New Symantec Endpoint Maintenance Release – Minor update series for version 12.1.4013.8083 SEPM

The potential to leverage the remote access XXE vulnerability to attempt to exploit the local access SQL Injection issues increases the overall severity from a successful exploit of these issues. Symantec customers need to apply the available updates (12.1.4023.4080) as soon as possible.

Over the course of the next week we will be upgrading our clients using Symantec Endpoint protection to this newer version. For their benefit, we are listing the new and changes features in this release. We recommend all users of Symantec Endpoint upgrade their versions as soon as possible to address these issues (listed below). In addition to this Management/Client release they have also released an urgent patch to the management program, after applying this 12.1.4.4013 fix first, then the Management Security Fix.

  • Expanded operating system and browser support
    Supports Mac OS X 10.9 and Windows 8.1 / Server 2012 R2.  Supports the latest versions of Internet Explorer, Firefox, and Chrome.
  • Expanded and improved features for Endpoint Protection for Mac
    Improved remote deployment features for the client, including a standardized deployment package for use with third-party client management systems that supports unattended, logged out, and silent deployment.
  • Intrusion prevention for Mac client computers.  LiveUpdate 6 for Mac, which does not require Java and can run with no user logged in.  Content for Mac from Symantec Endpoint Protection Manager (SEPM)  Other improvements including improved scheduled scan options, user interface improvements, and language support
  • Faster alerting and notification for priority events  SEP 12.1.4 Windows clients can quickly send priority events to SEPM without waiting for the next heartbeat. You can create notifications without a damper for critical events. Priority events include malware detections and IPS alerts.

