Symantec fixes the SHA-2 patch problem for Win7

Topic

New Reply

Remember how Microsoft put in a block, preventing the Win7 August Patch Tuesday patches from installing on systems with Symantec Endpoint Protection?
[See the full post at: Symantec fixes the SHA-2 patch problem for Win7]

5 users thanked author for this post.

RDRguy, GreatAndPowerfulTech, AngryJohnny75, abbodi86, Myst

Reply | Quote

Replies

[EP]

both MS AND Symantec have not yet updated their support articles regarding any new software updates for Symantec Endpoint Protection, woody.

the support article from Symantec regarding SHA-2 still remains with a date of Aug. 16:
https://support.symantec.com/us/en/article.tech255857.html

maybe Symantec will update their support article on Wed. the 21st

• This reply was modified 5 years, 8 months ago by EP.

Reply | Quote

The article I just read does have a fix for the SHA-2 conflict.
https://support.symantec.com/us/en/article.tech255857.html
As follows –
“SEP 14.2 RU1 MP1 (14.2.4814.1101) English is available for download via MySymantec. 14.2 RU1 MP1 Localized language versions are targeted for availability via MySymantec on August 21, 2019.

Symantec is continuing to work on additional releases of Symantec Endpoint Protection to address this situation:

14.2 RU1
14.2 MP1”

MacOS iPadOS and sometimes SOS

Reply | Quote

In their Question/Answer section at that Syamntec link provided:

Question:

“Will “X” version of SEP receive a hotfix?”

Answer:

“We are planning to deliver hotfix releases based off of 14.2 RU1 MP1, 14.2 RU1, and 14.2 MP1.”

So I’ll wait for the hotfix and that come via Norton Security Suite’s updating functionality instead of having to sign-in and have to download and install that whole mess all over again.

I still have not installed that Windows 7 July Security Only Update on any of my laptops and it’s still DEFOCN 2 at AW for the Aug 2019 problem patches and really Symantic had to have Known that MS was switching to SHA-2 only as that’s been stated for a good long time by MS/Others. And that whole Q and A part should have been included by the Press in any reporting for the Windows 7/Windows 2008 R2 updates that are only SHA-2 issue.

Now all Symantic has to fix is their Norton Security Suite’s habit of taking over my system’s DEFRAG scheduling and a few other of its computer maintenance Tasks that I have explicitly turned off. Symantec needs to try and sell a Virus/Firewall Only variant for folks that do not want any Nagging Nanny-ware that can not have some features explicitly turned off and actually have those features actually stay Turned Off.

Reply | Quote

When I try to access the above link from my Win7 PC for the SHA-2 Symantec article at https://support.symantec.com/us/en/article.tech255857.html it does not have any updates listed as I’ve noted above in quotes from their site – And it shows “Last Updated August 16, 2019”. But when I’m on my Apple devices it does state the following, with a “Last Updated August 20, 2019” …

“SEP 14.2 RU1 MP1 (14.2.4814.1101) English is available for download via MySymantec. 14.2 RU1 MP1 Localized language versions are targeted for availability via MySymantec on August 21, 2019.

Symantec is continuing to work on additional releases of Symantec Endpoint Protection to address this situation:

14.2 RU1
14.2 MP1”

What’s up with this? Before checking the same link I made sure to do a Live Update for the Win7 PC on my Norton AV, and it did show there was a patch. I’ve checked my “History” and it does not list a patch for the SHA-2 issue.

MacOS iPadOS and sometimes SOS

1 user thanked author for this post.

Bluetrix

Reply | Quote

The communication from Symantec has been horrendous. Given the severity of the problem, one would expect better treatment of their customers. I hope this isn’t an indication of things to come now that Symantec is in disarray (sale of enterprise division, LifeLock consumer, etc).

In this case, I don’t blame Microsoft. They provided sufficient advance notice of SHA2 changes and Symantec should have been better prepared to deal with it. Why they are not communicating with their customer base is beyond me.

