Ivanti Device and Application Control Version History Since v2€¦ · Ivanti Device and...

1

Ivanti Device and Application Control Version History Since v2.6

Details NEW IN VERSION 5.1 Update 3 [18-Dec-2018]

• File-Type Filtering for the Portable Device Class The Portable Device class now supports file-type filtering. File filters can be used to limit access to specific file types (e.g. pdf, doc, xls). Up to now, file-type filtering was only available for use with the Removable Storage Devices, Floppy Disk Drives, and DVD/CD Drives device classes. With 5.1 Update 3, file filters can also be used with the Portable Device class. This would enable customers to restrict file transfers to and from mobile phones but allow pictures to be transferred, for example.

• Device Control event generated when encrypted media is unlocked

Additional logging has been added in 5.1 Update 3 so that an event is generated when encrypted media (e.g. USB key) is unlocked. This log event could then be used to trigger additional actions on the endpoint, for example.

• Windows Support Updates

We’ve added support for Windows 10 version 1809 (OS build 17763) which was released by Microsoft on Nov 13th. Refer to the following community article for details of Windows 10 version support with Ivanti Device and Application Control https://community.ivanti.com/docs/DOC-62154.

We’ve also added support for Windows Server 2019 which was released by Microsoft on Oct 2nd.

• Citrix XenApp and XenDesktop Support

We’ve added support for version 7.18 of Citrix XenApp and XenDesktop.

Components in this Release

Component Version

SK version 5.1.494

SCOMC version 5.1.500

SXS version 5.1.500

DB version 5.1.500

SMC version 5.1.500

https://community.ivanti.com/docs/DOC-62154

2

ISSUES RESOLVED IN VERSION 5.1 Update 3 [18-Dec-2018]

Problem ID Title

51197 Endpoint UI (RTNotify) on crashes randomly with unhandled exception "phase 2 file"

53658 HES 5.0: select user filter and schedule report causes reporting to fail

64411 Card reader unusable after installing agent (Windows 10 1709). Smartcard reader integrated with Dell Laptops not detected correctly.

64491 Issue with Surface Pro 4, Windows 10 1703 and Ivanti Device & Application Control Client 5.1 Update 1 (Computer hangs for few seconds before becoming ready when USB devices plugged in)

65653 Bitlocker Protection doesn't work without CD/DVD class permission being applied

65978 Client upgrade issue - SK.sys not updating if initial installation was LES 4.6 Update 2

66077 Device Explorer on Ivanti Device & Application Management Console unresponsive when accessed

66704 Problem with generation of 'client status' report - max size reached (Report seems to 'hang' and not to fully generate)

66820 "Microsoft Usbccid Smartcard Reader (WUDF)" device not working properly on some Dell Latitude models with Windows 10 1709 (Status listed as 'This device is not working properly because Windows cannot load the drivers required for this device. (Code 31).

66926 SADEC (Standalone Decryption Tool) 5.1.1 & 5.1.2 disabling secondary SSD

66942 Device Explorer unresponsive when accessed (occurs if device devid = parent_devid)

67135 USB storage may have an identifier written with upper and lower case letters resulting in duplicate entries

67326 Cannot shutdown a computer after SADEC (Standalone Decryption Tool) version 5.1 Update 2 is installed

67349 Several Win10 1803 apps crash while starting when Ivanti Device & Application Control client agent is installed

67367 EMSS (DC) client cannot be uninstalled if "ProfileImagePath" Expendable String Value does not exist

67516 Log Explorer | Scheduled Reports | The email subject will show garbled characters (???) when Chinese characters are used

3

NEW IN VERSION 5.1 Update 2 [29-May-2018] • More granular control over device attached/detached notifications

Additional controls have been added such that the IDAC Control system tray icon remains visible but notifications relating to 'device attached/detached' are now suppressed. For more information refer to https://community.ivanti.com/docs/DOC-67782.

• Authorization Wizard now scans inside MSP files Most Windows 10 and Office 2016 updates are delivered as MSP files rather than MSIs. In previous IDAC versions, the Authorization Wizard could only scan inside MSIs making it very difficult to whitelist updates that were delivered as MSPs. We've changed this in 5.1U2 so that the Auth Wizard now scans inside MSPs in addition to MSIs.

• Windows 10 version Support We've added support for Windows 10 version 1803 (OS build 17134) which was released by Microsoft on April 30th. Refer to the following community article for details of Windows version support with Ivanti Device and Application Control https://community.ivanti.com/docs/DOC-62154.

• Citrix XenApp and XenDesktop Support We've added support for versions 7.15 and 7.17 of Citrix XenApp and XenDesktop.

• 7zip library updated

We've updated the 7zip library to version 18.01 to address vulnerability CVE-2018-5996. 7zip versions prior to 18.00 contain insufficient exception handling which can lead to multiple memory corruptions and allow remote attackers to cause a denial of service attack or execute arbitrary code.

• SQL 2017 Support We've added support for Microsoft SQL 2017.

• Xtraction connector

Ivanti Xtraction is a selfservice, real-time reporting and dashboard solution that helps you meet your IT business intelligence needs with less effort. An Xtraction connector is now available for Ivanti Device and Application Control and is compatible with IDAC version 5.0 and later. For more information, refer to https://www.ivanti.com/products/xtraction.

Issues Resolved:



http://www.ivanti.com/products/xtraction

4

Ivanti Device and Application Control Version History Since v 2.6

NEW IN VERSION 5.1 Update 1 [24-Oct-2017] This update includes a variety of fixes for issues reported in previous releases.

Issues Resolved:

• Fixed an issue that caused upgrades from 4.6 SR3 to 5.1 to fail when using Default Keys. • Fixed an issue where application of policies to x86 machines would fail. • Fixed a policy issue that allowed access to blocked removable storage devices if no permissions

were applied. • Fixed an issue that caused network printing jobs to fail when users inserted USB Type C docking

stations into their devices. • Fixed a blue screen error that would occur when attempting to burn a CD. • Fixed a blue screen error that would occur after connecting laptop devices to docking stations. • Fixed an issue that prevented third-party applications from starting when the device had both Ivanti

Device and Application Control and Kaspersky Endpoint Security with AES Crypto Module installed. • Fixed an issue that blocked scripts assigned to an unauthorized file group when Macro and Script

Protection were set to Disabled. • Fixed an issue that caused Windows 10 to crash when running reports. • Fixed an issue that disrupted access to CD and DVD drives on devices with TrendMicro OfficeScan

installed. • Fixed an issue that prevented access to portable encrypted USB flash drives. This issue occurred

after removing a USB flash drive without first ejecting it from Windows.

RM 255126 Permissions issue with audio CD

DSI 230780 Authorization Wizard - Failed to scan path longer than 128 Char

RM 252951 Ivanti Device Control 5.0 CD\DVD Burning BSOD

DSI 284559 Windows 10 1703 - Ivanti DC 5.1.1 and FontDriverHost UMFD-0

DSI 269485 Win10 upgrade 1607/1706 to 1709 with IDAC 5.1.1 (See Note Above)

DSI 233189 After agent upgrade, keyboards mice and graphical cards are intermittently blocked with HP docking station

DSI 268900 SK.sys causing system crash with subsequent boot failure

DSI 234795 Policy Not Updating on Windows 10 endpoints with large CCH/SKR files

DSI 275749 Ivanti Device Control 5.1.1: Exclude function for queries not working

DSI 287160 Cannot print anymore using Edge on Win10 (1709)

DSI 234753 Ivanti Device Control 5.0 user certificates not showing in Media Authorizer with MS CA centralized

RM 252825 Ivanti Device Control and Symantec EP conflict - when SEP monitors DLL loading, .NET 2.0 applications stop working

DSI 345637 After Windows 10 where Client is installed updates to version 1709, Windows doesn't work properly.

DSI 274861 TLS certificate name from FQDN to short computer name

5


• Fixed a logging issue that caused some recorded device events to disappear. • Fixed an issue that prevented users from saving policy export DAT files consistently

Known Issues:

• When using Secure Volume Browser to copy a file from an encrypted device to another location, the copy does not complete successfully.

NEW IN VERSION 5.1 [25-Jul-2017] • We're Now Ivanti!If you haven't already heard, HEAT Software has merged with LANdesk to form

a brand-new company,Ivanti! We've renamed HEAT Endpoint Security Suite to Ivanti Device and Application Control. HEAT and Lumension still appear in certain areas of the product e.g. install folders and signing certificates.

• Data Loss PreventionUse Microsoft Window's Advanced Query Syntax to search the contents, properties, and tags (if supported) of MS Office (Word, Excel, PowerPoint) and PDF files for flagged keywords and phrases.

• File Type Filtering Expanded to Include MP4 Files • Added Device Support for Thunderbolt 3A LaCie D2 Thunderbolt 3 6TB removable was tested and

recognized as a USB and manageable accordingly. • Added Support for Citrix XenApp and XenDesktop 7.14.1 • Expanded Virtualization Support To Include Microsoft VDI (version 6.3.9600.18623)Limitations

related to this feature:Only USB devices are supported and those devices are not connected as actual devices currently. No encryption or filtering supported. Due to limitations the following are not supported:

• Windows Portable • DVD Burning • Shadowing • Printing The thin client requires the ESDI dll be added to the system32 folder

and the reg key set to point to it.No encryption of devices is supported as these are not connected as USBDevice log events can be used to create special device permissions. The device is not connected so requesting from the machine a list of devices will not work.File shadowing is not supported as the devices are not in a mode that the files are intercepted as being copied off.Server 2012 R2 server X64

• Maximum File Size for File ShadowingYou can now specify a maximum file size limit for file shadowing so you can avoid shadowing very large files that can use up available disk space. When files exceed the max file size, only the file name is shadowed.

• Removed support for Windows Vista and Windows Server 2008Windows Server 2008 R2 is still supported.

6


• Removed Support for the Manual Import of a Signature File During

InstallationThe option is still visible on the install pane but will not work if selected

• Publicly Available Help Online You can now access the Ivanti Device and Application Control Help content (both PDFs and WebHelp) at https:// help.ivanti.com. We encourage you to use the WebHelp as it's updated frequently, and new content is added on a regular basis.

Issues Resolved:

• Fixed an issue that caused the SXS service to crash when building a large number of new clients.

• Fixed the issue where the Macro and Script protection eventlog messages were controled by the DC device eventlog is on, when AC Execution eventlog should be the option to control it.\

• Fixed an issue that caused a black screen on reboot of a Lenovo Thinkpad Tablet 10 20E3

• Fixed an issue that caused only the C drive to be blocked on Citrix XenDesktop 4.x

• Fixed an issue that prevented a portable encrypted stick from unlocking when using SVolBro.

