Endpoint Protection

  • 1.  New CIDS (IPS) engine 14.1.2 causes Browser Intrusion Prevention balloon when using IE

    Posted Oct 23, 2014 11:37 PM

    Hey all,

    No one else has posted about this yet, likely because right now USA and Europe have gone home.
    Well here in Australia it's mid-Friday business, and a new CIDS (Intrusion Protection Engine) engine that's been pushed out by Symantec is causing problems.
    Version 14.1.2; in my SEP RU5 Agent it reports the version as 14.1.2.4.

    Confirmed as an issue with IE 11 with SEP 12.1 versions, RU2, RU4MP1, RU5. (Granted RU2 doesn't support Browser IPS in IE 11 "officially", but it has always worked and still does, but that's beside the point here)

    Supported Browser versions for Browser Intrusion Prevention for Symantec Endpoint Protection 12.1.x
    http://www.symantec.com/docs/TECH174537

    New Features in Client Intrusion Detection System (CIDS) 14.1 (cannot find an article describing this latest CIDS release, this is the newest I found)
    http://www.symantec.com/docs/TECH224237
     

    I received a BCS Bulletin after the issue started mid-morning saying:

    Symantec is releasing a new CIDS engine for Symantec Endpoint Protection. This is a staged rollout beginning today October 23rd, and is expected to be completed on Monday October 28th.

    The test file contains version 14.1.2 and is available here:
    https://fileshare.symantec.com
    User Name: <removed>
    Password: <removed>

    Once logged in, please select the Shared Folders tab. The test file is available in the following path:
    Component Files / CIDS / CIDS 14.2 BCS.ZIP

    For more information about Staged Releases please see the following document:
    http://www.symantec.com/business/support/index?page=content&id=TECH206118

    Thank you, Symantec Endpoint Protection Engine Updates


    So it almost looks like they've made available/released a test version at the same time they've started rolling it out? (just guessing here)

    For those wondering what happens, open IE 11, don't even visit a site, just open a tab, and you get this balloon.

    We have some users complaining of multiple SEP system tray shield icons appearing, where one is SEP 12.1 and the other is SEP 11, and they can launch BOTH SEP 12.1 and 11 GUIs! (I've yet to replicate this on my workstation laptop)
    These users have never had SEP 11 installed, it's almost as if some old code is being "activated". Still investigating this.

    baloon.jpg

    two_SEPs.jpg


    In the logs, under Systems Logs, it looks like this:

    system_logs_ips.png

    Will post updates as we get them.

     



  • 2.  RE: New CIDS (IPS) engine 14.1.2 causes Browser Intrusion Prevention balloon when using IE
    Best Answer

    Posted Oct 27, 2014 06:35 PM

    This thread was created on Friday morning (Australian time) and was not approved by moderators until this morning, so unfortunately, it's a little late to provide any assistance to US and Europe people, which is what we were trying to do, seeing as Australia (being ahead in timezones) saw this issue first.

    By now, everyone knows the cause (bad IPS Def) via these:

    http://www.symantec.com/connect/forums/browser-intrusion-prevention-malfunctioning-0

    http://www.symantec.com/connect/forums/sepm-1215-and-internet-explorer-causing-system-lockups-2014-10-24

    Have any other community members ever had such issues, requiring escalation to Symantec mgmt to get threads approved?



  • 3.  RE: New CIDS (IPS) engine 14.1.2 causes Browser Intrusion Prevention balloon when using IE

    Posted Oct 29, 2014 05:05 AM

    Have any other community members ever had such issues, requiring escalation to Symantec mgmt to get threads approved?

    Pretty much every time I include a link (whether it's to the Symantec forums or externally) there's a lengthy delay on the post appearing, which I'm guessing is because it has to be approved first, or it could be because I'm not a frequent poster? I (normally) only use the forums if there's a problem. I now try to avoid using any links in my OP and mention I'll be adding them to a second post, because I've twice been in similar shoes to yourself and pointed out a problem as it was happening, only for the post to appear many hours later, after other people's posts on the same subject have appeared and been solved.