Endpoint Protection

Expand all | Collapse all

AVGater - is SEP affected?

  • 1.  AVGater - is SEP affected?

    Posted 11-13-2017 03:36 PM

    Does anyone know if SEP is affected by AVGator.  I opened up a case and Symantec said that there is no patch so far because there were no reports of any successful exploit on SEP / SEPM.

     

    I can only take that to mean Symantec isn't taking any action until it is shown to be broken.  Is there any additional information anyone might know about this on Symantec products?

     

    https://bogner.sh/2017/11/avgater-getting-local-admin-by-abusing-the-anti-virus-quarantine/

     

    https://arstechnica.com/information-technology/2017/11/how-av-can-open-you-to-attacks-that-otherwise-wouldnt-be-possible/



  • 2.  RE: AVGater - is SEP affected?

    Posted 11-13-2017 03:54 PM

    Nothing has been posted publicly on their blog about it. They were not in the list of vendors who are affected. At this point, it's a wait and see approach until more info is made available.



  • 3.  RE: AVGater - is SEP affected?

    Posted 11-14-2017 06:58 AM

    Hi Steven W,

    Thanks for the post.  I have been assured that SEP 14.0 RU1 and SEP 12.1 RU6 MP9 (the latest releases of both versions) are definitely not affected by this issue.  These latest versions are also unaffected by known product vulnerabilities in earlier versions of SEP.  For details please see:

    SYM17-011: Security Advisories Relating to Symantec Products - Symantec Endpoint Protection Multiple Issues
    https://www.symantec.com/connect/forums/sym17-011-security-advisories-relating-symantec-products-symantec-endpoint-protection-multipl?list_context_id=1403&list_context_type=sc_forum

    The AVGater may be applicable to earlier releases of SEP, if normal/non-admin users have access to the computer and are allowed to restore threats from the quarantine. 

    So my advice would be: upgrade your SEP infrastructure to SEP 14.0 RU1 or SEP 12.1 RU6 MP9!  

     

     



  • 4.  RE: AVGater - is SEP affected?

    Posted 11-14-2017 07:30 AM

    Thank you Mick for clearing this concern.!!!



  • 5.  RE: AVGater - is SEP affected?

    Posted 11-14-2017 08:22 AM

    Excellent, thank you Mick and Brian.



  • 6.  RE: AVGater - is SEP affected?

    Posted 11-15-2017 05:27 AM

    In addition to upgrading  SEP  to SEP 14.0 RU1 or SEP 12.1 RU6 MP9 that have any other way we can do?

    can we know the version under the 14.0 RU1 or SEP 12.1 RU6 MP9 would be affected by AVGater ?

     

     

     



  • 7.  RE: AVGater - is SEP affected?

    Posted 11-15-2017 05:29 AM

    In addition to upgrade  SEP  to SEP 14.0 RU1 or SEP 12.1 RU6 MP9 that have any other way, we can do?

    can we know the version under the 14.0 RU1 or SEP 12.1 RU6 MP9 would be affected by AVGater ?