• Fixed an issue that caused a USB mouse to appear to be in use in VMWare and therefore could not be attached.

• Fixed an issue that caused Device Control policies to not get enforced when Kaspersky Endpoint Security 10 was installed.

• Fixed an issue that caused generic redirects to not work on the latest Citrix 7.11+

• Fixed an issue that caused Device Control to clash with Secure Islands IQ- Protector and Word to crash.

• Fixed an issue with encryption pop-ups and Device Attached notifications. • Fixed a minor visual issue in the Client Deployment Tool. • Fixed a license verification issue that prevented Application Control options

from enabling. • Fixed an issue where data could not be encrypted or stored if more than

approxmately 4GB. • Fixed an issue where MSI files were not being extracted by the Filetool. • Fixed an issue that caused unexpected SXE service behaviors and errors

when generating reports. • Fixed an issue that caused File Group Management to not function correctly • Fixed an issue where endpoints would hang when encrypting with BitLocker • Fixed an issue that prevented saving to a network share when using Microsoft Edge and Adobe

Reader DC. • Fixed an issue that caused system conflicts with Bromium.

7


• Fixed an issue that caused a stop code (unmountable boot volume error) when BitLocker and Unified

Write Filter were enabled. • Fixed a burning issue with encrypted discs

Known Issues:

• "Failed to install the hcmon driver" error when installing VMWare View® Client on a client machine. See KB 1688 for more details on this issue.

• There is an existing issue where a stop error can occur when the boot disk is encrypted with BitLocker and protected with UWF. Customers should not enable UWF in this case.

NEW IN VERSION 5.0 (build ) [05-Jan-2016]The Lumension Endpoint Security 5.0 release includes the following new features:

• HEAT Software Rebrand: If you haven't already heard, Lumension is now HEAT Software! As a result, we've renamed Lumension Endpoint Security to HEAT Endpoint Security. After upgrading to 5.0, you'll see some updated branding and a different color palette. We have moved the fresh installation directories from %Program Files%\Lumension Security to %Program Files% \HEAT Software. Upgrades will retain the existing folder locations so custom install locations and the %Program Files%\Lumension Security directories will remain. Certain file properties could not be updated to reflect the new product name. This will be corrected in the next release. NOTE: When upgrading installations with an installed service like SXS, the service display name will not be rebranded to HEAT Endpoint Security Application Server. The new executable will be used but the display name for all Lumension services upgraded in this release will remain as Lumension Endpoint Security Application Server.

• Support for Universal Disk Format (UDF) Removable Devices: You are no longer bound to a

4GB file size portable encryption limit.

• Support for Bitlocker in place of PGP: We've replaced the outdated and restricted PGP with support for Window's native and modern BitLocker encryption.

• Database Maintenance Tool Improvements: You can now schedule database maintenance tasks

to run at off-peak hours. We've also added 4 preconfigured templates for the most common tasks: Status & Audit 90+, Pwd Recovery 999+, Machine Scans 999+, Log and Shadow Files 90+.

• Access to Portable Encrypted Devices on Citrix: You can now use SVolBro rather than transparent

encryption to safely view the contents of an encrypted device using a new Administrator option (configured via sxopt). CAUTION: If this option is enabled the encryption of devices on that particular client is not supported.

• Support for Microsoft SQL Server 2016 and Windows Server 2016: You can now use the latest

addition to Microsoft's data platform as your database! • Migration to Cryptography Next Generation: This cryptography API is a replacement for the

original Windows CryptoAPI. It allows for the use of newer, stronger encryption and signing algorithms when implementing cryptography.

• Ongoing Stability Improvements

IMPORTANT: From v5.0, HEAT Endpoint Security does no longer officially supports Novell eDirectory Syncronization. Using the two solutions together is not recommended. IMPORTANT: In a fresh 5.0 installation, the KEYGEN tool generates a key pair in CNG format. These keys can't be used by older agents. Pre-5.0 keys will be supported by the new server and agents. In the event of a fresh 5.0 install but with older agents (for example for XP support), you must use the 4.6 KEYGEN tool. The Lumension Endpoint Security 5.0 release resolves the following issues:

8


• Fixed an issue where Power Settings (sleep, USB suspend) were not overridden by ES

encryption. • Created a script for performing an offline purge of the SX database for retaining a subset of

records and truncating the remaining large amounts of excess records. Contact support for more information.

• Fixed an Authorisation Wizard issue where a file was appearing in several groups though it was not assigned to any.

• Fixed an issue where an Administrator could not edit Comments for a device in Device Explorer. • Fixed an issue where a Log Explorer scheduled report would not run properly and did not produce

a CSV file when a certain characters are present in the SQL data. • Fixed an SVolBro issue where long folder/file paths that exceeded Windows' maximum path length

could be copied. • Fixed an issue where transparent access to portable encrypted drives was not possible. • Fixed an issue where access to HP RAM drives was blocked. • Fixed an issue on Windows 10 Ent with Credential Guard that was causing very high CPU usage. • Fixed an issue where two Syslog events were occasionally being generated for a single WRITE-

GRANTED event. • Fixed an issue where the SXS server could not connect to the SX database when TLS 1.2

encrypted connections are enforced. See KB 25686 Enabling TLS 1.2 Support for SXS server and SX database communication.

• Fixed an issue where the database script v445 had an incorrect naming structure that caused manual database upgrades to fail.

• Fixed an issue that blocked DFSRS.exe when client hardening was enabled. • Fixed an issue where SK.sys showed as legacy to Cluster Shared Volume, which caused Direct I/

O to disable and reduced performance. • Fixed an issue where large scheduled Log Explorer reports caused SXS to crash. • Fixed an issue where users encountered a "file could not be located" error when opening a

Microsoft document from an encrypyed CD/DVD while the Microsoft application was already open and running.

• Fixed an issue where a client installation under hardening stopped SK-NDIS from attaching itself to a network card with error 0x80070005.

• Fixed a client conflict issue with Bromium. • Fixed an issue where Temporary Permissions Offline did not work when SR2 endpoints made

requests to a SR3 server. • Fixed an issue where SysLog READ and WRITE GRANTED events recorded incorrect UniqueID

and ModelID. • Fixed an issue where the Authorisation Wizard stalled when scanning empty files (0kb). • Fixed an issue where the Microsoft Surface Book wireless device did not switch online/offline

states properly. • Fixed an issue where the HES installer was incorrectly requesting a minimum of SQL 2005 be

installed. It now requests a compatible version.

Known Issues: • "Failed to install the hcmon driver" error when installing VMWare View® Client on a client

machine. See KB 1688 for more details on this issue. • There is an existing issue where a stop error can occur when the boot disk is encrypted with

BitLocker and protected with UWF. Customers should not enable UWF in this case.

9


NEW IN VERSION 4.6 SR3 (build 631) [02-Jun-2016]

The Lumension Endpoint Security 4.6 SR3 release includes the following new features:

• DC Audit Mode: You can now give users full access to all unmanaged devices and in return get logging information you can later use to create usage policies. Select the DC Audit Mode option in the Computer tab. WRITEAUDIT

and READ-AUDIT events are logged in sdcevent.log.

IMPORTANT: An endpoint is NOT secure while in audit mode. • DEVICE-DETACHED Events: You can now track when a device is disconnected from a computer. A

DEVICE-DETACHED event is

logged in sdcevent.log.

• Support for Bitlocker in place of PGP: We've replaced the outdated and restricted PGP with support for Window's native and modern

BitLocker encryption.

• Keyboards and mice managment: You can now manage keyboards and mice that use USB, PS/2, and Bluetooth with the new Keyboards/

Mice device type. The default device permission assigned is Read/Write (Low Priority).

• Device detection expanded: We've added support for NVMe and USB 3.1 (type A & type C) in LES Device Control. Keep in mind that

LES does not support any devices not natively supported on Windows 7, 8 and 10 or use third-party

drivers not certified by Microsoft.

• File type filtering support expanded: You can now filter these file types: • 7-Zip/Protected 7-Zip • Zip/Protected Zip • WinRAR/Protected WinRAR • Microsoft CAB • VHD • GZIP • ISO

The Lumension Endpoint Security 4.6 SR3 release resolves the following issues:

• Fixed an issue where the Secure Volume Browser crashes when burning/encrypting CDs. • Fixed an issue where filescan was failing when building the whitelist for application control. • Fixed an issue pulling full shadow files from another application server's data file directory.

10


• Fixed an issue where reports were not showing the proper event times based on the endpoint's

timezone and Daylight Savings Time (DST). See KB article "Understanding Log Event Timestamps" for more information.

• Validated that an administrator cannot format an encrypted disk until it is unlocked by Windows or Secure Volume Browser. This behavior began with LES 4.6 RTM.

• Fixed an issue where the model ID and unique ID were not correctly populated in the Log Explorer under certain circumstances.

• Fixed an issue that displayed garbled data in Database Explorer if you add new columns. • Fixed an issue where a paragraph character would appear in place of actual file name when using

Nero 2015 to burn a disc. • Fixed a documentation error in the Administration Guide concerning options used for client

deployment with Windows group policy. • Fixed a problem with USB access when using Citrix XenDesktop 7.x and an IGEL terminal. • Fixed an issue where if the name of a server exceeded 512 characters, the agent could not identify it

and connect. • Fixed an issue so the SXOPT command option 77 to set the whitelisted HID devices string is no

longer case sensitive. • Fixed an issue where an endpoint would BSOD or loose network connectivity upon upgrade to LES

4.6 SR2. • Fixed an issue where a user query with filtering in the Log Explorer resulted in an error. • Fixed a conflict where the SQL and VS2012 profiler would not run with LES client installed. • Fixed a problem with the online and offline permissions such that they function properly as

documented in the user guides. • Fixed a problem where encrypting a near full USB device would fail and result in lost data on the USB

device. • Fixed a problem where time changes due to endpoints across time zones and DST changes were

not logged or handled properly in the display and reports. See KB article "Understanding Log Event Timestamps" for more information.

• Fixed an issue where Wireless NIC was detected as class 100 when McAfee and LES with SK-NDIS were installed.

• Fixed a problem where LES and AVG would conflict when performing process injection resulting in application crashing.

• Fixed an issue where GlobalProtect VPN client appeared as an ethernet adapter in LES DC. • Fixed a problem where the recover password dialog (from RTNotify) pre-populated the Name field

with a random number.

Known Issues: • "Failed to install the hcmon driver" error when installing VMWare View® Client on a client machine.

See KB 1688 for more details on this issue.

11


NEW IN VERSION 4.6 SR2 (build 428) [27-Oct-2015]

The HEATsoftware Endpoint Security 4.6 SR2 release includes the following new features:

• Brand Refresh: If you haven't already heard, HEATsoftware has merged with FrontRange to form a brand-new company, HEAT Software! The HEATsoftware Endpoint Security name remains unchanged, but you'll see some updated branding in the interface and user guides.

