Endpoint Protection


Issue about the SHA2 Windows Update Situation


  • 1.  Issue about the SHA2 Windows Update Situation

    Posted 08-14-2019 02:47 AM

    https://support.symantec.com/us/en/article.tech255857.html

    Do I understand this right? We cannot patch Windows 7 and Windows 2008 R2 machines until Symantec releases a new version of Endpoint Protection?

    Most news sites are currently making fun of Symantec because it seems that 6 months was not enough for them to test and fix this situation.

    Well, it's not so funny, and I wonder why this issue happens and why they really didn't test and fix this before, when they had multiple months' time.

    This is a security disaster.



  • 2.  RE: Issue about the SHA2 Windows Update Situation

    Posted 08-14-2019 08:59 AM

    I would think you could disable SEP and try patching that way. Worst case, you'd have to remove SEP, patch and re-install. I'll be testing it today to see what happens.



  • 3.  RE: Issue about the SHA2 Windows Update Situation

    Posted 08-14-2019 10:10 AM

    Well, that's only a solution if you have just a few clients, but in a company with 100+ PCs this is impossible.



  • 4.  RE: Issue about the SHA2 Windows Update Situation

    Posted 08-14-2019 12:55 PM

    Hi, does anyone know if this applies differently to environments where Microsoft SCCM is being used for patch deployment? Thanks.



  • 5.  RE: Issue about the SHA2 Windows Update Situation

    Posted 08-14-2019 02:12 PM

    Symantec issued an update to TECH255857. Concerning the SHA2 issue, it now clearly says "This currently affects all versions of SEP."



  • 6.  RE: Issue about the SHA2 Windows Update Situation

    Posted 08-14-2019 02:39 PM

    I am hearing from our rep that a new SEP Client will be released 8/22. It will be for 14.2 MP1 and 14.2 RU1 MP1 only. There will be no update for 12.x. In other words, if you don't upgrade your 12.x clients to 14.2, they will not receive Windows Updates. I haven't tried disabling SEP and then updating - that sounds like it might be a workaround. No official link or communication to reference yet...



  • 7.  RE: Issue about the SHA2 Windows Update Situation

    Posted 08-14-2019 03:33 PM

    IMHO this must be fixed by an out-of-band LiveUpdate patch that is pushed out through SEPM/LU. Most systems I know that are still running Windows 7 or 2008R2 are business line computers or OT servers that are close to impossible to touch.

    Can someone explain the real issue? Why can't Symantec read SHA2 signed MS updates? Shouldn't that be easy to fix by updating the AV engine through a content update?



  • 8.  RE: Issue about the SHA2 Windows Update Situation

    Posted 08-14-2019 03:33 PM

    ETA is 8/22. 3rd party applications deploying MS Updates will still get applied, though I wouldn't do that. This only affects Windows 7 and 2008 R2.

    If running 12.1 you will need to upgrade to SEP 14.2 RU1 MP1 hotfix version once available.



  • 9.  RE: Issue about the SHA2 Windows Update Situation

    Posted 08-14-2019 03:37 PM

    @Torb --

    From my understanding that is not possible.



  • 10.  RE: Issue about the SHA2 Windows Update Situation

    Posted 08-14-2019 05:33 PM

    CQ,

    Thanks for pointing that out. I appreciate it.

    I have subscribed to that article, this article, as well as others over the years, but only rarely receive notifications of updated information.

    -Regards



  • 11.  RE: Issue about the SHA2 Windows Update Situation

    Posted 08-14-2019 05:45 PM

    What is SEP actually doing? I was able to patch with SEP 14.2 RU1 (14.2.335.1000) without issue, but we use Altiris to patch, so I'm not sure what protections are in place since we don't use Windows Update.



  • 12.  RE: Issue about the SHA2 Windows Update Situation

    Posted 08-14-2019 06:30 PM

    JJV,

    It is not that SEP is doing anything to prevent patch installation. It is the metadata within the patch bundle from Microsoft that tells the Windows Update client that the patch is not applicable if SEP is installed (or perhaps only if it is running at the time, not sure).

    Using Altiris bypasses the logic associated with the metadata and effectively force-installs the patch. This is basically equivalent to downloading the patch binary from the MS catalog and performing a (force) install.

    Microsoft has explicitly stated that they advise against doing this. Systems may not start up after a reboot, or more likely after a power off/on, which is different from a warm reboot. Loss of data or complete inability to use systems may result.