New fixes in this release

  • A detected threat does not have a corresponding entry in the risk log.  Symptom: You see the pop-up warning, “Threats were detected while you were logged out,” but the risk log does not display a corresponding entry.
  • System hangs after reboot on Windows XP Embedded SP3.  Symptom: After you install Symantec Endpoint Protection client on a Windows XP Embedded device on which PCAnywhere and specific video adapters are also installed, a crash in the video memory occurs.
  • Scan Logs do not display updated scan status.  Symptom: Administrator-defined scheduled scans do not update the scan status of Symantec Endpoint Protection Manager scan logs if you suspend then complete the scan.
  • Microsoft Outlook 2010 freezes.  Symptom: If you install Symantec Endpoint Protection Microsoft Outlook plug-in along with McAfee DLP software, Microsoft Outlook 2010 appears to hang or become unresponsive when you open or add an attachment.
  • Cannot generate quick risk reports  Symptom: When you try to generate quick risk reports, PHP errors and warnings display. You also see many PHP-related errors in the reporting logs.
  • Some detection counts do not display correctly in reports.  Symptom: The distribution bar under the “Risk Detection Counts and Detection by Computer” report shows one color, instead of the expected multiple colors for different infection types.
  • Application and Device Control exception is not working correctly.  Symptom:An Application and Device Control folder control exception does not work correctly with an absolute path, such as “C:\TEST”.
  • Management Server Configuration Wizard encounters Unexpected Server Error  Symptom: An Unexpected Server Error occurs after you run the Management Server Configuration Wizard.
  • When both the Symantec Endpoint Protection client and management server are installed, Windows Server Backup utility cannot complete a volume shadow copy  Symptom: When you install both Symantec Endpoint Protection client and Symantec Endpoint Protection Manager 12.1.x on the same computer, the \System Volume Information\EfaData\ folder grows large in size. This growth causes a lack of available free space for the Windows Server Backup Utility to create a volume shadow copy.
  • Scheduled scan report fails to abide by an OS filter  Symptom: When you schedule a Scan Report based on an OS filter, it instead returns every OS.
  • Symantec Endpoint Protection installation results in warning messages in logs  Symptom: Warning messages, such as Event ID 28, appear in the logs when you install the Symantec Endpoint Protection to a physical Windows Server 2008 R2 with Hyper-V.
  • Unable to remove the “Delete from Quarantine” option Symptom: After you uncheck the “Delete from Quarantine” command option for Limited Admins, this option still appears on the dropdown menu as a possible Action. The only way to remove “Delete from Quarantine” from the dropdown menu is to also remove other features, such as “Enable Download Insight.”
  • Download Protection Content reports as “Not Available” after a restart Symptom: After a client restarts, the initial heartbeat reports that Download Protection is “Not available.” As a result, a notification for “Download Protection out of date” triggers from Symantec Endpoint Protection Manager. Subsequent heartbeats report correctly.
  • Too many active connections from the Group Update Provider (GUP) to Symantec Endpoint Protection Manager Symptom: The Group Update Provider (GUP) computer keeps more than 200 connections open to Symantec Endpoint Protection Manager.
  • Client reports Firewall Status as “Disabled” Symptom: If you disable or withdraw the firewall policy from a client group, the clients display as “Disabled” on the Symantec Endpoint Protection Manager Home tab, under Endpoint Status. Clicking on the Endpoint Status chart shows the Firewall Status as “Disabled.” The Firewall Status should only display as “Disabled” if the end user disables the firewall.
  • Lotus Notes 7.0.3 terminates unexpectedly Symptom: Lotus Notes 7.0.3 terminates unexpectedly when you attempt to open an attachment.
  • Some clients do not honor the restart after using the Client Deployment Wizard Symptom: When you use the Client Deployment Wizard to install a package that includes Application and Device Control, Symantec Endpoint Protection clients do not honor the reboot command provided in Client Install Settings.
  • Clients move to the wrong group if group name has a space in it Symptom: If you copy a group name containing a space from the details tab of one Symantec Endpoint Protection Manager and paste that group name into a new group on another Symantec Endpoint Protection Manager, then the clients end up in an incorrect group. If you copy the same group name containing a space from Windows Notepad, then the clients end up in the correct group.
  • Scan time is shown incorrectly Symptom: If you click Home > View Details > Scan Failures, the last scan time displayed is incorrect.
  • Teefer does not see outbound traffic on Windows XP Symptom: On Windows XP SP3, Teefer does not see the outbound traffic for QoS Packet Scheduler (PSched).
  • Lotus Notes terminates unexpectedly during start-up. Symptom: Lotus Notes terminates unexpectedly during start-up when it attempts to load the Notes Auto-Protect plugin (nlnhook.exe).
  • Windows Hypervisor stops responding. Symptom: Windows Server 2012 Hypervisor servers stop responding after you install Symantec Endpoint Protection 12.1.2 (12.1 RU2).
  • Juniper Network Agent Virtual Adapter missing from VPN classification Symptom: Juniper Network Agent Virtual Adapter (Juniper Junos Pulse client) does not appear within the “Any VPN” classification in the firewall rules.
  • Windows Server 2008 R2 is not identified correctly in Symantec Endpoint Protection Manager Symptom: Symantec Endpoint Protection Manager shows an incorrect operating system name for Windows Server 2008 R2 computers in the client inventory report and client properties dialog.
  • Cannot generate risk report Symptom: When you create a risk report for “Action List” or “Infected and At Risk Computers”, the query fails.
  • Log file size grows to be very large. Symptom: Log messages continue to write to scm-ui.log, even after the user logs out of the console. As a result, the log file grows very large.
  • Windows OXP 64 bit is listed incorrectly. Symptom: If you click Monitors > Logs > Computer Status > View Log, Windows Server 2003 clients incorrectly display as Windows XP 64-bit.
  • GFValidate.exe application error 1000. Symptom: When Symantec Endpoint Protection Management server is running, you see program errors or crashes when ThreatCon contains an invalid certificate.
  • Windows client incorrectly becomes a Group Update Provider (GUP) after an upgrade. Symptom: After you upgrade a Windows XP computer to Symantec Endpoint Protection 12.1.2, the computer becomes a GUP even though it was not designated as one.
  • Management Server Configuration Wizard displays an error when using a non-default path for the database data folder. Symptom: When you designate a new database using a non-default data folder, such as on drive D:, the Management Server Configuration Wizard displays an error about the database data folder, because it is incorrectly looking for the default path on C:.