• Updated Client Platform Support: SR2 adds full client support for a few additional platforms:

• Windows 10 Education, Enterprise, and Professional editions (32-bit and 64-bit) • XenApp 7.6 • XenDesktop 7.6

• Add Devices from Write Denied and Read Denied Events: You can now add devices to the list of

those managed by Device Control from Write Denied and Read Denied events: 1. From the Management Console, select View > Modules > Log Explorer. 2. Click Fetch Log. 3. Click Search or Browse and select the appropriate computer from the list, then click OK. 4. Find a Write Denied or Read Denied event in the Log Explorer window. 5. Right-click on the event and select Add Device(s). 6. Select the check box beside the device name and click Add Devices. 7. Click Close.

• More Print Shadowing Possibilities: We've improved HardwareID recognition to expand the range

of devices you can shadow printed

content on, including virtual printers (print to PDF).

• Client Support for Printing in Internet Explorer's Enhanced Protection Mode: We've added client support for printing from Internet Explorer tabs using the Enhanced Protection Mode feature in Windows 8 and higher.

• Force the Upload of Shadow Files on User Log Off: You can now use scomc.exe with the

options fetch, dismount, and maxround in your client log off scripts to force the upload of all shadow files to the HEATsoftware Endpoint Security server. See the Forcing the Upload of Shadow Files from a Client Upon User Log Off topic in the Device Control User Guide for more information. • Syntax: scomc.exe -fetch -dismount -maxround <# of attempts> • Options:

• -fetch: Specifies that shadow files are to be retrieved from the client. • -dismount: Dismounts removable media devices from the client. • -maxround: Specifies the maximum number of attempts to upload and remove

shadow files from a client. Retry attempts accepted are 2 to 9 (no value or any value outside that range will result in no retry attempts). IMPORTANT: The

maxround option must be the last option specified in the command line.

12


The HEATsoftware Endpoint Security 4.6 SR2 release resolves the following issues:

• Fixed an intermittent issue where SVOLBRO would crash when adding files to a CD for encryption. • Model ID and Unique ID can now be selected in Log Explorer and added concurrently to a policy.

Previous 4.6 versions incorrectly added only the model ID to the policy. • Fixed an issue with a Sophos conflict where the endpoint displayed a black screen following user

logon. The system did not crash and sometimes returned to normal after 3-4 minutes. This occurred with Windows 8.1 and Sophos 10.3, but could appear on other x64 systems.

• Updated the server address field in the Security Management Center to allow input and editing of up to 899 characters.

• Fixed a filtering issue where searching on ModelID in the Log Explorer templates was only working properly if all data was entered in lowercase. The search now works properly based on the tick box search parameters.

• Fixed an issue where Admin-Audit events were incorrectly displaying an entry in the Computer data field.

• Fixed a problem where a user with read/write access to the CD/DVD class for a user, local system, and local service could not burn an unencrypted CD/DVD.

• The Device Control agent now correctly identifies the UniqueID of the latest SDMS crypto keys such as those from IronKey.

• Fixed an issue where the Client Deployment Tool was not prompting for UAC elevation to provide the correct permissions.

• Fixed an intermittent issue where an SXS server would crash when providing a policy to an embedded agent.

• Fixed an issue that was preventing SVOLBRO from properly outputting file transfer events to the Windows Event Log.

• Fixed an issue with the Printers class where even if everyone was granted read and write permissions, the Windows default 'The Reader' would give an error. This issue occurred with Windows 8.1, but could occur with other Windows operating systems.

• Fixed an issue where when you right-click an already encrypted CD/DVD +RW, there is no option given to reformat the media to prepare it for burning new files.

• Fixed an issue specific to Windows XP SP3 where an endpoint would BSOD when using Roxio Creator 10 to burn files to CD/DVD with file shadowing enabled.

• Fixed an issue where scripts being added to an approved file group via Log Explorer were still incorrectly being blocked.

• Fixed an issue where iPhones were not being blocked by policy when iTunes were installed on an endpoint. Note that iTunes will now display an error as it cannot pull information from the attached iPhone device.

• Added the option 'INVALID-PASSWORD' as a selection in Type criteria on Log Explorer. • Fixed an issue where the Device Manager 'DVD Region' tab was missing when the client was

installed. • Fixed an issue where macros in Office 2010 and Office 2013 were not properly blocked when

macros were blocked by a policy. In some instances, the Office applications would crash and restart if the macro was run.

• Fixed an issue where the client did not install properly on 64-bit Windows XP SP2. • Fixed an issue where special characters, such as found in languages like Japanese, were not being

saved in csv reports created using Exe Explorer, Scan Explorer, and Database Explorer. • Updated the database installer to support silent installation to a custom DB instance. The format for

the installation commence is Msiexec /i "LESDB.msi" /qnNAMED_INSTANCE="Custom" /L*v %TMP %\setupdb_silent.log where Custom is replaced by your DB instance name.

13


• Fixed an issue where the search and report templates would not retain the selected time criteria

while searching or creating reports. • Fixed an issue where some syslog events generated by the endpoint did not include the client name

or fully qualified domain name. • Fixed an intermittent issue where an error occurred when attempting to encrypt a removable device.

The message 'An error occurred during encryption. The pipe has been ended.' would be displayed. • Added HardwareID information to most of the file shadowing events, so it is now possible to retrieve

the shadowing log and use Add Devices to policy.



FIX FOR VERSION 4.6 SR1 (build 280) [17-Jul-2015]

HEATsoftware Endpoint Security 4.6 SR1 and HEATsoftware App Control Terminal Services 4.6 SR1 were updated with this fix. Device Control Embedded 4.6 SR1 (build 278) release includes the following new features:

• Fixed a communication problem in SXS that displayed the error message "The DCOM connection to SXS failed. This module cannot load." when launching Log Explorer.

NEW IN VERSION 4.6 SR1 (build 278) [28-Apr-2015]


• A Device Control policy now enables you to send events directly to the Windows Event Log on the

endpoint. This capability can be enabled independent of normal device control logging. • The database now supports the Standard, Enterprise, and Express Editions of Microsoft SQL Server

2014. • NOTE: The msam and ndap folders, containing Citrix and Novell documentation and utilities

respectively, have been removed from the standard HEATsoftware Endpoint Security product packaging.

These files are still available from the HEATsoftware Customer Portal (https:// portal.HEATsoftware.com) on the

https://community.ivanti.com/external-link.jspa?url=https%3A%2F%2Fportal.HEATsoftware.com

https://community.ivanti.com/external-link.jspa?url=https%3A%2F%2Fportal.HEATsoftware.com

14


Downloads page under HEATsoftware Workshop.


• A machine removed from Active Directory and assigned to a computer group is now removed from the database after Domain Synchronization.

• Fixed an issue where the Application Server was not always logging to syslog when deleting managed devices via the 'Manage Devices' window.

• SVOLBRO now correctly displays the available disk space when the 'Create an Encrypted CD/ DVD...' option is selected.

• Fixed an error in the database maintenance routine where it was not properly purging records and returned error code 0x00040ec9.

• Updated section 'Understanding Application Server-Client Communications' of the Administrator Guide to provide a better description of setting up a proxy for LES components.

• Fixed a problem where SVOLBRO was crashing on XenApp 6.0/6.5 when attempting to access a removable CD/DVD drive.

• The database installer now recognizes MSSQLSERVER as a valid instance name during product setup.

• Updated section 'Generating a Key Pair' of the Quick Setup Guide to explain that keys must be placed in the sysWOW64 directory on x64 systems.

• The product functionality was updated such that if you insert an encrypted USB stick before the user logs on, the [Unlock Medium] password prompt will appear when the user is logged on to the machine. It had functioned in this fashion prior to version 4.6.

• Fixed a dialog pop-up when the user right clicks on the first column and selects "choose columns" in the database explorer tab.

• Updated section 'Permission Priority Order' of the Device Control User Guide to include a priority table for permission catagories such as temporary, online/offline, and scheduled.

• Fixed the compatibility problem between soft phone Enghouse Interactive CIM Agent 8 and the LES agent.

• Fixed an issue with the LES agent where it was incorrectly logging the size of shadowed files against the copy limit.

• Fixed the issue where scomc would crash when filetype filtering is enabled. • Provided clarification in section 'Supported Operating Systems' of the Quick Setup Guide and Setup

Guide that Windows 8.1 should not be used for the LES application server because the operating system limits the number of connections to endpoints.

• Fixed the detection problem for a USB "special purpose" sticks (CAD dongle / tachograph reader). • The AMD USB 3.0 Hub is now properly detected and defined as a bus controller. • Added clarification to section 'File Filters' of the Device Control User Guide that if you activate the

File Filtering feature for the DVD/CD class, the user will not be able to burn such media. • Corrected several French and German translation errors in RTNotify. • Fixed the issue in Media Authorizer where when the 'Add User' dialog opens, the name is already

preset with random symbols. • Fixed the compatibility problem between Kaspersky Endpoint Security 10.2.1.23 and the LES agent

on x64 operating systems. • Fixed an issue where escape characters are displayed in the error message when encrypting a USB

disk using a weak password on Windows XP SP3. • Corrected a Chinese translation error in the error message when encrypting USB disk using a weak

password. • Fixed the problem with SVOLBRO where burning an encrypted CD/DVD didn't work if MS CA

keyprovider is enabled.

15


• Fixed a problem where you could not encrypt a CD DVD by dragging files to SVOLBRO without

Local System Read/Write access. • Updated Setup Guide to state the Application Server service should be manually stopped on all

servers before updating the LES application and the client MSI is located at \client\setup.exe. • Fixed the issue where sk-ndis sometimes did not install correctly on Server 2008 R2 and Windows 7

x64. • Fixed the issue where device control blocks a hidden volume of Windows Embedded UWF (x86). • Provided clarification in section 'Default Options (Computer Tab)' of the Device Control User Guide

that when the 'Endpoint Status' option is set to 'Do not show' not only does the RTNotify icon get hidden but all notifications are also suppressed.

• Provided clarification in section 'Generating a Key Pair' of the Setup Guide on the public/private key locations on SXS depending on server architecture (x86 vs x64).

• Fixed an issue where a Windows 8.1 x64 system would crash when launching an application from a USB device with read shadowing enabled.



NEW IN VERSION 4.6 (build 162) [17-Dec-2014]

The HEATsoftware Endpoint Security 4.6 release includes the following new features:

• Support for Universal Data Format CD/DVDs. Media Authorizer can now hash media in the UDF format.

