Symantec Antivirus Engine Malformed PE Header Parser Memory Access Violation
Just a quick note to Info Tech Service Providers and IT Service Desk Teams to make you aware of a recent announcement by Symantec and US-CERT about a vulnerability in the Symantec Antivirus Engine.
According to Symantec, their Anti-Virus Engine (AVE) was susceptible to a memory access violation caused by a kernel-level flaw when parsing a specially crafted PE header. The most common symptom of a successful attack is an immediate system crash, i.e. a Blue Screen of Death (BSOD).
This issue is being resolved via the normally scheduled LiveUpdate process. Symantec product engineers have addressed it in the latest AVE update, version 2018.104.22.168, released effective 5/16/2016 and delivered to customers via LiveUpdate along with the usual definition and signature updates.
How can I verify that my client has been patched?
Symantec Endpoint Protection (SEP) clients with AV content dated 2016-05-16 r24 (sequence number 160516024) or newer have already received this update, so that definition date is the indicator that a client has the new engine. Any system with older definitions should be treated as at risk.
Current Virus Definition and Security Update versions from Symantec are listed below:
- Virus and Spyware Protection – Tuesday, May 17, 2016 r7 and newer
- Proactive Threat Protection – Friday, May 6, 2016 r11 and newer
- Network Threat Protection – Monday, May 16, 2016 r11 and newer
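The check above boils down to comparing each client's Virus and Spyware definition date and revision against the 2016-05-16 r24 baseline. The script below is an added example (not Symantec's code and not the Marshall IT team's tooling) that does that comparison over a small inventory export. It assumes a constructed `host|definitions` text export, and it assumes that the nine-digit sequence number is the definition date and revision written as YYMMDDRRR, an interpretation inferred from the advisory's own pairing of 2016-05-16 r24 with 160516024.

```python
import re
from datetime import date
from typing import Dict, NamedTuple, Optional


class DefVersion(NamedTuple):
    """A SEP definition set: publication day plus revision number."""
    day: date
    rev: int


# Baseline from the advisory: clients at or above this have the fixed engine.
BASELINE = DefVersion(date(2016, 5, 16), 24)

# Three spellings of the same information seen in SEP consoles and advisories.
_ISO_RE = re.compile(r"(\d{4})-(\d{2})-(\d{2})\s*r(\d+)", re.I)          # 2016-05-16 r24
_SEQ_RE = re.compile(r"(\d{2})(\d{2})(\d{2})(\d{3})")                    # 160516024 (assumed YYMMDDRRR)
_LONG_RE = re.compile(r"(?:[A-Za-z]+,\s*)?([A-Za-z]+)\s+(\d{1,2}),\s*(\d{4})\s*r(\d+)", re.I)  # Tuesday, May 17, 2016 r7

_MONTHS = {m: i for i, m in enumerate(
    ["jan", "feb", "mar", "apr", "may", "jun", "jul", "aug", "sep", "oct", "nov", "dec"], start=1)}


def parse_definition(text: str) -> Optional[DefVersion]:
    """Parse a definition version string; return None if it is unrecognised."""
    text = text.strip()
    try:
        m = _ISO_RE.fullmatch(text)
        if m:
            y, mo, d, r = m.groups()
            return DefVersion(date(int(y), int(mo), int(d)), int(r))
        m = _SEQ_RE.fullmatch(text)
        if m:
            yy, mo, d, r = m.groups()
            return DefVersion(date(2000 + int(yy), int(mo), int(d)), int(r))
        m = _LONG_RE.fullmatch(text)
        if m:
            mon, d, y, r = m.groups()
            month = _MONTHS.get(mon.lower()[:3])
            if month is None:
                return None
            return DefVersion(date(int(y), month, int(d)), int(r))
    except ValueError:
        # Matched the pattern but is not a real calendar date (e.g. month 13).
        return None
    return None


def is_patched(version: DefVersion) -> bool:
    """Tuples compare day first, then revision, which is the order SEP publishes them in."""
    return version >= BASELINE


def triage(inventory: str) -> Dict[str, str]:
    """Classify each 'host|definitions' line as patched, at-risk or unknown."""
    status: Dict[str, str] = {}
    for line in inventory.splitlines()[1:]:  # first line is the header
        if not line.strip():
            continue
        host, _, defs = line.partition("|")
        version = parse_definition(defs)
        if version is None:
            status[host.strip()] = "unknown"      # needs a manual look, not silent success
        else:
            status[host.strip()] = "patched" if is_patched(version) else "at-risk"
    return status


# Constructed sample export, not real Marshall University hosts.
SAMPLE_INVENTORY = """\
host|definitions
lab-pc-01|2016-05-16 r24
lab-pc-02|160515010
lab-pc-03|Tuesday, May 17, 2016 r7
lab-pc-04|2016-05-16 r23
lab-pc-05|n/a
"""

if __name__ == "__main__":
    for host, state in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: {state}")
```

Anything classified as `at-risk` or `unknown` is what the Service Desk should be chasing; the `unknown` bucket exists so that a malformed or missing definition string is surfaced rather than quietly counted as patched.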
The IT Information Security team will be working with the IT Service Desk team to identify and remediate any SEP clients with out-of-date definitions. Please report any unresolved LiveUpdate issues via an MU Support ticket or an e-mail to firstname.lastname@example.org.
- Security Advisories Relating to Symantec Products – Symantec Antivirus Engine Malformed PE Header Parser Memory Access Violation
- Symantec Releases Security Update
Symantec has released Anti-Virus Engine 2022.214.171.124 to address a vulnerability in Symantec Antivirus products. Exploitation of this vulnerability may allow a remote attacker to take control of an affected system. US-CERT encourages users and administrators to review the Symantec Security Advisory for more information and apply the necessary update.
Thank you for your continued attention to information security,
Jon B. Cutler, MS, CISSP
Chief Information Security Officer
Marshall University, Division of Information Technology
Drinko Library 324, 1 John Marshall Drive, Huntington, WV 25755
Phone: (304) 696-3270, @joncutler | BeHerd Feedback
[This information from 5/17/2016 security advisory e-mail to IT Service Providers and IT Service Desk]