Endpoint Protection

Hello All,

As per the Latest Updates on Article: https://support.symantec.com/en_US/article.TECH248552.html

Q&A:

• Question: What versions of the product will the hotfixes be built off of?
  • Answer: 12.1 RU6 MP9, 14 MP2, 14 RU1, and 14 RU1 MP1.
• Question: Will the hotfixes be in the form of a binary that needs to be applied to a specific release or is it a completely new build of the product?
  • Answer: These will be complete builds which will follow all the normal upgrade paths and migration steps associated with moving to a new version of the product.
• Question: Is it required to upgrade to one of the original versions that the hotfixes are based off of prior to upgrading to the one hotfix releases?
  • Answer: No, upgrading directly to one of the hotfix releases from any previously released version is supported. (Example: Upgrading directly from 12.1 RU6 to 12.1 RU6 MP9 HF is a supported migration path.)
• Question: Will client-only patches be posted for the hotfix releases? (Example: Symantec Endpoint Protection RU1 client-only patches.)
  • Answer: Yes, client-only patches for each hotfix release will be made available.
• Question: When will the hotfixes be available?
  • Answer: Symantec is targeting the availability of all 4 hotfix builds for January 17th, 2018.
• Question: How will I acquire a hotfix build once it is available?
  • Answer: We will be targeting a refresh of 12.1 RU6 MP9 and 14 RU1 MP1 builds hosted on Symantec FileConnect as soon as possible. In the meantime, any requests for a specific release prior to the Symantec FileConnect refresh can be facilitated by reaching out to Symantec Technical Support. For the two releases that will not be posted to Symantec FileConnect (14 MP2 and 14 RU1), requests for access can be facilitated by reaching out to Symantec Technical Support.

Note that the above information is subject to change.

I am confused by the statements on this page.

Are Windows 7 and Windows Server 2008 R2 affected by these issues?

and

Does the statement of the patch anticipated to be released on January 17, mean that Windows 7 and Windows Server 2008 R2 will not patched?

Thanks 

 This is the first I've heard that Windows 7 and Server 2008 are not effected. What is the source of this info?

This is not mentioned in the linked articles.

http://www.symantec.com/docs/TECH248552

http://www.symantec.com/docs/TECH248558

Please clarify.

Thanks,

Allen

@ David and Allen: This is verified by Symantec and holds true.

Secondly : One of the customer has verified on the below Thread as well: 

https://www.symantec.com/connect/forums/latest-win10-update-corrupts-sep14

Regards,

@David and Allen,

Hopefully, a Symantec employee will verify. One use case does not always hold true for thousands of customers and the concensus seems to be to upgrade regardless of OS architecture.

For us, I've installed it on 20+ win7 and i havent seen the cosmetic issue with SEP.  I did see it on win 10 and server 2016.

We too have hugh amount of Windows 7 and Windows Server 2008 R2 machines and we came across no issues.

This is very much Symantec verified and the above posts are reposted after we received response from Symantec itself.

Regards,

@kahoots,

Good to know. Thanks.

80 (diverse) clients in our case:
- few XP, client 12.1 RU5
- mostly Win 7, client 14 RU1
- some Win 10, client 14 RU1
- 3 x MS Server 2003, client 12.1 RU6 MP9
- 1 x MS Server 2008R2, client 14 RU1
- 2 x MS Server 2012 (one of them SEPM 14 RU1), client 14 RU1
all fully Windows updated.

Issue reported only on Win 10/Server 2012 machines.

Regards

We have had mixed results with Windows 7 and 2008 Servers.  We advise to apply the Hotfix build to all systems.

Thanks John. Much appreciated, as always.

Hello Mithun,

We have recently updated our SEPM to the latest version 14.0  RU1 MP1.  We have also upgraded some of our Windows 7 clients to the matching version i.e 14.0.3876.1110  which came along with this 14.0 RU1MP1.  Although we haven't yet applied Jan 2018 Windows 7 updates on the clients, are you saying that doing so will also affect  these "14.0.3876.1110" clients & we instead need to wait for another updated client or a client-only patch from  Symantec ?

Thanks in advance,

Neeraj Shah

@Neeraj

It could affect your WIndows 7 clients.  We have seen mixed results. If it does affect those clients then you would need to apply the hotfix client builds that should be available Jan. 17th to resolve the issue.  Please remember the issue is merely cosemetic and does not affect your security posture.

John Owens

Does anyone know how to install the latest updates for SEP clients? I downloaded a update file called Sep_To_3876_EN and its full of .exe files called Sep_2415To3876_clientDAXMSI.exe. What do I do with these files?

How do I update my SEP clients so we can perform microsoft patching? Symantec has NO information on this. I says what their latest patch is but fileconnect doens't have the latest verison (assuming that's because the build isn't released until 17th as mentioned above) and the updates I downloaded have no instructions on how to install them. You cannot import them into SEPM and I'll be damned if I install these manually to each machine in our org.

