Release Notes for Symantec™ Endpoint Protection and Symantec Network Access Control, version 11, Release Update 6
Revision Date: April 14, 2010, 9:00 A.M. PDT
Release Notes for Symantec Endpoint Protection and Symantec Network Access Control, version 11, Release Update 6
This document includes the following topics:
■ About Symantec Endpoint Protection and Symantec Network Access Control version11.0 Release Update 6 (11.0 RU6)
■ What's new in Symantec Endpoint Protection 11
■ Where to get more information
■ What you need to know before you install or update your software
■ User documentation changes summary
■ Known issues and workarounds
■ Resolved issues in this release
■ Components in this release
■ Legal Notice 4 Release Notes for Symantec Endpoint Protection and Symantec Network Access Control, version 11, Release Update 6 About Symantec Endpoint Protection and Symantec Network Access Control version11.0 Release Update 6 (11.0 RU6)
About Symantec Endpoint Protection and Symantec Network Access Control version11.0 Release Update 6 (11.0 RU6) Version 11.0.6 is the upgrade to previous versions of the Symantec Endpoint Protection and Symantec Network Access Control 11.0 product line. All functionality of version 11.0 is maintained, unless otherwise noted.
What's new in Symantec Endpoint Protection 11 The current release includes the following improvements that make Symantec Endpoint Protection and Symantec Network Access Control easier and more efficient to use.
Table 1-1 New features in this version
Feature Benefit
A Web-based console provides a Symantec Protection Center is a Web-based console single sign-on capability for that enables you to access and manage multiple, registered Symantec products supported Symantec products. The console also provides visibility and analytics across products as well as provides useful security feedback and attack statistics. The console provides a single sign-on screen for the following registered Symantec products:
■ Symantec Endpoint Protection ■ Symantec Critical System Protection ■ Symantec Web Gateway ■ Symantec Brightmail Gateway ■ Symantec IT Analytics ■ Symantec Data Loss Prevention
A Web-based console for Symantec You can now manage Symantec Endpoint Protection Endpoint Protection Manager Manager remotely in a Web-based console. The provides easier remote management Java-based remote console is also still available. access
Symantec Endpoint Protection You can use Symantec Endpoint Protection Manager includes client software to run on a to manage Mac clients that run Symantec software Mac computer to provide virus and spyware protection on Mac OS X computers. Release Notes for Symantec Endpoint Protection and Symantec Network Access Control, version 11, Release Update 6 5 What's new in Symantec Endpoint Protection 11
Table 1-1 New features in this version (continued)
Feature Benefit
Scheduled scans can start at random You can specify a time interval during which times scheduled scans start, and enable the scans to start at different times within that time interval. By running scans at random times, you can increase scan performance, especially in virtualized environments.
Enhanced default Antivirus and For new product installations, changes in the default Antispyware security policies security policies make Symantec Endpoint Protection more efficient at detecting malware. Customers who upgrade to Symantec Endpoint Protection version 11 RU6 do not receive new default policies. To see the new recommended Antivirus and Antispyware security policies settings so that you can make the settings changes in your policies manually, see Security Response recommendations for Symantec Endpoint Protection settings.
The Symantec Endpoint Recovery The Symantec Endpoint Recovery Tool provides Tool scans and removes malware an image that you can burn on a disc, and then use from severely infected computers to scan and remove malware from client computers. You use this tool for the computers that are too infected for Symantec Endpoint Protection to clean effectively. You can download the tool from the following URL: https://fileconnect.symantec.com/
Host Integrity policies check for You can run a Host Integrity check to see whether additional security software the client computers run the following software:
■ Norton Antivirus 2010 ■ Norton Internet Security 2010 ■ Norton 360 Version 3.0 ■ Symantec Endpoint Protection Version 11 Release Update 6 ■ McAfee Internet Security 2010 ■ McAfee VirusScan Plus 2010 ■ McAfee Total Protection 2010 ■ McAfee VirusScan Enterprise 8.7i 6 Release Notes for Symantec Endpoint Protection and Symantec Network Access Control, version 11, Release Update 6 Where to get more information
Where to get more information Sources of information include the following:
■ Installation Guide for Symantec Endpoint Protection and Symantec Network Access Control
■ Administration Guide for Symantec Endpoint Protection and Symantec Network Access Control
■ Client Guide for Symantec Endpoint Protection and Symantec Network Access Control
■ Implementation Guide for Symantec Network Access Control Enforcement
■ LiveUpdate Administrator Getting Started Guide
■ LiveUpdate Administrator User's Guide
■ Symantec Central Quarantine Implementation Guide
■ Symantec Endpoint Protection 11.0 Windows Small Business Server Best Practices White Paper
■ Tool-specific documents, located in some subdirectories of the Tools folders on the product disc
■ Readme file, located in the root folder of the installation product disc
■ Online Help that contains the information that is in the guides plus context-specific content The primary documentation is available in the Documentation folder on the product discs. Updates to the documentation are available from the Symantec Technical Support Web site.
