Last Modified:10/09/2008
| Document ID:2006050314483048 Last Modified:10/09/2008 |
| Situation: | This article documents the changes and fixes in each update to Symantec AntiVirus Corporate Edition 10.1.x and Symantec Client Security 3.1.x. Symantec Client Security 3.1.x includes Symantec AntiVirus 10.1.x and Symantec Client Firewall 8.7.x. |
| Solution: | As updates to Symantec Client Security are released, they are added as sections in this document. The sections are added in chronological order, with the most recent additions at the top. For information about how to obtain the latest build of Symantec AntiVirus or Symantec Client Security, read the following document: Obtaining an upgrade or update for Symantec AntiVirus Corporate Edition or Symantec Client Security. Maintenance Release 8 (MR8) This section describes the fixes in Maintenance Release 8 of Symantec AntiVirus 10.1 and Symantec Client Security 3.1. Components
Symantec AntiVirus Fixes
Fix ID: 833154 Symptom: When attempting to perform a client remote install to 64-bit systems running a 32-bit operating system, the following error message appears: "The server <server name> is not hosting any compatible Symantec Antivirus (SAV) 64 bit installers for the 64 bit client." Solution: Changed detection of 32-bit operating system on 64-bit systems. Symantec System Center displays AutoProtect tabs incorrectly Fix ID: 860948 Symptom: After uninstalling an email plug-in from a client, the email plug-in tab will still exist when viewing the client's AutoProtect options from Symantec System Center. Solution: At startup, the client's email plug-in list is reset in the registry. Dell Optiplex 745 computers fail to start after installing Symantec AntiVirus Fix ID: 935817 Symptom: After installing Symantec AntiVirus, the Dell computer may fail to start. Upon restart, the computer may load correctly. Solution: Changed volume mount tracking capabilities to overcome a conflict when monitoring write-protected volumes. Rtvscan.exe high CPU usage on 64-bit Citrix Servers Fix ID: 996183 Symptom: Rtvscan.exe exhibits high CPU usage when installed on 64-bit Citrix servers, caused by a missing Navlogon.dll path in the registry. Solution: Set the Navlogon.dll correctly in the registry during install. Rtvscan.exe left in a hung state with 1 thread Fix ID: 998993 Symptom: Viewing Rtvscan.exe in Task Manager shows a thread count of 1. Solution: Updated Auto-Protect exclusion offset error in Rtvscan.exe. Symantec AntiVirus does not skip offline files as expected Fix ID: 1000124 Symptom: With the advanced setting "Skip offline and sparse files" selected, Symantec AntiVirus incorrectly scans sparse files. Solution: Changed logic to identify sparse files correctly. The Symantec Event Manager Service registry key's permissions are reset each time the service is reloaded Fix ID: 1027172 Symptom: After adding custom permissions to the service's registry key and reloading the service, the custom permissions will be deleted. Solution: The registry key is now only recreated when changes to the key are detected. Settings changes made to the server group are not set on secondary servers Fix ID: 1032593 Symptom: When settings changes are made to the server group while secondary servers are offline, the settings changes are never updated on the secondary servers. As designed, a message box indicates that the "changes may not properly roll out." Solution: The verbiage for the message box has changed to indicate the settings "will not properly roll out". You must still update the secondary servers when they become available. AutoProtect Error: AutoProtect is unable to block security risks Fix ID: 1039115 Symptom: When failing to load a corrupt Srtpv.dat file, the error "AutoProtect Error: AutoProtect is unable to block security risks" is generated with no remediation actions. Solution: Error message changed to provide a more clear error description and manual steps to remediate. Default LiveUpdate configuration settings are not applied to client group members Fix ID: 1068200 Symptom: In Symantec System Center, a new client group with unaltered LiveUpdate configuration settings fail to apply settings to clients that are moved from a client group with altered LiveUpdate configuration settings. Solution: Triggered the LiveUpdate configuration settings to be written even if configuration settings are not changed when created. Verifying Security Risk exceptions from another Symantec System Center deletes existing exceptions Fix ID: 1069359 Symptom: When viewing Security Risk exceptions through Symantec System Center installed on a managed client machine, locked exceptions are removed from the primary server. Solution: Removed the condition which caused locked exceptions not to be written on the primary server. Symantec System Center crashes when rolling out Symantec Client Firewall policy Fix ID: 1111628 Symptom: In Symantec System Center, selecting the Groups node and attempting to roll out a Symantec Client Firewall policy causes Symantec System Center to crash. Solution: Logic changed not to process the Groups node when enumerating the server list during policy rollout. Auto-Protect actions and exclusions under All Risks allows locked categories to be edited Fix ID: 1121324 Symptom: Viewing the File System Auto-Protect Exceptions under Actions, locked exceptions can be edited if Security Risks (all categories) is selected. Solution: The list of exceptions has been changed not to include locked exceptions during an add operation. Inconsistency in default values when creating scans in the Symantec System Center Fix ID: 1122355 Symptom: When creating a scheduled scan for a client group, the "Advanced Settings" will not retain their initial default values if other settings (i.e. "Notifications") are changed. Solution: Update to use a client group's default settings and not server group's local scan settings. Rtvscan.exe crashes when performing a Master Boot Record scan Fix ID: 1134011 Symptom: In rare cases, Rtvscan.exe can crash if a Master Boot Record scan and virus definitions update occurs simultaneously. Solution: Virus definitions are locked, preventing update, when a Master Boot Record scan is in progress. AV Server Rollout migrating Symantec AntiVirus server to Symantec Client Security server does not preserve custom install path Fix ID: 1144400 Symptom: Using AV Server Rollout to migrate Symantec AntiVirus server installed in a custom path to Symantec Client Security Server causes the install path to revert to default location path. Solution: In AV Server rollout, added logic to handle this installation scenario. Roaming profiles revert to default profiles Fix ID: 1150915 Symptom: After login, Windows 2000 users receive a default profile from their domain controller. Solution: Moved the close registry handle to earlier in the logoff processing. Computer stops responding about 30 seconds after the user logs on Fix ID: 1194558 Symptom: About 30 seconds after a user logs on, the client computer becomes unresponsive. A hard reboot is required to resolve the issue. Solution: Module signature calculation is now only performed when Component Monitoring is enabled. Rtvscan.exe application error when shutting down Fix ID: 1196950 Symptom: During shutdown, Rtvscan.exe gets an Application error. The instruction at "0x00419201" referenced memory at "0x00000000". The memory could not be "read". Solution: A check was added to verify that the memory being accessed is valid. "Nlnhook.exe - DLL initialization failed" message during Windows shutdown Fix ID: 1202621 Symptom: With Symantec AntiVirus Notes plugin installed, during shutdown or logoff NLNhook.exe receives an error indicating a failed DLL initialization (The application failed to initialize because the windows station is shutting down). Solution: Suppressed benign Windows error message during shutdown. Rtvscan.exe does not release files after it finishes scanning Fix ID: 1203752 Symptom: After scanning a file with an extremely long filename, the file is not released by Rtvscan.exe Solution: File handles for extremely long filenames are properly closed after being scanned. Restoring files from quarantine server causes a Runtime error Fix ID: 1215087 Symptom: After restoring files from quarantine server, exiting the Symantec AntiVirus main user interface causes a Runtime error. Solution: Scan engines are unloaded properly before exiting. ESX Performance issues with Symantec AntiVirus during heavy I/O events Fix ID: 1238639 Symptom: VMWare sessions running on an ESX Server with Symantec AntiVirus installed perform poorly due to heavy I/O events caused by virus definitions updates on multiple sessions. Solution: Virus definitions updates are staggered to prevent multiple simultaneously updates. Secondary servers do not respond to configuration changes made through the Symantec System Center Fix ID: 1238908 Symptom: In Symantec System Center, editing a server's Definition Manager settings does not take effect on the secondary server. Solution: Check to see whether the settings have changed and trigger the secondary server to update. Registry entries from Enabling Multithreaded are removed during migration Fix ID: 1257386 Symptom: Registry entries created for enabling multithreaded scans are removed during a migration. Solution: Registry entries for multithreaded scans are saved and restored during migration. Symantec