Qualys flags SEP (Symantec Endpoint Protection) 12.1 clients as vulnerable to SYM16-013 even though you have confirmed that the SEP clients have the latest IPS (Intrusion Prevention System) definitions and the latest CIDS (Client Intrusion Detection System) engine.
Qualys vulnerability scanner was used to scan a PC.
Qualys checks the following registry value to decide whether a machine is vulnerable:
Key: HKLM\SOFTWARE\Wow6432Node\Symantec\SymNetDrv
Value: Version = 220.127.116.11
This particular value does not pertain to the version of the CIDS engine.
A more reliable way to determine whether the machine is vulnerable, using registry keys and file versions, is the following:
Start by checking the ImagePath for the CIDS driver. The service name and the driver differ depending on whether you are running a 32-bit or a 64-bit operating system:
64-bit: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\IDSVia64, and find the path to the driver in the ImagePath value.
32-bit: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\IDSVix86, and find the path to the driver in the ImagePath value.
The ImagePath points directly at the IDS driver file, whose location changes each time the machine updates its IPS definitions. This is why a static registry value such as the one Qualys reads cannot reflect the currently loaded engine.
Check for the IDS driver (.sys file) at the discovered ImagePath and query the file's version. If the file's version is 18.104.22.168 or greater, the machine should not be vulnerable to SYM16-013.
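The check described above, as an added PowerShell example (this is not code from Symantec, Qualys, or the original article): it reads the ImagePath of the CIDS driver service for the running architecture, resolves the path to the driver file, and compares the file version against a minimum. The service names come from the article; the handling of the `\??\` and `\SystemRoot\` prefixes is an assumption about how ImagePath values are commonly written, and the default minimum version is simply the value quoted in the article and should be adjusted if your vendor guidance differs.

```powershell
# Added example (not from the Symantec article): verify the CIDS driver version
# via the service ImagePath rather than the static SymNetDrv\Version value.
param(
    # Minimum non-vulnerable driver version; default is the value quoted in the article.
    [version]$MinimumVersion = '18.104.22.168'
)

# Convert the NT-style ImagePath forms into a regular file path.
# Assumption: the value is either absolute, prefixed with \??\ or \SystemRoot\,
# or relative to the Windows directory (e.g. System32\drivers\...).
function Resolve-ImagePath {
    param([string]$Path)
    $p = $Path.Trim('"')
    if ($p -like '\??\*')         { return $p.Substring(4) }
    if ($p -like '\SystemRoot\*') { return Join-Path $env:SystemRoot $p.Substring(12) }
    if ($p -like 'System32\*')    { return Join-Path $env:SystemRoot $p }
    return $p
}

# Service names differ by OS architecture (from the article).
$serviceName = if ([Environment]::Is64BitOperatingSystem) { 'IDSVia64' } else { 'IDSVix86' }
$regPath     = "HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName"

# Read the ImagePath; a missing key means the CIDS service is not installed.
$imagePath  = (Get-ItemProperty -Path $regPath -Name ImagePath -ErrorAction Stop).ImagePath
$driverFile = Resolve-ImagePath $imagePath

if (-not (Test-Path -LiteralPath $driverFile)) {
    throw "CIDS driver not found at '$driverFile' (ImagePath was '$imagePath')"
}

# Build the version from the numeric parts so trailing text in FileVersion
# (build annotations etc.) cannot break the comparison.
$vi = (Get-Item -LiteralPath $driverFile).VersionInfo
$fileVersion = New-Object System.Version(
    $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)

[pscustomobject]@{
    Service        = $serviceName
    ImagePath      = $imagePath
    DriverFile     = $driverFile
    FileVersion    = $fileVersion
    MinimumVersion = $MinimumVersion
    Vulnerable     = ($fileVersion -lt $MinimumVersion)
}
```

Run it from an elevated prompt on the scanned host; the `Vulnerable` property is the result to compare against the scanner's finding. Because the driver file moves with every IPS definition update, re-running this after an update is the correct way to confirm remediation, whereas the `SymNetDrv\Version` value the scanner reads will not change.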
Qualys reportedly resolved this issue in their software in early August 2016. If you still observe the issue above, please work with Qualys to update the signatures or software responsible for the scan.