Endpoint Protection Small Business Edition

  • 1.  SEP for Linux and Windows

    Posted Mar 20, 2011 04:09 PM

    Don't know if this is a unique question, but I just inherited a dozen Linux machines (RH, CentOS and SELinux) that have been loaded at various points with SEP. The management server is a Windows system.

    This is the issue:

    CVE-2010-0114

    (under review)
    Description
    fw_charts.php in the reporting module in the Manager (aka SEPM) component in Symantec Endpoint Protection (SEP) 11.x before 11 RU6 MP2 allows remote attackers to bypass intended restrictions on report generation, overwrite arbitrary PHP scripts, and execute arbitrary code via a crafted request.

    While this "appears" to be an SEP Manager issue, it is supposedly being issued against all SEP clients as well.

    Can anyone shed any light on this?

    I don't have access to the management server at this time. All machines are physically remote. I have remote login access to everything BUT the Management console/server, as it is a Windows system managed by another group. Is there any way to tell what version of SEP is loaded on each client machine (that may help my determination), like for instance a configuration file or some command-line command like "sep -v"?

    Any help would be appreciated.



  • 2.  RE: SEP for Linux and Windows

    Posted Mar 21, 2011 09:50 AM

    The following URLs will provide you with a bit more information on this.

    http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=24030

    http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2010&suid=20101215_00

    This issue only impacts SEPM RU6MP1 or older builds and has been resolved in RU6MP2.

    Also just as clarification, there is not a SEP client for Linux. We do have SAV for Linux, however this is a different product and cannot be managed by a SEP Manager Console, save for the fact that you can configure the SEPM to receive SAV client log data to the reporting component.

    Regards,



  • 3.  RE: SEP for Linux and Windows

    Posted Mar 21, 2011 10:49 AM

    The following link:

    http://www.symantec.com/business/products/sysreq.jsp?pcid=pcat_security&pvid=endpt_prot_1

    It seems to suggest the opposite:

    System Requirements

    Client Workstations and Servers

    Linux Operating Systems (32-bit and 64-bit versions)
    • Red Hat Enterprise Linux 3.x, 4.x, 5.x
    • SuSE Linux Enterprise (server/desktop) 9.x, 10.x
    • Novell Open Enterprise Server (OES/OES2)
    • VMWare ESX 2.5, 3.x
    • Ubuntu 7.x, 8.x
    • Debian 4.x

    So, which is it? Is this Symantec web page inaccurate and misleading, or IS there an SEP Client for Linux?



  • 4.  RE: SEP for Linux and Windows

    Trusted Advisor
    Posted Mar 21, 2011 11:56 AM

    Hello,

    According to the product roadmap for SEP for Linux, full manageability support will be added sometime in 2012.

    SAV for Linux cannot at this time be managed by the SEPM.

    In case you wish to voice your support for Linux client manageability, you can cast a vote in the Connect forums:

    https://www-secure.symantec.com/connect/idea/linux-unmanaged-client

    SAV for Linux Reporter 1.0.10 is now available... SAV for Linux Reporter provides log records and inventory information from SAVFL clients to the Symantec Endpoint Protection Manager (SEPM) via its legacy reporting channel.  This allows SEP 11 customers to monitor and report on SAVFL client activities from the SEPM console.  The following data will be forwarded to the SEPM:

    - Inventory (Computer Status) logs
    - Scan logs
    - Virus (Risk) logs

    SAV for Linux Reporter is compatible with the following SEP 11 versions:

    - RU6 MP2 with PP1 or later
    - Any version of RU5 or earlier

    Symantec Endpoint Protection 11.0 Support for Novell Netware

    http://www.symantec.com/business/support/index?page=content&id=TECH103071&locale=en_US

    System requirements for Symantec AntiVirus for Linux 1.0

    http://www.symantec.com/business/support/index?page=content&id=TECH101598&locale=en_US



  • 5.  RE: SEP for Linux and Windows

    Posted Mar 21, 2011 04:28 PM

    OK. So still not clear.

    Does SAV for Linux Reporter execute on the (Linux) Client AND is this the vulnerable software per CVE-2010-0114?

    If "yes", how do I tell what version it is?

    If "no", what software (running on the Linux Client) is covered by this vulnerability AND how do I tell what version it is?

    To me, Symantec SEP/SAV etc. is some of the most convoluted software I've ever seen. It appears WAY over-engineered and intentionally so, in order to ensure support call-in dollars from clients attempting to do just about anything useful with it. The last person working this project talked management into it, probably knowing he'd be long gone before it arrived for deployment. In good conscience, I'd never advise my management to continue using it and will strongly recommend something different, as in ANYthing but the Symantec approach. Perhaps if this were a Windows-only environment, the level of complexity would not present itself, but it always seems that Linux is the elephant in the room and the last of the platforms to be partially/fully supported.



  • 6.  RE: SEP for Linux and Windows

    Posted Mar 22, 2011 09:43 AM

    So, apparently since there is no reply after all this time, there is "NO" answer?

    That being the case, it makes it all the easier to take the next logical step as mentioned above.



  • 7.  RE: SEP for Linux and Windows

    Posted Mar 23, 2011 11:07 AM

    I asked a question. Now how about an answer that I can use... i.e., nothing cryptic, no double-speak...

    Lacking any response, I'll be certain to archive this thread and use the EX-responder's name as further evidence as to why this is the wrong product AND the wrong company to count on for support.



  • 8.  RE: SEP for Linux and Windows

    Posted Mar 31, 2011 10:45 AM

    It would appear to only affect the SEPM:

    ...reporting module in the Manager (aka SEPM) component in Symantec Endpoint Protection (SEP) 11.x before 11 RU6 MP2...

    The reporting component is exclusive to the Manager. The only version of antivirus currently for Linux is the SAV for Linux build. Unfortunately the product page you quote is not clear in indicating this, but it is indeed not integrated into SEP for management at this time. The SAVFL Reporter allows the SAVFL client to send logs to the Manager through legacy reporting channels.

    If you have more detailed questions or would like this more closely examined, I would definitely suggest opening a case with Support.

    Thanks,

    sandra