Qualys flags Endpoint Protection 12.1 client with latest IPS definitions as vulnerable to SYM16-013

Article ID: 163477

Products

Endpoint Protection

Issue/Introduction

Qualys flags SEP (Symantec Endpoint Protection) 12.1 clients as vulnerable to SYM16-013 even though you have confirmed that the SEP clients have the latest IPS (Intrusion Prevention System) definitions and the latest CIDS (Client Intrusion Detection System) engine.


Cause

Qualys decides whether a machine is vulnerable by checking the following registry value:

Key: HKLM\SOFTWARE\Wow6432Node\Symantec\SymNetDrv
Value: Version = 14.0.5.2

This value is the version of the SymNetDrv component; it does not reflect the version of the CIDS engine, which is what SYM16-013 actually concerns.

Environment

Qualys vulnerability scanner was used to scan a PC.

Resolution

A more appropriate way to determine whether the machine is vulnerable, using registry keys and file versions, is the following:

  • Start by checking the ImagePath for the CIDS driver. The service name and driver differ depending on whether you are running a 32-bit or 64-bit operating system:

64-bit: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\IDSVia64, and find the path to the driver in the ImagePath value.
32-bit: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\IDSVix86, and find the path to the driver in the ImagePath value.

The ImagePath points directly at the IDS driver file, whose location changes each time the machine updates its IPS definitions; that is why the check must read the path from the registry rather than assume a fixed location.

  • Check for the IDS driver (SYS file) at the discovered ImagePath and query the file's version. If the file version is 15.0.6.11 or greater, the machine should not be vulnerable to SYM16-013.
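The two steps above, carried out as an added PowerShell example (this script is not part of the original article or Symantec's tooling). It assumes the ImagePath value may be written with a \??\ or \SystemRoot\ prefix, or as a path relative to the Windows directory, and normalizes those forms before reading the driver's version resource; the service names and the 15.0.6.11 threshold come from the article.

```powershell
# Added example (not from the KB article): evaluates SYM16-013 exposure the way the
# Resolution section describes, by reading the CIDS driver ImagePath from the
# service key and comparing the driver file's version with 15.0.6.11.

$MinimumSafeVersion = [version]'15.0.6.11'   # threshold stated in the article

# Pick the service name for the OS architecture (IDSVia64 / IDSVix86 per the article).
$serviceName = if ([Environment]::Is64BitOperatingSystem) { 'IDSVia64' } else { 'IDSVix86' }
$serviceKey  = "HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName"

# Step 1: read the ImagePath; it changes with every IPS definition update, so never hard-code it.
$imagePath = (Get-ItemProperty -Path $serviceKey -Name ImagePath -ErrorAction Stop).ImagePath
Write-Host "ImagePath for $serviceName : $imagePath"

# Normalize NT-style prefixes into a Win32 path.
# Assumption (not from the article): these are the only forms the value takes.
$driverPath = $imagePath.Trim().Trim('"')
$driverPath = $driverPath -replace '^\\\?\?\\', ''
$driverPath = $driverPath -replace '^\\SystemRoot\\', "$env:SystemRoot\"
if ($driverPath -notmatch '^[A-Za-z]:\\') {
    # A bare path such as system32\drivers\... is relative to the Windows directory.
    $driverPath = Join-Path $env:SystemRoot $driverPath
}

if (-not (Test-Path -LiteralPath $driverPath)) {
    throw "CIDS driver not found at $driverPath; the ImagePath may be stale or the IPS component is missing."
}

# Step 2: read the file version and compare as a [version], not as a string,
# so that e.g. 15.0.10.x correctly sorts above 15.0.6.x.
$fileVersionString = (Get-Item -LiteralPath $driverPath).VersionInfo.FileVersion
# Keep only the leading dotted-number part in case the resource carries build text.
$fileVersion = [version](($fileVersionString.Trim()) -replace '[^\d.].*$', '')

[pscustomobject]@{
    Service              = $serviceName
    DriverPath           = $driverPath
    DriverVersion        = $fileVersion
    MinimumSafeVersion   = $MinimumSafeVersion
    VulnerableToSYM16013 = ($fileVersion -lt $MinimumSafeVersion)
}
```

Run it in an elevated PowerShell session on the scanned client; the VulnerableToSYM16013 field is what to compare against the Qualys finding. Because the comparison uses the CIDS driver file rather than the SymNetDrv Version value, it does not share the false positive described in the Cause section.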

Qualys reportedly resolved this issue in their software in early August 2016. Should you still observe the issue described above, please work with Qualys to update whatever signatures or software are responsible for the scan.