Symantec Forum – Is it safe to install August 2019 Windows 7 update??
community.norton.com/en/forums/it-safe-install-august-2019-windows-7-update

Windows 7 SP1 August Windows Update not available to some Norton customers
support.norton.com/sp/en/us/home/current/solutions/v133892938

Symantec/Norton blocks Windows Updates (Born)
borncity.com/win/2019/08/14/symantec-norton-blocks-windows-updates-sha-2/

Microsoft: August 13, 2019—KB4512486 (Security-only)
support.microsoft.com/en-us/help/4512486/

A bit off-topic, but I apologize to Group B for not releasing findings regarding telemetry from last month’s security only debacle (KB4507456). I had an unexpected medical emergency that resulted in surgery (things happen when you get old).

Keep the faith people. Win 7 is still the best consumer OS ever created.

– Carl – (aka CA)

Edit for content, please stay on topic.

2 users thanked author for this post.

GoneToPlaid, Myst

Reply | Quote

anonymous wrote:

The communication from Symantec has been horrendous. Given the severity of the problem, one would expect better treatment of their customers. I hope this isn’t an indication of things to come now that Symantec is in disarray (sale of enterprise division, LifeLock consumer, etc).

I understand all the frustration. For whatever reason Symantec has, to have been on the jagged edge of compatibility with MS for the SHA-2, I still respect their reputation of high performance in AV protection. I’ve had Norton for many years and was with them when they were trying to iron out all the kinks, from slo-mo performance issues to hogging resources. I do believe they’ve become a great company in device protection, especially where the PC is concerned. This has been just another mishap in our world of crazy communication amongst the corporate conglomerate. I will stay a Norton consumer for the security of my devices as long as they continue to offer excellent protection.

MacOS iPadOS and sometimes SOS

Reply | Quote

From the first link that you listed from, Sunil_GA AdminAdministrator30 this was posted in that Symantec forum:

” Posted: 20-Aug-2019 | 12:27PM • Permalink

Hi Everyone,

Norton Security 22.18.0.222 has been released targeting Windows 7 SP1 customers with Norton 22.18.0.213 installed. This build fixes the Norton installation issue on Windows 7 machines. Once this patch is applied, Windows 7 customers can apply the latest Windows Update patch.

Note: This is a throttled release. The version change is for Windows 7 users ONLY

Sunil_GA | Norton Forums Administrator | Symantec Corporation “

So I ran My Norton Security Suite’s LiveUpdate and received the update(140MB or so in size) and rebooted just to be safe and that brought my software to version 22.18.0.222 and has the SHA-2 fixes(Hopefully) applied.

1 user thanked author for this post.

Myst

Reply | Quote

Sorry, but I should have mentioned that the Norton update (consumer) will not be available to everyone immediately.

Symantec policy is to release rolling updates. This means that updates are released in stages. It may be a few days or longer before the update appears in Live Update. Why? This mitigates the damage caused should the update prove to be problematic.

Even if you do receive the update, it would be wise to follow Woody’s and Sue’s advice regarding application of this month’s patches. Keep in mind that some people here have machines that we can sacrifice for testing purposes. Personally, I am not going to apply Group B patches to my daily driver yet, but will do so on some sacrificial lambs.

– Carl –

1 user thanked author for this post.

Myst

Reply | Quote

If history is any guide, folks who have their Norton AV through Comcast/Xfinity will be among he last to receive this “rolling” update!  At least that has been my experience.

Reply | Quote

I have that ISP and I ran Norton’s live update is received the fix on Aug 21st. Comcast’s version is just some cosmetic branding with roughly the same features enabled as the regular versions of Norton Security Suite.

I really wish that Comcast would get Symantec to issue a Firewall/Virus only edition of Norton like was available in the past without all that other unnecessary functionality that most folks do not want or need.

Reply | Quote

I got my Norton 360 updates today. The ‘big one’ (137MB) and two smaller 2-3MB ones that followed up a few hours later.  Had to reboot after the first one.  Running Win7 Pro and no (appearent) issues.

