
Permanent fix for "Symantec Endpoint Protection zero-day vulnerability"


  • 1.  Permanent fix for "Symantec Endpoint Protection zero-day vulnerability"

    Posted Aug 04, 2014 01:29 AM

    Dear Symantec Employees,

    When can we expect a permanent fix for the "Symantec Endpoint Protection zero-day vulnerability"?

     

    Regards...

    Ramji Iyyer



  • 2.  RE: Permanent fix for "Symantec Endpoint Protection zero-day vulnerability"

    Posted Aug 04, 2014 01:34 AM

    Check this

    Offensive Security reports of Symantec Endpoint Protection zero-day vulnerability (July 2014)

    Article: TECH223338 | Created: 2014-07-29 | Updated: 2014-07-31 | Article URL: http://www.symantec.com/docs/TECH223338


  • 3.  RE: Permanent fix for "Symantec Endpoint Protection zero-day vulnerability"

    Posted Aug 04, 2014 01:56 AM

    Hi AJ,

    I am aware of the above document.

    Required: permanent solution ASAP.



  • 4.  RE: Permanent fix for "Symantec Endpoint Protection zero-day vulnerability"

    Posted Aug 04, 2014 02:36 AM

    Hi,

    I have already raised the issue with Symantec. As Offensive Security has published the info about this vulnerability, Symantec is treating it as high priority and working on the issue. I hope we will get a solution; I am also waiting for their response.

     

     



  • 5.  RE: Permanent fix for "Symantec Endpoint Protection zero-day vulnerability"

    Posted Aug 04, 2014 06:59 AM
    Nothing so far. If you don't use ADC remove it, otherwise all you can do is wait to hear from Symantec.


  • 6.  RE: Permanent fix for "Symantec Endpoint Protection zero-day vulnerability"
    Best Answer

    Broadcom Employee
    Posted Aug 04, 2014 02:03 PM

    Hi,

    Symantec Endpoint Protection 12.1 Release Update 4 Maintenance Patch 1b (RU4 MP1b) is currently available in English on Symantec FileConnect. Please see Obtaining the latest version of Symantec Endpoint Protection or Symantec Network Access Control for additional instructions on downloading this release. All supported languages will be released to FileConnect as soon as they are available. This Knowledge Base article will be updated as further information becomes available. Please subscribe to TECH223338 to receive update notifications automatically.

    This version updates the Symantec Endpoint Protection clients to 12.1.4112.4156 to address this issue. There are no updates to the Symantec Endpoint Protection Manager included with this release. This Symantec Endpoint Protection client update is a complete release and accepts migrations from any previous release of the Symantec Endpoint Protection 11.0 and 12.1 product line.

    Symantec Endpoint Protection 12.1 for Small Business is not affected, so there are no updates for this issue.

    Following article is now updated with the shared info: 

    Offensive Security reports of Symantec Endpoint Protection zero-day vulnerability (July 2014)

    http://www.symantec.com/docs/TECH223338 
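The reply above gives the one number an administrator needs to verify the rollout: clients are fixed once they report build 12.1.4112.4156, and the SEPM itself does not change. The script below is an added example, not Symantec's tooling and not code from this thread. It assumes a two-column CSV export (hostname, client version) such as one saved from a SEPM client inventory report; the column names and every sample version other than the fixed build are constructed for illustration. It sorts hosts into the actions the thread describes: nothing to do, push the MP1b client package, or (for 11.x clients) migrate to MP1b or apply the TECH223338 workaround of withdrawing the ADC policy in the meantime. A version string alone cannot tell SEP 12.1 for Small Business (stated above as not affected) apart from the enterprise client, so those hosts would have to be excluded by product name before the check.

```python
"""Audit a SEP client-version export against the 12.1 RU4 MP1b fixed build.

Added example, not Symantec tooling. It assumes a CSV export with the
columns 'hostname' and 'client_version' (assumed names); adapt them to
whatever your SEPM report actually produces.
"""
import csv
import io

# Client build the thread identifies as carrying the fix (12.1 RU4 MP1b).
FIXED_BUILD = (12, 1, 4112, 4156)

# Constructed sample export. Apart from the fixed build, the version values
# are illustrative and not taken from any real inventory.
SAMPLE_EXPORT = """\
hostname,client_version
ws-001,12.1.4112.4156
ws-002,12.1.4100.4126
srv-gup-01,12.1.4112.4156
ws-legacy-07,11.0.7300.1294
ws-003,12.1.4013.4007
ws-bad-row,n/a
"""


def parse_version(text):
    """Turn '12.1.4112.4156' into (12, 1, 4112, 4156); None if malformed."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def classify(version):
    """Map a parsed client version to the action described in the thread.

    'fixed'                   - at or above the MP1b build; nothing to do.
    'upgrade_client'          - a 12.1 client below the fixed build; import the
                                MP1b client package into the SEPM and push it
                                (no SEPM upgrade is needed).
    'upgrade_or_withdraw_adc' - an 11.x client; MP1b accepts migration from
                                11.0, and until it is migrated the TECH223338
                                workaround is to disable/withdraw the ADC policy.
    'unknown'                 - version could not be parsed or is outside the
                                11.x/12.1 lines; check the host by hand.
    """
    if version is None:
        return "unknown"
    if version[:2] == (12, 1):
        return "fixed" if version >= FIXED_BUILD else "upgrade_client"
    if version[0] == 11:
        return "upgrade_or_withdraw_adc"
    return "unknown"


def audit(export_text):
    """Group hostnames from the CSV export by the action they need."""
    groups = {
        "fixed": [],
        "upgrade_client": [],
        "upgrade_or_withdraw_adc": [],
        "unknown": [],
    }
    for row in csv.DictReader(io.StringIO(export_text)):
        status = classify(parse_version(row["client_version"]))
        groups[status].append(row["hostname"])
    return groups


if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_EXPORT).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Comparing the version as a tuple of integers rather than as a string matters here: a string comparison would rank "12.1.4013.4007" above "12.1.4112.4156" on some inputs and silently mark unpatched clients as fixed. Hosts that land in the unknown group should be treated as unpatched until someone looks at them.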

     



  • 7.  RE: Permanent fix for "Symantec Endpoint Protection zero-day vulnerability"

    Posted Aug 04, 2014 02:48 PM

    So this is a full SEPM upgrade?

    Can we just add the client to the SEPM or is there going to be a version conflict with SEPM's and GUP's?

     

    pf



  • 8.  RE: Permanent fix for "Symantec Endpoint Protection zero-day vulnerability"

    Broadcom Employee
    Posted Aug 04, 2014 03:14 PM

    Hi,

    This is a client-side-only fix. The SEPM build is the same as 12.1 RU4 MP1a.

    You can import the client into the current SEPM via the .info file or the SEP install executable, for assignment to groups or for package configuration/deployment.

     



  • 9.  RE: Permanent fix for "Symantec Endpoint Protection zero-day vulnerability"

    Posted Aug 04, 2014 04:17 PM

    No issues with GUPs communicating with the SEPM, or clients with the SEPM? I know in the past it was an issue if clients were on a newer version than the GUPs or SEPM; they couldn't download the defs due to being on the newer version.

     

    You can't have a SEP client on 12 RU4 updating from a GUP/SEPM on SEP 12 RU3.

     

    We have always upgraded the SEPM (1st), the GUPs (2nd) and then the clients (3rd) in order to keep clients from having update issues.



  • 10.  RE: Permanent fix for "Symantec Endpoint Protection zero-day vulnerability"

    Posted Aug 05, 2014 04:08 AM

    There has always been backward compatibility for newer clients using older GUPs. See the article below:

    http://www.symantec.com/docs/HOWTO80957

    As far as I can tell, since no changes have been made to GUP functionality, there should be no issue with 12.1 RU4 MP1b clients updating via GUPs on older versions.



  • 11.  RE: Permanent fix for "Symantec Endpoint Protection zero-day vulnerability"

    Posted Aug 05, 2014 08:37 AM

    Why is there a SEPM download for 12.1 RU4 MP1b? This vuln only affects the clients.

    Isn't it quicker to download the client package and import it into the SEPM instead of going through a whole SEPM upgrade?

    Confused...



  • 12.  RE: Permanent fix for "Symantec Endpoint Protection zero-day vulnerability"

    Posted Aug 05, 2014 08:47 AM

    I had the same question, and our Technical Rep has confirmed that you don't need to upgrade the SEPM. However, if you need to recover or put in a new SEPM, it is best to use the latest.

    We are getting ready to confirm all the above and rebuilt our dev environment last night as we are still not fully comfortable with this patch.

    Testing will be a SEPM with MP1a installed, adding the MP1b client package, then installing to a dev box and making sure the GUP and SEPM can relay updates. LiveUpdate Administrator doesn't need an update so far. Also, I have confirmed with support that CleanWipe has not been updated and the current version should work on the MP1b version.

    I should be done testing today and give an update and feedback.



  • 13.  RE: Permanent fix for "Symantec Endpoint Protection zero-day vulnerability"

    Broadcom Employee
    Posted Aug 05, 2014 08:49 AM

    No need to upgrade the SEPM to cover this vulnerability.



  • 14.  RE: Permanent fix for "Symantec Endpoint Protection zero-day vulnerability"

    Posted Aug 05, 2014 08:59 AM

    Cool, makes sense. Thanks for the update. I'll be curious to get your feedback.

    Thanks

    -Brian



  • 15.  RE: Permanent fix for "Symantec Endpoint Protection zero-day vulnerability"

    Posted Aug 05, 2014 10:14 AM

    TECH223338 states for the 11.x workaround:

    1. From the SEPM console, click to Groups > Policy, and select the Application and Device Control (ADC) policy.
    2. Click Tasks and disable the ADC policy, then click Yes.

     

    However, there is no "disable" under the Tasks. By "disable" do you mean the Withdraw Policy option?

     

     



  • 16.  RE: Permanent fix for "Symantec Endpoint Protection zero-day vulnerability"

    Posted Aug 05, 2014 10:34 AM

    You can disable ADC policy.

    Open the policy and in the Overview section is a checkbox for "Enable this policy".



  • 17.  RE: Permanent fix for "Symantec Endpoint Protection zero-day vulnerability"

    Posted Aug 05, 2014 12:37 PM

    "Also, I have confirmed with support that CleanWipe has not been updated and the current version should work on the MP1b version."

    Negative. Version detected error. CleanWipe will need to be updated to MP1b.



  • 18.  RE: Permanent fix for "Symantec Endpoint Protection zero-day vulnerability"

    Posted Aug 05, 2014 12:49 PM

    Good to know. Thanks.



  • 19.  RE: Permanent fix for "Symantec Endpoint Protection zero-day vulnerability"

    Posted Aug 05, 2014 04:10 PM

    Latest info on new version.

    GUP updates fine. SEPM updates fine.

    No errors seen, and installs went fine on the test boxes.

    DEV Environment:

    SEPM 12 RU4 MP1a

    Desktop clients: 12 RU4 MP1b (SEPM and GUP updates)

    Server client: 12 RU4 MP1b (GUP server)

     

    Moving to begin testing in our production environments.

     

    Still no CleanWipe. :(



  • 20.  RE: Permanent fix for "Symantec Endpoint Protection zero-day vulnerability"

    Broadcom Employee
    Posted Aug 08, 2014 10:06 AM

    CleanWipe should be available now.



  • 21.  RE: Permanent fix for "Symantec Endpoint Protection zero-day vulnerability"

    Posted Aug 08, 2014 01:55 PM

    I need some hand-holding here. I downloaded Part 1 from FileConnect. However, when I extracted the file there was a folder named SEPM in there. If the SEPM doesn't need to be upgraded, then how do I go about just creating the Installation Packages and getting them into the SEPM so I can deploy the client upgrades/Installation Packages FROM the SEPM? This is new territory for me, since I've always done a SEPM upgrade which, in turn, creates the Installation Packages for the endpoints.



  • 22.  RE: Permanent fix for "Symantec Endpoint Protection zero-day vulnerability"

    Posted Aug 08, 2014 02:13 PM

    Inside the SEPM folder is another called Packages. There will be 6 files in here (3 with .info, 3 with .dat):

    SAV32 is the 32-bit SEP client
    SAV64 is the 64-bit SEP client
    SEP_Mac is the Mac client

    You need to import the SAV32 and SAV64 .info files into the SEPM to create the packages.

    This article will walk you through it:

    How to manually import client packages into Endpoint Protection Manager (SEPM)

    http://www.symantec.com/docs/TECH122824

     



  • 23.  RE: Permanent fix for "Symantec Endpoint Protection zero-day vulnerability"

    Posted Aug 08, 2014 04:53 PM

    <RANT>

    I'm thinkin' "Monkeys and Footballs" right about now. Symantec says we don't need to upgrade the SEPM, but FileConnect has a SEPM download. Do I download it? NO, because the SEPM doesn't need to be upgraded. So I download the installation files for WIN64 and 32BIT (Part 1). Seems logical.

    After I learn how to import the Install Packages into the SEPM, I find out that the INFO files aren't in the download I did; they're in the SEPM download, you know, the one we seemingly don't need because the SEPM doesn't need to be updated?

    So yeah, I download the SEPM files from FileConnect and, sure enough, there are the INFO files.

    Give me a break!

    </RANT>



  • 24.  RE: Permanent fix for "Symantec Endpoint Protection zero-day vulnerability"

    Posted Aug 09, 2014 12:28 PM

    The SEPM folder is there in case folks are doing a fresh install; they can just install it. Even though the SEPM stayed at RU1 MP1, the clients need to be upgraded to fix the ADC vuln.

    So yeah, kinda confusing, but that's probably the logic behind it.



  • 25.  RE: Permanent fix for "Symantec Endpoint Protection zero-day vulnerability"

    Posted Aug 11, 2014 11:23 AM

    Hello Lawson,

     

    The .info files are not required to import the individual install packages; they simply fill out the data in the import wizard for you. If you download the unmanaged client packages for 32-bit and 64-bit, they can be extracted to separate folders and then manually imported through Admin > Install Packages. Personally, I try to fill out the details in the import wizard to look similar to the other install packages.

     

    -Shawn



  • 26.  RE: Permanent fix for "Symantec Endpoint Protection zero-day vulnerability"

    Posted Aug 12, 2014 11:13 AM

    I'm wondering why not create a small patch package (20-30 MB) to roll out, maybe without a reboot?

    I assume customers with 100s or 1000s of clients would be happy not to be forced to push out a whole AV client of 500 MB, including a reboot.



  • 27.  RE: Permanent fix for "Symantec Endpoint Protection zero-day vulnerability"

    Posted Aug 12, 2014 02:41 PM

    SEP 12 RU4 MP1b - Is there a new version of CleanWipe?



  • 28.  RE: Permanent fix for "Symantec Endpoint Protection zero-day vulnerability"

    Posted Aug 12, 2014 02:43 PM

    Where might I download the newest version?



  • 29.  RE: Permanent fix for "Symantec Endpoint Protection zero-day vulnerability"

    Posted Aug 12, 2014 02:48 PM

    It is out... create a chat case and request it.



  • 30.  RE: Permanent fix for "Symantec Endpoint Protection zero-day vulnerability"

    Posted Aug 12, 2014 04:08 PM

    You have to create a case with support.



  • 31.  RE: Permanent fix for "Symantec Endpoint Protection zero-day vulnerability"

    Posted Aug 12, 2014 06:07 PM

    If CleanWipe is available, what package is it in on FileConnect? It is not in the SEPM download, so which one is it?



  • 32.  RE: Permanent fix for "Symantec Endpoint Protection zero-day vulnerability"

    Posted Aug 12, 2014 06:30 PM

    You have to open a case with Symantec support. They will give you the download link.