    See the MS KB articles for patches KB4512506 OS Monthly Rollup, KB4512486 OS Security Only and KB4511872 IE Cumulative.

    E.g., look at the last row in the "Known Issues" table at:

    https://support.microsoft.com/en-us/help/4512486/windows-7-update-kb4512486

    Symptom:

    Microsoft and Symantec have identified an issue that occurs when a device is running any Symantec or Norton antivirus program and installs updates for Windows that are signed with SHA-2 certificates only. The Windows updates are blocked or deleted by the antivirus program during installation, which may then cause Windows to stop working or fail to start.

    Workaround:

    Microsoft has temporarily placed a safeguard hold on devices with an affected version of Symantec Antivirus or Norton Antivirus installed to prevent them from receiving this type of Windows update until a solution is available. We recommend that you do not manually install affected updates until a solution is available.

    Here "Symptom and Workaround" are really more like "Notice and Advice / Warning".

    If you have seen no problems, consider yourself lucky. If you want to forge ahead, be aware.

    -Regards



  • 13.  RE: Issue about the SHA2 Windows Update Situation

    Posted 08-15-2019 02:16 AM

    So, does this mean that if WSUS is used, similar to Altiris, it should still work? Instead of running the update manually?



  • 14.  RE: Issue about the SHA2 Windows Update Situation

    Posted 08-15-2019 03:41 AM

    This affects WSUS and Windows Update @ThaveshinP; other third-party programs might work, but it is not advised, as IAMJD mentioned.



  • 15.  RE: Issue about the SHA2 Windows Update Situation

    Posted 08-15-2019 05:56 AM

    Thanks @mwit



  • 16.  RE: Issue about the SHA2 Windows Update Situation

    Posted 08-15-2019 07:01 AM

    @John. There is starting to be a lot of speculation of what the problem actually is.

    Can you describe in detail what the problem is?

    Is it:

    A) SEP is unable to whitelist Windows Updates because they are SHA2 signed, something that causes FP detection on the patches

    B) SEP interferes with the WSUS update process. Installing patches manually works.

    C) Something else

    We need a detailed technical explanation ASAP.



  • 17.  RE: Issue about the SHA2 Windows Update Situation

    Posted 08-15-2019 08:44 AM

    B) was the answer for me. Not sure what's happening behind the scenes, but my understanding is that SEP doesn't trust the patches and it just blocks them when they come from WSUS.

    When you try to get the updates from WSUS they don't show as being needed for the system, even though they are. Manually installing the updates works fine, but if you have a lot of systems that would be a lot of work. You could also use PowerShell or something similar to push the patches out and install them.



  • 18.  RE: Issue about the SHA2 Windows Update Situation

    Posted 08-15-2019 09:43 AM

    I would like an official answer. It might just be that the "compliance" check of whether the patch should be installed or not is only done by WSUS. Doing it manually ignores the check, but the risk of errors might still be there. Symantec must answer before people start doing unsupported workarounds.


  • 19.  RE: Issue about the SHA2 Windows Update Situation

    Posted 08-15-2019 11:51 AM

    Withdrawn-

    Symantec updated the tech article and addressed my complaint.



  • 20.  RE: Issue about the SHA2 Windows Update Situation

    Posted 08-15-2019 12:13 PM

    TORB,

    Technically the compliance or applicability check is done by the Windows Update client on each and every endpoint.

    WSUS is merely a repository of patches that the WinUpdate client connects to as a source of possible patches to examine and install if applicable. From the WinUpdate client's point of view it functions as an alternative to the Microsoft / Windows Update site.

    For our Win 7 / 2008R2 systems reporting into WSUS that are also running SEP, the following is observed:

    a) They report back to the WSUS server that the July security patches are NOT applicable. In WSUS terminology they do not show up as "Needed". They are not offered for installation.

    b) The SHA-2 update, KB4474419, does show as applicable / needed.

    c) Going to one of the endpoints showing NA in (a) above and directing the WinUpdate client to check with the Microsoft Update site results in the July security patches NOT being offered. So this mirrors what we see with WSUS.

    d) For the very few endpoints we have not running SEP, the July security updates are shown as applicable / needed and are offered for installation both via WSUS and Microsoft Update.

    e) Downloading the patch from the Microsoft Catalog and running the executable on a system with SEP will install the patch. THIS IS BAD. The compliance / applicability checking to prevent installation when SEP is detected is not included in the executable. It must therefore be in the metadata that the WinUpdate client uses for checking when obtaining via either WSUS or Microsoft Update.