"War is the remedy our enemies have chosen. And I say let us give them all they want" ----- William T. Sherman

1 user thanked author for this post.

Myst

Reply | Quote

I also had a 137 mb update and with it listing there was a Patch. I figured this would all have shown up in my History as the SHA-2 Patch etc. but nothing listed as such. And I fully expected a Reboot but that didn’t happen. So I rebooted anyway to see if maybe the patch would show up in History. Nothing came up but the normal Norton updates. Maybe tomorrow. And I’ll update everybody once something worthwhile happens.

I meant to add that I have not Checked for Updates in WU. I’m waiting to get a better picture of what Symantec will do with their SHA-2 Patch once it hits my Win7 PC. And of course I won’t be checking or running updates for the Win7 until the DEFCON level hits a higher number.

MacOS iPadOS and sometimes SOS

Reply | Quote

I was monitoring two computers on the same network. One received the Norton update (“Apply Now”/”Apply Later”) today while the other did not. This is not uncommon. I’ve seen a delay of up to 3 days on more than one occasion for large updates. Symantec is smart enough to not auto update all machines on the same network at the same time.

I always click “Apply Later” since Norton has messed up my gadgets in the past. I then rebooted the machine. The Norton update installed upon reboot and showed up in history as “LiveUpdate Sessions Completed” with no indication this was the SHA-2 fix.

Windows Update then did it’s update check and listed the August KB4512506 rollup as available for download/installation. The other computers on the network without the new Norton fix still have KB4512506 blocked (hidden) by Microsoft.

Oddly, one Norton employee claimed they are doing the fix without Microsoft’s help. I find this hard to believe however.

I’ve encountered no problems with the patched computer, but I have not applied any MS Group B patches yet.

– Carl –

1 user thanked author for this post.

Myst

Reply | Quote

Did a check for WU and KB4512506 August Monthly Rollup, KB4474419 August SHA-2 update KB890830 MSRT are showing up. All is good. It seems Norton did in fact download/install the SHA-2 fix awhile ago like I had thought initially. The update was 137MB. Had been in doubt it was installed because the PC never went through a required reboot. Now waiting for Woody to raise the Defcon level. Thanks for all the comments here, it helped get me back on track.

MacOS iPadOS and sometimes SOS

1 user thanked author for this post.

abbodi86

Reply | Quote

W7 32 Starter.
Adopting a Cavalier Attitude.
I installed the latest Norton Security version, and all the WU auto & manual updates, I could find.
Exists MS WU 14/08. KB890830, KB4474419, KB4512506.
Installed MS WU 20/08. KB4503548, KB4512514, KB4512193, KB4517297, KB4512193

Currently, all is, OK.

ps. Expendable. The machine is so slow, a box of snails could crunch numbers quicker.
January 2020, ain’t too far away, the EOL-4-W7 ?
pps. Not so Cavalier with my W7 64 Daily Driver. Updating with Caution.

Reply | Quote

Should we run the LIVE UPDATE every day until we get the new update or should we just wait a week or so and then do a LIVE UPDATE?

Reply | Quote

The update needs to be applied to your Norton products before you try to update Windows using Windows Update. So you will need to run Live Update sometime before that. How often you run Live Update is up to you.

We are still at DEFCON 2, which means wait to update Windows.

Reply | Quote

Hopefully some other Norton users will report back on any of their post Norton SHA-2 patching successes/failures, once that required Symantec/Norton patching has been completed and then after they have installed the Windows 7 Aug 2019 KBs.

I’m still waiting for DEFCON-2 to go higher for the other NON-Symantec related issues to be resolved.

Reply | Quote

Received the update yesterday on my Win 7 and all the Aug. updates are now showing up. Just waiting on the DEFCON to raise.  Did not receive any updates on my Win 10 PC. I’m going to assume that a new version for Win. 10 will follow.

