
SSHELPER portal abuse coverage details for Symantec Endpoint Protection clients 14.x


Article ID: 222524


Updated On:


Endpoint Protection, Endpoint Protection Cloud, Endpoint Protection for VDI


After reading the article below, you are concerned and want to verify whether the SSHELPER.EXE portal functionality is protected against abuse by third-party applications or users. The article explains that SSHELPER.EXE, a valid Symantec-signed binary, can be chained to execute JavaScript and/or CSCRIPT, which can then be used to download other objects from network sources.


The SSHELPER binary is a valid, signed Symantec binary used to facilitate the processing of internal Symantec objects for Symantec Endpoint Protection clients. With 'elevated local access', its operations can be exposed for snooping, but they cannot be used to overwrite or execute any files directly.


All versions of Windows X86 and X64. 
All versions of SEP 14.x


Security Response built IPS signatures to detect and stop any third-party or user-sourced attempts to hijack the SSHELPER process, files, or active jobs. This fully mitigates the vector.

Additional Information

Resolved: IPS publication 5/6/2021