you install the management server or when you create an administrator account.

The scm-server-0.log displays a SAXParseException with the following type of error message: "The entity name must immediately follow the '=' in the entity reference."

Client computer names that contain an equal sign (=) or double quote (") in the Computer description display an error in the scm-server-0.log.

To work around this issue

  1. On the client computer desktop, right-click My Computer, and then click Properties.
  2. On the Computer Name tab, change the Computer description so that it does not contain an equal sign (=) or a double quote (").
  3. Update the policy on the client or wait until next heartbeat.

Replication fails if the server communication permission is set to Denied Access in the Server Properties dialog box

If you set up two sites as replication partners, you must allow access for the replication servers in each site in the Server Properties dialog box. If you do not allow access, replication fails.

You can allow access for both replication partner servers in one of two ways:

  • You can set the server communication permissions to Granted Access.

  • You can set the server communication permissions to Denied Access, and then allow the IP address for each replication partner server.

To allow access to the replication partner servers, see Chapter 14, Managing servers, of the Administration Guide for Symantec Endpoint Protection Manager and Symantec Network Access Control. Review the section on "Granting or denying access to remote consoles."

Symantec Endpoint Protection Manager supports Microsoft SQL Server 2000 on English-language Windows operating systems only

Symantec Endpoint Protection Manager provides I18n support for Microsoft SQL Server 2005 and later but not Microsoft SQL Server 2000. To provide I18n support for SQL Server 2000, the management server must enable batch mode processing.

To work around this issue, perform the following steps:

  1. On the Symantec Endpoint Protection Manager computer, open the following file: C:\...\Symantec Endpoint Protection Manager\tomcat\etc\conf.properties
  2. Add the following line to the conf.properties file:

    scm.log.batchmode=1

  3. Save the file and restart the Symantec Endpoint Protection Manager service.

Location awareness criterion that is based on a specific version of a Check Point VPN client

A location awareness criterion that is based on a Check Point VPN connection is only supported with a Check Point VPN client version R56 or later.

If a network currently supports Check Point VPN client version R55 or lower, you must upgrade the Check Point VPN client to version R56 or later. Check Point VPN client version R56 or later supports location awareness on the Symantec Endpoint Protection Manager.

You can change the number of LiveUpdate content revisions in the Symantec Endpoint Protection Manager console

In Maintenance Release 2 or later, you can use the management console to change the number of content revisions to keep on the management server.

To change the number of content revisions

  1. In the console, on the Admin page, click Servers.
  2. Under View Servers, select the site, and then under Tasks, click Edit Site Properties.
  3. In the Site Properties dialog box, click the LiveUpdate tab.
  4. Under Disk Space Management for Downloads, modify the number of content revisions to keep.

In previous versions of the Symantec Endpoint Protection Manager, you can change the number of content revisions by setting the scm.lucontentcleanup.threshold parameter in the conf.properties file. In Maintenance Release 2 or later, the parameter is removed from the file.

The default for the number of content revisions to keep is 3. If you upgrade from a previous release, the management console uses the scm.lucontentcleanup.threshold (if you set it in a previous release) instead.

Uni-lingual support for Symantec Endpoint Protection Manager

The Symantec Endpoint Protection Manager server supports a uni-lingual user interface. This means that a specific language operating system can only install and run that same language on the Symantec Endpoint Protection Manager console. You must configure the user locale to be the same as the operating system language to use the Symantec Endpoint Protection Manager console.

  • A Symantec Endpoint Protection Manager in a specific language supports only a Symantec Endpoint Protection Manager console that is in English or in the same language as the server.

  • Symantec Endpoint Protection Manager and the Symantec Endpoint Protection Manager console must both be configured to use a user locale that is the same as the operating system language.

Symantec Endpoint Protection Manager fails to log in after repairing

If you repaired the Symantec Endpoint Protection Manager through the Support Information window in Add or Remove Programs, you cannot log on to the Symantec Endpoint Protection Manager again.

To correct this condition

  1. Launch Add or Remove Programs, select the Symantec Endpoint Protection Manager, and click Change.
  2. In the Symantec Endpoint Protection Manager wizard, click Next, click Repair, and follow the instructions.
  3. When the prompt appears, enter the password you specified earlier for the SQL Server database.
  4. When you complete the repair process, launch and log in to the Symantec Endpoint Protection Manager console.

Changes in database maintenance options do not take effect immediately

After you configure database maintenance options, the new options are applied at midnight, and not immediately.

To configure the database options:

  1. In the console, click Admin > Servers, and then select a site.
  2. Under Tasks, click Edit Site Properties, and then click the Database tab.

To configure the management server to apply the database maintenance options immediately, you can configure the conf.properties file.

To configure the conf.properties file:

  1. Open the conf.properties file, located in the C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\etc directory by default.
  2. Change the following parameters:

    - Change scm.object.idletime=3600000 (in milliseconds) to a smaller number. The default is 1 month.

    - Change scm.timer.objectsweep=900 (in seconds) to a smaller number. The default is once per day.

  3. Save the conf.properties file and restart the Symantec Endpoint Protection Manager.

In a few instances, log entries from an existing 5.x Symantec Sygate Enterprise Protection database may display the wrong details

If an existing Symantec Sygate Enterprise Protection 5.x database is upgraded to this release, in rare cases the wrong details information may display. This problem only occurs if a great many client log entries were generated in the database in a very short span of time.

Logging into the Symantec Endpoint Protection Manager console from an Internet browser fails if the name of an administrator is added by using a double-byte character set

Do not add the name of an administrator by using double-byte characters in the Symantec Endpoint Protection Manager. If you use double-byte characters, the administrator can no longer log into the Symantec Endpoint Protection Manager console with an Internet browser. The attempt to log into the Symantec Endpoint Protection Manager console fails. However, the administrator can still log into the Symantec Endpoint Protection Manager Java console directly rather than using an Internet browser.

Using localhost in a URL is not recognized as an available address on computers that have IPv6 installed

Tomcat does not recognize the localhost loopback IP address in IPv6. This problem occurs on computers that run Windows 2008, Windows Vista, and Windows 7. To work around this issue, use the IP address 127.0.0.1 in the URL instead of localhost.

For example, when you use http://localhost:9090/servlet/ConsoleServlet?ActionType=ConfigServer&action=CleanGroupPolicy to delete policy data in the Symantec Endpoint Protection Manager database, you should use 127.0.0.1 in the URL instead of localhost.

The Symantec Endpoint Protection Manager console crashes when you type in simplified Chinese characters

On Windows 2008 computers, a Java Development Kit (JDK) issue causes the Symantec Endpoint Protection Manager console to crash when you type simplified Chinese characters in a field. On 64-bit versions, this problem occurs when you type any number of characters. On 32-bit versions, it occurs only after you type 26 characters in a field. This problem occurs with Java Development Kit 1.6 and later, and may occur with earlier versions.

Replication fails to locate a partner site's secondary server

If you set up two sites as replication partners, and then add a secondary server to the first site, replication from the second site will not find the secondary server at the first site.

Solution: Restart the first site's primary server and re-run replication. The restart will reload the "localPartner" structure and replicate it.

[1958522]

Replication partners need to "trust" updated certificates

Whenever a site updates to a new certificate, all partners must trust this new certificate before they can do replication with the updated site. Follow the instructions in the Manage Server Certificate wizard to import and trust the certificate.

[1884408]

Symantec Endpoint Protection Manager policy issues

This section includes information about working with policies in Symantec Endpoint Protection and Symantec Network Access Control.

GENERAL POLICY ISSUES

This section describes general policy-related issues.

The management server fails or takes 60 minutes to 120 minutes to download content on managed clients

The client may take a long time to download content from the Symantec Endpoint Protection Manager if it tries to connect to an invalid management server IP address. This condition can occur for a management server that has multiple IP addresses. Some management servers have multiple IP addresses because they have multiple NICs or VPN software installed. In the console, the default management server list for each management server contains all the available IP addresses for that server. In many cases, only one of those IP addresses is valid.

After the policy changes, the client randomly selects a server in the management server list from which to download the latest policy for load-balancing purposes. The client might not be able to connect to the server with that particular IP address. The client then tries to connect to each server in the management server list until it finds a valid server. These connection attempts delay the downloading of content.

To work around this issue, define a new management server list for the server. As an alternative, remove all the IP addresses from the existing list that the clients cannot reach. Then assign the management server list to a group: click Clients > Policies followed by Communication Settings.

An unmanaged client does not process legacy Symantec Endpoint Protection Manager policy file with a third-party management tool

An unmanaged client cannot update any policy that has been deployed with older management server versions and a third-party tool. Although the third-party management tool has to update the policy in the content package, the client does not process the legacy policy file. This problem occurs if you run Symantec Endpoint Protection Manager Maintenance Release 2 or earlier with the Symantec Endpoint Protection clients Maintenance Release 4.

To work around this issue, update the management server to Maintenance Release 4 first before you deploy the policy file to the clients.

Importing policies with names longer than 255 characters results in empty policy names on the console

If you import a policy, provide a name that is no longer than 255 characters. Using a longer name results in an empty policy name.

LIVEUPDATE POLICIES

This section includes the known issues information related to LiveUpdate policies.

Third-party management tools may not update virus definition content on any clients that run non-English operating systems

The client may not apply virus definition content when you add all of the content types simultaneously on a client running a non-English operating system. If this condition occurs, you can fix it by adding the virus definition content again.

More than one LiveUpdate session is required to obtain all the content updates

Some content may not be downloaded to the Symantec Endpoint Protection Manager computer during the first LiveUpdate session. To download the missing content, re-run the following command: LUALL

Disk full message erroneously appears when it downloads LiveUpdate updates

If your network environment already supports the proxy servers that are compliant with the HTTP 1.1 protocol or later, you can disregard this entry. After you have tried to download LiveUpdate for the first time, the following message may appear:

LU1863: Insufficient free disk space. There is not enough free disk space for LiveUpdate to operate properly. Please free up disk space on your computer and run LiveUpdate again.

You may have insufficient disk space. However, it is much more probable that this message appears in error because the proxy server is unable to send the correct Content-Length header field. This error message may appear on Symantec Endpoint Protection Manager, a Symantec Endpoint Protection client, or a Symantec Network Access Control client. You may want to verify that the disk drive to which you downloaded LiveUpdate has sufficient disk space. If you verified that the disk drive has sufficient space, then most likely a proxy server caused the problem. If a proxy server receives an HTTP reply that does not include a Content-Length header field, then the above-listed message erroneously appears. The erroneous message appears on the computer on which the LiveUpdate has been downloaded.

The proxy servers that are compliant with HTTP 1.1 protocols automatically include Content-Length header-entity fields. The proxy servers that are compliant with HTTP 1.0 protocols do not automatically include Content-Length header-entity fields. You may want to ensure that the proxy servers in your network are compliant with the HTTP 1.1 protocol.

See the documentation that accompanies the proxy server for more information on how to make a proxy server compliant with HTTP 1.1 protocols.
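The triage described in this entry, as an added example (not Symantec code): it reads a captured HTTP response head, reports the protocol version and whether a usable Content-Length is present, and applies the entry's rule that a missing Content-Length on a disk with enough space points to the proxy. The function names, verdict codes and the two sample response heads are constructed for illustration.

```python
import io
import http.client

# Constructed sample response heads, as they might be captured through two proxies.
VIA_HTTP10_PROXY = (b"HTTP/1.0 200 OK\r\n"
                    b"Content-Type: application/zip\r\n"
                    b"Connection: close\r\n\r\n")
VIA_HTTP11_PROXY = (b"HTTP/1.1 200 OK\r\n"
                    b"content-length: 1048576\r\n"
                    b"Content-Type: application/zip\r\n\r\n")


def inspect_response_head(raw):
    """Parse a status line plus headers and return the fields that matter here."""
    fp = io.BytesIO(raw)
    status_line = fp.readline().decode("iso-8859-1").strip()
    proto, _, rest = status_line.partition(" ")
    if not proto.startswith("HTTP/"):
        raise ValueError("not an HTTP response: %r" % status_line)
    headers = http.client.parse_headers(fp)  # header names are case-insensitive

    # A usable length is one agreed, non-negative decimal value.
    values = {v.strip() for v in (headers.get_all("Content-Length") or [])}
    length = None
    if len(values) == 1:
        (value,) = values
        if value.isascii() and value.isdigit():
            length = int(value)

    return {
        "version": proto[len("HTTP/"):],
        "status": int(rest.split(" ", 1)[0]),
        "content_length": length,
        "chunked": "chunked" in (headers.get("Transfer-Encoding") or "").lower(),
    }


def triage_lu1863(raw_head, disk_has_space):
    """Return (verdict, details) for an LU1863 message.

    DISK  - the drive really is short of space; free space and retry.
    PROXY - space is fine and the reply has no Content-Length, which is
            the condition this readme entry describes.
    OTHER - Content-Length is present, so this entry does not explain it.
    """
    info = inspect_response_head(raw_head)
    if not disk_has_space:
        return "DISK", info
    if info["content_length"] is None:
        return "PROXY", info
    return "OTHER", info


if __name__ == "__main__":
    for name, head in (("HTTP/1.0 proxy", VIA_HTTP10_PROXY),
                       ("HTTP/1.1 proxy", VIA_HTTP11_PROXY)):
        print(name, triage_lu1863(head, disk_has_space=True))
```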

Replicating LiveUpdate settings

LiveUpdate site settings are not replicated. These settings affect what Symantec Endpoint Protection Manager downloads and then distributes to clients. These settings include the following:

  • Download Schedule for LiveUpdate

  • Download Type Setting for LiveUpdate

  • Download languages

  • LiveUpdate Server Configuration

As a result, if you use replication, manually set LiveUpdate site settings so that they match on each replicating server.

Disabling all managed client content update methods results in no warning to the user of out-of-date content

If a managed client's virus definitions or Intrusion Prevention signatures are out-of-date and you have disabled all update methods for managed clients in the Symantec Endpoint Protection Manager, then the managed client does not report out-of-date content to the user. Managed client users are not warned in any way that their content is out of date.

Updating Host Integrity templates with LiveUpdate

After upgrading Symantec Endpoint Protection Manager to Symantec Endpoint Protection Manager with Symantec Network Access Control, LiveUpdate does not automatically update the Host Integrity templates.

To update the templates, you must explicitly check the Host Integrity templates check box in the Content Types to Download dialog box in the Symantec Endpoint Protection Manager console. In the console, click Admin, and then click Servers. Under View Servers, select a site, and then click Site Properties. Click the LiveUpdate tab, and then click Change Selection in the Content Types to Download group box.

ANTIVIRUS AND ANTISPYWARE POLICIES

This section includes the known issues information related to Antivirus and Antispyware policies.

On-demand scans do not exclude files and folders in Security Risk Exceptions

On-demand scans do not apply Security Risk Exceptions to scans of Windows mount points or drives. So when the client scans volume content it does not exclude the specified files and folders.

For example, suppose that drive E:\ is mounted to C:\Mount and you create an exception for C:\Mount\Foo\. If the client scans E:\Foo\ or C:\Mount\Foo\, the on-demand scan does not exclude the folder content. And if you create an exception for E:\Foo\ and the client scans C:\Mount\Foo\, the folder content does not get excluded. However, if the client scans E:\Foo\, the on-demand scan does exclude the folder content.

Auto-Protect scans do not exclude files and folders in Security Risk Exceptions

Auto-Protect scans do not apply Security Risk Exceptions to scans of Windows mount points or drives. So when the client scans volume content it does not exclude the specified files and folders.

For example, if drive E:\ is mounted to C:\Mount and you create an exception for C:\Mount\Foo\, the Auto-Protect scans do not exclude the E:\Foo\ or the C:\Mount\Foo\ folder content.

If an excluded folder or file is a mount point, such as C:\Mount\Foo\, you must manually add the alternate path with the drive letter (such as E:\Foo\) to the Centralized Exceptions policy.
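An added example (not Symantec code) for the two mount-point entries above: given the exception paths in a policy and a map of mount points to volume roots, it lists the alternate paths that still have to be added by hand. It goes slightly beyond the single case in the text by handling nested mount points and by expanding in both directions; the function names and the mount map format are assumptions, and the map itself must be supplied by the administrator.

```python
import ntpath

MAX_ALIASES = 64  # guard against a volume that is mounted inside itself


def _parts(path):
    """Split a Windows path into ('C:', 'Mount', 'Foo'), drive upper-cased."""
    drive, rest = ntpath.splitdrive(ntpath.normpath(path))
    if not drive:
        raise ValueError("path needs a drive letter: %r" % path)
    return (drive.upper(),) + tuple(p for p in rest.split("\\") if p)


def _key(parts):
    """Case-insensitive comparison key, matching Windows path semantics."""
    return tuple(p.lower() for p in parts)


def _join(parts, as_folder):
    """Rebuild a path; folders and drive roots keep a trailing backslash."""
    text = "\\".join(parts)
    return text + "\\" if as_folder or len(parts) == 1 else text


def alternate_paths(exception, mounts):
    """Return every path that names the same file or folder as `exception`.

    `mounts` maps a mount-point folder to the root of the volume mounted
    there, for example {"C:\\Mount\\": "E:\\"}.
    """
    as_folder = exception.endswith(("\\", "/"))
    pairs = []
    for mount_point, volume_root in mounts.items():
        a, b = _parts(mount_point), _parts(volume_root)
        pairs += [(a, b), (b, a)]  # rewrite in both directions

    seen = {}
    todo = [_parts(exception)]
    while todo:
        parts = todo.pop()
        key = _key(parts)
        if key in seen:
            continue
        if len(seen) >= MAX_ALIASES:
            raise ValueError("mount map loops back on itself")
        seen[key] = parts
        for src, dst in pairs:
            # Whole-component prefix match, so C:\Mountain is not C:\Mount.
            if key[:len(src)] == _key(src):
                todo.append(dst + parts[len(src):])
    return sorted(_join(p, as_folder) for p in seen.values())


def missing_exceptions(policy_paths, mounts):
    """Paths to add so each exception is listed under all of its names."""
    listed = {_key(_parts(p)) for p in policy_paths}
    missing = []
    for path in policy_paths:
        for alias in alternate_paths(path, mounts):
            key = _key(_parts(alias))
            if key not in listed:
                listed.add(key)
                missing.append(alias)
    return missing


if __name__ == "__main__":
    # Constructed input that mirrors the readme's example.
    mounts = {"C:\\Mount\\": "E:\\"}
    policy = ["C:\\Mount\\Foo\\", "E:\\Bar\\", "D:\\Tools\\scan.exe"]
    for path in missing_exceptions(policy, mounts):
        print("add to Centralized Exceptions policy:", path)
```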

Exchange Server exceptions

To find the paths for Exchange Server folder and file exceptions, refer to the following registry locations:

  • On a 32-bit operating system: HKEY_LOCAL_MACHINE\Software\Symantec\Symantec Endpoint Protection\AV\Exclusions

  • On a 64-bit operating system: HKEY_LOCAL_MACHINE\Software\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Exclusions

For more information, refer to the knowledge base article at the Technical Support Web site, which is located at the following URL: www.symantec.com/techsupp/

The default settings for several Antivirus and Antispyware policies have changed

The default policy that you add includes the following changes:

For File System Auto-Protect:

  • Under Remediation, Terminate processes automatically is enabled.

  • Under Remediation, Stop processes automatically is enabled.

  • On the Actions tab, the action for Security Risks is set to Quarantine risk and Delete risk.

All types of Auto-Protect are enabled.

The High Security policy includes the following changes:

  • All padlocks are locked, so that the end user cannot configure the settings on the client.

  • All types of Auto-Protect are enabled.

  • The Bloodhound level is set to Maximum.

[1978461]

Clients may show "outdated" warning for definitions even though "display a warning" is disabled

On the Miscellaneous > Notifications tab, if the Display a warning when definitions are outdated setting is unchecked, the client might still display an outdated definitions message. You might need to specify a greater number of days and remediation attempts the client allows.

[1958302; 1958306]

NETWORK THREAT PROTECTION POLICIES

This section includes the known issues information related to Network Threat Protection policies.

IPv6 and Network Threat Protection affects performance on Windows Vista virtual machines

On virtual machines running Windows Vista, copying large files to network shares might take longer when Symantec Endpoint Protection's Network Threat Protection (NTP) is enabled. Disabling IPv6 improves performance.

Firewall filter does not work when full path is entered in the add firewall rule wizard

When you add a new rule to a firewall policy, you can filter the learned applications. Filtering helps you more easily select an application for the rule. If you enter a path name for the application and click Next, the filter does not find the application. Instead, enter the executable name without the path to filter the applications.

For more than 500 groups, it takes 1.5 minutes to display the Firewall Policy Overview page

If you click the Add a firewall policy command, it can take up to 1.5 minutes for the Firewall Policy Overview page to appear. This occurs if the management server contains 500 or more groups. The problem occurs because it takes time for the Firewall Policy Overview page to display all the groups and locations that the existing firewall policies are assigned to.

To work around this issue

  1. Close all instances of the Symantec Endpoint Protection Manager console.
  2. Open the file %temp%/sesm.xml.
  3. Locate the following line:

    <login locationCounting="true" option="more" vistaWarn="false" />

  4. Change the "locationCounting" attribute from "true" to "false" and save the file.
  5. Restart the console.
  6. In the console, click Policies > Firewall > Add a Firewall policy.

On the firewall policy Overview page, under Groups Using This Policy, the text "The group list is currently hidden" appears instead of the groups.
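Steps 2 through 4 of the workaround above as an added example (not Symantec code), for running after all console instances are closed: it changes only the locationCounting attribute inside the login element, leaves every other byte of the file alone, and keeps a .bak copy. The function names are hypothetical, the settings wrapper in the sample is constructed (the readme shows only the login line), and the default path assumes the TEMP variable of the user who runs the console.

```python
import os
import re
import shutil
import tempfile

# Constructed sample; only the <login .../> line comes from the readme.
SAMPLE_SESM_XML = (
    b'<?xml version="1.0"?>\n'
    b'<settings>\n'
    b'  <login locationCounting="true" option="more" vistaWarn="false" />\n'
    b'</settings>\n'
)

LOGIN_TAG = re.compile(rb"<login\b[^>]*>")
LOCATION_COUNTING = re.compile(rb"""\blocationCounting\s*=\s*(["'])(.*?)\1""")


def disable_location_counting(data):
    """Return (new_bytes, status) with locationCounting set to "false".

    Works on bytes so the file's encoding and layout are left untouched.
    status is one of: changed, already-false, attribute-missing,
    no-login-element.
    """
    tag = LOGIN_TAG.search(data)
    if tag is None:
        return data, "no-login-element"
    # Look for the attribute only inside the <login ...> tag itself.
    attr = LOCATION_COUNTING.search(data, tag.start(), tag.end())
    if attr is None:
        return data, "attribute-missing"
    if attr.group(2) == b"false":
        return data, "already-false"
    patched = data[:attr.start(2)] + b"false" + data[attr.end(2):]
    return patched, "changed"


def patch_sesm_xml(path=None):
    """Apply the change to sesm.xml on disk, keeping a .bak copy first."""
    if path is None:
        # Assumption: %temp% resolves to the TEMP variable of the console user.
        temp_dir = os.environ.get("TEMP", tempfile.gettempdir())
        path = os.path.join(temp_dir, "sesm.xml")
    with open(path, "rb") as fh:
        original = fh.read()
    patched, status = disable_location_counting(original)
    if status == "changed":
        shutil.copy2(path, path + ".bak")
        with open(path, "wb") as fh:
            fh.write(patched)
    return status


if __name__ == "__main__":
    new_text, result = disable_location_counting(SAMPLE_SESM_XML)
    print(result)
    print(new_text.decode("ascii"))
```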

No syntax check on Custom Intrusion Prevention signatures

The system does not check syntax when you create custom IPS signatures in the management console. If the syntax is incorrect, the client generates the following message in the message console on the client:

FATAL: failed to apply a new IPS Library

The following error also appears in the client system logs:

Failed to apply IPS policy.

When you create custom IPS signatures, make sure that you follow the syntax rules in the context-sensitive help. A best practice is to create the rules and then run them in a test environment before you apply them to a production environment.

Assignment dialog box for Intrusion Prevention includes incorrect text strings

When you create and assign a Custom Intrusion Prevention signature, incorrect words appear in the Assign Intrusion Prevention Policy dialog box. In that dialog box, references to "Policy" should be "signature."

Custom IPS variables can be deleted even if an IPS signature still uses the variable

The Symantec Endpoint Protection Manager lets you delete a custom IPS variable without a warning, even if a signature still uses the variable. Before you delete a variable, make sure that you have removed it from the content of all signatures in a signature group.

The Next option appears disabled in selecting a single exception signature for Intrusion Prevention policies

In the Intrusion Prevention policy, you can add a single signature as an exception that the policy ignores. To add the exception, in the Intrusion Prevention policy, click Exceptions, and then click Add.

From the list of signatures that appear, you can select a single signature or select all. If you select a single signature, the Next button should be enabled, but is not.

To work around this issue, click Select All. The Next option is enabled. You can then select individual signatures and the Next option continues to be enabled.

[2003309]

PROACTIVE THREAT PROTECTION POLICIES

This section includes the known issues information related to Proactive Threat Protection policies.

TruScan proactive threat scan detects a process that does not appear in the list of detected processes for centralized exceptions

When a proactive threat scan detects a process that runs from a network or a mapped drive, the event appears in the client computer's log. However, the management server does not register this event, so the event does not appear in the logs in the management console. You also cannot create an exception for the process because it does not appear in the list of detected processes for centralized exceptions.

Using Regedit.exe with Application Control

Application and Device Control Policies let you create Application Control rules. Application Control rules let you block registry keys from being created on client computers. If you create an Application Control rule that blocks all access to HKEY_LOCAL_MACHINE (HKLM) registry entries, and if a user uses Regedit.exe to create a registry entry under HKLM, Regedit.exe crashes. This crash happens only on Windows Vista.

Blocking storage volumes with Application and Device Control on 32-bit operating systems

The Application and Device Control policy blocks storage volumes on Windows XP only and not on the Windows 2000 or Windows Vista operating systems.

Blocking PS2 devices by using the setting Human interface Device

The Application and Device Control policy does not block human interface devices (HIDs) such as PS2 devices. This functionality is by design. The human interface device blocking functionality works as follows:

  • USB block = The USB block blocks a USB mouse. However, a USB keyboard is not blocked.

  • HID block = The HID block blocks a mouse. However, a HID keyboard is not blocked.

  • If the device has a PS2 connection, nothing is blocked.

Blocking Virtual DVD drives with Application and Device Control Policies

If you configure a rule in an Application and Device Control policy to block DVD drives, the rule only blocks hardware DVD drives. It does not block virtual DVD drives. The policy blocks the hardware DVD drives by using a globally unique identifier (GUID). Virtual drives do not have GUIDs.

Using Application and Device Control Policies with Windows Vista symlinks

Hard links (available in Windows Vista) cannot be blocked or triggered using Application Control and Device Control Protection. This issue affects Symantec Endpoint Protection users who try to create Application and Device Control Policies that are applied to hard links to files, folders, or applications on Windows Vista 32-bit platforms. You know that this problem has occurred if your rules do not trigger.

Do not use symbolic links for clients that run Windows Vista. Apply Application and Device Control policy rules directly to a partition or a path.

Application and Device Control white list process appears not to use the %tmp% folder correctly

This occurs because the tool used for adding white list items is in the system context, and not the user context. For example, adding the Windows XP entry '%temp%' refers to 'c:\Windows\Temp' and not 'c:\Documents and Settings\<username>\Local Settings\Temp'.

Best practice: When adding white list entries, use the explicit path whenever possible.

[1944583]

Application and Device Control rules do not block "Read" access to folders when using Windows 7

This is caused by a difference in the way that Windows 7 codes its read requests, as opposed to how they are coded in Windows XP. Symantec does not anticipate a fix and recommends against attempting to block entire folders.

[1987652]

HOST INTEGRITY POLICIES

This section includes information about Host Integrity policies, which are available only with Symantec Network Access Control.

A custom Host Integrity policy cannot detect a Kaspersky Anti-Virus signature if Kaspersky's real-time protection is disabled

If a client computer runs the Kaspersky Anti-Virus software, a custom requirement detects that a Kaspersky antivirus or antispyware signature file is up to date. However, if the Kaspersky real-time protection is disabled or is updating the signature file, the custom requirement cannot correctly detect the signature date.

Host Integrity policies and the Quarantine zone

When you upgrade Symantec Endpoint Protection Manager with Symantec Network Access Control, the Quarantine zone for each location does not contain policies. Before you can add any policies to the Quarantine zone, you must first add a Host Integrity policy to the location. You can then add policies to the Quarantine Zone, such as LiveUpdate and Firewall policies.

If you add LiveUpdate and antivirus and antispyware policies to the Quarantine zone, you cannot withdraw (delete) them from the Quarantine Zone. If you attempt to withdraw these two policy types, a prompt appears, and lets you know that withdrawing these policies is not supported. To delete these policies from the Quarantine zone, withdraw the Host Integrity policy from the location. Deleting a Host Integrity policy deletes all policies from Quarantine zone. Then, to add policies to the Quarantine zone, add a Host Integrity policy back to the location. You can withdraw the other policy types normally.

The predefined patch requirement and custom requirement does not detect whether the KB867460 patch is installed on the client

If the Host Integrity policy includes either a predefined requirement or custom requirement to detect whether the Windows KB867460 patch is installed on the client computer, both requirements fail on the client computer.

To work around this issue:

  1. In the console, do one of the following tasks:

    - Add a predefined patch requirement that specifies the patch name as S867460 (instead of the KB867460 patch) and the operating systems on which this patch can be installed, such as Windows XP Professional.

    - Add a custom requirement for the "Patch: Patch condition" that specifies the S867460 patch instead of the KB867460 patch.

  2. Apply the policy.
  3. On the client, verify that the KB867460 patch is installed and that either requirement passed.

Custom Host Integrity policy displays an error in the Security log when the use value is greater than 4294967 seconds

The "maximum wait time" for any function to run a program or a script cannot be greater than 4294967 seconds. The custom Host Integrity policy displays an error in the security verbose log when this value is exceeded. Use a value equal to or less than 4294967 seconds.

Host Integrity "show message dialog" does not show special characters

The Host Integrity "show message" function on Symantec Endpoint Protection Manager has the following limitation. Do not use the following characters on any operating system: ^, =, or tab.

[1104913]

For the on-demand client, custom Host Integrity rules that point to registry values do not work properly

Custom Host Integrity rules for registry values do not work correctly. This is because of the transient nature of user sessions.

The percent sign and pound sign characters are not supported in certain Host Integrity policy file names

Certain characters cannot be used in a Host Integrity policy IF-THEN file comparison custom requirement. For this type of custom requirement, you cannot use the percent (%) sign and pound sign (#) characters in the file name and path.

Host compliance log displays the message: Process not running Signature out of date

From the Symantec Endpoint Protection Manager console, check the Host Compliance Logs. When the Host Integrity Check fails, the event is logged as "Event Type: Host Integrity failed." The Reason column always displays the message, "Process is not running Signature is out of date." This error message appears on any Symantec Endpoint Protection Manager operating system.

Host Integrity policies might not correctly detect the antispyware status of Norton Internet Security 2009 on Windows Vista computers

On Windows Vista computers, Host Integrity checking cannot detect the antispyware status of Norton Internet Security 2009 versions prior to 16.2 if the antispyware feature is disabled. To avoid this issue, make sure that Windows Vista client computers are running Norton Internet Security 2009 version 16.2 or later.

Reporting

This section contains material that is related to monitoring and reporting issues.

Reports are saved as .php files instead of .mht files when you use Windows XP and Internet Explorer version 6.0 with no service packs installed

When you run Windows XP with none of its service packs installed, and use Microsoft Internet Explorer version 6.0 with none of its service packs installed, and you save a Symantec Endpoint Protection report, you are prompted to save the report as a .php file.

To solve this issue, install a service pack for Windows XP and one for Internet Explorer version 6.0. If you do not want to install the service packs, you can save the report as prompted. Then, change the file name extension to .mht before you view it.

Internet configuration settings needed to view the reporting functions in the Symantec Endpoint Protection Manager console

Enable some Internet Options to view the information on the Home page, Monitors page, and Reports page in the Symantec Endpoint Protection Manager. Click Custom Level on the Security tab of the Tools > Internet Options menu to find these settings.

Enable the following settings when using Internet Explorer 6:

  • Under ActiveX controls and plug-ins: Initialize and script ActiveX controls not marked as safe.

  • Under Miscellaneous: Submit nonencrypted form data.

  • Under Miscellaneous: User data persistence.

  • Under Scripting: Active scripting.

Enable the following settings when using Internet Explorer 7:

  • Under Miscellaneous: Submit non-encrypted form data.

  • Under Scripting: Active Scripting.

  • Under Scripting: Allow status bar updates via script.

Email reports sent to Microsoft Outlook may not format correctly

A scheduled email report that is generated and then sent to Microsoft Outlook may not be formatted correctly. The report may be missing line feeds after the different sections. This issue occurs only when the recipient's Microsoft Outlook software has a particular setting enabled. To correct it, in the E-mail Options pane, uncheck the Remove extra line breaks in plain text messages checkbox. When this option is turned off, the email message that is sent with the report is formatted correctly.

The following text shows the content of an email that contains the formatting issue:

Report scheduled by: admin 
Report generated on: 2007-04-04 21:31:19 Report type: System Report Report 
description: Test description

The following text shows the correct formatting of the email content:

Report scheduled by: admin 
Report generated on: 2007-04-04 21:31:19
Report type: System Report 
Report description: Test description

The reporting-related Web pages do not load when you have a database server with a long DBCS host name

The Home page, Monitors page, and Reports page do not load on computers where the database server has a DBCS name that is too long. In this case, ODBC does not register the database correctly, so it does not load the reporting-related pages. If possible, keep names to 15 characters or less. Alternatively, use the Start menu > Symantec Endpoint Protection Manager > Management Server Configuration Wizard. You can then use an IP address for the database server instead of the DBCS host name.

When you log on through a Web browser, reporting tabs might not appear if the Internet Explorer cache is full

If the tabs do not appear across the top of the page when you log onto the Symantec Endpoint Protection Manager reporting functions through a Web browser, try clearing the Internet Explorer temporary files cache. Delete temporary Internet files in Internet Explorer 6 by clicking Delete Files under the Temporary Internet files group box on the General tab of the Internet Explorer Tools > Internet Options menu. In Internet Explorer 7, click Delete under Browsing History.

Printing the background colors in reports

To print the background colors when you print a report, open the Internet Explorer Tools > Internet Options menu and check Print background colors and images on the Advanced tab.

Site Status report does not display correct value for memory use on Windows 2000 Server SP3

On the computers that run Windows 2000 Server, Service Pack 3, the Site Status report always shows 0% memory usage. This error also occurs if you access the Site Status information by clicking Health Status under Site Status on the Symantec Endpoint Protection Manager console. When you use Symantec Endpoint Protection, this information is located on the Summary tab. If you use only Symantec Network Access Control, this information is located on the Home page. The information displays correctly if the computer is updated to run Service Pack 4.

Reporting components do not start if you specify an IP address for the Symantec Web server in the IIS on Windows 2008 R2

Reporting components fail to work on Windows 2008 R2 computers that use a specific IP address for the Symantec Web server in the IIS. To work around this issue, you can do either of the following:

  • Set your Internet Explorer Internet zone security level down to a level below High.

  • Add the host IP address to the Trusted sites list.

Still Infected includes count of items moved to Quarantine on Mac clients

For Mac client computers, if a virus is detected and moved to the Quarantine, the Symantec Endpoint Protection Manager console displays the virus as both Still Infected and Quarantined. The Still Infected action does not automatically update for Mac clients.

To work around this issue, you can manually clear the Still Infected action by running the Update Content and Scan command from Symantec Endpoint Protection Manager for the client computers.

For more information, see "Updating definitions and rescanning" in the Administration Guide for Symantec Endpoint Protection and Symantec Network Access Control.

Internet Explorer may close unexpectedly when you review virus definitions in the Symantec Endpoint Protection Manager console Home page

In the console, you can view virus definitions on the Home page by clicking Virus Definitions Distribution. If you view multiple virus definitions, Internet Explorer may close unexpectedly. This issue occurs if you run Internet Explorer 6 SP 2 or earlier.

To work around the issue, upgrade to Internet Explorer 6 SP 3 or later.

[1928731]

Clicking on an unacknowledged notifications alert fails to return focus to the Home page after the alert displays

On the Home page, you can click the Unacknowledged notifications link in the Status Summary pane and view the notifications. However, if you then click the Home page again, the Home page might not appear. This is only an issue on Windows XP with Service Pack 3 running Internet Explorer 7 or 8.

Solution: Change the security setting for your Internet zone to Medium-low or Low. Medium or High blocks the display of the Home page.

[2005768]

Managing reports owned by a deleted administrator

When an administrator is deleted, the person doing the deletion will be asked if the reports belonging to the deleted administrator should be saved. If the response is "yes," the reports that the deleted administrator owned will have their ownership changed. The new ownership will show as:

"OriginalName+'(AdminName)'". For example, there is a scheduled report named "Monday_risks_report," created by the admin JSmith. This report name now appears as "Monday_risks_report(JSmith)".

[2130563]

Symantec Endpoint Protection and Symantec Network Access Control Windows client issues

This section contains information about Symantec Endpoint Protection clients and Symantec Network Access Control clients on Windows computers.

Default port number may not appear correctly in the System Log

A LiveUpdate policy that is created and then assigned to a group may display the incorrect default port number. The default port number is 2967. This default port number may appear as 0 in the System Log on the client computer.

LiveUpdate schedule changes require restart on unmanaged clients

If the schedule is changed for how often LiveUpdate runs on unmanaged clients, the change does not take effect until the smc process is restarted, or until the computer is restarted. For example, if the schedule is to run LiveUpdate weekly, and then is changed to run daily, you must restart the process or computer.

To restart the process

  1. Display a command prompt.
  2. Use the cd command to move to the \Symantec\Symantec Endpoint Protection directory.
  3. Execute smc -stop
  4. Execute smc -start

Compatibility issues with MS Verifier on Windows 7 against Symantec Endpoint Protection drivers. Running Verifier may result in failures and BSODs

Symantec recommends against running MS Verifier on Windows 7. If the user's computer crashes, shows a BSOD, or has another failure, the solution is to restart the computer.

[1637526, 1673014, 1674146, 1678618]

LiveUpdate Missed Event Options feature does not work

The Advanced options for Scheduled Updates contain a feature that is called Missed Update Options that does not work. The Scheduled Updates feature lets Symantec Endpoint Protection users specify how often to run LiveUpdate to check for updates from LiveUpdate servers. As part of the Scheduling, you can set a retry interval with the Missed Event Options. If a client does not successfully run LiveUpdate at the scheduled time, the client uses the retry interval to keep trying to run LiveUpdate for a specified amount of time. If this feature is important to you, the workaround is to update the scheduled frequency with which clients run LiveUpdate. This setting is located at Change Settings > Client Management > Configure Settings > Scheduled Updates (tab) > Advanced.

The Network Access Control-enabled Symantec Endpoint Protection client on Microsoft Vista does not allow access to a remote server

If the Symantec Endpoint Protection client with Network Access Control is installed, the client does not allow access to a remote network server. Therefore, if you have Symantec Endpoint Protection clients with Network Access Control that run on Microsoft Vista, you must create a firewall rule on the Symantec Endpoint Protection Manager that allows access to remote servers.

To create the rule

  1. In the Symantec Endpoint Protection Manager console, click Policies.
  2. Under View Policies, click Firewall.
  3. Choose the Firewall policy you want to edit.
  4. In the Tasks pane, click Edit the Policy.
  5. On the Firewall Policy page, click Rules.
  6. Click Add Rule.
  7. On the Add Firewall Rule Wizard page, click Next.
  8. In the Select Rule Type pane, click Network Service and then click Next.
  9. In the Specify Trusted Network Services pane, beside Network Neighborhood Browsing, click the Enabled check box and then click Finish.
  10. On the Firewall Policy page, click OK.

Peer-to-peer authentication clients always display the status "Allowed"

The Symantec Network Access Control client status field is only used when that client is connected to either an Enforcer appliance or an Integrated Enforcer. The Symantec Network Access Control client displays the status value "Allowed" even when it is not connected to an Enforcer appliance or an Integrated Enforcer. The Symantec Network Access Control client displays "Approved" or "Quarantine" when it is connected to the Enforcer appliance or the Integrated Enforcer and the Host Integrity check has passed or failed, respectively.

The Symantec Network Access Control client has no Traffic log. You can only see the Traffic log on the Symantec Endpoint Protection client. This log appears on both the peer client and on the authenticator client. For the Symantec Network Access Control client, the administrator can check the Enforcer client log on the Symantec Endpoint Protection Manager to view peer-to-peer authentication behavior.

Peer-to-peer authentication does not work if client computers use port address translation to connect to the network

Some networks use port address translation for TCP or UDP communications that occur between computers on a private network and computers on a public network. Each computer on the private network uses a different port number for the same IP address to connect to the public network. The public network only receives communications from the single IP address. Peer-to-peer authentication does not work with these modified IP addresses that originate from a single host.

Peer-to-peer authentication and Host Integrity policies block access to shared folders

Assigning a firewall policy that enables peer-to-peer authentication to Symantec Endpoint Protection clients and then assigning a Host Integrity policy to Symantec Network Access Control clients might block Symantec Network Access Control clients' access to shared folders on Symantec Endpoint Protection clients. The condition occurs after a Host Integrity compliance check completes.

The SMC service cannot start if the COM+ service is not running

If the COM+ service has stopped for any reason, after you install the Symantec Endpoint Protection client software, the SMC service cannot start. To work around this issue, you can do one of the following:

  • Manually start the COM+ service, then start the System Event Notification Services (SENS), then start the SMC service.

  • Manually start the COM+ service, and then restart the computer.

The Symantec Endpoint Protection client sometimes fails to restart when the user clicks Restart Now

This has only been observed on Windows 7, and only intermittently. To work around this issue, restart the client manually.

[1987639]

The Proactive Threat Protection portion of the client user interface does not turn red or begin an automatic repair when Proactive Threat Protection definitions are corrupted or missing

If Proactive Threat Protection definitions are corrupted or missing, the Proactive Threat Protection portion of the client user interface does not turn red and does not automatically download new definitions to repair itself. After some time, a red dot appears on the Symantec Endpoint Protection notification area icon, and the client user interface states that Proactive Threat Protection is disabled.

To work around this issue, the user can click Fix. Symantec Endpoint Protection then downloads new Proactive Threat definitions and corrects the problem.

[1934245]

Symantec Endpoint Protection Mac client issues

This section contains information about Symantec Endpoint Protection clients on Mac computers.

Scan Status and Details do not match

If you run a scan command on a Mac client, the Command Status Details window displays mismatched scan status and details. This situation occurs when the scan is in progress and the software cannot determine the state of the scan. You can safely disregard this mismatch.

[1893054]

Installation Wizard displays Install option instead of Upgrade option

On Mac OS X 10.5 or 10.6, if you upgrade the client software, the installation wizard displays an Install option instead of an Upgrade option. Click Install to complete the installation.

[1922671]

Limited support for location awareness on Mac client

Symantec Endpoint Protection for Mac does not provide location awareness. To work around this issue, you can modify the location-specific settings for the Default location for a group that contains Mac computers.

[1989028]

Extended Unicode characters do not display properly in Symantec Endpoint Protection Manager

On the Clients page of Symantec Endpoint Protection Manager, the name and logon client of a Mac client computer may not display properly. This situation occurs if the hostname or the user account of the Mac computer contains extended Unicode characters.

[1982630]

Mac client cannot use UNC path to get updates from internal LiveUpdate server

If you set up an internal LiveUpdate server, your Mac client computers cannot get updates by following a UNC path. You must provide an FTP server or a Web page (HTTP) for Mac clients to get updates from an internal LiveUpdate server.

[1998197]

Out-of-date definitions determined differently for Mac client

Virus definitions on a Windows client are considered out of date as follows: the date of the definitions on the client is compared with the date of the definitions on the server.

Mac client definitions are considered out of date by comparing the date of the definitions on the client with today's date.

This situation occurs because Mac clients always get their updates from an internal LiveUpdate server, not from the management server.

[2013252]

Uninstalling Norton AntiVirus or Norton Internet Security on the Mac client

To uninstall Norton AntiVirus or Norton Internet Security on a Mac client computer, you can use the uninstaller that is provided on the product disc. The uninstaller is located in the SEP_MAC folder at the root of the product disc.

You must uninstall Norton AntiVirus for Mac before you can install Symantec Endpoint Protection for Mac.

[2014091]

Auto-Protect does not scan files inside Stuffit archive files

Auto-Protect does not scan the files inside a Stuffit archive file. This situation occurs even if you check the option to scan compressed files in an Antivirus and Antispyware policy.

You can, however, perform a manual scan of the files.

File System Auto-Protect settings are not locked as expected on the Mac clients that are set to client control

Symantec Endpoint Protection Manager can lock or unlock the Auto-Protect settings on client computers in server control, mixed mode, and client control. This works properly on Windows clients, but fails on the Mac clients that are in client control.

To work around this issue:

  1. In the console, click Clients > Policies, and change the Client User Interface Control setting for Mac clients to Server control.

  2. While in server control, in the Antivirus and Antispyware policy, change the state of the Auto-Protect settings.

  3. Change the Client User Interface Control setting back to Client control.

Note:

This only works on the clients that are online at the time of the change to server control. You may want to verify that all clients have received this update.

[2018385]

Symantec Endpoint Protection Windows client issues

This section includes information specific to Symantec Endpoint Protection clients.

GENERAL CLIENT ISSUES

Auto-location's NIC description condition is not available for dial-up connections

The auto-location network interface card (NIC) description condition is not available for dial-up connections because Windows provides a single description for all dial-up connections. Only Ethernet adapter connections can use the auto-location description condition because unique descriptions are provided. You can view connections and descriptions by entering ipconfig /all at a command prompt.

The client stops running after the Windows page file fills up

If the client closes or stops running after it displays a runtime error or an out of memory error, the client computer does not have enough memory. This situation can occur if the Windows page file is too full. To view the page file, open the Task Manager on the client computer, click the Performance tab, and look at the PF Usage graph. To work around this issue, either increase the memory on your client computer, or close applications that you do not need.

If the user or a script runs the password-protected smc command and the supplied password is incorrect, the client incorrectly returns a value of 0

The administrator may require a password for the -stop, -importconfig, -exportconfig parameters for the smc command. When a user or a script runs the password-protected smc command and the supplied password is wrong, the smc command incorrectly returns an error code of 0, which states that the password was successful. Use a method other than the smc return value to check if the command was successful.

Red "X" on Status page may indicate limited access to the product

Restricted users cannot access all aspects of the product. Usually, those items are grayed out, but sometimes they appear with a red X. This situation does not indicate a problem, but rather limited privileges.

System standby does not occur after designated time

You can set up system standby on your computer to occur after a designated time. However, system standby never occurs on the computer on which you installed the client despite the setting being enabled.

If you want to correct this problem on the computer on which you installed the client, you need to manually enable system standby. You can manually enable Standby in the Shutdown Windows dialog box. Or, see the documentation that was shipped with your operating system for more information on how to manually enable system standby.

This problem can occur on all supported platforms on which you can install the client.

Cannot browse to folders and files to add centralized exceptions on clients

Because of the file redirection feature on 64-bit operating systems, the user cannot add the native Windows system32 folder as an exception on the client. For example, if the user adds %windir%\system32\inetinfo.exe as an exception, Windows automatically redirects the client to the 32-bit subsystem Windows system32 directory, which is %windir%\SysWOW64.

To work around this issue, you must log on to the Symantec Endpoint Protection Manager and create an exception in the Centralized Exception policy for the file or folder in question.

[1918264]

INSTALLATION AND UPGRADING

Users must always restart the client computer for an unattended installation

The client computer does not restart automatically after an unattended installation. If you have configured the Client Install Settings for a client installation package as "Unattended" and "Restart the computer after installation," users must still restart the computer.

Patching of the trialware version of the Symantec Endpoint Protection client software is blocked

If you attempt to patch the trialware version of Symantec Endpoint Protection Maintenance Release 2 or later client software, the patch is blocked. You then see the following misleading error message:

Warning:

You are attempting to install trial version over a licensed copy of Symantec Endpoint Protection. You must first uninstall the licensed version before installing the trial version.

Patching the Symantec Endpoint Protection trialware is not supported and fails.

MANAGEMENT AND COMMUNICATION ISSUES

Clients can no longer connect to the Symantec Endpoint Protection Manager after the management server has been disconnected from and reconnected to the network

If you create a client installation package while the management server is disconnected from the network, the sylink.xml file that is part of the client installation package no longer includes the IP address of the management server. When you deploy and install this client installation package with a missing IP address in the sylink.xml file, the clients cannot connect to the management server.

You can set up a domain name service (DNS) server to resolve the management server's IP address based on its host name. If you do not have a DNS server, you can also resolve the management server's IP address based on its host name by mapping the management server's IP address to its host name in the C:\WINDOWS\system32\drivers\etc\hosts file that is located on the client computer.

Icons do not display in notification area

The client icon and notification area icon might not display in the notification area on managed Windows clients. The display settings are managed from the Symantec Endpoint Protection Manager console at Clients > Policies > Location-specific settings > Client user interface control settings > Server control > Customize. Even if the display settings are enabled, the icons might not display because the default policy includes a setting to hide the tray icons.

To display the icons, create a new policy or modify the default policy. Also, the icons display if you restart the smc process on the client.

To restart the smc process:

  1. Display a command prompt.
  2. Use the cd command to move to the \Symantec\Symantec Endpoint Protection directory.
  3. Execute smc -stop
  4. Execute smc -start

This issue has been identified on several versions of Windows. These versions include XP (32-bit and 64-bit), 2000 (Professional and Server), Vista (32-bit and 64-bit), and Small Business Server.

ANTIVIRUS AND ANTISPYWARE PROTECTION ISSUES

Temporary files should not be opened during automatic scan

After updating virus definitions, threats currently quarantined are automatically scanned. The automatic scan briefly creates and removes temporary files (DWH****.tmp) from the Windows\Temp directory. During the scan, these temporary files should not be opened. If one of these temporary files is opened during the scan, it might be detected by Auto-Protect as a new threat and added to quarantine.

When you first install the client, virus definitions appear to be out of date

When you first install the product, a message can appear in the notification area icon and main user interface that mistakenly indicates that virus definitions are out of date. This message can safely be ignored. After LiveUpdate runs, however, all messages should be accurate. Messages include a pop-up message box and a red status icon or a yellow status icon.

Debug log settings apply to Antivirus and Antispyware Protection and Proactive Threat Protection scans

In the Troubleshooting dialog box, the debug log settings under the heading "Symantec Endpoint Protection" apply only to Antivirus and Antispyware Protection and Proactive Threat Protection scans.

Auto-Protect repair can cause a crash on Windows Vista

On client computers that run Windows Vista, if you select Repair when Auto-Protect notifies you of a risk, the computer might crash. The crash only occurs when Auto-Protect is disabled, risks add unrepairable files to the computer, Auto-Protect is re-enabled, and then you try to repair the files. To prevent the computer from crashing, turn off Quarantine and back up the files first. Then repair the files.

Check Microsoft for the latest information about Windows Vista. A fix will be released to address this issue. See the Microsoft Knowledge Base article 951250.

LIVEUPDATE ISSUES

If you use third-party tools to distribute content updates, or manually apply updates to legacy clients, the update files must be renamed from full.zip to full.dax

Symantec Endpoint Protection Manager publishes content update files that are received from a LiveUpdate server in a location similar to the following: C:\Program Files\Symantec\Symantec Endpoint Protection Manager\Inetpub\content\{1CD85198-26C6-4bac-8C72-5D34B025DE35}\80219003.

The content updates are copied into a subfolder named full. A compressed archive named full.zip is also created in the same location. In previous releases, a compressed archive named full.dax was also created. Previous versions of Symantec Endpoint Protection client software recognize only content update files named full.dax.

If you use a third-party management tool to distribute content updates to legacy clients, or if you want to manually copy content updates from the management server to legacy clients, you should copy the associated full.zip file to an alternate location. Rename the copied full.zip file to full.dax, and then use the full.dax file to update legacy clients. Clients that run Maintenance Release 2 or later recognize files named full.zip for content updates.

See the Administration Guide for Symantec Endpoint Protection and Symantec Network Access Control for more information about using third-party management tools.

PROACTIVE THREAT PROTECTION ISSUES

Notification does not appear on a managed client computer when a Proactive Threat Scan makes a detection and uses an action of "log only"

If you configure Proactive Threat Scan detection notifications to appear on client computers, and if the action for a proactive threat detection is log only, when the scan makes the detection, a popup notification does not appear on a managed client computer. If any other action is configured for the detection, a popup notification always appears on the client computer. In either case, the user can always view the detection information in the Proactive Threat Protection log.

TruScan Proactive Threat Scan status appears red on the client before LiveUpdate runs

When you install the client, the TruScan proactive threat scans use LiveUpdate to get the latest content. The Proactive Threat Protection status appears green while the client waits to get its content updates from LiveUpdate. If you run a Proactive Threat Scan before LiveUpdate downloads the latest Proactive Threat Scan content, the TruScan status appears red.

NETWORK THREAT PROTECTION ISSUES

Pop-up message that states that an application is being blocked does not always appear when expected

The pop-up message that notifies you of a blocked application might not always appear each time that the firewall blocks an application. The absence of this pop-up message might occur in the following situations:

  • If you run multiple instances of the same application. For example, suppose a firewall rule blocks Internet Explorer. If you start Internet Explorer and try to locate a Web site, the pop-up message appears. If you then open a second instance of Internet Explorer without closing the first window, a pop-up message does not appear.

  • If you run an application, close it, and then run the application again within a short period.

Using the firewall with a bridged connection

A client computer that uses two network cards and that connects to the same network switch might not be able to communicate if the network uses a bridged connection. When traffic passes through the firewall, the firewall can cause a packet storm so that the network cannot broadcast traffic. If a client computer uses two NIC cards, uses a bridged connection, and cannot communicate, you might need to unbridge the connection.

If the user attempts to block a protocol driver from the View Network Activity or Application List dialog boxes, the firewall still allows the driver

If the client runs a protocol driver, the driver appears in the Network Activity dialog box and the Application List dialog box. If the user then tries to block the driver from these dialog boxes, the firewall ignores the block action and continues to allow the driver. To work around the problem, the user can create a firewall rule that blocks traffic from the protocol driver.

Symantec Endpoint Protection client fails to notify a user that the ZoneAlarm Security firewall is turned off when running on Windows 2000 Service Pack 4

You can use the Symantec Endpoint Protection Manager to enable the ZoneAlarm Security Suite 6.5 firewall as a Host Integrity policy for a Symantec Endpoint Protection client. However, if you turn off this firewall for a client on a computer that runs Windows 2000 Service Pack 4, the Host Integrity check fails to notify the user that the firewall protection is off. To provide firewall protection on the client computer, install the Symantec Endpoint Protection client firewall instead of the ZoneAlarm Security Suite 6.5.

Network Threat Protection "Block Microsoft Windows Networking traffic while the screen saver runs" client option blocks all network traffic

If a user enables the Network Threat Protection Block Microsoft Windows Networking traffic while the screen saver runs option on a client, the firewall blocks all network traffic when the screen saver is activated. It does not block only the network browsing and sharing traffic.

Symantec Network Access Control client issues

This section includes information specific to Symantec Network Access Control clients, including the On-Demand clients.

If the user or a script runs the password-protected smc command and the supplied password is incorrect, the client incorrectly returns a value of 0

The administrator may require a password for the -stop, -importconfig, -exportconfig parameters for the smc command. When a user or a script runs the password-protected smc command and the supplied password is wrong, the smc command incorrectly returns an error code of 0, which states that the password was successful. Use a method other than the smc return value to check if the command was successful.
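
One way to follow that advice for smc -stop, here and in the identical Windows client issue earlier in this readme, is to ignore the exit code and poll the Windows service state instead. This is an added example, not Symantec code; the service name SmcService, the function names, and the caller-supplied argument list (including the password option, whose syntax this readme does not give) are assumptions.

```powershell
# Added example (not Symantec code): decide whether "smc -stop" worked by
# watching the service state, because the exit code is 0 even when the
# supplied password is wrong.
# Assumptions: the client service is registered as 'SmcService'; the caller
# passes the full smc argument list, including the password option.

function Wait-ServiceStatus {
    param(
        [Parameter(Mandatory = $true)] [string] $Name,
        [Parameter(Mandatory = $true)] [string] $Desired,   # e.g. 'Stopped'
        [int] $TimeoutSeconds = 60
    )
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ($true) {
        # Query the service again on every pass so the status is current.
        $status = (Get-Service -Name $Name -ErrorAction Stop).Status.ToString()
        if ($status -eq $Desired) { return $true }
        if ((Get-Date) -ge $deadline) { return $false }
        Start-Sleep -Seconds 2
    }
}

function Invoke-SmcStopVerified {
    param(
        [Parameter(Mandatory = $true)] [string]   $SmcPath,
        [Parameter(Mandatory = $true)] [string[]] $SmcArguments,
        [string] $ServiceName    = 'SmcService',   # assumption, see header
        [int]    $TimeoutSeconds = 60
    )
    if (-not (Test-Path -LiteralPath $SmcPath -PathType Leaf)) {
        throw "smc executable not found at '$SmcPath'."
    }
    if ($SmcArguments -notcontains '-stop') {
        throw "This check only applies to 'smc -stop'."
    }

    $before = (Get-Service -Name $ServiceName -ErrorAction Stop).Status.ToString()
    if ($before -ne 'Running') {
        # A service that is already stopped would look like a successful stop.
        throw "Service '$ServiceName' is '$before', not 'Running'; cannot verify a stop."
    }

    # Start-Process -Wait -PassThru yields an exit code for console and GUI
    # executables alike. The arguments are never written to output or logs
    # because they contain the password.
    $proc = Start-Process -FilePath $SmcPath -ArgumentList $SmcArguments -Wait -PassThru
    $stopped = Wait-ServiceStatus -Name $ServiceName -Desired 'Stopped' `
                                  -TimeoutSeconds $TimeoutSeconds

    New-Object PSObject -Property @{
        ExitCode           = $proc.ExitCode
        ServiceStopped     = $stopped
        # True when smc reported success but the client is still running.
        ExitCodeMisleading = ($proc.ExitCode -eq 0 -and -not $stopped)
    }
}

# Usage (run elevated; path and password option are placeholders):
#   $r = Invoke-SmcStopVerified -SmcPath '<install dir>\smc.exe' `
#            -SmcArguments @('-stop', '<password option>')
#   if (-not $r.ServiceStopped) { throw 'smc -stop did not stop the client.' }
```

A deployment script should branch on ServiceStopped; ExitCodeMisleading set to true is the wrong-password case this issue describes.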

Authentication requests are blocked for 20 minutes

After failing to authenticate from a computer running Windows, further authentication requests from the switch might be blocked for a minimum of 20 minutes. This issue is due to a hard-coded Windows 20-minute blocking period that prevents the network from being overloaded with potentially unsuccessful authentication requests. During this blocking period, the system does not respond to EAPOL-Identity messages from the switch.

This blocking period applies to Windows Vista, Windows Server 2008, and Windows XP. If the re-authentication period in the switch is set to less than 20 minutes, Windows still blocks authentication requests for 20 minutes. If the re-authentication period in the switch is set to more than 20 minutes, Windows blocks authentication requests for the amount of time that is set in the switch.

To change the hard-coded value in Windows, see Microsoft KB957931 (http://support.microsoft.com/kb/957931).

IP release and IP renew takes more than one minute when using Cisco supplicant

If you or your administrator configure a client for 802.1x authentication with the Cisco supplicant on a Cisco switch, the switch blocks all outgoing traffic for more than one minute. For this reason, the client computer may take more than one minute to get an IP address after it moves to a different VLAN.

Wireless client deauthenticates on Aruba switch after 30 minutes

If you or your administrator configure a client as a built-in supplicant for 802.1x authentication with an Aruba switch and WPA2 (Wi-Fi Protected Access) and AES encryption, the client deauthenticates the user after 30 minutes. The client is disconnected from the network. The user must restart the client machine to be authenticated again.

Gateway Enforcer limitation when configured to allow non-Windows clients to access the network

If you configure a Gateway Enforcer to allow non-Windows clients to access the network, you can detect and check for devices that run the Macintosh and Linux operating systems, but the detection of other network devices, such as IP telephones or network printers, is not supported. When a Gateway Enforcer is configured to allow non-Windows clients, such devices are always blocked.

You may need to refresh the view to see the correct client authentication status on XP operating systems

Because of the start time of the Symantec Network Access Control service, the network connection status in the Local Area Connection window may at times inaccurately display that client authentication failed on XP operating systems. After using a Microsoft supplicant to authenticate to Symantec Network Access Control, if you right-click My Network Places and select Properties to view Network Connections, the Local Area Connection may still display "Authentication failed," even though the authentication was successful. Refresh the window from the View menu to see the correct status.

Initial client authentication with LAN Enforcer fails

The first time that a client in transparent mode authenticates to a LAN Enforcer, client authentication fails. You see the Enforcer close the port and report that the profile check is unavailable. Specifically, the following condition on LAN Enforcer for any supported switch causes this failure: p n/a p f n/a p

Authentication succeeds when the client reauthenticates. As a result, clients in transparent mode need to authenticate twice during the first authentication to LAN Enforcer. Client users can manually perform this authentication.

Client cannot download a roaming profile when it uses 802.1x authentication

On clients with an operating system older than Microsoft Vista, the client cannot download a roaming profile when it uses 802.1x authentication. This issue can be resolved by upgrading to Vista or later. For details, see this Microsoft article:

http://support.microsoft.com/Default.aspx?kbid=935638

Profile status check fails and the client computer is moved to the quarantine VLAN

A client computer that runs the Symantec Endpoint Protection client and is configured to authenticate using 802.1x and Protected Extensible Authentication Protocol (PEAP), and that is then moved to an on-demand environment where the On-Demand Client is downloaded and installed, might pass the Host Integrity check but fail the profile status check. The computer is then moved to the quarantine VLAN instead of the production VLAN.

This issue affects computers that run Windows XP and Vista. No solution currently exists for this issue.

The Macintosh On-Demand client mistakenly shows "allowed" network access when the profile is out of date

The user interface on the On-Demand client can show that network access is allowed when it is not. This issue happens when the client policy is set to check for the latest profile before it reports PASS to Host Integrity. It should report "Network access is NOT allowed," but instead reports "Network access is allowed." This issue will be fixed in the next release.

Downloading Windows On-Demand client using ActiveX takes longer when the client has an invalid DNS configuration

If the DNS server is configured incorrectly on the client, downloading the Windows On-Demand client takes longer than normal. This issue applies to ActiveX delivery of the client. The solution is to configure a valid DNS server or not to specify a DNS server.

Host Integrity custom requirements fail when calling for a download that writes to a Windows system environment folder when using UNC or HTTP with authentication

This issue only appears on Windows Server 2008 Enterprise, but it is more secure to use a normal file path (for example: c:\download) than an environment variable (for example, %windir%). It is also possible to use the environment variable with FTP or HTTP without authentication if you are downloading to a path defined by an environment variable.

Transparent mode dot1x authentication does not work with the Microsoft supplicant on Windows 7

Third-party supplicants are not supported in transparent mode.

The Macintosh On-Demand client cannot be authenticated by the Enforcer when local authentication is enabled but the Symantec Endpoint Protection Manager is not connected

This behavior will be changed in a future release.

The Windows On-Demand client cannot be authenticated by the Enforcer when local authentication is enabled but the Symantec Endpoint Protection Manager is not connected

This behavior will be changed in a future release.

Cannot download the On-Demand client when you use Firefox 2.x, if JRE 6 update 13 or above is installed

Firefox 2.x is no longer supported by Mozilla. The solution is to upgrade to Firefox 3.x or higher.

Some Host Integrity policies may display an error on Windows Fundamentals for Legacy PC

Some configurations of Windows Fundamentals for Legacy PC do not install the Local Management Support component. This component is required for some Host Integrity scripts such as the Secure Workstation policy. The Symantec Network Access Control client reports it cannot find secedit.exe when a policy that requires the Local Management Support component is run. To work around this problem, make sure that the Local Management Support component is installed.

The 11.x Symantec Network Access Control client does not display correct status in the user interface when authenticated by a 5.1 Enforcer

This issue is only a visual issue. The user interface may say that the client is in the quarantine network, but in fact it has access to the appropriate network. The solution is to authenticate to an 11.x Enforcer instead.

The Windows On-Demand client does not install correctly on Windows 7 with IE8 + JRE

This issue occurs because of a conflict between UAC and the logon privilege of the user. The workaround is to run Internet Explorer as Administrator, if UAC is turned on. The alternative is to turn off UAC.

Upgrading from SSEP 5.1 MRx clients to Symantec Endpoint Protection 11 RUx clients can result in all network traffic getting blocked

This issue occurs because of a change in drivers. The solution is to restart the client computer.

Symantec Network Access Control does not support the use of a Network Address Translation (NAT)-enabled router to connect through a VPN

If you must use a NAT-enabled router, you can use the following workaround:

  • On the VPN server, use NAT to send all the packets that are destined for the agent's IP address to the router IP address.

  • On the router, enable the DMZ feature and specify the DMZ server IP address as the agent's IP address.

Symantec Endpoint Protection On-Demand client download fails due to lack of privileges

The combination of Internet Explorer 7, Java Runtime Environment, and ActiveX on a computer might cause downloading the Symantec Endpoint Protection On-Demand client to fail due to lack of privileges. Users without administrator privileges might need to disable ActiveX to download the client. Users with administrator privileges or users running Internet Explorer 6 are not affected.

Juniper VPN Client Unavailable for Macintosh On-Demand Client

At the time of this release, you cannot use the Juniper VPN client with the Macintosh On-Demand client because Juniper has not released a version for Macintosh OS 10.6.

Checkpoint VPN client unavailable for Macintosh On-Demand Client

At the time of this release, you cannot use the Checkpoint VPN client with the Macintosh On-Demand client because Checkpoint has not released a version for Macintosh OS 10.6.

Compliance.xml default values of security hotfixes and patches

The default value of security hotfixes is less than the default value of important patches in Compliance.xml. So, when security hotfixes on the client machine are less than the default value, the Host Integrity check can pass. Otherwise, Host Integrity cannot pass Bigfix compliance checks.

The "Check Norton confidential installed" rule has not been tested with Macintosh OS 10.6

The "Check Norton confidential installed" rule has not been tested with Macintosh OS 10.6 because the current release of Norton Antivirus does not support the 10.6 version of the Macintosh OS.

The "Check SAV/NAV installed" HI Rule has not been tested with Macintosh OS 10.6

The "Check SAV/NAV installed" HI Rule has not been tested with Macintosh OS 10.6. For this release, Symantec does not support Symantec Antivirus or Norton Antivirus for this version of the Macintosh OS.

Reauthentication function on 2008 Standard Edition machines does not work with the wireless Symantec Endpoint Protection client

Right-clicking the Symantec Endpoint Protection icon in the notification area and selecting "Re-authentication" does not reauthenticate as expected if you:

  • Use a 2008 Standard Edition machine.

  • Have successfully configured a client machine for TLS authentication with WPA2+AES encryption.

  • Have installed an exported Symantec Endpoint Protection client that is configured for a built-in supplicant.

Restarting a computer still performs a Host Integrity check and updates the policy once after the Macintosh On-Demand client is disabled

The Macintosh on-demand client does a Host Integrity check and updates its policy once even if the agent has been disabled. This issue will be fixed in a future release.

MacBook 10.5 displays incorrect client IP address

The MacBook 10.5 Network application incorrectly displays a normal client IP address in the Subnet mask field. It should display a quarantine IP address. To view the quarantine IP address, run ipconfig in a Terminal window.

The Symantec Endpoint Protection client does not work with the Gateway Enforcer if the Juniper Networks VPN client is installed and the P2P feature is enabled

The workaround is to turn off the P2P feature in the Symantec Endpoint Protection Manager or disable Network Threat Protection.

RemoveSniffer does not uninstall the Symantec On-Demand client static route spoof tool on Macintosh Power PC 10.4

To work around this issue, use the ./Application/RemoveSniffer command to manually remove the file. You can also work around this issue by using Macintosh Power PC operating system version 10.5 or 10.6.

Security log displays incorrect information when the remote user logs off while a Host Integrity check runs or when Host Integrity has been running

This issue appears only on Windows XP, and only if the user logs off during the brief interval in which a remote user checks Host Integrity, or if a remote user logs off while Host Integrity has been running. The solution is not to log off during that period.

The "Allow HI check to pass even if this requirement fails" option does not provide details in the Host Integrity logs for the on-demand agent

Selecting the "Allow HI check to pass even if this requirement fails" option in the Symantec Endpoint Protection Manager does not give the expected result. When Host Integrity fails, the client can access the internal network. However, the client log does not display which Host Integrity check fails.

The On-Demand Client for Mac cannot connect to a DHCP Enforcer or the Symantec Endpoint Protection Manager by static routes

The Macintosh On-Demand Client cannot connect to a DHCP Enforcer or the Symantec Endpoint Protection Manager if you configure the quarantine route as 127.0.0.1 in the DHCP server. This issue applies to DHCP Enforcers with the secure-mask feature enabled, or the DHCP Plug-in Enforcer with a 255.255.255.255 netmask. To work around this issue, do not set the 127.0.0.1 router in the Quarantine user class. Instead, manually run the ipconfig release and renew commands to get the correct IP address.

Enforcer issues

This section includes information about Enforcer features, which are only available in Symantec Network Access Control.

Enforcer appliance timestamps use CMOS time instead of system time

The timestamps that are recorded in the Enforcer appliance log are based on time settings in the appliance's CMOS instead of the appliance's system settings. For example, when you use an NTP server to set system time, the timestamps that are recorded in the log are still based on the appliance's CMOS settings. They are not based on the system time that the NTP server provides. For accurate timestamps, make sure that system time and the appliance's CMOS use the same clock settings.

Servers that the Gateway Enforcer connects to must reside on an internal network

Because external networks are considered unsecure, any server that the Gateway Enforcer connects to must reside on an internal network. Only the Enforcer Services and the On-Demand delivery services can communicate with hosts on external networks. Other user mode applications, such as SNMP client, NTP client, and SSH server must use the Gateway Enforcer's forwarding support module to communicate with hosts on an external network.

Enforcer appliance configuration settings are not saved after a restart of the Enforcer appliance

If you make configuration changes to the Enforcer, you should stop and start the Enforcer so that the new configuration is stored.

Automatic Quarantine configuration does not work on Windows 2000 Server

This error code indicates that the user class already exists in the DHCP database. The implication of this error code is that you have already manually configured this user class in the DHCP server. This user class still exists in the database, so the automatic process cannot add this user class. For Windows 2000 Server: This error occurs when the user class is manually configured on the DHCP server and then manually removed later. Sometimes, the user class is not deleted from the DHCP database. This scenario is when the automatic process can no longer add this user class.

Initial authentication fails between a client and a LAN Enforcer in transparent mode

The initial authentication between a client and a LAN Enforcer in transparent mode fails. See the topic called "How LAN Enforcer transparent mode works" in the Administration Guide for Symantec Endpoint Protection and Symantec Network Access Control.

The authentication fails the first time that the LAN Enforcer tries to authenticate the client after you have performed the following tasks:

  • Connected the client computer to any of the supported 802.1x switches.

  • Configured the client package for 802.1x authentication on the Symantec Endpoint Protection Manager. See the topic called "Using 802.1x authentication" in the Administration Guide for Symantec Endpoint Protection and Symantec Network Access Control.

  • Completed the deployment of the client package. See the chapter called "Working with client installation packages" in the Administration Guide for Symantec Endpoint Protection and Symantec Network Access Control.

  • Completed the installation of the client package on the client machine. See the chapter called "Working with client installation packages" in the Administration Guide for Symantec Endpoint Protection and Symantec Network Access Control.

After the LAN Enforcer tries to authenticate the client for the first time and fails, the client must reauthenticate. Otherwise, the client cannot connect to the network. See the chapter called "About 802.1x authentication" in the Administration Guide for Symantec Endpoint Protection and Symantec Network Access Control. Because the initial authentication failed, the Enforcer reports profile is unavailable. Therefore you must reauthenticate.

The "Show update" command continues to appear on the Enforcer despite having copied an update package

If you use any device, such as a USB drive or a DVD-ROM drive, from which you copy an update package, the following message should no longer appear after you complete the update and type the "show update" command:

Enforcer# show update
initrd-Enforcer.img.gpg available in {device} device

Disregard this message. The update has been completed successfully.

SNAC Scanner does not support a printer that is connected to a DHCP or a DHCP Plug-in Enforcer

Printers do not accept the static routes that are configured for a DHCP Enforcer appliance or a DHCP Plug-in Enforcer. Therefore, SNAC Scanner cannot communicate with a printer that is connected to a DHCP Enforcer appliance or a DHCP Plug-in Enforcer.

The Allow Legacy Client option is not supported for the Symantec Network Access Control Integrated Enforcer

The Allow Legacy Client option is no longer supported for the Integrated Enforcer.

To view this option

  1. In the console, on the Admin page, click Servers.
  2. On the Servers page, select an Enforcer, and then click Edit Group Properties.
  3. In the Edit Group Properties dialog box, click the Advanced tab.

Client can no longer communicate with the DHCP server after a client's MAC address has been deleted from the Trusted MAC list on the Symantec Endpoint Protection Manager

If you delete a client's MAC address from the Trusted MAC list in the Symantec Endpoint Protection Manager, a DHCP Enforcer's lease prevents a client from connecting to the network. The client cannot communicate with the network until the DHCP server's lease expires. Alternatively, the user can execute the following command:

ipconfig /renew

If you want the user to wait for a DHCP server's lease to expire, the user might have to wait for a long time. Administrators may have reset the default setting for lease expiration on a DHCP server from minutes to hours due to bandwidth issues.

Juniper Odyssey 4.6 no longer supported

The Symantec Network Access Control Enforcer no longer supports the Juniper Odyssey 4.6 client supplicant for 802.1x authentication.

DHCP Enforcer authentication can time out when wireless access points are used on the Enforcer's external side

If you need to use wireless access points external to the DHCP Enforcer, Symantec recommends that you set both the Authentication timeout period and the DHCP timeout period to more than 10 seconds. Increasing the timeout periods helps to avoid repeated agent timeouts and reattempts at authentication.

Invalid router information does not appear on Macintosh computers when you use the DHCP Enforcer or an Integrated Enforcer

The System Preferences > Network command on the Macintosh does not show routers that have invalid addresses or are not reachable. This situation is the result of a Macintosh issue. The solution is to ensure that routers have valid addresses and are addressable.

LAN Enforcer (Dell 860) with a fail-open card has intermittent packet loss when you use the Dell PowerConnect 2724 switch

The workaround is to unplug the Ethernet cable on the switch port and plug it in again.

The LAN Enforcer does not authenticate properly when you use a client that is not in the same domain and uses PEAP authentication to do computer authentication

To work around this issue, set the retry times to zero in PEAP properties in IAS.

The first 802.1x authentication sometimes fails when the client wakes up from sleep or hibernation

This situation is a driver issue that is resolved at the next authentication attempt. It will be fixed in a future release.

Static route records still exist with the DHCP Enforcer and MacBook 10.6

With the DHCP Enforcer and a MacBook 10.6, static route records are not deleted when the client gets a normal IP address. The Microsoft DHCP server does not always offer the Static Route option, so the client needs to retain the static route records.

Default ReauthTimeout value in the NAP Enforcer is 60 seconds

The default value is 60 seconds. The administrator should update the value to 10 minutes (600 seconds) so that it is twice the client's reauthentication timeout.

To change the value, edit the following registry key on the Integrated NAP Enforcer computer:

HKEY_LOCAL_MACHINE\Software\Symantec\Symantec Endpoint Protection\SNAC\Enforcer\SymEnforcerShv - ReauthTimeout:DWORD

Connecting two active Gateway Enforcers into a failover environment causes an ARP storm

If two Gateway Enforcers are in active mode, connecting them to construct a failover environment causes an ARP storm that lasts 0.5 to 9 seconds. (The default duration is one second, as determined by the failover sensitive-level configured from the Enforcer command line.) Once the failover begins to work, the ARP storm disappears. To prevent this issue, connect the two Gateway Enforcers into a failover environment when one of the Enforcers is in standby mode.

Gateway Enforcer loses the connection with Symantec Endpoint Protection Manager when there is high UDP traffic, when you use a Dell 860

The interrupt handling capacity of the network interface card that is used on the Dell 850 and 860 causes this issue. The solution is to upgrade the hardware to the Dell R200.

The command-line interface (CLI) to the Enforcer is not available when the Enforcer service is stopped

The solution is to restart the Enforcer service.

You must add a router and set a static route if you enable a secure netmask on DHCP Enforcer

If you use a DHCP Enforcer and you want to enable a secure netmask on the DHCP Enforcer, you must add an external router and a static route. These additions ensure that the client can always access the Enforcer, the Symantec Endpoint Protection Manager, and the DHCP server.

When you use an Integrated Enforcer or a DHCP Enforcer, static routes set on a DHCP server for Mac OS computers are sometimes unavailable

To work around this issue, you can try to manually renew the IP address a few times.

Compatibility issues between Symantec Network Access Control clients and wireless connections on Windows 2000 SP4

If you install Symantec Network Access Control on a computer that runs Windows 2000 Service Pack 4 (SP4), wireless connections might fail on the client computer. You can modify the Symantec Network Access Control policy to fix this issue.

The issue occurs because of incompatibilities between third-party wireless management software, such as Intel PROSet/Wireless Software, and the Wireless Zero Configuration software on Windows.

To enable wireless connections on the client computers that run Symantec Network Access Control, make sure that you enable third-party support when you create Symantec Network Access Control policies in Symantec Endpoint Protection Manager.

The ipconfig command shows incorrect subnet mask (255.255.255.255)

When you use the Enforcer with Windows XP or Windows Server 2003 (including RTM, Service Pack 1, and Service Pack 2 on x86 and x64 platforms), you might encounter problems with the Microsoft DHCP Client. When the client updates its IP address, you might lose connection or the ipconfig command might show the incorrect subnet mask.

You may also see the incorrect subnet mask in the command prompt if the client's IP address changes from a quarantine IP address to a normal IP address. The client still uses the correct subnet mask. This issue occurs on client computers that run Microsoft Windows 2000, and occurs even if the client passes the Host Integrity check. The client still works correctly.

To fix the problem on Windows XP or Windows Server 2003, you should apply the Microsoft Hot Fix (Microsoft KB927288). The Hot Fix has been updated since its original release, so make sure to download and apply the most up-to-date version for your computer platform. Because Microsoft no longer supports Windows 2000, there is no patch for this issue on Windows 2000.

Cisco supplicant versions 5.0 and 5.1 do not perform dot1x authentication with a Symantec Endpoint Protection client in third-party supplicant mode

If you install a Cisco supplicant 5.0 or 5.1 on a client computer and then install an exported Symantec Endpoint Protection client that is configured for third-party supplicants, the Cisco supplicant does not perform dot1x authentication and does not pass a Host Integrity check.

Cannot upgrade the Enforcer appliance to RU 5; fresh install is required

Due to the kernel upgrade present in RU 5, upgrading from earlier versions is not supported. Users should do a fresh install from the product disc. Note that this will require reconfiguration of settings.

The IP address cannot automatically switch to a quarantine IP address when using a DHCP Enforcer secure mask with the Macintosh OS

When you use Macintosh OS 10.5 or 10.6 with a DHCP Enforcer secure mask, a failed Host Integrity check does not automatically switch the client from a normal IP address to a quarantine IP address. To work around this issue, double-click iprenew to get the correct IP address.

The Integrated Enforcer for Microsoft Network Access Protection (NAP Enforcer) may not validate the UID of a client in some cases

After you install Symantec Endpoint Protection Manager and a NAP Enforcer and then connect to a client, the management server validates the client's UID. If you then connect the NAP Enforcer to a second management server, you must stop and start the NAP Enforcer to have the UID properly validated with the second management server.

[1949062]

A SNAC 11.0.4000 Enforcer appliance image cannot be upgraded to an 11.0.6000 image

You cannot upgrade an Enforcer appliance image from version 11.0.4000 to 11.0.6000 or above. Instead of upgrading, perform a fresh 11.0.6 installation on the appliance.

[1879162]

The On-Demand Client for Mac cannot run without first installing the Static Route tool

The Mac OS does not respond to the DHCP static routing option (33) without a patch. Mac computers in a Symantec Endpoint Protection network cannot download and use the On-Demand Client for Mac without applying that patch.

Solution: For each computer that is running Mac OS X 10.4, 10.5, or 10.6, download and install "Symantec ODC Static Route Spoof Tool.pkg." Administrative permission is needed during the installation. A restart is needed after the installation is complete.

To make the DHCP Enforcer environment work, the admin must configure the static route option (33) on the DHCP server. This option enables the following servers to be accessed from the client side when the client is quarantined:

  • Symantec Endpoint Protection Manager server

  • DHCP server: An empty router option (003) needs to be created on the DHCP server for the quarantine user class.

  • DHCP Enforcer (if the DHCP Enforcer appliance is used)

  • Gateway Enforcer: When you use the DHCP plug-in, the Gateway Enforcer is used as the delivery point.

  • Spoofing DNS server: When you use the DHCP plug-in, the spoofing DNS server is used to resolve names to the Gateway Enforcer for download of the Mac on-demand client.

[1978734]
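The option 33 requirement above can be checked against a captured quarantine lease. This Python example is added here and is not Symantec code: it parses the options field of a DHCP reply (the bytes after the magic cookie, per RFC 2132) and reports whether the lease has an empty router option (003) and an option 33 route to each required server. The addresses, host labels, and both sample leases are constructed for illustration.

```python
import ipaddress

# DHCP option codes (RFC 2132) that the quarantine configuration relies on.
OPT_PAD, OPT_SUBNET_MASK, OPT_ROUTER, OPT_STATIC_ROUTE, OPT_END = 0, 1, 3, 33, 255


def parse_options(data: bytes) -> dict:
    """Walk the TLV-encoded DHCP options field and return {code: value bytes}."""
    options, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:  # single-byte padding, no length field
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError(f"option {code} is missing its length byte")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} is truncated")
        # An option that appears more than once is concatenated (RFC 3396).
        options[code] = options.get(code, b"") + value
        i += 2 + length
    return options


def parse_static_routes(value: bytes) -> list:
    """Decode option 33: a list of (destination, router) IPv4 address pairs."""
    if not value or len(value) % 8:
        raise ValueError("length must be a non-zero multiple of 8")
    routes = []
    for off in range(0, len(value), 8):
        dest = ipaddress.IPv4Address(value[off:off + 4])
        router = ipaddress.IPv4Address(value[off + 4:off + 8])
        if int(dest) == 0:
            raise ValueError("0.0.0.0 is not a legal destination")
        routes.append((dest, router))
    return routes


def audit_quarantine_lease(options_field: bytes, required_hosts: dict) -> list:
    """Return findings for a quarantine lease; an empty list means it passes."""
    findings = []
    opts = parse_options(options_field)
    router_value = opts.get(OPT_ROUTER, b"")
    if router_value:  # the quarantine user class needs an empty router option
        routers = [str(ipaddress.IPv4Address(router_value[i:i + 4]))
                   for i in range(0, len(router_value) - 3, 4)]
        findings.append("router option (003) should be empty, found: "
                        + ", ".join(routers))
    if OPT_STATIC_ROUTE not in opts:
        return findings + ["static route option (33) is missing"]
    try:
        routes = parse_static_routes(opts[OPT_STATIC_ROUTE])
    except ValueError as exc:
        return findings + [f"static route option (33): {exc}"]
    reachable = {dest for dest, _ in routes}
    for name, addr in required_hosts.items():
        if ipaddress.IPv4Address(addr) not in reachable:
            findings.append(f"no static route to {name} ({addr})")
    return findings


# --- Constructed sample data (RFC 5737 documentation addresses) ---
def opt(code: int, value: bytes = b"") -> bytes:
    return bytes([code, len(value)]) + value


def ip(text: str) -> bytes:
    return ipaddress.IPv4Address(text).packed


REQUIRED_HOSTS = {
    "Symantec Endpoint Protection Manager": "192.0.2.10",
    "DHCP server": "192.0.2.20",
    "DHCP Enforcer": "192.0.2.30",
}
ROUTER = ip("192.0.2.1")
SECURE_MASK = opt(OPT_SUBNET_MASK, ip("255.255.255.255"))

# Empty router option and a host route to every required server.
GOOD_LEASE = (SECURE_MASK + opt(OPT_ROUTER)
              + opt(OPT_STATIC_ROUTE, b"".join(ip(a) + ROUTER
                                               for a in REQUIRED_HOSTS.values()))
              + bytes([OPT_END]))

# Router set to 127.0.0.1 and no route to the DHCP Enforcer.
BAD_LEASE = (SECURE_MASK + opt(OPT_ROUTER, ip("127.0.0.1"))
             + opt(OPT_STATIC_ROUTE, ip("192.0.2.10") + ROUTER
                   + ip("192.0.2.20") + ROUTER)
             + bytes([OPT_END]))

if __name__ == "__main__":
    for label, lease in (("good", GOOD_LEASE), ("bad", BAD_LEASE)):
        print(label, audit_quarantine_lease(lease, REQUIRED_HOSTS) or "OK")
```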

Re-initializing Enforcer or reconfiguring interface role disconnects On-Demand Client

If you re-initialize an Enforcer or if you reconfigure the interface role, On-Demand Clients are disconnected from the Enforcer.

To work around this issue, disable the On-Demand Clients and then re-enable them.

[1957244]

To change the default Gateway Enforcer, use interface set command

To change the default Gateway Enforcer, use the interface set command. The route delete and route add commands result in duplicate Gateway Enforcers.

[1996721]

The Gateway Enforcer advanced re-initialize command does not work on the first attempt

When re-initializing an Enforcer appliance, running the advanced re-initialize configuration command does not work if you press Ctrl + C after the first configuration attempt. Running this command should return the eth0 IP address as output, but instead it does not display anything.

To work around this issue, restart the Enforcer appliance to successfully re-initialize the Enforcer.

[1995448]

Pop-up messages appear every 30 seconds on client computer running Windows XP

The client computers that run Windows XP might receive pop-up messages about a missing client every 30 seconds.

This situation occurs if you choose the Enable pop-up message on client if Client is not running option on the Gateway Enforcer. The situation occurs regardless of the frequency of the pop-up messages that you set. The Messenger Service must also be started on the client computer for the pop-ups to continue to appear.

[2014557]

Client computers that run the Mac On-Demand client cannot be authenticated by multiple Enforcers

You may encounter a situation where you connect a Mac computer to a shared network that includes an Enforcer. If you subsequently download the Mac On-Demand client, you cannot connect to the network.

This situation occurs because the client computer must always be authenticated by the Enforcer that authenticates it first. If you connect the client computer through an Enforcer before you download the On-Demand client, the client then cannot authenticate by using the Enforcer that the On-Demand client software requires.

You can work around this issue by downloading the Mac On-Demand client before you connect to a network that requires authentication through an Enforcer.

[2011535]

Enforcers select a Symantec Endpoint Protection Manager server by management server list sequence instead of priority

If a Symantec Endpoint Protection Manager server shuts down, the Enforcer is expected to select the highest priority server on the management server list. Instead, the Enforcer selects the next available server in the list sequence. There is no known workaround at this time.

[2014558]

Symantec Network Access Control client can delay DHCP server authentication after hibernation

If a Symantec Network Access Control client resumes after hibernation, there may be a delay in obtaining DHCP server authentication. This situation occurs because the client should request a new IP address. Instead, the client continues to request the current IP address.

[2011533]

Mac static route spoof tool does not run on Mac OS X 10.4

The Mac static route spoof tool is not supported on your client computers that run Mac OS X 10.4.

[2011540]

Configuring a fail-open NIC card in fail-closed mode

Beginning with Symantec Network Access Control version 11.0 RU6 MP1, Enforcers will ship with a Silcom NIC card that is configured in fail-open mode.

To configure the Enforcer to be in fail-closed mode, issue the following CLI command:

configure interface failopen disable

[2086785]

Enforcer hardware compatibility matrix

The Enforcer hardware compatibility matrix lists Symantec Network Access Control appliance image releases and their level of testing and support for Dell Enforcer appliance hardware models.

Table: Enforcer hardware compatibility matrix

| Image version | Dell PE 850 | Dell PE 860 | Dell R200 | Dell R210 |
| --- | --- | --- | --- | --- |
| Image version 11.0.6300 (RU6 MP3) | Not supported | Partially tested and fully supported | Fully tested and fully supported | Fully tested and fully supported |
| Image version 11.0.6200 (RU6 MP2) | Not supported | Partially tested and fully supported | Fully tested and fully supported | Fully tested and fully supported |
| Image version 11.0.6100 (RU6 MP1) | Partially tested and fully supported | Partially tested and fully supported | Fully tested and fully supported | Fully tested and fully supported |
| Image version 11.0.6 | Partially tested and fully supported | Partially tested and fully supported | Fully tested and fully supported | Not supported |
| Image versions 11.0.2, 11.0.3, 11.0.4, and 11.0.5 | Fully tested and fully supported | Fully tested and fully supported | Fully tested and fully supported | Not supported |
| Image version 11.0 | Fully tested and fully supported | Fully tested and fully supported | Not supported | Not supported |

[2099910]

Enforcer shows as offline when default management server list uses a hostname

The default management server list that is on the console of Symantec Endpoint Protection Manager is migrated to the Enforcer. In some cases, that list may contain a hostname, rather than an IP address or DNS name. If the Enforcer uses the default management server list and if that list contains a hostname, the Enforcer may be shown as offline. Symantec recommends against using hostnames in the management server list.

To work around this issue:

  1. Create a new list of management servers, using IP addresses or DNS names.

  2. Assign the list you just created to the Enforcer or Enforcers that are connected to the management servers.

  3. If you used DNS names for the management servers, configure the DNS server as appropriate on each Enforcer.

[2174579]

Documentation issues

This section includes information about product documentation.

Latest documentation

The user documentation might be updated between product releases. You can locate the latest user documentation at the Symantec Technical Support Web sites:

Symantec Endpoint Protection documentation

Symantec Network Access Control documentation

Note:

Some documents refer to CDs. Beginning with Symantec Endpoint Protection 11.0 RU6, all delivery of software and documentation is on DVD. Please ignore references to CDs.

[2054528]

Administration Guide for Symantec Endpoint Protection and Symantec Network Access Control

This section contains documentation issues for the Administration Guide for Symantec Endpoint Protection and Symantec Network Access Control.

Documentation incorrectly states that exporting data to a Syslog server can only be done with UDP

The documentation is incorrect. Either UDP or TCP/IP can be used.

[1997507]

Symantec Endpoint Protection Manager Help

This section contains documentation issues in context-sensitive help for Symantec Endpoint Protection Manager.

Help topic for the Communication Settings dialog box needs information about reconnection preferences

The Help for the Communications Settings dialog box needs the following description for the Reconnection Preferences group box.

You use the settings to keep the client computer in its current group, whether or not the client computer receives a new client installation package. Each client installation package includes a group setting, which can be different from a client computer's current group.

You can check the following settings:

  • Use the client's last-used group setting

    The client computer stays in the same group, no matter what client installation package is installed on that client computer.

  • Use the client's last-used User mode/Computer setting

    If a new user logs on to a client computer that is in user mode, the client stays in the previous user's group.

To access the Communications Settings dialog box, click Clients > Policies > Communications Settings. This feature is a group-specific feature only, not a location-specific feature.

[2073875]

Help topic for the Communication Settings dialog box cannot be accessed when the Use Group Communication Settings check box is disabled

The Communication Settings dialog box Help does not appear if you access the dialog box through a location that has the Use Group Communication Settings check box unchecked.

To access the Help, click Clients > Policies, expand Location-specific Settings, and, to the right of Communications Settings, click Tasks. Make sure that the Use Group Communication Settings check box is checked, click Edit Settings, and then click Help.

[2073854]

Help topic for the Data Collection tab does not appear

The Help topic for the Data Collection tab should say:

If you choose, Symantec can collect information about how you use the Symantec Endpoint Protection client, to help improve the product. When you initially configured an instance of Symantec Endpoint Protection Manager, you chose to allow or decline this data collection. You use this tab to change the setting that you chose during configuration.

To access the Data Collection tab, click Admin > Servers > Edit Site Properties > Data Collection.

Help topic for the Add Directory Server dialog box has an incorrect description

The description for the Add Directory Server dialog box for adding a replication directory server is incorrect. The dialog box displays one text field that is called Server IP Address or Name. The description of the text field should say "Enter the IP address or host name of the replication server."

To access the Add Directory Server dialog box

  1. In the console, click Admin, select a server under Local Site, and then under Tasks, click Edit Server Properties.
  2. In the Add Directory Server dialog box, click Replication Servers, and then click Add.

    [1748205]

Registry key help topics in Group Update Provider and Location Awareness lack some information

The help should include the following definitions:

  • Registry key

    The key is similar to a folder or path. For example: HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\SymProtect

  • Registry key name

    The name of the item in the registry key. For example: ServiceStatus

  • Registry value

    The value of the registry key name. For example: 0x00000000

[1805071]

Help content on scan duration is missing

The following options are missing from the context-sensitive help for scheduled scans. This help is missing on both the client and the console.

  • Scan Duration

    Specifies how long a scan should run. You can specify any of the following options:

  • Scan until finished

    This setting is recommended in most cases to optimize scan performance.

  • Scan for up to n hours

    This setting lets you control scan times in environments where resources may be limited. If a scan does not finish within the time period that is specified, the scan resumes at the next scheduled time. For randomized scans, the scan resumes at a randomized time during the specified interval. For example, if you configure the scan to run at 8:00pm and set the duration for up to 4 hours, a non-randomized scan starts or resumes at 8:00pm. For randomized scans, the scan starts or resumes at a randomly selected minute between 8:00pm and midnight.

  • Randomize the scan start time within this period.

    If you choose to limit the scan time, you can also specify Randomize scan start time within this period. Use this setting to scan virtual machines. Randomizing scans minimizes the chance of multiple scans starting at the same time and requiring high resource use on the host computer.

  • Missed Scheduled Scans

    Specifies when to restart a scan if the computer does not start a scan when it is supposed to. The Retry the scan within setting specifies the number of hours or days to wait before the scan runs again (Windows only). A scan may be missed because the computer was off or unable to start the scan for some other reason.

[2085007]

Installation Guide for Symantec Endpoint Protection and Symantec Network Access Control

This section contains documentation issues in the Installation Guide for Symantec Endpoint Protection and Symantec Network Access Control.

System requirements for Windows Server 2008 Hyper-V are not clear

The system requirements for Microsoft Virtual Servers state that Symantec software is supported on Windows Server 2008 Hyper-V. This statement requires clarification. Microsoft Hyper-V Server 2008 is not supported. The Hyper-V role on Windows Server 2008 is supported.

[1848688]

System requirements do not show the SP1 requirement for Windows Server 2003

The system requirements specify that Windows Small Business Server 2003 is supported on the Windows client. The system requirements should also mention that Service Pack 1 or later is required on both 32-bit and 64-bit systems.

[1917413]

Table title about supported and unsupported migrations for Mac client is confusing

The topic "Migrations that are supported and unsupported for the Mac client" includes a confusing title for the table that explains the migrations. The table title should read "Migration paths from Symantec AntiVirus for Mac to the Symantec Endpoint Protection Mac client."

Embedded database vs. SQL Server

The Installation Guide makes a confusing statement about when the embedded database should be used vs. when a SQL server should be used.

The first paragraph on "Upgrading from the embedded database to a SQL Server database," appearing on page 85 of the Installation Guide, should read as follows:

If you use an embedded database, you may decide to upgrade to a SQL Server database. The embedded database must always be hosted on the server that hosts Symantec Endpoint Protection Manager. If you want to split hosting between servers, you should configure the Symantec Endpoint Protection Manager to use a SQL Server database. Upgrading from an embedded to a SQL Server database can also facilitate converting a test deployment to a production network.

Getting Started with Symantec Endpoint Protection and Getting Started with Symantec Network Access Control

This section contains documentation issues in Getting Started with Symantec Endpoint Protection and Getting Started with Symantec Network Access Control.

Information about downloading Symantec Endpoint Recovery Tool is missing

The Symantec Endpoint Recovery Tool is new in RU6, and available from FileConnect. To download the tool, you use your Symantec Endpoint Protection serial number. You do not need a separate serial number.

For more information, see the knowledge base articles "About the Symantec Endpoint Protection Support Tool" and "The Symantec Endpoint Protection Support Tool."

Client Guide for Symantec Endpoint Protection and Symantec Network Access Control

This section contains documentation issues in the Client Guide for Symantec Endpoint Protection and Symantec Network Access Control or Symantec Endpoint Protection Client Help.

Help topic for the Antivirus and Antispyware Protection Logs: System Log dialog box does not appear

The Help topic for the Antivirus and Antispyware Protection System Log does not appear. To access the System log, on the Symantec Endpoint Protection client console, click View logs. Beside Antivirus and Antispyware Protection, click View Logs > System Log.

The Help should say:

The System Log contains daily records of the virus and security risk activities that are related to protection on your computer. These records, called events, include configuration changes, errors, and virus and security risk definitions file information, and are displayed with additional information. Actions that are inappropriate or that your administrator does not allow are unavailable.

[2074150]

Implementation Guide for Symantec Network Access Control Enforcement

This section contains documentation issues in the Implementation Guide for Symantec Network Access Control Enforcement.

Missing operating system requirements for an Integrated Enforcer for Microsoft DHCP Server

The topic "Operating requirements for an Integrated Enforcer for Microsoft DHCP Server" should include Windows Server 2008 32-bit. Other listed operating systems are for 32-bit systems only.

[2001144]

The description in the online Help for "Only do Host Integrity checking through the Gateway or DHCP Enforcer" is wrong

The description reads, "If you select this option and do not have an Enforcer, the client computer always checks the Host Integrity requirements." This description is incorrect. It should read, "If you select this option and do not have an Enforcer, the client computer does not check the Host Integrity requirements."

[1967964]

List of supported antivirus products is outdated for Host Integrity policies

The list of supported antivirus products is outdated for Host Integrity policies. The following products are currently supported:

  • AhnLab V3 Internet Security 7.0 Platinum

  • AVG AV 8.0

  • AVG IS 8.0

  • BitDefender IS 2008

  • BitDefender TotalSecurity 2008

  • CA Antivirus 2008, 2009

  • CA Internet Security 2008, 2009

  • CA eTrust Antivirus r8.1

  • CA ez Antivirus r8.2

  • Kaspersky Antivirus 7.0

  • Kaspersky Internet Security 7.0

  • McAfee VirusScan Enterprise 8.0i, 8.5i, 8.7i

  • McAfee Internet Security 2008, 2009, 2010

  • McAfee Total Protection 2009, 2010

  • McAfee VirusScan Plus 2008, 2009, 2010

  • Microsoft ForeFront

  • Microsoft LiveOneCare

  • Panda Antivirus+Firewall 2008

  • Panda Antivirus 2008, 2009

  • Panda Internet Security 2008, 2009

  • Panda IS_Platinium 2006

  • Panda Titanium 2006, 2007

  • Sophos 5.x, 6.x, and 7.x

  • Symantec Endpoint Protection, all versions

  • Symantec Norton AntiVirus 2008, 2009, 2010

  • Symantec Norton Internet Security 2008, 2009, 2010

  • Symantec Norton 360 3.x

  • Trend Internet Security 2008, 2009

  • Trend Pc-cillin 2006, 2007

  • Trend OfficeScan 7.3, 8.0

  • Trend Server Protector

[2017353]

Windows On-Demand client only requires 100 MB of additional disk space

The documentation for the Windows On-Demand client incorrectly states that the client requires 9 GB of free disk space. This figure includes the space needed by the operating system. Only 100 MB is required for the On-Demand client itself.

[1890832]

Enforcer local database size greatly increased

The readme.html file for Symantec Endpoint Protection RU6 incorrectly stated that only 256 MAC addresses could be maintained in the Enforcer local database.

The current Enforcer local database size has been increased to 32 MB. This means that DHCP and LAN Enforcers can include 1 million MAC addresses, and the Gateway Enforcer can include 1 million IP addresses.

[2073034]

On-Demand client documentation incomplete

The following material is missing from the documentation for the Windows and Mac On-Demand clients:

  • CLI commands:

    • On-Demand/enable

    • On-Demand/disable

    • On-Demand/persistent

      • persistent duration {days <1-365> | once | unlimited}

    • On-Demand/web-server

      • web-server/import-cert tftp IP-ADDRESS root-cert CERT-NAME server-cert CERT-NAME server-key KEY-VALUE password PASSWORD-VALUE

      • PROTOCOL { http | https }

      • verify-client { enable | disable }

Note:

The persistence option is only applicable for Mac On-Demand clients.

[2178933]

System requirements for the On-Demand Client are missing

The following system requirements for browsers and operating systems for the On-Demand Client are missing from the current documentation.

Table: On-Demand Client system requirements

Type of compatibility

System requirements

Windows On-Demand Client browser compatibility

  • Microsoft Internet Explorer 6.0, 7.0, 8.0

  • Firefox 2.0, 3.0, 3.5, 3.6.3

    Note:

    Version RU6 is not compatible with Firefox 3.6.3. That compatibility was added in version RU6a MP1.

Windows On-Demand Client operating system compatibility

  • Windows 2000 SP4

  • Windows 2003 SP2

  • Windows XP Professional SP2 (x86)

  • Windows XP Professional SP3 (x86)

  • Windows Vista (x86) SP1/SP2

  • Windows Vista (x64) SP1/SP2

  • Windows 2008 (x86)

  • Windows 2008 (x64)

  • Windows 7 (x86)

  • Windows 7 (x64)

Mac On-Demand Client browser compatibility

  • Firefox 2.0, 3.0, 3.5, 3.6.3

    Note:

    Version RU6 is not compatible with Firefox 3.6.3. That compatibility was added in version RU6a MP1.

  • Safari 4.0, 5.0

Mac On-Demand Client operating system compatibility

  • Mac OS X 10.4, 10.5, 10.6

[2176433]

Managing Symantec Protection Center

The Symantec Protection Center has been enhanced to manage several VeriSign hosted services. Instructions appear in the following material.

Configuring Protection Center to manage VeriSign services

Because VeriSign products are hosted services, the information that you provide to configure Protection Center to manage them is slightly different.

To configure Protection Center to manage Managed PKI for SSL

  1. On the Symantec Protection Center Dashboard, or on the main Settings page, click Add a product to manage.
  2. Enter the following information in the specified fields:

    New product display name

    Type any string that you want to use to identify this instance of Managed PKI for SSL in Protection Center.

    Product type

    Select Managed PKI for SSL from the drop-down list.

    Product address

    For access to a pilot (pre-production) system, type pilot-spc-ssl-admin.verisign.com.

    For access to a production system, type spc-ssl-admin.verisign.com.

    Product user name

    Type mpki.

    Product password

    Type mpki.

    Do not change any other settings. Leave the defaults.

  3. Click Test Connection to make sure that Protection Center can communicate with your product.
  4. Click Add Product.

To configure Protection Center to manage Managed PKI

  1. On the Symantec Protection Center Dashboard, or on the main Settings page, click Add a product to manage.
  2. Enter the following information in the specified fields:

    New product display name

    Type any string that you want to use to identify this instance of Managed PKI in Protection Center.

    Product type

    Select Managed PKI from the drop-down list.

    Product address

    For access to a pilot (pre-production) system, type pilotonsite-admin.verisign.com.

    For access to a production system, type onsite-admin.verisign.com.

    Product user name

    Type mpki.

    Product password

    Type mpki.

    Do not change any other settings. Leave the defaults.

  3. Click Test Connection to make sure that Protection Center can communicate with your product.
  4. Click Add Product.

To configure Protection Center to manage VeriSign Identity Protection

  1. On the Symantec Protection Center Dashboard, or on the main Settings page, click Add a product to manage.
  2. Enter the following information in the specified fields:

    New product display name

    Type any string that you want to use to identify this instance of VeriSign Identity Protection in Protection Center.

    Product type

    Select VIP Manager from the drop-down list.

    Product address

    Type vipmanager.verisign.com.

    Product user name

    Type the user name for the VIP Manager account to use in Protection Center.

    Product password

    Type the password for the VIP Manager account.

    Do not change any other settings. Leave the defaults.

  3. Click Test Connection to make sure that Protection Center can communicate with your product.
  4. Click Add Product.

Third-party issues

This section includes information about third-party issues.

Symantec Endpoint Protection or Symantec Network Access Control client and a Nortel VPN client both fail to start when installed at the same time with Nortel VPN AutoConnect enabled

If a Nortel VPN client and a Symantec Endpoint Protection or Symantec Network Access Control client are installed at the same time and the Nortel AutoConnect feature is enabled, then when the computer is restarted, neither client starts and neither notification area icon appears. Restarting the computer may resolve the issue. If it does not, then as a workaround, disabling Nortel AutoConnect allows the Symantec Endpoint Protection or Symantec Network Access Control client to start. Because the VPN server can enable the AutoConnect feature, the user may need to disable the AutoConnect feature after every VPN connection.

Trend Micro OfficeScan 7.3 conflicts and installation order

To run Trend Micro OfficeScan 7.3 with Symantec client software, you must install Trend Micro OfficeScan first, and then install Symantec client software. Otherwise, when the Trend Micro OfficeScan installer detects LiveUpdate, it attempts to uninstall it, fails, and exits.

The firewall does not work with Google Web Accelerator and Internet Explorer

The firewall does not work with Google Web Accelerator in combination with Internet Explorer. This issue affects any Symantec Endpoint Protection client that has both Internet Explorer and Google Web Accelerator installed. The issue occurs when the client computer tries to use a firewall rule to block access to a remote Web site. All platforms are affected. Symantec Corporation recommends that you avoid using Internet Explorer and Google Web Accelerator in combination with the firewall. No workaround exists for this issue.

Legal Notice

Copyright © 2011 Symantec Corporation. All rights reserved.

Symantec, the Symantec Logo, LiveUpdate, Sygate, Symantec AntiVirus, Bloodhound, Confidence Online, Digital Immune System, and Norton are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations.  Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.