Table 1-2 Symantec Web sites
Types of information Web address
Symantec Endpoint Protection http://www.symantec.com/business/products/downloads/ trialware
Public Knowledge Base http://www.symantec.com/business/support/overview.jsp?pid=54619 Releases and updates http://www.symantec.com/business/support/overview.jsp?pid=52788 Manuals and documentation updates Contact options
Release notes and additional http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007121216360648 post-release information Release Notes for Symantec Endpoint Protection and Symantec Network Access Control, version 11, Release Update 6 7 What you need to know before you install or update your software
Table 1-2 Symantec Web sites (continued)
Types of information Web address
Virus and other threat information and http://securityresponse.symantec.com updates
Product news and updates http://enterprisesecurity.symantec.com
Symantec Endpoint Protection forums https://forums.symantec.com/syment/board? board.id=endpoint_protection11
Symantec Network Access Control http://www.symantec.com/connect/security/forums/network-access-control forums
What you need to know before you install or update your software System requirements for Symantec Endpoint Protection and Symantec Network Access Control and other material to consider before installation are located in the Getting Started with Symantec Endpoint Protection and Getting Started with Symantec Network Access Control documents, and in the Installation Guide. These documents accompany the software and are also available on the Symantec Support Web at the following locations: Symantec Endpoint Protection documentation. Symantec Network Access Control documentation The Common Topics page of the Support site provides individual articles and links that are designed to provide installation assistance, best practices, and FAQs.
Installing the product for the first time You can use the following main steps to install the product on a computer on which a version is not already installed.
Table 1-3 Process for installing the product
Step Action Description
Step 1 Review system and Confirm that your network and the computers you plan to installation use meet the requirements to install and run the software. requirements
Step 2 Plan and prepare Decide which type of database to use, plan your deployment, for the installation and prepare client computers. 8 Release Notes for Symantec Endpoint Protection and Symantec Network Access Control, version 11, Release Update 6 What you need to know before you install or update your software
Table 1-3 Process for installing the product (continued)
Step Action Description
Step 3 Install Symantec Run the installation program from the product disc. The Endpoint program first installs the management server software. It Protection then configures the management server and creates the Manager database. Follow the procedure that corresponds to the type of database you select.
Step 4 Create and deploy After you configure the database, you are asked if you want a client to run the Migration and Deployment Wizard. This wizard installation creates and then pushes out a default client software package installation package. Alternately, you can:
■ Use the Migration and Deployment Wizard from the Start menu at any time. ■ Create and deploy client software at a later time using the Find Unmanaged Computers utility in the console. Note: If this installation is an upgrade deployment from Symantec Endpoint Protection, there is no need to re-deploy the client. The installation of Symantec Network Access Control activates the Symantec Network Access Control features on the client without further deployment.
To view this topic with links to the procedures listed above, go to the following URL: http://seer.entsupport.symantec.com/docs/330754.htm
Upgrading to a new release of Symantec Endpoint Protection or Symantec Network Access Control You can upgrade to the latest maintenance release of Symantec Endpoint Protection or Symantec Network Access Control. Before you install a new version of the software, you must perform certain tasks as part of your upgrade plan to ensure a successful upgrade. The information in this section is specific to upgrading software in environments where a version of Symantec Endpoint Protection or Symantec Network Access Control 11.x is already installed. Release Notes for Symantec Endpoint Protection and Symantec Network Access Control, version 11, Release Update 6 9 What you need to know before you install or update your software
Table 1-4 Process for upgrading to the latest maintenance release
Step Action Description
Step 1 Back up the database Back up the database used by the Symantec Endpoint Protection Manager to ensure the integrity of your client information.
Step 2 Turn off replication Turn off replication on all sites that are configured as replication partners. This avoids any attempts to update the database during the installation.
Step 3 Stop the Symantec The Symantec Endpoint Protection Manager service Endpoint Protection must be stopped during the installation. Manager service
Step 4 Upgrade the Symantec Install the new version of the Symantec Endpoint Endpoint Protection Protection Manager on all sites in your network. The Manager software existing version is detected automatically, and all settings are saved during the upgrade.
Step 5 Turn on replication after Turn on replication when the installation is complete the upgrade to restore your configuration.
Step 6 Upgrade Symantec client Upgrade your client software to the latest version. software
To view this topic with links to the procedures listed above, go to the following URL: http://seer.entsupport.symantec.com/docs/330694.htm
Symantec Endpoint Protection Manager requires TCP port 9090 by default Symantec Endpoint Protection Manager uses TCP 9090 to display the Symantec Endpoint Protection Manager console. If other software is listening on this port, you cannot log on to the Symantec Endpoint Protection Manager console. Note that Symantec IM Manager uses TCP port 9090. If you are required to run Symantec Endpoint Protection Manager console on a computer that also requires other software that uses TCP port 9090, you can change the port for Symantec Endpoint Protection Manager console. To change TCP port 9090, edit the following file with WordPad (Notepad does not correctly show the XML line feeds): 10 Release Notes for Symantec Endpoint Protection and Symantec Network Access Control, version 11, Release Update 6 User documentation changes summary
\Symantec\Symantec Endpoint Protection Manager\tomcat\conf\server.xml
Search for port=9090 and change 9090 to a different TCP port number. Save the file, and then restart Symantec Endpoint Protection Manager with the Administrative Tools > Services utility. You can then log on to the Symantec Endpoint Protection Manager console. Be aware, however, that changing port 9090 partially disables the online Help system. Every time you use Help, you will have to change 9090 in the URL to the changed port number to display the Help text.