• Support for file shadowing of files burned to CD/DVD. Files copied to CD/DVDs using Windows

Media Burner can now be shadowed. • Current status of devices is shown in the Manage Devices window. The Manage Devices option

shows which devices are currently connected to a client so it is easy to assign a new policy. • RtNotify displays the date, time and server name from which the client received its last update.

The HEATsoftware Endpoint Security 4.6 release resolves the following issues:

• The option "Create encrypted CD/DVD" was greyed out when the user had Read\Write permissions. • Read-shadowing was not occurring when file filtering was enabled. • File hash import and export was causing SQL deadlocks. • Virtual channel XenApp 6.5 issue where only the first user who opened a session

could access a USB device. • Command and control service crashed when a USB card reader was used. • The option "Remove Computer Group" now shows a warning/confirmation dialog before

16


removal of the group.

• KeyLogger white-listing issue with Microsoft Wireless 2000 keyboard. • Security management console was crashing when sorting large data sets by column. • SVOLBRO issue where attempting to place a folder into one of its subfolders

resulted in a crash and data loss. • PowerShell 'Get-Netadapter' command was not returning information. • Audit log contained a code integrity warning for sxwmonXX.dll on Windows 7 and newer. • FileFilter permissions were not changing when the "Run as different user" capability was used. • Custom LES release 4.4.1307 issue where encrypted sticks would not unlock after upgrade to a

newer version. • SADEC utility issue where right-clicking on a folder in Windows Explorer caused a crash. • Switch User login function resulted in logged events always appearing as if they came from the first

user. • Export policy created a 0KB file on every second attempt. • Ask User option of the Macro and Script protection displayed the wrong Web site URL. • Issue where wscript and cscript were crashing. • Synchronization issue in the kernel driver SK.sys that caused a system crash.

Known Issues: • "Failed to install the hcmon driver" error when installing VMWare View® Client on a client

machine. See KB 1688 for more details on this issue.

NEW IN VERSION 4.5 SR3 (build 2710) [06-Aug-2014]


• Client support for Windows 8.1 Embedded, Windows 8.1 Update 1, and XenDesktop 7.5. • Server support for Windows Server 2012 R2. • Apple® devices are now recognized by the Security Managment Console (SMC) and can have

policies

applied to them. A policy can be created to allow charging while still denying read and/or write access.

• Custom file types with related permissions can now be deleted when all the file types are selected in the File Type Filtering wizard.

• A progress bar is displayed when copying files with File Type Filtering. • Log files can now be assigned a maximum size limit.


• Corrected potential Transport Layer Security (TLS) vulnerability due to improper packet size.

17


• VPN over wireless LAN connections were being dropped as soon as the connection was made

because it was incorrectly identified as a wired connection and wireless was then dropped. • Shadowing permission was always displayed as DISABLED in RTNotify when the encryption

scope was set. The policy functioned properly however the display was incorrect if shadowing was ENABLED.

• Scheduled Reports failed to save if the data set contained non-ANSI characters. • HEATsoftware Endpoint Security database setup process contained hardcoded reference to the

name SX and would not allow any other database name. • HEATsoftware Endpoint Security database could no longer be set up manually without removing

spaces from the filename. • Updated user documentation to state Easy Exchange encryption is done in a single file or multiple

files (depending on removable media capacity) using a FAT structure. • Removable devices were still prompting for password when inserted on a protected endpoint with

decentralized encryption. • Special removable devices that require a separate PIN for access were not displaying the PIN

dialog box for access, when inserted on a protected endpoint with decentralized encryption. • Print shadow files were only saving to the default location and not a user-specified location. • SVOLBRO displayed the ambiguous error message "Unspecified error" when attempting to access

a device with non-FAT16 or FAT32 file format. • Deployment Tool could not uninstall or upgrade the client on Windows 2003 endpoints when

hardening was set to Extended. • Media Authorizer was not reading the option for the FAT32 2TB limit and considered it hardcoded at

128GB. • SVOLBRO was crashing when a .zip file was unpacked. • Media Authorizer was not able to grant access to special media (CD/DVD) for specific users. • Temporary Permissions were revoked prematurely based on the server time of the database and

not the time zone of the protected endpoint. • USB Rubber Ducky keylogger device was not blocked. • Attempting to Save a file under Manage Custom File Types following an error with a blank name

saves part of the error message instead. • Web site with Javascript was not displaying properly despite being whitelisted. • "The media has been unlocked" message box was still displayijng on a protected endpoint when an

encrypted USB whose login user has None permission for Removable Storage Devices was plugged in.

• iTunes and Blackberry Desktop Manager was causing protected Dell Vostro 3350/3360 to reboot. • Endpoint Maintenance was not working on a Windows 7 64-bit client. • The SMC was crashing if client key contained 0x0A or 0x0D control characters. • The HEATsoftware Device Control User Guide was updated to include the Added Read-only/Read-

Write/None and Defaults to Permissions Allowed for Portable Devices. • HEATsoftware Endpoint Security 4.5 incompatibility caused crash of the IBM Java Virtual Machine. • Unauthorized Script Detected dialog for a web page provided the wrong URL and did not always

handle permissions properly. • Log Explorer was displaying the size of filename shadowed files much smaller than actual size. • Pharos software was causing duplicate printer listings and issues with print shadowing. • Incompatibility with Checkpoint EPS client was causing a stop (blue screen) error. • Cutting a file from SVOLBRO and pasting it onto local computer was changing the current directory

to My Computer. • Request Temporary Access Offline for All Devices dialog box was incorrectly displaying Write-only

as an option without requiring Read as well. • SVOLBRO file copy was displaying "Overwrite Warning" even though there was no destination file

to overwrite. • SVOLBRO was crashing when opening a file after the folder was moved. • File filtering prevented the encrypted Removable Storage portion of a Kingston USB device from

opening.

18


• The msi uninstaller was not deactivating hardening when using the HD_MAINTENANCE_TICKET

option and not allowing the client removal. • The Permissions dialog box incorrectly displayed a blank entry for a User with the None permission

assigned to Removable Storage Devices. • Nitro PDF and svchost.exe were crashing after upgrade to HEATsoftware Endpoint Security 4.5

SR2. • Windows 8.1 Javascript was not working on Internet Explorer. • Different devices with no CM_DEVCAP_UNIQUEID set were still getting a Unique Id generated. • Data traffic was being logged against the copy limit when centralized encryption was used with a

removable device. • Documented that a custom shadow directory location can be set, but it cannot be created through

the shadow directory tool. • Samsung Android phone cannot install properly when client is on Windows XP 32-bit unless the

UMDF v1.9 drivers with Windows Media Player 11 are also installed. • Media Authorizer was not providing the "Easy Exchange" encryption method for some types of

media. • Scheduled reports were not saving properly because of invalid characters in the their filename. • Upgrades between clients for earlier HEATsoftware Endpoint Security 4.5 versions were failing on

Japanese endpoints. • Using Robocopy to copy files was failing when file-type filtering was enabled. • Documented the order of blocking precedence in the Application Control User Guide. The order is

User > Group (incl Everyone) > Global User Options > Machine > Global. • Domain names that contain an underscore '_' were not handled properly. • Lumix Maintenance UMDF USB Driver could not start in Windows Device Explorer. • Bitdefender clashed with the HEATsoftware Endpoint Security 4.5 SR2 client. • When using Online/Offline permissions for a WLAN, a delay of 5 minutes was observed upon

switching from LAN to WLAN when the WLAN NIC received a default Microsoft 169.254.x.x address. • Some Windows audio playback devices, such as Plantronics, could not be managed. • Password complexity information was updated in the Device Control User Guide. • Media Authorizer was providing a cryptic message when it failed to recognize a CD/DVD format and

failed to calculate the hash. • Client installation and upgrades were failing on some pre-Windows Vista operating systems. • On systems running Windows XP SP3, there was an error message when encrypting a USB device

by Media Authorizer and then exporting the key to the device. • A memory leak when using XenApp/XenDesktop was causing a stop (blue screen) error.

Known Issues: • Compliance Mode is not supported on Windows 2000. • During installation, HEATsoftware Device Control may not validate Certificate Authority for expired

or revoked certificates. • Automatic Load Balancing option may be disabled when updating the server, unless a user deletes

or modifies specific registry keys before or after the update process. • When logged into a Windows 7 system using remote desktop, domain users do not receive

HEATsoftware Endpoint Security event notifications. • Users may in some instances be unable to close the RTNotify dialog that displays immediately after

boot. • Hewlett-Packard® LaserJet™ 4250 DTN Network Printers are not blocked by

HEATsoftware Device Control and will work regardless of the device permissions settings. • "Failed to install the hcmon driver" error when installing VMWare View Client on a client machine.


19


WRITE-DENIED

• Administrators must assign Read/Write permissions to the LocalSystem for the Removable Storage

Devices class to allow users to encrypt removable media with Microsoft Windows 7 BitLocker To Go.

NEW IN VERSION 4.5 SR2 (build 2608) [17-Jan-2014]


• Network printers and Citrix® devices can now be added to Device Explorer through the right-click context menu on events in Log Explorer.

• HEATsoftware Endpoint Security now prompts the user if the Windows® Script Host is using the Internet Explorer® 9 script engine.

• Default size of the Status window has been increased and a user-selected size can now be saved. • Client support for Microsoft Windows 8.1 (32- and 64-bit) and Windows Server 2012 R2 (64 bit

only). • Portable Device class updates:

• Read-only access available. • Copy Limits are enforceable. • Shadowing capability added.


• User could not access a portable device when only assigned the Read/Write permission. Portable device was identified as a Removable Storage Device.

• All Log Explorer Reason column values were not documented in the User Guide/Help. • Resolved a performance issue observed when compiling projects using Microsoft Visual Studio®

2010 with a HEATsoftware Endpoint Security 4.4 SR10 client installed. • Updated the system requirements for the Windows® 2000 OS in the HEATsoftware Endpoint

Security Application Control User Guide. • "The requested allocation size was too large" error no longer displays in SVolBro when a user tries

to paste a file larger than the free space on the device. • 4.5 SXS installer would pass a license file check with a renamed license file, resulting in failures

later in the installation process. • Help file for "Synchronizing Local Users and User Groups" contained incomplete information. • Text in the German-language Password Recovery dialog in SVolBro required correction. • Left pane in SVolBro would not appear upon pressing F5 with focus on "Computer". • SVolBro in Citrix XenApp™ was not refreshing when a device was removed and

reconnected. • Printing issue was encountered when using PDF creator with shadowing enabled. • Issues occurred when copying/dragging files and folders to other folders. • Drive tree view in SVolBro did not refresh properly. • Selecting a Computer in the left pane of SVolBro would make the device information in the right

pane vanish. • Wrong context menu was being shown in the right pane of XenApp SVolBro. • SVolBro would show all device folders as encrypted upon extracting a folder from an encrypted stick

to the same device.

