Posts tagged ‘Symantec’

Symantec Source Code Stolen

Source code for Symantec Endpoint Protection 11 and Symantec Antivirus 10 has been stolen. According to speculation in news reports, the source code had been provided to the Indian government and was compromised from their servers. Security companies often provide source code to be able to sell software in a country. I suppose they are worried about NSA backdoors.  This hack highlights the problems with loaning out your source code.

Symantec downplayed the severity of the report saying SAV 10 is no longer sold (end of support in July 2012) and SEP11 is 4-5 years old.

Even if the source code was from an earlier version, I am confident the source code doesn’t change that much within a major build.   Symantec Endpoint Protection 11 may have initially been released 4 or 5 years ago (can that be right?) but it is still the main version in use today.   Its successor SEP 12.1 was only released in July and most people would wait before deploying it.

I was a bit surprised by some of the reactions to this disclosure.   Rob Rachwald of Imperva says there is “not much hackers could learn from it” because they already analyze antimalware products.   The Atlantic Wire quotes Bruce Schneier as saying it isn’t a big deal.

I think it is a big deal.   Antivirus products do have vulnerabilities.   Antivirus products are widely deployed and often it is possible to find out what a particular company is using.   Isn’t code analysis easier than trying to blackbox test or trying to reverse engineer the code?  Depending on how diligent Symantec has been, I think this could lead to more security updates for Endpoint Protection.

Chris Parden, Symantec spokesman, says they are developing a remediation process for enterprise customers still using affected products.

Scanning External Drives on Connection

Over on Symantec Connect (the Symantec support forum), I frequently see people ask about the ability to automatically scan a removable drive when it is connected to a system.   They also submit it as an “idea”.   The Idea section is where you can make product suggestions that users can discuss and vote up or down.

I often wonder where this idea comes from because it seems like a particularly bad idea.   It seems like someone decided that was the only way to solve the problem of USB-based malware like Conficker.   That isn’t the case, and it can be very inconvenient.

If I connect a 1 Gb drive to the system, do I really want to wait while Symantec Endpoint Protection scans the full drive?   I don’t think so.   Endpoint Protection can disable autorun, solving 80% of the malware problem, and real-time scanning will still scan files as they are actually used.

Like most bad ideas this requirement comes from hardening guides and auditors.  I was reading the Critical Security Controls and found the following:

Quick wins: Organizations should configure systems so that they conduct an automated anti-malware scan of removable media when it is inserted.

As I said, I think a full drive scan is completely unwarranted.   Do any other antimalware products have this capability?

SEP 12.1 RU1 Released

Symantec Endpoint Protection 12.1 RU1 is out.   The list of fixes and features is here.

I upgraded my test server no problem.   That is the server where everything always works out fine.

SEP 12.1 RU1 is version 12.1.1000.157.    The previous version was 12.1.671.4971.   So of course when you log into SEPM, click on admin and Client Install Package, you sort by the version column and 12.1.671 is on top rather than 12.1.1000.    Sigh.     If I were picking version numbers, I would be careful to avoid numbers that often don’t sort correctly.    So I’ll have to sort by the “created time” column to make sure I’m working with the correct package.  
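The sorting problem described above, as an added example that is not part of the original post: the package names and created times are constructed sample data, and the `version_key` helper is an assumption about how a version column ought to be compared.

```python
# Added example: why a plain string sort puts 12.1.671.4971 above
# 12.1.1000.157, and how splitting the version into integers fixes it.
# Package names and created times are constructed sample data.
from datetime import datetime

PACKAGES = [
    {"name": "SEP 12.1 RU1 (64-bit)", "version": "12.1.1000.157",
     "created": "2011-11-15 09:12"},
    {"name": "SEP 12.1 (64-bit)", "version": "12.1.671.4971",
     "created": "2011-07-05 10:30"},
    {"name": "SEP 11.0.7 (64-bit)", "version": "11.0.7000.975",
     "created": "2011-08-02 14:01"},
]


def version_key(version: str) -> tuple:
    """Split a dotted version into integers so 1000 sorts after 671."""
    return tuple(int(part) for part in version.split("."))


def sort_by_string(packages):
    """The misleading order: compares versions character by character,
    so the '6' in 671 beats the '1' in 1000."""
    ordered = sorted(packages, key=lambda p: p["version"], reverse=True)
    return [p["version"] for p in ordered]


def sort_by_version(packages):
    """Correct order: newest version first, compared component by component."""
    ordered = sorted(packages, key=lambda p: version_key(p["version"]),
                     reverse=True)
    return [p["version"] for p in ordered]


def newest_by_created_time(packages):
    """The workaround from the post: trust the created-time column instead."""
    newest = max(packages,
                 key=lambda p: datetime.strptime(p["created"], "%Y-%m-%d %H:%M"))
    return newest["version"]


if __name__ == "__main__":
    print("string sort :", sort_by_string(PACKAGES))
    print("version sort:", sort_by_version(PACKAGES))
    print("newest by created time:", newest_by_created_time(PACKAGES))
```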

What’s New:
Mac Lion 10.7 support
Better support for mobile broadband adaptors that use NDIS6
Browser IPS for Firefox 5, 6, 7

None of the fixes jump out at me as something I’ve seen.

Symantec vs the LastPass Update

A new version of the Lastpass toolbar was released late this week, and I dutifully installed it on my systems.  During the installation, I was prompted by Symantec that less than 5 computers have been seen with this file thus I should only install it if I am sure it is safe.   I clicked allow and continued the install.   After the install winbiostandalone.exe was detected as Suspicious.Cloud.5.

According to Symantec:

Suspicious.Cloud.5 is a detection technology designed to detect entirely new
malware threats without traditional signatures. This technology is aimed at
detecting malicious software that has been intentionally mutated or morphed by
attackers.

So Symantec has become much more aggressive at tagging unknown files as suspicious and also uses aggressive heuristics to block files that have “bad” behavior.   Symantec suggests that software developers submit their applications and new versions to https://submit.symantec.com/whitelist/isv/.   Unfortunately it looks about as responsive and communicative as submitting to the app store.   The form says it will take “a number of weeks” to whitelist software, and you won’t hear back if your request is denied.   If your application development includes a Release to Manufacturer period then you might have time for this delay.   When you’re just releasing an update, I can’t imagine waiting on Symantec to whitelist your app.   I can’t imagine a true application whitelisting product like Bit9 taking so long.

The file winbiostandalone.exe, according to the LastPass forum thread discussing this issue, is used with the fingerprint reader.   So if you don’t use a fingerprint reader with LastPass you can just ignore this.   I submitted the file detection as a false positive, but from what the Symantec forum says it is now a 72 hour turnaround for that report.

So what do you do?   As an individual, you probably just ignore it.   It is not an actual virus.   An enterprise SEP admin could add whitelisting of the files involved and the download site.   What about other applications?   As I roll out SEP 12.1 to more employees, I figure I’ll be seeing a lot more issues like this.

Symantec Report on Chemical Industry Phishing

Symantec published a report earlier this week about an attack on the Chemical Industry.   They call this attack Nitro.

In one example of the attack, an encrypted 7zip file is used.   Encryption prevents scanners from examining the contents of the file.

Some SMTP gateways block encrypted files by default.   Most places find that hurts productivity more than it helps.

PhishMe asks if your employees have been trained on how to respond to password protected files.   Their phishing training can cover this.

A third option is to look at a vendor who will try every word in the message body as a password on the encrypted file.   This doesn’t help in attacks where the password is sent in a second email.   One could also wonder, if you’re specifically targeted, whether the attacker will obfuscate the password in some manner so that one pattern is visible to the user while a computer would read it a different way.   Would a passphrase confound this type of attack?   Obviously the file must be detectable as a virus by whatever antivirus you are using as well.

The most basic phishing awareness would foil the pictured email.   No major vendor would be mailing you patches.

More Fun with SEP GUIDs

After fighting with duplicate hardware IDs in Symantec Endpoint Protection not that long ago, it was surprising to find the problem back again.   Were these left over from the original problem, or was this a return engagement?   And if it was a problem cropping up again, was it caused by someone forgetting to do the ghost load correctly, or something else?

Symantec Endpoint Protection uses a hardware ID as a GUID to differentiate clients.   If a GUID is cloned to multiple computers, your reporting and policies are affected.   We tend not to find these problems until we move a client to a new group and find other computers showing up in the new group instead.

It turns out the old SEP 11 instructions for preparing to clone an image don’t quite work with 12.1.   With SEP 12.1 on Windows 7 64-bit, we found an additional copy of sephwid.xml at C:\ProgramData\Symantec\Symantec Endpoint Protection\PersistedData\sephwid.xml.   It wasn’t mentioned in the SEP 11 instructions, and every machine from the image ended up with the same hardware ID.   If you are manually fixing duplicate GUIDs, keep that in mind.

It turns out there are instructions specifically for SEP12.1.

How to prepare a Symantec Endpoint Protection 12.1 client for cloning – http://www.symantec.com/docs/HOWTO54706

How to repair duplicate IDs on cloned Symantec Endpoint Protection 12.1 clients  – http://www.symantec.com/docs/TECH163349

They don’t give manual instructions (at the time of this writing) on removing the hardware ID in 12.1, but they do provide an executable for the job.   I haven’t tested this exe out, but one thing bothers me.   The instructions say if you use tamper protection you must disable it.   If you require a password to stop the smc service, you must disable that too.   We don’t use tamper protection, but we do require a password to stop the smc service using the smc -stop command.   I wish they would allow me to provide the password at the command line as the sylink dropper tool can do.   The good news is that by setting up a separate policy for these clients in order to disable the password requirement to stop the SMC, you can then identify the remnant accounts, based on the duplicate hardware ID, that could be deleted.
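The check the two paragraphs above describe (finding clients that share a hardware ID, then picking out the stale remnants that could be deleted), as an added example that is not Symantec’s tooling or code from the original post. It assumes a client list exported from SEPM as CSV with the column names shown; the export text, computer names and hardware keys are constructed sample data.

```python
# Added example: find cloned hardware IDs in a SEPM client export and
# flag the stale duplicates. Column names and all rows are constructed.
import csv
import io
from collections import defaultdict
from datetime import datetime

CONSTRUCTED_EXPORT = """\
Computer Name,Hardware Key,Group,Last Time Status Changed
WS-101,A1B2C3D4E5F60718293A4B5C6D7E8F90,My Company\\Workstations,2011-10-03 08:15
WS-102,A1B2C3D4E5F60718293A4B5C6D7E8F90,My Company\\Workstations,2011-10-03 08:17
WS-103,A1B2C3D4E5F60718293A4B5C6D7E8F90,My Company\\Default Group,2011-09-28 17:40
SRV-200,0123456789ABCDEF0123456789ABCDEF,My Company\\Servers,2011-10-03 07:55
WS-201,FEDCBA9876543210FEDCBA9876543210,My Company\\Workstations,2011-10-02 12:00
"""

TIME_FORMAT = "%Y-%m-%d %H:%M"


def parse_export(text: str):
    """Read the CSV export into a list of client records."""
    rows = csv.DictReader(io.StringIO(text))
    clients = []
    for row in rows:
        clients.append({
            "name": row["Computer Name"],
            "hwid": row["Hardware Key"].strip().upper(),
            "group": row["Group"],
            "last_seen": datetime.strptime(row["Last Time Status Changed"], TIME_FORMAT),
        })
    return clients


def find_duplicate_hardware_ids(clients):
    """Map each hardware ID seen on more than one client to the client names
    that share it, most recently seen first."""
    by_hwid = defaultdict(list)
    for c in clients:
        by_hwid[c["hwid"]].append(c)
    return {
        hwid: [c["name"] for c in sorted(group, key=lambda c: c["last_seen"], reverse=True)]
        for hwid, group in by_hwid.items() if len(group) > 1
    }


def remnant_candidates(clients):
    """For each cloned hardware ID keep the client that checked in most
    recently; everything else is a stale record to review for deletion."""
    stale = []
    for names in find_duplicate_hardware_ids(clients).values():
        stale.extend(names[1:])
    return sorted(stale)


if __name__ == "__main__":
    records = parse_export(CONSTRUCTED_EXPORT)
    for hwid, names in find_duplicate_hardware_ids(records).items():
        print(f"hardware ID {hwid} shared by: {', '.join(names)}")
    print("remnant candidates:", remnant_candidates(records))
```

Review the candidates before deleting anything: a machine that is simply powered off will look stale by this measure.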

SEPM Database Fun

Tuesday morning I received an email no Symantec Endpoint Protection Manager admin wants to receive:

From: SEPM_Server@ [mailto:SEPM_Server@]
Sent: Tuesday, September 27, 2011 12:13 AM
To: Roger
Subject: Database is down

Message from:
    Server name: asdfasdf
    Server IP: x.x.x.x    
The Symantec Endpoint Protection Manager database has gone down and needs immediate attention.

I went through several likely candidates in the Symantec KB but couldn’t find anything to fix the issue.   The database wouldn’t start.   As a side note, has anyone else had issues with many search results in the Symantec KB being a “file not found”?

I ended up reinstalling SEPM and restoring a previous backup because I couldn’t get anything else to work.

The fun didn’t end there.   The next day at the same time (midnight) the database died again.   This time I called support first thing rather than after trying many solutions myself.   It was the same as the day before.   Really, there was nothing they knew how to do with the database down.   I did the same uninstall/reinstall and database restore to get services back for the end users.   After hours, I installed from scratch and configured much of it by hand.   If you find your database backups are corrupt and need to do this:

1.   Export all the policy files and any other setting that is exportable.
2.  Make sure your configuration is up to date.   There are a lot of screens in SEPM but you’ll be glad you screenshot every last one of them and kept it up to date.
3.  Even without the database, you can use the recovery file so your clients are still able to check in.   Otherwise they’d need a reinstall or a sylink.xml.
4.  In the tomcat/etc directory under the SEPM install, edit conf.properties and change scm.agent.groupcreation to true.   Restart SEPM.   This allows clients to create the groups they were previously assigned to.   Otherwise all clients would end up in the default group.   Even after creating a new group, the group ID wouldn’t match and you would be stuck moving all clients manually.

I spent three long nights on this issue.    I was very glad to have “Essential” support so I could get support on the line outside business hours.    Hopefully this was a one time issue.   I suspect the database was a little hinky after the upgrade to 12.1.

Requiem for IM Manager

When we first purchased IMLogic, I believe we had done a bakeoff with IMLogic, Akonix and Facetime.   Public IM worms were common back then.   Without an IM security product, virus outbreaks occurred, and even when no infection occurred the help desk would get flooded with calls from people who got the viral message but didn’t click on the link and thus were not infected.

IMLogic abated the IM threats in public IM and in the internal Live Communications Server.   Back then it worked with Sybari Antigen to protect against file transfer malware as well.

But all was not well.   Big Yellow needed an IM product and Microsoft needed antivirus for Exchange.   Both IMLogic and Sybari were swallowed up.   Things began to change.   Symantec and Microsoft didn’t want to play ball the way IMLogic and Sybari had.  The integration of IMLogic, now called Symantec IM Manager, and Sybari was dropped in favor of Symantec Antivirus.  I really wasn’t happy when IMLogic support was merged into Symantec support.

Over time, things settled down, and Symantec IM Manager was relatively static.  After a while you start to wonder exactly what is it doing for us?    The number of real security detections/blocks is pretty much zero.   Most users have moved on to Facebook for chat which isn’t protected.  

Recently I began to wonder when support for Microsoft Lync was coming to Symantec IM Manager.   The sad news is never.   While nothing official has been announced, it looks like Symantec intends to end-of-life IM Manager.   While support will be provided for some time for the existing version, the public IM providers may make changes that break the existing connector.   If they do that, it is doubtful a fix would be available.   As we upgrade to Lync, our biggest use of IM Manager (OCS) will go away.

Symantec recommends going to their cloud solution.   I can’t imagine that would be cost effective for us.   We’re paying software maintenance right now and it is very cheap.   Cloud services are subscription based.   It’s like buying the software new every year.   It wouldn’t hurt to talk to sales, but I don’t have the numbers to indicate the need to continue IM security.

It’s kind of a sad thing, IM Manager on life support.   But when there aren’t big worms, you don’t have new sales.   I suspect the IM vendors filter most of that in their databases nowadays.   Without the security need, it is back to being a compliance (IM logging) sale.   Most companies just don’t need that.   Another reason I suspect Symantec is getting out is that public IM is secondary to Facebook Chat and Skype.   If there is no way to expand the product for Facebook, then it is incomplete.

So we’ll see what happens officially.   Will they announce an End of Sale?   Will the end of support be after my existing contract, or will we have issues?

Great Experience with Symantec Support

I had the best experience with Symantec support today.   Late last night I put in a ticket for an issue with Endpoint Protection.   When I got into work this morning I heard back from a guy who tracked down the answer.   As I understand, he saw the issue in the wrong queue and snagged it.   I knew it was a tough problem, but he knew exactly what to do.  

I know it sounds dumb, but it was such a good experience, it really brightened my day and I had to tell someone about it.

SEP 12.1 Released

Symantec Endpoint Protection 12.1 was released on July 5th.   A post on Symantec Connect says they are deploying the upgrade licenses via snail mail and sending in alphabetical order.   To a certain extent, I can sympathize with a desire to not overwhelm support.   But I feel that people who participated in the beta program should be given access to the bits immediately.

I logged into https://licensing.symantec.com and selected Version Upgrade.   Next I selected “I Don’t Have an Upgrade ID”.   Select your customer number and select upgrade on the following screen.   If none of the ones listed give you a SEP upgrade, you’ll need to find your license PDF and use the customer number associated with the purchase of SEP.

I then had a valid serial number to use at https://fileconnect.symantec.com.   After downloading the bits, I found that unfortunately SEP 12.1 requires me to use a license file.   I figured this might be coming.   In SEP 11, Symantec required small business customers to use license files.   I haven’t had to use a license file since we started using Symantec Antivirus more than 10 years ago.   I feel like this is only an unnecessary complication.

Next I began working on an upgrade plan.   I currently am running SEPM on a Windows 2003 server.   This seems like a good time to change that to Windows 2008 R2.   One method would be to bring up a second server with Windows 2008 R2 and SEPM 12.1.   I prefer to keep my computers reporting to a server with the same name and IP.   That means I’ll be using a disaster recovery scenario.  

The first issue I’m finding is a lack of documentation for recovering SEP11 recovery files into a SEP12 server.  I’m thinking I may be better off upgrading the existing server to SEP 12.1 and performing a DR backup, then turn the server off and bring up the Windows 2008R2.    Another possibility is to put SEP11 on the Windows 2008R2 server and then upgrade it to SEP12.   I prefer to keep the new server “cleaner” than that.

I would think this would be a relatively common scenario.   But all I can find is the linked Symantec knowledge base article that states SEP11 DR files can’t be imported into the standard SEP12 DR files.   I understand that.  But I would still think it could be done manually.

I’ll be trying to get some more answers before doing the upgrade, even in the test environment.