Any information would be greatly appreciated. PLEASE SYMANTEC HAVE SOME INSTRUCTIONS FOR YOUR PRODUCTS.

Hi Raw,

They are patches only. Details at https://support.symantec.com/en_US/article.INFO4766.html

They will not work with SEPM. You will need the full client to deploy them. You'll need to wait for 17th Jan for the full client releases.

@Raw

The hotfix builds are not available yet. We have an ETA for January 17th.  These will be full builds for SEP 14 RU1 MP1 and SEP 12.1 RU6 MP9.  You will just need to do a normal upgrade for those.

If you need SEP 14 MP2 or SEP 14 RU1 these will be client only patches that you can import into your SEPM and push out that way.

The files you have mentioned have nothing to do with this issue.  They are client patches you would deploy manually or through a 3rd party service.

Thanks,

John Owens

@ John Thank you

Where are the hot fixes?  Can you post the link to the hotfixes mentioned below?

Question: When will the hotfixes be available?
Answer: Symantec is targeting the availability of all 4 hotfix builds for January 17th, 2018.

Hi Derek,

They are US based business time so once they 'wakes up', they will release it as soon as they can.

Once the hotfixes are available they will be on Fileconnect. https://symantec.flexnetoperations.com/control/symc/registeranonymouslicensetoken

ETA is still sometime today. 

Thanks John.  Do you expect Tech Support will be leaving a comment here when the new build is posted?  Since it will still be a HF of MP9 I'm not sure how easy it will be to tell the difference between the old and new code on Fileconnect.

Is there a revised ETA for the hotfixes?

Hi,

I can't find any updated software on the portal. According to https://support.symantec.com/en_US/article.TECH248552.html updates have been released.

But according to https://support.symantec.com/en_US/article.TECH154475.html updates have not been rteleased.

No mention of any updates or delays here. Is there a new ETA?

Hello All,

John Owens from Symantec has updated the below Threads with his comment:

https://www.symantec.com/connect/forums/sep-system-tray-icon-warns-multiple-issues-following-installation-january-3rd-2018-windows-se#comment-11960111

https://www.symantec.com/connect/forums/latest-win10-update-corrupts-sep14#comment-11959871

The English client packages (hotfix) (.dat/.info) files are available for distribution.  You can download them here:

•    12.1 RU6 MP9 (12.1.7384.6902) - https://symantec.box.com/s/y0j2r3gwl65hxqnwnltwws1...
•    14 MP2 (14.0.2455.0206) - https://symantec.box.com/s/gr3pk9s4hpx5cp1mk4zgeie...
•    14 RU1 (14.0.3775.1002) - https://symantec.box.com/s/qej42vf6efabaisakqomy6m...
•    14 RU1 MP1 (14.0.3892.1101) - https://symantec.box.com/s/kl2dbafvyphzz56i5inqe68...

See the following document for additional details on importing this media into an existing SEPM

https://support.symantec.com/en_US/article.HOWTO81...

The full builds of SEP 14 RU1 MP1 and SEP 12.1 RU6 MP9 are still being worked on for the additional languages.  As soon as they are available I will update the thread.

Hello,

We are currently running SEP 12.1RU5.  I do not see a build release for this.  Do we need to update to 12.1 RU6 MP9​ in order to apply this hotfix?

Thanks

Is there an ETA on when the new full build is expected to be available for download?  Will it still be called 12.1 RU6 MP9​ or will there be a new designation?

@Mithun & Josh,  Currently the hoftix .dat client is for windows endpoints. Is there a similar client package for linux clients as well ?  Thanks for posting the download links .

IMPORTANT UPDATE:

Over the past couple weeks we’ve been working with Microsoft to have them address the issue outlined in this thread from their end. Ultimately, the systray icon issue was caused by a change they made that impacted how we were using a certain call (CoInitializeSecurity). They had acknowledged it as a known issue, but their timeline for delivery of a solution was Mid-February. So we decided to proceed with publishing the hotfixes mentioned below, in order to unblock customers and allow them to deploy the Microsoft Security Updates for Meltdown.

As many of you have mentioned Microsoft was able to release this fix much sooner than expected.

Here are the updates for each impacted Operating System:

•        Windows Server 2016 – KB4057142
•        Windows Server 2012 R2 – KB4057401
•        Windows Server 2012 – KB4057402
•        Windows 10 1709 – KB4073290
•        Windows 10 1703 – KB4057144  
•        Windows 10 1607 – KB4057142
•        Windows 8.1 – KB4057401

Effectively immediately, we are pulling all 4 hotfix builds from distribution. If you have already applied the patch and are not having any of the issues with the GUI that’s completely fine. Our fix is compatible with the change made by Microsoft and we will support both the original version and the hotfix version of the 4 releases we made available. If you have not yet deployed, there is no reason to continue to make plans to do so. Instead, discard the hotfix media and implement the relevant Microsoft Update outlined above.

