Release Notes for Symantec Endpoint Protection and Symantec Network Access Control, version 11, Release Update 7

Transcription

1 Release Notes for Symantec Endpoint Protection and Symantec Network Access Control, version 11, Release Update 7 Revision Date: Tuesday, May 24, 2011, 11:00 a.m. PDT

2

3 Release Notes for Symantec Endpoint Protection and Symantec Network Access Control, version 11, Release Update 7 This document includes the following topics: About this document What's new in Symantec Endpoint Protection and Symantec Network Access Control 11 Release Update 6, MP2 and MP3 What's new in Symantec Endpoint Protection and Symantec Network Access Control 11 Where to get more information What you need to know before you install or update your software User documentation changes summary Resolved issues in this release Components in this release Legal Notice

4 4 Release Notes for Symantec Endpoint Protection and Symantec Network Access Control, version 11, Release Update 7 About this document About this document Please review this document in its entirety before you install or roll out Symantec Endpoint Protection, Symantec Network Access Control, or call for technical support. It describes known issues and provides additional information that is not included in the standard documentation or the context-sensitive help. You can find the latest version of the Readme file by using the following link: readme_sep_11.0_ru7 Localized versions of the readme file The readme has been translated into other languages. Your browser may automatically have switched to your chosen language. If it has not switched, click one of the links below. German Italian French Brazilian Portuguese Spanish Japanese Korean Simplified Chinese Traditional Chinese Russian Polish Czech What's new in Symantec Endpoint Protection and Symantec Network Access Control 11 Release Update 6, MP2 and MP3 This release contains all of the features that were delivered in version , plus the following new features.

5 Release Notes for Symantec Endpoint Protection and Symantec Network Access Control, version 11, Release Update 7 What's new in Symantec Endpoint Protection and Symantec Network Access Control 11 5 Table 1-1 Feature New features in this release Benefit FIPS level 1 compliance Group Update Provider support for the HTTPS protocol VeriSign support in Symantec Protection Center Updated tools on the product disc You can deploy Symantec Endpoint Protection with a FIPS-compliant configuration to protect its server-to-server communication and console-to-server communication. You can now configure the Group Update Provider to use the HTTPS protocol as well as the HTTP protocol to deliver content. Symantec Protection Center is now configured to manage three VeriSign hosted services: Managed PKI, Managed PKI for SSL, and VeriSign Identity Protection. Symantec Endpoint Protection includes the following updated tools: Symantec Endpoint Protection Integration Component version 7.0 SP2 and version 7.1 The Symantec Endpoint Protection Integration Component enables you to perform common Symantec Endpoint Protection client operations from the Symantec Management Console. Symantec IT Analytics You can install the Symantec Management Platform, which enables you to share data between Symantec Endpoint Protection and other platform services. See What's new in Symantec Endpoint Protection and Symantec Network Access Control 11 on page 5. See Configuring Protection Center to manage VeriSign services on page 36. What's new in Symantec Endpoint Protection and Symantec Network Access Control 11 The current release includes the following improvements that make Symantec Endpoint Protection and Symantec Network Access Control easier and more efficient to use.

6 6 Release Notes for Symantec Endpoint Protection and Symantec Network Access Control, version 11, Release Update 7 What's new in Symantec Endpoint Protection and Symantec Network Access Control 11 Table 1-2 New features in this version Feature A Web-based console provides a single sign-on capability for registered Symantec products Benefit Symantec Protection Center is a Web-based console that enables you to access and manage multiple, Symantec products. The console provides visibility and analytics across products as well as useful security feedback and attack statistics. A Web-based console for Symantec Endpoint Protection Manager provides easier remote management access The console provides a single sign-on screen for the following registered Symantec products: Symantec Endpoint Protection Symantec Critical System Protection Symantec Web Gateway Symantec Brightmail Gateway Symantec IT Analytics Symantec Data Loss Prevention You can access Symantec Endpoint Protection Manager remotely in a Web-based console. The Java-based remote console is also still available. Symantec Endpoint Protection includes client software to run on a Mac computer Scheduled scans can start at random times Enhanced default Antivirus and Antispyware security policies You can use Symantec Endpoint Protection Manager to manage Mac clients that run Symantec software to provide virus and spyware protection on Mac OS X computers. You can specify a time interval during which scheduled scans start, and enable the scans to start at different times within that time interval. By running scans at random times, you can increase scan performance, especially in virtualized environments. For new product installations, changes in the default security policies make Symantec Endpoint Protection more efficient at detecting malware. Customers who upgrade to Symantec Endpoint Protection version 11 RU6 MP2 or MP3 do not receive new default policies. To see the new recommended Antivirus and Antispyware security policies settings so that you can make the settings changes in your policies manually, see Security Response recommendations for Symantec Endpoint Protection settings.