20


• SVolBro would go into an infinite loop of creating copies when extracting from an unencrypted

removable device to the same device. • Key pair generator would crash during exiting. • UMTS modems were not always blocked on Lenovo™ laptops. • USB audio would break-up when SCOMC was stopped on Lenovo laptops. • Folder with a specific name could not be moved in SVolBro. • SK-NDIS Miniport and Miniport WAN were retained after HEATsoftware Endpoint Security Agent

uninstall. • HEATsoftware Endpoint Security Client 4.5 SR1 and SR1.1 caused reboot loops to occur on

Windows 2000 machines. • Removable Devices were being classified as Portable Devices. • Installation of Microsoft Visio® and Project failed on endpoints with an MSI error. • VMWare® Tools installation/upgrade failed.

Known Issues: • Compliance Mode is not supported on Windows 2000. • During installation, HEATsoftware Device Control may not validate Certificate Authority for expired

or revoked certificates. • Automatic Load Balancing option may be disabled when updating the server, unless a user deletes

or modifies specific registry keys before or after the update process. • When logged into a Windows 7 system using remote desktop, domain users do not receive

HEATsoftware Endpoint Security event notifications. • Users may in some instances be unable to close the RTNotify dialog that displays immediately after

boot. • Hewlett-Packard® LaserJet™ 4250 DTN Network Printers are not blocked by

HEATsoftware Device Control and will work regardless of the device permissions settings. • Administrators must assign Read/Write permissions to the LocalSystem for the Removable Storage

Devices class to allow users to encrypt removable media with Microsoft Windows 7 BitLocker To Go.

NEW IN VERSION 4.5 SR1.1 (build 2537) [11-Oct-2013]

The HEATsoftware Endpoint Security 4.5 SR1.1 update contains only Console and Client components. It is not a full release. If you are experiencing any of the issues listed as resolved below, you may use this update to upgrade the console and clients in your environment.

The following issues are resolved in this update: • When installing or upgrading the LES client, the new version of the client would cause a timeout

and therefore not start. This is due to a security check and is seen only in specific environments.

21


The issue has been resolved by implementing a different security check of the new files which is not subject to environmental conditions.

• Explorer.exe was crashing after users right-clicked devices to encrypt, format, or unlock them. Windows Event Viewer cites dcext.dll as the cause of the crash. This issue was dependent on a combination of settings in the OS and versions of Windows components in place. The issue has been resolved.

• For users of LES Device Control in combination with Citrix XenApp 6.5, after applying the Citrix Hotfix Rollup Pack 2 (XA650W2K8R2X64R02) Device Control policies would not be enforced on unmanaged endpoints. This issue has been corrected.

• The SXOpt utility now supports machine names which begin with numbers. • OBJECT_NAME_NOT_FOUND Errors were appearing in ProcMon logs referencing JavaScript on

network locations. This has been corrected. • Canceling out of the Authorization Wizard could result in a crash. This has been resolved. • LES Application Control: If Macro and Script Protection is set to "Ask User", and a script is executed

using IE 9's script engine, the user was not prompted. This has been resolved. • Devices may now be added from WRITE-DENIED events, in addition to DEVICE-ATTACHED

events. This is primarily in support of adding network printers to be managed. • Secure Volume Browser would allow various invalid file operations. These are now properly

blocked. • Secure Volume Browser: The file name list in the left pane is now also cleared when Clear File List

is selected. • An extraneous NULL character has been removed from Log Explorer exports when exporting in

Unicode. • In some cases, when burning an ISO image to disc with Shadowing enabled, only two files are

shadowed. This has been corrected. • When changing Options in Machine-Specific Settings, and choosing not to send updates

immediately, updates would be sent upon closing the Options dialog. This has been fixed. • In some cases, Secure Volume Browser would crash if opened before an encrypted disc was

inserted. This has been resolved.

NEW IN VERSION 4.5 SR1 (build 2486) [03-Jul-2013]


• Added the ability for each supported archive type (RAR, ACE, CAB, MSI, LZ, and so on) to be detected separately and displayed in the management console. This also resolved the previous issue where MSI files were detected as both installers and archives.

• Devices encrypted with Citrix Xenapp can now be upgraded to HEATsoftware Endpoint Security decentralized encryption, when connected to an endpoint managed by the HEATsoftware Endpoint Security Client. The user also has the option of opening the Citrix-encrypted device with Secure Volume Browser. Important: No user data, encrypted or unencrypted, is lost during this upgrade process.

• Administrators can use the new Database Maintenance feature to clean up orphaned logs and attached shadow files, thus reducing the disk use on the HEATsoftware Endpoint Security servers. This maintenance can be scheduled in advance to run during off-peak hours and stopped after it has started.

22



• Resolved an issue with the SCOMC service failing to start after installation. • Resolved an issue where the SCOMC service would crash after burning a DVD or Blu-ray with

CDBurnerXP when file shadowing was enabled. • Resolved an issue where Microsoft Windows Server 2008 R2 SP1 could freeze when performing a

system state backup. • Resolved an issue where administrators were unable to add Network printers to the Printers Device

class. • Added Japanese translations of Device Classes to RTNotify. • Resolved an issue where File Filtering could allow the copying of some blocked file types to a USB

device. • Resolved a delay when unlocking a Secure Volume Browser 4.5 encrypted device which was

encrypted on a machine that did not have the HEATsoftware Endpoint Security Client installed. • Updated File Type Filtering for MSI and CAB files to include newer variants of these file formats. • Resolved an issue where HEATsoftware Endpoint Security Application Server could crash when

importing an SFD file. • Resolved a conflict between HEATsoftware Endpoint Security 4.5 and Symantec Endpoint

Protection 12.2.2015.2015 which could result in a system hang. • Added File Type Filtering support for an additional variant of the JPEG file format. • Resolved an issue where shadow files were generated when tool-tips were displayed in Windows

Explorer by mousing over the file names. Resolved an issue where accessing an encrypted CD/DVD from a managed endpoint using the

Secure Volume Browser instance on the disc rather than the HEATsoftware Endpoint Security client instance could result in an error and exit of the Secure Volume Browser

NEW IN VERSION 4.5 (build 2242) [25-Jan-2013]

The HEATsoftware Endpoint Security 4.5 release includes the following new features:

• Support for Windows 8 • Support for Windows Server 2012 • Support for SQL Server 2012 • The ability to Shadow Print jobs to local and network printers • The ability for Administrators to create custom file type filters • The ability to block TrueCrypt encrypted devices • Improved performance in certain Log Queries

The HEATsoftware Endpoint Security 4.5 release resolves the following issues:

• When File Type Filtering rules were in use, some file types were intermittently not recognized when

23


attaching an encrypted thumb-drive.

• Certificate generation for TLS would fail to complete if Microsoft KB2661254 was installed. • Users were unable to encrypt large drives using easy exchange. • Users were unable to uninstall the Symantec Workspace Visualization application when the

HEATsoftware Endpoint Security client was installed. • Creating an encrypted CD/DVD on Windows XP would cause the Secure Volume Browser to

generate an error. • Installation of the HEATsoftware Endpoint Security client on Windows XP required a second reboot

to

re-enable the Ethernet adapter. • If a zero-byte file was mapped into memory, application blocking was triggered regardless of the

permissions settings. • After upgrading to HEATsoftware Endpoint Security 4.4 SR10/SR11, some device permissions

settings

were evaluated differently than with previous HEATsoftware Endpoint Security versions. • Host permissions were not being applied to VMware Workstation 9 virtual operating systems. • Some Windows 7 laptop users were reporting periodic system failures. • Users were unable to install the HEATsoftware Endpoint Security 4.4 SR11 client if disk mirroring

was

enabled.

NEW IN VERSION 4.4 SR11 (build 2112) [15-Aug-2012] NO LONGER SUPPORTED

• Resolved an issue where the client, after initially resolving the HEATsoftware Endpoint Security server IP Address, would continue using only that IP Address rather than re-resolving the DNS name if the IP Address became unavailable.

• Resolved an issue where the syslog events for READ-GRANTED and WRITEGRANTED events were in UTC time, while other events were logged in endpoint time. All events sent to syslog are now logged in UTC time.

• Resolved an issue where WRITE-GRANTED events were erroneously logged and showing a file size of 0 bytes when users accessed removable media.

• Resolved an issue where users were unable to format encrypted DVD-RAM media using the Secure Volume Browser on some Windows XP systems. The resolution of this issue includes: • The change made to HEATsoftwareEndpoint Security 4.4 SR11 and • Ensuring that IMAPI2 is installed on the system. Please refer to http://www.microsoft.com/en-

us/download/details.aspx?id=17073 for details regarding the installation of IMAPI2. • Resolved an issue where the Secure Volume Browser would display the free disk space on

encrypted volumes inaccurately when using Secure Volume Browser via Citrix XenApp. • Resolved an issue causing Windows Explorer to sporadically hang when the HEATsoftware

Endpoint Security client was installed on a Citrix XenApp 6.0 server. • Resolved an issue that would cause the operating system to crash if a user attempted to fetch the

logs between when a large application was initially launched, from a CD/DVD which had filename shadowing for read and write enabled, and the actual start of the application.

• Resolved an issue where Windows Vista or higher laptops that contained an HP un2420 Mobile Broadband Module Network Device would crash when resuming from sleep mode.

https://community.ivanti.com/external-link.jspa?url=http%3A%2F%2Fwww.microsoft.com%2Fen-us%2Fdownload%2Fdetails.aspx%3Fid%3D17073



24


NEW IN VERSION 4.4 SR10 (build 2014) [15-May-2012] NO LONGER SUPPORTED


• With File Type Filtering enabled, files can now be opened directly from removable storage devices without

first having to copy them to the local drive. • Added support for Novell Client 2 SP1. • Added File Type filtering support for .ZED archives. • The Client Status report is now sortable by the Computer, Client Hardening Status, Client Last Log

Upload,

Client Policy Date, and Client Policy Status columns. • Added support for Windows Embedded Standard 7.


• When logging into a machine with both the HEATsoftware Endpoint Security Client and an anti-virus

application, users would receive a COM Surrogate has stopped working error. • When adding media with Media Authorizer, if the disc had already been added, the error message

displayed

did not contain enough information to identify the existing media. The messaging has been enhanced.

• eDirectory permissions were not properly updated on endpoints running Microsoft Windows 7 x64 with Novell Client 2 SP1.

• Following an error with FileTool.exe the HEATsoftware Endpoint Security service would stop. • When changing a computer option within Device Explorer, updates would be sent to the device

although the

change was canceled. • The drive letter of an encrypted device would remain although the device had already been safely

removed. • The Application Control Client displayed notification that an unauthorized file had been blocked

although the file was never executed or accessed.