Reply | Quote

anonymous wrote:

Received the update yesterday on my Win 7 and all the Aug. updates are now showing up. Just waiting on the DEFCON to raise.  Did not receive any updates on my Win 10 PC. I’m going to assume that a new version for Win. 10 will follow.

This specific Symantec issue was confined to Windows 7/Server 2008R2; you won’t see additional Windows 10 patches queued for installation as a result of an updated Symantec endpoint.

Reply | Quote

I would expect Win. 10 to get an updated version minus the Win. 7 fix, if for no other reason, other than to keep the version numbers in sync.

Reply | Quote

what version of Win10 are you using?
if running Win10 v1903, you won’t receive any new fixes until end of August

read the FAQ in this Symantec article.

Will this issue impact Windows 2012, 8.1, and 2012 R2 on September 10th, 2019?

No. Operating Systems that are Windows 8 or greater load a different Symantec component which already supports evaluation of SHA-2 signatures.

Reply | Quote

Symantec support article updated FRI Aug. 23 again:
https://support.symantec.com/us/en/article.tech255857.html

only SEP 14.2 RU1 MP1 and SEP 14.2 MP1 versions of Symantec Endpoint Protection (SEP) have the SHA-2 fixes. only 14.2 RU1 (w/out MP1) is the only version w/out the fix

2 users thanked author for this post.

RDRguy, Microfix

Reply | Quote

[RDRguy]

Symantec support article was updated today, Tue Aug. 27 with the following statement:

Symantec has completed its evaluation of the impact of this update and future updates to Windows 7/Windows 2008 R2 and has determined that there is no increased risk of a false positive detection for all in-field versions of Symantec Endpoint Protection.

Microsoft KB4512506/KB4512486 and future updates can be safely installed and the soft block was removed on August 27th, 2019.

Symantec will continue to maintain the safety of these updates via content, but in order to return the client’s ability to gather SHA-2 information on Microsoft signed files, we recommend that one of these upgrades be applied:

SEP 14.2 RU1 MP1 (14.2.4814.1101) has been certified and is available for download via MySymantec.

SEP 14.2 RU1 (14.2.3357.1000) has been certified and is available upon request through Symantec Technical Support.

SEP 14.2 MP1 (14.2.1057.0103) has been certified and is available upon request through Symantec Technical Support.

Reference:
https://support.symantec.com/us/en/article.tech255857.html

Microsoft also updated their Aug 13 update articles today for KB4512506 (Monthly Rollup) & KB4512486 (Security-only update) with the following statement:

The safeguard hold has been removed. Symantec has completed its evaluation of the impact of this update and future updates to Windows 7 and Windows 2008 R2. Symantec has determined that there is no increased risk of a false positive detection for all in-field versions of Symantec Endpoint Protection and Norton antivirus programs. See the Symantec support article for additional details and please reach out to Symantec or Norton support if you encounter any issues.

Reference:
https://support.microsoft.com/en-us/help/4512506

https://support.microsoft.com/en-us/help/4512486

Now the real question is, was there ever any problem with Symantec Endpoint Protection not being able to properly handle the Windows 7 SHA-2 updated files.

I’ll soon find out as one of my Win7 systems is still running Endpoint Protection version 12.1 RU6 MP10 (12.1.6.7454.7000).

I’ll give it a try after a full backup & of course DEFCON 3

Win7 - PRO & Ultimate, x64 & x86
Win8.1 - PRO, x64 & x86
Groups A, B & ABS

• This reply was modified 5 years, 8 months ago by RDRguy.

1 user thanked author for this post.

woody

Reply | Quote

Confirmation that Microsoft withdrew their hold on the Aug 2019 Windows 7 rollup & security updates on my system having Symantec Endpoint Protection installed is depicted below …

Win7 - PRO & Ultimate, x64 & x86
Win8.1 - PRO, x64 & x86
Groups A, B & ABS

2 users thanked author for this post.

woody, geekdom

Reply | Quote