7 Release Notes for Symantec Endpoint Protection and Symantec Network Access Control, version 11, Release Update 7 Where to get more information 7 Table 1-2 New features in this version (continued) Feature The Symantec Endpoint Recovery Tool scans and removes malware from severely infected computers Benefit The SymantecEndpointRecoveryTool provides an image that you can burn on a disc, and then use to scan and remove malware from client computers. You use this tool for the computers that are too infected for Symantec Endpoint Protection to clean effectively. You can download the tool from the following URL: You need your Symantec Endpoint Protection serial number to download the tool. Host Integrity policies check for additional security software You can run a Host Integrity check to see whether the client computers run the following software: Norton Antivirus 2010 Norton Internet Security 2010 Norton 360 Version 3.0 Symantec Endpoint Protection Version 11 Release Update 6, MP2 or MP3 McAfee Internet Security 2010 McAfee VirusScan Plus 2010 McAfee Total Protection 2010 McAfee VirusScan Enterprise 8.7i Where to get more information Sources of information include the following: Getting Started with Symantec Endpoint Protection Getting Started with Symantec Network Access Control Installation Guide for Symantec Endpoint Protection and Symantec Network Access Control Administration Guide for Symantec Endpoint Protection and Symantec Network Access Control Client Guide for Symantec Endpoint Protection and Symantec Network Access Control Implementation Guide for Symantec Network Access Control Enforcement LiveUpdate Administrator Getting Started Guide LiveUpdate Administrator User's Guide

8 8 Release Notes for Symantec Endpoint Protection and Symantec Network Access Control, version 11, Release Update 7 Where to get more information Symantec Central Quarantine Implementation Guide Symantec Client Firewall Policy Migration Guide Symantec Endpoint Protection Manager Database Schema Reference Guide Symantec Endpoint Protection 11.0 Windows Small Business Server Best Practices White Paper Tool-specific documents, located in some subdirectories of the Tools folder on the product disc Readme file, located in the root folder of the installation product disc. Note: You can find the latest version of this Readme file by using the following link: readme_11.0_ru6_mp3 Online Help that contains the information that is in the guides plus context-specific content The primary documentation is available in the Documentation folder on the product disc. Updates to the documentation are available from the Symantec Technical Support Web site. Table 1-3 Symantec Web sites Types of information Symantec Endpoint Protection trial version Public Knowledge Base Releases and updates Web address Manuals and documentation updates Contact options Release notes and additional post-release information Virus and other threat information and updates Product news and updates Symantec Endpoint Protection forums board.id=endpoint_protection11

9 Release Notes for Symantec Endpoint Protection and Symantec Network Access Control, version 11, Release Update 7 What you need to know before you install or update your software 9 Table 1-3 Symantec Web sites (continued) Types of information Symantec Network Access Control forums Web address network-access-control What you need to know before you install or update your software System requirements for Symantec Endpoint Protection and Symantec Network Access Control and other material to consider before installation are located in the Getting Started with Symantec Endpoint Protection and Getting Started with Symantec Network Access Control documents, and in the Installation Guide. See Latest documentation on page 32. The Common Topics page of the Support site provides individual articles and links that are designed to provide installation assistance, best practices, and FAQs. Installing the product for the first time You can use the following main steps to install the product on a computer on which a version is not already installed. Table 1-4 Process for installing the product Step Step 1 Step 2 Action Review system and installation requirements Plan and prepare for the installation Description Confirm that your network and the computers you plan to use meet the requirements to install and run the software. Decide which type of database to use, plan your deployment, and prepare client computers. Step 3 Install Symantec Endpoint Protection Manager Run the installation program from the product disc. The program first installs the management server software. It then configures the management server and creates the database. Follow the procedure that corresponds to the type of database you select. See Symantec Endpoint Protection Manager requires TCP port 9090 by default on page 11.

10 10 Release Notes for Symantec Endpoint Protection and Symantec Network Access Control, version 11, Release Update 7 What you need to know before you install or update your software Table 1-4 Process for installing the product (continued) Step Step 4 Action Create and deploy a client installation package Description After you configure the database, you are asked if you want to run the Migration and Deployment Wizard. This wizard creates and then pushes out a default client software installation package. Alternately, you can: Use the Migration and Deployment Wizard from the Start menu at any time. Create and deploy client software at a later time using the Find Unmanaged Computers utility in the console. Note: If this installation is an upgrade deployment from Symantec Endpoint Protection, there is no need to re-deploy the client. The installation of Symantec Network Access Control activates the Symantec Network Access Control features on the client without further deployment. To view this topic with links to the procedures listed above, go to the following URL: Upgrading to a new release of Symantec Endpoint Protection or Symantec Network Access Control You can upgrade to the latest release update of Symantec Endpoint Protection or Symantec Network Access Control. To install a new version of the software, you must perform certain tasks as part of your upgrade plan to ensure a successful upgrade. The information in this section is specific to upgrading software in environments where a version of Symantec Endpoint Protection or Symantec Network Access Control 11.x is already installed. Table 1-5 Process for upgrading to the latest release update Step Step 1 Action Back up the database Description Back up the database used by the Symantec Endpoint Protection Manager to ensure the integrity of your client information. Step 2 Turn off replication Turn off replication on all sites that are configured as replication partners. This avoids any attempts to update the database during the installation.