AntiVirus logs do not display the correct IP address Fix ID: 1293172 Symptom: When Symantec AntiVirus service is started with the computer offline, events are logged with the loopback IP address (127.0.0.1) even after the computer is back online. Solution: During event log creation when the loopback IP address is present, try to obtain the current IP address. Vpstart /uninstall removes user groups even though there are other servers in context Fix ID: 1120029 Symptom: If the last Symantec AntiVirus Netware server installed into a Netware NDS (Netware Directory Service) or if any server has the /remove parameter performed, the NDS groups and rights become corrupted. Solution: Command line parameter /REDO_NDS was added to trigger the server to verify and recreate the Symantec AntiVirus groups and update the NDS login script to point to the server on which it is run. Netware Servers hang with Novell Audit 2.0.2 and Symantec AntiVirus server Fix ID: 1234673 Symptom: A Netware server with both Novell Audit 2.0.2 and Symantec AntiVirus 10.1.6 installed may experience a hang. Solution: Added a thread switch after calling "Select" to avoid a possible spin lock. Netware server pushes full VDB to clients instead of IDB Fix ID: 1295768 Symptom: Netware server pushes out full VDB to clients instead of the expected IDB. Solution: Netware now uses the full path instead of the relative path to IDB files. Symantec Reporting Server Fixes
Fix ID: 844328 Symptom: Restricted reporting user receives incorrect data when running "Computers not Scanned" report. Solution: Corrected the SQL query to produce the correct data. Error when creating a Full Report for All Products with Past 24 hour time range Fix ID: 864459 Symptom: When creating a Full Report for All Products using a time range of Past 24 hours generates the following error: "The start date must be before the end date." Solution: Corrected the date validation for Select Time Range. Only the first of multiple "Virus definitions out- of-date" Reporting alerts is triggered Fix ID: 1025078, 1149877 Symptom: If an "out-of-date" alert is triggered, no more alerts are checked for this category. The alert will be generated again after 12 hours have elapsed or there has been a change in the status of the machine(s). Solution: Added logic to allow multiple alerts to be processed. Reports emailed by Reporting Server contain non-functional links Fix ID: 1034999, 1191927 Symptom: Following a link from a daily report or virus incident received from Reporting Server does not show the proper data after a successful logon. Solution: Corrected the encoding of links after successful logon. Configured virus definition alert does not run Fix ID: 1150795 Symptom: Virus definition alerts via email or written to the database are not run. Solution: Corrected when timestamp and time zone conversion is required. Agent Down email notifications being sent out in error Fix ID: 1164910, 1267759 Symptom: Emails indicating that an agent is down or failing are being sent out even though the agent status in the Reporting console shows green (running). Solution: Corrected when timestamp and time zone conversion is required. "Risk Type" column in exported Reporting Risk logs does not contain meaningful data Fix ID: 1200953 Symptom: When exporting reports to a CSV file, "Risk Type" display only -1 or 1. Solution: "Risk Type" now provides the risk's virus categories, i.e. viral, malicious, heuristic, etc. Servers that have been taken offline still show in Reporting Fix ID: 1205937 Symptom: Removed Symantec AntiVirus servers are still shown and accessible in configuration settings in Reporting. Solution: Updated SQL query to filter out aged (older than 30 days by default) Symantec AntiVirus servers. Cannot report by specific virus type in Reporting Server Fix ID: 1215649 Symptom: Reporting database cannot be queried by a particular virus category because the category is not defined correctly or missing. Solution: Updated database schema to correctly insert virus type into the virus category table. 1970 records created in database incorrectly when user is logged out Fix ID: 1226250 Symptom: When user is logged out, a 1970 entry is added in the parent inventory log: "Error 234 in getting username." As a side effect, clients with a 1970 entry are excluded from the Computer Status Logs report, preventing the user from reporting on these clients. Solution: Increased the buffer used to retrieve the username. Incomplete scan engine information causes Error 2 in parent inventory log Fix ID: 1244677 Symptom: Incomplete or corrupt scan engine information in the registry causes Error 2 in the parent inventory log. This prevents new inventory data from being inserted into the database. Solution: Allowed clients to be included in inventory by not logging error. Also, replaced incomplete version with 0.0.0.0 to identify client for remediation. Reporting Risk Logs Advanced Settings are not retained Fix ID: 1248949 Symptom: When viewing logs under "Advance Setting" with a specific "Scan Type" filter, the log does not display the logs according to the scan type selected, and does not retain the value selected from the "Scan Type" filter. Solution: Changed logic to retain the filter selection between log views. Symantec Client Firewall fixes
Fix ID: 843483 Symptom: When creating General Rules with multiple locations through Symantec Client Firewall Administrator, a script error causes the user interface to hang. Solution: Updated the global rules count to match the count for each location correctly. pRules based on Size Range are not created correctly Fix ID: 1041224 Symptom: Symantec Client Firewall Administrator fails to create pRules when a match criteria for size range is used. Solution: The size range option for pRule match criteria was removed, only single file size now available. When viewing Symantec Firewall Client Network Connections, unknown IP addresses appear for UDP port 137 or 138 Fix ID: 1080903 Symptom: From the Symantec Client Firewall user interface, viewing Network Connections under Statistics shows unknown IP addresses for UDP port 136 and/or 137 when VMware is installed on the computer. Solution: Corrected a problem in IP address matching which corrupted the IP address. Cannot access Web page with Symantec Client Security enabled Fix ID: 1153519 Symptom: Users cannot access Web pages with an HTTP body containing a HTTP header termination pattern. Solution: HTTP processing updated to identify the offending pattern in HTTP bodies. Parent Server Name is rewritten on Symantec Client Firewall events, thereby overwriting IPS signature Fix ID: 1265671 Symptom: When Symantec Client Firewall events are forwarded to the primary server, Intrusion Signature is overwritten by the parent server name. Maintenance Release 7 (MR7) This section describes the fixes in Maintenance Release 7 of Symantec AntiVirus 10.1 and Symantec Client Security 3.1. Components
Symantec AntiVirus fixes
Fix ID: 808384 Symptom: After migrating to Symantec AntiVirus 10.1 MR5, the installation path has changed to Symantec AntiVirus\Symantec AntiVirus. Solution: Removed extra "Symantec AntiVirus" from path in installation routine. Event ID 42 is not forwarded to the parent server Fix ID: 819124 Symptom: Event ID 42, "Auto-Protect Error: Auto-Protect is unable to block security risks," appears in the local Windows Application log, but is not forwarded to the parent server event log. Solution: Event ID 42 is now forwarded and appears in Symantec Reporting Server. The report is "Risk Report/Comprehensive Reports/Auto-Protect not running". Symantec AntiVirus Server upgrade rollout changes original installation location Fix ID: 894292 Symptom: Migrations do not maintain custom installation locations, but will install to the default \Program Files\Symantec AntiVirus installation folder. Solution: Corrected custom action during installation to use the correct installation path. DWHWizrd.exe application error Fix ID: 999142 Symptom: Intermittently, when DWHWizrd.exe is called after a definition update, the user receives an application error popup indicating a "memory cannot be read" error. Solution: Resolved memory allocation conflict. Symantec AntiVirus MR5 scheduled scans are not honoring short (8.3) folder and file names in exclusions Fix ID: 1026031 Symptom: When setting scan exclusions using short folder names, the exclusions are not honored when running a scheduled scan. Solution: Logic added to expand short path names into their long name equivalent before using them for comparison. Server hangs after event id 7031 is encountered Fix ID: 1055706 Symptom: When certain files contain a "%20S" in the names, a scan can cause a server hang. Solution: Changed scan logic to handle those file types correctly. File restoration is slow with Veritas or ARCserve restore on NetWare Fix ID: 1058567 Symptom: File restoration is very slow when doing an ARCserve restoration on NetWare 6.0 with Symantec AntiVirus 10 installed. Solution: Changed the way we determine if a "CLOSE FILE" notification matches the "OPEN FILE" notification. EMC/Legato Networker users experience full backups instead of incremental backups after Symantec AntiVirus scans run. Fix ID: 1059791 Symptom: After running a virus scan, files are incorrectly marked as changed, causing files to be backed up unnecessarily. Solution: Ensure that the metaDataUpdateTime