Video Screencast Help

Adobe Flash Script Error (Something to do with SEP)

Created: 07 Mar 2013 | 15 comments

 I notice that sometimes when trying to update or download adobe flash I get a script error on some, not all workstations in our environment. We have a group named workstations that we have all our user workstations in, within SEPM. I noticed sometime when trying to update/install flash player I'll get a script error on the workstation and it will not install, so to test I disabled network threat protection on one of the workstations and then tried to download adobe flash again and it worked fine. I also uninstalled flash and re enabled ntp to see if it would stop the download with ntp on and sure enough i got a script error in the middle of install. So, I have pinpointed that ntp seems to be what may block the install sometimes, but I do not see any blocked messages within the event viewer workstation log.

I want to add an exception within the sepm console to keep from blocking adobe updates/downloads, but I am not sure how. I have added exceptions for applications in program files before but not for downloads updates from a website. I have read articles on adding exceptions but do not see anything specifically for adding downloads from a website.

Operating Systems:

Comments 15 CommentsJump to latest comment

.Brian's picture

Are you seeing anything in the Security log on the SEP client? Not sure why NTP would block this...are you using an application control policy?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

valley_girl1919's picture

 I don't see anything in the security log but I do see logs in the system log on the client PC, but I don't see anything pertaining to something being blocked.

 The only thing we have blocked using application and control policy is to block autorun.inf

 What I did to get adobe to download was right click on the client within the console and disable network threat protection and the I was able to run the download.

SebastianZ's picture

Could you post a screenshot of the error you are getting?

valley_girl1919's picture

 Here is a post of the error message I see when ntp is enabled and I try to download adobe.

AttachmentSize
adobe error.docx 45.55 KB
.Brian's picture

What happens if you disable the browser IPS add on in IE?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

valley_girl1919's picture

 When I go to manage add ons within IE and disable IPS then the download goes through fine, but re enable does cause the error, so it is IPS that is blocking. Now just need to add an exception for that in the IPS policy

.Brian's picture

There is no abilty to add exceptions for browser IPS. You can only enable or disable.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

valley_girl1919's picture

 Just out of curiosity, I found this within the SEPM console. I attached the print screen; can anything be added to this?

AttachmentSize
Intrusion Prevention.docx 30.03 KB
SebastianZ's picture

These are IPS attack signatures - the setting allows here to set a different action that the default (block in most cases) - but if you don't see any block actions in the SEP logs related to IPS protection no point really to set here any exclusions as there are few thousands of these signatures.

Mithun Sanghavi's picture

Hello,

You may be interested in these BLOG's - 

Fake Adobe Flash Update Installs Ransomware, Performs Click Fraud

https://www-secure.symantec.com/connect/blogs/fake-adobe-flash-update-installs-ransomware-performs-click-fraud

New Adobe PDF Zero-day Unleashes Trojan.Swaylib

https://www-secure.symantec.com/connect/blogs/new-adobe-pdf-zero-day-unleashes-trojanswaylib

New Adobe Vulnerabilities Being Exploited in the Wild

https://www-secure.symantec.com/connect/blogs/new-adobe-vulnerabilities-being-exploited-wild

Adobe Zero-day Used in LadyBoyle Attack

https://www-secure.symantec.com/connect/blogs/adobe-zero-day-used-ladyboyle-attack

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Mick2009's picture

This new Security Response blog post will be of interest to followers of this thread:

2013 First Quarter Zero-Day Vulnerabilities
https://www-secure.symantec.com/connect/blogs/2013-first-quarter-zero-day-vulnerabilities

...

Symantec recommends users to follow these best security practices:

  • Ensure all applications are up to date with the latest security patches. Even though a zero-day exploit cannot be patched, the latest updates will provide protection from previously disclosed vulnerabilities.
  • Ensure antivirus and IPS definitions are up-to-date.
  • Avoid visiting sites of questionable integrity.
  • Avoid opening files provided by untrusted sources.
  • Implement multiple redundant layers of security such as non-executable and randomly mapped memory segments that may hinder an attacker's ability to exploit vulnerabilities.

 

With thanks and best regards,

Mick

RickJDS's picture

We are having this problem too.  How do we resolve this?

.Brian's picture

Disable the browser IPS add-on

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

RickJDS's picture

I don't want to leave the user's browser unprotected.

.Brian's picture

I would test with latest version and if still not working, I would open a case. If it's a bug,they need to look at it.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.