11 Release Notes for Symantec Endpoint Protection and Symantec Network Access Control, version 11, Release Update 7 What you need to know before you install or update your software 11 Table 1-5 Process for upgrading to the latest release update (continued) Step Step 3 Action If you have Symantec Network Access Control installed, enable local authentication Description Enforcers are not able to authenticate clients during an upgrade. To avoid problems with client authentication, Symantec recommends that you enable local authentication before you upgrade. After the upgrade is finished, you can return to your previous authentication setting. Step 4 Step 5 Stop the Symantec Endpoint Protection Manager service Upgrade the Symantec Endpoint Protection Manager software The Symantec Endpoint Protection Manager service must be stopped during the installation. Install the new version of the Symantec Endpoint Protection Manager on all sites in your network. The existing version is detected automatically, and all settings are saved during the upgrade. Step 6 Turn on replication after the upgrade Turn on replication when the installation is complete to restore your configuration. Step 7 Upgrade Symantec client software Upgrade your client software to the latest version. To view this topic with links to the procedures listed above, go to the following URL: Symantec Endpoint Protection Manager requires TCP port 9090 by default Symantec Endpoint Protection Manager uses TCP 9090 to display the Symantec Endpoint Protection Manager console. If other software is listening on this port, you cannot log on to the Symantec Endpoint Protection Manager console. Note that Symantec IM Manager uses TCP port If you are required to run Symantec Endpoint Protection Manager console on a computer that also requires other software that uses TCP port 9090, you can change the port for Symantec Endpoint Protection Manager console. To change TCP port 9090, edit the following file with WordPad (Notepad does not correctly show the XML line feeds): \Symantec\Symantec Endpoint Protection Manager\tomcat\conf\server.xml Search for port=9090 and change 9090 to a different TCP port number. Save the file, and then restart Symantec Endpoint Protection Manager with the

12 12 Release Notes for Symantec Endpoint Protection and Symantec Network Access Control, version 11, Release Update 7 User documentation changes summary Administrative Tools > Services utility. You can then log on to the Symantec Endpoint Protection Manager console. Be aware, however, that changing port 9090 partially disables the online Help system. Every time you use Help, you will have to change 9090 in the URL to the changed port number to display the Help text. See The default port for Enforcer communication with Symantec Endpoint Protection Manager is 8014 on page 12. The default port for Enforcer communication with Symantec Endpoint Protection Manager is 8014 The default port for non-encrypted communication (HTTP) with the Symantec Endpoint Protection Manager has been changed from 80 to Encrypted communications (HTTPS) continue to use port 443. This port setting applies to all types of Enforcers. User documentation changes summary This release includes some updates to the following documents: Readme HTML file for Symantec Endpoint Protection and Symantec Network Access Control Read this first HTML file for Symantec Endpoint Protection Release notes for Symantec Endpoint Protection and Symantec Network Access Control This release includes the following new document: FIPS deployment guide: Symantec Endpoint Protection version 11, RU 6a, MP 2 and later FIPS Deployment Guide, found here. See Where to get more information on page 7. See Latest documentation on page 32. The issues in this section are new for Symantec Endpoint Protection version 11, RU6 MP2 and MP3. For a more detailed list of issues that are known but not resolved, see the readme.html file that accompanies the release. You can also view it on the Symantec Support site, at the following location:

13 Release Notes for Symantec Endpoint Protection and Symantec Network Access Control, version 11, Release Update 7 13 readme_11.0_ru6_mp3 Upgrades, installation, uninstallation, and repair issues This section contains information about upgrades, installation, uninstallation, and repair issues. UPGRADES PHP files do not get migrated (replaced) correctly when you do an overinstall to a newer version of Symantec Endpoint Protection Manager Root Cause: PHP files that are modified (as shown in the time stamp) will not get replaced by MSI during an overinstall since they are unversioned files and MSI has a rule that notes unversioned files that get modified outside of the installer, and does not replace them in the next installation. This is useful for text files like.ini files, but causes the Symantec installation to fail. Resolution: Do not modify a PHP file. Symantec does not support unwarranted modification of Symantec PHP files. If there is a reason to modify temporarily, save the original, make the modification, and restore the original later. [ ] When you upgrade SQL Server from SQL Server 2000 to SQL Server 2008, Symantec Endpoint Protection Manager does not start This failure is caused by a change in SQL Server 2008 configuration. To work around this issue: 1. Run the MS SQL Server Configuration Manager. 2. Open SQL Server Network Configuration. 3. Enable IP1 and IP2. Close the Configuration Manager. 4. Restart the SQL service, as recommended by the Configuration Manager. 5. Run the Symantec Management Server Configuration Wizard. 6. Select Reconfigure the management server, and then click Continue. Complete the reconfiguration steps, retaining the existing settings. The database connection is re-established. [ ] Speeding up Auto-Protect by enabling the network cache Users can see a significant improvement in file performance over networks by implementing the following steps.

