Symantec/Norton blocks Windows Updates (SHA-2)

Windows Update[German]Users of Windows systems that have Symantec Antivirus or Norton Antivirus installed are running into trouble as of August 2019-Patchday. These antivirus solutions are blocking the delivery of security updates signed with SHA-2 only, at least on Windows 7 SP1 and Windows Server 2008 R2.


SHA-2 signing, some details

Windows 7 SP1 (and its Windows Server 2008/2008 R2 counterparts) does not provide factory support for SHA-2 only signing of updates. Windows Update uses the SHA-1 signature that was previously included in the update packages.

I've addressed this, among other things, in the blog post Windows 7: From April 2019 'SHA-2-Support' is required. This is not a problem, because Microsoft has provided the relevant updates to SHA-2 support since months. So far, Microsoft has also provided dual-signed update packages signed with SHA-1 as well as SHA-2.

As of August 2019, however, the SHA-1 signature in the Windows 7 updates has been completely removed. These can only be installed if Windows 7 SP1, Windows Server 2008, Windows Server 2008 R2 and WSUS have been upgraded accordingly (see also WSUS: Endpoint decommissioned; SHA2 update required).

Symantec blocks SHA-2 only signed updates

Unfortunately there is a problem with the Windows updates for Windows 7 SP1 (and Windows Server 2008 R2) that have been exclusively signed by SHA-2 since August 2019. If Symantec Antivirus or Norton Antivirus is installed on these systems, Windows updates will no longer arrive. In August, this affects the security updates KB4512486 (Security Only) and KB4512506 (Monthly Rollup) for Windows 7/Windows Server 2008 R2.

Symantec has published the kb article Windows 7/Windows 2008 R2 updates that are only SHA-2 signed are not available with Symantec Endpoint Protection installed. Also Microsoft mentioned that issue within the 'known issues' of the Windows 7 SP1 updates support articles.


As outlined in 2019 SHA-2 Code Signing Support requirement for Windows and WSUS, Microsoft has released an update to Windows 7 SP1 and Windows Server 2008 R2 SP1 on August 13th, 2019 where the Microsoft Windows Updates are now SHA-2 signed instead of SHA-1 signed.. 

Updates that are only SHA-2 signed are not visible as an available download when certain versions of Symantec Endpoint Protection are installed.

The Symantec/Norton security solutions mentioned above probably identifies the new updates signed with SHA-2 only (due to the missing SHA1 signature) as malware and blocks these updates. As a result, the Windows systems will no longer be offered the required August 2019 security updates.

Microsoft and Symantec have identified the issue for Symantec Endpoint Protection. Symantec is currently working to provide an update to its security solutions so that SHA2-signed Windows updates can be reinstalled in Windows 7 / Windows 2008 R2. Also Norton antivirus products are affected in the same way.

Similar articles:
Microsoft Office Patchday (6. August 2019)
Microsoft Security Update Summary (13. August 2019)
Patchday: Updates für Windows 7/8.1/Server (13. August 2019)
Patchday Windows 10-Updates (13. August 2019)

Windows: Critical Patches (CVE-2019-1181/CVE-2019-1182) August 13, 2019
Windows 7: From April 2019 'SHA-2-Support' is required
SHA-2 patch for Windows 7 arrives on March 2019
WSUS: Endpoint decommissioned; SHA2 update required

Cookies helps to fund this blog: Cookie settings

This entry was posted in issue, Security, Update, Windows and tagged , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *