Enterprise Endpoint Security R77.30.02 Server and E80.64 Client Known Limitations
Solution

This article lists all of the known limitations of Enterprise Endpoint Security R77.30.02/E80.64.

This is a live document that may be updated without special notice. We recommend registering for our weekly updates in order to stay up to date. To register, go to UserCenter > ASSETS / INFO > My Subscriptions.

Important notes:

 

Table of Contents

  • R77.30.02 Management Server
  • Endpoint Security E80.64 Clients for Windows
    • Installation
    • Client UI
    • Anti-Malware
    • Application Control
    • Capsule Docs
    • Full Disk Encryption
    • FDE Offline Mode
    • Media Encryption and Port Protection
    • SandBlast Agent
    • SandBlast Agent Browser Extension
  • Endpoint Security E80.64 Clients for Mac
    • General
    • Full Disk Encryption
    • Media Encryption and Port Protection

 

R77.30.02 Management Server

ID Description
- A SmartDashboard administrator cannot log in to the Web Remote Help portal.
- SmartDashboard and SmartEndpoint cannot connect to the Secondary server if the initial load is not completed.
- If there is at least one Remote Help server, manual synchronization of the Secondary Endpoint Security Management Server does not work. You must select Automatic synchronization.
02037545 After installation of this release, Apache configuration files are upgraded and all customization is removed. Previous configuration files are backed up in the $UEPMDIR/apache22/conf folder.

02292021 After an Endpoint Security Server upgrade to R77.30.02, these features are automatically enabled for E80.64 clients:

  • Scan e-mail messages on Access.
  • Scan e-mail messages on Scheduled scan.
01646143 The Self Help portal can be enabled on other servers but only works on the primary server.
01380031 Exporting multiple packages at the same time is not supported.
02307359 Next Generation SmartEvent is not supported in this release.
02360674 Policy installation fails if a Compliance rule for Mac with "Active Directory Domain check" is configured.

Workaround:

  1. Edit the action of Compliance policy <Required - Computer in a domain and running secure screen saver>.
  2. Create a new Required entity check.
  3. Select the "Check domain" option.
  4. Select the "Check File" option (with any action in the Combo Box) and write any file name in the row below.
  5. Install policy.
02169611 In the Application Control policy, after you import a new program, when you double-click to open the allowed/blocked applications list, it does not show the updated information. Click on "Manage Allowed/Blocked Apps List" to show the updated information.

 

Endpoint Security E80.64 Clients for Windows

ID Description
Installation
01837719 Prior to installing Endpoint Security Client on Windows 7 SP1, make sure that KB3033929 is installed.
01281459 The password for Client Uninstall must be in English.
Client UI
02080555 Two Endpoint Security client tray icons can show in rare situations where the logged-in user logs into a program as a different user.
02049709 The Endpoint Client UI only shows the last 150 records for these blades: Anti-Malware, Forensics, and Threat Emulation.
02070494 UserCheck Messages appear too small on Ultra-HD display screens.
Anti-Malware
02036094 The displayed date and time of the Anti-Malware signatures might not be synchronized between clients and servers.
02325521 The Anti-Malware Blade intermittently fails to register in Windows Security Center, which leaves Windows Defender active alongside the Anti-Malware Blade.

Workaround: Manually turn off Windows Defender to prevent conflict over malware detection.

Application Control
02160802 The "Disable Application Control Policy" action in the Application Control policy is not enforced.

Capsule Docs
01787370 Screen capture enforcement is not supported in Office 2010 64-bit and Office 2013 and higher.
01989930 Capsule Docs does not support Protected View in Adobe Reader DC.
01962512 Clipboard operations between Adobe DC and Office 2010 32-bit and Office 2013 and higher are not permitted.
02208090 In Capsule Docs with DLP integration, after you define a File Protection Repository, you must add it as a data type in a rule in the DLP Policy. If not, the repository scan does not start.
02102747 Capsule Docs Windows context menu only supports encrypted Classifications.
02324916 In 32-bit operating systems, protection change of AutoCAD file formats is not supported.
Full Disk Encryption
01483398 Single Sign On from hibernation does not work if "Use Preboot account credentials in OS lock screen" is enabled.
01483532 On Windows 10, Single Sign On does not work when resuming from hibernation if the sleep and then hibernation were performed automatically through Power Options.

Workaround: Do not set a combination of sleep and hibernation in Power Options.

02161881 Custom Protection policy is not supported in an environment that includes UEFI and BIOS computers when using the new XTS-AES algorithm. This will be resolved in E80.64 HFA1, when BIOS support is added for XTS-AES.
01574755 In Surface Pro2 (Windows 8 64-bit) with Type Cover 2, the cursor movement at preboot screen is unusual.
01574771 The Windows Recovery partition is encrypted, but sometimes the GUI only shows 99% encrypted, until after a reboot. After a reboot, the GUI is correct and shows it to be fully encrypted. 
01574774 You cannot type "_" using Type Cover 2.
00673418 It is not possible to unlock FAT32 and FAT volumes in Full Disk Encryption Drive Slaving Utility on BIOS systems. You will not be able to access the files, even if you authenticate to the volumes.
01431925
  1. When you add credentials to a user that is being assigned in the Authorized Pre-boot users window, the credentials are not saved on the server until you click on "OK" in the Authorized Pre-boot users window.
  2. When you add credentials to a user through "More info" in Users and Computers, the credentials are not saved on the server until you click the save icon.

For these reasons, newly added groups and existing groups in the Authorized Pre-boot users window can be shown as groups in which some users have no credentials. Users might have acquired credentials that are not yet saved on the server.

00674375 Installing Full Disk Encryption on Dell Latitude E series 3*50, 5*50 and 7*50 in BIOS mode causes a Green Screen or an "SA not found error".
00674844 You must install Microsoft KB3105213 or a later cumulative update KB that contains these fixes for Windows 10 before you install the Full Disk Encryption blade.
01282104 On a Panasonic CF-RZ4 laptop, a USB Smart Card can only be used to authenticate a Pre-boot account when the laptop is in BIOS mode. When the laptop is in UEFI mode, a USB Smart Card cannot be used.
01483679 On E80.64 clients managed by R77.30.01 or lower server versions, Temporary pre-boot bypass is not supported.
01483672 If using the setting "Do not use device information for Full Disk Encryption remote help" on a deployed Internal User account, after deploying the account to a device, you cannot change "Remote Help response length".

If you change the response length, it will update correctly for users with regular remote help, but users that have the "Do not use device information for Full Disk Encryption remote help" setting will see "Invalid logon" when performing the remote help session.

01483697 Hibernation is not supported on Dell E7440 running on 32-bit Windows 10.
FDE Offline Mode
- To give Remote Help or create recovery media for offline clients, you must use the Endpoint Offline Management Tool.

- There is no support for Smart Card user acquisition.
- The Unlock on LAN feature is not supported.
- If user acquisition is enabled and a number of acquired users are required to enable Pre-boot, then all users must be acquired before a reboot occurs to complete the installation.

A reboot removes all previously acquired users if the installation is not finished.

Media Encryption and Port Protection
01837623 In some cases the list of removable drives in the System Tray is not updated with the correct status of the removable drive. For example, the drive might be shown as "Wait for scan" when the scan is finished. The System Tray is updated with the correct status after some time.
00673975 On Windows 8.1 and higher 32-bit computers: When Media Encryption is installed on a computer with secure boot enabled, Windows will not start and will go into repair mode. Disable secure boot for Media Encryption to work correctly.
01658984 When encrypting a DVD-RW or CD-RW media, the media session closes after the encryption finishes. To add more data, erase the encrypted media and start over. A DVD-RW disk becomes read-only after encryption with Media Encryption.
01619782 There is no remote help support for encrypted CDs and DVDs.
01672485 In some scenarios, the Media Encryption UserCheck justification exception is not shown in the Check Media Encryption report for "Approved by UserCheck" in SmartEndpoint.
01837718 In rare cases, Optical Media Scan is disabled, although enabled by policy. To resolve the issue, please change General Properties (for example, Interval between client heartbeats in Connection Settings) and save the settings on SmartEndpoint.
SandBlast Agent
02030768 The Compliance blade is active by default on SandBlast Agent clients, but it is not visible in the client GUI. Therefore, users might experience Compliance issues but not see the cause of the problem.