14 14 Release Notes for Symantec Endpoint Protection and Symantec Network Access Control, version 11, Release Update 7 On Symantec Endpoint Protection Manager, enable the network cache, which is disabled by default: Click Policies > Antivirus and Antispyware Policy > File System Auto-Protect, and then click to enable the Network box. Another option is to click Network Settings and click to clear Trust files on remote computers running Auto-Protect. On the Symantec Endpoint Protection client, enable the network cache, which is disabled by default. Click Change settings > Antivirus and Antispyware Protection > Configure Settings > File System Auto-Protect > Advanced > Network. As with the server, another option is to click Network Settings and click to clear Trust files on remote computers running Auto-Protect. [ ] Upgrading Symantec Endpoint Protection Manager server from version 11.0 RU7 to version 12.1 is not currently Symantec Endpoint Protection Manager server version 11.0 RU7 cannot migrate to Symantec Endpoint Protection Manager server 12.1 due to database schema differences between the two products. This migration path is blocked with an error message. If you plan to migrate to Symantec Endpoint Protection Manager 12.1 in the near future, stay with your existing Symantec Endpoint Protection Manager version and migrate from that version. Symantec Endpoint Protection Manager 11.0 RU7 supports migration to Symantec Endpoint Protection Manager 12.1 MP1. Note: This limitation only applies to the Symantec Endpoint Protection Manager server. Client migration from Symantec Endpoint Protection 11.0 RU7 to Symantec Endpoint Protection 12.1 is fully. [ ] INSTALLATION ISSUES LiveUpdate wizard might display an error on Windows Vista This only happens with a command-line installation, using the "ReallySuppress" flag, and only on Windows Vista. Solution: Do not use command-line installation for this case. Instead, export a package that is configured to run silently. No error prompt appears. [ ]

15 Release Notes for Symantec Endpoint Protection and Symantec Network Access Control, version 11, Release Update 7 15 Migration issues QServer and QConsole do not install or work properly on Windows 7 This is known behavior. QServer and QConsole are not on Windows 7 and should not be used. [ ] Custom packages created by a Limited Administrator point only to the Default Group When a Limited Administrator creates a custom package with a specific group assignment, that assignment fails. The clients that install that package are assigned to the Default Group. Solution: To set assignments in a custom package, a System Administrator must create the package. [ ] Certificate mismatch appears when you check certificates when doing replication Problem: You get "certificate mismatch" when you click Check Certificate when doing replication To prevent this error, you need to click Check Certificate before Replication takes place. Trigger condition: Two Sites (Site A and Site B) are Replication Partners. The first server (which does replication) of Site A updates a new Certificate. Correcting certificate mismatch for successful replication 1 Open the console and connect to the first server of Site B. 2 Go to the Admin Panel. Open the Servers page. Locate the Replication Partner "Site A" in the Site Tree. Click the Check Certificate Task on the Replication Partner Site A. 3 The New Certificate dialog appears. Click OK to trust this new Certificate. 4 Do replication. [ ] This section contains information about migration. Web site for the latest migration information You can find the latest information about migration at the following Web site:

16 16 Release Notes for Symantec Endpoint Protection and Symantec Network Access Control, version 11, Release Update 7 When you migrate from SSEP 5.1 MR8 to Symantec Endpoint Protection 11.0 MR4, create only 32-bit client installation packages The management server automatically upgrades a Symantec Sygate Protection Agent version 5.1 to a Symantec Endpoint Protection MR4 client by using a 32-bit client installation package, and not a 64-bit client installation package. This occurs only if you are migrating from Symantec Sygate Enterprise Protection MR8 MP1 or earlier to Symantec Endpoint Protection MR4. When you migrate from SSEP 5.1 MR8 to Symantec Endpoint Protection 11.0 MR4, the client might receive the wrong package The SSEP 5.1 MR8 agent cannot determine whether to request the 32-bit client installation package or the 64-bit client package for download from the management server. Therefore, the 32-bit client computer might receive the wrong package. To work around this issue, create a group for 32-bit computers and a group for 64-bit computers. Then, deploy the appropriate package to each group. Migrating legacy Symantec AntiVirus servers to Symantec Endpoint Protection clients does not unshare the VPHOME directory Legacy Symantec AntiVirus and Symantec Client Security servers create and use a shared directory. The location of the shared directory is \\Program Files\SAV. The name of the share is VPHOME. In some instances, after migration to Symantec Endpoint Protection client, this directory and share is retained with read-only permission. To delete the VPHOME share: 1 Right-click the \\Program Files\SAV directory. 2 Click Properties. 3 In the SAV Properties dialog box, on the Sharing tab, click Do Not Share This Folder, if it is enabled.

