SSHELPER portal abuse coverage details for Symantec Endpoint Protection clients 14.x


Article ID: 222524


Updated On:

Products

Endpoint Protection
Endpoint Protection Cloud
Endpoint Protection for VDI

Issue/Introduction

After reading the article below, you are concerned and want to verify whether the SSHELPER.EXE portal functionality is protected against abuse by third-party applications or users. The article explains that SSHELPER.EXE, a validly signed Symantec binary, can be chained to execute JavaScript and/or CSCRIPT and thereby download other objects from network sources.

https://nasbench.medium.com/symantec-endpoint-protection-meets-com-using-symantec-sshelper-as-a-lolbin-40d515a121ce 

Cause

The SSHELPER binary is a validly signed Symantec binary used to process internal Symantec objects for Symantec Endpoint Protection clients. Its operations can be exposed to snooping by an account with elevated local access, but they cannot be used to overwrite or execute any files directly.

Environment

All versions of Windows, x86 and x64.
All versions of SEP 14.x

Resolution

Security Response built IPS signatures to detect and stop any attempt, whether by a third-party application or by a user, to hijack the SSHELPER process, its files, or its active jobs. This fully mitigates the vector.
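The IPS signatures are the vendor's mitigation; a SOC may still want its own telemetry check for the chaining described in the Issue section (SSHELPER.EXE launching a script host that downloads from a network source). The following is an added example, written here for illustration and not Symantec's code nor anything from the referenced article. It assumes process-creation events with Sysmon Event ID 1 style field names (Image, ParentImage, CommandLine, RecordId), treats WSCRIPT as a second script host alongside the CSCRIPT the page names, and uses a placeholder install path and constructed sample events rather than anything captured from a real host.

```python
"""
Added example (not Symantec's code): triage endpoint process-creation
telemetry for SSHELPER.EXE spawning a Windows script host.
Assumptions: Sysmon Event ID 1 field names; WSCRIPT added as a script host;
the SEP install path below is a placeholder and all events are constructed.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Script hosts treated as suspicious children of SSHELPER.EXE. The page names
# CSCRIPT; WSCRIPT is assumed here as the windowed variant of the same host.
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}

# Crude URL match: the page says the chained script downloads from network sources.
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


@dataclass
class Finding:
    record_id: int
    parent: str
    child: str
    url: Optional[str]
    severity: str


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path (handles backslashes)."""
    return ntpath.basename(path).lower()


def triage_event(event: dict) -> Optional[Finding]:
    """Return a Finding when SSHELPER.EXE is the parent of a script host, else None."""
    parent = image_name(event.get("ParentImage", ""))
    child = image_name(event.get("Image", ""))
    if parent != "sshelper.exe" or child not in SCRIPT_HOSTS:
        return None
    match = URL_RE.search(event.get("CommandLine", ""))
    url = match.group(0) if match else None
    # A script host under sshelper.exe is unusual on its own; a network source
    # on the command line matches the download step the page describes.
    severity = "high" if url else "medium"
    return Finding(event["RecordId"], parent, child, url, severity)


def triage(events: List[dict]) -> List[Finding]:
    """Run triage_event over a batch of events and keep only the hits."""
    return [f for f in (triage_event(e) for e in events) if f is not None]


# Constructed sample telemetry (not captured from any host); placeholder path.
SSHELPER = r"C:\PLACEHOLDER_SEP_DIR\sshelper.exe"
SAMPLE_EVENTS = [
    {"RecordId": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript.exe C:\Admin\inventory.vbs"},
    {"RecordId": 2, "ParentImage": SSHELPER,
     "Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript.exe C:\Temp\fetch.js http://example.invalid/obj.dat"},
    {"RecordId": 3, "ParentImage": SSHELPER,
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe C:\Temp\run.js"},
    {"RecordId": 4, "ParentImage": SSHELPER,
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"record {f.record_id}: {f.parent} -> {f.child} [{f.severity}] url={f.url}")
```

Run against the constructed events, records 2 and 3 are flagged (high and medium respectively) while the explorer-launched admin script and the non-script child are ignored. In production the parent/child match should be tuned against a baseline of what SSHELPER.EXE legitimately spawns on your SEP build, since that baseline is not documented on this page.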

Additional Information

Resolved :: IPS publication 5/6/2021