The default port for Enforcer communication with Symantec Endpoint Protection Manager is 8014 The default port for non-encrypted communication (HTTP) with the Symantec Endpoint Protection Manager has been changed from 80 to 8014. Encrypted communications (HTTPS) continue to use port 443. This port setting applies to all types of Enforcers.
User documentation changes summary This release includes some reorganization and updates to the following documents:
■ Readme HTML file for Symantec Endpoint Protection
■ Readme HTML file for Symantec Network Access Control
■ Readme HTML file for trialware
■ Getting Started for Symantec Endpoint Protection
■ Getting Started for Symantec Network Access Control
■ Installation Guide for Symantec Endpoint Protection and Symantec Network Access Control
■ Administration Guide for Symantec Endpoint Protection and Symantec Network Access Control, which now includes information about managing Symantec Endpoint Protection by using the new Symantec Protection Center Web console, and information about how to manage the new Symantec Endpoint Protection for Mac client
■ Client Guide for Symantec Endpoint Protection and Symantec Network Access Control
■ Implementation Guide for Symantec Network Access Control Enforcement
■ Context-sensitive help Release Notes for Symantec Endpoint Protection and Symantec Network Access Control, version 11, Release Update 6 11 Known issues and workarounds
Client help for the Symantec Endpoint Protection for Mac component is new in this release. Documentation for Symantec Protection Center, including context-sensitive help, is new in this release. Minor changes to several documents and help include clarification about supported operating systems. Windows 7 is supported for the Symantec Endpoint Protection client only. Windows Server 2003 requires Service Pack 1 or later.
Known issues and workarounds The issues in this section are new for Symantec Endpoint Protection version 11, RU6. For a more detailed list of issues that are known but not resolved, see the readme.html file that accompanies the release. You can also view it on the Symantec Support site, at the following location: http://www.symantec.com/business/support/overview.jsp?pid=54619
Upgrades, installation, uninstallation, and repair issues This section contains information about upgrades, installation, uninstallation, and repairs.
UPGRADES
PHP files do not get migrated (replaced) correctly when you do an overinstall to a newer version of Symantec Endpoint Protection Manager. Root Cause: PHP files that are modified (as shown in the time stamp) will not get replaced by MSI during an overinstall since they are unversioned files and MSI has a rule that notes unversioned files that get modified outside of the , and does not replace them in the next installation. This is useful for text files like .ini files, but causes the Symantec installation to fail. Resolution: Do not modify a PHP file. Symantec does not support unwarranted modification of Symantec PHP files. If there is a reason to modify temporarily, please save off the original, do the modification and restore the original later. [1977433]
When you upgrade SQL Server from SQL Server 2000 to SQL Server 2008, Symantec Endpoint Protection Manager does not start This failure is caused by a change in SQL Server 2008 configuration. 12 Release Notes for Symantec Endpoint Protection and Symantec Network Access Control, version 11, Release Update 6 Known issues and workarounds
The following steps solve the problem: 1. Run the MS SQL Server Configuration Manager. 2. Open SQL Server Network Configuration. 3. Configure IP1 and IP2 to be Enabled. Close the Configuration Manager. 4. Restart the SQL service, as recommended by the Configuration Manager. 5. Run the Symantec Management Server Configuration Wizard. 6. Select Reconfigure the management server, and then click Continue. Complete the reconfiguration steps, retaining the existing settings. The database connection is re-established. [1993979]
INSTALLATION AND REPAIR
New client installations must always be made to groups named with English-language characters, not double-byte characters If you create groups with names that use a double-byte character set, you cannot add new clients to those groups through any form of installation. New clients will automatically be placed into the Default Group. From the Default Group you can move those clients to your desired groups. To work around this issue: 1. Create a group that is named with English-language characters. 2. Add new clients to that group. 3. Take one of the following actions:
■ Rename the group to use a double-byte character set.
■ Move the new clients to an existing group that uses a double-byte character set.
Note: This restriction does not apply to upgrades or migrations.
[2020545]
LiveUpdate wizard prompts with an error in some cases on Windows Vista This only happens with a command-line installation, using the "ReallySuppress" flag, and only on Windows Vista. Release Notes for Symantec Endpoint Protection and Symantec Network Access Control, version 11, Release Update 6 13 Known issues and workarounds
Solution: Do not use command-line installation for this case. Instead, export a package that is configured to run silently. No error prompt will appear. [1987467]
QServer and QConsole do not install or work properly on Windows 7 This is known behavior. QServer and QConsole are not supported on Windows 7 and should not be used. [1954166]
Custom packages created by a Limited Administrator point only to the default group When a Limited Administrator creates a custom package with a specific group assignment, that assignment fails. The clients that install that package are assigned to the default group. Solution: To set assignments in a custom package, a full Administrator must create the package. [2008587]
Symantec Protection Center and Web console issues This section contains information about Symantec Protection Center.
Symantec Protection Center and Web console - need to set Internet Explorer to display mixed content To run Symantec Protection Center or the Symantec Endpoint Protection Manager Web console, you must enable mixed content in Internet Explorer. To enable mixed content, click No in the Security Warning dialog box that appears when you first log on. [1873313]
The Symantec Protection Center Dashboard does not reproduce readable text when you change text size in the browser menu to Largest or Smallest Making these changes is not currently supported. We recommend that you leave the text size at the default setting of Medium. [1925419] 14 Release Notes for Symantec Endpoint Protection and Symantec Network Access Control, version 11, Release Update 6 Known issues and workarounds
Brightmail Gateway host configuration stops responding in Protection Center If you edit host configuration settings in Symantec Brightmail Gateway, the server stops responding. You must restart Protection Center from the initial launch page. [1987516]
Configuring Symantec Protection Center to use a proxy server In some situations, Symantec Protection Center requires the use of a proxy server. To configure the proxy server, edit the portal.properties file to include the appropriate settings. The portal.properties file is located at
portal.proxy.enable Enables/disables the use of the proxy settings. The possible values are true and false. Example: portal.proxy.enable=true
portal.proxy.hostname Specifies the proxy hostname. Example: portal.proxy.hostname= 192.168.0.4
portal.proxy.port Specifies the proxy port. Example: portal.proxy.port=808
portal.deepsight.enable Enables/disables the DeepSight feeds that are shown on the Dashboard. The possible values are true and false. Example: portal.deepsight.enable=true
Special guidelines:
■ The Symantec Endpoint Protection Manager must be installed on a private network. Example: the 192.168.0.xx network.
■ The proxy server is assumed to run on port 80. If another port is used, you must specify it.
■ After you set or modify the parameters in the Portal.properties file, you must restart the Symantec Endpoint Protection Manager service. [1991950] Release Notes for Symantec Endpoint Protection and Symantec Network Access Control, version 11, Release Update 6 15 Known issues and workarounds
Right-To-Left Document option in Internet Explorer adds space to left of text If you choose the Right-To-Left Document option in Internet Explorer, an extra space is displayed at the left end of the text. This issue will be fixed in a future release of the software. [1925425]
Symantec Endpoint Protection Manager policy issues This section includes information about working with policies in Symantec Endpoint Protection and Symantec Network Access Control.
GENERAL POLICY ISSUES This section describes general policy-related issues.
Cannot browse to folders and files to add centralized exceptions on clients On 64-bit operating systems, when you try to add an exclusion on the client, you will not be able to browse to the native Windows system32 directory. For example, you cannot browse to %windir%\system32\inetinfo.exe to add it as an exception. Because of the file redirection feature on 64-bit platforms, Windows automatically redirects the client to the 32-bit subsystem Windows system32 directory, which is %windir%\SysWOW64. To work around this issue, the user must log on to the Symantec Endpoint Protection Manager and create a Centralized Exception for the file or folder in question and apply this to the client. [1918264]
NETWORK THREAT PROTECTION POLICIES This section includes the known issues information related to Network Threat Protection policies.
New installations of Symantec Endpoint Protection Manager receive new default antivirus settings for "regular security" and "high security" The following are the new default AV settings for "regular security"
■ Remediation – terminate processes is set to: Yes 16 Release Notes for Symantec Endpoint Protection and Symantec Network Access Control, version 11, Release Update 6 Known issues and workarounds
■ Remediation – terminate services is set to: Yes
■ AP action taken for security risks is set to: Quarantine/Delete The following are the new default AV settings for "high security"
■ Lock Settings is set to: Lock ALL settings
■ Network AutoProtect is set to: Enabled
■ Bloodhound level is set to: Maximum
■ Lock Settings is set to: Lock ALL settings [1978461]
Clients may show "outdated" warning for definitions even though "display a warning" is unchecked The overall setting of Display a Warning when definitions are outdatedremains the same when it is unchecked. It provides an additional option to edit the outdated days and remediation attempts before triggering the notification. We recommend setting specific threshholds of number of days and remediation attempts. [1958302; 1958306]
The Next button appears disabled in selecting a single exception signature for Intrusion Prevention policies When editing Intrusion Prevention policies, you can choose to select individual policies to ignore. To do this, click Edit the policy, and then Exception, and then Add to add an exception. From the list of signatures that appear, you can select a single signature or select all. If you select a single signature, the Next button should be enabled, but is not. Solution: Click Selectall. The Next button is enabled. You can then select individual signatures and the Next button continues to be enabled. [2003309]
PROACTIVE THREAT PROTECTION POLICIES This section includes the known issues information related to Proactive Threat Protection policies. Release Notes for Symantec Endpoint Protection and Symantec Network Access Control, version 11, Release Update 6 17 Known issues and workarounds
Application and Device Control white list process appears not to use the %tmp% folder correctly This is because the tool used for adding white list items uses the System context, and not the user context. For example, adding an entry on Windows XP, '%temp%' refers to 'c:\Windows\Temp' and not 'c:\Documents and Settings\
Application and Device Control rules do not block "Read" access to folders when using Windows 7 This is caused by a difference in the way that Windows 7 codes its read requests, as opposed to how they are coded in Windows XP. We do not anticipate a fix and recommend against attempting to block entire folders. [1987652]
HOST INTEGRITY POLICIES This section includes information about policies, such as Host Integrity policies, that are available only with Symantec Network Access Control. These issues apply only to environments where Symantec Network Access Control is installed.