• When using the Secure Volume Browser within a Citrix XenApp environment: • The Windows Event log did not capture the user account when recording log entries. • Garbled text would display when viewing the Windows Event log using InterSect Alliance Snare. • Users were unable to expand the folder structure (left-hand pane) of the Secure Volume

Browser.

25


• When attempting to create and rename a folder using the Secure Volume Browser, the Citrix

server would crash. • The Encrypt Remote Device option was disabled.

• Users could not burn a CD formatted with Live File System if FileName Shadowing was enabled. • The Management Console displayed multiple domains when attempting to add a workgroup

computer, thus

preventing the user from managing the computer. • Audio .cda files would not play when the HEATsoftware Endpoint Security Client was installed. • The DEVICE-ATTACHED event was not generated for the Wireless NIC device class.

NEW IN VERSION 4.4 SR9 (build 1574) [17-Jan-2012] NO LONGER SUPPORTED


• A conflict with the Impero client that resulted in the client being unable to start was corrected. • Some devices were being displayed with a deprecated device class of "NEM" although permissions

were being properly enforced. The devices now display as the proper device class. • The console was displaying the Device Model instead of the Managed Device Name in Log

Explorer. This has been corrected. • If an encrypted device is connected to an endpoint and a user without permissions to unencrypted

devices logs in, the Access Denied notification was displayed before the user had the opportunity to unlock the device. This notification is now only displayed if the device is unlocked and the user does not have permissions to access the device.

• Installation of the LES 4.4 SR7 client could trigger a Security Audit Event with EventID 6281. A registry value was added to exclude protected process from worms injection, thereby not triggering the event.

• Authorization Wizard was not properly processing an older version of InstallShield .CAB files. Support for this format has been restored.

• A conflict with Skype, which resulted in the application crashing or not being able to display a window, was corrected.

• The Client Status Report displayed an incorrectly calculated total number of clients when reporting on "All clients listed in the Database". The calculation has been corrected.

• When adding media with Media Authorizer, if the disc had already been added, the error message displayed did not contain enough information to identify the existing media. The messaging has been enhanced.

• When Secure Volume Browser was being streamed via Citrix XenApp hidden files on encrypted devices were being displayed. Hidden files are no longer displayed.

• Secure Volume Browser can now mount volumes which are mapped to subfolders. • When using Explorer to burn a CD or DVD on Windows 7 endpoints with a client installed, the Burn

to Disc and Delete Temporary Files buttons were disabled. This has been corrected. • On a computer with SADEC installed, CD/DVD's encrypted with Portable Encryption could not be

unlocked using Secure Volume Browser. This has been changed. • In the User Explorer, when sending updates to computers, the option to select users was also

available. When sending updates to computers, only computers can be selected now.

26


NEW IN VERSION 4.4 SR8 (build 1564) [31-Aug-2011] NO LONGER SUPPORTED


• Support for SQL Server 2008 R2 • The ability to encrypt devices from endpoints that do not have an HEATsoftware Endpoint Security

client, but are being served applications via Citrix XenApp (6 or higher). The user can launch the Secure Volume Browser executable file (SVOLBRO.exe) and use the utility to encrypt devices at the unmanaged endpoint. The Secure Volume Browser needs to be published to the user or on a desktop that is published to the user in order for them to access it.

• The ability to exclude specific applications from HEATsoftware Endpoint Security protection through a registry based extension configuration. Previously, protection had to be disabled altogether if there was a conflicting application. Now, you can specify which applications for HEATsoftware Endpoint Security to ignore.

• Configurable capacity limit for portable encryption. The previous fixed limit of 128GB for encrypting portable devices is now configurable. Administrators can specify the maximum size of devices to be encrypted using portable encryption. Lower sizes are recommended for environments with older endpoints with little memory available, larger limits can be used when the endpoints are equipped with modern amounts of memory. The limit can be configured from 32 GB to 2 TB.

• The Secure Volume Browser can now be configured to log file transfers in the Windows Event Log on the local machine.

• The ability to disable file copy data tracking. When Copy Limit policies are not in use, the HEATsoftware Endpoint Security client still tracks file copy data. This can impact some low- bandwidth environments with high file copy activity. You can now disable this tracking through the use of a registry key. To disable file copy data tracking; Set the CopyLimitsDisabled DWORD value located in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sk\Parameters equal to 1.


• Reduced the likelihood of deadlocks and primary key violations in the 4.3 to 4.4 database upgrade process.

• Resolved a conflict with ActivKey which resulted in a bluescreen when shutting down • Resolved an issue in Log Explorer where exclusions were not applied when more than one criterion

was specified for exclusion. • Resolved an issue where if both copy limits and file type filtering were applied and the user was at

or near the copy limit it was not possible to delete large files from the device. • Resolved an issue where the Authorization Wizard was attempting to make a network connection

prior to starting, which caused a delay during startup. The Authorization Wizard now starts immediately.

• Resolved a conflict between LAN Crypt 3.71 and the HEATsoftware Endpoint Security client. • Resolved an issue where a read-denied notification was displayed if a service attempted to read

from an encrypted device, that had been attached during boot, prior to the user unlocking the device.

27


• Resolved an issue where the Eikon Excel add-in would crash when the HEATsoftware Endpoint

Security client was installed. • Resolved an Authorization Wizard compatibility issue with InstallShield Archives (CAB files).

NEW IN VERSION 4.4 SR7 (build 1550) [3-May-2011] NO LONGER SUPPORTED

Issues Resolved • Performance issues in the console have been addressed which improved refresh times and shorter

delays when displaying large reports. • Sorting large reports will no longer cause sporadic Management Console crashes. • Instances where scheduled reports sporadically returned no data, although data did exist, have

been resolved. • The Device Explorer module properly displays all device classes and refreshes without issue when

modified. • Instances where Device Control had difficulty differentiating between different, yet similar, USB

devices have been resolved. • Administrators can now configure the Application Server to log and skip duplicate SIDs and other

ACL errors during directory sync. • Copy limits are now enforced when using File Type Filtering.

New Features • You can now whitelist specific HID devices like barcode scanners or USB console switches

(Avocent etc) which could otherwise trigger false keylogger alerts. Please contact Support for details. • By installing the agent on a Citrix XenApp server, you can now manage device access at a class

level through XenApp on unmanaged endpoints. You can assign device class level permissions to Users and User Groups, and these permissions will be enforced on endpoints using XenApp applications..

• A new Device Explorer class of Citrix Network Shares has been added. The documentation covers this new functionality.

• SQL Server 2008 SP2 x86-x64 supported. (SQL Server 2008R2 certification pending for SR7, use this one at your own risk)

• Windows 7 SP1 x86-x64 supported. • IE9 x86 supported. (IE9 x64 not recommended)

NEW IN VERSION 4.4 SR6 (build 1452) [24-jan-2011] NO LONGER SUPPORTED

Issues Resolved • USB Thumb-drives that have dual CD/removable partitions (or certain MFP devices or docking

stations) can be safely removed without incident.

28


• When a user connects a device, that they do not have the necessary permissions to access, only a

single log entry is created per event. • The conflict between the HEATsoftware Endpoint Security client and Sophos Antivirus has been

resolved. • Attempts to scan a remote directory will no longer cause the Authorization Service to crash. • A translation error in the Italian version of RTNotify.exe has been resolved.

NEW IN VERSION 4.4 SR5 (build 1447) [19-oct-2010] NO LONGER SUPPORTED

Issues Resolved • When encrypting devices, the Retain Data option is now available to users who do not have read

access to unencrypted devices. • When an application is blocked from a Novell mapped drive, the file detail information is now

properly displayed in the Unauthorized Application Detected dialog. • Instances of some SD card readers causing the user to be prompted to encrypt the device although

no card was present have been resolved. • To save a scheduled report for export a destination path must be specified. • Setting the permissions for wireless devices will no longer display incorrect CD/DVD permissions on

the endpoint. The CD/DVD permissions are now displayed correctly on the endpoint. • Instances where disconnecting a CD Recorder during the burn process could result in a system

crash have been resolved. • When shadowing during write operations, the log event user is now properly recorded as the logged

in user instead of SYSTEM. • Log Explorer queries with multiple machine and user exclusions will no longer cause an excessive

load on the SQL Server.HEATsoftware Endpoint Security • Log Explorer query speed has been significantly improved for large installations using machine

criteria. • Conflicts with the Aladdin Secret Disk authentication token have been resolved. • Corrected a typo in the German version of RTnotify.

Known Issues • It is currently not possible to manage workstations using Novell Client 2 (any version). When using

Citrix XenApp/XenDesktop with HEATsoftware Application Control the following 2 known issues apply:

• MSIEXEC, and any setup.exe file that uses MSIEXEC, will not work if the HEATsoftware Endpoint Security client is installed. Workaround: Contact HEATsoftware Support (http:// support.HEATsoftware.com) for assistance.

• The pop-up message generated when an application is blocked will incorrectly indicate that the application failed to start rather than indicating that it was blocked by HEATsoftware Application Control.

https://community.ivanti.com/external-link.jspa?url=http%3A%2F%2Fsupport.HEATsoftware.com%2F



29


NEW IN VERSION 4.4 SR4 (build 1401) [13-jul-2010] NO LONGER SUPPORTED

Issues Resolved • The Symbol® MC70 (Motorola® MC70) Wireless Barcode Scanner is properly recognized and

managed. • Compatibility between the Secure Volume Browser and various shell extensions has been

improved. • Secure Volume Browser will recognize all files, including files with the same name but different

extensions, when the Hide extensions for Known File Types option is selected within Windows Explorer.

• When opening a file from an encrypted device with the Secure Volume Browser a message will display reminding the user that the file has been opened as read-only.

• System crashes, which may have occurred when copying data to an encrypted Trek Thumbdrive™ Mini (TDMINIG4) USB device on Windows 2000 endpoints have been resolved.

• The Google Chrome browser is now compatible with HEATsoftware Endpoint Security 4.4 SR4 on 64-bit Windows XP in Sandbox mode.

• Instances of some reports exporting incorrect data when the original report had blank columns have been resolved.

• False keylogger alerts have been minimized by allowing the keyboard to move to any internal USB port without triggering an alert.

• Instances of a deadlock occurring and causing the system to hang during login, when using Windows XP and HEATsoftware Endpoint Security 4.4 SR3, have been resolved.

• Instances of SCOMC being unstable at startup using Novell eDirectory 8 and Zenworks 7 have been resolved.