is not changed if the file is not changed. Symantec AntiVirus does not provide satisfactory error on why new definitions cannot be downloaded or processed Fix ID: 1066311 Symptom: When a client is low on disk space and is unable to download the definitions, the client errors out with "definition update failed" but does not state that it is due to low disk space. Solution: Added check to see what the exact failure was after extraction and to log an entry stating that the failure was due to low disk space when appropriate. Symantec AntiVirus installs to the root of the Program Files folder after a migration Fix ID: 1069095 Symptom: After migrating to Symantec AntiVirus server 10.1.6.6000 via Server Roll-out, the installed files will be in the root of the \Program Files\ folder instead of in a \Symantec AntiVirus\ installation folder. Solution: Changed the installation actions to verify that the INSTALLDIR property contains \Symantec AntiVirus\. "Unable to open system registry" error during ClientRemote Installation Fix ID: 901594 Symptom: "Unable to open system registry on the remote server" error appears during ClientRemote Installation when deploying a Symantec AntiVirus/Symantec Client Security client from a NetWare parent server. Solution: Changed the remote registry call to allow functionality from a Netware server. "Minutes to delay the start of continuous LiveUpdate" does not set in Client Groups Fix ID: 994458 Symptom: Changes made to the "Minutes to delay the start of continuous LiveUpdate" under the Continuous LiveUpdate settings at the Client Group's Virus Definition Manager does not write to the registry. Solution: The settings are now written to the registry for deployment. 99 Character limit in the SAVRoam configuration textbox in the Symantec System Center Fix ID: 1003333 Symptom: The SAVRoam parent server list is limited to 99 characters in the Symantec System Center, but the registry limit is 1024 for both fields. Solution: Each field has been increased to have a limit of 1024. However, if the total of both fields is over 1024 a warning appears in order to warn the user. Client event timestamp conversions can be incorrect when a client roams to parents in different time zones Fix ID: 1021364 Symptom: Symantec AntiVirus servers convert the client's events to the local time zone. When a client does not have a correct parent field, the conversion can be incorrect. Solution: Corrected the conversion process to update client events. Manually removed ReportServerURL value in the registry is not recreated by the Symantec System Center Fix ID: 1059989 Symptom: After deleting the ReportServerURL value from the registry, the Symantec System Center does not replace the value in the registry automatically. Solution: Updated Symantec System Center to replace the missing value. Scan History entries disappear from the Symantec AntiVirus console in Netware after a few minutes Fix ID: 1082626 Symptom: After a manual or scheduled scan is completed, it only appears in the Symantec AntiVirus console for a short period of time. Solution: Updated the scan release functionality to keep the scan in the user interface for a longer period of time. Symantec Reporting Server Fixes
Fix ID: 972769 Symptom: SQL Query Failed message appears when the Scan Table query times out. This occurs when there are over 400,000 entries. Solution: Updated Reporting Server to correctly delete old data in chunks of 25,000 rows. Reporter home page shows two agents "hanging" Fix ID: 1112691 Symptom: The agents appear to be hanging on the home page, but the agents are actually running appropriately. Solution: Added PHP function to get the GMT (Greenwich Mean Time) date. The comparison of dates needs to be done in GMT because the date in the database is in GMT. DBMaint agent shows "next run" time in GMT instead of local time Fix ID: 1119930 Symptom: Agent Configuration in Reporting Server console shows the DBMaint agent's "next run" in GMT time instead of the local time zone. Solution: Modified the PHP function to display the time in the local time zone. DBMaint Timeout error Fix ID: 1125984 Symptom: When running DBMaint on large databases, the scan will time out before it completes. Solution: Set the timeout for SQL query to 30 minutes. "Source" field does not display accurate information in reporting Fix ID: 857599 Symptom: The Source computer listed in the event does not report accurately when a log file is missing some parameters or has become corrupt. Solution: Updated the log reader to confirm that the log data is reported correctly. Clicking "more info" link for risk name in outbreak report gives multiple search results Fix ID: 913617 Symptom: When clicking on the "more info" link, it doesn't go to the risk write-up, but sends the user to a search page instead. Solution: Updated all the links to correlate to the new Security Response site locations. Reporting Server displaying Last Scanned Time as 12/31/1999 Fix ID: 924926 Symptom: Scans that do not complete are reported into Symantec Reporting Server with a last scanned date as 12/31/1999. Solution: Scan times now report the scan start time instead of the scan end time. "Definitions out-of-date" alert email has a broken hyperlink Fix ID: 1024042 Symptom: The hyperlink to the client list in a "Virus definitions out-of-date" Reporting email alert takes the user to a blank "Computer Status Logs" page. Solution: Updated email alert to link to the appropriate report. The "last date updated" in Symantec Reporting Server console does not appear to match the last run time Fix ID: 1040534 Symptom: After running a report, the "last date updated" time will be a few hours outdated when compared to the local system time. Solution: Updated how the agent status time stamp is converted. LogReaderEvents agent quits unexpectedly Fix ID: 1051606 Symptom: When the agent parses a corrupt or incomplete log entry, the agent may stop suddenly. Solution: Modified the legacy function call to parse the incomplete log data correctly. Cannot install Reporting with non-default settings Fix ID: 1058456 Symptom: When installing Reporting server from the MR6 release, if using non-default Reporting database names or user names, the installation fails. Solution: Removed references to the default installation path in the schema. Daily report alert e-mails have broken URLs Fix ID: 1065817 Symptom: When the alert e-mail is sent, the link will take the user to an authentication page or will display a DBerror page. Solution: Cleaned up the alert URL to properly report the correct date and time zone. Spaces in a Server group name cause some server group specific reports to report data incorrectly Fix ID: 1069214 Symptom: Reports with an advanced filter specific to a server group are not working when spaces exist in the server group name. Solution: Spaces were being converted to "+" incorrectly. Corrected the PHP conversion. Full log export does not honor filter settings Fix ID: 1074153 Symptom: When filtering certain log views and then exporting it to .CSV, the entire log is exported instead of just the filtered data. Solution: Added correct filters to PHP output requests. Scanned and Last checked-in reports are slow to generate Fix ID: 1095471 Symptom: Certain reports can be extremely slow to generate, taking hours to display. Solution: Modified the date conversion to display the local time of the Symantec Reporting console. Log entry for definitions arriving on Quarantine server appears as error Fix ID: 913823 Symptom: When definitions arrive on the Quarantine server, the event is logged as an error. Solution: Changed the event log type to be "information" instead of "error." Symantec Client Firewall fixes
Fix ID: 913748 Symptom: User is unable to access streaming audio from a website through an ISA proxy if Symantec Client Firewall is enabled. Solution: Updated pxyhttp.dll to allow the traffic to pass correctly. Maintenance Patch 1 for Maintenance Release 6 (MR 6 MP 1) This section describes the fixes in Maintenance Patch 1 for Maintenance Release 6 of Symantec AntiVirus 10.1 and Symantec Client Security 3.1. You can apply this patch over Symantec AntiVirus 10.1.6.x or Symantec Client Security 3.1.6.x. To learn how to obtain and apply the patch, read Applying Maintenance Patch 1 for Symantec Client Security 3.1 and Symantec AntiVirus 10.1 Maintenance Release 6. Components
Symantec AntiVirus Fixes
