Does anyone know if SEP is affected by AVGater? I opened up a case and Symantec said that there is no patch so far because there were no reports of any successful exploit on SEP / SEPM.
I can only take that to mean Symantec isn't taking any action until it is shown to be broken. Is there any additional information anyone might know about this on Symantec products?
https://bogner.sh/2017/11/avgater-getting-local-admin-by-abusing-the-anti-virus-quarantine/
https://arstechnica.com/information-technology/2017/11/how-av-can-open-you-to-attacks-that-otherwise-wouldnt-be-possible/
Nothing has been posted publicly on their blog about it. They were not in the list of vendors who are affected. At this point, it's a wait and see approach until more info is made available.
Hi Steven W,
Thanks for the post. I have been assured that SEP 14.0 RU1 and SEP 12.1 RU6 MP9 (the latest releases of both versions) are definitely not affected by this issue. These latest versions are also unaffected by known product vulnerabilities in earlier versions of SEP. For details please see:
SYM17-011: Security Advisories Relating to Symantec Products - Symantec Endpoint Protection Multiple Issues https://www.symantec.com/connect/forums/sym17-011-security-advisories-relating-symantec-products-symantec-endpoint-protection-multipl?list_context_id=1403&list_context_type=sc_forum
AVGater may be applicable to earlier releases of SEP, if normal/non-admin users have access to the computer and are allowed to restore threats from the quarantine.
So my advice would be: upgrade your SEP infrastructure to SEP 14.0 RU1 or SEP 12.1 RU6 MP9!
Thank you, Mick, for clearing this concern!
Excellent, thank you Mick and Brian.
In addition to upgrading SEP to SEP 14.0 RU1 or SEP 12.1 RU6 MP9, is there any other way we can do this?
Can we know which versions below 14.0 RU1 or SEP 12.1 RU6 MP9 would be affected by AVGater?
In addition to upgrading SEP to SEP 14.0 RU1 or SEP 12.1 RU6 MP9, is there any other way we can do this?