Workaround: Disable the Compliance blade enforcement in the SmartEndpoint.

02083304 The Firewall blade is active by default on SandBlast Agent clients, but it is not visible in the client GUI. Therefore, users might experience Firewall issues, but not see the cause of the problem.

Workaround: Disable the Firewall blade rules in SmartEndpoint.

02017354 All SandBlast Agent client deployments also include the required Firewall, Compliance, and Application Control blades. Do not remove any of these blades. If you remove one of the blades, the SandBlast Agent blades are also removed.

02173365 Gateway triggers for Forensics will only work:

  • With HTTP connections
  • With traffic that matches a rule that includes UserCheck in the Network Security Policy
02173378 For Forensics Analysis and Remediation settings that use Confidence levels, only SandBlast Agent Anti-Bot and SandBlast Agent Threat Emulation are supported. For all other triggers, only "Always" and "Never" are supported. If other options are selected, the behavior enforced is "Always".
01837796 Threat Emulation local appliance detection logs will not contain emulation reports.
SandBlast Agent Browser Extension
02307216 The Browser Extension is only supported in AD environments.
02307274 The Browser Extension is only supported in Google Chrome.
02307283 In Incognito mode, the Browser Extension is disabled by default. If you enable it, users can disable it.
02307280 Google Chrome gets Endpoint Security policy updates once every 10 minutes. To push a policy update, close all instances of Chrome and then open it again.
02307212 The policy is not encrypted. Users can see the configured Web Extension policy at chrome://policy

 

Endpoint Security E80.64 Clients for Mac

ID Description
General
01483952 Endpoint Security might ask for Administrator authentication. This can happen when the Endpoint Security Management Server is running in Authenticated mode and the Mac user is a standard account.
To prevent this from happening, run the following command on the Mac client computer:
sudo security authorizationdb write com.checkpoint.fde.authenticate.user-kerberos-tgt authenticate-session-user
Full Disk Encryption
02346951 SmartEndpoint settings for Temporary Pre-boot Bypass Settings are not supported for Mac clients.
01483893 When using Mac clients with an R77.30 01 HF1 server on Windows, Bypass pre-boot when connected to LAN fails intermittently with Apple Mac USB Ethernet Adapter. Apple Thunderbolt Ethernet Adapter does not fail.
01483767 Single Sign-on does not work with Full Disk Encryption when users use a smart card as the preboot authentication method.
01483784 In the SmartEndpoint GUI, "Authorize Preboot Users" - "Add New Preboot Users", the setting "Do not use device information for Full Disk Encryption Remote Help" is not supported with Mac clients.
01483768 When multiple USB devices are connected to a computer during Full Disk Encryption Pre-boot, the Smart Card reader intermittently fails.
This is due to an error found in the Apple EFI firmware (Apple bug id#28710736).
01483941 Smart Card authentication for Preboot is only supported with hardware that shows in SmartEndpoint in the Preboot Authentication Settings window.
To use different hardware, submit a Request for Enhancement.
Media Encryption and Port Protection
01483805 Sometimes opening a document in the NON-BIZDATA will fail with a "Permission error" message. This can happen if the document's default application is using Apple Sandbox.
01483801 A Media Encryption password with international characters that was created on a Mac client does not work in the Windows offline utility.
01483804 Media Encryption will only mount BIZdata if media is inserted while a Mac user is logged into Mac OS X.