17 Release Notes for Symantec Endpoint Protection and Symantec Network Access Control, version 11, Release Update 7 17 Upgrading Symantec Network Access Control unmanaged client to Symantec Endpoint Protection unmanaged client requires a restart If you install a Symantec Network Access Control unmanaged client on a computer, and then install a Symantec Endpoint Protection client as an upgrade on the same computer, you must manually restart the computer. No restart prompt appears. The Symantec Endpoint Protection client status is colored red until this restart occurs. Migrating unmanaged clients does not use a blank serdef.dat file Earlier versions of the Installation Guide for Symantec Endpoint Protection gave instructions for using a blank Serdef.dat file. Those instructions are no longer valid, and migration is done internally to the product. [ ] Symantec Protection Center and Symantec Endpoint Protection Manager Web console issues This section contains information about Symantec Protection Center and the Symantec Endpoint Protection Manager Web console. Symantec Protection Center and Symantec Endpoint Protection Manager Web console - need to set Internet Explorer to display mixed content To run Symantec Protection Center or the Symantec Endpoint Protection Manager Web console, you must enable mixed content in Internet Explorer. To enable mixed content, click No in the Security Warning dialog box that appears when you first log on. [ ] The Symantec Protection Center Dashboard does not reproduce readable text when you change text size in the browser menu to Largest or Smallest Making these changes is not currently. Symantec recommends that you leave the text size at the default setting of Medium. [ ]

18 18 Release Notes for Symantec Endpoint Protection and Symantec Network Access Control, version 11, Release Update 7 Brightmail Gateway host configuration stops responding in Symantec Protection Center If you edit host configuration settings in Symantec Brightmail Gateway, the server stops responding. You must restart Symantec Protection Center from the initial launch page. [ ] Configuring Symantec Protection Center to use a proxy server In some situations, Symantec Protection Center requires the use of a proxy server. To configure the proxy server, edit the portal.properties file to include the appropriate settings. The portal.properties file is located in the <install_sepm_directory>\tomcat\portal folder. These properties are specified only on the server. Nothing needs to be done on the client. You can set the following properties: portal.proxy.enable Enables and disables the use of the proxy settings. The possible values are true and false. Example: portal.proxy.enable=true portal.proxy.hostname Specifies the proxy hostname. Example: pprtal.proxy.hostname= portal.proxy.port Specifies the proxy port. Example: portal.proxy.port=808 portal.deepsight.enable Enables and disables the DeepSight feeds that are shown on the Dashboard. The possible values are true and false. Example: portal.deepsight.enable=true Special guidelines: The Symantec Endpoint Protection Manager must be installed on a private network. Example: the xx network. The proxy server is assumed to run on port 80. If another port is used, you must specify it. After you set or modify the parameters in the portal.properties file, you must restart the Symantec Endpoint Protection Manager service. [ ]

19 Release Notes for Symantec Endpoint Protection and Symantec Network Access Control, version 11, Release Update 7 19 Right-To-Left Document option in Internet Explorer adds space to left of text If you choose the Right-To-Left Document option in Internet Explorer, an extra space is displayed at the left end of the text. [ ] Enhancements to filtering which clients you can view on the Clients tab You can display which clients in a group appear on the Clients tab, based on the operating system or account type. You can display or hide which computers are connected to the management server. You can also configure how many clients appear on each page to make the list easier to manage. There is now a new Client View Filter setting that is retained by the Management Server and stored with the login name of the individual administrator or limited administrator. If an administrator sets a filter condition, that condition is retained for that administrator. Different administrators will see only the filters that they have set themselves. [ ] Symantec Endpoint Protection Manager policy issues This section includes information about working with policies in Symantec Endpoint Protection and Symantec Network Access Control. ANTIVIRUS AND ANTISPYWARE POLICIES This section includes the known issues information related to Antivirus and Antispyware policies. The default settings for several Antivirus and Antispyware policies have changed The default policy that you add includes the following changes: For File System Auto-Protect: Under Remediation, Terminate processes automatically is enabled. Under Remediation, Stop processes automatically is enabled. On the Actions tab, the action for Security Risks is set to Quarantine risk and Delete risk. All types of Auto-Protect are enabled.

20 20 Release Notes for Symantec Endpoint Protection and Symantec Network Access Control, version 11, Release Update 7 The High Security policy includes the following changes All padlocks are locked, so that the end user cannot configure the settings on the client. All types of Auto-Protect are enabled. The Bloodhound level is set to Maximum. [ ] Clients may show "outdated" warning for definitions even though "display a warning" is disabled On the Miscellaneous > Notifications tab, if the Display a warning when definitions are outdated setting is unchecked, the client might still display an outdated definitions message. You might need to specify a greater number of days and remediation attempts the client allows. [ ; ] Windows Security Center cannot be configured on Windows Vista or Windows 7 You cannot use an Antivirus and Antispyware policy to configure Windows Security Center on your client computers that run Windows Vista or Windows 7. [ ] NETWORK THREAT PROTECTION POLICIES This section includes the known issues information related to Network Threat Protection policies. The Next option appears disabled in selecting a single exception signature for Intrusion Prevention policies In the Intrusion Prevention policy, you can add a single signature as an exception that the policy ignores. To add the exception, in the Intrusion Prevention policy, click Exceptions, and then click Add. From the list of signatures that appear, you can select a single signature or select all. If you select a single signature, the Next button should be enabled, but is not. To work around this issue, click Select All. The Next option is enabled. You can then select individual signatures and the Next option continues to be enabled. [ ]

