Endpoint Protection

Hi,

Following error appears on a lot of clients today when the users start Internet Explorer.

Browser Intrusion Prevention is malfunctioning. Browser type: Internet Explorer. Try to update the signatures Browser path: C:\Program Files (x86)\Internet Explorer\iexplore.exe        

Do anyone know what the error can be??

I'm having similar problems but I can trigger it by simply downloading CSV and TXT files from a few specific websites on Windows 7 w/ Internet Explorer 8 & SEP 12.1.5 (locked into this thanks to 3rd parties that won't support anything greater, is ridiculous) - have confirmed that the lockups are happening in IE11 too tho.

Symptoms I experience are you click on the download link for the CSV or TXT file, it asks whether you want to open/save. Click on open and it hangs on 'Verifying / download to: Temporary Folder', you can close that window but the rest become unresponsive. It practically locks the computer up you can't end the iexplore.exe process and the computer then fails to shutdown, have to cold reboot. Only started this morning, was fine yesterday so I'm guessing it's a definition issue. 

If I run "iexplore -extoff" I can download the file fine.

If I run iexplore as normal and disable the Symantec Vulnerability Protection BHO and Browser Intrusion / Network Threat Protection, it still crashes when downloading these TXT files (and randomly doing other things)

If I uninstall SEP12.1.5 everything works fine again. As I said earlier, I think this is a definition issue as SEP12.1.5 was installed 14 days ago and they do this process several times a day, only started this morning.

we are too having this issue after the last definition update its driving our clients mad!

We are also having this issue on many of our machines when trying to launch IE, since a definition update thismorning.  It is affecting Windows 7 and Windows 8 machines running IE9 and IE11 (and presumably others too)

Is this being looked at?

Anyone opened a case with support? This needs to be looked at ASAP.

I haven't, anyone else?

ive opened a case and had this back it looks like a fix they recomended previously now breaks stuff and needes reversing!

Was a GPO has previously been created to suppress the message "The Symantec Intrusion Prevention add-on from Symantec Corporation is ready for use" in your environment.

Due to changes in the way CIDS works, it's no longer recommended to implement such GPO.

http://www.symantec.com/business/support/index?page=content&id=TECH224237

I think I found the problem.

http://www.symantec.com/business/support/index?page=content&id=TECH164924

"

Due to a change in how this protection works in CIDS version 14.0 and above, it is no longer recommended to implement a GPO as described below. Leaving such a GPO in place will result in pop-up messages indicating "Browser Intrusion Prevention is malfunctioning. Check the System logs for details."

Symantec Technical Support recommends removing such a GPO if one has been created.

"

Anyone opening a case to confirm?

We're not using any GPO for IE Add-on Management so it's not the issue in our environments.

Can confirm that the removal of the previous fix in the above URL worked for us:

Remove CLSID {6D53EC84-6AAE-4787-AEEE-F4628F01010C}=1 from User Configuration/Policies/Administrative Templates/Windows Components/Internet Explorer/Security Features/Add-on Management

PaulHod above

I can confirm that we do NOT have this GPO policy set Remove CLSID {6D53EC84-6AAE-4787-AEEE-F4628F01010C}=1 from User Configuration/Policies/Administrative Templates/Windows Components/Internet Explorer/Security Features/Add-on Management

Received this message on Windows 7 using the CIDS definitions - 10/23/2014 R12. 

So I'm thinking Symantec might have had an Oops. 

I got this message also on many clients. Window 7 SP1 IE9

I opened a case with Symantec and they confirmed their definitions for Oct 24th 2014 caused this issue with a flash player. They are working on releasing a definition update and that should resolve the issue. Your only options are disabling it on the endpoint or dealing with it until they get the definitions updated.

The solution on this thread suggests it's GPO related.

So...which is it...defs or GPO?

I'm hoping that it's the definitions because we don't have that GPO enabled in our environment at all.

I've also got a case opened but, have yet to hear from support.

The GPO update mentioned previously resolved the issue for us.

Disabling this GPO is wrong. The GPO force the enabling of the Symantec Vulnerability Protection in IE.

Hi,

Similar issues have been reported to the Symantec support & team is working on it.

Please create a support case.

Please gather a full memory dump along with the Symhelp report prior to call support.

Time being follow this workaround:

How to Backdate Virus Definitions in Symantec Endpoint Protection Manager

http://www.symantec.com/docs/TECH102935

Could you share the support case number?

Hi Chetan my case number was

Case Number 07536951

removing the gpo settings fixed it for all of my clients

Thanks for the udpate.

Ray07 the GPO is no longer needed as the addon is no longer used please read the following

http://www.symantec.com/business/support/index?page=content&id=TECH224237

GPO is also not the cause here.  No message with virus definitions 10/24 rev 17, experience issue with virus definitions 10/24 rev 25.

I followed the post that discussed the CIDS changes, New Features in Client Intrusion Detection System (CIDS) 14.1 (http://www.symantec.com/docs/TECH224237), very closely since it was posted on 8/29/14. It concerned me because of the nature of its release (via LiveUpdate opposed to in a SEP client upgrade) and the possibility users would receive prompts from IE or IE simply would not work. I noticed its release was postponed several times as it originally was due to be released in September.

That being said, we never set a GPO to control the browser prompts to begin with. I know Symantec recommended this if you received prompts with how the now older BHO worked. We have over 13K total SEP clients and many are not receiving the error (yet). I am using the monitor in SEPM -> Client Activity -> with Advanced settings of event source: Network Intrusion Protection Sys   and   severity: Warning and above. Out of our 13K clients, I have 145 currently reporting the error. I have only fixed two at this point, but I have fixed them with a simple reboot. Has anyone else tried this?

Here is something I noticed...

On a working machine, in IE, the Symantec Vulnerability Protection add-on is DISABLED (I expected it to be removed based on CIDS post above, but disabled will work for now.)

On a machine reporting the error, in IE, the Symantec Vulnerability Protection add-on is ENABLED. After I reboot the machine, it disables this add-on and resolves the error.

If this helps, I have over 4500 clients and only 178 reporting issue.  Rebooting and upgrading to v12.1.4100 did not resolve issue here.  Client running virus definitions October 23, 2014 rev17 no error, but virus definitions October 23, 2014 rev 25 do have the issue.

Wattsdown!  Thanks!

It's the add-on, it was ENABLED.  We DISABLED it and no error!  Will await additional information from Symantec, but this workaround will help ease our users.

Thanks again for providing the information to the post!

Excellent EIG-AV!

I was suprised when the add-on was still available/installed in IE. The CIDS tech article mentioned it would be removed, so I'm confused why it is still there. Yes, we will wait for further info from Symantec on this one, but it seems we are onto something.
 

They are rolling it back. Symantec just released this...

Internet Explorer hang or machine freeze after CIDS update 10/23/2014 r12

http://www.symantec.com/business/support/index?page=content&id=TECH225736&actp=SUBSCRIPTION

CASE#07540125 - no GPOs for us, just stopped browsing this morning.  Symantec has no answers yet, but my company is lovin' it!  All we do is browser-based and over 1000 people spent a non productive day.

J