Looking for a bug fix list for all versions of Endpoint Protector Client?
All bug fixes will automatically be added here!
2605.0 Updates
Netwrix Endpoint Protector Client Version 2605 — Release Notes (Now with Hotfix 1)
June 8, 2026
| Component | Description | Case | Escalation |
|---|---|---|---|
| Security | WolfSSL FIPS cryptographic library refreshed in Enforced Encryption — The WolfSSL FIPS-validated cryptographic library used by Enforced Encryption (EasyLock) has been updated to the latest version, incorporating the most recent security fixes and stability improvements. | 432075 | — |
| General | Improved version display in Windows Programs and Features — The EPP Client version displayed in Windows Programs and Features now correctly reflects the YYMM release version format (e.g., 2605). This improvement mitigates a Microsoft Windows limitation that previously caused only a shortened internal version value to appear, which could interfere with software inventory systems and automated deployment tools. | 432159 | CP: 121916 |
| General | Improved log handling for offline clients — Improved log handling for Windows EPP clients operating in offline mode to ensure logs are reliably queued and delivered once connectivity is restored. | 391391 | — |
| General | Collect reprovision.db in diagnostic bundles — The reprovision.db file is now included when collecting client diagnostic log bundles. |
416138 | — |
| General | EPP Notifier auto-start on Linux — Fixed the EPP Notifier not automatically starting or restarting following client installation or upgrade on Linux. | 407981 | 00455749 |
| General | Log transmission after Reporting V1 removal — Fixed log transmission issues following the removal of the legacy Reporting V1 component. | 417911, 418411 | 00470290 |
| General | Client logs not sent after agent crash or stop — Fixed client logs not being sent to the EPP server following an agent crash or service stop. | 424448 | — |
| General | Application crash with file tracing enabled — Fixed an application crash on Windows occurring when file tracing was enabled and recently accessed files were being tracked. | 420389 | — |
| General | Debug logs not collected on Windows — Fixed debug logs not being collected when requesting diagnostic information on Windows. | 421308 | — |
| General | BSOD caused by third-party sports tracking application — Fixed a blue screen of death (BSOD) on Windows occurring when a specific sports tracking application was in use alongside the EPP client. | 435052 | 00472250 |
| General | “Failed to save server configuration” during installation on macOS — Fixed a “Failed to save server configuration” error occurring during EPP client installation on macOS. | 408014 | 00457127 |
| General | Startup performance improvement on macOS — Fixed an unnecessary mountpoint retrieval for non-storage devices at startup, improving EPP client startup time on macOS. | 416040 | — |
| General | File shadow upload timing on macOS — Fixed an issue where file shadows were not uploaded immediately after the corresponding log was sent to the EPP server on macOS. | 426321 | 00473021 |
| General | Improved uninstall tamper protection on Linux — The EPP client now resists uninstallation via the system package manager when an uninstall password is configured, even for users with sudo access. Not supported on RHEL 8.x and Ubuntu 18.04. | 327442 | EPPSUPPORT-3081, CP: 118662 |
| General | Improved EPP client tamper protection on macOS — Improved the EPP client to resist unauthorized attempts to stop, unload, or disable the EPP daemon. Tampering attempts trigger Unplanned Client Termination events on the EPP server. | 319874 | — |
| General | Improved Tamper mode protection on Windows — Closed an attack vector that allowed EPP processes to be terminated by a local administrator using WMI/CIM-based commands, bypassing existing Tamper mode safeguards. | 437233 | — |
| General | Improved Tamper mode protection on Windows — Strengthened protection of EPP resources and folders by introducing ACL-based access restrictions, limiting the ability of local administrators to access or modify EPP-owned files and directories. | 438124 | — |
| General | Improved Tamper mode protection on macOS — Strengthened protection of EPP resources by introducing ACL-based permission restrictions, reducing the ability of local administrators to manipulate EPP-owned services and files. | 438144 | — |
| General | Improved Tamper mode protection on macOS — Prevented local administrators from disabling the EPP agent using the launchctl unload command, closing an attack vector that could leave endpoints unprotected. |
437234 | — |
| General | Fixed EPPservice.exe crash when loading a large dictionary file — EPPservice.exe could crash with an access violation inside EPPDlp.dll when the DLP engine attempted to load a large custom dictionary from file. The memory handling issue has been resolved. | 437988 | — |
| General | Fixed diagnostic logs not being collected via the Collect Diagnostics action — Triggering the Collect Diagnostics action from Device Control did not produce log files in the Diagnostic Data table. Log collection now completes successfully. | 438317 | — |
| General | Improved EPP installer validation on Windows ARM — Added a safeguard to prevent the x64 EPP Client installer from being applied on ARM-based Windows devices, avoiding potential instability or protection gaps caused by incompatible binaries. | 438769 | — |
| General | Improved Windows ARM client OS identification in server-side reporting — Windows ARM clients did not include an architecture suffix in the OS field reported to the EPP Server, making it impossible to distinguish Windows ARM from Windows x64 in server reports and logs. Windows ARM clients now report an arm64 suffix, consistent with the existing macOS ARM behavior. |
439072 | — |
| General | Fixed Client lockdown not applying device restrictions on macOS Sonoma — When a Client lockdown was triggered from the Dashboard System Status page, the lockdown did not correctly update device policies on endpoints running macOS Sonoma, leaving devices accessible instead of blocked. Device policy enforcement during lockdown now applies correctly on macOS Sonoma. | 319869 | — |
| DC | Fixed Client and Device lockdown not applying on macOS Sonoma — Fixed the Client and Device lockdown options in the EPP Server Dashboard not applying correctly on macOS Sonoma endpoints. When lockdown was triggered from the System Status panel, device rights were not updated on the client side as expected. | 319869 | — |
| DC | Improved USB remediation handling on Linux — Improved USB device remediation flow on Linux to ensure devices are properly accessible after remediation. | 383227 | 00442236 |
