Symantec AntiVirus or Symantec Client Security: SYM07-024 Symantec SYMTDI.SYS Device Driver Local Denial of Service
Question/Issue:
You use Symantec AntiVirus or Symantec Client Security and want to know more about the SYM07-024 Symantec Client Security Internet E-mail AutoProtect vulnerability.
Solution:
An issue has been identified in some versions of Symantec's device driver SYMTDI.SYS which, if successfully exploited, could allow a local attacker to cause the system to crash.
For additional information on the SYM07-024 vulnerability, read the Symantec Security Response SYM07-024 advisory.
Mitigation
- Upgrade to an unaffected build of Symantec AntiVirus or Symantec Client Security.
- Use the SymNetDrvUpdater.exe tool to upgrade to an unaffected version of SYMTDI.SYS. This tool should not be used if you are planning on migrating to a version of Symantec Client Security 3.1 MR6 MP1, Symantec AntiVirus 10.1 MR6 MP1 or earlier.
Symantec has created fixed versions of Symantec AntiVirus and Symantec Client Security. The solution paths from each version of Symantec AntiVirus and Symantec Client Security are as follows:
The version of SYMTDI.SYS for Symantec AntiVirus 10.1 MR6 MP1 or Symantec Client Security 3.1 MR6 MP1 should be 6.0.6.604 or later.
The version of SYMTDI.SYS for Symantec AntiVirus 9 MR6-MP1 or Symantec Client Security 2 MR6-MP1 should be 5.5.6.604 or later.
To obtain the latest release, read the document "How to obtain an update or an upgrade for your Symantec corporate product".
Some upgrade paths require migrating to Symantec Client Security 3.1 or Symantec AntiVirus 10.1. To obtain these products, read the document "How to obtain an update or an upgrade for your Symantec corporate product". For instructions on how to migrate to those versions, read one of the following documents:
Migrating to Symantec Client Security 3.1
Migrating to Symantec Client Security 3.1 Small Business Edition
Migrating to Symantec AntiVirus 10.1 Corporate Edition
Migrating to Symantec AntiVirus 10.1 Small Business Edition
For information on upgrading to 9.0 MR6 MP1, read "Applying Symantec Client Security 2.0 and Symantec AntiVirus 9.0 Maintenance Release 6 Maintenance Patch 1".
Localized versions of the updated builds of Symantec Client Security and Symantec AntiVirus are available.
Use the SymNetDrvUpdater tool
Symantec has created a tool for updating SYMTDI.SYS on versions of Symantec AntiVirus 10.0.2, Symantec Client Security 3.0.2 and later.
Versions prior to Symantec AntiVirus 10.0.2 and Symantec Client Security 3.0.2 should be updated to a non-vulnerable release of the product.
This tool should not be used if you are planning on migrating to a version of Symantec Client Security 3.1 MR6 MP1, Symantec AntiVirus 10.1 MR6 MP1 or earlier.
The tool can be downloaded from the following URL:
ftp://ftp.symantec.com/public/english_us_canada/products/symantec_client_security/3.1/updates/SymNetDrvUpdater.zip
Command Line options
| Option | Effect |
| --- | --- |
| /log | Creates a log file called SymNetDrvUpdater.log in the directory given by the user temp variable (%tmp%) |
| /promptforcereboot | Forces a reboot with a message displayed to the user |
| /silentreboot | Forces a silent reboot |
| /promptoptionalreboot | User is given a choice to reboot now or later |
| /visible | Dialog box is displayed with a button to "Update SymNetDrv Binaries" |
Functionality of the SymNetDrvUpdater.exe tool
The SymNetDrvUpdater.exe application runs in silent mode by default.
- When you run the tool, it gets the Symantec AntiVirus or Client Security version. If the version is greater than AntiVirus 10.0.2 or Client Security 3.0.2, the tool continues.
- It replaces only the files that are already present on the system.
- The files are replaced on reboot, so the file versions will not change until a system reboot is completed.
- Use the /log command line option to create the log file SymNetDrvUpdater.log under the user's temp directory (%TMP%).
The tool replaces the following files:
- Default.rul
- SNDInst.exe
- SNDSrvc.exe
- SNDunin.dll
- Validate.dat
- Snd.grd
- Snd.sig
- Snd.spm
- SymNeti.dll
- SymRedir.dll
- symdns.sys
- symfw.sys
- symids.sys
- symndis.sys
- SymRedir.cat
- SymRedir.inf
- symredrv.sys
- symtdi.sys
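The SYMTDI.SYS minimum versions given above can be verified on a host with a short PowerShell script. This is an added example, not part of Symantec's document or tooling; the driver location under System32\drivers and the `-ProductLine` parameter are assumptions.

```powershell
# Added example: audit the installed SYMTDI.SYS file version against the
# minimum fixed versions stated in this document.
# Run it after the reboot: per the document, the files are replaced on reboot,
# so the file version does not change until the reboot is completed.
param(
    # Hypothetical parameter: '10.1' = Symantec AntiVirus 10.1 / Client Security 3.1,
    #                         '9.0'  = Symantec AntiVirus 9 / Client Security 2
    [ValidateSet('10.1', '9.0')]
    [string]$ProductLine = '10.1',

    # Assumed driver location; pass the real path if the driver lives elsewhere
    [string]$DriverPath = (Join-Path $env:SystemRoot 'System32\drivers\symtdi.sys')
)

# Minimum fixed SYMTDI.SYS versions, taken from the document
$minimums = @{
    '10.1' = [version]'6.0.6.604'
    '9.0'  = [version]'5.5.6.604'
}

function Get-DriverFileVersion([string]$Path) {
    # Build the version from the numeric parts of the version resource;
    # the FileVersion string itself can carry extra text and fail to parse.
    $info = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($Path)
    New-Object System.Version -ArgumentList @(
        $info.FileMajorPart, $info.FileMinorPart,
        $info.FileBuildPart, $info.FilePrivatePart)
}

function Test-SymtdiVersion([version]$Found, [version]$Minimum) {
    # System.Version compares field by field, so 6.0.6.1000 is newer than 6.0.6.604
    if ($Found -ge $Minimum) { 'OK' } else { 'UPDATE REQUIRED' }
}

if (-not (Test-Path -LiteralPath $DriverPath)) {
    Write-Output "symtdi.sys not found at $DriverPath"
    return
}

$found   = Get-DriverFileVersion $DriverPath
$minimum = $minimums[$ProductLine]
$status  = Test-SymtdiVersion $found $minimum

Write-Output ("{0}: found {1}, minimum {2}: {3}" -f $DriverPath, $found, $minimum, $status)
```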
Document ID: 2007090409431648
Last Modified: 01/04/2008
Date Created: 09/04/2007
Operating System(s): Windows 2000, Windows XP Home, Windows XP Professional Edition, Windows XP Tablet PC, Windows 2000 Professional
Product(s): Symantec AntiVirus 10.1, Symantec AntiVirus Corporate Edition 10.0, Symantec AntiVirus Corporate Edition 9.0, Symantec Client Firewall 8.7, Symantec Client Security 3.0, Symantec Client Security 3.1
Release(s): SAV 10.0 [All Releases], SAV 9.0 [All Releases], Symantec AntiVirus 10.1 [All Releases], Symantec Client Firewall 8.7 [All Releases], Symantec Client Security 3.1 [All Releases], Symantec Client Security 3.x [All versions]