List of supported antivirus products is not current in documentation The following antivirus products are currently supported in Symantec Network Access Control:
■ AhnLab V3 Internet Security 7.0 Platinum
■ AVG AV 8.0
■ AVG IS 8.0
■ BitDefender IS 2008
■ BitDefender TotalSecurity 2008
■ CA Antivirus 2008, 2009
■ CA Internet Security 2008, 2009
■ CA eTrust Antivirus r8.1
■ CA ez Antivirus r8.2 18 Release Notes for Symantec Endpoint Protection and Symantec Network Access Control, version 11, Release Update 6 Known issues and workarounds
■ Kaspersky Antivirus 7.0
■ Kaspersky Internet Security 7.0
■ McAfee VirusScan Enterprise 8.0i, 8.5i, 8.7i
■ McAfee Internet Security 2008, 2009, 2010
■ McAfee Total Protection 2009, 2010
■ McAfee VirusScan Plus 2008, 2009, 2010
■ Microsoft ForeFront
■ Microsoft LiveOneCare
■ Panda Antivirus+Firewall 2008
■ Panda Antivirus 2008, 2009
■ Panda Internet Security 2008, 2009
■ Panda IS_Platinium 2006
■ Panda Titanium 2006, 2007
■ Sophos 5.x, 6.x, and 7.x
■ Symantec Endpoint Protection, all versions
■ Symantec Norton AntiVirus 2008, 2009, 2010
■ Symantec Norton Internet Security 2008, 2009, 2010
■ Symantec Norton 360 3.x
■ Trend Internet Security 2008, 2009
■ Trend Pc-cillin 2006, 2007
■ Trend OfficeScan 7.3, 8.0
■ Trend Server Protector
Reporting This section contains material that is related to monitoring and reporting issues.
Still Infected includes count of items moved to Quarantine on Mac clients For Mac client computers, if a virus is detected and moved to the Quarantine, the Symantec Endpoint Protection Manager console displays the virus as both Still Release Notes for Symantec Endpoint Protection and Symantec Network Access Control, version 11, Release Update 6 19 Known issues and workarounds
Infected and Quarantined. The Still Infected action does not automatically update for Mac clients. To work around this issue, you can manually clear the Still Infected action by running the Update Content and Scan command on the client computers. For more information, see chapter 10 of the Administration Guide, "Monitoring endpoint protection."
Internet Explorer may close unexpectedly when you review virus definitions in the Symantec Endpoint Protection Manager console Home page If you review multiple virus definitions in the Home page of the Symantec Endpoint Protection Manager console, Internet Explorer may close unexpectedly. This issue occurs if you run Internet Explorer 6 SP 2 or earlier. To work around the issue, upgrade to Internet Explorer 6 SP 3 or later. [1928731]
Clicking on an unacknowledged notifications alert fails to return focus to the Home page after the alert displays When you click on the Unacknowledged notifications link at the left bottom of the Home page, the notifications will display. In some cases, clicking on the Home tab does not return you to the Home page. This is only an issue on Windows XP with Service Pack 3 running Internet Explorer 7 or 8. Solution: Change the security setting for your Internet zone to be Medium or lower. Medium-High and above will block the display of the Home page. [2005768]
Symantec Endpoint Protection and Symantec Network Access Control Windows client issues This section contains information about Symantec Endpoint Protection clients and Symantec Network Access Control clients on Windows computers.
The Symantec Endpoint Protection client sometimes fails to restart when the user clicks Restart Now This has only been observed on Windows 7, and only intermittently. The workaround is to restart the client manually. [1987639] 20 Release Notes for Symantec Endpoint Protection and Symantec Network Access Control, version 11, Release Update 6 Known issues and workarounds
The Proactive Threat Protection portion of the client user interface does not turn red or begin an automatic repair when Proactive Threat Protection definitions are corrupted or missing If Proactive Threat Protection definitions are corrupted or missing, the Proactive Threat Protection portion of the client user interface does not turn red and does not automatically download new definitions to repair itself. After some time, a red dot appears on the Symantec Endpoint Protection notification area icon, and the client user interface states that Proactive Threat Protection is disabled. To work around this issue, the user can click Fix. Symantec Endpoint Protection then downloads new Proactive Threat definitions and corrects the problem. [1934245]
Symantec Endpoint Protection Mac client issues This section contains information about Symantec Endpoint Protection clients on Mac computers.
