Endpoint Protection


Attack: Structured Exception Handler Overwrite detected when running Office 365 and Outlook


  • 1.  Attack: Structured Exception Handler Overwrite detected when running Office 365 and Outlook

    Posted Jan 15, 2019 11:13 AM

    We have started to get a Symantec warning when running Office 365 / Outlook. It shows "Attack: Structured Exception Handler Overwrite detected. Symantec Endpoint Protection will terminate c:\Program Files(x86)\Symantec..."

    Then Symantec Endpoint Protection gets corrupted and a repair must be done.



  • 2.  RE: Attack: Structured Exception Handler Overwrite detected when running Office 365 and Outlook

    Posted Jan 15, 2019 11:14 AM

    Anyone have ideas what it can be?



  • 3.  RE: Attack: Structured Exception Handler Overwrite detected when running Office 365 and Outlook

    Posted Jan 15, 2019 11:18 AM

    Maybe bad defs... reproduce it and run a SymDiag... better get Symc engaged.



  • 4.  RE: Attack: Structured Exception Handler Overwrite detected when running Office 365 and Outlook

    Posted Jan 15, 2019 11:44 AM

    Hi dalmagnus_s

    Thanks for the post.  There have been a number of reports of this behavior and we have an active investigation underway. Don't panic: at this time there's no indication this is because of any widespread new threat, attack or defect.

    More info on SEHOP can be found in:

    Symantec Endpoint Protection Memory Exploit Mitigation techniques
    https://www.symantec.com/docs/HOWTO127047

    I recommend collecting the material listed in the "Correcting and preventing false positives" section of

    Hardening Windows clients against memory tampering attacks with a Memory Exploit Mitigation policy
    https://www.symantec.com/docs/HOWTO127057

    and getting it submitted to the experts for examination.

    That article also has details on how to change the Memory Exploit Mitigation policy so that these events are logged only; see the "Auditing protection for a terminated application" section. Definitely do not disable SEP or MEM as a whole; just set up those exclusions/exceptions if you are confident that this is a FP.



  • 8.  RE: Attack: Structured Exception Handler Overwrite detected when running Office 365 and Outlook

    Posted Jan 15, 2019 12:14 PM

    We are seeing the same issue at our locations.



  • 9.  RE: Attack: Structured Exception Handler Overwrite detected when running Office 365 and Outlook

    Posted Jan 15, 2019 12:26 PM

    Same here, it is ending a Symantec process and doesn't report back to the manager, so it doesn't appear in the logs!



  • 10.  RE: Attack: Structured Exception Handler Overwrite detected when running Office 365 and Outlook

    Posted Jan 15, 2019 12:49 PM

    Where in the local log files can we look for this?



  • 11.  RE: Attack: Structured Exception Handler Overwrite detected when running Office 365 and Outlook

    Posted Jan 15, 2019 03:03 PM

    I'm also getting reports of the same issue for Office 2013



  • 12.  RE: Attack: Structured Exception Handler Overwrite detected when running Office 365 and Outlook

    Posted Jan 15, 2019 03:04 PM

    Also getting reports of the same issue with Office 2013



  • 13.  RE: Attack: Structured Exception Handler Overwrite detected when running Office 365 and Outlook

    Posted Jan 15, 2019 03:52 PM

    I am seeing this on a completely fresh Windows 10 install with only SEP 14.2.760.0000 installed - no version of Office installed on this PC. The popup lists this attack and then Symantec either shuts down/malfunctions or restarts.



  • 14.  RE: Attack: Structured Exception Handler Overwrite detected when running Office 365 and Outlook

    Posted Jan 15, 2019 04:02 PM

    Getting the same here, but we're using Windows 10 LTSB 1607 with Office 2016 Pro Plus.




  • 16.  RE: Attack: Structured Exception Handler Overwrite detected when running Office 365 and Outlook

    Posted Jan 15, 2019 04:14 PM

    Just got off the phone with support.  As a temporary workaround they had me modify the Memory Exploit Mitigation policy and set the entry for ccSvcHst.exe to Log Only.



  • 17.  RE: Attack: Structured Exception Handler Overwrite detected when running Office 365 and Outlook

    Posted Jan 15, 2019 04:52 PM

    We're seeing the same issue but it's not widespread. Created a ticket with support.  So far, we have verified 8 out of 1,200 workstations that are affected.  It appears to affect Windows 10 machines with Office 365.  Installing the latest Windows updates and rebooting fixed two machines.  One machine was not fixed even after a Clean Wipe and reinstall.  We had to clean wipe and delete the C:\ProgramData\Symantec directory before reinstalling.



  • 18.  RE: Attack: Structured Exception Handler Overwrite detected when running Office 365 and Outlook

    Posted Jan 15, 2019 05:21 PM

    We got the same issue today on a Win 10 Home laptop. It popped up the same error. I followed JBMiller's instructions above to set the entry to log only for ccSvcHst. I hope it will fix the issue. Thank you!

    "Just got off the phone with support.  As a temporary workaround they had me modify the Memory Exploit Mitigation policy and set the entry for ccSvcHst.exe to Log Only." from JBiller



  • 19.  RE: Attack: Structured Exception Handler Overwrite detected when running Office 365 and Outlook

    Posted Jan 15, 2019 05:30 PM

    We opened a case with Symantec support today as well. I was told recently that it was a false positive (FP).

    Details from their last update email: "... the issue was determined to be an FP due to a content issue. New content is expected to be posted ETA 2pm Pacific time. It will be IPS content with a sequence number of 20190115.64 ..."

    I hope this info helps.

    Edit #1: I just looked for the IPS content update in the SEPM console, but all I see are the Windows Definitions on the Home page. Where in the console can I see the IPS Definitions other than in the endpoint properties window for any given endpoint? Thanks!

    Edit #2: I actually found that I can use the "Quick Reports" to summarize that information by using "Computer Status" report type and "Intrusion Prevention Signature Distribution" for report selection. (If there's a simpler way, I'd be happy to hear it.)



  • 20.  RE: Attack: Structured Exception Handler Overwrite detected when running Office 365 and Outlook

    Posted Jan 16, 2019 02:55 AM

    We are also having this issue; a few users have reported it to us so far.

    @Symantec - do these IPS definitions (attached screenshot) include the fix?



  • 21.  RE: Attack: Structured Exception Handler Overwrite detected when running Office 365 and Outlook

    Posted Jan 16, 2019 03:49 AM

    We also had this on Windows 7 machines yesterday.  Our console isn't reporting lots of these events though.  Does anyone know if the issue stops it from being reported back to the console?



  • 22.  RE: Attack: Structured Exception Handler Overwrite detected when running Office 365 and Outlook

    Posted Jan 16, 2019 03:54 AM

    Is this a global issue?

    Seems like complaints are rising currently - same detection item.

    Worst case is that it's causing the SEP client to crash constantly....



  • 23.  RE: Attack: Structured Exception Handler Overwrite detected when running Office 365 and Outlook

    Posted Jan 16, 2019 04:24 AM

    Hello,

    It is a global issue caused by a bad set of IPS definitions. In this case, the MEM policy is practically disabling the SEP process, so the client is dead and logs about the false detection and the killing of ccSvcHst.exe couldn't be sent to the SEPM console. I think that the issue is already fixed in last night's IPS definitions, so you need to check if your clients have been updated with it.

    https://www.symantec.com/security_response/securityupdates/list.jsp?fid=sep&pvid=sep14



  • 24.  RE: Attack: Structured Exception Handler Overwrite detected when running Office 365 and Outlook

    Posted Jan 16, 2019 04:39 AM

    We've just had our first report of the same issue at our site. The affected client is running 14.2.758.0000 and has a volume licensed copy of Office 2016. OS Version Windows 10 1709 / 16299. There are likely plenty more instances but this user queried it as they're within the I.T. Department.

    Definition versions:

    Virus: 01/15/2019 r24
    Sonar: 01/07/2019 r1
    IPS: 01/14/2019 r63
    Download protection: 01/15/2019 r53
    EDR: 08/16/2018 r17
    WTR: 12/19/2018 r201



  • 25.  RE: Attack: Structured Exception Handler Overwrite detected when running Office 365 and Outlook

    Posted Jan 16, 2019 04:44 AM

    No updated signatures yet from Symantec. See attached...




  • 26.  RE: Attack: Structured Exception Handler Overwrite detected when running Office 365 and Outlook

    Posted Jan 16, 2019 04:49 AM

    Same here. Appeared yesterday as a quick popup; could not see what it was. Today I noticed the Symantec Endpoint Protection service was stopped. Started it and right away again got the popup with the attached notification. Problem is that Endpoint will stop and detection of viruses is stopped. I would consider this a "thingy".

    Edit #1: Implemented temp workaround from JBiller. Fixed problem for now.

    Edit #2: Nope, does not fix it. Startup scan runs again into the same problem.




  • 28.  RE: Attack: Structured Exception Handler Overwrite detected when running Office 365 and Outlook

    Posted Jan 16, 2019 04:54 AM

    Thanks to all who are following this thread.  Run LiveUpdate to obtain the latest IPS definitions in order to resolve this issue.  (IPS Signatures 201901150.64 and above.)



  • 29.  RE: Attack: Structured Exception Handler Overwrite detected when running Office 365 and Outlook

    Posted Jan 16, 2019 05:14 AM

    Would really like to, bruh, but I don't get any updates from Symantec.



  • 30.  RE: Attack: Structured Exception Handler Overwrite detected when running Office 365 and Outlook

    Posted Jan 16, 2019 11:34 AM

    Have updated the clients by running Live Update, however the issue is still happening. I have currently disabled the Memory Exploit Mitigation Policy which appears to be preventing the issue, prior to that I changed the ccSvcHst.exe to Log Only which had no effect.



  • 31.  RE: Attack: Structured Exception Handler Overwrite detected when running Office 365 and Outlook

    Posted Jan 16, 2019 11:43 AM

    I just had a user report this issue and the machine has IPS defs - 20190115.066. Shouldn't this have been resolved? Thanks.



  • 32.  RE: Attack: Structured Exception Handler Overwrite detected when running Office 365 and Outlook

    Posted Jan 16, 2019 01:00 PM

    For those that attempted to make a change to the MEM policy to set the ccSvcHst.exe entry to Log Only, be mindful of the 2nd column that lists the path.  Yesterday we also entered a support ticket and were instructed to do the same; however, when we originally made the change it was to the entry with the *\Symantec\*SEP* path. This did not match our installation and we needed to make the Log Only setting change to the entry with the *\Symantec\*Endpoint Protection\* path.  If you did the same and the rule you modified doesn't match your installs, you will still get the same behavior.

    We were also provided the information that the fix was in the 190115064 sequence number IPS update. By early this morning a majority of our systems had already updated to the 190115066 update, but we were still generating the MEM events.  In a follow-up on our ticket, support stated that this has been seen and that updated Whitelist and Virus + Spyware updates are also needed to solve these events (specific version numbers were not provided).  I am currently reviewing our devices to see if this appears to be the case, though just monitoring the Exploits Activity Summary in SEPM over the last hour does appear to show a lower count than I have been seeing since early this morning, as if it is slowing down.



  • 33.  RE: Attack: Structured Exception Handler Overwrite detected when running Office 365 and Outlook

    Posted Jan 16, 2019 01:58 PM

    What is the best way to tell what version of IPS definitions are installed?  I have done the LiveUpdates this morning on a couple of PCs that had the issue.  Then a little while later we got the same message again.  I rebooted the PC after getting the alert again and haven't had it since.  So should one reboot their PC after running the LiveUpdate?  Would that really make a difference?



  • 34.  RE: Attack: Structured Exception Handler Overwrite detected when running Office 365 and Outlook

    Posted Jan 16, 2019 02:14 PM

    Globally, a quick means is the Computer Status -> Intrusion Prevention Signature Distribution report in SEPM.  On an individual system, open SEP -> click Help -> Troubleshooting -> Versions, which will list the individual definition sequence numbers.



  • 35.  RE: Attack: Structured Exception Handler Overwrite detected when running Office 365 and Outlook

    Posted Jan 17, 2019 01:23 AM

    @Symantec - any news on this?

    I was informed by a user that the issue still persists even with the latest virus definitions.



  • 36.  RE: Attack: Structured Exception Handler Overwrite detected when running Office 365 and Outlook

    Posted Jan 17, 2019 04:36 AM

    I see in the SEPM that computers with the IPS definition 01/16/2019 r61 get a warning on this (I have set it to log only).



  • 37.  RE: Attack: Structured Exception Handler Overwrite detected when running Office 365 and Outlook

    Posted Jan 17, 2019 11:15 AM

    We too are still having this issue.



  • 38.  RE: Attack: Structured Exception Handler Overwrite detected when running Office 365 and Outlook

    Posted Jan 17, 2019 12:00 PM

    Hi all - if you have IPS definitions 20190115.064 or higher and the issue is still occurring, please do contact Tech Support!

    Collect the material listed in the "Correcting and preventing false positives" section of

    Hardening Windows clients against memory tampering attacks with a Memory Exploit Mitigation policy
    https://www.symantec.com/docs/HOWTO127057

    and get it submitted to the experts for examination.

    Many thanks!



  • 39.  RE: Attack: Structured Exception Handler Overwrite detected when running Office 365 and Outlook

    Posted Jan 17, 2019 05:27 PM

    This happened a week ago on one of the computers of the company where I work. The corresponding investigation was done at the time; it was nothing that had to have been taken to the background.



  • 40.  RE: Attack: Structured Exception Handler Overwrite detected when running Office 365 and Outlook

    Posted Jan 19, 2019 12:14 AM

    The issue also affects Windows Server 2008 R2.  Funnily enough, the Hyper-V VM running 2008 R2 is affected, but the Hyper-V host running 2008 R2, which is also the SEPM, is not.  Ah well, fixes coming soon I guess via the updates.



  • 41.  RE: Attack: Structured Exception Handler Overwrite detected when running Office 365 and Outlook

    Posted Jan 19, 2019 10:07 AM

    Is there any update from Symantec support on this? 



  • 42.  RE: Attack: Structured Exception Handler Overwrite detected when running Office 365 and Outlook

    Posted Jan 21, 2019 03:16 AM

    The issue should be resolved with present definitions (20190115.64 or later) and, if the problem is still seen, reboot the computers.  If the issue can be reproduced after applying those definitions and rebooting, please get in touch with Tech Support and provide them with a procdump of ccsvchst.exe.



  • 43.  RE: Attack: Structured Exception Handler Overwrite detected when running Office 365 and Outlook

    Posted Jan 21, 2019 09:48 AM

    Does this issue only affect the following SEP client version; 14.2.760.0000?  We haven't encountered this.



  • 44.  RE: Attack: Structured Exception Handler Overwrite detected when running Office 365 and Outlook

    Posted Jan 21, 2019 10:02 AM

    It's an issue some SEP 14 clients experienced last week.  If you have not seen this, there's nothing to worry about. 



  • 45.  RE: Attack: Structured Exception Handler Overwrite detected when running Office 365 and Outlook

    Posted Jan 21, 2019 10:47 AM

    Is there a way to check if we were affected?  There haven't been any reports of issues; however, is there a way to verify?



  • 46.  RE: Attack: Structured Exception Handler Overwrite detected when running Office 365 and Outlook

    Posted Jan 23, 2019 02:49 PM

    I'm a Symantec partner, so the following will sound like I'm an idiot, but is SEP 15 out yet, and if so, does it have the problem?  It was only last week that I did a SEP 15 partner webcast; up to that point I didn't even know SEP 15 was out (or soon to be).

    Also Cyber Security's question above hasn't been answered yet (mentioning it since I don't want my post to overshadow the question).



  • 47.  RE: Attack: Structured Exception Handler Overwrite detected when running Office 365 and Outlook

    Posted Jan 23, 2019 03:14 PM

    So this just popped up on one of our workstations. Actually hit mine. Which kinda sucks as I'm the IT Mgr and see no clear resolutions listed. So anybody got anything for this?



  • 49.  RE: Attack: Structured Exception Handler Overwrite detected when running Office 365 and Outlook

    Posted Jan 23, 2019 03:21 PM

    If you did not perform the workaround to set that MEM rule to log only, you will not have any events in SEPM for the issue, as it kills the ccSvcHst.exe process. We didn't start getting visibility in SEPM with this until we were in Log Only mode.

    When this originally started we did our initial scoping by searching the Windows Application log for Warning level EventID 400 from Symantec Network Protection, whose details contain "Blocked Attack: Structured Exception Handler Overwrite attack against C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\14.0.3929.1200.105\Bin\ccSvcHst.exe".

    If you do not have the environment to set up Windows Event Forwarding, or perhaps some script to parse the event log to check for these events (logon\startup script\SCCM?), you may want to elect to enable the Log Only workaround for a day or so.  Once clients are able to get the updated policy they would then be able to submit the log only alerts and you would have visibility from SEPM.
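One way to do the event-log scoping described in the post above, as an added example (not code from the thread or from Symantec): it queries the Windows Application log on each host for Warning-level Event ID 400 from the "Symantec Network Protection" provider and keeps only the SEHOP block against ccSvcHst.exe, so affected machines show up even though the killed SEP client never reported to SEPM. The host list, lookback window and output path are assumptions; the provider name, event ID and message text come from the post.

```powershell
# Added example: scope the MEM "Structured Exception Handler Overwrite" block on
# ccSvcHst.exe from the local Windows Application log rather than from SEPM.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),   # assumption: hosts to query
    [datetime]$Since = (Get-Date).AddDays(-14),       # assumption: lookback window
    [string]$ReportPath = "$env:TEMP\sehop-fp-scope.csv"  # assumption: output file
)

# Values from the post: provider "Symantec Network Protection", EventID 400, Warning.
$filter = @{
    LogName      = 'Application'
    ProviderName = 'Symantec Network Protection'
    Id           = 400
    Level        = 3            # 3 = Warning in the Windows event log
    StartTime    = $Since
}

$hits = foreach ($pc in $ComputerName) {
    try {
        $events = Get-WinEvent -ComputerName $pc -FilterHashtable $filter -ErrorAction Stop
    }
    catch {
        # Get-WinEvent raises a terminating error when the filter matches nothing;
        # treat that as "clean host", but surface RPC/access failures.
        if ($_.Exception.Message -like '*No events were found*') { $events = @() }
        else { Write-Warning "$pc : $($_.Exception.Message)"; continue }
    }

    foreach ($e in $events) {
        # Keep only the false-positive pattern from the thread: a SEHOP block
        # whose target is the SEP service itself. Other SEHOP blocks are left
        # for separate review rather than being folded into this FP count.
        if ($e.Message -like '*Structured Exception Handler Overwrite*ccSvcHst.exe*') {
            [pscustomobject]@{
                Computer    = $pc
                TimeCreated = $e.TimeCreated
                EventId     = $e.Id
                Message     = ($e.Message -replace '\s+', ' ').Trim()
            }
        }
    }
}

# Per-host summary: first/last occurrence and count, to judge whether the
# events stopped after the corrected IPS definitions were applied.
$summary = $hits | Group-Object Computer | ForEach-Object {
    [pscustomobject]@{
        Computer = $_.Name
        Events   = $_.Count
        First    = ($_.Group | Measure-Object TimeCreated -Minimum).Minimum
        Last     = ($_.Group | Measure-Object TimeCreated -Maximum).Maximum
    }
}

$hits | Export-Csv -Path $ReportPath -NoTypeInformation
$summary | Format-Table -AutoSize
Write-Host "Detail written to $ReportPath"
```

Run it from a host with remote event log access (RPC and the Event Log Readers rights) to the clients, or as a startup script on each client writing to a share, as the post suggests.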



  • 50.  RE: Attack: Structured Exception Handler Overwrite detected when running Office 365 and Outlook

    Posted Jan 23, 2019 03:40 PM

    <Deleted Double Post>



  • 51.  RE: Attack: Structured Exception Handler Overwrite detected when running Office 365 and Outlook

    Posted Jan 24, 2019 05:31 AM

    Hi Brian,

    Thanks for the post.  The issue being described should not be appearing at all at the moment; it's been resolved by running LiveUpdate and rebooting the computers after that if necessary.  Can you provide more details or logs if this has just occurred on your machine?



  • 52.  RE: Attack: Structured Exception Handler Overwrite detected when running Office 365 and Outlook

    Posted Jan 24, 2019 01:58 PM

    Hello - where do I check in the SEPM console to see what our definition numbers are?  Above a user commented: "The issue should be resolved with present definitions (20190115.64 or later) and, if the problem is still seen, reboot the computers."

    Where do I find the def numbers, i.e. like above (20190115.64)?

    Thanks



  • 53.  RE: Attack: Structured Exception Handler Overwrite detected when running Office 365 and Outlook

    Posted Jan 25, 2019 04:24 AM

    Hi MzSolo,

    "20190115.64" means definitions from "2019 January 15 revision 64."

    This article is pretty good:

    Checking that Symantec Endpoint Protection Manager has the latest content
    https://www.symantec.com/docs/HOWTO80806

    Here's a mildly amusing one about the different ways definitions are displayed:

    Sequence Makes Sense
    https://www.symantec.com/connect/articles/sequence-makes-sense



  • 54.  RE: Attack: Structured Exception Handler Overwrite detected when running Office 365 and Outlook

    Posted Jan 26, 2019 08:15 PM

    So this is unresolved still, no? I'm currently getting this error from allowing Dropbox to access my network, which appears to be unique here...



  • 55.  RE: Attack: Structured Exception Handler Overwrite detected when running Office 365 and Outlook

    Posted Jan 28, 2019 03:02 AM

    Hi NicholaStevens216,

    The reported issue has been fixed for quite some time. I recommend starting a new Connect thread with your logs and details of your definitions and configuration. Many thanks in advance!