| DC | Axpert application error with file tracing — Fixed an application error occurring in Axpert on Windows when file tracing was enabled. | 423154 | 00473091 |
| DC | Improved audio device detection and classification — Improved detection and classification of audio devices in Device Control, ensuring consistent identification and enforcement across embedded, USB, and external audio devices. USB audio cards are now properly recognized and classified as either Audio Input or Audio Output devices. | 431905 | 00475101 |
| DC | False positive remediation popup for trusted devices — Fixed a false positive remediation popup being displayed when users accessed a trusted device where no policy violation was present. | 426313 | 00474528 |
| DC | Serial ATA Controller not blocked — Fixed the Serial ATA Controller not being blocked when a deny right was configured in the Device Control policy. | 424811 | 00473511 |
| DC | VMware user directories incorrectly flagged — Fixed VMware-related user directories being incorrectly flagged; commonly used VMware user directories are now automatically allowlisted. | 425241 | 00473475 |
| DC | Bluetooth keyboard and mouse disappear after upgrade — Fixed Bluetooth keyboard and mouse devices disappearing from the EPP Notifier on macOS after a client upgrade. | 415117 | — |
| DC | Huawei HarmonyOS tablet Bluetooth classification — Fixed a Huawei HarmonyOS tablet being incorrectly identified as “BT Others” instead of “BT Tablet” in Bluetooth device classification on macOS. | 348216 | — |
| DC | Device Control Offline Temporary Password on RHEL 9.x — Fixed Device Control Offline Temporary Password not working on RHEL 9.x. | 320094 | — |
| DC | “Apply policy to all storage devices” blocking internal storage on Linux — Fixed an issue where enabling “Apply policy to all storage devices” incorrectly blocked access to internal storage devices on Linux. | 425755 | 00473817 |
| DC | Improved CHCrypt virtual drive handling — Improved handling of CHCrypt virtual drives; the EPP client no longer generates false threat alerts for them. | 422435 | 00466821 |
| DC | Improved Advanced Printer and MTP Scanning compatibility on ARM64 Windows — The Advanced Printer and MTP Scanning feature did not function correctly on ARM64 Windows when interacting with x64 and x86 processes running under WoW64 emulation. Architecture-specific code paths have been updated to ensure correct behavior on ARM64 platforms. | 426297 | — |
| DC | Fixed internal webcam not detected by EPP on ARM64 Windows — The built-in webcam was not recognized as a connected device on ARM64 Windows endpoints, preventing Device Control policies from applying to it. Device detection has been corrected for the ARM64 platform. | 435603 | — |
| DC | Fixed GDI Print Hook scanning error when print driver output path is invalid — During printing, the GDI print hook could attempt to scan a file at a temporary path that no longer existed on disk, resulting in scan errors. The hook now validates the file path before initiating a scan. | 433789 | 00475104 |
| CAP | Fixed clipboard performance and paste blocking issues with large Excel data — Fixed severe performance degradation (freeze/delay) when copying large amounts of data from Excel, caused by unnecessary serialization of all OLE clipboard formats. Also fixed Excel clipboard paste not being blocked when a CAP policy issued a block response, allowing users to paste restricted data freely. | 435769 | 00474663 |
| CAP | Improved CAP user remediation for DPI text inspection events — User remediation prompts now apply to DPI text inspection detections, including chat messages on Microsoft Teams, Slack, Mattermost, and social media posts on Facebook and Instagram. | 396810 | — |
| CAP | Fixed missing “Download shadows” button in CAP reports on Linux — Fixed the “Download shadows” button not appearing in CAP reports after copying a file with sensitive content to a USB device on RHEL 8.9 and later. | 320098 | — |
| CAP | Fixed browser detection in CAP policies on macOS — Fixed an issue where CAP policies did not detect threats for certain browsers when only that browser was selected in the policy (e.g., Brave), and where the wrong browser was reported when all browsers were selected. | 319919 | — |
| CAP | Application execution blocking notifications persisting — Fixed notifications for application execution blocking continuing to be displayed after the associated policy had been removed. | 420589 | 00471491 |
| CAP | Israel ID not detected with custom regex — Fixed Israel ID not being detected when used in combination with a custom regex pattern. | 423972 | 00473449 |
| CAP | Improved Israel ID detection accuracy — Fixed company IDs (which always start with digit 5) being incorrectly matched as Israeli personal IDs. Detection now correctly validates only IDs starting with digits 0–3, which correspond to personal IDs under local regulation. | 410086 | CP: 119026 |
| CAP | Transfer limit not enforced on Linux — Fixed the transfer limit not being enforced on Linux endpoints. | 418925 | — |
| CAP | File copy events not generated on Linux — Fixed file copy events not being generated on Linux. | 419038 | — |
| CAP | Improved Zoho Workdrive detection — Improved detection and blocking of data exfiltration attempts through Zoho Workdrive. | 346957 | 00412517 |
| CAP | Amazon WorkDocs incorrectly blocked — Fixed Amazon WorkDocs being incorrectly blocked by the EPP client. | 319820 | — |
| CAP | Clipboard file shadow with multiple data chunks — Fixed a clipboard file shadow issue occurring when multiple data chunks had to be reported for a single event. | 320040 | — |
| CAP | MIME Type allowlist for large MSI files — Fixed the MIME Type allowlist for application/msi not being enforced for large MSI files. |
320074 | — |
| CAP | Adobe Reader print not content-aware — Fixed PDF files not being subject to content inspection when printing via Adobe Reader on Windows and macOS. | 418763, 418188 | — |
| CAP | Print screen CAP policy reports on macOS — Fixed print screen CAP policy reports not working as intended on macOS. | 320207 | — |
| CAP | Outlook Desktop false-positive detections on startup — Fixed Outlook Desktop incorrectly triggering false-positive content scans on legitimate emails with no sensitive data. | 425584 | — |
| CAP | Legacy Outlook .msg files triggering false positives — Fixed false-positive content scan triggers caused by legacy .msg files opened in Outlook when an older add-in was disabled. | 420358 | 00465962 |
| CAP | Microsoft Teams remediation — text not released — Fixed a Microsoft Teams remediation failure on macOS where text was not released after remediation. | 363480 | 00437632 |
| CAP | CAP threat logs delayed until subsequent event — Fixed CAP threat logs not being sent to the EPP server until a subsequent threat event was triggered. | 425688 | — |