Hi John,

Do you means we can just install the new KB MS's update without install hotfix client?

regards,

Loh

Just disregard the systray warnings?   What about the risks of ccSvcHst.exe crashes?  Do customers with clients below SEP 12.1 RU6 MP6 still need to upgrade to at least this version address this?

@Sean Lewis

The Windos update should resolve the ccsvchst.exe crashes as well.  We suggest getting off of SEP 12.1 Ru6 MP5 as it is a vulnerable build, but it is not necessary to resolve the ccsvchst.exe crash.

hi John,

Thanks for your reply, appreciate it.

I just manually install the KB on those already have MS's 1/3 patch or without and so far all fine.

regards,

Loh

Hello,

So just to Summarized,

After the release of Microsoft Patch at 3rd January, there are 2 issues for Symantec,

1. ccSvcHst.exe crashes after applying 3rd January Patch which results in Blue Dump error

This is because of Symantec Eraser Engine update
Which applies only to SEP 12.X, not for SEP 14.X
To Resolve this issue Symantec has suggested updating the Symantec definitions set above 3rd Jan 2018
Here is the Link I have taken reference from: https://www.symantec.com/connect/forums/intel-chip-vunrabiliity
2. Symantec Endpoint Protection system tray icon issues

To resolve this issue Symantec has first released hotfix, we have Symantec 14 MP2 Version 14 MP2 Build 2415.0200
So we need to upgrade all the clients to 14.0.2455.0206
But Microsoft has released new patch on Jan 17 which address the Symantec Tray Icon issue
And now we do not need to update it to new version
Here the question is,

Does the new release patch address both the issues for example,

If we have a system having definition older than 4th Jan 2018 and get Microsoft new release patch, so does it will get impact?

Also, if we have Windows 7 systems with SPE 12 MP1 and if we apply new Microsoft release patch does it will impact?

We are in the phase of Upgrade from Symantec 12 MP1 to SEP14 MP2 Build 2415.0200 and we almost completed more than 90 percent of deployment.

So we still have 10 percent of systems with SEP 12 MP1, please confirm if we can move to newly release Microsoft Patch for those systems also

I'd installed the KB4057142 on 1 of the Win10 and it solved the sys tray icon problem.

But, KB4057142 is not available on WSUS, which means the rest of the 4000 PC in my company are not getting KB4057142. 

Can Symantec re-release the SEP hotfixes?

I still can't see any hotfix which was announced to the 17th of January.

Any information when it will be available?

We are currently on 14.0.3876.1100

Hi Wayne,

Symantec pulled the hotfix when Microsoft released a new patch. See post from Symantec

https://www.symantec.com/connect/forums/symantec-updates-meltdown-spectre#comment-11961341

I thought Symantec was going to release a new build on the 17th. Fileconnect shows it never got released. Why would an Anti-virus company with such a high level security flaw not address this yet?

This forums mentions windows 10 and Server 2016 patches but what about Windows 7 machines? What hotfix from either Microsoft or Symantec will fix these guys' systems? Are there still KBs that canot be installed on machines even if definitions are up-to-date? If definitions are up-to-date can all the January patches be installed?

Symantec pulled the hotfixes because MS released a patch much sooner than they were supposed to.

Yes MS released the hotfix.  But this hotfix is not available on WSUS, so I cannot distribute to thousands of PC in my company.

Symantec please make your hotfix available again.

I cannot locate the following 2 in Remediation Center. Any idea?

• Windows 10 1709 (64-bit) – KB4073290
• Windows 10 1709 (32-bit) – KB4073291

Symantec these KBs are 600MB - 1.2GB

•        Windows 10 1709 – KB4073290
•        Windows 10 1703 – KB4057144  
•        Windows 10 1607 – KB4057142
 

Is there not a better way?

Thanks

We're getting ready to push January updates to client laptops in our enterprise (a mix of Windows 7 and 10 machines), however on our WSUS server I do not see the KB numbers John mentions above for Windows 10. Here is what I see in my WSUS console:

• Windows 10 1709 — KB4056892
• Windows 10 1703 — KB4056891
• Windows 10 1607 — KB4056890
• Windows 10 1511 — KB4056888

We're running SEPM 14 MP2. Can someone advise what is the best approach for us?

Thanks!

Hi DaveSchaefer,

It was Microsoft that 'broke' Symantec software, so I'm afraid you will need to apply these Microsoft patches to resolve this (plus this also resolves Microsoft security issuses as well)

Either way, you will need to apply these updates to protect your computers anyway.

I believe you will have to use the import feature of your WSUS server.