Systems running Symantec Endpoint Protection (Symantec SEP) on Windows may be throwing BlueScreens (BSODs) after the latest SEP update. The cause is a SEP update from October 14, 2019. Here is some information on this topic, which has been confirmed by Symantec.
German blog reader Ralf M. informed me yesterday afternoon about the issue via e-mail (thanks for that). But I had already noticed it via the following tweet from Woody Leonhard.
Symantec acknowledges that the Endpoint Protection client is throwing bluescreens BAD_POOL_CALLER (c2) or KERNEL_MODE_HEAP_CORRUPTION (13A). There’s a solution. Tied to Proactive threat prevention? https://t.co/KMLn4DQLMo
— Woody Leonhard (@AskWoody) October 15, 2019
There are BlueScreen issues with Symantec Endpoint Protection (Symantec SEP). This probably affects all Windows versions. Judging by the tweet above, Symantec has already acknowledged the problem. I didn't have time to post yesterday, hence this post now.
The error description
In the Symantec forum thread titled "BSOD caused by SEP update?", a user pointed to a discussion on reddit. After a Symantec SEP update on October 14, 2019, users got BlueScreens on their machines. The BSOD occurs before they can do or verify anything. The problem seems to affect all Windows versions; there are postings for Windows 7, Windows 8.1 and Windows 10. Windows servers are also affected and are restarting randomly. One user describes how he got out of the BSOD loop by booting into safe mode and uninstalling the update.
We were seeing it on Windows 8 and 10. It would Blue Screen before we could do anything so we had to safe mode and clean wipe.
Another user suspects a connection with a faulty IPS signature (revision R61) and writes that the signature R62 referenced in Symantec article TECH256643 fixes this. One suggestion from a user was to block communication with Symantec.com in the firewall.
Did anyone try a temp FW block to “Symantec.com”? I’d think it would be way too much work to manually touch all your systems to roll them back/forward. If you can stop the BSOD with a FW, then your system is up… IMHO.
That seems to have helped some people. The other workaround is to block the faulty update for Symantec SEP before it reaches the clients.
Symantec acknowledges the issue
Symantec released the official support article TECH256643 on October 15, 2019, confirming the bug. Symantec writes:
Endpoint Protection Client gets a Blue Screen Of Death (BSOD) BAD_POOL_CALLER (c2) or KERNEL_MODE_HEAP_CORRUPTION (13A)
When running LiveUpdate, the Endpoint Protection client gets a Blue Screen Of Death (BSOD) that indicates IDSvix86.sys/IDSvia64.sys as the cause of the exception BAD_POOL_CALLER (c2) or KERNEL_MODE_HEAP_CORRUPTION (13A).
When BSOD happens, Intrusion Prevention signature version is 2019/10/14 r61.
As a fix, Symantec has released a replacement for the affected Intrusion Prevention signature version 2019/10/14 r61. Signature 2019/10/14 r62 is intended to resolve the issue; you should run LiveUpdate again to download the latest Intrusion Prevention signature. Note that the faulty component is a kernel driver (IDSvix86.sys on 32-bit, IDSvia64.sys on 64-bit), so the crash hits the system as soon as the r61 content is loaded, which is why affected machines can end up in a BSOD loop.
If the BSODs prevent LiveUpdate from completing, boot the affected machines into Safe Mode with Networking, run LiveUpdate again from there, and then reboot. Anyone who still cannot run Symantec LiveUpdate because of the BlueScreens can follow this hint from the reddit.com thread:
For those with the issue of not being able to grab the definition without a bsod, grab this and install offline
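For admins who need to find out which machines in a fleet were actually hit, the following PowerShell is an added example written for this post; it is not Symantec's code and not from the reddit thread. It matches the two bug check codes from TECH256643 (0xc2 and 0x13a) against the "BugCheck" events Windows writes to the System log (Event ID 1001) after an unexpected reboot, and checks which IPS content revision is installed. The IPSDefs folder path and the YYYYMMDD.RRR folder naming are assumptions about the SEP client layout, and the sample event messages are constructed, not real log data.

```powershell
# Added example for the SEP r61 IPS-signature BSOD (not Symantec's or the
# original post's code). Assumptions are marked inline.

# Bug check codes named in Symantec article TECH256643
$AffectedBugChecks = @{
    '0x000000c2' = 'BAD_POOL_CALLER'
    '0x0000013a' = 'KERNEL_MODE_HEAP_CORRUPTION'
}

function Get-BugCheckCode {
    # Extracts the bug check code from the message of a Windows "BugCheck"
    # event (System log, Event ID 1001), which reads like:
    # "The computer has rebooted from a bugcheck. The bugcheck was: 0x000000c2 (...)"
    # Returns $null for Event ID 1001 messages that are not bug checks
    # (Windows Error Reporting also uses ID 1001 for application crashes).
    param([Parameter(Mandatory)][string]$Message)
    if ($Message -match 'The bugcheck was:\s*(0x[0-9A-Fa-f]{8})') {
        return $Matches[1].ToLower()
    }
    return $null
}

function Test-SepBugCheckMessage {
    # $true when the event message carries one of the two codes from TECH256643
    param([Parameter(Mandatory)][string]$Message)
    $code = Get-BugCheckCode -Message $Message
    return ($null -ne $code -and $AffectedBugChecks.ContainsKey($code))
}

function Get-RecentSepBugChecks {
    # Queries the live System log (run elevated). Emits one object per
    # matching bug check in the last $Days days.
    param([int]$Days = 3)
    $filter = @{ LogName = 'System'; Id = 1001; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $code = Get-BugCheckCode -Message $_.Message
            if ($code -and $AffectedBugChecks.ContainsKey($code)) {
                [pscustomobject]@{
                    Time = $_.TimeCreated
                    Code = $code
                    Name = $AffectedBugChecks[$code]
                }
            }
        }
}

function Get-SepIpsDefinitionRevision {
    # ASSUMPTION: the SEP client keeps IPS content in per-revision folders
    # named YYYYMMDD.RRR (e.g. 20191014.061 = signature 2019/10/14 r61)
    # under the path below. Adjust both if your install differs.
    param(
        [string]$DefsRoot = 'C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Definitions\IPSDefs'
    )
    if (-not (Test-Path -LiteralPath $DefsRoot)) { return $null }
    Get-ChildItem -LiteralPath $DefsRoot -Directory |
        ForEach-Object {
            if ($_.Name -match '^(\d{8})\.(\d{3})$') {
                [pscustomobject]@{ Date = $Matches[1]; Revision = [int]$Matches[2]; Folder = $_.Name }
            }
        } |
        Sort-Object Date, Revision -Descending |
        Select-Object -First 1
}

# Constructed sample messages (not real log data) to show the matching.
$samples = @(
    'The computer has rebooted from a bugcheck.  The bugcheck was: 0x000000c2 (0x0000000000000007, 0x000000000000121a, 0x0000000000000000, 0xffffd30c4c9c2030). A dump was saved in: C:\Windows\MEMORY.DMP.',
    'The computer has rebooted from a bugcheck.  The bugcheck was: 0x0000013a (0x0000000000000011, 0xffffa08e7c000100, 0xffffa08e8a8d2000, 0x0000000000000000).',
    'The computer has rebooted from a bugcheck.  The bugcheck was: 0x0000007e (0xffffffffc0000005, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000).',
    'Fault bucket 1234, type 5 Event Name: APPCRASH'
)
foreach ($msg in $samples) {
    '{0} -> affected: {1}' -f ($(Get-BugCheckCode $msg) ?? 'no bugcheck'), (Test-SepBugCheckMessage $msg)
}

# On a real client: list recent matching crashes and flag the faulty content.
Get-RecentSepBugChecks -Days 3 | Format-Table -AutoSize
$rev = Get-SepIpsDefinitionRevision
if ($rev -and $rev.Date -eq '20191014' -and $rev.Revision -eq 61) {
    Write-Warning "IPS content $($rev.Folder) (r61) is still installed; run LiveUpdate to get r62."
}
```

The `??` operator needs PowerShell 7; on Windows PowerShell 5.1 replace that expression with an `if`. Two practical caveats: the event message only tells you the bug check code, not the faulting driver, so if a machine shows 0xc2 or 0x13a with a different driver in the minidump it is a different problem. And a firewall block of "Symantec.com", as suggested on reddit, only stops new content from arriving; it does nothing for a client that has already loaded r61, which still needs Safe Mode with Networking and a fresh LiveUpdate.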
This applies to Symantec Endpoint Protection 12.1 or later. Any of you affected by the bug?