Symantec has posted the advisory “SYM16-015 - Symantec Decomposer Engine Security Update”. This document describes the options available for responding to this advisory as a user of Symantec Endpoint Protection 12.1.
Responding to SYM16-015
Apply one of the following solutions:
The client computers get the content update directly from the Symantec Endpoint Protection Manager or through a Group Update Provider, or by running LiveUpdate.
Note: If you apply the content update to a Symantec Endpoint Protection 12.1.6 MP5 client, and later change the feature set or repair this installation, the updated components revert to their original version. You must then upgrade to 12.1.6 MP6.
- This content update only applies to Symantec Endpoint Protection 12.1.6 MP5 clients. Earlier clients do not apply this update.
- If the Virus and Spyware Protection feature is not installed, then the client does not apply the update.
Verify that the clients applied the update
You can determine which clients have not yet applied the update by the following methods:
- Verify the presence of a registry value
- Use a Host Integrity policy
Verify the presence of a registry value
When the update has been successfully applied, it writes one of the following registry keys:
- On 32-bit Windows:
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\HOTFIXREVISION
- On 64-bit Windows:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\CurrentVersion\HOTFIXREVISION
You can use a script to check for the presence of this registry value.
Note: If you apply the update, and later change the feature set or repair this installation, the key remains even though the updated files revert to an earlier original version.
Use a Host Integrity policy
With the use a Host Integrity (HI) policy, you can determine whether or not the appropriate files were updated. After the policy has propagated, you can then view the Compliance Logs to see which clients passed and which clients failed the Host Integrity compliance check.
I. Create the Host Integrity policy
- In Symantec Endpoint Protection Manager, click Policies > Host Integrity, and then click Add a Host Integrity policy.
You can also modify an existing policy that always checks Host Integrity, and add the same requirements listed in steps 5-8.
- On the Overview pane, enter a policy name and a description. For example, enter “Check for SYM16-015 Protection” and “Checks client computers to ensure they have applied the updates necessary to address SYM16-015.”
- On the Requirements pane, leave Always do Host Integrity checking selected. Under Host Integrity Requirements, click Add.
- In the Add Requirement window, leave Windows selected as the client platform. Under Select requirement, click Custom requirement.
- In the Custom Requirement window, click Add, and then click IF..THEN...
- Click the area under IF, and then click the dropdown to select File: Compare file version to.
- Under File name and path, enter the following:
#HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\Common Client\\CCROOT#\ccScanW.dll
- Select File version is greater than, and then enter the following:
- Click the area under THEN, and then under Comment, enter Return Pass.
- Click Add, and then click Return. In the right pane, Pass is selected by default.
- Under END IF, click Pass, and then in the right pane, click Fail as the result of the requirement.
- Click OK to save the requirement, then click OK again to save the policy changes.
II. Assign the Host Integrity policy
- After you save the policy changes, you are prompted to assign it to a client group if it is not already assigned to one. Click Yes to assign it to the client groups. You can click My Company if policy inheritance is enabled for all child groups. Otherwise, click all groups to which you want this policy to apply.
Caution: Only one Host Integrity policy can apply to a group at a time. If you assign this policy to a group that already has a Host Integrity policy assigned, it will overwrite the existing policy.
- Click Assign to assign the policy.
If the policy is not new and is already assigned to a group or groups, then the new requirement automatically applies to them.
III. Check the Compliance Log
- In Symantec Endpoint Protection Manager, click Monitors > Logs, and select the following:
- For log type, select Compliance.
- For log content, select Client Host Integrity.
- For time range, select Past week.
- Click View Log.
- In the results that display, under the Compliance Description column, look for “Host Integrity check failed” for the requirement that you previously created.