Fix ID: 802843 Symptom: When a new user profile is created using the Lotus Notes configuration process, the Notes profile is created in the Local Service profile instead of the user's profile. Solution: The profile creation process now queries the local user first before running the API. RTVScan holds open user profiles after a user logs off of a session using Citrix Metaframe or Web Presentation server Fix ID: 860803, 983890, 983899, 983935 Symptom: When a client logs off or disconnects a session connected to a Citrix server, the profile is not completely closed, causing possible profile locks or corruption. Solution: Changed how RTVScan handles session disconnects and logoffs to release NTUser.dat file in a more timely fashion. Also made changes to add better support for Seamless Windows within Citrix. Symantec AntiVirus Client unable to recover from corrupted definitions and accumulation of .vdb files in 7.5 folder Fix ID: 838436 Symptom: A large number of corrupted .vdb files are accumulated, and the client is unable to download or install any further definitions. Solution: Added a definition check to ensure the definitions are downloaded correctly, and if corruption is located, the file is removed and remediation occurs. RTVScan error on logoff Fix ID: 917503 Symptom: When logging off a client, an application error occurs, referencing "memory cannot be read." Solution: Changed the logoff process to ensure that disconnect calls are not made prematurely. Dell Optiplex 745 computers fail to start after installing Symantec AntiVirus Fix ID: 935817 Symptom: After installing Symantec AntiVirus, the Dell computer may fail to start. Upon restart, the computer may load correctly. Solution: Changed our volume mount tracking capabilities to overcome a conflict when monitoring write protected volumes. Future-dated events in the Symantec AntiVirus log files are forwarded multiple times Fix ID: 973579 Symptom: The same events dated in the future appear multiple times in parent server log files or in the Reporting console. Solution: Changed FwdStat.log file to monitor new events and not to forward any logs that have already been forwarded to the parent. Scheduled scans run as "missed events" after a client roams to another parent server Fix ID: 968729 Symptom: After roaming to a new parent server, the client will run a scheduled scan again, and mark it as a missed event. Solution: Adjusted the time a client holds on to scan data to allow a new GRC.dat to be processed from the new parent server. Blue screen occurs when Symantec Antivirus definitions are repeatedly backdated then reapplied Fix ID: 1026551 Symptom: When definitions are repeatedly backdated and reapplied to a computer, the computer crashes. Solution: In a very rare situation, RTVScan was not releasing a mutex, causing I2lpvp3 to hang. Fixed. The Symantec Event Manager service registry key's permissions are reset each time the service is reloaded Fix ID: 1027172 Symptom: After adding custom permissions to the service's registry key and reloading the service, the custom permissions will be deleted. Solution: The registry key is now only recreated when changes to the key are detected. An empty GUID is reported when running Symantec AntiVirus on a computer with two network cards Fix ID: 1031751 Symptom: When using a computer with multiple network cards, the client will fail to create a unique GUID, causing the client to lose connectivity with the parent server. Solution: Added additional checks to the MAC address requests when creating the GUID to avoid a null GUID. While logging on the computer, a new user profile is created Fix ID: 994915 Symptom: When logging on to a computer, a user profile may appear to be locked, so the system creates a new user profile for the user. Solution: Eliminated an unnecessary delay during the logon process to alleviate some of the load on the thread that processes logging on and off. Symantec Client Firewall Fixes Script error when viewing Symantec Client Firewall logs with Internet Explorer 7 installed Fix ID: 865944 Symptom: If Internet Explorer 7 is installed, when viewing the Symantec Client Firewall logs, a script error appears. Solution: Modified scripts to work with Internet Explorer 7. Maintenance Release 6 (MR 6) This section describes the fixes in Maintenance Release 6 of Symantec AntiVirus 10.1 and Symantec Client Security 3.1. Components
Symantec AntiVirus Fixes
Fix ID: 801961 Symptoms: You migrate a client by using a login script that is set to restart the client when the installation is complete. The client does not restart after the installation is complete. Solution: Made a fix to ensure that a user-configured Vplogon.ini file is not overwritten when the Symantec AntiVirus service restarts. Continuous LiveUpdate window in Symantec System Center does not reflect current configuration Fix ID: 837165 Symptoms: You open the Continuous LiveUpdate window from the Virus Definition Manager window in Symantec System Center. The settings in the Continuous LiveUpdate window do not reflect the Continuous LiveUpdate settings that are in effect. Solution: Updated the user interface to reflect the most recent configuration. AntiVirus Server Rollout does not find computers across a VLAN Fix ID: 846234 Symptoms: You run AntiVirus Server Rollout in Symantec System Center to deploy Symantec AntiVirus server. When you view your network in the Select Computers dialog box, computers across a VLAN do not appear. Solution: Changed the discovery process to correct a failed "Open Mutex" call. ClientRemote installs Symantec AntiVirus server instead of client during migration Fix ID: 852987 Symptoms: When you migrate a client by using ClientRemote Install in the Symantec System Center, the migration deploys Symantec AntiVirus server instead of the client. Solution: Modified SAV_Server_mm.ism to copy all files except Vpremote.dat to the CLT-INST folder. Symantec AntiVirus server does not provide Symantec AntiVirus for Handhelds definitions to clients Fix ID: 858821 Symptoms: Symantec AntiVirus server does not distribute definitions for Symantec AntiVirus for Handhelds to clients. Solution: Updated the server so that it includes the Symantec AntiVirus for Handhelds definitions in its definition package creation. NetWare server shows an "out of memory" message after running a scheduled scan Fix ID: 864360 Symptoms: After a scheduled scan runs on a NetWare server, the NetWare Console shows the message "Cache memory allocator out of available memory." Solution: Changed the code that completes directory lookups. Symevent is uninstalled and Auto-Protect disabled after migration Fix ID: 865236 Symptoms: After you migrate to a new build of Symantec AntiVirus and restart the computer, Symevent is no longer installed and Auto-Protect is disabled. Solution: Updated the installer sequence to recognize newer versions of Symevent . NetWare server abends when scanning .gsh files Fix ID: 898183 Symptoms: On a NetWare server, after Symantec AntiVirus scans .gsh files during a scheduled scan, the server abends. Solution: Fixed in the latest decomposer update. Symantec AntiVirus excludes infected files on read-only media Fix ID: 900050 Symptoms: After Symantec AntiVirus detects an infected file on a read -only memory source, Symantec AntiVirus excludes the file from detection on that source for the rest of the Windows session. Solution: Added a check to prevent the exclusion of these files after detection. OpenScanningMode=0 registry value disappears from Symantec AntiVirus clients Fix ID: 990596 Symptom: After you click "Reset All" in the Client Auto-Protect configuration window in Symantec System Center, the OpenScanningMode registry value disappears from managed clients. Solution: Made the registry keys part of the Symantec AntiVirus server installation defaults so that they are not removed from the client. Scheduled Scan deletes the SID's shell folder startup registry value Fix ID: 647987 Symptom: You create a scheduled scan in Symantec System Center. When that scan runs, the HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup value is removed from the local computer. Solution: Fixed in the new build of Eraser. Duplicate domain GUIDs on NetWare servers Fix ID: 796373 Symptom: Server groups that have a NetWare primary server have the same root certificate name. Solution: Made a change that ensures that GUIDs are always created randomly. Quarantine Server version changes after migrating to Symantec AntiVirus 10.1 MR4 MP1
Symantec Client Firewall Fixes Multicast packets use default rule set Fix ID: 923474 Symptom: When you use a program that sends multicast packets, the connection uses the default rule set instead of the rules for the active location. Solution: Fixed in the new SymNetDrive build. Reporting Server Fixes Cannot view details about a computer that shows as infected in computer status logs Fix ID: 629701 Symptom: When you view the details of a "Still Infected" query on the Reporting Server home page, no clients appear. Solution: Added an option to "also delete infected events" that deletes uncleared infection events after the configured interval (400 days default). This option also clears the infection status for the corresponding computers in the inventory table. Only one email sent for multiple virus events Fix ID: 802717 Symptom: The same virus event on multiple computers triggers only one Email notification. Solution: Changed the event check to recognize the same event from different computers and trigger the appropriate email notifications. Reporting Agent Status window reports shows a date in the future Fix ID: 838870 Symptom: When you run agents in multiple time zones, the Reporting Agent Status window shows a future date/time stamp. Solution: Corrected the time zone conversion method. Database backup agent error shows incorrect path when using a remote SQL server Fix ID: 788260 Symptom: When the Reporting Server database runs on a remote SQL server, the Database Backup Agent shows an error message with an incorrect path for the Backup.dat file. Solution: Changed error path from "C:\Program Files\Common Files\Symantec Shared\Reporting Agents\Win32 \Backup\BACKUP_xxxxx/backup.dat" to reflect the correct path to the Backup.dat file. Maintenance Patch 1 for Maintenance Release 5 (MR 5 MP 1) This section describes the fixes in Maintenance Patch 1 for Maintenance Release 5 of Symantec AntiVirus 10.1 and Symantec Client Security 3.1. You can apply this patch over Symantec AntiVirus 10.1.5.x or Symantec Client Security 3.1.5.x. To learn how to obtain and apply the patch, read Applying Maintenance Patch 1 for Symantec Client Security 3.1 and Symantec AntiVirus 10.1 Maintenance Release 5. Components