    -Regards



  • 21.  RE: Issue about the SHA2 Windows Update Situation

    Posted 08-15-2019 12:34 PM

    Looks to see how many 2008 R2 servers he has...

    cries...



  • 22.  RE: Issue about the SHA2 Windows Update Situation

    Posted 08-15-2019 12:48 PM

    There has been no observed issue in relation to this update. Out of an abundance of caution we worked with MSFT to have the update hidden so that the potential for a False Positive could be prevented. The reason for this is that the version of SymVT that's in use with legacy operating systems (Win7/Win2K8R2) does not have the ability to see SHA-2 signatures.

    By removing the signature from the evaluation process, there is the potential that the final reputation score is impacted which may result in Conviction/Exoneration variance. For this update, we observed no such False Positives.

    However, it's possible a future update may have different behavior, so it's in everyone's best interest to pick up one of the fixed releases as soon as they're available so that this concern can be avoided.

    That's why, for customers that have already taken the update (update isn't hidden for 3rd party deployment solutions) they can safely stay on it until we have the updated releases available.



  • 23.  RE: Issue about the SHA2 Windows Update Situation

    Posted 08-15-2019 01:52 PM

    John,

    Does this mean that Symantec is working with Microsoft to remove the blocking / hiding of the July updates as delivered by WSUS and Windows Update?

    If no, why not?

    The July updates contain fixes for issues that have a very high potential for serious exploit - the RDP vulnerabilities. We need to patch our systems at the earliest reasonable time that we are able.

    If yes, do you have any information from Microsoft when the new revisions will be made available?

    -Regards



  • 24.  RE: Issue about the SHA2 Windows Update Situation

    Posted 08-15-2019 02:02 PM

    Once the machines have the SEP hotfix installed they will be able to take the MS updates, and they will not be blocked. We are not working with MS to remove the block/hiding for updates being delivered by Windows Update. The hotfix must be installed on these systems once available.



  • 25.  RE: Issue about the SHA2 Windows Update Situation

    Posted 08-15-2019 04:30 PM

    John, are there any Norton products affected by this? Thanks.



  • 26.  RE: Issue about the SHA2 Windows Update Situation

    Posted 08-15-2019 05:04 PM

    IAMJD,

    I assume that in your post it should read "August" in place of "July"? Just want to make sure that I fully understand the situation...



  • 27.  RE: Issue about the SHA2 Windows Update Situation

    Posted 08-15-2019 05:39 PM

    DOH!

    Yes, you are correct. August, not July.

    -Regards



  • 28.  RE: Issue about the SHA2 Windows Update Situation

    Posted 08-15-2019 06:37 PM

    According to Microsoft, Norton is affected:

    Microsoft has temporarily placed a safeguard hold on devices with an affected version of Symantec Antivirus or Norton Antivirus installed to prevent them from receiving this type of Windows update until a solution is available. We recommend that you do not manually install affected updates until a solution is available.

    Source: https://support.microsoft.com/en-hk/help/4512486/windows-7-update-kb4512486

    Microsoft announced this SHA-2 change 6+ months ago. It is totally unacceptable that Symantec didn't address this major problem earlier this year.



  • 29.  RE: Issue about the SHA2 Windows Update Situation

    Posted 08-15-2019 09:34 PM

    Yes. Norton is affected, though I am not sure what versions. I would reach out to Norton support for that.



  • 30.  RE: Issue about the SHA2 Windows Update Situation

    Posted 08-15-2019 10:41 PM

    @ScottK

    We acknowledge that the lack of prepared support for legacy Operating Systems (Win7/Win2K8R2) receiving SHA-1 deprecation has had consequences. We're actively working to address this situation as quickly and safely as possible.



  • 31.  RE: Issue about the SHA2 Windows Update Situation

    Posted 08-16-2019 04:47 AM

    Does this issue also apply for Server 2012 in the future?

    I understand that Server 2012 is going to SHA-2 later this year.



  • 32.  RE: Issue about the SHA2 Windows Update Situation

    Posted 08-16-2019 08:03 AM

    Does somebody know if, in addition to the patches, Symantec will be releasing a full package (RU2 or whatever) on 08/22?

    Thanks!



