Endpoint Protection

 View Only

 Core3 SDS v5i64 Intelligent Updater executable installation failing

James Leuci's profile image
James Leuci posted Apr 08, 2022 10:52 AM
When attempting to update several standalone computers using the latest Core3 SDS v5i64 executable file, the output says the definitions were updated successfully but when opening Symantec Endpoint Protection it shows that they were not. When looking at the logs they show that the update failed with the following information "UNRAR FAILURE: UNRAR DLL is not Symantec Signed" and "ERROR: unrar.dll is not Symantec Signed. IU cannot continue processing. Terminating all IU operations.". 

Does anyone know how to resolve this issue? I have tried the daily definitions download for the last week and have gotten this same error each time. 
JoWo's profile image
JoWo posted Apr 08, 2022 11:45 AM
Had the same sometimes. 
Mostly a stop and start of smc service helps
Gino I's profile image
Gino I posted Apr 11, 2022 12:19 PM
Hi There @James Leuci

it looks like after the 23rd things went sideways with the intelligent updater packaging. we have been using an automated script that downloads the rapidrelease updates, and then distributes these to legacy OS's, however it seems since then Symantec/Broadcom updated the unrar.dll library to a new version.  I have tried to change the .exe's to 'rars' and then update the unrar.dll using an old working version, but this did not work as it seems the virdefs.zip file was created with a new version of winrar to package the defs.  basically any OS still using this version of unrar (XP, W2003) is buggered it looks like - until Symc/BC provide some sort of signed unrar.dll that can at least open the virdefs.zip file without bombing out.

I have also scoured the web and found that the norton for XP definitions/updates are doing the same.
(unfortunately as these are not officially supported OS's, I cannot make a loud enough noise... but there definitely is a problem!)

I just hope that someone from Symc/BC monitors these community threads :|
Fred Feradov's profile image
Fred Feradov posted Apr 19, 2022 01:48 PM
Have the same issue with Endpoint Protection 14.2 standalone on Windows Server 2012 R2 (officially supported OS) applying latest definitions file 20220419-003-core15sdsv5i64.exe. Getting the same error in the log.intelligentupdater.txt file, see below.

Wed Apr 20 00:12:31 2022 : AUTH SYMSIGNED BEGIN: Started.
Wed Apr 20 00:12:31 2022 : AUTH SYMSIGNED: Provider is unknown, returning FALSE.
Wed Apr 20 00:12:31 2022 : UNRAR FAILURE: UNRAR DLL is not Symantec Signed.
Wed Apr 20 00:12:31 2022 : ERROR: unrar.dll is not Symantec Signed. IU cannot continue processing. Terminating all IU operations.
Wed Apr 20 00:12:31 2022 : Cleaning up the AuthorizationEngine
anon743's profile image
anon743 posted May 30, 2022 07:07 AM
Hello, allow me to chip in some input. I'm a customer from the Norton Community side and am experiencing the exact problem with dealing with IU. See this forum thread for details
https://community.norton.com/en/forums/problem-intelligent-updater-file

I can confirm that what "Gino I" has said is absolutely correct and dead-on. Meanwhile the IU logs from Fred Feradov's post is exactly what's happening on my side as well.

Unfortunately, the article here does NOT provide any help to fix the issue (at least under the XP environment)
https://knowledge.broadcom.com/external/article/241845/error-unrardll-is-not-symantec-signed-iu.html

For the record I'm still on XP and using NIS 21.7.xx.  I switched to IU from LU since March 2020 due to certain favorable circumstances from the Norton LL side.

Here's another discussion on SEP I found online (see koral5057's post) (Google translated):
https://forum-ru--board-com.translate.goog/topic.cgi?forum=5&topic=24492&glp&_x_tr_sch=http&_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en-US&_x_tr_pto=wapp

... which suggests further complications when using Live Update (see Strannik06's post), as all ZIP archives downloaded from Live Update could well be all affected with the newer UNRAR.DLL.

The aforementioned page also points to this
https://sockettools.com/kb/invalid-digital-signatures-on-windows-xp/

From all the reports and observations I gathered, here is what I believe probably is happening:

1. BC/Sym switched to a newer WinRAR version (6.10 or later) for packing their virus defs packages. The UNRAR.DLL version is 6.11;

2. RARLabs terminated WinRAR sypport on XP after version 6.02. In other words, version 6.10 or later is not XP-compatible. The UNRAR.DLL version for WinRAR 6.02 is 5.10;

3. It appears that the root certificates on UNRAR.DLL version 6.11 cannot be interpreted under the XP system (see screencaps on my Norton thread), resulting in the log message "UNRAR.DLL is not Symantec signed" and thus the IU operation cannot continue;

4. The only solution is for BC/Sym to immediately revert (fallback) to an older WinRAR workflow, namely WinRAR 5.91 where the version 5.10 of UNRAR.DLL would be used (and that the root certs properly recognized) and, when signed properly, can be understood under XP environment.

I've reported this mater to Norton LL on March 25. Unfortunately the only thing being done was to have the defs package in the filename format "20220324-010-v5i32.exe" (and its 64-bit variant) removed from this page
https://www.broadcom.com/support/security-center/definitions/download/detail?gid=n95

However, ALL of the .exe packages (even those not removed) are affected by this UNRAR.DLL (v6.11) problem. So, as long as you're still on XP, and regardless of NIS or SEP versions, the IU updating operation would fail after March 23.

Same thing goes to the exe packages on the Rapid Release Virus Definitions page
https://www.broadcom.com/support/security-center/definitions/download/detail?gid=rr

Anyway this IU issue has been escalated on the Norton LL side a few times, yet NOTHING was being done.

Meanwhile, I've attempted to contact BC/Symantec regarding the issue since April, and after a few attempts, managed to send in an email via a certain online contact form. However, the response was an irresponsible one, having been asked to refer the matter to Norton LL. Absolutely ridiculous!!

It is now more than two months since the IU problem h as started. But as you can imagine, even Llve Update is implicated, because of the bad WinRAR workflow. Despite Norton LL having escalated this issue, if the BC/Sym side doesn't investigate and do something, the the problem will only continue, to the disadvantage of ALL XP clients. Wat is even more worrying is that, they could use this as an excuse to terminate XP support once and for all, which is a very irresponsible move, expecially since Norton LL has, back in early 2021, released a notice that XP/Vista clients will continue to be supported.

So PLEASE, I ask (and beg) Symc/BC to monitor this forum community, to read this thread page and understand what exactly is going on, and how they messed it up during these two months WITHOUT DOING ANYTHING. This is a very serious matter as many XP clients from both the pro and consumer side are being heavily affected.  If Sym/BC and Norton LL are still committed to protecting customers down the XP clients, then they'll need to take a step backward with their (WinRAR) workflow.