| CAP | CAP alerts not sent for globally blocked URLs — Fixed CAP alerts not being generated for URLs blocked through global deny-lists. | 432634 | 00474205 |
| CAP | Google Drive uploads not blocked — Fixed Google Drive uploads not being blocked by the EPP client on Windows. | 419651 | 00456661 |
| CAP | Google Drive uploads not blocked on Linux — Fixed file uploads to Google Drive not being detected or blocked by the EPP client on Linux. | 327632 | — |
| CAP | Google Drive Desktop fails to start — Fixed an issue where Google Drive Desktop failed to start on Windows and macOS when unidentified files were actively monitored by a CAP policy. | 426170 | — |
| CAP | Gmail uploads not blocked — Fixed file uploads to Gmail not being blocked by CAP policies. | 418718 | 00460624 |
| CAP | GitHub false positives with text file inspection — Fixed false positives being triggered when browsing github with text file inspection active in a CAP policy. | 422203 | — |
| CAP | False positive file upload alert on GitHub sign-up page — Fixed a false positive block alert triggered when users typed their email address into the GitHub registration form while a CAP policy blocking uploads to GitHub was active. | 434684 | 00474490 |
| CAP | ChatGPT web telemetry false positives — Fixed false positive threat alerts triggered by ChatGPT web telemetry requests in the EPP client. | 432347 | — |
| CAP | Excel workbook print allowed until reload — Fixed threats added to an existing Excel workbook being allowed to print via browsers until the workbook was reloaded. | 347369 | 00415648 |
| CAP | CAP policies not applying on Ubuntu 24.04 — Fixed Content Aware Protection policies not applying correctly on Ubuntu 24.04 endpoints using the DLP FUSE kernel module. | 434685 | 00473806 |
| CAP | Autodesk Fusion files generating excessive false positive reports — Fixed Autodesk Fusion .f3z files triggering a large number of false positive scan reports. Because .f3z is ZIP-based, the EPP client was decompressing and individually scanning each file inside the archive; the fix prevents unnecessary deep scanning of Fusion archives. |
434433 | — |
| CAP | Embedded images scanned and reported twice — Fixed images embedded in Office documents being scanned and reported twice when OCR was enabled. | 422889 | — |
| CAP | OCR engine reporting temporary folder path — Fixed the OCR engine reporting a temporary folder path instead of the original document path for files with embedded images. | 422866 | — |
| CAP | OCR creating unnecessary temporary image files — Fixed the OCR engine sometimes creating unnecessary temporary image files and reporting an incorrect file path in the scan result. | 424842 | — |
| CAP | OCR language matching via BCP-47 tags — Fixed incorrect OCR language matching caused by BCP-47 language tags not being normalized to 2-character codes; this also resolves OCR detection not being applied during print blocking in CAP policies. | 425056 | — |
| CAP | Clipboard image shadowing crash — Fixed a crash caused by a debug assertion failure when clipboard shadowing was enabled during an image clipboard operation. | 422732 | — |
| CAP | Improved service stability during OCR scanning — Fixed a crash or freeze in the EPP daemon occurring after OCR content scanning, particularly when the service was stopped while a scan was in progress. | 320244 | — |
| CAP | Fixed file deletion on USB block on Linux — On Linux, when a CAP policy blocked access to a sensitive file opened directly from a USB storage device, the file was also deleted from the device. EPP Client now correctly blocks access without removing the file. | 415400 | 00456675 |
| CAP | Fixed excessive false positive source code reports in Office files — Fixed a CAP issue where enabling Extended Source Code detection caused a single Office file (such as .xls) to generate a large number of false positive reports across multiple source code types. The root cause was related to data being scanned in chunks, resulting in repeated detections for the same file. | 367770 | 00418887 |
| CAP | Fixed SBF file type not reliably identified — SBF files were not consistently recognized as the SBF file type, causing unreliable detection in Content Aware Protection policies. File type identification for SBF has been corrected. | 426543 | 00473674 |
| CAP | Fixed files not blocked when a matched word exists in multiple custom dictionaries with logical conditions — When a word appeared in more than one custom dictionary, the DLP engine reported it as a single concatenated threat type instead of individual dictionary matches. This caused logical policy conditions to evaluate incorrectly and allowed files through that should have been blocked. | 437734 | 00474838 |
| CAP | Fixed clipboard content remaining accessible on remote AnyDesk sessions after a CAP block — When a CAP clipboard block cleared the clipboard, AnyDesk did not propagate the empty clipboard to the remote machine, leaving sensitive content accessible on the remote side. After a block event, the clipboard is now set to a single space character, which AnyDesk detects as a change and syncs to the remote session. | 438599 | 00477984 |
| DPI | Fixed TLS fingerprinting causing connection rejections with DPI enabled — Fixed certain servers rejecting connections when EPP DPI was active due to TLS fingerprinting checks. Affected servers compared the ClientHello signature against known browser patterns and blocked connections that did not match; the fix aligns the DPI engine’s TLS handshake to prevent fingerprint-based rejections. | 435086 | 00476110 |
| DPI | Improved Git SSH connection control — EPP Client can intercept and inspect Git transfers over HTTPS but cannot decrypt SSH tunnel traffic. Administrators can now block Git from establishing SSH connections entirely, preventing data transfers over SSH-tunneled Git operations where content inspection is not possible. | 396409 | 00448358 |
| DPI | Improved MIME Type Allowlist enforcement with DPI — Improved enforcement of MIME Type Allowlist rules to correctly apply them when DPI is enabled. | 420955 | 00471267 |
| DPI | Figma web application loading failure — Fixed a DPI issue causing failures when loading the Figma web application. | 415431 | — |
| DPI | Jamf Trust VPN compatibility on macOS — Fixed a compatibility issue between the EPP client DPI engine and Jamf Trust VPN on macOS. When Jamf Trust VPN was active, traffic routed over IPv6 unique-local addresses was not being intercepted by the network extension. | 420732 | 00471407 |
| DPI | Network extension race condition on restart — Fixed a race condition and thread hang in the macOS network extension (sslsplit) during restart. | 418720 | 00466738 |
| DPI | Webcam not detected on macOS — Fixed macOS webcam devices not being detected by the EPP client. | 419105 | 00467192 |