Known Issues • When shadowing DVD burning on Windows Vista or Windows 7 using builtin IMAPI2, an error is

generated on the client and the burn process fails. • When allocating memory for Java applications (JAR files), Java requires a contiguous block of

memory. If a contiguous block of memory is not available, such as when a driver (including the HEATsoftware Endpoint Security driver) occupies a portion of the memory space Java is trying to allocate, an error will be generated and the Java application will not run. This is a well-documented Java issue and is not an issue with HEATsoftware Endpoint Security. For additional details refer to HEATsoftware knowledge base article 727.

• In Log Explorer, if you attempt to view a large (> 2 GB) shadow file on a system with 1 GB, or less, of memory the console will crash.

• The User Account Control (UAC) setting in Windows Vista can have an impact on HEATsoftware Application Control enforcement. This is by design of UAC and is not a HEATsoftware Endpoint Security issue. For additional information, refer to HEATsoftware Support (http:// support.HEATsoftware.com).

• Within Log Explorer, when creating a custom query which includes a File Path, using a backslash (\) within the path may return no results. Workaround: Instead of a backslash (\), use an asterisk (*).

• Some CD/DVD disk formats may not be supported for file name shadowing reports. • Compliance Mode is not supported on Windows 2000.



30


• During installation, HEATsoftware Device Control may not validate Certificate Authority for expired

or revoked certificates. • When applying file filtering for archive type files, HEATsoftware Device Control may evaluate .msi

type files as archive type files. • HEATsoftware Device Control may not manage USB removable storage devices by unique ID for

devices that have encryption software/hardware pre-installed. • The Automatic Load Balancing option may be disabled when updating the server, unless a user

deletes or modifies specific registry keys before or after the update process. • Administrators must assign Read/Write permissions to the LocalSystem for the Removable Storage

Devices class to allow users to encrypt removable media with Microsoft Windows 7 BitLocker To Go. • Log Explorer reports scheduled for Once or Daily frequency will be produced one hour later than

scheduled. Workaround: If you need reports of these types to run at a specific time, schedule them for one hour earlier.

• New installations and upgrades to HEATsoftware Application Control 4.4 SR4 on Windows 2000 endpoints must first apply Update Rollup 1 for Windows 2000 SP4. Following the application of Update Rollup 1 for Windows 2000 SP4, a small patch should be run (contact support) or the HEATsoftware Endpoint Security 4.4 SR4 client must be uninstalled and re-installed. Upgrading, instead of uninstalling, will leave HEATsoftware Application Control unable to block applications (HEATsoftware Device Control is not affected). This is due to a known issue in Windows Update (please refer to Microsoft KB 891861 for additional details). If your endpoints have already been patched to this level, you can disregard this procedure.

• It is currently not possible to manage per-machine permissions for workstations using Novell Zenworks 10.

IF YOU UPGRADE FROM v4.4 SR3 TO SR4, THERE IS NO NEED TO UPGRADE THE DATABASE

NEW IN VERSION 4.4 SR3 (build 1206) [3-apr-2010] NO LONGER SUPPORTED

Solved in this version • The IBM™ (Lenovo™) ThinkPad® T61 fingerprint reader is no longer disabled when the

HEATsoftware Device Control client is installed (please contact support for details). • CD/DVDs can now be assigned again to user groups in Media Authorizer. • When performing database maintenance in a multi-server installation, the shadow files from all data

file directories (DFDs) are now removed. • The passwords used with an encrypted CD/DVD can now be up to 60 characters long. • If a file changes, the hash will be automatically recalculated. • Driver conflicts with the ROCKEY USB dongle have been corrected.

31


NEW IN VERSION 4.4 SR2 (build 1080) [13-jan-2010] NO LONGER SUPPORTED

New in this version • The Encrypt Medium wizard for encrypting Removable Storage Device class media allows users to

attach a device to a client running HEATsoftware Endpoint Security that launches a series of device encryption options for the end user. The encryption options available for user selection are controlled centrally by the administrator using the Device Control default options shown in the Management Console.

• The Encrypt Medium utility provides a simple, streamlined encryption experience for the end user. • The Encrypt Medium utility options allow an administrator to predetermine user access methods that

allow users options to add password-enabled, Windows or PGP users, to save or erase existing data on the device, and to save or erase data from unused sectors on the device.

• The Encrypt Medium wizard encryption methods include options for portable, nonportable, and combined portable and nonportable device access. Portable device access allows users to access an encrypted device outside the network. Nonportable device access allows users to access an encrypted device only within the network.

• The Device Control shadowing option provides information to the Log Explorer describing the device model, model identification, and unique device identification for file information accessed or copied to a device, when Log Explorer reports are generated.

Solved in this version • The Log Explorer Device Log reports events with the device name and model identification

description for WRITE/READ_GRANTED criteria. • There is no longer a lockout period for HEATsoftware Device Control user access. • Adobe Indesign CS3 works properly when the HEATsoftware Device Control client is installed. • Wireless adapters recognized as device type 100, when the driver is correctly entered, are properly

recognized in the database. • When the Device Log default option is Disabled the client does not generate Medium- Inserted and

Device-Attached log entries. • When using HEATsoftware Endpoint Security Device Control filename shadowing, the temporary

filename created by Microsoft Word is replaced by the final filename when the filename renaming is complete.

• Aladdin eToken USB smart-card based devices are properly recognized by PGP Desktop when running the HEATsoftware Endpoint Security Device Control client.

• Access to CD/DVD drives functions properly for HEATsoftware Device Control installed on Windows Vista running Sophos Anti-Virus (versions 7.6.10 and 7.6.11).

• Device Control works properly for encryption of removable storage devices with a physical- write protect switch enabled.

• DigitalPersona Pro 4.4 biometric software works properly when the HEATsoftware Device Control client is installed.

• HEATsoftware Endpoint Security works properly when running Microsoft Driver Verifier software. • Citrix XenDesktop images will shutdown properly when Device Control is installed on them.

32


NEW IN VERSION 4.4 SR1 (build 1003) [4-sep-2009] NO LONGER SUPPORTED

Changes in this version • Windows 7 Support - The client and console are now supported on Windows 7 (x86 and x64) • Windows Server 2008 R2 Support - All components are now supported on Windows Server 2008

R2 (x64) • PGP Key Support - Use existing PGP keys to encrypt devices and CD/DVD's, for PGP Desktop

users • Multiple Users for Encrypting CD/DVD - The same capability of adding multiple users and multiple

user types for devices has been extended to CD/DVD encryption. This includes Passphrase Users, Windows Users, and PGP Users

• Prompt for Encryption - Users with the option to encrypt can be prompted to encrypt unencrypted devices when they are attached to the endpoint

• Ability to restrict encryption to Passphrase Users Only - This will be accomplished by allowing Admins to disable the PGP User and Windows User features.

• Admin control of "Retain Data" option - Admins can now set the default state of the Retain Data option. Furthermore, they can optionally enforce the setting.

• Changes to Path Rules Dialog - The Path Rules dialog can now be resized, and sorted by column header. Also, you can export the Path Rules to a CSV file. Finally, "Add New..." no longer overwrites

• Scan Explorer Improvements - The console no longer must wait for a scan to complete before allowing the Admin to continue working. Also, if an endpoint being scanned is shut down during the scan, we now simply cancel the scan. Also, scan messages in the console now specify the machine name the message refers to.

• Administrator's Guide - An additional document covering advanced usage topics will be added to supplement the Setup and User Guides.

• HEATsoftware Rebranding - The product will reflect the new branding: Endpoint Security, HEATsoftware Device Control, and HEATsoftware Application Control

FIXED IN SXS VERSION 4.4 (build 924) [5-aug-2009] NO LONGER SUPPORTED

• 71502 - ADO error 0x80040e07: compatibility with multiple datetime data type values • 71503 - ADO error 0x80040e37: compatibility with Case Sensitive (CS) SQL database collation • 72602 - Cannot open shadowed files from Log Explorer • See KB 695 for more information about this patch.

https://community.ivanti.com/external-link.jspa?url=http%3A%2F%2Fwww.HEATsoftware.com%2Fkb%2F695

33


NEW IN VERSION 4.4 (build 922) [16-jun-2009] NO LONGER SUPPORTED

New features • Syslog support from the client and the server allows administrators to combine and correlate

LES event information with other enterprise applications using Microsoft® Operations Manager (MOM) or any third party syslog server. This feature increases the capacity for custom reporting and administrator alerts.

• LES administrator-defined password complexity restrictions match Microsoft Active Directory® password complexity restrictions , allowing administrators to implement a homogenous password policy. Administrators can also specify the minimum password length.

• All server components are adapted to work on VMWare® and Microsoft® Windows Server® 2008 Hyper-V® virtual platforms.

• Increased Easy Exchange capacity supports removable storage media up to 128GB, which is a significant increase from the current 4GB limit.

• Extended endpoint encryption capacity provides removable storage device encryption for any capacity, which reduces administrative overhead.

• LES database speed and storage space optimization significantly improves storage capacity requirements for large enterprise users. HEATsoftware tests show more than a fifty percent reduction in LES database size.

• LES supports the Database and Application Server components on Windows Server 2008 (x86 and x64 versions).

• LES supports Microsoft SQL Server 2008® (x86 and x64 versions, full and express editions). • The Client Status report for LES clients shows:

• When policy was updated. • When log files were uploaded. • The LES product version number. • The name of the Application Server that the client connected to.

• LES administrators have separate setting options for execution logging and script logging which can reduce the database size by turning off script logging and maintaining execution logging.

Issues Resolved • Local Authorization pop-ups appeared when browsing files • Explorer appeared to hang when browsing large folders, especially on network drives • The Other column values in the Log Explorer module are represented correctly as binary data in the

MEDIUM-ENCRYPTED log entry for HEATsoftware Device Control. • Removed user access warnings for exporting an encryption key to the removable storage media

after Password Recovery. • Warning messages are no longer shown when a user recovers the password for an encrypted key

with full permissions. • The Log Explorer template User criteria field accepts the underscore "_" character. • You can add another user to the list of users when the Log Explorer template criteria for User is

specified. • Bus-specific user access permissions are correctly applied for new devices the first time the device

connects to the LES client computer.

34


• All user group membership permissions are considered when applying permissions for Sanctuary

Management Console (SMC) users that are members of multiple user groups with different permissions.

• LES administrators may configure the RTNotify window to display LES client Status for all configured device models and instances for the system, or only for device models and instances that the user as permissions for.

• The Medium Encrypted message for CD/DVD is generated independently from the Device Log option setting so that a user can recover the password for an encrypted CD/DVD.