Symantec AntiVirus Fixes "Faulting application Rtvscan.exe, version 10.1.5.5000, faulting module I2ldvp3.dll..." appears after installing Symantec AntiVirus 10.1.5.5000 Fix ID: 833133 Symptom: After you install Symantec AntiVirus 10.1.5, you see the error "Faulting application Rtvscan.exe, version 10.1.5.5000, faulting module I2ldvp3.dll, version 10.1.5.5000, fault address 0x000056ab." Solution: Changed the code to prevent the null pointer access that causes the application fault. A workaround for this problem is to run LiveUpdate after you install a Symantec AntiVirus server before you add clients to the server group. Symantec AntiVirus clients do not appear in Symantec System Center after applying the SYM06-010 point patch Fix ID: 1-5ZMW9N Symptom: You apply the SYM06-010 point patch to a managed client that runs Symantec AntiVirus Maintenance Release 2 with Maintenance Patch 2 (Symantec AntiVirus 10.0.2.2020). If you originally installed this client as an unmanaged client, the client no longer appears in Symantec System Center after you apply the SYM06-010 point patch. Solution: Properly migrated the "Connected" and "ClientType" registry values during the patch installation. Event ID 7009 or Event ID 7011: "Timeout (30000ms) waiting for a transaction response from the SAV service" Fix ID: 649697 Symptom: After you remotely log on to a computer that runs Symantec AntiVirus 10.1, you see the message "Timeout (30000ms) waiting for a transaction response from the SAV service" in the System Event log. Solution: Lowered the timeout value that the Symantec AntiVirus service waits before creating the Custom Tasks registry key. Symantec AntiVirus service fails to start when using network paths Fix ID: 792579 Symptom: The Symantec AntiVirus service fails to load automatically when it runs on a computer with a network path in the Path variable. Solution: Added additional MFC resource .dll files to our installation package. Roaming Profiles are not deleted on a Windows 2003 Terminal Server Fix ID: 704930/630516 Symptom: After you install Symantec AntiVirus to a Terminal Server, roaming profiles are not deleted when the user logs off. Solution: Change the code to notify Rtvscan.exe of ending remote sessions before the user profile is unloaded. SAVRoam service not restarted after applying a Maintenance Patch Fix ID: 632306 Symptom: After you deploy a Maintenance Patch, the SAVRoam service is not restarted. Solution: Added a condition to the patch installer to start the SAVRoam process after the patch installation is finished. Defwatch Quick Scan no longer runs after installing Symantec AntiVirus 10.1 Maintenance Release 4 Fix ID: 632605 Symptom: After you install Symantec AntiVirus 10.1.4.4000, you notice that the Quick Scan no longer runs when new virus definitions arrive. Solution: Changed the installation to migrate the \ApplicationCache\{parent} registry key information. SAVRoam fails when the parent server is unavailable Fix ID: 1-5ZPJXD Symptom: When you install Symantec AntiVirus client to a computer whose parent server is unavailable, the client cannot successfully roam to a different parent server in the list. Solution: Added a delay to SAVRoam.exe start to allow the Grc.dat file to complete processing. VPRemote install log file path is hard-coded Fix ID: 1-5ZU6L9 Symptom: When you install Symantec AntiVirus from Symantec System Center, the install log file location is hard-coded. Solution: The installation now reads the log file path from the command line. If a log file path isn't specified, the log file is saved to the temp directory. Installation of Symantec AntiVirus fails when using HP's Radia deployment software Fix ID: 642943 Symptom: When you install Symantec AntiVirus with HP's Radia deployment software, the installation fails due to long file names. Solution: Added short file name of DefFileChanges.dll to the FileTable. Symantec AntiVirus server does not purge logs after 30 days Fix ID: 778875 Symptom: Symantec AntiVirus server does not purge log files after 30 days until you change the setting in Configure History. Solution: Added an entry in Symantec AntiVirus Server install script to add the LogFileRollOverDay value to the registry key HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDESK\VirusProtect6\CurrentVersion. Symantec Client Firewall Fixes
Fix ID: 1-5EYURL Symptom: A user can run a Program Scan and automatically create rules, even if the client permissions are set to deny the user the ability to create rules. Solution: Added a check for the user permissions before allowing the user to create rules through a Program scan. Point Patch 1 for Maintenance Release 5 (MR 5 PP 1) This section describes the fixes in Point Patch 1 for Maintenance Release 5 of Symantec AntiVirus 10.1 and Symantec Client Security 3.1. You can apply this patch over Symantec AntiVirus 10.1.5.5000 or Symantec Client Security 3.1.5.5000. To learn how to obtain and apply the patch, read Applying Point Patch 1 for Symantec Client Security 3.1 and Symantec AntiVirus 10.1 Maintenance Release 5. Components
Symantec AntiVirus Fixes "Faulting application Rtvscan.exe, version 10.1.5.5000, faulting module I2ldvp3.dll..." appears after installing Symantec AntiVirus 10.1.5.5000 Fix ID: 833133 Symptom: After you install Symantec AntiVirus 10.1.5, you see the error "Faulting application Rtvscan.exe, version 10.1.5.5000, faulting module I2ldvp3.dll, version 10.1.5.5000, fault address 0x000056ab." Solution: Changed the code to to prevent the null pointer access that causes the application fault. A workaround for this problem is to run LiveUpdate after you install a Symantec AntiVirus server before you add clients to the server group. Symantec Client Firewall Fixes No fixes for Symantec Client Firewall are included in this patch. Maintenance Release 5 (MR 5) This section describes the fixes in Maintenance Release 5 of Symantec AntiVirus 10.1 and Symantec Client Security 3.1. Components
Symantec AntiVirus Fixes
Fix ID: 1-51KJLX Symptom: When you unload Symantec AntiVirus on a NetWare server that manages a large number of clients, the server abends. Solution: Added a check to verify that the SystemRunning flag is still active before accepting a keep alive packet. Imaged computer cannot join a domain after using Sysprep Fix ID: 1-5ZBQA6 Symptom: After running Sysprep 1.0 or 1.1 on Windows 2000 Pro with the Symantec AntiVirus 10.1 client installed, upon restarting the computer, the computer will not join the domain automatically. Solution: This problem is fixed in Symevent 12.1. Drive not spinning down with Rtvscan.exe running Fix ID: 1-606ZV3 Symptom: RTVScan.exe does not allow the hard drive to spin down due to frequent updates to the Windows Security Center. Solution: The fix was to reduce the frequency of updates to the Windows Security Center. RTVScan.exe only updates the Windows Security Center when the state of Symantec AntiVirus has changed. High memory utilization with SAEX Fix ID: 1-5NV0LV, 536701, 769405 Symptom: High memory utilization was seen on a Symantec AntiVirus client with the SAEX tag set. Solution: Fixed a memory leak in Auto-Protect. The fix was included with Auto-Protect version 9.4.6. UDP rules applied to all locations Fix ID: 1-5J7I93 Symptom: When a UDP rule is created for Symantec Client Firewall and applied to the DEFAULT location, the rule is also applied to other locations. Solution: This was fixed in SymNetDrv 6.0.4. When "PluginInstalledOnlyOnPrimary" is set to 0 for the SCFsesa plugin, no events are sent from parent Fix ID: 1-5Z1NLP Symptom: Settting "PluginInstalledOnlyOnPrimary" is set to 0, which is required if collecting from all servers (as opposed to collecting from the primary server only), causes the local client events to be omitted from reports. Solution: When forwarding events, ensure that the EB_FROM_CLIENT value is set for clients. Server Group server tuning options are not shared with other servers Fix ID: 1-5R7DVU Symptom: After creating a primary server and enabling legacy support at the server group level, the settings do not propagate to secondary servers. Solution: This is a rework of the original fix in MR4 MP1. The settings were not captured in the GRCSrv.dat file, which is distributed to the secondary servers. The fix added these settings to the GRCSrv.dat file. Application error against NLNHook.exe Fix ID: 631405 Symptom: After installing Symantec AntiVirus, then logging on as a restricted user, an application error is generated against NLNHook.exe. Solution: Added a check of the return code from the NotesInitExtended call. If Notes has not yet been configured for this user, do not try to add the hook to Notes.ini. Disconnecting and reconnecting a computer to the network does not recognize network change Fix ID: 628762 Symptom: Symantec Secure Port will not detect network changes when they occur frequently and within seconds of each other. When using Symantec AntiVirus Parent Netspec, this will cause the location not to switch correctly. Solution: Once a network change is detected, Symantec Secure Port would not monitor