Endpoint Protection

 View Only
Expand all | Collapse all

SEPM 12.1.5 and Internet Explorer causing system lockups as of 2014-10-24

ℬrίαη

ℬrίαηOct 24, 2014 06:38 AM

  • 1.  SEPM 12.1.5 and Internet Explorer causing system lockups as of 2014-10-24

    Posted Oct 24, 2014 06:35 AM

    Linking to my other post at https://www-secure.symantec.com/connect/forums/browser-intrusion-prevention-malfunctioning-0 but with a more accurate Title (for me anyway)

    I'm now experiencing this at mulitple sites that have no relation to each other besides using SEPM. Internet Explorer completely locks up after which most other programs become unresponsive and you cannot shut the computer down.

    I can trigger it by simply downloading CSV and TXT files from a few specific websites on Windows 7 w/ Internet Explorer 8 & SEP 12.1.5 although it happens in other versions of Internet Explorer too, most people have reported it from simple browsing to opening favorites they use every day.

    If I run "iexplore -extoff" everything seems to be fine (not sure about other users and general browsing)

    If I run iexplore as normal and disable the Symantec Vulnerability Protection BHO and Browser Intrusion / Network Threat Protection, it still crashes when downloading these TXT files (and randomly doing other things)

    If I uninstall SEP12.1.5 everything works fine again. 

    I think this is a definition issue as SEP12.1.5 was installed 14 days ago and they do this process several times a day so it would have cropped up before now, only started this morning so it's must be something to do with 10/22/2014 r17, 10/23/2014 r2 or 10/23/2014 r17. 

    I'ev rolled back the definitions to early 10/22/2014 but have also told everyone that's reported problems to stay away from IE for the time being until i a confirmed fix.



  • 2.  RE: SEPM 12.1.5 and Internet Explorer causing system lockups as of 2014-10-24

    Posted Oct 24, 2014 06:38 AM

    Have you contacted support ??



  • 3.  RE: SEPM 12.1.5 and Internet Explorer causing system lockups as of 2014-10-24

    Posted Oct 24, 2014 06:58 AM

    Not yet, I'm still doing damage control, have had over 50 calls about it since 0800 from pretty much every company we support that uses SEP, only determined the issue an hour or two ago. Unfortunately the computers I can consistently trigger this on are mission critical so I've had to just remove SEP - I believe they'll be free for use around 14:00 so I'm hoping to do further diagnostics and ring support when I can trigger it and confirm exactly which def causes it (assuming it is a def!) at that point.

    For now, I'm just making sure there's something out there in case other people are having problems and wondering what's going on.



  • 4.  RE: SEPM 12.1.5 and Internet Explorer causing system lockups as of 2014-10-24

    Posted Oct 24, 2014 07:15 AM

    Not yet. Will do this afternoon when things have hopefully calmed down a little and i'll have access to a PC where I can consistently reproduce the issue. 

    Unfortunately they're all remote sites and when the problem happens a cold reboot is required before you can take further troubleshooting steps which makes it all a bit of a pain.



  • 5.  RE: SEPM 12.1.5 and Internet Explorer causing system lockups as of 2014-10-24

    Posted Oct 24, 2014 08:58 AM

    We are also having this same issue and found that the only way we can fix it is to remove SEP by using Symantec Clean Wipe. We took all the same steps as you and are in the process of opening a ticket.



  • 6.  RE: SEPM 12.1.5 and Internet Explorer causing system lockups as of 2014-10-24

    Posted Oct 24, 2014 09:26 AM

    Really i was just about to deploy is it a definition problem or a problem with SEP?



  • 7.  RE: SEPM 12.1.5 and Internet Explorer causing system lockups as of 2014-10-24
    Best Answer

    Posted Oct 24, 2014 09:41 AM

    Its a definition problem. We called support and they had us roll back the "intrusion prevention" signatures from 10/23/14.

    SERVER SIDE: To revert back on the server side, go to Symantec Endpoint Protection Manager -> Policies -> Live Update -> LiveUpdate Content Tab -> LiveUpdate Content Policy.  Click Security Definitions -> Select a revision for Intrusion prevention -> Choose 10/22.

    After you do that, run a command on the top level (My Company) under Clients section and do Update Content.

     

    CLIENT SIDE: To verify what version of definitions on a client workstation, launch Symantec and click on Protection definitions.  You should see under Versions, Definitions, Intrusion Protection should be 141022… (not 141023…)

    In the event you are unable to update, you can use the cleanwipe utility to wipe out SEP on the workstation and then perform a reinstall.