Scan Status and Details do not match If you run a scan command on a Mac client, the Command Status Details window displays mismatched scan status and details. This situation occurs when the scan is in progress and the software cannot determine the state of the scan. You can safely disregard this mismatch. [1893054]
Installation Wizard displays Install option instead of Upgrade option On Mac OS X 10.5 (Leopard) or 10.6 (Snow Leopard): If you upgrade the client software, the installation wizard displays an Install option instead of an Upgrade option. Click Install to complete the installation. [1922671]
Limited support for location awareness on Mac client Symantec Endpoint Protection for Mac does not provide location awareness. To work around this issue, you can modify the location-specific settings for the Default location for a group that contains Mac computers. [1989028] Release Notes for Symantec Endpoint Protection and Symantec Network Access Control, version 11, Release Update 6 21 Known issues and workarounds
Extended Unicode characters do not display properly in Symantec Endpoint Protection Manager On the Clients page of Symantec Endpoint Protection Manager, the name and logon client of a Mac client computer may not display properly. This situation occurs if the hostname or the user account of the Mac computer contains extended Unicode characters. [1982630]
The Mac on-demand client cannot run without first installing the Static Route tool The Mac OS does not respond to the DHCP static routing option (33) without a patch. Macs in a Symantec Endpoint Protection network cannot download and use the Mac on-demand client without applying that patch. Solution: For each Mac that is running Mac OS X 10.4, 10.5, or 10.6, download and install "Symantec ODC Static Route Spoof Tool.pkg" to install. Administrative permission is needed during the installation. A restart is needed after the installation is complete. To make the DHCP Enforcer environment work, the admin must configure the static route option (33) on the DHCP server . This option enables the following servers to be accessed from the client side when the client is quarantined:
■ Symantec Endpoint Protection Manager server
■ DHCP server: An empty router option (003) needs to be created on the DHCP server for the quarantine user class.
■ DHCP Enforcer, if using the DHCP Appliance
■ Gateway Enforcer: When using the DHCP plug-in, the Gateway Enforcer is used as the delivery point.
■ Spoofing DNS server: When using the DHCP plug-in, the spoofing DNS server is used to resolve names to the Gateway Enforcer for download of the Mac on-demand client. [1978734]
Mac client cannot use UNC path to get updates from internal LiveUpdate server If you set up an internal LiveUpdate server, your Mac client computers cannot get updates by following a UNC path. You must provide an FTP server or a Web page (HTTP) for Mac clients to get updates from an internal LiveUpdate server. 22 Release Notes for Symantec Endpoint Protection and Symantec Network Access Control, version 11, Release Update 6 Known issues and workarounds
[1998197]
Out-of-date definitions determined differently for Mac client Virus definitions on a Windows client are considered out of date as follows: the date of the definitions on the client is compared with the date of the definitions on the server. Mac client definitions are considered out of date by comparing the date of the definitions on the client with today’s date. This situation occurs because Mac clients always get their updates from a LiveUpdate server, not from the management server. [2013252]
Uninstalling Norton AntiVirus or Norton Internet Security on the Mac client To uninstall Norton AntiVirus or Norton Internet Security on a Mac client computer, you can use the uninstaller that is provided on the product disc. The uninstaller is located in the SEP_MAC folder at the root of the product disc. You must uninstall Norton AntiVirus for Mac before you can install Symantec Endpoint Protection for Mac. [2014091]
File System Auto-Protect settings are not locked as expected on Mac clients that are set to Client Control mode Symantec Endpoint Protection Manager can lock or unlock the Auto-Protect settings on client computers in Server Control mode, Mixed mode, and Client Control mode. This works properly on Windows clients, but fails on Mac clients that are in Client Control mode. To work around this issue: 1. Change the Client User Interface Control setting for Mac clients to Server Control mode. 2. Change the state of the Auto-Protect settings while in Server Control mode. 3. Change the clients' Client User Interface Control setting back to Client Control mode.
Note: This only works on clients that are online at the time of the change to Server Control mode. You may want to verify that all clients have received this update. Release Notes for Symantec Endpoint Protection and Symantec Network Access Control, version 11, Release Update 6 23 Known issues and workarounds
[2018385]
Symantec Endpoint Protection Windows client issues This section includes information specific to Symantec Endpoint Protection clients.
ANTIVIRUS AND ANTISPYWARE PROTECTION ISSUES
Windows Security Center cannot be configured on Windows Vista or Windows 7 You cannot use an Antivirus and Antispyware policy to configure Windows Security Center on your client computers that run Windows Vista or Windows 7. [2003228]
Enforcer issues This section includes information about Enforcer features, which are only available in Symantec Network Access Control.