21 Release Notes for Symantec Endpoint Protection and Symantec Network Access Control, version 11, Release Update 7 21 PROACTIVE THREAT PROTECTION POLICIES This section includes the known issues information related to Proactive Threat Protection policies. Application and Device Control white list process appears not to use the %tmp% folder correctly This occurs because the tool used for adding white list items is in the system context, and not the user context. For example, adding the Windows XP entry '%temp%' refers to 'c:\windows\temp' and not 'c:\documents and Settings\<username>\Local Settings\Temp'. Best practice: When adding white list entries, use the explicit path whenever possible. [ ] Application and Device Control rules do not block "Read" access to folders when using Windows 7 This is caused by a difference in the way that Windows 7 codes its read requests, as opposed to how they are coded in Windows XP. Symantec does not anticipate a fix and recommend against attempting to block entire folders. [ ] System Lockdown recovery instructions are unclear System Lockdown works by blocking all files that you have not already deemed as safe. Detailed instructions for setting up the File Fingerprint list for System Lockdown appear on page 567 of the Administration Guide for Symantec Endpoint Protection and Symantec Network Access Control. If you mistakenly did not include a core Windows program on the File Fingerprint list, you need to correct the omission before restarting your clients. You can either disable System Lockdown on Symantec Endpoint Protection Manager, or add the file fingerprints that are missing, following the instructions on page 567. The next step is to restart the client computers in Safe Mode with Network Support. This restart will correct the issue by allowing the clients to download updated policies from Symantec Endpoint Protection Manager. Restarting in Safe Mode with Network Support is only necessary in this case of the computer being unable to restart. A SafeModewithNetworkSupport restart, in that case, will resolve the issue. Otherwise, a simple restart is sufficient. [ ]

22 22 Release Notes for Symantec Endpoint Protection and Symantec Network Access Control, version 11, Release Update 7 CENTRALIZED EXCEPTIONS POLICIES This section describes the known issues related to Centralized Exceptions policies. Cannot browse to folders and files to add centralized exceptions on clients Because of the file redirection feature on 64-bit operating systems, the user cannot add the native Windows system32 folder as an exception on the client. For example, if the user adds %windier%\system32\inetinfo.exe as an exception, Windows automatically redirects the client to the 32-bit subsystem Windows system32 directory, which is %windir%\syswow64. To work around this issue, you must log on to the Symantec Endpoint Protection Manager and create an exception in the Centralized Exception policy for the file or folder in question. [ ] Reporting This section contains material that is related to monitoring and reporting issues. Still Infected includes count of items moved to Quarantine on Mac clients For Mac client computers, if a virus is detected and moved to the Quarantine, the Symantec Endpoint Protection Manager console displays the virus as both Still Infected and Quarantined. The Still Infected action does not automatically update for Mac clients. To work around this issue, you can manually clear the Still Infected action by running the Update Content and Scan command from Symantec Endpoint Protection Manager for the client computers. For more information, see "Updating definitions and rescanning" in the Administration Guide for Symantec Endpoint Protection and Symantec Network Access Control. Internet Explorer may close unexpectedly when you review virus definitions in the Symantec Endpoint Protection Manager console Home page In the console, you can view virus definitions on the Home page by clicking Virus Definitions Distribution. If you view multiple virus definitions, Internet Explorer

23 Release Notes for Symantec Endpoint Protection and Symantec Network Access Control, version 11, Release Update 7 23 may close unexpectedly. This issue occurs if you run Internet Explorer 6 SP 2 or earlier. To work around the issue, upgrade to Internet Explorer 6 SP 3 or later. [ ] Clicking on an unacknowledged notifications alert fails to return focus to the Home page after the alert displays On the Home page, you can click the Unacknowledged notifications link in the Status Summary pane and view the notifications. However, if you then click the Home page again, the Home page might not appear. This is only an issue on Windows XP with Service Pack 3 running Internet Explorer 7 or 8. Solution: Change the security setting for your Internet zone to Medium-low or Low. Medium or High blocks the display of the Home page. [ ] Managing reports owned by a deleted administrator When an administrator is deleted, the person doing the deletion will be asked if the reports belonging to the deleted administrator should be saved. If the response is "yes," the reports that the deleted administrator owned will have their ownership changed. The new ownership will show as: "OriginalName+ (AdminName) ". For example, there is a scheduled report named "Monday_risks_report," created by the admin JSmith. This report name now appears as "Monday_risks_report(JSmith)". [ ] Audit report filter will have the domain name of "??" after upgrading to RU7 if the domain name contains a non-english character To work around this issue, do the following after upgrading to RU7: 1. Modify the audit filter with the correct domain name. 2. Save the filter at the console. [ ] Changes made to syslog display The display of syslog events has changed in response to customer requests:

