Windows 10 Symantec Endpoint Protection (SEP) Client 12.1.6 Compatibility

Windows 10 has been out for some time now.  Upon first being released, Symantec Endpoint Protection clients that were on Version 12.1.5 or older were no longer compatible if upgrading to Windows 10.

Symantec released SEP Version 12.1.6 for Windows 10 users.  Fast forward to today and Microsoft has released a Feature Update to Windows 10, version 1607.  In order to install the update, users running SEP 12.1.6 are prompted to uninstall SEP because it is no longer compatible with the newer version of Windows 10.

There is, however, a newer build of the SEP 12.1.6 client that is compatible with Windows 10 version 1607.  Symantec Endpoint Protection 12.1.6 (12.1 RU6 MP6) build 7061 (12.1.7061.6600) for enterprise users can be downloaded here: enter your serial number and download the file named Symantec_Endpoint_Protection_12.1.6_MP6_All_Clients_EN.zip.

#sep-12-1-5, #sep-12-1-5-to-12-1-6, #sep-windows-10-compatability, #symantec-endpoint-protection, #symantec-endpoint-protection-windows-10-compatability

SEP Client …Block Traffic From IP Address… Event ID 8003, 8009, and 8019 Master Browser

When workstations are members of a Workgroup rather than joined to a domain, the SEP client may block traffic from another IP address on the local area network because of the Master Browser / Computer Browser service.  When this happens, Event ID 8003, Event ID 8009 and Event ID 8019 are logged alongside the block.

Symantec Endpoint Protection

Port Scan attack is logged

The client will block traffic from IP address xxx.xxx.xxx.xxx for the next xxx seconds (from xx/xx/xxxx to x/xx/xxxx).

Symantec Intrusion Prevention services on a PC has blocked traffic from a workstation on the same LAN.

If the workstations are not domain joined, belong to a Workgroup on the local area network, and are running a SEP client, this notification may be a false positive on one or more of them.  All Windows computers in a Workgroup on the same LAN still broadcast traffic to each other: a single workstation is automatically elected by the others as Master Browser for the Workgroup.  If another PC on the LAN attempts to become Master Browser for the Workgroup, Event ID 8003 is logged on the machine that is the current Master Browser.

Log Name:     System
Source:         bowser
Date:          x/x/xxxx
Event ID:      8003
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:     ComputerNameHere
Description:
The master browser has received a server announcement from the computer HostNameHere that believes that it is the master browser for the domain on transport NetBT_Tcpip_{xxxxx}. The master browser is stopping or an election is being forced.

On the computer attempting to become the Master Browser, you will find Event ID 8009 and Event ID 8019 that will have been logged at around the time of the incident.  It is a false positive caused by background network traffic between both computers competing for the Master Browser role on the LAN.

Future Symantec Endpoint Protection client IPS “block traffic from IP address” notifications caused by the Master Browser / Computer Browser service (the ones accompanied by Event ID 8003, Event ID 8009 and Event ID 8019) can be prevented by going to Control Panel > Administrative Tools > Services and locating “Computer Browser”.  If the service is “Started”, double-click it and set its Startup type to “Disabled”.  This stops this type of background communication between the two workstations.
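As an added example (not from the original post), the following PowerShell, run in an elevated session on the Workgroup workstation, first pulls the bowser 8003/8009/8019 events so you can confirm they line up with the timestamp in the SEP notification, then stops and disables the Computer Browser service (service name "Browser") as the post describes. It assumes PowerShell 5.0 or later for the StartType property.

```powershell
# Added example (not from the original post): correlate the SEP "block traffic"
# notification with Computer Browser election events, then disable the service.
# Assumes an elevated PowerShell 5.0+ session on a Workgroup-joined Windows client.

# 1. Pull the browser election events the post describes (IDs 8003/8009/8019,
#    provider "bowser" in the System log) from the last 7 days.
$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'bowser'
    Id           = 8003, 8009, 8019
    StartTime    = $since
} -ErrorAction SilentlyContinue

if ($events) {
    # Compare TimeCreated with the "from ... to ..." window in the SEP notification.
    $events |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } } |
        Format-Table -AutoSize -Wrap
} else {
    Write-Output "No bowser 8003/8009/8019 events since $since."
}

# 2. Check the Computer Browser service (short name "Browser") and disable it so
#    this machine no longer takes part in Master Browser elections.
$svc = Get-Service -Name 'Browser' -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Output 'Computer Browser service is not present on this Windows build.'
} else {
    Write-Output ('Computer Browser: status={0} startup={1}' -f $svc.Status, $svc.StartType)
    if ($svc.Status -eq 'Running') { Stop-Service -Name 'Browser' -Force }
    Set-Service -Name 'Browser' -StartupType Disabled
    Write-Output 'Computer Browser stopped and set to Disabled.'
}
```

Disabling Computer Browser also removes the machine from the Workgroup browse list shown under Network in Explorer; access by UNC path or DNS name is unaffected.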

#computer-browser, #event-id-8003, #event-id-8009, #event-id-8019, #lan, #master-browser, #port-scan-attack-is-logged, #symantec-block-traffic-from-ip-address, #symantec-endpoint-protection, #symantec-intrusion-prevention, #the-client-will-block-traffic-from-ip-address, #the-master-browser-has-received-a-server-announcement-from-the-computer, #workgroup

Symantec Endpoint Protection Windows 10 Compatibility

Is Symantec Endpoint Protection compatible with Windows 10?

Only if it is the latest Symantec Endpoint Protection version 12.1.6.  Symantec Endpoint Protection 12.1.5 and previous versions are not compatible with Windows 10.

With Microsoft upgrading Windows 7 and Windows 8 to its newest OS platform, Windows 10, businesses are ever more challenged to keep their security solutions up to date.

Scenario:

We recently upgraded to SEP 12.1.5 and rolled out mostly unmanaged clients and a few managed ones. Our organization is now ordering PCs with Windows 10 preinstalled and we need to update Symantec yet again for compatibility. Problem is, our organization does not have proper bandwidth resources to push out the SEP 12.1.6 client to all PCs. On top of that, most of our users are on thin clients. Our newest thin client images for HP t620 already include the SEP 12.1.5 client.

The question is this: Can I update SEPM to 12.1.6 to create the new package for Windows 10 PCs but leave all existing PCs/thin clients on 12.1.5?  Will the 12.1.5 managed clients still talk to SEPM 12.1.6 and continue to download definitions without the need to update?  As long as the base version is the same (i.e. 12.1.x), then SEPM and the SEP client can be on different versions.

http://www.symantec.com/connect/forums/sepm-client-different-version

Additionally, posts on the official Symantec forum state that an unmanaged SEP 12.1.6 client can be installed on Windows 10 machines by downloading Symantec_Endpoint_Protection_12.1.6_MP3_All_Clients_EN.zip instead of updating SEPM to 12.1.6.

http://www.symantec.com/connect/blogs/symantec-endpoint-protection-and-windows-10-compatibility

Symantec Endpoint Protection (SEP) adds support for Windows 10 with 12.1.6 MP1.

For Symantec Endpoint Protection 12.1, a maintenance patch has been released on July 29, 2015. Customers will need to be current on maintenance to receive the maintenance patch update. For more information, visit our SEP 12.1 Windows 10 Knowledge Base.

You can upgrade to Windows 10 with Symantec Endpoint Protection 12.1.6 MP1 installed. You must uninstall earlier versions of Symantec Endpoint Protection. The operating system upgrade stops if it detects an earlier version of Symantec Endpoint Protection.

The following operating system upgrade paths are supported with 12.1.6 MP1 installed:

  • Windows 8.1 to Windows 10

  • Windows 8 to Windows 10

  • Windows 7 to Windows 10

Symantec_Endpoint_Protection_12.1.6_MP3_All_Clients_EN.zip can be downloaded from the link below by entering your Symantec product serial number.

https://symantec.flexnetoperations.com/control/symc/registeranonymouslicensetoken
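As an added example (not from the original posts or from Symantec), this PowerShell pre-flight check reads the installed SEP client version and flags clients older than the 12.1.6 MP6 build 12.1.7061.6600 that the first post names as compatible with the Windows 10 version 1607 feature update; it serves both that post and the compatibility discussion above. It assumes the SEP client registers under the standard Uninstall registry keys with a DisplayName beginning "Symantec Endpoint Protection" and a four-part DisplayVersion.

```powershell
# Added example (not from the original posts or Symantec): pre-flight check
# before a Windows 10 feature update. Flags SEP clients older than the
# 12.1.6 MP6 build (12.1.7061.6600) named in the first post as 1607-compatible.
# Assumptions: SEP appears under the standard Uninstall keys with DisplayName
# starting "Symantec Endpoint Protection" and a four-part DisplayVersion.

$minimumBuild = [version]'12.1.7061.6600'   # from the post; adjust per Symantec KB

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$sep = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Symantec Endpoint Protection*' } |
    Select-Object DisplayName, DisplayVersion -First 1

if (-not $sep) {
    Write-Output 'SEP client not found in the Uninstall registry keys.'
    return
}

$installed = $sep.DisplayVersion -as [version]
if (-not $installed) {
    Write-Warning ("Could not parse SEP DisplayVersion '{0}'." -f $sep.DisplayVersion)
    return
}

$os = Get-CimInstance -ClassName Win32_OperatingSystem
Write-Output ('{0} {1} on {2} build {3}' -f $sep.DisplayName, $installed, $os.Caption, $os.BuildNumber)

if ($installed -lt $minimumBuild) {
    Write-Warning ("SEP {0} is older than {1}; the Windows 10 1607 feature update will prompt to uninstall SEP. Upgrade the client first." -f $installed, $minimumBuild)
} else {
    Write-Output 'SEP build meets the minimum the post names for the Windows 10 1607 feature update.'
}
```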

#antivirus-2, #security-2, #sep-12-1-5, #sep-12-1-5-to-12-1-6, #sep-12-1-6, #sep-manager, #sep-windows-10-compatability, #sepm, #sepm-12-1-6, #symantec-endpoint-protection, #symantec-endpoint-protection-windows-10-compatability

Symantec Endpoint Protection (SEP) 12.1.5 Antivirus Exclusion – Windows Server 2012 R2 – Citrix XenApp 7.6

Antivirus exclusions are an important step in deploying server-based technologies.  An organization’s performance needs are just as critical as its security.  Antivirus protection on physical XenApp servers hosting applications and shared desktops can be a challenge when the appropriate exclusions are not set up, because performance and availability can suffer drastically.  Issues that can be avoided with exclusions include hanging user sessions, long delays at logon and logoff, long delays launching apps, and server unresponsiveness.

For a deployment of the XenApp 7.6 VDA on Windows Server 2012 R2 at a healthcare organization, the following resources were reviewed to identify what to add to the exception policy in Symantec Endpoint Protection Manager.  The links refer to best practices recommended by Symantec, Citrix, Microsoft and, for a healthcare organization using Intergy, Sage.

SEP_12.1.5_Exceptions

https://support.symantec.com/en_US/article.TECH91070.html

https://www.citrix.com/blogs/2013/09/22/citrix-consolidated-list-of-antivirus-exclusions/

https://support.citrix.com/article/CTX127030

http://social.technet.microsoft.com/wiki/contents/articles/18439.terminal-server-antivirus-exclusions.aspx

http://www.millennium-mb.com/files/Sage_Intergy_EHR_EMR_New_Jersey_York_Medical_Billing.pdf

Note that the registry fix described in the first link is performed after the SEP 12.1.5 client is installed on the XenApp 7.6 VDA server.

The fourth link down refers to Antivirus Exclusions recommended by Microsoft for Terminal Servers.  We were unable to find an updated list for Remote Desktop Services on Windows Server 2012 R2 but some of the previous exclusions will still apply.

The same is true for Intergy/ Intergy EHR exclusions.  Previous exclusions for earlier versions of Intergy still apply for newer versions.

Lastly, while all of the file exclusion recommendations above come from the product vendors mentioned earlier, it is worth noting that anything excluded is no longer scanned, so every exclusion technically makes the server more vulnerable to attack.  Thus, antivirus software on XenApp 7.6 VDA servers should only be one part of a larger, more robust enterprise security plan.

#antivirus-2, #citrix, #exception-policy, #security-2, #sep-12-1-5, #sep-manager, #sepm, #shared-desktop, #symantec-endpoint-protection, #vda-7-6-0, #virtualization-2, #windows-server, #xenapp-7-6-2

Verify Symantec Endpoint Protection Manager Created Exception Policy is Applied to Client

Consider the following scenario:

You recently deployed a couple of Citrix XenApp servers. You created a new group in SEP 12.1.5 manager and modified an exception policy to exclude individual files, extensions and processes from being harassed by SEP 12.1.5. Then, you created an unmanaged client install package using that new group so that the exception policy would be included. You installed the client on the server and under User defined Exceptions the window is blank. How can you know for sure that the exception policy you applied to the group in SEP 12.1.5 Manager carried over and is being applied on the machine?

Thanks to the Reddit Symantec gurus, we know that the User defined Exceptions section in the SEP client is for exceptions added by the user only, not those from SEP Manager.  Thus, that section will not show what you configured in the exception policy created in SEP Manager and included in the install package.

To verify that Symantec Endpoint Protection Manager created exception policies are being applied to the client:

Open SEP on client machine and at the top-right, go to Help and select Troubleshooting from the drop-down menu that appears.  In the Management window, click on Export under the Policy Profile. This will allow you to export an XML file that you can then search for the exclusions.

Another way to verify that a Symantec Endpoint Protection Manager created exception policy is applied to the client is to open regedit and inspect the exclusions directly in the registry.  Browse to the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\SYMANTEC\SYMANTEC ENDPOINT PROTECTION\AV\EXCLUSIONS

Note: On 64-bit Windows machines the registry path is: HKEY_LOCAL_MACHINE\Software\WOW6432Node\Symantec\Symantec Endpoint Protection\AV\Exclusions

https://support.symantec.com/en_US/article.TECH105814.html
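As an added example (not from the original post), this PowerShell enumerates the client's AV exclusions straight from the registry key named above, so SEPM-pushed exceptions can be verified even though the client's User defined Exceptions window is blank. It assumes exclusions are stored as values under subkeys of ...\AV\Exclusions (with the 64-bit copy under WOW6432Node) and uses a placeholder Citrix path for the expected exclusion; substitute one from your own exception policy.

```powershell
# Added example (not from the original post): list the SEP client's AV exclusions
# from the registry key the post names, then check for one expected entry.
# Assumptions: exclusions live as values under subkeys of ...\AV\Exclusions,
# 64-bit Windows stores them under WOW6432Node, and $expected is a placeholder.

$candidatePaths = @(
    'HKLM:\SOFTWARE\WOW6432Node\Symantec\Symantec Endpoint Protection\AV\Exclusions',
    'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Exclusions'
)
$root = $candidatePaths | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $root) { Write-Warning 'No SEP Exclusions key found; is the client installed?'; return }

# Walk every subkey and collect each named value. The relative subkey path shows
# the exclusion type (directory, extension, process) and which branch it sits in.
$entries = Get-ChildItem -Path $root -Recurse | ForEach-Object {
    $key = $_
    $rel = $key.Name -replace '^.*?\\AV\\Exclusions\\?', ''
    $key.GetValueNames() | Where-Object { $_ } | ForEach-Object {
        [pscustomobject]@{
            SubKey = $rel
            Name   = $_
            Value  = $key.GetValue($_)
        }
    }
}

Write-Output ("Found {0} exclusion values under {1}" -f @($entries).Count, $root)
$entries | Sort-Object SubKey, Name | Format-Table -AutoSize -Wrap

# Check for one exclusion you expect from the SEPM policy (placeholder path).
$expected = 'C:\Program Files (x86)\Citrix'
$hit = $entries | Where-Object { "$($_.Value)" -like "$expected*" } | Select-Object -First 1
if ($hit) {
    Write-Output ("Expected exclusion present: {0} ({1}\{2})" -f $hit.Value, $hit.SubKey, $hit.Name)
} else {
    Write-Warning "Expected exclusion '$expected' not present; re-check the policy and group assignment."
}
```

Cross-check the listing against the Policy Profile XML exported via Help > Troubleshooting, as described above; the two should agree on every policy exclusion.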

#antivirus-2, #exception-policy, #security-2, #sep-12-1-5, #sep-manager, #sepm, #symantec-endpoint-protection, #windows-server