Symantec Endpoint Protection system lockdown blocks definitions updates

Article ID: 158162

Products

Endpoint Protection

Issue/Introduction

The steps in the Knowledge Base (KB) article Configuring system lockdown have been followed and system lockdown is enabled. However, the Symantec Endpoint Protection (SEP) client is unable to update its definitions.

If system lockdown is in test mode, the definitions are updated, but block messages are also logged in the client Control log.

Depending on the operating system and on the types and versions of the definitions being updated, block messages similar to (but not limited to) the following can be found in the SEP client Control log.

This is an example from a Windows 7 64-bit system, showing the important fields only:

  • Action: Block
  • Test mode: Test
  • Description: System Lockdown
  • API: Load Dll
  • Rule name: LockDown
  • Caller process: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.2100.2093.105\Bin\ccSvcHst.exe
  • Target: C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.2100.2093.105\Data\Definitions\IPSDefs\tmp4a05.tmp\IPSFFPl.dll

And an example from a Windows XP 32-bit system:

  • Action: Block
  • Test mode: Test
  • Description: System Lockdown
  • API: Load Dll
  • Rule name: LockDown
  • Caller process: C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.2100.2093.105\Bin\ccSvcHst.exe
  • Target: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.2100.2093.105\Data\Definitions\VirusDefs\tmp4c57.tmp\ECMSVR32.DLL

If system lockdown is fully enabled instead of in test mode, the SEP client System log may contain an error stating "An update for Virus and Spyware Definitions Win32 failed to install.  Error: 0xE0010001, DuResult: 60".
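The Control log entries above share a recognisable shape: the SEP service process loading a binary from a freshly unpacked folder under Data\Definitions. The following PowerShell is an added example, not Symantec code, that parses entries in that field layout and separates definitions-update blocks from blocks of other unapproved binaries, so an administrator can tell which lockdown events this article explains and which need a separate review. The sample entries are constructed from the fields quoted above plus one unrelated block for contrast; the path pattern used to recognise the definitions tree is derived from those two paths and is not a documented Symantec rule.

```powershell
# Added example (not Symantec code): triage SEP client Control log block entries
# and separate lockdown blocks caused by a definitions update from blocks of other
# unapproved binaries. The entries in $sampleLog are constructed from the fields
# quoted in this article plus one unrelated block for contrast.

$sampleLog = @'
Action: Block
Test mode: Test
Description: System Lockdown
API: Load Dll
Rule name: LockDown
Caller process: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.2100.2093.105\Bin\ccSvcHst.exe
Target: C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.2100.2093.105\Data\Definitions\IPSDefs\tmp4a05.tmp\IPSFFPl.dll

Action: Block
Test mode: Test
Description: System Lockdown
API: Load Dll
Rule name: LockDown
Caller process: C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.2100.2093.105\Bin\ccSvcHst.exe
Target: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.2100.2093.105\Data\Definitions\VirusDefs\tmp4c57.tmp\ECMSVR32.DLL

Action: Block
Test mode: Test
Description: System Lockdown
API: Create Process
Rule name: LockDown
Caller process: C:\Windows\explorer.exe
Target: C:\Users\alice\Downloads\setup.exe
'@

# Definitions are unpacked under "<SEP data folder>\Data\Definitions\<set>\tmpXXXX.tmp\",
# as the two targets above show. This pattern is derived from those paths (assumption),
# not taken from Symantec documentation.
$DefinitionsPattern = '\\Symantec Endpoint Protection\\[^\\]+\\Data\\Definitions\\'

function ConvertFrom-SepControlLog {
    param([Parameter(Mandatory)][string]$Text)
    # Records are separated by blank lines; each record line is "Field: value".
    foreach ($record in ($Text -split '(?:\r?\n){2,}')) {
        if ([string]::IsNullOrWhiteSpace($record)) { continue }
        $fields = @{}
        foreach ($line in ($record -split '\r?\n')) {
            if ($line -match '^(?<field>[^:]+):\s*(?<value>.*)$') {
                $fields[$matches.field.Trim()] = $matches.value.Trim()
            }
        }
        [pscustomobject]$fields
    }
}

function Get-LockdownBlockSummary {
    param([Parameter(Mandatory)][string]$LogText)
    ConvertFrom-SepControlLog -Text $LogText |
        Where-Object { $_.Action -eq 'Block' -and $_.Description -eq 'System Lockdown' } |
        ForEach-Object {
            $caller = Split-Path -Path $_.'Caller process' -Leaf
            # A definitions-update block is the SEP service (ccSvcHst.exe) loading a
            # binary from the Definitions tree; anything else is a different policy event.
            if ($_.Target -match $DefinitionsPattern -and $caller -ieq 'ccSvcHst.exe') {
                $category = 'Definitions update blocked (see Resolution)'
            } else {
                $category = 'Unapproved binary blocked (review separately)'
            }
            [pscustomobject]@{
                Mode     = $_.'Test mode'
                API      = $_.API
                Caller   = $caller
                Target   = Split-Path -Path $_.Target -Leaf
                Category = $category
            }
        }
}

Get-LockdownBlockSummary -LogText $sampleLog | Format-Table -AutoSize
```

Run against a Control log export, the first two sample entries are reported as definitions-update blocks and the third as an unrelated unapproved binary. Running in test mode first, as the article describes, is what makes this triage possible before lockdown is fully enabled.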

Cause

This is not a product issue. New definitions contain new executable binary files whose fingerprints are not in the approved file fingerprint list, so system lockdown blocks these new binaries when they are loaded. Taking the block message from the Windows 7 x64 system above as an example: the ccSvcHst.exe process (the Symantec Endpoint Protection service process) was blocked from loading the DLL file IPSFFPl.dll from the new IPS definitions.

Resolution

Option 1 - Add the following two SEP file paths so that binaries under these paths are allowed even if they are not in the fingerprint list.

#HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\Common Client\PathExpansionMap\APPDATA#*\*
#HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\Common Client\PathExpansionMap\INSTALLDIR#*\*

Steps:

In the Symantec Endpoint Protection Manager (SEPM) console:

  1. On the Clients page, select the group(s) and click the Policies tab in the right pane.
  2. Click the System Lockdown link under "Location-independent Policies and Settings".
  3. Click the Add button under "The following files are approved:".
  4. Enter the two paths above and make sure "Use wildcard matching" is selected.
  5. Click OK, and OK again, to close all dialog windows.

Please see screen shot below for reference.

Option 2 - If the security policy demands stricter control than option 1, the fingerprint list can be updated to include the new binaries in the new definitions.

Steps:

  1. Prepare test computers using the baseline images from which the existing file fingerprint list was generated. The test computers should cover both 32-bit and 64-bit operating systems.
  2. Place the test computers in a test client group where system lockdown is not enabled.
  3. Update the definitions on the test computers to the required versions.
  4. Run the Checksum utility to generate a fingerprint list file that includes fingerprints for all new binaries in the updated definitions.
  5. Import the fingerprint list files from step 4 into SEPM.
  6. Merge the new fingerprint lists with the existing fingerprint list. The existing fingerprint list now contains fingerprints for all new binaries in the updated definitions.
  7. Update the production computers with the same version of definitions as in step 3.

For more detailed steps on how to generate a fingerprint list file with the Checksum utility and how to import and merge fingerprint lists, please see Configuring system lockdown.
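Steps 4 to 6 of Option 2 amount to "fingerprint the updated definitions tree and add whatever the current list lacks". The PowerShell below is an added example, not Symantec's Checksum utility, that does exactly that on an updated test computer: it hashes the executable binaries under the definitions folder and reports the ones whose fingerprint is absent from the existing list, which is the set the merge in step 6 adds. It assumes the fingerprint list is a text file with one "<hash> <path>" entry per line and that the hash is MD5, as SEP 12.1 fingerprint lists use; confirm both against a file exported from SEPM before relying on the output. The folder and file paths at the bottom are examples (the version folder matches the one quoted in this article).

```powershell
# Added example (not Symantec's Checksum utility): find binaries in an updated
# definitions tree whose fingerprints are missing from the existing lockdown list.
# Assumptions: fingerprint list lines look like "<md5> <path>", and MD5 is the hash
# used by SEP 12.1 fingerprint lists. Requires PowerShell 4+ for Get-FileHash.

function Get-BinaryFingerprints {
    param(
        [Parameter(Mandatory)][string]$Root,
        [string[]]$Extensions = @('.dll', '.exe', '.sys')
    )
    # System lockdown evaluates executable binaries, so only hash those.
    Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $Extensions -contains $_.Extension.ToLowerInvariant() } |
        ForEach-Object {
            [pscustomobject]@{
                Hash = (Get-FileHash -Path $_.FullName -Algorithm MD5).Hash.ToLowerInvariant()
                Path = $_.FullName
            }
        }
}

function Import-FingerprintList {
    param([Parameter(Mandatory)][string]$Path)
    # Keep only the hashes: paths differ between 32-bit and 64-bit baselines,
    # while the fingerprint is what lockdown actually matches on.
    $hashes = New-Object 'System.Collections.Generic.HashSet[string]'
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\s*([0-9a-fA-F]{32})\s') {
            [void]$hashes.Add($matches[1].ToLowerInvariant())
        }
    }
    $hashes
}

function Get-MissingFingerprints {
    param(
        [Parameter(Mandatory)][string]$DefinitionsRoot,
        [Parameter(Mandatory)][string]$ExistingListPath
    )
    $known = Import-FingerprintList -Path $ExistingListPath
    Get-BinaryFingerprints -Root $DefinitionsRoot |
        Where-Object { -not $known.Contains($_.Hash) }
}

# Example paths: the definitions folder of the SEP version quoted in this article
# and a fingerprint list previously exported from SEPM (file name is an assumption).
$defsRoot     = 'C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.2100.2093.105\Data\Definitions'
$existingList = 'C:\Lockdown\baseline-fingerprints.txt'
$newList      = 'C:\Lockdown\new-definitions-fingerprints.txt'

$missing = Get-MissingFingerprints -DefinitionsRoot $defsRoot -ExistingListPath $existingList
$missing | Format-Table Hash, Path -AutoSize

# Write the new entries in the same "<hash> <path>" layout so the file can be
# imported into SEPM and merged with the existing list (Option 2, steps 5 and 6).
$missing | ForEach-Object { '{0} {1}' -f $_.Hash, $_.Path } | Set-Content -Path $newList
```

Run this on each test computer from step 1 (one per baseline image) after the definitions update in step 3; the combined output lists are what steps 5 and 6 import and merge. Because definitions are unpacked into temporary folders such as tmp4a05.tmp, the paths in the output will differ from machine to machine, which is why the comparison is done on hashes alone.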

Further information:

The SEP system lockdown feature, in whitelist mode (the default mode of system lockdown), places the strictest control on which applications can run on a computer. It is therefore expected that the executable binary files on the computer do NOT change much. Such changes include software upgrades, Windows updates and SEP definitions updates. Because of this strict control, frequent Windows updates or SEP definitions updates are usually unnecessary on these computers. Where they do become necessary, careful planning and administrative overhead are usually unavoidable. Please consider carefully which computers should have system lockdown enabled.

For a KB article describing the same issue in SEP 11.x, please see the related article below.

Applies To

SEP 12.1