Support Center > Search Results > SecureKnowledge Details
Endpoint Security E80.40 Known Limitations

This article lists all of the known limitations of Endpoint Security E80.40.

This is a live document that may be updated without special notice. We recommend registering to our weekly updates in order to stay up to date. To register go to UserCenter > My Profile > My Subscriptions.

Important notes:

For more information on Endpoint Security E80.40 refer to Endpoint Security E80.40 Release Notes and Endpoint Security E80.40.

Visit our discussion forums to ask questions and get answers from technical peers and Support experts.
Popular forums:

Table of Contents

  • Installation & Upgrade
  • General Limitations
  • Endpoint Security Management Console and Blades
    • Policy
    • Media Encryption & Port Protection
    • Full Disk Encryption
    • Firewall
    • Anti-Malware
    • Compliance
    • Security Analysis Report
  • Endpoint Security Management Server
  • Endpoint Security Clients
    • All Endpoint Security Clients
    • Mac Clients Only
  • Active Directory
  • WebRH
  • SmartLog
ID Symptoms Fix Included in
Installation & Upgrade
00938284 If you do not install all of the SmartConsole applications, some icons may not show in SmartView Tracker. -
01022415 The Endpoint Security Management server automatically installs on Drive C: on Windows computers. This is true for new installations and upgrades. -
00948013 E80.40 Installation is not supported on language localized Windows server computers. -
01025798 Before you uninstall Endpoint Security Client with the Full Disk Encryption blade installed,
you MUST make sure that:
  • The FDE policy is installed on the client.
  • Any encryption/decryption action required by this policy has completed.
If you receive the 'Error 27106: Unknown error when extracting information...' message, or
any other error message, contact support. Run CPinfo and have the output ready for the
support technician.
01028405 When you upgrade to E80.40 on a Windows platform that does not have an earlier version
of Endpoint Security installed, you must do these actions before you reboot the server:
  1. Open a Windows command prompt.
  2. Go to %UEPMDIR%\system\install\
  3. Run postwrapper.exe

After Policy Server upgrade (after the reboot) run:




When you install the E80.40 Endpoint Security overlay on top of R75.40 Security Management, the 15 day plug-and-play trial license for Network Security blades and features is removed. It is replaced by a trial license for the Endpoint Security features only.

To evaluate Network Security blades, you must add a separate evaluation license for this purpose. This limitation has no effect on permanent licenses and contracts,

01052085 Endpoint Security E80.40 is compatible with R75.40 only.

The E80.40 Add On can be installed on top of R75.40 only.

The following is not supported:

  • Upgrading an E80.40 Server to R75.45
  • Installing E80.40 Server Add On on top of R75.45
01027893 E80.40 does not support installation of External Log Servers. -
01129615 If you upgrade from E80.3X to E80.40, names of policies and other objects must begin with English alphabetical characters. They can contain alphanumeric characters after the first character, but not special characters or white space. Refer to sk86640. E80.41

Despite the 'Prompt user to restart after upgrade' setting, computer is restarted automatically at the end the silent upgrade from legacy version to E80.40. (/promptrestart option of Windows Installer does not work in silent mode).

This occurs when upgrading FDE client only.

preupgrade.exe is used for uninstallation of R73 client.

In this case - as the upgrade log shows - "There is no legacy products for uninstall", so preupgrade.exe only installs new Endpoint Security Client (EPS.msi).

The reboot=1 value in EPS.ini file is related to the reboot after uninstallation of R73 client. If there is nothing to uninstall from R73, and "Silent mode" is selected, then Windows Installer reboots the computer immediately after installation of the new EPS.msi despite the value of 'reboot'.

Issue was also documented in sk90473.

General Limitations

When you define a new Directory Scanner instance, we recommend that you assign Read Only permissions for the AD and the deleted object container.


Symantec Endpoint Protection 12 can cause unexpected behavior when enabled together with Endpoint Security Network Protection. You must disable the Symantec Endpoint Protection firewall component.

Symantec Endpoint Protection and other desktop firewall products are not supported and can cause unexpected behavior in addition to the issue described above.
If Password caching is disabled on the VPN gateway and OneCheck is installed on the Endpoint Client, the authentication password is saved in the OneCheck user cache by the VPN client (Endpoint Connect). -
00938284 If you do not install all of the SmartConsole applications, some icons do not show in SmartView Tracker. -

Upgrade from Solaris to E80.40 is not supported.

Workaround: Do an Advanced upgrade to R75.40 and then install the E80.40 add-on.
01011792 The Log Server Connection feature is not supported for Administrators that were created using cpconfig. -
01025262 Custom SmartView Tracker queries are deleted after upgrading to E80.40. You must recreate your custom queries. -
Endpoint Security Management Console and Blades
If a compliance rule with an Application Compliance check uses the HKEY_CURRENT_USER registry key, there are inconsistent results. -
Media Encryption & Port Protection

When you configure Allow write access to a removable device and Block read access, you still have read access to that device.