| DPI | Chrome certificate path changed on Linux — Fixed an issue caused by a changed Chrome certificate path on Linux. | 425286 | 00473670 |
| DPI | TCP keepalive settings not propagated in sslsplit on Linux — Fixed SO_KEEPALIVE settings not being propagated to outbound sslsplit connections on Linux, which could cause long-lived proxied connections to be silently dropped. |
424977 | 00473817 |
| DPI | Fixed DPI causing website load failures and excessive SSLsplit connections on macOS — Enabling Deep Packet Inspection on macOS caused certain websites to fail to load or load very slowly, accompanied by an abnormally high number of concurrent SSLsplit connections (~10,000+). Connection handling has been corrected to prevent resource exhaustion. | 423981 | 00468494 |
| DPI | Fixed Chrome Translate triggering false positives for gzip files when DPI is enabled — When Chrome’s built-in translation feature was used on a webpage, EPP incorrectly flagged gzip file transfers as policy violations. The DPI engine now correctly handles gzip content generated by Chrome Translate. | 437698 | — |
| DPI | Fixed Google Photos uploads not blocked on Linux — Photo uploads to Google Photos via browser were not being blocked on Linux endpoints even when a CAP policy with browser exit points and graphic file types was active. Browser upload detection has been corrected for Linux. | 437861 | 00477061 |
| eD | Incorrect detection count with obfuscated data — Fixed an undercount in eDiscovery reports when Obfuscate Sensitive Data was enabled. When a file contained multiple distinct threats that produced identical obfuscated strings, only one log entry was sent instead of one per threat. | 415021 | 00466132 |
| eD | eDiscovery logs sent incorrectly — Fixed eDiscovery logs being sent incorrectly to the EPP server in certain conditions. | 409108 | — |
| EE | Fixed false CAP scan triggered by EasyLock USB on Linux — Fixed an issue where plugging in a USB device containing EasyLock on a Linux endpoint triggered a CAP content scan and reported threats, even though no file transfer had been initiated. | 341790 | — |
| EE | Metadata file creation error (EEXIST) — Fixed a metadata file creation error (EEXIST) in EasyLock on Windows when accessing certain USB storage devices. | 423187 | 00473036 |
| EE | Files cannot be copied to EasyLock on macOS — Fixed files not being copyable to EasyLock in certain usage scenarios on macOS. | 426398 | 00474381 |
| New Outlook Add-in | Improved content detection for Excel tables pasted into Outlook — Improved detection of sensitive content when copying tables from Microsoft Excel into an Outlook email body by correctly preserving cell delimiters. Only the validation.js file is affected. Recommended for customers observing missing EPP policy actions when pasting Excel tables into email. |
435952 | 00477245 |
Netwrix Endpoint Protector Client Version 2605 — Release Notes
May 19, 2026
| Component | Description | Case | Escalation |
|---|---|---|---|
| Security | WolfSSL FIPS cryptographic library refreshed in Enforced Encryption — The WolfSSL FIPS-validated cryptographic library used by Enforced Encryption (EasyLock) has been updated to the latest version, incorporating the most recent security fixes and stability improvements. | 432075 | — |
| General | Improved version display in Windows Programs and Features — The EPP Client version displayed in Windows Programs and Features now correctly reflects the YYMM release version format (e.g., 2605). This improvement mitigates a Microsoft Windows limitation that previously caused only a shortened internal version value to appear, which could interfere with software inventory systems and automated deployment tools. | 432159 | CP: 121916 |
| General | Improved log handling for offline clients — Improved log handling for Windows EPP clients operating in offline mode to ensure logs are reliably queued and delivered once connectivity is restored. | 391391 | — |
| General | Collect reprovision.db in diagnostic bundles — The reprovision.db file is now included when collecting client diagnostic log bundles. |
416138 | — |
| General | EPP Notifier auto-start on Linux — Fixed the EPP Notifier not automatically starting or restarting following client installation or upgrade on Linux. | 407981 | 00455749 |
| General | Log transmission after Reporting V1 removal — Fixed log transmission issues following the removal of the legacy Reporting V1 component. | 417911, 418411 | 00470290 |
| General | Client logs not sent after agent crash or stop — Fixed client logs not being sent to the EPP server following an agent crash or service stop. | 424448 | — |
| General | Application crash with file tracing enabled — Fixed an application crash on Windows occurring when file tracing was enabled and recently accessed files were being tracked. | 420389 | — |
| General | Debug logs not collected on Windows — Fixed debug logs not being collected when requesting diagnostic information on Windows. | 421308 | — |
| General | BSOD caused by third-party sports tracking application — Fixed a blue screen of death (BSOD) on Windows occurring when a specific sports tracking application was in use alongside the EPP client. | 435052 | 00472250 |
| General | “Failed to save server configuration” during installation on macOS — Fixed a “Failed to save server configuration” error occurring during EPP client installation on macOS. | 408014 | 00457127 |
| General | Startup performance improvement on macOS — Fixed an unnecessary mountpoint retrieval for non-storage devices at startup, improving EPP client startup time on macOS. | 416040 | — |
| General | File shadow upload timing on macOS — Fixed an issue where file shadows were not uploaded immediately after the corresponding log was sent to the EPP server on macOS. | 426321 | 00473021 |
| General | Improved uninstall tamper protection on Linux — The EPP client now resists uninstallation via the system package manager when an uninstall password is configured, even for users with sudo access. Not supported on RHEL 8.x and Ubuntu 18.04. | 327442 | EPPSUPPORT-3081, CP: 118662 |
| General | Improved EPP client tamper protection on macOS — Improved the EPP client to resist unauthorized attempts to stop, unload, or disable the EPP daemon. Tampering attempts trigger Unplanned Client Termination events on the EPP server. | 319874 | — |
| DC | Fixed Client and Device lockdown not applying on macOS Sonoma — Fixed the Client and Device lockdown options in the EPP Server Dashboard not applying correctly on macOS Sonoma endpoints. When lockdown was triggered from the System Status panel, device rights were not updated on the client side as expected. | 319869 | — |
| DC | Improved USB remediation handling on Linux — Improved USB device remediation flow on Linux to ensure devices are properly accessible after remediation. | 383227 | 00442236 |