    Good Luck

     



  • 8.  RE: SEPM 12.1.5 and Internet Explorer causing system lockups as of 2014-10-24

    Posted Oct 24, 2014 10:41 AM

    Same problem here. SEP is causing flash to freeze. Two ways to workaround is to turn off/remove flash player or rollback definitions in SEPM.



  • 9.  RE: SEPM 12.1.5 and Internet Explorer causing system lockups as of 2014-10-24
    Best Answer

    Posted Oct 24, 2014 10:58 AM

    This fix worked for us. Any of my clients running IE10 or earlier were being affected, clients running IE11 were not effected. Thank You for the fix.

    Engines
    -------
    Common Client:  12.3.4.4
    LiveUpdate:  2.2.2.3
    SymEvent:  12.9.5.2
    Auto-Protect Kernel Driver:  14.4.2.6
    Auto-Protect User Mode Interface:  14.4.2.7
    Decomposer:  2.3.1.1
    Eraser:  114.1.0.91
    SONAR Framework:  7.0.0.226
    SONAR Engine:  9.0.1.8
    Intrusion Protection Framework:  11.1.0.73
    Intrusion Protection Engine:  12.3.0.3


    Definitions
    -----------
    Virus & Spyware:  141023002 (10/24/2014 10:52 AM)
    Portal List:  140805020 (10/24/2014 10:52 AM)
    SONAR:  141003013 (10/24/2014 10:52 AM)
    Whitelist:  141022002 (10/24/2014 10:52 AM)
    Revocation List:  141022016 (10/24/2014 10:52 AM)
    Reputation Settings:  130708001 (10/24/2014 10:52 AM)
    Intrusion Protection:  141022012 (10/24/2014 10:52 AM)
    SCD:  140808032 (10/24/2014 10:52 AM)
    EFA Signatures:  141014006 (10/24/2014 10:52 AM)



  • 10.  RE: SEPM 12.1.5 and Internet Explorer causing system lockups as of 2014-10-24

    Broadcom Employee
    Posted Oct 24, 2014 11:31 AM

    Hi,

    Similar issues have been reported to the Symantec support & team is working on it.

    Please create a support case.

    Please gather a full memory dump along with the Symhelp report prior to call support.

    Time being follow this workaround:

    How to Backdate Virus Definitions in Symantec Endpoint Protection Manager

    http://www.symantec.com/docs/TECH102935

     



  • 11.  RE: SEPM 12.1.5 and Internet Explorer causing system lockups as of 2014-10-24

    Posted Oct 24, 2014 11:44 AM

    Chetan's link is the generic post that shows how to roll back. The post I added in this thread shows exactly how to correct this issue. Symantec's support said they are aware of the issue and are working on an update however it wouldnt be for up to 20 hours or os because that have to test it.

    Once you rollback you should force def updates.



  • 12.  RE: SEPM 12.1.5 and Internet Explorer causing system lockups as of 2014-10-24

    Posted Oct 24, 2014 12:47 PM

    For the machines that don’t update immediately or have an issue downloading the older definitions from your liveupdate server, here are some manual instructions:

     

    Download http://definitions.symantec.com/defs/ips/20141022-012-IPS_IU_SEP.exe

     

    Close out of Symantec Endpoint GUI

     

    Click Start, type in: smc -stop

     

    Go to c:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Definitions\IPSDefs\ (or the equivalent in XP)

     

    Delete everything inside.

     

    Type in smc -start

     

    Run 20141022-012-IPS_IU_SEP.exe

     

    Check the definitions afterwards and make sure it says 141022012 for Intrusion Prevention.

     

    Good luck.



  • 13.  RE: SEPM 12.1.5 and Internet Explorer causing system lockups as of 2014-10-24

    Trusted Advisor
    Posted Oct 24, 2014 01:33 PM

    Just chiming in here to say that we had the same problem with 12.1.1, 12.1.2, and 12.1.4 clients as well.  Rolling back the IPS defs to 10/22/14 r12 resolved the issue for us.



  • 14.  RE: SEPM 12.1.5 and Internet Explorer causing system lockups as of 2014-10-24

    Trusted Advisor
    Posted Oct 27, 2014 10:11 AM

    Chetan,

    Has Symantec fixed the IPS definitions?  Have new definitions been made available for download?

    Thanks.



  • 15.  RE: SEPM 12.1.5 and Internet Explorer causing system lockups as of 2014-10-24

    Trusted Advisor
    Posted Oct 27, 2014 10:33 AM


  • 16.  RE: SEPM 12.1.5 and Internet Explorer causing system lockups as of 2014-10-24

    Posted Oct 27, 2014 11:09 AM

    With the definitions from sunday and so today the issue should be gone. One of our customers had this issue and reports that everything works fine now. Backdating defs should not be neccessary anymore.