
Kudos4 Stats

Is it safe to install August 2019 Windows 7 update??

Hello,

Running W7 x64 , latest 22.18.0.213 NS and I'm gathering that info from Microsoft:

https://support.microsoft.com/en-us/help/4512486

Quoted from that KB:

"Microsoft and Symantec have identified an issue that occurs when a device is running any Symantec or Norton antivirus program and installs updates for Windows that are signed with SHA-2 certificates only. The Windows updates are blocked or deleted by the antivirus program during installation, which may then cause Windows to stop working or fail to start.

Microsoft has temporarily placed a safeguard hold on devices with an affected version of Symantec Antivirus or Norton Antivirus installed to prevent them from receiving this type of Windows update until a solution is available. We recommend that you do not manually install affected updates until a solution is available."

So my question is, should I manually install this update and its prerequisite: Prerequisite: The SHA-2 update (KB4474419) must be installed before installing this update. For more information on SHA-2 updates, see 2019 SHA-2 Code Signing Support requirement for Windows and WSUS.

or skip it for the moment??

Thanks.

P.S. I suppose the same issue should affect W10 also, but haven't the time yet to check my W 10 x64 systems.

Replies

Kudos3 Stats

Re: Is it safe to install August 2019 Windows 7 update??

As outlined in 2019 SHA-2 Code Signing Support requirement for Windows and WSUS, Microsoft will release an update to Windows 7 SP1 on August 13th, where the Microsoft Windows Updates are now SHA-2 signed instead of SHA-1 signed. 

We have identified the potential for a negative interaction between Norton and the changes explained within the Microsoft KB. Symantec and Microsoft worked together to only allow the update to be visible to versions of Norton that offer full support for Windows 7 Updates that are solely SHA-2 signed.

We will release a Norton patch in the coming days to support the installation of updates that are only SHA-2 signed.

We don’t expect much impact. We can recommend that the customers click on ‘Always Allow’ when there is an alert, thereby allowing the Microsoft applications to function seamlessly.

We will be posting about this issue on the public forums, if we see large impact.
We already have an Enterprise KB article for this issue. 

Norton Forums Global Community Administrator | Symantec Corporation 

Kudos4 Stats

Re: Is it safe to install August 2019 Windows 7 update??

I think that this significant issue with Norton Security and this month's Microsoft security updates should be stated in a pinned announcement at the top of the Norton Security section to make it much more visible as it will impact many Norton Security users.

Kudos0

Re: Is it safe to install August 2019 Windows 7 update??

bjm_:

As outlined in 2019 SHA-2 Code Signing Support requirement for Windows and WSUS, Microsoft will release an update to Windows 7 SP1 on August 13th, where the Microsoft Windows Updates are now SHA-2 signed instead of SHA-1 signed. 

We have identified the potential for a negative interaction between Norton and the changes explained within the Microsoft KB. Symantec and Microsoft worked together to only allow the update to be visible to versions of Norton that offer full support for Windows 7 Updates that are solely SHA-2 signed.

We will release a Norton patch in the coming days to support the installation of updates that are only SHA-2 signed.

We don’t expect much impact. We can recommend that the customers click on ‘Always Allow’ when there is an alert, thereby allowing the Microsoft applications to function seamlessly.

We will be posting about this issue on the public forums, if we see large impact.
We already have an Enterprise KB article for this issue. 

Norton Forums Global Community Administrator | Symantec Corporation 

Hey BJM_,

I manually install W7 Security only updates from MS Catalogue website, so the quoted text: "to only allow the update to be visible to versions of Norton that offer full support for Windows 7 Updates that are solely SHA-2 signed.", how would work with Norton Security installed???

Cheers,

Kudos0

Re: Is it safe to install August 2019 Windows 7 update??

Apostolos:

Hey BJM_,

I manually install W7 Security only updates from MS Catalogue website, so the quoted text: "to only allow the update to be visible to versions of Norton that offer full support for Windows 7 Updates that are solely SHA-2 signed.", how would work with Norton Security installed???

Sorry.....  
Hopefully, with the Norton patch in the coming days, will come information re Microsoft Update Catalog website.

Let's hear from Community

Kudos3 Stats

Re: Is it safe to install August 2019 Windows 7 update??

Apostolos , Snowman 1. Defer the update until Norton has an official statement AND it clearly states a patch is available BEFORE attempting to install those updates at a later time.

Cheers

"From DOS to Windows10 what a journey it has been" / MS Certified Professional / Windows Server 2016 Essentials / Windows 10 Professional x 64 version 1903 / build 18362.418 / N360 Deluxe 22.19.8.65 / Norton Core v.282 on Android 2.11 / Opera GX
Kudos5 Stats

Re: Is it safe to install August 2019 Windows 7 update??

I'm running Norton Security v. 22.18.0.213 on Win 7 SP-1 Pro x64.

Windows Update informed me that KB4474419 was available. I installed it, and my computer works fine.

This update, however, is not the problem. The problem is apparently with KB4512506 -- Monthly Rollup and KB4512486 -- Security-only update. Even after installing KB4474419, MS Updates didn't offer me either of the problematic ones.

The Symantec Enterprise KB article only indicates that the problem is with Enterprise Endpoint Solutions; it doesn't mention any of the Norton products at all.

The answers provided to this Forum Thread are not at all clear except for this: "Defer the update until Norton has an official statement AND it clearly states a patch is available BEFORE attempting to install those updates at a later time."

This should be in big red letters at the head of this Forum. I'm sure lots of Norton users around the world are wondering what's going on with the August MS updates.

I'm wondering out loud how Norton intends to distribute its official statement and clearly state that a patch is available to address this specific issue.

Kudos2 Stats

Re: Is it safe to install August 2019 Windows 7 update??

The question also is what happens if a user tries to install manually those updates from Microsoft Catalogue.

https://support.microsoft.com/en-us/help/4512486

Will it install or Norton will destroy the installation process??

For the moment I manually installed KB4474419 and 2019-08 Cumulative Security Update for Internet Explorer 11 for Windows 7 for x64-based systems (KB4511872) with no side-effects.

I won't use Windows Update to update other components like Office or .NET Framework, (if available this month), until Symantec releases a patch.

Cheers,

Kudos0

Re: Is it safe to install August 2019 Windows 7 update??

The question also is what happens if a user tries to install manually those updates from Microsoft Catalogue.
I think this has been addressed in previous postings. Anyway, the short answer (as far as I understand) is "Don't do it".

For the moment I manually installed KB4474419 ...
As mentioned previously, there is apparently no problem with KB4474419. I installed it on several machines directly from Windows Update without incident.

I won't use Windows Update to update other components like Office or .NET Framework, (if available this month), until Symantec releases a patch.
Good idea, but it almost sounds like you don't trust M$ in this case.

To me, they've actually handled this MUCH better than Symantec. (And no, I'm definitely not a Microsoft fanboy!)

My understanding of computers is quite limited, but I assume that in order to block computers running Norton products, Microsoft had to invest some time and money in programming/reprogramming their Windows Update system. After all, the Aug 2019 Windows Update somehow immediately identified machines all around the world running Norton products and "miraculously" blocked the delivery of the potentially damaging updates.

In contrast, Symantec made available an inane statement about Enterprise Endpoint Solutions that doesn't even mention their Norton product line, which I assume brings in lots of money for them.

Anyway, I'm hanging on to see how this works out. My guess is that if and when Microsoft releases the potentially dangerous updates to Norton users, it's a reasonable assumption that they think the problem has been solved. Of course Symantec will address the issue at some point and update the Norton programs as required. I just wonder how they're going to let us know when this has been done.

In the recent past, I've only received new Norton versions when I manually run "LiveUpdate". I assume this practice will continue. Only when a new version is out will I check Windows Update to see if the problematic August 2019 Updates are available.

Kudos0

Re: Is it safe to install August 2019 Windows 7 update??

FWIW.
Offered x2 W7 64 Home Premium Updates. Both installed, OK.
KB4507449 installed, Last Month.
SinecoalCirph4.

Kudos1 Stats

Re: Is it safe to install August 2019 Windows 7 update??

Apostolos, I just posted a thread in the Tech Outpost area concerning the latest update KB4512508 for Windows 10 from the August 13 patch cycle. Installing it caused SERIOUS heating issues on the one device I installed it on. Although not related to Win 7, I see in your original post that you have a WIN10 system as well. Please advise if you see anything funky while updating your W10 system which may relate to that thread if you'd be so kind.

Cheers

Kudos0

Re: Is it safe to install August 2019 Windows 7 update??

"FWIW.
Offered x2 W7 64 Home Premium Updates. Both installed, OK.
KB4507449 installed, Last Month.
SinecoalCirph4."

Last month?

 
Kudos0

Re: Is it safe to install August 2019 Windows 7 update??

houri. Last month?

It appears in Windows Updates for 10/07/2019. LAST MONTH !
SinecoalCirph4.

Kudos0

Re: Is it safe to install August 2019 Windows 7 update??

ITMA:

houri. Last month?

It appears in Windows Updates for 10/07/2019. LAST MONTH !
SinecoalCirph4.

KB4507449, the July Monthly Rollup, had an issue with McAfee. There was no problem with Norton products as far as I'm aware.

Please excuse me, but I'm not sure I understand the relevance of your post. The problems under discussion here relate to the August Monthly Rollup KB4512506 and KB4512486 -- the Security-only update.

Kudos0

Re: Is it safe to install August 2019 Windows 7 update??

The following article might be of interest to followers of this thread, though it really doesn't add any information toward a solution of the problem.

https://borncity.com/win/2019/08/14/symantec-norton-blocks-windows-updates-sha-2/

There have also been a couple of questions regarding manually installing the updates in question.

Microsoft wrote, "We recommend that you do not manually install affected updates until a solution is available." (https://support.microsoft.com/en-us/help/4512486/windows-7-update-kb4512486)

Kudos0

Re: Is it safe to install August 2019 Windows 7 update??

houri. Please excuse me, but I'm not sure I understand the relevance of your post.

I keep an eye out for current trends, in what's coming up, and what's gone 'phut'. Hopefully, to mitigate against the 'phuts', I'll see if there's a manual install available, and install it. So, I don't encounter, what others are experiencing. It's a continual process.
SinecoalCirph4.

Kudos0

Re: Is it safe to install August 2019 Windows 7 update??

ITMA:

houri. Please excuse me, but I'm not sure I understand the relevance of your post.

I keep an eye out for current trends, in what's coming up, and what's gone 'phut'. Hopefully, to mitigate against the 'phuts', I'll see if there's a manual install available, and install it. So, I don't encounter, what others are experiencing. It's a continual process.
SinecoalCirph4.

So far so good. But I still don't see where you've addressed the August 2019 updates issue. 

I know you started your first post with FWIW, so you've certainly given yourself some breathing space. 

What I'd really like to know though, is whether you've installed the August 2019 Windows Update and, if so, what the outcome was.

Thanks for your ongoing feedback.

Kudos0

Re: Is it safe to install August 2019 Windows 7 update??

So far so good. But I still don't see where you've addressed the August 2019 updates issue. I know you started your first post with FWIW, so you've certainly given yourself some breathing space. What I'd really like to know though, is whether you've installed the August 2019 Windows Update and, if so, what the outcome was.

houri.
It's all to do with changes to SHA-*, and how users best address the issue. Prudence dictates that when in doubt, wait for official fixes, and don't manually load updates, not offered by WU. What I do is exclusive to me; certainly not satisfactory elsewhere.
ALWAYS UTILISE 3RD PARTY ADVICE, WITH EXTREME CAUTION !
SinecoalCirph4.

Kudos0

Re: Is it safe to install August 2019 Windows 7 update??

ITMA:

houri.
It's all to do with changes to SHA-*, and how users best address the issue. Prudence dictates that when in doubt, wait for official fixes, and don't manually load updates, not offered by WU. What I do is exclusive to me; certainly not satisfactory elsewhere.
ALWAYS UTILISE 3RD PARTY ADVICE, WITH EXTREME CAUTION !
SinecoalCirph4.

 @ IMTA

I find your evasiveness perplexing. As I wrote, "What I'd really like to know ... is whether you've installed the August 2019 Windows Update and, if so, what the outcome was."

Please excuse my persistence. To me this is not a philosophical debate regarding computer practice but rather a simple attempt to gather information about other people's experience with the August 2019 Microsoft Updates and the purported interaction issue with Norton products.

I will make my own decision as to what to do.

Again, thank you for your ongoing input.

Kudos0

Re: Is it safe to install August 2019 Windows 7 update??

I find your evasiveness perplexing. As I wrote, "What I'd really like to know ... is whether you've installed the August 2019 Windows Update and, if so, what the outcome was."
Please excuse my persistence. To me this is not a philosophical debate regarding computer practice but rather a simple attempt to gather information about other people's experience with the August 2019 Microsoft Updates and the purported interaction issue with Norton products.
I will make my own decision as to what to do.

 houri.
NOTHING LEFT TO MENTION !

SinecoalCirph4.

Kudos0

Re: Is it safe to install August 2019 Windows 7 update??

Folks. Microsoft began the SHA-2 migration with monthly update back in March of this year. The final mitigation is with this month's roll up. IF, you have been staying on top of and installing regular updates as they are released you are ahead of the game. That being said, someone here said third party advice doesn't have merit. To each their own as installing updates is a decision which is user based. Personally, I stand by my previous statement NOT to install this update until Norton has patched their products. AND, it's ready for prime time. NOT Norton just waiting to "see what the impact within the community is", then they patch. If you don't want data loss or the risk of it, don't patch unless you backup your system with an image on a regular basis.

Cheers

Kudos1 Stats

Re: Is it safe to install August 2019 Windows 7 update??

Regarding the 7 entry on this thread from houri "... it doesn't mention any of the Norton products at all." and " I'm wondering out loud how Norton intends to distribute its official statement and clearly state that a patch is available to address this specific issue. "

Maybe the following support article (which was referred to in the German Norton Forum by a moderator) might help you (hopefully it will be updated when there is an update)

https://support.norton.com/sp/en/us/home/current/solutions/v133892938

I think the Norton product line will be automatically updated via live update (probably around or before the 22nd of August - this is the possible release date of the Enterprise product line patches) and after that the (maybe manually triggered) automatic windows update will detect the compatible file version of the Norton driver and will offer the August security update.

Kudos0

Re: Is it safe to install August 2019 Windows 7 update??

Apostolos:

I manually install W7 Security only updates from MS Catalogue website, so the quoted text: "to only allow the update to be visible to versions of Norton that offer full support for Windows 7 Updates that are solely SHA-2 signed.", how would work with Norton Security installed???

Cheers,

Technically Microsoft blocks the installation of the new updates which contain SHA-2 only signed files via a precondition check in their automatic Windows Update only (either on the existence of files with a specific version number or the existence of a registry key). So when you download the msu directly this check will never be executed (the catalog website doesn't verify any prerequisites either) and it will install anytime (with any consequences), as this check is only contained in the metadata verified by the automatic Windows Update component - so you have to verify compatibility manually before executing the msu files.

https://support.microsoft.com/en-us/help/4512486

Officially you should NOT install it unless you have your Norton Security patched with the SHA-2 compatible version of the signature verification component, which has yet to be released.

As soon as Norton installs the compatible patch the precondition will be true at the next automatic check and the update will be automatically offered by automatic windows updates. As far as I remember: If you download from the update catalog only to install the security-only update and not the cumulative update, you can do this by hiding the cumulative update with right mouse click and starting a new search.

So one possibility would be to install all applicable updates and then to set your automatic windows update to never or check but not download and as soon as you see KB4512506 or KB4512486 being offered downloading and installing them should be safe (at least on this computer).
Or you wait until there is more information about the location and version number of the compatible driver component of Norton (then you can verify compatibility manually and install the August security update when the compatible driver component is installed).
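
A pre-install state check for the manual-install case described in the post above, as an added example that is not part of the thread or of any Microsoft or Norton tooling: it reports whether the prerequisite KB4474419 and the two held updates are installed, and which Norton/Symantec product versions the uninstall registry keys list. The function names are hypothetical, and because the thread gives no version number for a fixed Norton component, the script only reports the installed version for comparison against the vendor's support article.

```powershell
# Added example (not from the thread). Written for PowerShell 2.0,
# the version that ships with Windows 7 SP1. Function names are hypothetical.

$Prerequisite = 'KB4474419'                # SHA-2 code signing support update
$HeldUpdates  = 'KB4512506', 'KB4512486'   # August 2019 Monthly Rollup, Security-only

function Test-HotFixInstalled([string]$Id) {
    # Get-HotFix reports an error for an id that is not installed;
    # suppress it and turn the result into a boolean.
    [bool](Get-HotFix -Id $Id -ErrorAction SilentlyContinue)
}

function Get-SymantecProduct {
    # List installed Norton/Symantec products from the uninstall keys
    # (64-bit and 32-bit registry views).
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    $found = foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem $root | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
            if ($p.DisplayName -match 'Norton|Symantec') {
                New-Object PSObject -Property @{
                    Name    = $p.DisplayName
                    Version = $p.DisplayVersion
                }
            }
        }
    }
    # The same product can appear in both views; report it once.
    $found | Sort-Object Name, Version -Unique
}

function Get-UpdateReadiness {
    $os        = Get-WmiObject -Class Win32_OperatingSystem
    # 6.1 with SP1 covers Windows 7 SP1 and Windows Server 2008 R2 SP1.
    $isWin7Sp1 = ($os.Version -like '6.1.*') -and ($os.ServicePackMajorVersion -eq 1)
    $products  = @(Get-SymantecProduct)
    $prereq    = Test-HotFixInstalled $Prerequisite
    $installed = @($HeldUpdates | Where-Object { Test-HotFixInstalled $_ })

    if (-not $isWin7Sp1) {
        $advice = 'Not Windows 7 SP1 / 2008 R2 SP1: outside the case discussed in this thread.'
    } elseif ($installed.Count -gt 0) {
        $advice = 'A held update is already installed: ' + ($installed -join ', ')
    } elseif ($products.Count -gt 0) {
        $advice = 'Norton/Symantec product found and held updates absent. ' +
                  'Microsoft recommends not installing them manually until a fix is available; ' +
                  'compare the version below with the vendor support article.'
    } elseif (-not $prereq) {
        $advice = "No Norton/Symantec product found; install $Prerequisite before the August updates."
    } else {
        $advice = "No Norton/Symantec product found and $Prerequisite is present."
    }

    New-Object PSObject -Property @{
        OperatingSystem = '{0} ({1}, SP{2})' -f $os.Caption, $os.Version, $os.ServicePackMajorVersion
        PrerequisiteOk  = $prereq
        HeldInstalled   = ($installed -join ', ')
        SymantecProduct = ($products | ForEach-Object { '{0} {1}' -f $_.Name, $_.Version }) -join '; '
        Advice          = $advice
    }
}

Get-UpdateReadiness | Format-List
```

Run it from an elevated PowerShell prompt before opening any .msu downloaded from the Update Catalog, and again after LiveUpdate has delivered a new Norton version.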

Kudos0

Re: Is it safe to install August 2019 Windows 7 update??

John Owens claimed in the Enterprise forums that there would be currently no known issues with the mentioned Windows Updates - at least for Symantec Endpoint Protection - and people having installed the update manually should have no problems, but this can't be guaranteed for future updates (Norton's signature verification component on Windows 7 SP1 and Windows 2008 R2 SP1 systems only is unable to verify the SHA-2 signatures of these files and so there is fear that it might give these critical system files a bad reputation at any time, causing them to be deleted and thus your computer to fail to boot).

It is not clear whether this can be also applied exactly to Norton because of the maybe different additional detection engines.

Regarding experiences: I installed KB4512506 manually on a testing computer after all other applicable updates had been installed (see prerequisites and latest SSU in the KB article). Strangely after that automatic windows updates wanted to install 4 updates which had been released in 2016 or before after that. This also occurs when you deinstall Norton, install all windows updates (the August security updates will be then automatically installed) and then reinstall Norton. I'm unsure whether automatic windows updates doesn't handle this case properly (as the update is being regarded as not installable with Norton and so it is confused that some files of those old updates don't match anymore and might even downgrade those files to a very early version - I haven't tried or verified what really would happen by installing them) or if Norton really messes up (deletes/blocks update of) the files as this does not occur when Norton is not being installed. Even if Norton doesn't mess anything up the automatic windows update detection behaves strangely when Norton is installed and so the resulting system state is questionable and probably unsupported by Microsoft and Symantec.

Officially Symantec has decided to have the updates blocked for the SHA-2 incompatible Norton/Symantec signature verification driver versions. For manual installs on these versions you'll probably be on your own and have to decide whether you risk the issues of false positives or temporarily replace your protection solution (be aware that there are warnings (German BSI and CERTs) against (company) computers with activated remote desktop and not having all August security-patches applied). You might need updated installer files when you remove Norton, install the updates and then want to install it again. You should also verify that you have backups of your Password Manager if you choose to deinstall Norton temporarily.

You could also think about upgrading your Windows 7 SP1 to a newer version (when I read the information correctly only the Windows 7 SP1 version of Norton is affected by this problem)  as it will be EOS soon (January 2020).

Kudos1 Stats

Re: Is it safe to install August 2019 Windows 7 update??

As a user of Norton Security I think that the way that Norton have handled their SHA-2 problem is appalling.

The problem should not have happened in the first place - Microsoft gave notice about the SHA-2 signing change months ago.

Given that the problem did happen I would then expect the following from a professional, customer-focused organization:

- An apology to customers recognizing that the problem should not have happened and giving a commitment to investigate why it happened and then put in place measures to try to prevent a similar situation in future.

- An official statement that includes the following information:
a) Which versions of which Norton / Symantec products in which Windows environments have the SHA-2 problem.
b) An estimated date when each Norton / Symantec product will be fixed.
c) Where to go for status updates - if the estimated fix dates change and announcing when the problem has actually been fixed for each product version.
d) What actions a user is expected to take for each product and when to take them.

The very limited information that Norton / Symantec have officially published seems to relate to Symantec Endpoint Protection, which is a product that I do not use. It is not clear whether the estimated timescales for fixing Symantec Endpoint Protection have any bearing on the timescale for fixing Norton Security.

On 13th Aug bjm_ helpfully obtained and posted a comment from the Norton Forums Global Community Administrator in this thread:

https://community.norton.com/en/comment/8190831#comment-8190831

To my mind this seems to indicate that Norton don't seem to think this issue is a big deal:
- It says 'We don't expect much impact'.
- It says 'We will be posting about this issue on the public forums, if we see large impact.'

5 days have now elapsed.

I think that Norton are underestimating the feelings of Norton users regarding their SHA-2 problem and that their response to the problem has been inadequate.

Kudos0

Re: Is it safe to install August 2019 Windows 7 update??

- An apology to customers recognizing that the problem should not have happened and giving a commitment to investigate why it happened and then put in place measures to try to prevent a similar situation in future.

I agree that it is a shame that they haven't noticed that earlier (as MS published information about this going to happen as early as Nov 2018, but with uncertain time frame).

As they seem to have had no fix ready to be deployed, their decision to have the update blocked as a precaution to prevent the possibility of their customers' computers not booting up any more is understandable. I think we would have been much more angry at them when they forgot to prepare their product AND then let automatic updates make the computers unusable. And we would also not have been happy when they deployed a quick untested patch with the possibility of crashing the systems.

In combination with the RDP security issues and no clear communication how to proceed now the situation clearly isn't ideal. The question is whether they really could not implement a temporary whitelist of the new system files and thus allowing the updates to be installed (maybe they decided not to do that, because they probably would have to use weak SHA checksums and MS will have a good reason for not using them anymore or because it would have also had the possibility to negatively affect the system's stability).

As John_Owen stated that there seems to be no negative effect on manually installing the updates on systems with SEP (although he does NOT recommend that), an official statement of Symantec whether this is also true for the Norton product line and how to proceed would be nice, but I personally think they are waiting and going to release the updates around the 22nd of August and then this will not matter anymore (unless you are responsible for a company and have to decide how to properly safeguard your systems against all vulnerabilities in the meantime).

I don't work for Symantec/Norton so I don't have secret/further information nor can I speak for them, but I will try to answer your questions with the currently available information.

The very limited information that Norton / Symantec have officially published seems to relate to Symantec Endpoint Protection, which is a product that I do not use.

I posted the link from the German Norton forum in this thread before (I think they will update it when they have patches available):

https://support.norton.com/sp/en/us/home/current/solutions/v133892938

a) Which versions of which Norton / Symantec products in which Windows environments have the SHA-2 problem.

I think the information about the reasons from John_Owens (a Symantec Technical Support Employee) about this issue for Symantec Endpoint Protection is applicable to Norton as well:

https://www.symantec.com/connect/forums/issue-about-sha2-windows-update-...

The issue is that the file verification component for Norton running on Windows 7 SP1/Windows 2008 R2 SP1 systems can't handle SHA2 signatures (on other systems there seems to be a newer verification component and thus they should not be affected). As Microsoft has switched to SHA2 only file signature with the latest updates there was the possibility that Norton might distrust the new system files (as it can't verify the signature to be a trusted Microsoft signature) and this could lead in combination with other false positive detections to the decision to delete/block critical system files causing your system to fail to boot.

Norton on Windows 10 should not be affected as Microsoft switched there earlier to SHA2 only signatures and so there this issue would have been triggered earlier: https://support.microsoft.com/en-us/help/4472027

Norton on Windows 8.1 should currently also not be affected (if it does not already use the newer verification component - I think it does already), because MS seems to have not changed to SHA2 only signature of system components yet.

b) An estimated date when each Norton / Symantec product will be fixed.

I don't have real information, but when SEP is being fixed on about 22nd of August, I think they will deploy similar updates to Norton about this date, but check the support documents and new posts.

c) Where to go for status updates - if the estimated fix dates change and announcing when the problem has actually been fixed for each product version.

As John_Owen stated SEP will only receive fixes for the latest versions. Regarding status updates I would refer to the official support documents for Norton (posted above) and Endpoint Protection

d) What actions a user is expected to take for each product and when to take them.

If you are not running Windows 7 SP1 you probably have to do nothing.

When you are running Windows 7 SP1 there are two possibilities:

1) When you are not a business user (and not running RDP) you probably are using Norton products and you will have to be more careful when you are online (as you don't have all the security patches) until the Norton patches are released.

For installation of the Norton patches I think the only thing you have to do is to trigger live update regularly (as product updates are deployed via live update on the Norton product line) and check afterwards whether Windows update will offer you newer Windows updates after triggering a search. As soon as Windows detects that the Norton file verification component has been updated with a compatible version it should start offering the updates on a new update search (maybe MS has to update the WU metadata for verification, but this is something Symantec has to take care of if they have not already agreed on the version number of the fixed component or a "I'm compatible"-registry key).

2) When you are a business user  you should consider how to protect against the RDP and other security holes and when you are using Endpoint Protection you have to check whether you are current on maintenance (eligible to download the released patches) as it seems that Symantec won't publish these via liveupdate for Endpoint Protection, but you will have to manually download and apply them.

Kudos0

Re: Is it safe to install August 2019 Windows 7 update??

Beating a dead horse here it appears folks. Windows 10 is all set for the SHA-2 change? Not entirely as I had issues on a couple of machines with the latest Win10 monthly update. Over heating, CPU fans stopped working. Yep!! It was drivers that caused those issues. SHA-2? I cannot prove it either way. Are Windows 7 and Norton ready? For some yes, others maybe not. Microsoft has advised AGAINST manually installing the Win7 updates as others here have stated. WU checks for signing while a manual install doesn't. WAIT for Norton to deliver an official statement and hotfix. The impact is already obvious so. Don't ask for possible issues when others are warning about them. Just my dime!! @Sunil_GA

Cheers

Kudos0

Re: Is it safe to install August 2019 Windows 7 update??

In the Enterprise Forum John_Owens said

Out of an abundance of caution we worked with MSFT to have the update hidden so that the potential for a False Positive could be prevented. The reason for this is that the version of SymVT that's in use with legacy Operating Systems (Win7/Win2K8R2) does not have the ability to see SHA-2 signatures.

By removing the signature from the evaluation process, there is the potential that the final reputation score is impacted which may result in Conviction/Exoneration variance. For this update, we observed no such False Positives.

However, it's possible a future update may have different behavior, so it's in everyone's best interest to pick up one of the fixed releases as soon as they're available so that this concern can be avoided.

Once the machines have the SEP hotfix installed they will be update the MS updates and it will not be blocked. We are not working with MS to remove the block/hiding for updates being delivered by Windows Update.  The hotfix must be installed on these systems once available.  

I think the same is applicable to Norton with the difference that they are probably going to deliver the patch automatically via live update.

The file verification driver of Norton on Windows 7 SP1 systems currently can't verify SHA-2 signatures and even if currently there might be no negative noticeable impact, some future definition updates could contain detections which trigger by incident on critical system files and as Norton can't whitelist the critical system files by verification of their signatures they might be deleted. When this happens, you might experience serious impacts (crash, system not booting). If this should happen during a firmware update or some other critical step, your hardware might even be damaged.

So is it guaranteed to be SAFE to install the August update (not KB4474419 which is always offered, but the monthly updates)?

I would say NO otherwise Symantec wouldn't have requested the install blocker for automatic updates.

But you are free to consider the situation and the possible impacts on your environment yourself. The official suggestion by Symantec and Microsoft seems to be to wait until the fix has been deployed via live update (for the Norton product line) and then automatic Windows updates will offer all the previously blocked Windows updates automatically on the next search.

Kudos1 Stats

Re: Is it safe to install August 2019 Windows 7 update??

And what about the monthly rollup 2019-08 preview KB4512514 now available via Windows Update (Win7 x64) ?

Kudos1 Stats

Re: Is it safe to install August 2019 Windows 7 update??

I think that NortonTester has provided some useful information and also made some educated guesses in some areas.

However only Norton has the information needed to give definitive statements.

Some examples of why we need more information from Norton:

- The support article below currently gives no estimated date for a fix to Norton Security:
https://support.norton.com/sp/en/us/home/current/solutions/v133892938

- NortonUser has guessed that Norton Security might be updated in a similar timeframe to Symantec Endpoint Protection. However it seems possible that the code for Symantec Endpoint Protection is not the same as the code for Norton Security and that fixes to the Enterprise product (Symantec Endpoint Protection) might be prioritised over fixes to the consumer products such as Norton Security. So it seems possible that Norton Security may not be fixed until some time later.

- There seem to be multiple consumer products. I currently have Norton Security on my systems. There is also Norton 360 (I think that there may be other Norton variants as well). Do they all have the same SHA-2 problem? Will they be fixed at the same time? There is currently a pinned thread 'New Norton 360 Upgrade offer for existing customers'. If Norton 360 does not have the SHA-2 problem or it will be fixed much sooner than Norton Security then I might consider trying to switch at least one of my PCs from Norton Security to Norton 360 (e.g. if the absence of Microsoft Security Updates becomes a major problem due to a widespread active threat).


To clarify/restate - my issues are:

- At the moment I am in the position where I have paid good money for a Norton Security product that is actually compromising my security by preventing me from installing Microsoft Security Updates.

- This should not have happened. Microsoft communicated the SHA-2 signing change months in advance. Norton have given no apology to their customers for their mistake and no commitment to investigate what went wrong and then put in place measures to try to prevent a similar situation in future. Norton might want to consider extending the subscription period for existing Norton users as a goodwill gesture.

- When the issue did happen Norton did not put in place an effective problem management process that included effective communication with their customers. It is now 6 days since the problem became public on 13th August (and given that Microsoft blocked updates on Patch Tuesday I assume that Norton must have been aware of the problem sometime before 13th August).

- I do not have enough information to make any judgement on whether the Norton / Microsoft decision to block the August Microsoft Security Updates was the correct decision. Clearly there are tradeoffs and risk assessments to be made. This decision may need to change in future (e.g. if there is a widespread active threat that requires the Microsoft Security Updates to be applied).

- It should not be necessary for users such as bjm_, NortonTester and myself to have to spend time hunting around for information, trying to persuade Norton to publish it or trying to guess when fixes might be released.

Kudos0

Re: Is it safe to install August 2019 Windows 7 update??

If you don't see the image because it is in moderation, you should find it in the attached zip-file too.

For anyone interested in manually verifying whether Norton should be compatible: there might be a possibility to do so without using automatic Windows Update directly.

wsusscn2.cab probably contains the detection rules automatic updates use to verify whether Symantec/Norton is fixed. You can download this file (warning: it is more than 530 MB) from Microsoft.

When you search (via search function) for the KB number of the first cumulative KB being blocked (kb4512506-x64 - I used the x64 version, somebody else might want to repeat the steps for x86 to be sure, but at a quick look I saw the same interesting prerequisite being used for x86) from the end of the file up to the beginning you get the FileLocation-ID. This you use for another search to find out in which PayloadFiles-Section this id is referenced. Now you should have found the Update-Entry for KB4512506 and now it becomes interesting.

You see that there are many prerequisite update IDs. When you carefully repeat the search for them, they should refer to updates with an old creation date, so they aren't interesting. But one of them references an update with a recent creation date. It currently has revisionid 29643205. Use this number and look up which file it belongs to according to index.xml: package68.

In package68.cab you will find a file with the name 29643205 (depending on your archive program you will see it multiple times (Windows doesn't handle folders in .cab-files well and might show you this file from different folders in parallel)). In the folder "c" there should be the file we need. I copied its content into the last paragraph.

Here you can see that this prerequisite is fulfilled when there is either no vtDataVersion DWORD entry in a specific registry key (probably no Norton/Symantec installed - not our case) OR when the vtDataVersion is greater than 17 (unfortunately I'm unsure if this should be the hexadecimal value or the decimal value - if it is hexadecimal it would be greater than the decimal value 23). In case the picture isn't visible: the DWORD entry should be in HKLM\System\CurrentControlSet\Services\SymEFASI\Parameters - but as we are in a home user forum be warned: please DO NOT MODIFY IT MANUALLY and DO NOT USE REGISTRY EDITOR IF YOU ARE NOT COMPLETELY SURE WHAT YOU ARE DOING.

I currently don't have access to the W7 computer with Norton installed, so maybe someone experienced might want to verify whether this is really the registry key which blocks the automatic updates on Norton systems (and when the fix is released someone should be able to solve the question whether it was a hexadecimal or a decimal value).

Someone with experience with the WUA api and developer tools will say my method to extract the metadata is very slow and stupid, but it worked and I think even non-programmers could repeat the steps - a good xml editor would have been better - don't use IE as it hangs up/crashes on these huge files.

Kudos0

Re: Is it safe to install August 2019 Windows 7 update??

I contacted (German) Norton Support via chat some hours ago and told them about this thread and that we would like to have more information about estimated timeframes, ... and what to do with the BSI recommendation to uninstall Norton temporarily and that we would like to receive infos either in this Forum Thread or on the Norton support page which has been previously linked.

I don't have a serial number connected to my account (as I only "support" Norton on computers of my friends (they have valid licenses) as I have switched away from Norton to another AV solution some time ago) and used a nonexistent email address for opening the case. Albeit the person at support was nice and promised me to talk to technical support and forward the information about the BSI news, you as verified paying users might want to try to contact the English Norton Support as I'm not sure if anyone from Norton already knew about our wish to receive more information and verified paying customers might be even more important (I think I haven't seen a moderator commenting on this issue and probably nobody else has contacted the Norton Support yet, so they probably didn't notice this Forum Thread).

Kudos0

Re: Is it safe to install August 2019 Windows 7 update??

Installed Norton Security (on a Win 8.1 machine) only to see if the key exists. It does. Maybe the Enterprise information is NOT applicable and Norton Security uses an old version on Win 8.1 too (you should see the VTDataVersion is EXACTLY 17 decimal, thus not greater than 17). Either Win 8.1 users have had luck that the SHA2 change seems to happen there later or this key is not an indicator whether the driver really is capable of handling SHA2, but only used as indicator for the last version which had not been capable on Windows 7.

Out of curiosity I tried to upgrade to the really latest Norton Security (latestns-Download gave me a 22.17 version) by manipulating the download link to the probably latest 22.18 version (announced on German Norton Forum - and if I had looked it was also announced by the opener of this thread), but LiveUpdate didn't find anything new, so the file path hasn't changed and the VTDataVersion hasn't either. Maybe there would be a newer beta version somewhere which already uses a patched SymEFASI (but that wouldn't be safe either).

So at least it is now clear that this registry key is the indicator (at least for Windows 7) whether Norton (and not only SEP) has been successfully updated with a SHA2-capable signature verification driver. So let's see what happens on 22nd of August (which probably will be one day later in my timezone).

Kudos0

Re: Is it safe to install August 2019 Windows 7 update??

Sharing!
Checked my W7 64. Reg Entry '17'.
SinecoalCirph4.

Kudos0

Re: Is it safe to install August 2019 Windows 7 update??

Some more information / observations:

On 13th Aug (Patch Tuesday) when the SHA-2 problem became public I had Norton Security 22.18.0.213 installed on my Win 7 system and Windows Update was offering me the 2019-07 Preview KB4507437 rather than the Win 7 monthly rollup KB4512506.

Earlier today Windows Update was offering me KB4512514, the Aug 17th Preview of Monthly Rollup as an Optional Update.

https://support.microsoft.com/en-gb/help/4512514/windows-7-update-kb4512514
This update includes improvements and fixes that were a part of KB4512506 (released August 13, 2019) and also includes new quality improvements as a preview of the next Monthly Rollup update.
The "Known issues in this update" section still refers to the Symantec / Norton SHA-2 issue, however KB4512514 is being offered in Windows Update on systems with Norton Security, which is odd.
noghere has previously questioned this above:
https://community.norton.com/en/comment/8193381#comment-8193381

I just did LiveUpdate and got a big Norton Security update.
My Norton Security version is now 22.18.0.222.
My VTDataVersion is now 0x00000012 (18).

Windows Update is now offering me KB4512506, the 2019-08 Security Monthly Quality Rollup for Windows 7 for x64-based Systems as an Important update.
(It is also still offering me KB4512514, the Aug 17th Preview of Monthly Rollup as an Optional Update)

So Norton Security version 22.18.0.222 might have fixed the SHA-2 issue?

I am waiting for further information from Norton / Microsoft before actually installing any updates.

Kudos0
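The registry rule worked out in the posts above (prerequisite met when vtDataVersion is absent or greater than 17), as an added example that is not part of any post and not Norton or Microsoft code: it parses the text printed by a read-only `reg query` and checks which reading of the threshold, decimal or hexadecimal, fits the values reported in this thread. The sample outputs, function names and the observation list are constructed for illustration.

```python
import re

# Key and value name as given in the thread; query them read-only with:
#   reg query "HKLM\System\CurrentControlSet\Services\SymEFASI\Parameters" /v vtDataVersion
VALUE_NAME = "vtDataVersion"

# `reg query` prints DWORD data as hex, e.g. "    vtDataVersion    REG_DWORD    0x12"
_DWORD_LINE = re.compile(
    r"^\s*(?P<name>\S+)\s+REG_DWORD\s+(?P<data>0x[0-9a-fA-F]+)\s*$"
)


def parse_reg_dword(reg_query_output, value_name=VALUE_NAME):
    """Return the DWORD as an int, or None when the value is not present."""
    for line in reg_query_output.splitlines():
        match = _DWORD_LINE.match(line)
        if match and match.group("name").lower() == value_name.lower():
            return int(match.group("data"), 16)
    return None


def prerequisite_met(value, threshold):
    """Rule described in the thread: no entry at all, OR value > threshold."""
    return value is None or value > threshold


# The two candidate readings of the "17" seen in the update metadata.
THRESHOLD_READINGS = {"decimal 17": 17, "hexadecimal 0x17": 0x17}

# Constructed sample outputs mirroring the values posters reported.
SAMPLE_BEFORE = """
HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\SymEFASI\\Parameters
    vtDataVersion    REG_DWORD    0x11
"""
SAMPLE_AFTER = """
HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\SymEFASI\\Parameters
    vtDataVersion    REG_DWORD    0x12
"""
SAMPLE_ABSENT = (
    "ERROR: The system was unable to find the specified registry key or value.\n"
)

# (reg query output, was KB4512506 offered by Windows Update?)
# Assumption: entry 17 goes with the blocked state, entry 18 with the offered state.
OBSERVATIONS = [
    (SAMPLE_BEFORE, False),
    (SAMPLE_AFTER, True),
]


def consistent_readings(observations):
    """Return the threshold readings that explain every observation."""
    matching = []
    for label, threshold in THRESHOLD_READINGS.items():
        if all(
            prerequisite_met(parse_reg_dword(output), threshold) == offered
            for output, offered in observations
        ):
            matching.append(label)
    return matching


if __name__ == "__main__":
    for output, offered in OBSERVATIONS:
        print(parse_reg_dword(output), "offered" if offered else "not offered")
    print("readings that fit:", consistent_readings(OBSERVATIONS))
```
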

Re: Is it safe to install August 2019 Windows 7 update??

FWIW!! Norton live update is not offering 22.18.0.222 on my machines presently. Nothing posted in forums for the update either. Will check on and off during the day for it.

Cheers

Kudos1 Stats

Re: Is it safe to install August 2019 Windows 7 update??

I'm in Germany, but I use US English Windows 7 pro x64 and English Norton Security. All of my computers (six, three desktops and three laptops) received the update to 22.18.0.222.

I updated, and the Windows Update issue appears to be completely resolved.

I can hardly praise Norton for the way they've handled this in regard to communication, but at least their programmers appear to have finally gotten it right.

Kudos0

Re: Is it safe to install August 2019 Windows 7 update??

On the Windows 7 SP1 x64 computer I seem to have an older Norton Security version, but it received SymVTDataFile VT20190819.064, DataFileLoc 1612000.0DE and updated the VTDataVersion to (18).

So it seems that Norton is deploying the patched version and probably the only thing you have to do now is to start live update, maybe you have to reboot too and then you should receive the previously blocked Windows Updates with the security updates via automatic update again.

Be aware that the security updates from August (KB4512506 and security-only KB4512486) have had issues with VB6, VBScript, ... and you might have to install the optional KB4517297 to resolve this.

Accepted Solution
Kudos9 Stats

Re: Is it safe to install August 2019 Windows 7 update??

Hi Everyone,

Norton Security 22.18.0.222 has been released targeting Windows 7 SP1 customers with Norton 22.18.0.213 installed. This build fixes the Norton installation issue on Windows 7 machines. Once this patch is applied, Windows 7 customers can apply the latest Windows Update patch.

Note: This is a throttled release. The version change is for Windows 7 users ONLY

Sunil_GA | Norton Forums Administrator | Symantec Corporation
Kudos0

Re: Is it safe to install August 2019 Windows 7 update??

I can verify as a Win7 user that I received the Norton Security update 22.18.0.222 a few minutes ago.  Ran windows update and I'm now being offered the KB4512506 update.  I'm not installing the update yet as I've learned to wait a few weeks until any bugs are figured out ... but at least I'm now seeing it in Windows Update

Kudos0

Re: Is it safe to install August 2019 Windows 7 update??

Norton Security 22.18.0.222 has been released targeting Windows 7 SP1 customers with Norton 22.18.0.213 installed.

Sharing. W7 32 Starter.
Installed 22.18.0.222.
Installed MS WU 20/08. KB4503548, KB4512514, KB4512193, KB4517297, KB4512193
Exists MS WU 14/08. KB890830, KB4474419, KB4512506.
Let's see if it's 'do' or 'die' ?
SinecoalCirph4.

Kudos0

Re: Is it safe to install August 2019 Windows 7 update??

According to the English version (translations are not current) of KB4512506 (external Link to MS) there are at least two possible bugs which might cause troubles.

  • The first belongs to the x64 architecture with (U)EFI-Boot only (fail to boot)
  • The second could cause problems with VB6, VBScript, ... and is being fixed by installing the optional update KB4517297 (this bug seems to occur even on newer OS releases).

But both have nothing to do whether you have Norton installed or not. So this is only a heads up.

Kudos0

Re: Is it safe to install August 2019 Windows 7 update??

I hope this (or a similar) update will be later available for manual download. If someone has followed the recommendation of German BSI (see citation/manual translation below) to temporarily remove Norton and then wants to reinstall it after having had the Windows updates applied or for new installations with already applied Windows updates using an old version possibly might become an issue as they aren't compatible.

...

Das BSI schätzt diese Schwachstellen als äußerst kritisch ein und ruft Unternehmen genauso wie Bürgerinnen und Bürger auf, die verfügbaren Updates einzuspielen.

(manual translation: BSI considers these vulnerabilities to be critical at highest rate and urges businesses and inhabitants to apply the available updates)

...

Probleme ergeben sich für Nutzer der Antiviren-Software Symantec beziehungsweise Norton unter Windows 7 und Windows Server 2008. Diese können die bereitgestellten Windows-Updates nicht verarbeiten, in Folge kommt es zu Systemabstürzen. Daher hat Microsoft das Sicherheitsupdate für Systeme blockiert, auf denen diese AV-Programme installiert sind. Microsoft rät auch von einer manuellen Einspielung der Updates ab. Diese AV-Programme sollten bis zur Behebung des Problems vorübergehend deinstalliert werden, damit die Windows-Updates eingespielt werden können.

(manual translation: Issues arise for users of Symantec/Norton AV solution customers running Windows 7 and Windows Server 2008. They aren't compatible with the Windows Updates and system crashes occur. Microsoft has blocked updates on these systems and strongly discourages from applying them manually. Until they have been fixed those AV solutions should be temporarily uninstalled to allow installation of the Windows Updates.)

But it is great that users with installed Norton now can also receive the Windows security updates of August.

Kudos1 Stats

Re: Is it safe to install August 2019 Windows 7 update??

Sunil_GA:

... The version change is for Windows 7 users ONLY

If I understood John_Owens on the Symantec Endpoint Protection Forum correctly he thinks that only Windows 7 is affected. As the vtDataVersion was the same on Windows 8.1 yesterday (17) I don't know whether the driver really had been fixed there already (for Norton solutions) and the registry key was only the indicator for "update finally happened on the Windows 7 driver too".

Could you verify whether Norton on Windows 8.1 really uses a fixed driver? Otherwise (as this change is for Windows 7 only and Windows 8.1 will have the switch to SHA2 at next patch day (September)) there would be issues for Norton customers on Windows 8.1 (and maybe Windows Server 2012 / 2012R2 for business customers with SEP).

Thank you.

Kudos1 Stats

Re: Is it safe to install August 2019 Windows 7 update??

Folks: The product release thread was updated a while ago. Version 22.18.0.222 is "targeted to ONLY Windows 7 users" for the incompatibility issue.

Cheers

Kudos1 Stats

Re: Is it safe to install August 2019 Windows 7 update??

Sharing !
Updated W7 64 Daily Driver, to
22.18.0.222. Ran MS WU; offered KB4512506 & KB4503548. Installed, OK.
Not looking for anything not offered.
Currently: Good-2-Go !
SinecoalCirph4.

Kudos0

Re: Is it safe to install August 2019 Windows 7 update??

ITMA:

... offered KB4512506 & KB4503548. Installed, OK.
Not looking for anything not offered.

For me it is not clear whether you gave the Windows Update search a second try after installing KB4503548 (.Net Framework 4.8). As far as I remember after installing this update you should be offered the security update for .Net Framework 4.8 from July - it seems to be not included in the .Net Framework 4.8 bundle, but maybe I am wrong and MS has included it and updated the metadata in the meantime.

You should also be offered KB4517297 in the optional updates category (not automatically checked - just in case you are using VBA (Office macros) or old VB6 programs you might want to install it too).

And for higher security it might be necessary to reset the Internet zone security settings to disable VBScript (see the known issues section in the KB article for KB4512506), but write down any manual changes you might have done, so you can reapply them after the reset.

Kudos0

Re: Is it safe to install August 2019 Windows 7 update??

Hi NortonTester.
I was offered KB4512193, 08/19 Preview .Net Framework; but as it's only a 'PREVIEW', I gave it a miss.
To the best of my knowledge. KB4517297 comes as a Manual Install from the MS Catalogue.
Whether Microsoft or Norton; after an install, I check the functionality of the install, and search for further updates.
Simply, I installed what I was offered, stand alone; no sideshows were manipulated, in the installing of updates.
SinecoalCirph4.

Kudos0

Re: Is it safe to install August 2019 Windows 7 update??

ITMA:

... I was offered KB4512193, 08/19 Preview .Net Framework; but as it's only a 'PREVIEW', I gave it a miss ...

I didn't want you to install the preview. On my systems with another AV solution I was offered following update (which had been installed on the patch day in July before, but without .Net 4.8 being installed) on patch day after installing the .Net Framework 4.8 update:

2019-07 Security and Quality Rollup for .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8 for Windows 7 (KB4507420)  

ITMA:

... To the best of my knowledge. KB4517297 comes as a Manual Install from the MS Catalogue. ...

Maybe I only read the part "This issue is resolved in KB4517297, which is an optional update." and stopped reading, because I thought that optional = in the optional category of automatic Windows Updates. You are correct, the KB article states "It is now available on Microsoft Update Catalog and Windows Server Update Services (WSUS)" and seems to be not being offered via automatic Windows updates - it might be included in the preview of the next monthly rollup, but currently it isn't clear whether this is true as its KB doesn't state this as being fixed and doesn't mention this issue as being known.

Kudos0

Re: Is it safe to install August 2019 Windows 7 update??

NortonTester.
Although KB4507420 installed 07-2019: it's no longer in 'Installed Updates'. Equally, .NET Framework 4.8, is all that now appears in 'Installed Updates' & Programs and Features, representing .NET.
SinecoalCirph4.

Kudos0

Re: Is it safe to install August 2019 Windows 7 update??

Maybe I only read the part "This issue is resolved in KB4517297, which is an optional update." and stopped reading, because I thought that optional = in the optional category of automatic Windows Updates. You are correct, the KB article states "It is now available on Microsoft Update Catalog and Windows Server Update Services (WSUS)" and seems to be not being offered via automatic Windows updates - it might be included in the preview of the next monthly rollup, but currently it isn't clear whether this is true as its KB doesn't state this as being fixed and doesn't mention this issue as being known.

Interesting news from 'AskWoody' !
A whole new KB4517297, to inspire your enthusiasm.
https://www.askwoody.com/2019/microsoft-re-issues-the-win7-vb-vba-vbscri...