24 24 Release Notes for Symantec Endpoint Protection and Symantec Network Access Control, version 11, Release Update 7 The source computer IP no longer shows " " as its address. It now shows a blank in the syslog. The IP Address field has been added to syslog to contain the address of computers on which risks are detected. Both settings appear in exported syslogs. [ ] Symantec Endpoint Protection and Symantec Network Access Control Windows client issues This section contains information about Symantec Endpoint Protection clients and Symantec Network Access Control clients on Windows computers. The Symantec Endpoint Protection client sometimes fails to restart when the user clicks Restart Now This has only been observed on Windows 7, and only intermittently. To work around this issue, restart the client manually. [ ] The Proactive Threat Protection portion of the client user interface does not turn red or begin an automatic repair when Proactive Threat Protection definitions are corrupted or missing If Proactive Threat Protection definitions are corrupted or missing, the Proactive Threat Protection portion of the client user interface does not turn red and does not automatically download new definitions to repair itself. After some time, a red dot appears on the Symantec Endpoint Protection notification area icon, and the client user interface states that Proactive Threat Protection is disabled. To work around this issue, the user can click Fix. Symantec Endpoint Protection then downloads new Proactive Threat definitions and corrects the problem. [ ] Some features / msi codes are only available on 32-bit systems The table on page 194 of the Installation Guide for Symantec Endpoint Protection and Symantec Network Access Control, entitled Symantec Endpoint Protection client features, has omissions. It fails to specify that the following capabilities are only available on 32-bit systems:

25 Release Notes for Symantec Endpoint Protection and Symantec Network Access Control, version 11, Release Update 7 25 SymProtectManifest POP3SMTP [ ] Symantec Endpoint Protection Mac client issues This section contains information about Symantec Endpoint Protection clients on Mac computers. Installation Wizard displays Install option instead of Upgrade option On Mac OS X 10.5 or 10.6, if you upgrade the client software, the installation wizard displays an Install option instead of an Upgrade option. Click Install to complete the installation. [ ] Scan Status and Details do not match If you run a scan command on a Mac client, the Command Status Details window displays mismatched scan status and details. This situation occurs when the scan is in progress and the software cannot determine the state of the scan. You can safely disregard this mismatch. [ ] Limited support for location awareness on Mac client Symantec Endpoint Protection for Mac does not provide location awareness. To work around this issue, you can modify the location-specific settings for the Default location for a group that contains Mac computers. [ ] Extended Unicode characters do not display properly in Symantec Endpoint Protection Manager On the Clients page of Symantec Endpoint Protection Manager, the name and logon client of a Mac client computer may not display properly. This situation occurs if the hostname or the user account of the Mac computer contains extended Unicode characters. [ ]

26 26 Release Notes for Symantec Endpoint Protection and Symantec Network Access Control, version 11, Release Update 7 Mac client cannot use UNC path to get updates from internal LiveUpdate server If you set up an internal LiveUpdate server, your Mac client computers cannot get updates by following a UNC path. You must provide an FTP server or a Web page (HTTP) for Mac clients to get updates from an internal LiveUpdate server. [ ] Out-of-date definitions determined differently for Mac client Virus definitions on a Windows client are considered out of date as follows: the date of the definitions on the client is compared with the date of the definitions on the server. Mac client definitions are considered out of date by comparing the date of the definitions on the client with today s date. This situation occurs because Mac clients always get their updates from an internal LiveUpdate server, not from the management server. [ ] Uninstalling Norton AntiVirus or Norton Internet Security on the Mac client To uninstall Norton AntiVirus or Norton Internet Security on a Mac client computer, you can use the uninstaller that is provided on the product disc. The uninstaller is located in the SEP_MAC folder at the root of the product disc. You must uninstall Norton AntiVirus for Mac before you can install Symantec Endpoint Protection for Mac. [ ] File System Auto-Protect settings are not locked as expected on the Mac clients that are set to client control Symantec Endpoint Protection Manager can lock or unlock the Auto-Protect settings on client computers in server control, mixed mode, and client control. This works properly on Windows clients, but fails on the Mac clients that are in client control. To work around this issue: 1. In the console, click Clients > Policies, and change the Client User Interface Control setting for Mac clients to Server control.

27 Release Notes for Symantec Endpoint Protection and Symantec Network Access Control, version 11, Release Update While in server control, in the Antivirus and Antispyware policy, change the state of the Auto-Protect settings. 3. Change the Client User Interface Control setting back to Client control. Note: This only works on the clients that are online at the time of the change to server control. You may want to verify that all clients have received this update. Enforcer issues [ ] This section includes information about Enforcer features, which are only available in Symantec Network Access Control. The Integrated Enforcer for Microsoft Network Access Protection (NAP Enforcer) may not validate the UID of a client in some cases After you install Symantec Endpoint Protection Manager and a NAP Enforcer and then connect to a client, the management server validates the client's UID. If you then connect the NAP Enforcer to a second management server, you must stop and start the NAP Enforcer to have the UID properly validated with the second management server. [ ] Re-initializing Enforcer or reconfiguring interface role disconnects On-Demand Client If you re-initialize an Enforcer or if you reconfigure the interface role, On-Demand Clients are disconnected from the Enforcer. To work around this issue, disable the On-Demand Clients and then re-enable them. [ ] To change the default Gateway Enforcer, use interface set command To change the default Gateway Enforcer, use the interface set command. The route delete and route add commands result in duplicate Gateway Enforcers. [ ]