The Integrated Enforcer for Microsoft Network Access Protection (NAP Enforcer) may not validate the UID of a client in some cases If you install the Symantec Endpoint Protection Manager and a NAP Enforcer, and then connect a client, it will be validated for that Manager. If you then correct the NAP Enforcer to a second Manager, you must stop and start the Integrated NAP Enforcer to have the UID properly validated for use with that Manager. [1949062]
A SNAC 11.04.000 Enforcer appliance image cannot be upgraded to an 11.06.000 image You cannot upgrade an Enforcer appliance image from version 11.0.4000 to 11.0.6000. Instead of upgrading, perform a fresh 11.0.6 installation on the appliance. [1879162]
The Mac OS does not respond to the DHCP static routing option (33) without a patch. This means that Macs in a Symantec Endpoint Protection network cannot download and use the Mac On-Demand Client without applying that patch. 24 Release Notes for Symantec Endpoint Protection and Symantec Network Access Control, version 11, Release Update 6 Known issues and workarounds
Solution: For each Mac that is running Mac OS X 10.4, 10.5, or 10.6, download and install Symantec ODC Static Route Spoof Tool.pkg to install. Administrative permission is needed during the installation. A restart is needed after the installation is complete. To make the DHCP Enforcer environment work, the admin must configure the static route option (33) on the DHCP Server. This option enables the following servers to be accessed from the client side when the client is quarantined The following servers should be accessed via router from the client side when the client is quarantined:
■ SEPM Server
■ DHCP Server
■ DHCP Enforcer
■ Gateway Enforcer: when using the DHCP Plug-in, the Gateway Enforcer is used as the delivery point
■ Spoofing DNS Server: when using the DHCP Plug-in, to resolve names to the Gateway Enforcer for download of the Mac On-Demand Client. In addition, create an empty router option (003) on the DHCP Server for the quarantine user class. [1978734]
Re-initializing Enforcer or reconfiguring interface role disconnects on-demand client If you re-initialize an Enforcer or if you reconfigure the interface role, on-demand clients are disconnected from the Enforcer. To work around this issue, disable the on-demand clients and then re-enable them. [1957244]
To change default gateway, use interface set command
To change the default Enforcer gateway, use the interface set command. The route delete and route add commands result in duplicate gateways. [1996721] Release Notes for Symantec Endpoint Protection and Symantec Network Access Control, version 11, Release Update 6 25 Known issues and workarounds
The Gateway Enforcer advanced re-initialize command does not work on the first attempt When re-initializing an Enforcer appliance, running the advanced re-initialize configuration command does not work if you press Ctrl + C after the first configuration attempt. Running this command should return the eth0 IP address as output, but instead it does not display anything. To work around this issue, restart the Enforcer appliance to successfully re- initialize the Enforcer. [1995448]
Enforcer hardware compatibility matrix Enforcer hardware compatibility matrix lists Symantec Network Access Control appliance image releases and their level of testing and support for Dell Enforcer appliance hardware models.
Table 1-5 Enforcer hardware compatibility matrix
Image version Dell PE Dell PE Dell R200 Dell R210 850 860
Image version 11.0.6 Partially Partially Fully tested Not tested and tested and and fully supported fully fully supported supported supported
Image versions 11.0.3, 11.0.4, and Fully tested Fully tested Fully tested Not 11.0 RU5 and fully and fully and fully supported supported supported supported
Image version 11.0 Fully tested Fully tested Not Not and fully and fully supported supported supported supported
Pop-ups appear every 30 seconds on client computer running Windows XP You may encounter a situation where your client computers that run Windows XP receive pop-up messages about a missing agent every 30 seconds. This situation occurs if you choose the Enable pop-up message on client if Client is not running option on the Gateway Enforcer. The situation occurs regardless of the frequency of the pop-up messages that you set. The Messenger Service must also be started on the client computer for the pop-ups to continue to appear. 26 Release Notes for Symantec Endpoint Protection and Symantec Network Access Control, version 11, Release Update 6 Known issues and workarounds
[2014557]
Client computers that run the Mac On-Demand client cannot be authenticated by multiple Enforcers You may encounter a situation where you connect a Mac computer to a shared network that includes an Enforcer. If you subsequently download the Mac On-Demand client, you cannot connect to the network. This situation occurs because the client computer must always be authenticated by the Enforcer that authenticates it first. If you connect the client computer through an Enforcer before you download the On-Demand client, the client then cannot authenticate by using the Enforcer that the On-Demand client software requires. You can work around this issue by downloading the Mac On-Demand client before you connect to a network that requires authentication through an Enforcer. [2011535]
Enforcers select a Symantec Endpoint Protection Manager server by server list sequence instead of priority If a Symantec Endpoint Protection Manager server shuts down, the Enforcer is expected to select the highest priority server on the server list. Instead, the Enforcer selects the next available server in the list sequence instead. There is no known workaround at this time. [2014558]
Symantec Network Access Control client can delay DHCP server authentication after hibernation If a Symantec Network Access Control client resumes after hibernation, there may be a delay in obtaining DHCP server authentication. This situation occurs because the client should request a new IP address. Instead, the client continues to request the current IP address. [2011533]
Mac static route spoof tool does not run on Mac OS X 10.4 (Tiger) The Mac static route spoof tool is not supported on your client computers that run Mac OS X 10.4 (Tiger). [2011540] Release Notes for Symantec Endpoint Protection and Symantec Network Access Control, version 11, Release Update 6 27 Known issues and workarounds
Documentation issues This section includes information about product documentation.