| DC | Axpert application error with file tracing — Fixed an application error occurring in Axpert on Windows when file tracing was enabled. | 423154 | 00473091 |
| DC | Improved audio device detection and classification — Improved detection and classification of audio devices in Device Control, ensuring consistent identification and enforcement across embedded, USB, and external audio devices. USB audio cards are now properly recognized and classified as either Audio Input or Audio Output devices. | 431905 | 00475101 |
| DC | False positive remediation popup for trusted devices — Fixed a false positive remediation popup being displayed when users accessed a trusted device where no policy violation was present. | 426313 | 00474528 |
| DC | Serial ATA Controller not blocked — Fixed the Serial ATA Controller not being blocked when a deny right was configured in the Device Control policy. | 424811 | 00473511 |
| DC | VMware user directories incorrectly flagged — Fixed VMware-related user directories being incorrectly flagged; commonly used VMware user directories are now automatically allowlisted. | 425241 | 00473475 |
| DC | Bluetooth keyboard and mouse disappear after upgrade — Fixed Bluetooth keyboard and mouse devices disappearing from the EPP Notifier on macOS after a client upgrade. | 415117 | — |
| DC | Huawei HarmonyOS tablet Bluetooth classification — Fixed a Huawei HarmonyOS tablet being incorrectly identified as “BT Others” instead of “BT Tablet” in Bluetooth device classification on macOS. | 348216 | — |
| DC | Device Control Offline Temporary Password on RHEL 9.x — Fixed Device Control Offline Temporary Password not working on RHEL 9.x. | 320094 | — |
| DC | “Apply policy to all storage devices” blocking internal storage on Linux — Fixed an issue where enabling “Apply policy to all storage devices” incorrectly blocked access to internal storage devices on Linux. | 425755 | 00473817 |
| DC | Improved CHCrypt virtual drive handling — Improved handling of CHCrypt virtual drives; the EPP client no longer generates false threat alerts for them. | 422435 | 00466821 |
| CAP | Fixed clipboard performance and paste blocking issues with large Excel data — Fixed severe performance degradation (freeze/delay) when copying large amounts of data from Excel, caused by unnecessary serialization of all OLE clipboard formats. Also fixed Excel clipboard paste not being blocked when a CAP policy issued a block response, allowing users to paste restricted data freely. | 435769 | 00474663 |
| CAP | Improved CAP user remediation for DPI text inspection events — User remediation prompts now apply to DPI text inspection detections, including chat messages on Microsoft Teams, Slack, Mattermost, and social media posts on Facebook and Instagram. | 396810 | — |
| CAP | Fixed missing “Download shadows” button in CAP reports on Linux — Fixed the “Download shadows” button not appearing in CAP reports after copying a file with sensitive content to a USB device on RHEL 8.9 and later. | 320098 | — |
| CAP | Fixed browser detection in CAP policies on macOS — Fixed an issue where CAP policies did not detect threats for certain browsers when only that browser was selected in the policy (e.g., Brave), and where the wrong browser was reported when all browsers were selected. | 319919 | — |
| CAP | Application execution blocking notifications persisting — Fixed notifications for application execution blocking continuing to be displayed after the associated policy had been removed. | 420589 | 00471491 |
| CAP | Israel ID not detected with custom regex — Fixed Israel ID not being detected when used in combination with a custom regex pattern. | 423972 | 00473449 |
| CAP | Improved Israel ID detection accuracy — Fixed company IDs (which always start with digit 5) being incorrectly matched as Israeli personal IDs. Detection now correctly validates only IDs starting with digits 0–3, which correspond to personal IDs under local regulation. | 410086 | CP: 119026 |
| CAP | Transfer limit not enforced on Linux — Fixed the transfer limit not being enforced on Linux endpoints. | 418925 | — |
| CAP | File copy events not generated on Linux — Fixed file copy events not being generated on Linux. | 419038 | — |
| CAP | Improved Zoho Workdrive detection — Improved detection and blocking of data exfiltration attempts through Zoho Workdrive. | 346957 | 00412517 |
| CAP | Amazon WorkDocs incorrectly blocked — Fixed Amazon WorkDocs being incorrectly blocked by the EPP client. | 319820 | — |
| CAP | Clipboard file shadow with multiple data chunks — Fixed a clipboard file shadow issue occurring when multiple data chunks had to be reported for a single event. | 320040 | — |
| CAP | MIME Type allowlist for large MSI files — Fixed the MIME Type allowlist for application/msi not being enforced for large MSI files. |
320074 | — |
| CAP | Adobe Reader print not content-aware — Fixed PDF files not being subject to content inspection when printing via Adobe Reader on Windows and macOS. | 418763, 418188 | — |
| CAP | Print screen CAP policy reports on macOS — Fixed print screen CAP policy reports not working as intended on macOS. | 320207 | — |
| CAP | Outlook Desktop false-positive detections on startup — Fixed Outlook Desktop incorrectly triggering false-positive content scans on legitimate emails with no sensitive data. | 425584 | — |
| CAP | Legacy Outlook .msg files triggering false positives — Fixed false-positive content scan triggers caused by legacy .msg files opened in Outlook when an older add-in was disabled. | 420358 | 00465962 |
| CAP | Microsoft Teams remediation — text not released — Fixed a Microsoft Teams remediation failure on macOS where text was not released after remediation. | 363480 | 00437632 |
| CAP | CAP threat logs delayed until subsequent event — Fixed CAP threat logs not being sent to the EPP server until a subsequent threat event was triggered. | 425688 | — |
| CAP | CAP alerts not sent for globally blocked URLs — Fixed CAP alerts not being generated for URLs blocked through global deny-lists. | 432634 | 00474205 |
| CAP | Google Drive uploads not blocked — Fixed Google Drive uploads not being blocked by the EPP client on Windows. | 419651 | 00456661 |
| CAP | Google Drive uploads not blocked on Linux — Fixed file uploads to Google Drive not being detected or blocked by the EPP client on Linux. | 327632 | — |
| CAP | Google Drive Desktop fails to start — Fixed an issue where Google Drive Desktop failed to start on Windows and macOS when unidentified files were actively monitored by a CAP policy. | 426170 | — |
| CAP | Gmail uploads not blocked — Fixed file uploads to Gmail not being blocked by CAP policies. | 418718 | 00460624 |
| CAP | GitHub false positives with text file inspection — Fixed false positives being triggered when browsing github with text file inspection active in a CAP policy. | 422203 | — |