network changes until processing of the current network change has completed. Changed behavior to return to monitoring for network changes immediately while the current network change is being processed. Windows and NetWare Logon Scripts fail when using Symantec Client Security 3.1 Fix ID: 1-5P3ZER Symptom: Installing Symantec AntiVirus 10.x or Symantec Client Security 3.x clients by using a logon script fails. Solution: A correction was made to a bad path found in a Symantec application used during this process. Scheduled LiveUpdate is not removed when moving client groups Fix ID: 1-5UMKE6 Symptom: When moving a client from one group with a scheduled LiveUpdate to another group without a scheduled LiveUpdate, the scheduled LiveUpdate is not removed. Solution: The LiveUpdate schedule settings are now locked in the registry and GRC.dat upon server installation because the setting "Do not allow client to modify LiveUpdate schedule" is now checked by default. If the setting is not locked, the client ignores them. AMS does not alert on certain events Fix ID: 1-5W5T0C Symptom: AMS does not forward the event GL_EVENT_ANOMALY_START which is added with Symantec AntiVirus 10.x Solution: Added the case to support event ID GL_EVENT_ANOMALY_START. Also changed the alert string from "Risk repaired" to "Risk Found/Repaired" for both the start and finish events for anomalies. When threat status indicates Adware/Spyware, Audit Network feature no longer displays correct client type Fix ID: 1-5AJ197 Symptom: When a client has a status indicating that Adware/Spyware has been detected, the Audit Network feature shows the client type as Unknown. Solution: The new computer type I_CLIENT_GREYWARE and I_SERVER_GREYWARE are now used to display the computer type of the greyware-affected computers. Installing Symantec AntiVirus 10.01 server to an existing server group from a command line creates a duplicate group Fix ID: 1-4OXYCN Symptom: Duplicate server groups are created when installing a Symantec AntiVirus 10.1 server to an existing server group from a command line installation. Solution: The custom action ValidateServerGroup is not executed while using the qb! switch, for which the UILevel is 3. The fix is to update the settings for the custom action ValidateServerGroup to make it run at UILevel 3. Liveupdate fails to run when installing Symantec AntiVirus from a command line Fix ID: 1-5QG4EQ Symptom: LiveUpdate fails to run during a command line installation while upgrading a managed client, regardless of the administrator setting to allow or disallow the user to run LiveUpdate. Solution: Changed behavior to allow the RUNLIVEUPDATE flag to take precedence in case of a full installation (not a migration or a patch install). SavRoam for Enterprise Security Manager fails with Enterprise Security Manager 6.5 installed Fix ID: 1-65A7D5 Symptom: SavRoam for Enterprise Security Manager, fails with Enterprise Security Manager 6.5 installed Solution: Enterprise Security Manager 6.5 includes register.exe, instead of reg.exe. Added the support to handle register.exe if reg.exe is not present. Global Security Exclusion settings are not propagated to client groups when changes are made from the server group level Fix ID: 1-5U1BNL Symptom: Global Security Exclusion settings are not propagated to client groups when changes are made from the server group level. Solution: Changed behavior to update client groups while changes are made at server group level. Symantec System Center sometimes crashes when security risks are repeatedly added to Global Security Risk Exclusions Fix ID: 1-5PD143 Symptom: Symantec System Center sometimes crashes when security risks are repeatedly added to Global Security Risk Exclusions. Solution: Changes to properly initialize certain pointer variables. Symantec AntiVirus on NetWare causes errors scanning long filenames Fix ID: 772476 Symptom: Symantec AntiVirus fails to scan files with filenames longer than 127, and ABENDs on some long filenames. Solution: Fixed handling of long filename strings. Symantec AntiVirus 10.0.2 ABENDs Fix ID: 1-5MJYG1 Symptom: Symantec AntiVirus causes NetWare to ABEND in VPReg.NLM. Solution: Improved the thread-safe code in the VPReg.nlm library. Symantec AntiVirus ABENDs in VPStart.nlm Fix ID: 1-5WDW6A Symptom: NetWare ABENDs when loading Symantec AntiVirus using VPStart.ncf. Solution: Reworked code dealing with imported variables from VPReg.nlm. NetWare login scripts do not fill in the $FILE_SERVER$ variable correctly Fix ID: 1-4D8RGN Symptom: Clients logging into a NetWare server are not updated or installed correctly in certain cases. Solution: Changed the installation module to use the correct environmental variable on installation. Long directory names cannot be viewed on NetWare Servers Fix ID: 1-4GFHQ7 Symptom: Directories with long names appear empty when viewed from Symantec System Center. Solution: Added long name functionality to FindFirstFile and FindNextFile functions. Continuous LiveUpdate settings revert to default settings Fix ID: 1-5WLWPO Symptom: In the Configure Primary Server Updates dialog, setting the values in the order Source, Continuous LiveUpdate Configure... is different than setting the values in the order Continuous LiveUpdate Configure, Source. Solution: Changed code to allow for consistency. Cannot see server groups across VLANs during remote server deployment Fix ID: 785939 Symptom: Cannot see server groups across different VLANs when trying to install a secondary server. Solution: Added code in AV Server Rollout which involves copying over the DomainGUID and updating registry keys to contain the address cache of the secondary server. CPU spike when installing with Terminal Services disabled Fix ID: 1-5OTPUD Symptom: High CPU usage after installing Symantec AntiVirus server and Terminal Services in remote adminstration mode. Solution: Changed code to prevent an infinite loop. Client tracking is not turned off by default Fix ID: 1-5LBW4N Symptom: Client tracking check box is enabled by default. Solution: Changed check box to be disabled by default. Scan histories from different levels in Symantec System Center do not match up Fix ID: 633623 Symptom: Using Symantec System Center to view scan histories, scanned/infected file numbers are incorrect at client/server level. Solution: Added functionality to check for successful parsing of Event data. NetWare 6.5 SP 5 server abends when Symantec AntiVirus 10.1.4 runs a scheduled scan Fix ID: 772645 Symptom: When you run a scheduled scan with Symantec AntiVirus 10.1.4.4000 on a computer that runs NetWare 6.5 Service Pack 5, the server abends. The Abend.log file shows that Rtvscan.nlm owns the process that caused the abend. Solution: This problem no longer occurs in Symantec AntiVirus 10.1.5. Symantec Client Firewall fixes
Fix ID: 1-5M19C7 Symptom: When applying a Symantec firewall policy file containing a large number of rules and settings to a legacy Symantec Client Security client (9.x or below), it will cause the client to fail to accept any future firewall policies. Solution: Symantec Client Firewall Administrator now warns the user of the firewall policy size restrictions for legacy Symantec Client Security clients when a firewall policy reaches the size limitations for rules and settings. Phantom IP address is reported in Symantec Client Firewall log Fix ID: 1-5VO3N8 Symptom: The log entry line, "Details: Rule "Microsoft Internet Explorer" permitted (x.x.x.x,http(80))" contains an incorrect IP address. Solution: The IP parameters to reportEvent has been fixed. Also fixed the corresponding alert log entry. Clients managed by secondary servers do not receive a policy file when you deploy a policy at the client group level Fix ID: 809180 Symptom: In Symantec System Center, you deploy a Symantec Client Firewall policy at the client group level. Some clients do not receive the policy file. This problem only happens to clients whose parents are secondary servers that run Symantec AntiVirus 10.1.4.4010 or Symantec Client Security 3.1.4010. The problem does not happen to clients whose parent server is the primary server, regardless of the product version. Solution: This problem no longer occurs in Symantec Client Security 3.1.5. Symantec AntiVirus Reporting Custom virus search links in Reporting are invalid due to Symantec Web site change Fix ID: 647851 Symptom: Three custom virus search links in Reporting are invalid due to a change to the Symantec Web site. Solution: Removed the broken links and replaced them with the new links. Reporting is slow to transfer data to the database Fix ID: 1-5WEKF6 Symptom: Incoming inventory and event logs from parent server to reporting server accumulate in the upload directory and Temp.LogReader directory. Eventually, these slow the agents considerably and may fill the volume. Solution: Overall performance for log and inventory data processing functionalities for Reporting were enhanced, and a new configuration option was introduced to discard security data that is not relevant for typical usage scenario. Reporting does not work correctly with a proxy connection Fix ID: 1-5WX8JV Symptom: If the proxy connection configured for virus category agent is authenticated by a domain user login, then the agent fails to connect to the proxy server. No virus category data is downloaded. Solution: This was caused by incorrect handling of special characters in the proxy address. Fixed by using a different authentication API in Perl that was capable of handling the username correctly. Reporting requires local user account on Reporting Server Fix ID: 1-5REVC7 Symptom: Reporting requires C:\Program Files\Symantec\Reporter\Temp folder to have Everyone granted full control. Solution: Added IIS user IUSR_[MACHINENAME] and Administrators to the User column for TEMPDIR folder. Maintenance Patch 1 for Maintenance Release 4 (MR 4 MP 1) This section describes the fixes in Maintenance Patch 1 for Maintenance Release 4 of Symantec AntiVirus 10.1 and Symantec Client Security 3.1. This patch can be applied only to computers that run Symantec AntiVirus 10.1.4 or Symantec Client Security 3.1.4. To learn how to obtain and apply the patch, read Applying Maintenance Patch 1 for Symantec Client Security 3.1 and Symantec AntiVirus 10.1 Maintenance Release 4. Symantec AntiVirus Corporate Edition 10.1.4.4010-1