00878046 Media Encryption & Port Protection rules that block Read and allow Write operations for a removable device are not supported. -
00891808 There can be more than one log entry for one file operation for a removable device. -
00893753 TrueCrypt is not supported on endpoint computers using the Media Encryption blade. We do not recommend using any other 3rd party software that encrypts storage devices when the Media Encryption blade is active. This can cause unexpected behavior. -
00904756 When an external device is connected, the Windows system file icon sometimes shows instead of the applicable Business or Non-Business related lock icon. -
Media Encryption & Port Protection blocks all access to removable devices from network shares, except for CD/DVDs. It does not use the access permissions defined in policy rules. You cannot configure access to removable devices through a network Share in policy rules. -
00917897 The Execute permission for removable devices is not supported in Media Encryption rules. -

Encryption of Business Related data is enforced for file operations generated by Windows Explorer only. File operations generated by other applications are blocked, regardless of the file type.

Resolved in E80.50 for Windows 7 and higher.

00940058 Media Encryption blocks all file operations on Oxygen Open Storage virtual drives that are initiated by Windows Explorer regardless of the applicable policy. -
01013395 Encrypted storage devices formatted with NTFS by an E80.40 client are not supported for clients that have not yet been upgraded to E80.40. Only FAT32 is supported for earlier versions

We recommend that you do not format an encrypted storage with NTFS for use in mixed environments that include clients and servers with releases prior to E80.40.

01026288 When device authorization and scanning are enabled, device formatting can fail. In most of these
cases, windows incorrectly reports a format failure, but the device is, in fact, correctly formatted.
01090922 When you move a file from the Non-Business Data drive, you might get a UserCheck message showing that the operation is not allowed, even though reading from the drive is allowed. You can ignore this message. -

The maximum size for FAT files that can be encrypted is 4GB. If a file larger than 4GB is copied to an encrypted drive, the file does not copy successfully. There is no indication to the user that the file is not copied.

Workaround: Divide files that are larger than 4GB before copying them to encrypted storage.

Resolved in E80.50. An error shows that the encryption is blocked for files larger than 4GB.

Full Disk Encryption
0907767 One Check Logon (Single Sign-on) is not supported. When the user's password changes, the preboot password is not automatically updated. (for Mac only)

If you disable the "Allow Windows Logon" option for Temporary Preboot Bypass, this has no effect. You can log in to Windows and block the message that shows.

- MultiMediaCard (MMC) memory cards are not supported by Endpoint Full Disk Encryption. Refer to sk92708. -


Network object groups with exclusions are not supported for Firewall policy rules. -
00974800 Adding non-supported services to Firewall rules can cause policy installation failure. -
When an archive file that contains many infected files is scanned, the number of detected infections can be lower than the number of treated infections. This behavior might result in a negative quantity of untreated infections in the SmartLog log header. -
When a new Compliance policy is installed, and a remediation process from the previous policy is still running, all remediation processes for the new policy are placed on hold. A Checking Pre-requisites message shows in Client.
01047252 In Compliance Rules, a Remediation for a check does not run if the check is for a prohibited file that is defined with file parameters. -
Security Analysis Report
You must add the (local computer) to your Internet Explorer trusted zone before you run the Endpoint Security Compliance Report. -
01022152 You must install the Initial Analysis Client on endpoint computers before you can run the Security
Analysis Report. To do this, export the client to the Management Server, save the exported client
and then install it on the endpoint computer.
01050834 When you export a Connectivity Report to a file, endpoints with the status 'All Statuses are OK' are not exported. -
- The Security Analysis Tool collects anonymous statistical data from Endpoint Security clients. This is to improve the accuracy of the tool and make the product more valuable for current and future users. -
Endpoint Security Management Server

During the E80.40 Endpoint Security Management server installation, you must always select Yes at the Reboot prompt.



The Security Management Database Revision feature works with E80.40 with these limitations:

1. Endpoint Security data is not part of the database revision.

2. When using database revisions, Endpoint Firewall and Access Zones can use network objects that are part of the revision. In this case, if you restore a revision that does not include these network objects, the policies can become corrupted.

3. Endpoint Policy servers are part of the network objects database. If you restore a revision that does not include these objects, you must define and establish SIC trust with the Policy servers again.



