Reports that combination of SEP Corp v12 MP5 and lower causing issues with KB4056897


Recommended Posts

All,

 

just placing this here as a heads up to any SEP (Symantec Endpoint Protection) ADMS who may miss this.

 

Symantec released an update to the Eraser engine which should have made it compatible with KB4056897 back on the 4th of Jan.

 

What we have discovered is a combination of that Eraser update is BSODIng any machine with KB4056897 installed (so any supported Windows OS at this point in time, 8,8.1,10, 2008 Server, 2012 Server, 2016 Server)

 

This has been verified on our test lab machines running two different operating systems and both had the necessary updated Eraser engine from Symantec and the registry key present for compatibility.  Yesterday, Symantec released a finding that identified this problem and the only fix/recommendation is to upgrade the entire environment to version 12.1.6MP6 or higher.

 

Symantec Support have confirmed To provide a fix for this problem is to either:

 

Upgrade the entire environment to version 12.1.6MP9 Note – version 12.1.x has an EOL of 4-3-2019 for standard life support.

Upgrade the entire environment to version 14.0.x (which we are waiting on fixes for findings we discovered during upgrading the SEPM management servers last month). The projected release date for these fixes are Feb 18.

 

https://support.symantec.com/en_US/article.INFO4797.html

https://support.symantec.com/en_US/article.TECH248558.html

https://support.symantec.com/en_US/article.TECH248552.html

 

there we have it gang, if this wasnt ending up a sh**storm already, now add this to the stack of ****  

 

This is what happens when something thats not ready to be publicly disclosed, is leaked, explains the intel snafu with broadwell/haswell chips too!

 

**UPDATE** Win 7 does not exhibit the issue in this scenario, proved on over 200 test boxes.

  • Like 2
Link to comment
Share on other sites

24 minutes ago, Jason S. said:

Thanks, Mando! i had not yet heard about this. we use SEP here at work, so this could be a big deal. i've emailed my coworkers and manager about it too.

your welcome mate, currently testing , looking like its only affecting W8 upwards, W7 is looking immune currently.

 

will be able to confirm in 30 mins, testing the theory atm.

Link to comment
Share on other sites

1 minute ago, Jason S. said:

is v12.1.6 MP8 affected? i cant tell... we have a bunch of servers on that version. the Symantec bulletins seem to only mention MP6 and earlier.

no, you should be ok, Mp6 is the lowest version thats ok for the re-released of Eraser engine. 

 

Quote

Yesterday, Symantec released a finding that identified this problem and the only fix/recommendation is to upgrade the entire environment to version 12.1.6MP6 or higher. I have opened a ticket with Symantec to see if there is anything that can be done to prevent us for force-upgrading at this time and unfortunately there is not. 

 

^thats from my global SEP Sec team, they know their shizzle, that can be treated as Gospel.

Link to comment
Share on other sites

@Mando I hope you don't mind me piggybacking onto your thread, but IMO this is somewhat relevant.

 

For those running versions of SEP that are compatible with the fix, there's a minor issue. On Windows Server 2008 and higher, and Windows 10, SEP's system tray icon will show 2 problems. However, when youopen the program, it will show everything as fine. According to Symantec It's just a cosmetic issue - SEP is working properly.

 

I can confirm that this happens with SEP 14.0 MP2 with  Windows 10. Symantec is apparently working on a fix. In the meantime if any of your users see this, you can let them know that there isn't actually a problem.

Link to comment
Share on other sites

1 minute ago, DConnell said:

@Mando I hope you don't mind me piggybacking onto your thread, but IMO this is somewhat relevant.

 

For those running versions of SEP that are compatible with the fix, there's a minor issue. On Windows Server 2008 and higher, and Windows 10, SEP's system tray icon will show 2 problems. However, when youopen the program, it will show everything as fine. According to Symantec It's just a cosmetic issue - SEP is working properly.

 

I can confirm that this happens with SEP 14.0 MP2 with  Windows 10. Symantec is apparently working on a fix. In the meantime if any of your users see this, you can let them know that there isn't actually a problem.

Not at all matey. good to know thanks!

 

I think weve spotted that also, is that the inbound fix for Feb 18th? 

 

 

Link to comment
Share on other sites

ok good news (for windows 7), out of 200 test systems weve trialled, none with the KBs (KB4056897) are affected with the issue.

 

Win 8/8.1/10/2k8/2k12/2k16 upwards are on 12 though and test boxes newer than 7 are affected.

 

 

 

 

Link to comment
Share on other sites

7 minutes ago, Mando said:

Not at all matey. good to know thanks!

 

I think weve spotted that also, is that the inbound fix for Feb 18th? 

 

 

The article I read didn't have an ETA for the fix, but that might have changed. It may not be a priority for Symantec, given only the tray notification is affected.

Link to comment
Share on other sites

ive confirmed with my SEP counterpart stateside, hes confirmed its in the feb 18th fix, as well as a few other issues we reported to them.

 

what a gift from symantec for me, 18th of Feb is my birthday lol

 

 

 

 

Link to comment
Share on other sites

@Mando  Thank you for that. I knew that there were issues with SEP, would I be right to wait until Feb 18th and then get the new version then install the window update? We are on SEP 14 with win 10 boxes, one 2012 server, and one 2008 server.

  • Like 2
Link to comment
Share on other sites

58 minutes ago, Danielx64 said:

@Mando  Thank you for that. I knew that there were issues with SEP, would I be right to wait until Feb 18th and then get the new version then install the window update? We are on SEP 14 with win 10 boxes, one 2012 server, and one 2008 server.

Reading some of the info i got sent through, he stated one option was to upgrade the global estate to v 14.0.x we didnt due to validation requirements for our estate, and the SEPM issues he spotted, which fixes should be here feb 18th. From that i suspect the actual v14 is ok for general use, our issues were with SEPM in 14.

 

The actual scan engine issue only seems to affect 12.1.2 MP5 and lower, ive pinged him a message to ask your specific query, if hes still around he will respond fairly quickly.

 

tbh until i have it 100% confirmed from my "guru" id would suggest grabbing a W10 test box, install std 14 and try a full sys scan, its the scan engine we had an issue with.

 

 

 

Link to comment
Share on other sites

Aaaaand my server estate is upgraded and rebooted to 12.1.5 MP9.

 

Just 1 hyperV host to do tomorrow and my PDC them i am ready for Win mitigation patching next week...yaaay 6hours OT from home @double time so far! I reckon another hour should do it, but im shot, I was in the office by 08:00 this morning.

 

Keeping going is asking for a screw up after a 14hour stint, at 45 im getting too old for this **** :p 

Link to comment
Share on other sites

I been keeping an eye on this: https://support.symantec.com/en_US/article.TECH248552.html and it sates this:

 

Quote
  • Question: When will the hotfixes be available?
    • Answer: Symantec is targeting the availability of all 4 hotfix builds for January 17th, 2018.
 

Is the date that you got @Mandoa typo or Symantec changed their mind?

Link to comment
Share on other sites

1 hour ago, Danielx64 said:

I been keeping an eye on this: https://support.symantec.com/en_US/article.TECH248552.html and it sates this:

 

Is the date that you got @Mandoa typo or Symantec changed their mind?

Tbh im on a couple days off, so id take symantecs date as gospel, probs accelerated their release due to 12s pre mp6 issues with 10 n server 2k12 to 16

Link to comment
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.