  • Cannot add applications to Exception policy. Symptom: You try to add detected applications to existing Exception policies, but those policies do not display in the Monitors tab.
  • Discrepancy in the Endpoint Status report. Symptom: The information displayed on the Home tab under Endpoint Status is different from the information displayed when you click the chart for details.
  • An unexpected database error occurs. Symptom: An unexpected database error occurs when you log on the Web Services Application Registration page.
  • Client upgrade rolls back Symptom: At the end of the upgrade to Symantec Endpoint Protection 12.1.2 on a computer with a custom Windows system root directory, the installation rolls back to the previous version.
  • BIOS serial number not stored Symptom: The Symantec Endpoint Protection client sends the BIOS serial number when it connects to the Symantec Endpoint Protection Manager. You can see this information in the scm-server-*.log, but it is not stored within the Symantec Endpoint Protection Manager.
  • Symantec Endpoint Protection Internet email Auto-Protect prevents POP3 email from being sent or received. Symptom: When you check email with a client program that uses the service session (session 0), sending or receiving email experiences delays if you install Symantec Endpoint Protection Internet email Auto-Protect.
  • Unable to copy from USB. Symptom: After you upgrade Windows Vista to Symantec Endpoint Protection 12.1.2, you are unable to read files from a USB device, even though the Application and Device Control policy only prohibits writing to a USB device.
  • Server crashes with BugCheck 8E. Symptom: A Symantec Endpoint Protection client installed to a server operating system crashes with BugCheck 8E {c0000005, f723fac3, abb89930, 0}. The crash log contains a reference to SRTSP.sys.
  • LiveUpdate fails to process content on Symantec Endpoint Protection Manager. Symptom: The LiveUpdate client runs successfully and downloads the content on Symantec Endpoint Protection Manager 12.1.2 (RU2), but fails during the post-processing of the content.
  • EFS encrypted files are damaged. Symptom: After a content download triggers a Defwatch scan, EFS encrypted files become corrupted.
  • Weekly deadlocks occur on Symantec Endpoint Protection Manager database. Symptom: The server logs indicate weekly deadlocks on the Microsoft SQL Server database used by Symantec Endpoint Protection Manager. These deadlocks place an excessive load on the database server.
  • USB data stick removal results in BugCheck 7E error. Symptom: When you remove a USB memory stick, the computer crashes with error code 0X0000007E (BugCheck 7E).
  • Servers are slow or unresponsive. Symptom: After you install the Symantec Endpoint Protection client without Network Threat Protection, the file share server appears to be offline, or becomes extremely slow and unresponsive.
  • Connectivity issues with 3G connection. Symptom: When you try to connect to the internet with a 3G NIC, the Symantec Endpoint Protection firewall component detects a problem and blocks the connection.
  • Wired 802.1x connection attempt results in BugCheck 50 referencing Teefer. Symptom: When attempting to connect using wired 802.1x authentication, the computer crashes with BugCheck 50. The blue screen message references teefer.sys.
  • LiveUpdate does not update Symantec Endpoint Protection client. Symptom: The Symantec Endpoint Protection client downloads but cannot update definitions with LiveUpdate. Content updates from the Symantec Endpoint Protection Manager occur as expected.
  • Enabling Windows Driver Verifier on Teefer2 results in BugCheck 139 Symptom: You install Symantec Endpoint Protection, enable the Windows Driver Verifier for Teefer2, and reboot. An attempt at a network connection causes the computer to crash with BugCheck 139.
  • Cluster is unable to fail over with AutoProtect enable. Symptom:  With AutoProtect enabled, an active cluster node cannot fail over and hangs.
  • Some Intrusion Prevention exclusions do not work Symptom: After you create an Intrusion Prevention (IPS) policy exclusion to keep an application from being blocked, Intrusion Prevention continues to block the application.
  • Download Protection reports as malfunctioning . Symptom: Client computers always report Download Protection as malfunctioning on the first heartbeat after the Symantec Management Client (SMC) service is started. This issue occurs because the heartbeat reports the status before this component fully initializes.
  • Persistent “unexpected server error” notification. Symptom: You receive System Event Notification emails multiple times a day reporting an unexpected server error. The Symantec Endpoint Protection server logs display the message, “This is not a valid IP address.”
  • “Unexpected server error” appears in server logs. Symptom: For the Symantec Endpoint Protection Manager, the server name is different than the host name. The Symantec Endpoint Protection Manager’s server logs display repeated errors by ScheduledReportingTask about an UnknownHostException. You do not receive email notifications or scheduled reports.
  • “Unexpected server error [0x10010000]” when deleting a Symantec Endpoint Protection Manager administrator. Symptom: When you try to delete an administrator account in Symantec Endpoint Protection Manager but opt to retain the existing reports, the message “Unexpected server error [0x10010000]” appears and the administrator account remains.
  • The policy serial number unexpectedly updates at midnight Symptom: You notice that the policy serial number updated at midnight, but you did not update a policy at that time, only earlier in the day.
  • Some errors in reporting logs related to risk reporting Symptom: There are PHP errors and warnings in the reporting log. The pie charts on the Monitors tab contain no information, and you encounter a fatal error when you click Reports > Quick Reports.
  • Auto-refresh value reverts for Command Status Symptom: The Auto-refresh value you configure under Monitors > Command Status reverts to the previous value.
  • Scheduled or On-Demand scans fill backup cache disks Symptom: You observe that on a computer using a third-party backup program, a scheduled or on-demand scan unexpectedly fills the backup cache disk.
  • SMC service crashing Symptom: The Symantec Management Client (SMC) service crashes on client computers that are Group Update Providers (GUPs).
  • Accelerated heartbeat after clients fails to register with Symantec Endpoint Protection Manager Symptom:  When Symantec Endpoint Protection Manager returns a registration failure with code 412, the client triggers another registration in five seconds. This behavior results in performance degradation on Symantec Endpoint Protection Manager.
  • Installation of Symantec Endpoint Protection causes BugCheck 8e Symptom: After the installation of Symantec Endpoint Protection, the computer crashes with BugCheck 8e. A triggered Auto-Protect scan appears to be the cause.
Advertisements