Policy name may not be longer than 100 characters when importing policies during an upgrade of Endpoint Security Server from E80.3x to E80.40. Refer to sk92794. -
Endpoint Security Clients
All Endpoint Security Clients
00671654 In the Temporarily Pre-boot bypass (Wake on LAN) settings, the Allow OS Logon after Temporary Pre-boot Bypass setting is not supported on Mac clients. -
E80.30 and earlier clients do not enforce Endpoint Security Client type rules when connected to an E80.40 Endpoint Security Server. Endpoint Security Client type rules make sure that the required Blades are installed on the endpoint client.
00923191 The E80.40 Endpoint Security SmartConsole client requires .NET 3.5 or higher. Make sure that you install .NET 3.5 or higher before you install SmartConsole. -
00940612 Secure Domain Logon is not supported on Windows XP clients when SSO is enabled. -
01038272 The 'Internet Explorer Automatically detect settings' option is not supported with the VPN
blade for proxy detection and replacement features.
00953730 You cannot use trailing spaces in a file name when using custom logos for Full Disk Encryption pre-boot in the Common Client policy. -
01064459 Multi-user Login (commonly known  as Concurrent Sessions) is not supported for Endpoint Security Clients. -
01150194 Internal server error when changing deployment policy name for endpoint client. -
Mac Clients Only
The Disable Pre-boot settings option "The computer cannot reach any of the configured locations" is not supported for Mac clients. -
00671662 Older Mac computers running only the 32 bit EFI mode are not supported. You cannot install the client.

The list of computers subject to this limitation can be found here (

00671671 The Disable Pre-boot settings option "The hard disk is not used by the original computer (hardware hash)" is not supported for MAC clients. -
00671500 Full Disk Encryption encrypts volumes and disks that are present, when the policy is first enforced. Volumes and disks that are added afterwards are not encrypted.
01048279 Installing the Mac client on a disk that was formatted as case sensitive (*using the format option "Mac OS Extended (Case-sensitive, Journaled)") is not supported.
00907767 One Check Logon (Single Sign-on) is not supported. When the user's password changes, the pre-boot password is not automatically updated.
00907778 The pre-boot background image, screen saver, and banner image cannot be customized.

If the Mac endpoint has a web proxy configured, the connection between the client and the management server will go through the proxy, even if the management server is added to the Proxy's exception list.

Workaround: Disable the proxy detection feature so that the client ignores proxy settings and contacts the proxy directly. To do this:

  1. On the client computer, open this file: /Users/Shared/CheckPoint/Endpoint\ Security/Common/cpda.plist
  2. Change:






  3. Restart the computer.
01028671 If more than one user uses the VPN blade with a Keychain certificate, the first user must reboot before a second user can connect to a VPN site. -
00922280 The Mac Endpoint Security client cannot be deployed from the E80.40 Endpoint Security Management server. See Building a Distribution Package in the Endpoint Sceurity E80.40 Administration Guide. -

Blades cannot added or removed from an installed client. To remove existing blades or add new ones: 

1. Uninstall the client.

2. Install a new client with the required blades.

Common Client settings are not supported.

00936507 When you deploy the client, instruct users that only one user can log onto the Mac. Multiple users are not supported. -
00671951 Macs with Apple Fusion drives are not supported by the Full Disk Encryption blade. If you attempt to install the Full Disk Encryption blade on such systems, installation will fail. -
00671876 User acquisition of Open Directory users is not supported. -
00913073 If you create an outbound firewall rule that blocks all http/https traffic, then you must create a specific rule that allows a connection to the management server. Without this specific rule, the client will not be able to receive policy updates. -
00934612 Do not use site objects in the firewall policy. Site objects are not supported. -
00937132 Compliance checks for OS version and OS updates are not supported. -
00937138 Run Custom File remediation is not supported. Only remediation messages. -
01345538 If Sophos Anti-Virus 9.0.3 is installed, and the administrator creates a rule to check if Sophos Anti-Virus is always running, the Compliance blade fails to detect it and reports that it is not running.
01345544 If TrendMicro Titanium v 3.0.1187 Anti-Virus is installed, and the administrator creates a rule that checks if TrendMicro Anti-Virus is always running, the Compliance blade does not detect it and reports that it is not running.
01345551 The Compliance blade does not recognize the McAfee Internet Security update version in an Anti-malware Compliance rule to check McAfee Anti-Virus oldest DAT file time stamp.
01345557 If McAfee Internet Security is installed, and the administrator creates an Antimalware Compliance rule to check if McAfee Anti-Virus is always running, the compliance blade fails to detect it and reports it as not running.
01345563 If Norton Anti-Virus v12 or Norton Internet Security v5 is installed, and the administrator creates a rule to check if Norton Anti-Virus is always running, the Compliance blade fails to detect it and reports that it is not running.
Active Directory
00871442 The maximum number of supported Directory Scanner Instances is 30. However, you can create more than 30 instances in the Endpoint Security Management Console. Do not try to create more than 30 instances.
00870664 Media Encryption recovery with WebRH on Internet Explorer does not work if WebRH is used on the same computer that has Media Encryption and Port Protection installed.


  • Use Google Chrome
  • Type the challenge manually and do not Copy and Paste.
  • Copy the challenge to Notepad and put all of the text on one line.
In SmartLog, the Table View  is not supported, Only the Grid View  is supported. -
This solution is about products that are no longer supported and it will not be updated

Give us Feedback
Please rate this document