Windows 7/Windows 2008 R2 updates that are only SHA-2 signed are not available with Symantec Endpoint Protection installed


Article ID: 175700


Products

Endpoint Protection

Issue/Introduction

As outlined in "2019 SHA-2 Code Signing Support requirement for Windows and WSUS", Microsoft released an update for Windows 7 SP1 and Windows Server 2008 R2 SP1 on August 13th, 2019, with which Microsoft Windows Updates are now SHA-2 signed instead of SHA-1 signed.

Microsoft KB4512506/KB4512486 is not visible as an available download when currently available versions of Symantec Endpoint Protection 14.x/12.1.x are installed.

Cause

Symantec has identified the potential for a negative interaction between Symantec Endpoint Protection and the contents of future Windows Updates as a result of the changes in this Microsoft KB. 

Out of an abundance of caution, Symantec and Microsoft worked together to only allow the update to be visible to versions of Symantec Endpoint Protection that fully support SHA-2 signed Windows executables replaced by this and future updates to Windows 7 SP1 and Windows 2008 R2 SP1.

Environment

This issue is specific to Windows 7 SP1 and Windows Server 2008 R2 SP1. All currently available versions of Symantec Endpoint Protection are affected.

Newer Operating Systems (Windows 8, Windows Server 2012, Windows Server 2016, Windows 10, etc.) are unaffected, as they load a different Symantec component that already contains SHA-2 support.

Note: Symantec Endpoint Protection clients using Web Traffic Redirection may see issues when API calls are made to make proxy changes to the system.

Resolution

Symantec has completed its evaluation of the impact of this update and future updates to Windows 7/Windows 2008 R2 and has determined that there is no increased risk of a false positive detection for all in-field versions of Symantec Endpoint Protection.

Microsoft KB4512506/KB4512486 and future updates can be safely installed and the soft block was removed on August 27th, 2019.

Symantec will continue to maintain the safety of these updates via content even after Windows 7/Server 2008 R2 reaches End of Life (EoL) on January 14, 2020. However, to restore the client's ability to gather SHA-2 information on Microsoft-signed files, we recommend applying one of these upgrades:

  • SEP 14.2 RU1 MP1 (14.2.4814.1101) has been certified and is available for download via MySymantec.
  • SEP 14.2 RU1 (14.2.3357.1000) has been certified and is available upon request through Symantec Technical Support.
  • SEP 14.2 MP1 (14.2.1057.0103) has been certified and is available upon request through Symantec Technical Support.

These can be applied as part of any upcoming routine operational activities associated with maintaining Symantec Endpoint Protection.


Frequently Asked Questions

Question: What if KB4512486/KB4512506 has already been applied?
Answer: The soft block request was made out of an abundance of caution. While there is no impact to customers that have already applied this update, Symantec Engineering recommends picking up one of our upcoming releases as soon as possible.

Question: How are the hotfixes applied? Is a reboot required?
Answer: SEP hotfix releases are the equivalent of full builds of the client software. Everything required to perform a normal update to a new version is applicable here, including a single reboot. Endpoints can be upgraded from any previous version of SEP directly to one of the hotfix releases.

Question: Will this issue impact Windows 2012, 8.1, and 2012 R2 on September 10th, 2019?
Answer: No. Operating Systems that are Windows 8 or greater load a different Symantec component which already supports evaluation of SHA-2 signatures.

Question: Will "X" version of SEP receive a hotfix?
Answer: We are planning to deliver hotfix releases based on 14.2 RU1 MP1, 14.2 RU1, and 14.2 MP1.

Question: What SEP release is needed for Windows 2008 (non-R2)?
Answer: Windows 2008 support was removed in SEP 14.2 RU1 and later. The 14.2 MP1-based release can be used with this Operating System. Windows 2008 R2 support remains available in all current releases.

Question: Does the hotfix release for 14.2 MP1 include the fixes for SYMSA1487, SYMSA1479, and SYMSA1468?
Answer: Yes, all the hotfix release builds contain fixes for SYMSA1487, SYMSA1479, and SYMSA1468.