| CAP | False positive file upload alert on GitHub sign-up page — Fixed a false positive block alert triggered when users typed their email address into the GitHub registration form while a CAP policy blocking uploads to GitHub was active. | 434684 | 00474490 |
| CAP | ChatGPT web telemetry false positives — Fixed false positive threat alerts triggered by ChatGPT web telemetry requests in the EPP client. | 432347 | — |
| CAP | Excel workbook print allowed until reload — Fixed threats added to an existing Excel workbook being allowed to print via browsers until the workbook was reloaded. | 347369 | 00415648 |
| CAP | CAP policies not applying on Ubuntu 24.04 — Fixed Content Aware Protection policies not applying correctly on Ubuntu 24.04 endpoints using the DLP FUSE kernel module. | 434685 | 00473806 |
| CAP | Autodesk Fusion files generating excessive false positive reports — Fixed Autodesk Fusion .f3z files triggering a large number of false positive scan reports. Because .f3z is ZIP-based, the EPP client was decompressing and individually scanning each file inside the archive; the fix prevents unnecessary deep scanning of Fusion archives. |
434433 | — |
| CAP | Embedded images scanned and reported twice — Fixed images embedded in Office documents being scanned and reported twice when OCR was enabled. | 422889 | — |
| CAP | OCR engine reporting temporary folder path — Fixed the OCR engine reporting a temporary folder path instead of the original document path for files with embedded images. | 422866 | — |
| CAP | OCR creating unnecessary temporary image files — Fixed the OCR engine sometimes creating unnecessary temporary image files and reporting an incorrect file path in the scan result. | 424842 | — |
| CAP | OCR language matching via BCP-47 tags — Fixed incorrect OCR language matching caused by BCP-47 language tags not being normalized to 2-character codes; this also resolves OCR detection not being applied during print blocking in CAP policies. | 425056 | — |
| CAP | Clipboard image shadowing crash — Fixed a crash caused by a debug assertion failure when clipboard shadowing was enabled during an image clipboard operation. | 422732 | — |
| CAP | Improved service stability during OCR scanning — Fixed a crash or freeze in the EPP daemon occurring after OCR content scanning, particularly when the service was stopped while a scan was in progress. | 320244 | — |
| CAP | Fixed file deletion on USB block on Linux — On Linux, when a CAP policy blocked access to a sensitive file opened directly from a USB storage device, the file was also deleted from the device. EPP Client now correctly blocks access without removing the file. | 415400 | 00456675 |
| CAP | Fixed excessive false positive source code reports in Office files — Fixed a CAP issue where enabling Extended Source Code detection caused a single Office file (such as .xls) to generate a large number of false positive reports across multiple source code types. The root cause was related to data being scanned in chunks, resulting in repeated detections for the same file. | 367770 | 00418887 |
| DPI | Fixed TLS fingerprinting causing connection rejections with DPI enabled — Fixed certain servers rejecting connections when EPP DPI was active due to TLS fingerprinting checks. Affected servers compared the ClientHello signature against known browser patterns and blocked connections that did not match; the fix aligns the DPI engine’s TLS handshake to prevent fingerprint-based rejections. | 435086 | 00476110 |
| DPI | Improved Git SSH connection control — EPP Client can intercept and inspect Git transfers over HTTPS but cannot decrypt SSH tunnel traffic. Administrators can now block Git from establishing SSH connections entirely, preventing data transfers over SSH-tunneled Git operations where content inspection is not possible. | 396409 | 00448358 |
| DPI | Improved MIME Type Allowlist enforcement with DPI — Improved enforcement of MIME Type Allowlist rules to correctly apply them when DPI is enabled. | 420955 | 00471267 |
| DPI | Figma web application loading failure — Fixed a DPI issue causing failures when loading the Figma web application. | 415431 | — |
| DPI | Jamf Trust VPN compatibility on macOS — Fixed a compatibility issue between the EPP client DPI engine and Jamf Trust VPN on macOS. When Jamf Trust VPN was active, traffic routed over IPv6 unique-local addresses was not being intercepted by the network extension. | 420732 | 00471407 |
| DPI | Network extension race condition on restart — Fixed a race condition and thread hang in the macOS network extension (sslsplit) during restart. | 418720 | 00466738 |
| DPI | Webcam not detected on macOS — Fixed macOS webcam devices not being detected by the EPP client. | 419105 | 00467192 |
| DPI | Chrome certificate path changed on Linux — Fixed an issue caused by a changed Chrome certificate path on Linux. | 425286 | 00473670 |
| DPI | TCP keepalive settings not propagated in sslsplit on Linux — Fixed SO_KEEPALIVE settings not being propagated to outbound sslsplit connections on Linux, which could cause long-lived proxied connections to be silently dropped. |
424977 | 00473817 |
| eD | Incorrect detection count with obfuscated data — Fixed an undercount in eDiscovery reports when Obfuscate Sensitive Data was enabled. When a file contained multiple distinct threats that produced identical obfuscated strings, only one log entry was sent instead of one per threat. | 415021 | 00466132 |
| eD | eDiscovery logs sent incorrectly — Fixed eDiscovery logs being sent incorrectly to the EPP server in certain conditions. | 409108 | — |
| EE | Fixed false CAP scan triggered by EasyLock USB on Linux — Fixed an issue where plugging in a USB device containing EasyLock on a Linux endpoint triggered a CAP content scan and reported threats, even though no file transfer had been initiated. | 341790 | — |
| EE | Metadata file creation error (EEXIST) — Fixed a metadata file creation error (EEXIST) in EasyLock on Windows when accessing certain USB storage devices. | 423187 | 00473036 |
| EE | Files cannot be copied to EasyLock on macOS — Fixed files not being copyable to EasyLock in certain usage scenarios on macOS. | 426398 | 00474381 |
| New Outlook Add-in | Improved content detection for Excel tables pasted into Outlook — Improved detection of sensitive content when copying tables from Microsoft Excel into an Outlook email body by correctly preserving cell delimiters. Only the validation.js file is affected. Recommended for customers observing missing EPP policy actions when pasting Excel tables into email. |
435952 | 00477245 |
2602.0 Updates
Netwrix Endpoint Protector Client version 2602 Released (Now with Hotfix 1)
February 5, 2026
The following table contains a comprehensive list of updates and fixes introduced in this version:
| Component | Description | Case # | Escalation # |
|---|---|---|---|
| Security | Endpoint Protector Components Refreshed Upgraded components for Libmagic, OpenSSL | 398993, 400329, 405642 | |
| Security | **Executable renaming to reduce false positives **BrowserBroker.exe has been renamed to EppExtensionHost.exe to eliminate false positive virus detections (CVE: Win32:CVE-2019-0566-A) in the EPP client archive. The new name has been verified and no longer triggers alerts on VirusTotal. Note: Please update your antivirus exclusions to reflect the new executable names. | 408618 | 00463758, 00461324 |
| General | Enhanced tamper protection against forced uninstallation Strengthened tamper protection to prevent EPP Client uninstallation using third-party tools such as Revo Uninstaller and IOBit Uninstaller, even when uninstall password and tamper mode are enabled. Additional improvements were made to better handle uninstallation attempts when offline. | 320104 | |
| General | Improved IPv6 communication between EPP Client and Server Fixed an issue where the EPP Client installer did not accept IPv6 IP addresses and required DNS AAAA records instead. The EPP Client now supports binding to both IPv6 IP addresses and DNS records across all platforms. | 408636 | |
| DC | **Enhanced mobile device control on macOS **Mobile device blocking for iPhone and Android devices on macOS is now more reliable, ensuring devices are consistently restricted from mounting in Finder and other applications. This update simplifies configuration, improves consistency, and provides effective control without impacting device charging. | 407826 | 00460417 |
| DC | **Improved compatibility with Axpert application when File Tracing is enabled **Resolved an issue where enabling File Tracing caused the Axpert application to fail to open. Axpert now runs correctly with File Tracing enabled. | 408967 | 00456905 |
| DC | Audio device permission handling improvement on Windows Resolved an issue where manually disabled audio devices were automatically re-enabled by the agent when permission was set to Allow. Disabled devices now remain disabled as expected, and inactive states are no longer intercepted. | 409970 | 00460253 |
| DC | mproved detection and monitoring of HID devices in EPP Resolved an issue where devices with specific HID identifiers (e.g., HID_DEVICE_UPR:xxxxxx, PID: xxxxx, VID: xxxx) were recognized in Device Manager but not detected by Endpoint Protector, even when USB device access was restricted. These HID devices are now properly detected and monitored by EPP. | 413877 | 00433152 |
| CAP | **Improved OneDrive differentiation without DPI **EPP client can now distinguish between OneDrive Business and OneDrive Personal on macOS and Windows without relying on DPI. This update enables more precise monitoring, allows DPI to be disabled for OneDrive | 409112, 369333 | 00429530 |
| CAP | OCR text handling in EPP client logs Previously, OCR-extracted text from image files was logged in the EPP client log during debug mode, even when obfuscation was enabled. Logging of OCR text during hashing scans has now been suppressed to prevent potential exposure of confidential information. | 409223 | |
| CAP | OCR clipboard blocking reliability on macOS Corrected an issue where images containing sensitive content were not blocked when pasted into Teams, Slack, or email in monitored browsers on macOS, despite CAP clipboard restrictions and OCR being enabled. Images are now properly blocked and reported according to policy settings. | 320056, EPP-8651 | 00421283 |
| CAP | Web Dropbox file upload blocking behavior improvement Resolved an issue with web Dropbox where files containing confidential information, when blocked by CAP policy with DPI enabled, would remain in a syncing state and could not be canceled, ultimately being uploaded after about 90 seconds. The blocking process now properly prevents upload and allows users to cancel the transfer without needing to close the browser tab. | 320096, 409083 | |
| CAP | Improved CAP policy enforcement for special characters Resolved an issue where CAP policies failed to block strings containing special characters, such as Korean driving licenses, when using clipboard restrictions. These patterns are now correctly detected and blocked according to policy settings. | 345111 | 341233 |
| CAP | Clipboard monitoring performance improvement for Excel on Windows Resolved delays and interface freezes when performing copy/paste operations on large Excel files with clipboard monitoring enabled, ensuring smoother user experience. | 345857, 403888 | 00455431, 00435855, 340648, 00445881 |
| CAP | Improved compatibility with OneDrive on macOS under CAP policies Resolved an issue where OneDrive for macOS could fail to start if EPP client blocked access to certain configuration or database files due to CAP policy settings. OneDrive now starts reliably when CAP policies are applied. | 346410 | |
| CAP | Improved file shadow upload performance for Mac Mail and Printers Addressed delays where file shadows from Mac Mail app or printing actions took excessive time to upload to the server with DPI and file shadowing enabled. File shadows now upload promptly as expected. | 346488 | |
| CAP | Correct CAP policy enforcement for browsers with URL categories enabled and DPI disabled Resolved an issue where CAP policies did not block files in browsers when URL categories were enabled but DPI was disabled. Files are now correctly blocked as expected in this configuration. | 357464 | |
| CAP | Obfuscation of email subject in logs and UI Resolved an issue where email subjects containing confidential data were written in plain text in EPP client logs and displayed in the server UI, even with obfuscation enabled. Subjects are now properly obfuscated in both logs and UI across supported platforms. | 363919 | |
| CAP | Content Aware Report accuracy with Print Screen blocking policies Resolved an issue where print screen events blocked by CAP “Block Only” policies were still displayed in the Content Aware Report table. Events are now correctly excluded from reports as expected. | 399803, 409874 | |
| CAP | Correct application identification for cloud file uploads with DPI disabled Resolved an issue where uploads to Microsoft Teams were incorrectly detected as Outlook (Attachments) in Content Aware Reports when DPI was disabled. Reports now display the correct application as expected. | 399904 | |
| CAP | Improved CAP enforcement for blocking source code printing Resolved an issue where source code could still be printed from Notepad despite CAP policies configured to block such actions via printers. Printing of source code is now correctly blocked according to policy. | 403776 | 00429095 |