28 28 Release Notes for Symantec Endpoint Protection and Symantec Network Access Control, version 11, Release Update 7 The Gateway Enforcer advanced re-initialize command does not work on the first attempt When re-initializing an Enforcer appliance, running the advanced re-initialize configuration command does not work if you press Ctrl + C after the first configuration attempt. Running this command should return the eth0 IP address as output, but instead it does not display anything. To work around this issue, restart the Enforcer appliance to successfully reinitialize the Enforcer. [ ] A SNAC Enforcer appliance image cannot be upgraded to an image You cannot upgrade an Enforcer appliance image from version to or above. Instead of upgrading, perform a fresh installation on the appliance. [ ] Pop-up messages appear every 30 seconds on client computer running Windows XP The client computers that run Windows XP might receive pop-up messages about a missing client every 30 seconds. This situation occurs if you choose the Enable pop-up message on client if Client is not running option on the Gateway Enforcer. The situation occurs regardless of the frequency of the pop-up messages that you set. The Messenger Service must also be started on the client computer for the pop-ups to continue to appear. [ ] Client computers that run the Mac On-Demand client cannot be authenticated by multiple Enforcers You may encounter a situation where you connect a Mac computer to a shared network that includes an Enforcer. If you subsequently download the Mac On-Demand client, you cannot connect to the network. This situation occurs because the client computer must always be authenticated by the Enforcer that authenticates it first. If you connect the client computer through an Enforcer before you download the On-Demand client, the client then cannot authenticate by using the Enforcer that the On-Demand client software requires.

29 Release Notes for Symantec Endpoint Protection and Symantec Network Access Control, version 11, Release Update 7 29 You can work around this issue by downloading the Mac On-Demand client before you connect to a network that requires authentication through an Enforcer. [ ] Enforcers select a Symantec Endpoint Protection Manager server by management server list sequence instead of priority If a Symantec Endpoint Protection Manager server shuts down, the Enforcer is expected to select the highest priority server on the management server list. Instead, the Enforcer selects the next available server in the list sequence instead. There is no known workaround at this time. [ ] Symantec Network Access Control client can delay DHCP server authentication after hibernation If a Symantec Network Access Control client resumes after hibernation, there may be a delay in obtaining DHCP server authentication. This situation occurs because the client should request a new IP address. Instead, the client continues to request the current IP address. [ ] The On-Demand Client for Mac cannot run without first installing the Static Route tool The Mac OS does not respond to the DHCP static routing option (33) without a patch. Mac computers in a Symantec Endpoint Protection network cannot download and use the Demand Client for Mac without applying that patch. Solution: For each computer that is running Mac OS X 10.4, 10.5, or 10.6, download and install "Symantec ODC Static Route Spoof Tool.pkg." Administrative permission is needed during the installation. A restart is needed after the installation is complete. To make the DHCP Enforcer environment work, the admin must configure the static route option (33) on the DHCP server. This option enables the following servers to be accessed from the client side when the client is quarantined: Symantec Endpoint Protection Manager server DHCP server: An empty router option (003) needs to be created on the DHCP server for the quarantine user class. DHCP Enforcer (if the DHCP Enforcer appliance is used)

30 30 Release Notes for Symantec Endpoint Protection and Symantec Network Access Control, version 11, Release Update 7 Gateway Enforcer: When you use the DHCP plug-in, the Gateway Enforcer is used as the delivery point. Spoofing DNS server: When you use the DHCP plug-in, the spoofing DNS server is used to resolve names to the Gateway Enforcer for download of the Mac on-demand client. [ ] Mac static route spoof tool does not run on Mac OS X 10.4 The Mac static route spoof tool is not on your client computers that run Mac OS X [ ] Configuring a fail-open NIC card in fail-closed mode Beginning with Symantec Network Access Control version 11.0 RU6 MP1, Enforcers will ship with a Silcom NIC card that is in configured in fail-open mode. To configure the Enforcer to be in fail-closed mode, issue the following CLI command: configure interface failopen disable [ ] Enforcer shows as offline when default management server list uses a hostname The default management server list that is on the console of Symantec Endpoint Protection Manager is migrated to the Enforcer. In some cases, that list may contain a hostname, rather than an IP address or DNS name. If the Enforcer uses the default management server list and if that list contains a hostname, the enforcer may be shown as offline. Symantec recommends against using hostnames in the management server list. To work around this issue: 1. Create a new list of management servers, using IP addresses or DNS names. 2. Assign the list you just created to the Enforcer or Enforcers that are connected to the management servers. 3. If you used DNS names for the management servers, configure the DNS server as appropriate on each Enforcer. [ ]