SYM12-017 Symantec Legacy Decomposer CAB File Issues

Article:TECH199470  |  Created: 2012-11-07  |  Updated: 2013-06-19  |  Article URL http://www.symantec.com/docs/TECH199470
Article Type: Technical Solution


Issue



You use Symantec Endpoint Protection and would like more information about the SYM12-017 Symantec Legacy Decomposer CAB File Issue vulnerability.


Solution



A vulnerability has been identified in the Symantec Decomposer component that is used to decompose some types of archive content while scanning for malicious content.  For additional information on the SYM12-017 vulnerability, read the Symantec Security Response SYM12-017 Security Advisory.

 

Mitigation

There are several possible ways to remove the SYM12-017 vulnerability in Symantec Endpoint Protection (SEP); each is described in its own section below.

As an alternative, there is one workaround that, while not removing the vulnerability completely, will lessen the exposure (see "Disable scanning of compressed files" below).

Note: Excluding the .cab file extension does not fully mitigate the issue. Use one of the options described below to mitigate this issue.

Symantec AntiVirus (SAV) 10.x clients are also affected by this vulnerability. SAV 10.x has officially reached end of life and is no longer supported. However, if you are still using SAV 10.x and wish to mitigate this vulnerability, you can use the manual mitigation options listed below or upgrade to a current version of Symantec Endpoint Protection.

 

Upgrade to the latest build of Symantec Endpoint Protection

All versions of Symantec Endpoint Protection 12.1 are unaffected. To obtain the latest release, read the document Best practices for upgrading to the latest version of Symantec Endpoint Protection 12.1.x.

 

Download the latest Decomposer through LiveUpdate

Symantec has made updated Decomposer files available for SEP 11.x and 12.0.x clients through LiveUpdate. This update can be obtained by running LiveUpdate on clients, or by distribution from updated Symantec Endpoint Protection Managers or Group Update Providers. For more information, read the document About the LiveUpdate patch for Symantec Advisory SYM-12-017.

 

Upgrade the Decomposer component using the Symantec Decomposer Update Tool 

The Symantec Decomposer Update Tool mitigates the problem on clients with Symantec Endpoint Protection 11.0 RU5 and later versions.

About the Decomposer Update Tool

Symantec has created a tool to update the decomposer engine for Symantec Endpoint Protection 11.x clients running 11.0 RU5 and above. This tool updates the client to Decomposer 1.2.8.

The tool is available for download from the attachments section of this article in a zipped format. Unzip the utility before using it.

Filename: SYM12_017_Fixtool.exe

MD5: C7C85E8A44BC16C030F026799900F434

 

Installation requirements

The tool must be run with Administrator or System account privileges on each endpoint.

If the "Protect files and registry keys" setting in SEP Application and Device Control has been enabled, the tool will fail to apply. Create an exception for SYM12_017_Fixtool.exe before deploying or installing the tool.

Note: SEP 11.0 releases prior to RU5 are not supported by the SYM12_017_Fixtool.exe tool. SEP 12.0 is also not supported by this tool. SEP 12.1.x products have a newer version of Decomposer and are not affected by this vulnerability.

 

Command line options

The following command line option is available for the tool:


Option    Effect

/l        Appends to or creates the log file SYM2012_017_Fixtool.log in the user temp folder (%temp%)

 

Functionality

  • The tool accesses the Windows Registry to determine the version of Symantec Endpoint Protection and the location of the Decomposer engine.

  • The tool stops the services that depend on the Decomposer files, so that the files are not held open or otherwise locked. Any services that depend on those services are also stopped.

  • The tool replaces the existing Decomposer files with the new files.

  • If the tool is unable to replace the files due to a file lock, the files will be replaced upon reboot.

  • The tool restarts any services that were stopped.

  • If the /l option is enabled, the tool creates the logfile SYM12_017_Fixtool.log in the user temp variable (%temp%) folder.

 

The tool replaces the following files:

  • Dec_ABI.dll

  • Dec3.cfg

The tool will update Dec_ABI.dll (located in C:\Program Files (x86)\Common Files\Symantec Shared) to version 1.2.8.4.

 

There are five possible return codes:

  • 0 SUCCESS: update successful
  • 1 SUCCESS_REBOOT: the .dll was patched, but a service restart is required
  • 2 FAILED: update failed
  • 3 FAILED_REBOOT: unable to patch the .dll; a reboot is required to complete
  • 4 NOT_APPLICABLE: the patch is not applicable to this system (it is already patched or the version of SEP is unsupported)

If a reboot is required, a registry value DecUpdateRebootRequired with value data of 0 will be added in the following Registry location:
HKEY_LOCAL_MACHINE\Software\Symantec\Symantec Endpoint Protection\SMC\Patch

 

Disable scanning of potentially vulnerable files manually


This method manually prevents the Decomposer engine from scanning files that may cause the problem.

  1. In Windows Explorer, open the Symantec Endpoint Protection installation folder. The location of this folder varies by product and operating system.
  2. Create a backup copy of the Dec3.cfg file.
  3. In an ASCII text editor such as Notepad, open the file Dec3.cfg.
  4. Find the following line:
    Dec2CAB.dll
  5. Delete the Dec2CAB.dll line and the line that immediately follows.
  6. Count the number of .dll files that are listed after removing the Dec2CAB.dll line. On the fifth line of the file, replace the existing number with the new number of .dll files.
  7. Close and save the Dec3.cfg file.
  8. Restart the Symantec Endpoint Protection service.

 

This procedure disables Dec2CAB.dll. Once that module is disabled, Symantec Endpoint Protection is no longer vulnerable.

Example: The following is the contents of the Dec3.cfg file before and after the manual alteration. The lines that differ are the .dll count on the fifth line (16 before, 15 after) and the Dec2CAB.dll line together with the line that follows it (4), which are removed.

Before alteration

    .
    1000000
    16384
    500000
    16
    Dec2ID.dll
    10
    Dec2ZIP.dll
    24
    Dec2SS.dll
    18
    Dec2GZIP.dll
    7
    Dec2CAB.dll
    4
    Dec2LHA.dll
    12
    Dec2ARJ.dll
    3
    Dec2TNEF.dll
    22
    Dec2LZ.dll
    14
    Dec2AMG.dll
    1
    Dec2RAR.dll
    19
    Dec2TAR.dll
    21
    Dec2ACE.dll
    30
    Dec2RTF.dll
    20
    Dec2Text.dll
    33
    Dec2Pdf.dll
    31

    [Options]
    EnableMIMEEngine=1
    EnableUUEEngine=1
    EnableBinHexEngine=1
    EnableMBOXEngine=1
    MIMEFuzzyMainHeader=0
    NonMIMEThreshold=100000
    NonUUEThreshold=1024
    MaxCompressedEXESize=5000000
    MaxTextScanBytes=8192
    EnhancedTextID=0

After alteration

    .
    1000000
    16384
    500000
    15
    Dec2ID.dll
    10
    Dec2ZIP.dll
    24
    Dec2SS.dll
    18
    Dec2GZIP.dll
    7
    Dec2LHA.dll
    12
    Dec2ARJ.dll
    3
    Dec2TNEF.dll
    22
    Dec2LZ.dll
    14
    Dec2AMG.dll
    1
    Dec2RAR.dll
    19
    Dec2TAR.dll
    21
    Dec2ACE.dll
    30
    Dec2RTF.dll
    20
    Dec2Text.dll
    33
    Dec2Pdf.dll
    31

    [Options]
    EnableMIMEEngine=1
    EnableUUEEngine=1
    EnableBinHexEngine=1
    EnableMBOXEngine=1
    MIMEFuzzyMainHeader=0
    NonMIMEThreshold=100000
    NonUUEThreshold=1024
    MaxCompressedEXESize=5000000
    MaxTextScanBytes=8192
    EnhancedTextID=0


The fix can be delivered using a third-party tool by copying the Dec3.cfg file from a manually-repaired computer and deploying it to other endpoints. The Dec3.cfg file differs between versions, so clients must receive a Dec3.cfg file from a client in the same group of versions:

  • SEP 11.0 through SEP 11.0 MR4 MP2

  • SEP 11.0 RU5 or greater

  • SEP 12.0

  • SEP 12.0 RU1

For example, a SEP 11.0 MR1 client can use a Dec3.cfg file from SEP 11.0 MR3, but not from SEP 11.0 RU6 or SEP 12.0, while a SEP 12.0 RU1 client can only use a Dec3.cfg file from another SEP 12.0 RU1 client.

On Windows 7, Windows Vista and Windows 2008, User Account Control may block manual editing of this file. Depending on settings, administrators may need to open Windows Explorer using "Run As Administrator" in order to edit the file. Any scripts must be run with Administrator privileges.
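The manual Dec3.cfg edit above, as an added Python example rather than Symantec's tool or any script from the article: it removes the Dec2CAB.dll line and the line after it, recounts the remaining .dll entries to rewrite the fifth line, backs the file up first, and is safe to re-run on an already-edited client. The function names, the .cfg.bak backup suffix and the abbreviated sample file are this example's own assumptions; the file layout follows the article's example.

```python
# Added example, not Symantec's tool: applies the manual Dec3.cfg edit from
# the steps above. Assumes the article's layout: four header lines, a fifth
# line with the .dll count, "<name>.dll"/"<number>" pairs, then [Options].
import shutil
from pathlib import Path

COUNT_LINE = 4  # zero-based index of the fifth line (the .dll count)

def disable_module(text: str, module: str = "Dec2CAB.dll") -> str:
    """Remove `module` and the line after it (step 5) and set the fifth
    line to the number of .dll lines that remain (step 6)."""
    lines = text.splitlines()
    if len(lines) <= COUNT_LINE or not lines[COUNT_LINE].strip().isdigit():
        raise ValueError("line 5 of Dec3.cfg is not the .dll count")
    if module not in lines:  # already removed: safe to re-run on a client
        return text
    idx = lines.index(module)
    if idx + 1 >= len(lines) or not lines[idx + 1].strip().isdigit():
        raise ValueError(f"{module} is not followed by its numeric line")
    del lines[idx:idx + 2]
    body = lines[COUNT_LINE + 1:]
    end = next((i for i, ln in enumerate(body) if ln.startswith("[")), len(body))
    lines[COUNT_LINE] = str(sum(ln.lower().endswith(".dll") for ln in body[:end]))
    return "\n".join(lines) + "\n"

def patch_dec3_cfg(path: Path) -> bool:
    """Back up (step 2) and rewrite Dec3.cfg in place; True if it changed."""
    original = path.read_text(encoding="ascii")
    updated = disable_module(original)
    if updated == original:
        return False
    shutil.copy2(path, path.with_suffix(".cfg.bak"))
    path.write_text(updated, encoding="ascii")
    return True

# Constructed, abbreviated Dec3.cfg in the article's layout (3 modules, not 16).
SAMPLE_BEFORE = """.
1000000
16384
500000
3
Dec2ID.dll
10
Dec2CAB.dll
4
Dec2LHA.dll
12
[Options]
EnableMIMEEngine=1
"""
```

Run it with Administrator privileges against the Dec3.cfg in the SEP installation folder, then restart the Symantec Endpoint Protection service as in step 8.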

 

Disable scanning of compressed files


This method prevents the Decomposer engine from parsing any compressed file during a manual scan or when called by either of the two e-mail scanning tools. This mitigation option allows an administrator to disable compressed file scanning centrally by using an antivirus policy change.

For instructions, please read the following article: How to disable scanning of compressed files within Symantec Endpoint Protection

This disables scanning of all compressed files, not just .cab files. This setting must be changed in all administrator and active scans, as well as in both the Exchange and Lotus Notes e-mail client tools.

A computer is vulnerable as long as .cab file scanning is enabled. This workaround lowers the risk while still providing real-time protection through Auto-Protect. With this configuration in place the .cab file decomposer engine is only used if a user right-clicks and scans a .cab file, or if a user-created scan on the machine does not include the "disable compressed file scanning" option.

Note: When using this configuration setting, compressed files are not scanned during normal administrator or active scans. However, AutoProtect still scans these files if a user extracts them. For example, if a user downloads a .cab or .zip file, it is not scanned during the next administrator scheduled scan. However, if the user extracts it, AutoProtect immediately scans and detects any malicious content. Since the file was not extracted by SEP, the vulnerability is not exposed.

 


Attachments

SYM12-017 Decomposer Update Tool
SYM12_017_Fixtool.zip (816 kBytes)

Supplemental Materials

Source: ETrack
Value: 2987129