| CAP | Improved OCR detection of threats in images attached via Outlook on Windows10 Resolved an issue where threats in images sent as Outlook attachments were not detected or reported when OCR was enabled. Image threats are now properly identified and reported. | 403928 | 00451505 |
| CAP | Improved file remediation handling for AI chat uploads Resolved an issue where files sent via AI chat platforms such as Copilot and ChatGPT required multiple rounds of remediation due to being detected as different file types. Remediation now works as expected and files can be successfully sent after the first action. | 405948 | |
| CAP | Shadow icon accuracy in remediation logs without file tracing Resolved an issue on Mac and Linux where the shadow icon was missing from “Content Remediation Session Active” logs when CAP shadowing was enabled but file tracing was turned off. The shadow icon now appears correctly when files are found on disk during remediation. | 408907 | |
| CAP | **Improved CAP enforcement for Slack installed from Microsoft Store or msix package **Resolved an issue where file uploads in Slack installed via Microsoft Store or msix package were not monitored or blocked by CAP policies when DPI was disabled. Uploads are now correctly blocked and reported according to policy settings. | 408926 | |
| CAP | Resolved infinite print loop with Palo Alto Cortex and EPP Agent on macOS Fixed an issue where printing files flagged by a Report Only CAP policy resulted in an infinite print job loop when both Palo Alto Cortex and EPP Agent were installed on macOS. Printing now completes as expected without repeated restarts. | 408964 | |
| CAP | OCR scanning for image attachments in Outlook on macOS Resolved an issue where image files attached in Outlook were not OCR scanned and therefore not blocked according to policy. Image attachments are now properly scanned and blocked when containing threats. | 409464 | |
| CAP | Correct case-sensitive detection in custom denylist dictionaries Resolved an issue where case-sensitive custom dictionaries did not properly detect threats when words appeared in different capitalization formats. Files are now scanned and threats are reported accurately according to case sensitivity settings. | 409559 | 00462396 |
| CAP | Accurate application detection for paste restrictions in EPP Notifier Resolved an issue where paste restrictions incorrectly reported Outlook instead of Teams when the Teams application process was detected as msedgewebview2.exe. Paste actions are now accurately attributed to the correct application in logs. | 409573 | 00462638 |
| CAP | **Improved detection of image files in ZIP archives for CAP policies **Resolved an issue where image files within ZIP archives uploaded through web browsers were not detected or blocked when DPI and OCR were enabled, allowing policy bypass. CAP policies now properly inspect and enforce restrictions on images inside compressed archives. | 410071 | |
| CAP | Notification template handling for long or multi-byte policy names Resolved an issue where notification templates failed to display correctly if the CAP policy name exceeded the byte limit or contained multi-byte special characters. Notification templates now display as expected for policies with longer or special character names. | 410695 | 00463434 |
| CAP | Excess WebUpload Logs Generated for Specific Websites Resolved an issue where EPP generated excessive WebUpload logs when users accessed certain websites (e.g., geeksforgeeks.org, trendyol.com, shop.mango.com). This occurred because background site requests with text content were being reported as text file uploads. The new build includes additional conditions to automatically ignore scanning such requests on these websites, addressing the customer’s concern. | 366638 | 00419396 |
| CAP | Fixed: DC Transfer Limit Not Triggering on Linux Resolved an issue where enabling the DC transfer limit did not prevent additional file transfers once the limit was reached on Linux systems. CAP transfer limit continues to work as expected. | 418925 | |
| CAP | Fixed: Incorrect CAP Policy Report Creation for Print Screen Actions Resolved an issue where the “Report Only” CAP policy action failed to generate reports in the “Content Aware Reports” section, while the “Block Only” action was incorrectly creating reports. CAP policy report generation now works as intended: “Report Only” creates a report and “Block Only” does not. | 418757 | |
| DPI | Improved QUIC protocol management for Firefox on macOS QUIC protocol management for Firefox now works for installations in both the default location and user-specific Applications folders under /Users on macOS, covering more common usage scenarios. | 410476 | |
| DPI | Improved website compatibility with Stealthy DPI Connection handling in the Stealthy Deep Packet Inspection (DPI) connector has been improved to support successful loading of websites like https://sma.bobcard.co.in, resolving issues with connection failures caused by improper disconnect timing. | 411528 | |
| DPI | File hash and shadowing reporting for recently modified files Resolved an issue where file hashes and shadowing were not performed for files that had just been modified, due to timing between hash calculation and request scanning. Enhancements to scanning order now ensure that files correctly appear in Content Aware Reports with their hash and download shadows. Further improvements are planned to minimize such cases and optimize reliability. | 319819 | |
| DPI | Network connection stability improvements in DPI on macOS Addressed rare issues on macOS where network connections could be dropped or routed incorrectly when DPI was enabled, particularly under high system load or with many concurrent connections. Enhancements to connection list management and timing now ensure reliable downloads and accurate server routing. | 320037 | 00415587 |
| DPI | Correct file size reporting with DPI enabled for WhatsApp uploads Resolved an issue where file sizes and details were not accurately reported for files uploaded via WhatsApp when DPI was enabled. Reports now display correct file information and sizes as expected. | 345145 | |
| EE | Enforced Encryption deployment feedback improvement Previously, when attempting to deploy Enforced Encryption (EasyLock) on an EPP server with no EE client uploaded, users received a deployment notification but no feedback if installation failed. Now, the client displays a clear message if EasyLock cannot be deployed, improving user guidance in these scenarios. | 403653 | |
| EE | Immediate retrieval of Enforced Encryption settings on first ping Resolved an issue where the Enforced Encryption client received critical settings only after the second communication with the server. All relevant metadata is now updated promptly on the first ping across macOS and Windows EE. | 409484 |
The following versions may have limited or no support. Please see the