  • 33.  RE: Issue about the SHA2 Windows Update Situation

    Posted 08-16-2019 08:05 AM

    Forgive me for asking what is more of a contractual question.

    From what I'm reading, Symantec will make hotfixes available for 14.2 customers; this presumes entitlement to that version. In the case that customers hold perpetual licenses but do not have active support contracts, and accordingly cannot upgrade to 14.2, are these legacy customers permanently bricked?



  • 34.  RE: Issue about the SHA2 Windows Update Situation

    Posted 08-16-2019 09:20 AM

    Thanks John.  



  • 35.  RE: Issue about the SHA2 Windows Update Situation

    Posted 08-16-2019 09:55 AM

    Other OSs are not impacted, as they already have a newer driver that will work with the updates. This only affects legacy OSs.

    SEP 14.2 RU2 has an ETA of late October and will not be released on 8/22. It will have the fix in it, though.



  • 36.  RE: Issue about the SHA2 Windows Update Situation

    Posted 08-16-2019 09:57 AM

    @Ultron

    If you do not have an active license then you will not be able to download the Hotfixes. What license do you currently have?



  • 37.  RE: Issue about the SHA2 Windows Update Situation

    Posted 08-16-2019 10:00 AM

    SEP 14.2 RU1 MP1 will be a full build. Other hotfixes will be able to be imported into the SEPM and either pushed out or exported.



  • 38.  RE: Issue about the SHA2 Windows Update Situation

    Posted 08-16-2019 10:12 AM

    Thanks John! Can you please confirm this full build will be also released by end of the next week?



  • 39.  RE: Issue about the SHA2 Windows Update Situation

    Posted 08-16-2019 10:14 AM

    14.0 MP2 Build 2415, thousands of perpetual licenses but no active support contract, as this product is complementing other security products but still happily receiving definition updates.



  • 40.  RE: Issue about the SHA2 Windows Update Situation

    Posted 08-16-2019 10:18 AM

    That is the plan. Current ETA is 8/22.



  • 41.  RE: Issue about the SHA2 Windows Update Situation

    Posted 08-16-2019 10:19 AM

    @Ultron

    You will want to work with our Customer Service/Licensing team to see what can be done.



  • 42.  RE: Issue about the SHA2 Windows Update Situation

    Posted 08-16-2019 10:20 AM

    Hotfix builds:

    SEP 14.2 RU1 MP1

    SEP 14.2 RU1

    SEP 14.2 MP1



  • 43.  RE: Issue about the SHA2 Windows Update Situation

    Posted 08-16-2019 10:23 AM

    Noted - thanks for the candor on this forum.



  • 44.  RE: Issue about the SHA2 Windows Update Situation

    Posted 08-16-2019 11:46 AM

    Who at Symantec would we send the bill to for all the extra work this is going to cause us? /s

    They really dropped the ball on this, and someone's head needs to roll.



  • 45.  RE: Issue about the SHA2 Windows Update Situation

    Posted 08-16-2019 06:09 PM

    What is the deployment method for the hotfix? We are on 14.2 MP1. Does it require a reboot of the endpoint?



  • 46.  RE: Issue about the SHA2 Windows Update Situation

    Posted 08-16-2019 06:52 PM

    John,

    Microsoft has issued new patches today, August 16, for various OS versions including Win 7 / 2008R2. It is KB4517297.

    https://support.microsoft.com/en-us/help/4517297/windows-7-update-kb4517297

    This new patch was issued to fix problems with VB, VBA and VBScript that were introduced with the patches from August 13. In other words, Microsoft is fixing their broken patch with this new patch.

    At the bottom of that page there is this:

    "Note This update contains all the quality and security changes in KB4512486 (released August 16, 2019). While it does not replace KB4512486 on Windows Update, if you install this update you do not need to install KB4512486."

    While KB4512486 was one of the patches that Symantec worked with Microsoft to block from installation if SEP was detected, this new patch is NOT blocked via either Windows Update or WSUS.

    If this new patch KB4517297 contains all of the content of the blocked patch, this would seem to be contradictory.

    I know that Symantec is not responsible for the patch, but what is Symantec's stance on installing this?

    Did Microsoft not check with Symantec about this new patch in its haste to correct the broken earlier patch?

    -Regards



  • 47.  RE: Issue about the SHA2 Windows Update Situation

    Posted 08-17-2019 09:56 AM