Server Group Server Tuning Options do not propagate to secondary servers Fix ID: 1-5R7DVU Symptom: After you create a primary server and enable legacy support at the server group level, the settings do not propagate to secondary servers. Resolution: Added the Server Tuning Options settings to the GRCSrv.dat file, which is distributed to secondary servers. Virus definitions do not update until the Symantec AntiVirus service restarts Fix ID: 642963 Symptom: After LiveUpdate runs, the Definfo.dat file is updated, but the Usage.dat file is not updated until the Symantec AntiVirus service restarts. Resolution: Minor change to the code to correct this issue. Symantec AntiVirus service (Rtvscan.exe) does not start Fix ID: 631839 Symptom: In some specific environments, the Symantec AntiVirus service (Rtvscan.exe) does not start. Resolution: Fixed in Common Client 104.0.11.1. Improved handling of Rapid Release definitions Fix ID: 769756 Symptom: You apply Rapid Release virus definitions to a Symantec AntiVirus server. After the server pushes the new virus definitions to its clients, the server then pushes a full virus definition set to its clients. The use of Rapid Release virus definitions requires more network traffic than the use of other virus definitions. Resolution: Symantec AntiVirus servers can now deploy Rapid Release virus definitions without pushing a full virus definition set to clients. This change reduces the amount of network traffic that is needed to use Rapid Release virus definitions in a managed environment. Roaming between parent servers starts a scheduled scan Fix ID: 1-606ZZ5 Symptom: When a Symantec AntiVirus client uses the SAV Roam feature and connects to a new parent server, a scheduled scan starts on the client. Resolution: Changed the code that writes and reads the new scheduled scan settings after a client connects to a new parent server. These changes ensure that all of the new scheduled scan settings are present before the code checks whether a scan is needed. Symantec Client Security 3.1.4.4010-1
New fixes User permissions are not applied to ALEScan Fix ID: 1-5EOPZ5 Symptom: Restricted users can run ALEScan. A restricted user should not be able to run ALEScan. Resolution: Changed the code to check user permissions when ALEScan runs. A restricted user sees the alert, "You do not have privileges to run this program." Messaging for Exchange does not work properly with Symantec Client Firewall Fix ID: 1-5LB0S3 Symptom: When you use MSN 2.x to send messages to another MSN 2.x client through an Exchange 2000 server, the messages do not arrive. Resolution: SymNetDrv filters the port that MSN uses to log on and prevents the completion of the logon process. Fixed in SymNetDrv version 6.0.3. New clients do not apply policy files from the parent server Fix ID: 1-5V1707 Symptom: When a Symantec Client Security 3.1 client checks in with its parent server for the first time, the client does not automatically apply the policy file after the first reboot. Resolution: Changed the code to allow the policy file to be applied under a certain set of conditions which were previously causing the client update to fail. SSIM SMNP traps sometimes do not have the MAC and/or IP addresses for Symantec Client Firewall events Fix ID: 632290/ 632271 Symptom: The MAC and/or IP address sometimes does not appear in the event information that the client sends to the SSIM appliance. Resolution: Added additional methods to obtain the MAC address and IP address to ensure that the addresses are always discovered and sent with the event. Maintenance Release 4 (MR4) This section describes the fixes in Maintenance Release 4 of Symantec AntiVirus 10.1 and Symantec Client Security 3.1. Symantec AntiVirus Corporate Edition 10.1.4.4000
Maintenance Release 4 includes a fix for the Symantec Client Security and Symantec AntiVirus Elevation of Privilege vulnerability. You do not need to apply the patch for the vulnerability if you migrate to Maintenance Release 4. For information about the vulnerability, read the advisory. Restricted Users cannot run LiveUpdate Fix ID: 1-5QFYNN Symptom: LiveUpdate 3.0 requires Power User or Administrator rights for the user to run locally. The EnableAllUsers registry key no longer allows all users to run LiveUpdate 3.0. Resolution: Changed the code so that restricted users can run LiveUpdate. Files copied to floppy/USB drive not encrypted when using Hitachi Hibun encryption software Fix ID: 1-5QI8Z7 Symptom: Hitachi Hibun encryption software is installed with SAV 10.1 (which includes SymEvent 12.0.2.1), and Hibun is used to encrypt files. When an encrypted file is copied to a FAT-formatted disk or USB key, the file does not appear encrypted on the disk. Resolution: The issue was caused by the delayed load feature of SymEvent. SymEvent 12.0.3.1 includes a fix for this issue and is included in this release. When using .mbox format for storing electronic mail, the inbox file is quarantined when a virus is found Fix ID: 1-5PL4Z5 Symptom: When a threat is found within an .mbox mail file, the entire mail file is quarantined. Resolution: Changed the code to utilize the file decomposer engine to determine mbox container settings. Symantec AntiVirus now quarantines risks individually rather than the entire .mbox file. AMS reports the action taken as "undefined" Fix ID: 1-5UJHS2 Symptom: AMS reports the action taken as "undefined" when the Symantec AntiVirus Side Effects Engine examines a risk. Resolution: Added additional action strings to increase the number of actions that AMS can report. Symantec Client Security 3.1.4.4000
New fixes
Fix ID: 1-5NTR1B Symptoms: During a migration from Symantec Client Security 3.0.2 to Symantec Client Security 3.1, the following error message appears: "Setup has not received an update status from <ServerName>. The server may still be updating or an error occurred on the server. Do you want to continue waiting for server status?" The Symantec Client Security server is left in a non-functional state because many of the files are missing. Resolution: Changed the installation modules to prevent the timeout. The SAV Parent Netspec does not reapply itself after a network change Fix ID: 1-5TDHI8 Symptom: When disconnecting and then reconnecting a client to the network, Symantec Client Firewall does not always reapply the SAV Parent Netspec. Resolution: Changed the communication code to allow more time for communications between client and server. These changes greatly reduce the instances of this problem occurring. Symantec SecurePort service fails randomly Fix ID: 1-4Z45SL, 1-5NAZ08 Symptom: The Symantec SecurePort service fails with the error message "SymSecure Port has encountered a problem and needs to close." Resolution: Changed the code to handle the case where a network connection is set up with a NULL device name. Maintenance Patch 1 for Symantec Client Security 3.1 and Symantec AntiVirus 10.1 Versions of this patch are available for installation over Symantec Client Security 3.1 or Symantec AntiVirus 10.1. Unable to enter Standby with Symantec AntiVirus service enabled Fix ID: 1-4XG3PT Symptom: The computer will not enter Standby mode while the Symantec AntiVirus services are still running. Resolution: The Symantec AntiVirus service was preventing Standby mode by calling the DefUtils library unnecessarily. Changed it to call DefUtils only when there are new virus definitions. Scan engine failure during manual scan Fix ID: 1-5J7F4G Symptom: While running a manual scan, a scan engine failure occurs. The error reported is 0x20000058. Resolution: The scan was trying to run before it got the login account of the user, so it would fail for permissions reasons. Changed code to wait (approximately 60 seconds maximum) to get the login account so that manual scans are successful. Auto-Protect does not give warning when it cannot use definitions Fix ID: 1-58FE31 Symptom: If definitions are deleted and new definitions are pushed to the client, Auto-Protect will not reload definitions until the computer restarts. Resolution: Added check for valid definitions. Auto-Protect now loads the new definitions without requiring a restart. Roaming profiles are not saved at shutdown Fix ID: 1-581TK3 Symptom: When Symantec AntiVirus 10.x is installed, roaming profiles are not saved when the computer shuts down. Resolution: Added code to allow the roaming profiles data to be saved. Repeating entries in Wbemprox.log Fix ID: 1-4LW4BQ Symptom: Large numbers of errors are logged in the Wbemprox.log file. Resolution: Connecting to Windows Security Center results in an error when run on Windows 2000. The fix was to avoid updating the Windows Security Center unless running on Windows XP or a later version. The logging errors stop after the Symantec AntiVirus service starts. Cannot scan with PointSec Media Encryption installed Fix ID: 1-4SCR15 Symptom: With PointSec Media Encryption installed, Symantec AntiVirus can not perform a scan. Resolution: When there is a gap of about 60 seconds or more between the Windows login and the PointSec Media application login, the manual scan fails. When the PointSec Media application prompts for login, the shell is not initialized, and the user is still logging in. Fixed by having Symantec AntiVirus process the log again after VPTray is loaded. SymSPort fails Fix ID: 1-5NAZ08 Symptom: If a network connection with a NULL device name exists on the system, SymSPort crashes. Resolution: Made changes to handle network connections with NULL device names. Symantec AntiVirus 10.x changes the Last Accessed date after scheduled or manual scan Fix ID: 1-5G86I8 Symptom: Manual or scheduled scans change the Last Accessed date on files that are not protected by Windows File Protection or read-only, which triggers backup applications to back up the files unnecessarily. Resolution: Code changes made to preserve the Last Accessed Date on scanned files. Extension exclusions are not propagated under same circumstances as folder exclusions Fix ID: 1-4NHFUX Symptom: When a folder exclusion is set at the server group level, the setting is automatically propagated to the clients. When an extension exclusion is set at the server group level, the setting is not automatically propagated to the clients. Resolution: Added fix to always update exclusions on clients when new changes are present. Without the Ad Blocking component, error "SymAdBlockinUI is null or not an object" occurs Fix ID: 1-503XY4 Symptom: On a Symantec Client Security client installed without the Ad Blocking component, the error "SymAdBlockinUI is null or not an object" occurs if the user interface is open while a policy is pushed to the client. Resolution: Added validation code to check whether Ad Blocking is enabled. This prevents the error from occurring. Symantec Client Security 3.1 and Symantec AntiVirus 10.1 (includes Maintenance Release 3) This section describes the fixes in the first release of Symantec Client Security 3.1 and Symantec AntiVirus 10.1. For a list of new product features, read What's new in Symantec Client Security 3.1 or What's new in Symantec AntiVirus Corporate Edition 10.1. Symantec AntiVirus Corporate Edition 10.1.0.394
New fixes
Fix ID: 1-4JKGJI Symptom: You use Symantec System Center 10.0 to view log files from legacy (version 9.x or earlier) servers or from legacy clients. When you view legacy client log files, the process takes significantly longer than when you view Symantec AntiVirus 10.0 client log files. Resolution: Updated the code to improve performance. Manual or scheduled scan on NetWare sets Meta Data archive bit Fix ID: 1-4HCKDZ Symptom: During a manual or scheduled scan on a Novell NetWare server, Symantec AntiVirus incorrectly sets the Meta Data archive bit to On. This causes backup software to perform full backups rather than incremental backups. Resolution: Symantec AntiVirus no longer sets the Meta Data archive bit. Clients show offline in Symantec System Center when they're still online Fix ID: 1-5FDXJV Symptom: In Symantec System Center, managed clients show an incorrect status of "offline." Resolution: To the Symantec System Center Console Options screen, added a "Indicate when clients are offline more than x minutes" parameter to reduce communication discrepancies. NetWare server abends after upgrading NetWare 6.5 to Support Pack 5 with Symantec AntiVirus 10.0 installed Fix ID: 1-5FP7NB Symptom: Symantec AntiVirus 10.0 is installed on your NetWare 6.5/6.0 server. You upgrade Novell NetWare 6.5 to Support Pack 5. The NetWare server abends. Resolution: Symantec AntiVirus 10.1 is fully compatible with NetWare 6.5 to Support Pack 5. Error: "The wizard was interrupted..." with "WriteCCSettingsTables" error in the install log Fix ID: 1-4PLT45 Symptom: You install Symantec AntiVirus 10.0.x. The installation fails and rolls back. In some cases, the installation may stop at the "Starting Services" message. In the installation log, you find a message referring to errors in "WriteCCSettingsTables." Resolution: Fixed a problem in the installer to prevent this error. Error: "Loader cannot find public symbol: netdbgethostbyname for module VPSTART.NLM" when installing Symantec AntiVirus 10.0 to NetWare Fix ID: 1-4GLAH3 Symptom: You install Symantec AntiVirus 10.0 to a computer that runs NetWare 6.5 Service Pack 3. The installation does not finish, and you see the error message "Cannot find public symbol: netdbgethostbyname for module VPSTART.NLM." You may also see error messages similar to "000000020016777216,server\netware\pki\roots\,InstallPKITemp\pki\roots\,*.*" or "Loading Module VPSTART.NLM [ UNRESOLVED ]" Resolution: Set Netdb.nlm to load automatically when Vpstart.nlm and Rtvscan.nlm run. Odd Central Quarantine Event entries under the Event Actions configuration menu Fix ID: 1-5MPZAQ Symptom: When you configure Central Quarantine Events and expand the Central Quarantine Alert Actions, you see the letters C, D, N, T, U and W. These letters appear to be alert action entries. Resolution: This problem no longer happens with Symantec AntiVirus 10.1 and later. ADDLOCAL= in Vpremote.dat causes Symantec AntiVirus 10.0.2 client installations to fail Fix ID: 1-54CVNH Symptom: You edit the Vpremote.dat file with custom command-line switches in order to deploy Symantec AntiVirus 10.0.2 clients through ClientRemote Install. The command-line switches that you added include ADDLOCAL=. When you use ClientRemote Install to deploy clients, the installations fail. Resolution: Fixed a problem in the installer to prevent this error. Security Risk exceptions are not available in Symantec System Center if the parent server is NetWare Fix ID: 1-45L5VS Symptom: You try to configure Security Risk exceptions in the Symantec System Center for clients that are managed by a Novell NetWare parent server. The exceptions list is blank, and you cannot configure exceptions. Resolution: Updated the code so that NetWare primary servers can better distinguish between security risk types. Symantec Client Security 3.1.0.394
New fixes
Fix ID: 1-4OFQJN Symptom: You migrate from Symantec AntiVirus to a later version of Symantec Client Security. During this process, the policy file (Cpolicy.xml) is not applied. Resolution: Made changes in the installer to check whether the installed program is Symantec AntiVirus or Symantec Client Security. Using IP Address in a pRule does not function properly Fix ID: 1-4FVO5Y Symptom: You create a pRule with a single rule for a specific remote IP address. When you open the program, you are prompted with a security alert or the action is blocked entirely. You use a required digest and want the program rule to be created automatically. If you set the rule to Any Computer, the pRule seems to function properly. Resolution: Changed the code in Common Client to fix this problem. Unlocked rules on a Symantec Client Firewall client are deleted after deploying a policy file Fix ID: 1-4SCVWT Symptom: You edit a Symantec Client Firewall policy file in Symantec Client Firewall Administrator. On the Settings tab in Symantec Client Firewall Administrator, you uncheck "Delete unlocked rules on policy integration." After you deploy the policy file to a client, any existing unlocked rules on the client are deleted. Resolution: Updated the code so that unlocked rules are no longer deleted. Secure Port and ISservice fail to load at startup Fix ID: 1-5C5XCC Symptom: You install Symantec Client Security 3.0. When you start the computer, the Symantec Secure Port service and the IS Service service do not load. You can start the services manually without errors. Resolution: The problem no longer occurs with Symantec Client Security 3.1. You must defragment the hard drive of any affected computers before you migrate to Symantec Client Security 3.1. "Any Version" in Prule creation continues to prompt for user action Fix ID: 1-3L5TQY Symptom: In Symantec Client Firewall Administrator, you create or edit a new pRule that uses only the criteria for the file name and "Any Version" to match a network-aware application. You export this rule set to your clients and try to run the network-aware application. A Low Security Risk pop-up appears and asks which action to take for this alert. Resolution: The "Any Version" parameter now works as expected. SSL E-mail does not work with Privacy Control Fix ID: 1-4CZ69T, 1-5A5MHR, 1-4LE64H Symptom: Your email client uses SSL to send email. After you install Symantec Client Security, you send email and you see the message "An encrypted email connection has been detected. Please see help for more information on how to transmit encrypted email." The numbers 1003,14 appear in the lower-left corner of the dialog box. The email message is not sent. The problem persists after you disable Internet E-mail Auto-Protect. Resolution: The problem no longer occurs with Symantec Client Security 3.1. |