Symantec Confirms Norton AV Source Code Exposed

An unidentified hacker, going by the handle YamaTough, appears to have source code for the 2006 version of Symantec’s Norton antivirus product.

Symantec’s response has been the following:

“Symantec can confirm that a segment of its source code has been accessed.  Symantec’s own network was not breached, but rather that of a third party entity.”

“We are still gathering information on the details and are not in a position to provide specifics on the third party involved.”

“Presently, we have no indication that the code disclosure impacts the functionality or security of Symantec’s solutions.  Furthermore, there are no indications that customer information has been impacted or exposed at this time.”

“However, Symantec is working to develop remediation process to ensure long-term protection for our customers’ information.  We will communicate that process once the steps have been finalized.”

“Given the early stages of the investigation, we have no further details to disclose at this time but will provide updates as we confirm additional facts.”

Though the code is for an older version of the Norton antivirus product, the impact of the exposure is still as of yet undetermined, and several questions remain:

• As the file provided to Symantec was merely a sample of the material YamTough claimed to be in possession of, does that mean that code for more recent editions have not been compromised as well?

• What was the “third party” – presumably some entity related to the Indian government – doing in possession of the source code for the Symantec product?

• How much information would source code from 2006 provide to malware authors assuming that the entire product has not been reinvented from scratch since the time this code was produced?

Stay tuned for more as this story develops into what could be one of the biggest data loss events of 2012, and just less than one week into the new year.

“Nitro” spear-phishers

Symantec has revealed that at least 50 companies, many of them in the defense and chemical industries, have been attacked in a spear-phishing attack aimed at stealing research and development data. The “Nitro” attacks, as Symantec called them, started in late July, and lasted through September, according to a Symantec report. But the infrastructure used for command and control and other aspects of the attacks were used in another, earlier wave dating at least back to April, which was focused on human rights groups.

There is no known connection to the phishing attacks on RSA earlier this year. And it remains unclear whether the attacks were made by a single individual or group, though it appears the attack came from China. Analysts traced the attack back to a $32-a-month virtual private server in the US, owned by a “20-something male located in the Hebei region of China,” and found traffic being sent back to the network from 52 different organizations in 20 countries, 12 of them based in the US.

Spear phishing is a form of e-mail based attack that is carefully tailored to individuals at the target organization, usually disguised as a file-attachment that appears to be from someone the individual knows. In the Nitro attacks, the attackers used several approaches, but relied largely on two types of phishing: posing as a known business partner and sending what appeared to be a meeting invitations, or hitting a larger number of targets with an email “purporting to be a security update,” according to Symantec’s Eric Chien and Gavin O’Gorman. The attacks included executable files that were disguised as text files, or as password-protected archives. In both cases, the file would execute when opened, installing a program called PoisonIvy—a backdoor developed by a “Chinese speaker,” according to the Symantec report.

The backdoor then sent back the IP address of the infected computer, the names of other computers visible in the Windows workgroup the computer was in, and Windows cached password hashes. This allowed the hackers to remotely control the system, possibly even downloading additional tools to attack from within the network, and infect other computers in an attempt to gain administrative credentials and access to servers containing sensitive data.

‘Stuxnet-Like’ Virus making the rounds

Security researchers on Tuesday issued a warning about a virus, dubbed Duqu, that’s similar in nature to the Stuxnet worm that targeted Iranian critical infrastructure last year.

International researchers alerted Symantec about Duqu last week and Symantec found that “parts of Duqu are nearly identical to Stuxnet, but with a completely different purpose”—information gathering rather than system sabotage.

Duqu’s purpose is to gather intelligence data and assets from entities, such as industrial control system manufacturers. The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility.

According to our security alerts, Duqu is a “precursor to a future Stuxnet-like attack” and was authored by the same people as Stuxnet, or at least by those who had access to Stuxnet source code.

At this point, however, Duqu does not appear to contain any code that singles out any particular industrial control system (ICS); it’s primarily a remote access Trojan (RAT). It appears as though the perpetrators are targeting a limited number of organizations, but it’s possible that other attacks are being conducted against other organizations in a similar manner with currently undetected variants.

The fact that Duqu creators have the Stuxnet source code is troubling. Stuxnet source code is not out there. Only the original authors have it.

Symantec Endpoint Protection 11.0.6 MP3 released

If you have an active subscription for Symantec Endoint Protection, you should download and install the latest version. Endpoint Protection is a corporate version of Symantec’s antivirus product. If you are one of our regularly scheduled maintenance plan clients, this update will be installed for you automatically. If you are not on our regular schedule and would like help pushing out your update or you need to consider this product for your group, please contact us at Support@scbenterprises.net

-Chris Bolcik