Endpoint Protection


Run LiveUpdate to Correct Symantec Antivirus Engine Malformed PE Header Parser Memory Access Violation

ℬrίαη, May 17, 2016 08:00 AM

  • 1.  Run LiveUpdate to Correct Symantec Antivirus Engine Malformed PE Header Parser Memory Access Violation

    Posted May 17, 2016 05:54 AM

    Please be aware of this new vulnerability related to Symantec's Anti-Virus Engine (AVE).  AVE is one of the components of Symantec Endpoint Protection (SEP) as well as other Symantec products. 

    Security Advisories Relating to Symantec Products - Symantec Antivirus Engine Malformed PE Header Parser Memory Access Violation (SYM16-008)
    https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160516_00

    There is no need to install a new version of SEP throughout your organization: Engine updates are delivered via LiveUpdate. Simply run LiveUpdate to protect your organization. The new AVE is included in certified LiveUpdate definitions sequence 177598, which appears as 5/16/2016 rev. 24 in the GUI. 

    The new Anti-Virus Engine v 20151.1.1.4 is not vulnerable to the Malformed PE Header Parser Memory Access Violation.  To manually confirm that this new Engine version is in use by SEP:

    Open the directory C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Definitions\VirusDefs\20160516.024 (or the latest that is present) and examine the file NAVENG32.DLL.

    [screenshot: AVE_manual_check.png]

    More details about Engines can be found in:

    How to check the version of AV Engine, IPS Engine and Eraser Engine from the client computer
    http://www.symantec.com/docs/TECH95856


    This Symantec Antivirus Engine Malformed PE Header Parser Memory Access Violation vulnerability has been assigned CVE-2016-2208, "Symantec AVE malformed PE header parser memory access violation".

    Symantec would like to thank Tavis Ormandy with Google's Project Zero, for reporting this to us and working with us as we addressed the issue.

    With thanks and best regards,

    Mick
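A scripted form of the manual NAVENG32.DLL check described in the post above, added here as an example; it is not code from the original post or from Symantec. It assumes the definitions path, the YYYYMMDD.RRR folder naming (20160516.024 is 5/16/2016 rev. 24) and the fixed engine version 20151.1.1.4 exactly as the post states them; the function name Test-SepAveVersion is my own.

```powershell
# Added example, not from the original post or from Symantec. Assumptions:
# definitions live under the ProgramData path named in the post, definition
# folders are named YYYYMMDD.RRR (20160516.024 = 5/16/2016 rev. 24), and the
# fixed Anti-Virus Engine reports file version 20151.1.1.4 in NAVENG32.DLL.
# The function name is a hypothetical one chosen for this example.
function Test-SepAveVersion {
    param(
        [string]  $DefsRoot      = 'C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Definitions\VirusDefs',
        [string]  $FixedSequence = '20160516.024',          # certified definitions that carry the new AVE
        [version] $FixedEngine   = [version]'20151.1.1.4'   # engine not affected by CVE-2016-2208
    )

    # Zero-padded YYYYMMDD.RRR names sort correctly as plain strings, so the
    # last folder is the newest definition set on disk (the post says to use
    # 20160516.024 "or the latest that is present").
    $defFolders = Get-ChildItem -Path $DefsRoot -Directory -ErrorAction Stop |
        Where-Object { $_.Name -match '^\d{8}\.\d{3}$' } |
        Sort-Object Name
    if (-not $defFolders) { throw "No definition folders found under $DefsRoot" }
    $latest = $defFolders[-1]

    $dll = Join-Path $latest.FullName 'NAVENG32.DLL'
    if (-not (Test-Path $dll)) { throw "NAVENG32.DLL not present in $($latest.FullName)" }

    # Build the version from the numeric parts of the DLL's version resource
    # (the same numbers shown under Properties > Details); this avoids any
    # free-text suffix that may follow the FileVersion string.
    $vi     = (Get-Item $dll).VersionInfo
    $engine = New-Object System.Version $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        DefinitionSet      = $latest.Name
        DefinitionsCurrent = ($latest.Name -ge $FixedSequence)   # 5/16/2016 rev. 24 or newer
        EngineVersion      = $engine
        EngineFixed        = ($engine -ge $FixedEngine)
    }
}

# Run locally; for a fleet spot check the same function can be pushed out with
# Invoke-Command -ComputerName <hosts> -ScriptBlock ${function:Test-SepAveVersion}
Test-SepAveVersion | Format-List
```

Both flags should read True on a patched client. The DefinitionsCurrent check is the same test the SEPM Computer Status report gives you (definition date and revision), while EngineFixed is the direct check on the engine DLL for environments that require it.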




  • 2.  RE: Run LiveUpdate to Correct Symantec Antivirus Engine Malformed PE Header Parser Memory Access Violation

    Posted May 17, 2016 07:42 AM

    After the SEPM LU session runs will it get this update and provide it to the clients?



  • 3.  RE: Run LiveUpdate to Correct Symantec Antivirus Engine Malformed PE Header Parser Memory Access Violation

    Posted May 17, 2016 07:50 AM

    Hi Brian,

    Yes, that should do it.  As long as the endpoints have definitions sequence 177598 (5/16/2016 rev. 24) or higher, they are fine.



  • 4.  RE: Run LiveUpdate to Correct Symantec Antivirus Engine Malformed PE Header Parser Memory Access Violation

    Posted May 17, 2016 08:00 AM

    Thanks Mick.



  • 5.  RE: Run LiveUpdate to Correct Symantec Antivirus Engine Malformed PE Header Parser Memory Access Violation

    Posted May 17, 2016 04:08 PM

    Is searching for the NAVENG32.DLL file on all your network clients in order to extract and check the version the only way to get and verify this information?  Or is it decipherable from the client Help > Troubleshooting screen or in SEPM?

    Here's the client Troubleshooting screen.  It doesn't look like it; but is the AVE version number you're looking for somewhere in here?

    [screenshot: Capture.JPG]



  • 6.  RE: Run LiveUpdate to Correct Symantec Antivirus Engine Malformed PE Header Parser Memory Access Violation

    Posted May 18, 2016 04:19 AM

    Will there be an MP soon? Tavis Ormandy, who found the vulnerability, says that the LU update is not enough:

    Critical Symantec fix being released later today via LiveUpdate. The other critical RCE vulns can't be fixed via LU, will require a patch.



  • 7.  RE: Run LiveUpdate to Correct Symantec Antivirus Engine Malformed PE Header Parser Memory Access Violation

    Posted May 18, 2016 05:48 AM

    Hi thromada,

    There's no need to manually check on every client.  Use the SEPM's reporting capabilities to check Computer Status for the endpoints in the network.  If the computers have definition version (Pattern Date & Revision) 5/16/2016 rev. 24 or higher, they have the correct AV Engine.

    Hope this helps! :)

    Mick



  • 8.  RE: Run LiveUpdate to Correct Symantec Antivirus Engine Malformed PE Header Parser Memory Access Violation

    Posted May 18, 2016 06:28 AM

    Hi greg12,

    Thanks for the post.  Symantec is aware of the tweets.  We are working closely with Google’s Project Zero to address any vulnerability issues reported and verified.  As with all reported vulnerabilities, Symantec reviews the potential impact and makes product changes as expeditiously as possible when necessary.




  • 9.  RE: Run LiveUpdate to Correct Symantec Antivirus Engine Malformed PE Header Parser Memory Access Violation

    Posted May 18, 2016 10:38 AM

    How do you check the AVE version on a linux client?  And does running Live Update on a linux client also include the new engine? 




  • 10.  RE: Run LiveUpdate to Correct Symantec Antivirus Engine Malformed PE Header Parser Memory Access Violation

    Posted May 18, 2016 12:20 PM

    Thanks Mick.  Now I finally understand that "pattern and revision".

    Regards,

    Tom.



  • 11.  RE: Run LiveUpdate to Correct Symantec Antivirus Engine Malformed PE Header Parser Memory Access Violation

    Posted May 19, 2016 06:03 AM

    Hi techyranger,

    Yes, SEPFL also uses the AV Engine.  Checking the definitions date is the best course of action on Linux.  Anything 5/16/2016 rev. 24 or newer means the new AV Engine is in there.

    Please note: the sav info -p command will display an Engine version (151.1.0.15 on my 12.1.6 MP4 machine), but it is for a different component of the product (ECOM, specifically; yes, there are several Engines under SEP's hood).

    The AV definitions are displayed right in the GUI, or can be displayed using sav info -d.  See the following article for more details and a screenshot!


    How to install Symantec Endpoint Protection 12.1.5 on supported Linux operating systems
    http://www.symantec.com/docs/HOWTO101943


    With thanks and best regards,

    Mick



  • 12.  RE: Run LiveUpdate to Correct Symantec Antivirus Engine Malformed PE Header Parser Memory Access Violation

    Posted May 23, 2016 11:06 AM

    My environment requires a spot check to ensure that the AV engine is the one that has been updated against this vulnerability, beyond simply checking the LU version.

    While the instructions on doing this manual check for Windows are perfectly clear, the above answer for Linux is not as clear. If I'm understanding correctly, you can display the engine version, but it's not the exact engine we need to check.

    I understand that checking the LU version from the machine's SEPM console is the recommended method, but is there any completely concrete way to view the AV engine version for Linux and Mac clients similar to the process shown for Windows above? Yes, checking the LU and AV definitions versions will show indirectly whether the AV engine is vulnerable, but we're looking for a way to view the AV engine version itself.

    If that's possible, what would the AV engine version numbers for Linux and Mac be that are not vulnerable to this exploit?



  • 13.  RE: Run LiveUpdate to Correct Symantec Antivirus Engine Malformed PE Header Parser Memory Access Violation

    Posted May 25, 2016 03:20 PM

    And how does one verify that the updated AVE is installed on the SEP Mac client?

    How do you check the version?  And does running Live Update on a Linux client also include the new engine?