Latest documentation The user documentation might be updated between product releases. You can locate the latest user documentation at the Symantec Technical Support Web sites: Symantec Endpoint Protection documentation Symantec Network Access Control documentation
Installation Guide - System requirements for Windows Server 2008 Hyper-V are not clear The Installation Guide states that Symantec software is supported on Windows Server 2008 Hyper-V. This statement requires clarification. Microsoft Hyper-V Server 2008 is not supported. The Hyper-V role on Windows Server 2008 is supported. [1848688]
Enforcer Implementation Guide: Missing operating system requirements for an Integrated Enforcer for Microsoft DHCP Servers The section titled "Operating requirements for an Integrated Enforcer for Microsoft DHCP Server" should include Windows Server 2008 32-bit and should note that other listed operating systems are for 32-bit systems only. [2001144]
Documentation incorrectly states that exporting data to a Syslog server can only be done with UDP This is incorrect. Either UDP or TCP/IP can be used. This error appears in the "Administration Guide for Symantec Endpoint Protection and Symantec Network Access Control." [1997507] 28 Release Notes for Symantec Endpoint Protection and Symantec Network Access Control, version 11, Release Update 6 Known issues and workarounds
The description in the online help for "Only do Host Integrity checking through the Gateway or DHCP Enforcer" is wrong The description in the online help states, "If you select this option and do not have an Enforcer, the client computer always checks the Host Integrity requirements." This is incorrect. It should read, "If you select this option and do not have an Enforcer, the client computer does not check the Host Integrity requirements." [1967964]
Replication can be done with either Embedded or SQL Server databases The documentation incorrectly states that you must use a SQL Server for the management server in order to do replication. This is incorrect. You can have multiple management servers, each with an embedded database or a SQL Server database. If you want to have a single database with multiple management servers, you should choose the SQL Server for that purpose. The embedded database does not support multiple management servers.
System requirements do not show the SP1 requirement for Windows Server 2003 The Windows client software system requirements specify Windows Small Business Server 2003, but do not mention that Service Pack 1 or later is required on both 32-bit and 64-bit systems. These requirements appear in "Getting Started with Symantec Endpoint Protection" and in "Installation Guide for Symantec Endpoint Protection and Symantec Network Access Control." [1917413]
Table title in topic about supported and unsupported migrations for Mac client is confusing In the Installation Guide, the topic "Migrations that are supported and unsupported for the Mac client" includes a confusing title for the table that explains the migrations. The table title should read "Migration paths from Symantec AntiVirus for Mac to the Symantec Endpoint Protection Mac client." Release Notes for Symantec Endpoint Protection and Symantec Network Access Control, version 11, Release Update 6 29 Known issues and workarounds
Symantec Network Access Control Implementation Guide includes out-of-date list of supported antivirus products The list of supported antivirus products for Symantec Network Access Control that is included in the Symantec Network Access Control Implementation Guide is not current. The following products are currently supported:
■ AhnLab V3 Internet Security 7.0 Platinum
■ AVG AV 8.0
■ AVG IS 8.0
■ BitDefender IS 2008
■ BitDefender TotalSecurity 2008
■ CA Antivirus 2008, 2009
■ CA Internet Security 2008, 2009
■ CA eTrust Antivirus r8.1
■ CA ez Antivirus r8.2
■ Kaspersky Antivirus 7.0
■ Kaspersky Internet Security 7.0
■ McAfee VirusScan Enterprise 8.0i, 8.5i, 8.7i
■ McAfee Internet Security 2008, 2009, 2010
■ McAfee Total Protection 2009, 2010
■ McAfee VirusScan Plus 2008, 2009, 2010
■ Microsoft ForeFront
■ Microsoft LiveOneCare
■ Panda Antivirus+Firewall 2008
■ Panda Antivirus 2008, 2009
■ Panda Internet Security 2008, 2009
■ Panda IS_Platinium 2006
■ Panda Titanium 2006, 2007
■ Sophos 5.x, 6.x, and 7.x
■ Symantec Endpoint Protection, all versions
■ Symantec Norton AntiVirus 2008, 2009, 2010 30 Release Notes for Symantec Endpoint Protection and Symantec Network Access Control, version 11, Release Update 6 Resolved issues in this release
■ Symantec Norton Internet Security 2008, 2009, 2010
■ Symantec Norton 360 3.x
■ Trend Internet Security 2008, 2009
■ Trend Pc-cillin 2006, 2007
■ Trend OfficeScan 7.3, 8.0
■ Trend Server Protector [2017353]
Getting Started Guide lacks some information about downloading Symantec Endpoint Recovery Tool The Getting Started Guide explains that Symantec Endpoint Recovery Tool is new in RU6, and available from FileConnect. To download the tool, you use your Symantec Endpoint Protection serial number. You do not need a separate serial number.
Resolved issues in this release You can view a list of the issues that have been resolved in this release at the following location: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007121216360648
Components in this release You can view a list of the components in this release at the following location: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007121216360648
Legal Notice Copyright © 2010 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, Bloodhound, Confidence Online, Digital Immune System, LiveUpdate, Norton, Norton 360, Sygate, and TruScan are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of Release Notes for Symantec Endpoint Protection and Symantec Network Access Control, version 11, Release Update 6 31 Legal Notice
this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any. THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE. The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement. Symantec Corporation 350 Ellis Street Mountain View, CA 94043 http://www.symantec.com 32 Release Notes for Symantec Endpoint Protection and Symantec Network Access Control, version 11, Release Update 6 Legal Notice