• Microsoft Word shadowed files opened in the Log Explorer close properly. • The Hardening rule is expanded to protect the complete SXdata folder, including shadowfiles. • After five attempts to unlock an encrypted removable storage device using a password, a user is

prompted to retry unlocking the device after fifteen minutes elapse. • LES is compatible with v-GO Single Sign-On ® (SS) Session Manager by PassLogix. • HEATsoftware Device Control shows the device model, mode l ID and unique ID for device files

transferred or read when shadowing is enabled. • Database Explorer shows all database records for file groups when using the LES Authorization

Service for the WSUS server. • A user can recover a password for USB removable storage device connected to a computer running

a different version of Microsoft Windows than the computer used to encrypt the device. • The procedure to assign key pair for the Application Server is modified to generate a new record in

the Serverkeys table when the previous key pair is deleted, so that Offline Permissions and Password Recovery work properly.

• HEATsoftware Device Control (German version) allows a user to add new removable storage media with the Media Authorizer and then delete the media from the database.

• Log files with trailing white spaces in some log record fields upload to the LES database without returning the SQL Server #dvidx error.

• The HEATsoftware Application Control filetool is modified to work with more *.exe file types. • A new script is available to delete all log entries from the LES database up to a specified date,

except for MEDIUM-ENCRYPTED log entries. • A script is available to filter WRITE-DENIED log event files for the LocalSystem user account when

client hardening is enabled. • USB removable storage devices can be encrypted with the option to retain existing data on the

device. • When encrypting a USB removable storage device from a Windows Vista 32-bit operating system

that has UAC disabled, you do not have to format the device. • The Log Explorer query generates results when the user group role is specified as Yes. • Virtual USB printer devices are shown in the USB Printer device class. • The LES client upgrade now checks the GPO setting "may not process the legacy run list" on the

LES client. • Executable applications launch properly on computers running both Almis® (Risk Analysis/Portfolio)

software and LES. • The MEDIUM-INSERTED log event for USB removable storage devices shows the unique ID,

model ID, or device ID. • File content filtering is enabled for scheduled, temporary, offline, and online permissions. • The Export medium key option is enabled on the LES client when defining only Export to file

permission. • The Secure Volume Browser (SvolBro) functions properly when using an encrypted CD/DVD on a

non-LES computer. • The Location field in the User Explorer remains for local users when assigned to file groups. • Logitech webcams can now be unplugged during usage without locking up the application using

them.

35


NEW IN VERSION 4.3 Service Release 1 (SR1 - build 25) [13-jan-2009] NO LONGER SUPPORTED

New in Sanctuary Application Control (all editions) • New logging option, 'Log Access Denied' will now only log what was really prevented/blocked from

executing on the endpoints; 'Log Denied and Unmanaged Execution' which is substituting the 4.3.2 and older 'Log Access Denied' Execution Log option, which previously resulted in excessive logging, especially impacting script logging.

• Local Authorization pop-ups appeared when browsing files • Explorer appeared to hang when browsing large folders, especially on network drives

New in Sanctuary Device Control • Some removable storage devices were not blocked the first time they were connected. • Renamed devices in the console were not properly renamed in the logs. • In some cases Secure Volume Browser was unable to open files on encrypted CD/DVD's.

NEW IN VERSION 4.3.2 [31-jul-2008] (4.3 GA release) NO LONGER SUPPORTED

New in all Sanctuary Products • The Reports module has been radically changed and modernized to be consistent with all other

modules in the console. • You can now also use our Sanctuary products, Sanctuary Device Control and Sanctuary Application

Control, to protect machines with Windows 2003 and Windows XP 64-bit operating systems. The Sanctuary Client Driver is fully operational in machines that use such Microsoft's OS.

• You can now install the Sanctuary Database in Microsoft SQL Server 2005 64-bit. • Sanctuary's client driver memory footprint on Windows Vista 32-bit OS is now considerably reduced

to a strict minimum. • You can now take advantage of the new shortcut keys specially defined to quickly access the

different modules available from the Sanctuary Management Console -- depending if you are using Sanctuary Device Control, Sanctuary Application Control, or both.

• The Log Explorer module, use to report on user and administrator's actions, has been completely redefined. We have reorganized common features in only three tabs and it is now even more easy to use.

• RTnotify.exe now consumes a lot less memory no matter how many policies are configured (now maximum 12MB).

• Many fixes implemented, please refer to the readme for more information.

36


New in Sanctuary Application Control (all editions) • Administrators now have the option to associate predefined File Groups to Well-Known users

when importing the Standard File Definitions (SFD) when using an option in the Import Standard File Definitions dialog directly from the management console. This complements with the following point.

• The Standard File Definitions (SFD) importing is no longer available during the Application Server installation. This is done to speed up the installation process. However, this is still possible using the Import Standard File Definitions menu item of the management console.

New in Sanctuary Device Control • We have added and extended the functionality for our browser tool for encrypted devices

(SVolBro.exe) and it now allows you to encrypt CDs/DVDs. We believe this is an invaluable tool to help protect corporate data during transport or archive.

• You can now open directly an encrypted file using SVolBro (Secure Volume Browser). The file is placed in the user's temporary directory. You can modify the file but you cannot return it to the medium. You can, on the other hand, save it to your hard disk drive and then do a copy and paste or a drag & drop operation.

• A new class, Portable Devices, has been defined in the Device Explorer of the Management Console that embraces the new breed of convergent device. This class categorizes smart storage devices like the new MP3 players, digital still cameras, mobile phones, storage devices, and so forth.

• PGP-encrypted devices are now recognized directly in Sanctuary-protected environments. This gives you the clear advantage of encrypting removable devices using either the long proven Pretty Good Privacy or Sanctuary's technology.

• The Event Notification rule now has a "Do not notify me again" checkbox to limit the number of messages the user receives when trying to, intentionally or unintentionally, break a defined policy. This modification was done because some applications insist on accessing data on the users' behalf generating a very high quantity of notification messages that the user must bear.

• You can now also define the Shadow rule, a full copy of data transferred from system-based devices, by bus type. If you are using DVDs/CDs or removable devices you can also define the encryption type.

37


VERSION 4.3.1 [25-jun-2008] was a 4.3 OEM oriented release NO LONGER SUPPORTED

VERSION 4.3.0 [10-jun-2008] was a limited 4.3 ramp-up release NO LONGER SUPPORTED

FIXES IN VERSION 4.2.6 (private release) [27-jun-2008] NO LONGER SUPPORTED

Fixed in all Sanctuary Products • SCOMC.EXE could potentially crash with a memory error at startup, when it was trying to process

logs with unknown SIDs.

FIXES IN VERSION 4.2.5 (private release) [23-jan-2008] NO LONGER SUPPORTED

Fixed in all Sanctuary Products • Incompatibility with SMS Inventory tool that could lead to excessive memory usage when a huge

exe file was scanned by SMS • Slow browsing of huge files over the network with Windows Explorer

VERSION 4.2.4 was not publicly released

FIXES IN VERSION 4.2.3 (private release) [07-dec-2007] NO LONGER SUPPORTED

Fixed in all Sanctuary Products • Incompatibility with SMS Inventory tool that could lead to system instability when an SMS scan was

in progress

38


FIXES IN VERSION 4.2.2 [04-sep-2007] NO LONGER SUPPORTED

Fixed in all Sanctuary Products • Incompatibility with multiple applications, including: Microsoft Internet Explorer 6.5/7 with certain

Java-related plug-ins, Macromedia Contribute v.1.0, F-Secure v.7.0, Xerox Docuprint 5.x. • With Client Hardening in place, 16 bit applications generated an error message. The user could

successfully execute the application by clicking on the Ignore button on the error dialog. • Upgrade issues from v.4.1.x and prior client versions on certain hardware. • Scheduled reports were processed all at once rather than as scheduled. • Missing query results for "yesterday" during certain periods of the day. • Server report was missing new 4.2 settings.

Fixed in Sanctuary Device Control • Limited policy enforcement for certain hardware devices, including: Mode3 floppy drives, Infrared

device class, Certain HP USB printers, Kodak Scanner connected through a SCSI controller. • Missing language translation on new dialog boxes. • Online/Offline permissions were not effective for the WiFi class for certain hardware. • Adding certain devices could cause the console to close unexpectedly. • Upgrade issues coming from a 2.x database version. • Incorrect criteria for default template, "Shadow files over 10 MB this month". • Queries containing file size produced inconsistent results.

Fixed in Sanctuary Application Control • FileTool error when a non-standard file header was encountered. • When system resources are low, very large permission files may only be partially written to the

client. • User Explorer error when trying to assign a file group that contained a nested file group to a domain

user.

NEW IN VERSION 4.2.1 [14-jul-2007] NO LONGER SUPPORTED

Fixed in all Sanctuary Products • Older versions of the Sanctuary client may not have worked properly when connected to a

Sanctuary Server which has been upgraded to v.4.2. • The "Endpoint Status" and "Endpoint Notification" options were not working when set for specific

machines.

39


• Scheduled reports were returning incorrect data, displaying "Device Control" and/or "Application

Control" registers rather than the relevant information in some cases. • 16 bit applications generated an error message. The user could successfully execute the application

by clicking on the "Ignore" button on the error dialog. • The Sanctuary Database upgrade from v4.1.3 to v4.2.0 aborted when there were offline SQL

databases. • A mistaken message appeared when uninstalling the Sanctuary Client Driver reporting that it "failed

to uninstall support for WiFi cards WAN" even though there was not such card present or connection established.

Fixed in Sanctuary Device Control • Portions of Sanctuary Application Control were active in Device Control only installations which

caused a conflict with Internet Explorer 6 and 7. • The Sanctuary Management Console closed prematurely from Log Explorer when the administrator

tried to add a device that was already managed (i.e., already existed in the database of administered devices).

• Secure Volume Browser (SvolBro.exe), the application used to browse decentralized encrypted devices, was closing unexpectedly when clicking repeatedly on the left working panel.

NEW IN VERSION 4.2.0 [25-jun-2007] NO LONGER SUPPORTED

New in all Sanctuary Products • Custom Reports - Custom queries can be automatically generated in an HTML, XML or CSV

format and delivered via email or network file share, simplifying audit compliance and streamlining management reporting in a format that can be easily integrated into a third party system.

• Enhanced Long - Term Log Records - Expands log records to store username along with existing ID, delivering enhanced user identification even after a username has been removed from the Directory, thus enabling easier analysis of ex-employee device and application activity.

New in Sanctuary Application Control (all editions) • Scripts and Macros Protection - Extends application policy enforcement by controlling the execution

of specific VBScript, Microsoft Office VBA and JavaScript with central authorization or a prompt to local users, thus enabling business without compromising protection.

• Optional Pathrule Logging - Provides full flexibility to either log or not log pathrule allowed activity even when whitelist allowed activity is not logged, giving administrators the option to audit specific files that are executing based upon pathrules without the noise of all allowed activity.

New in Sanctuary Device Control • Password Lockout - Lockout will be activated after a number of failed password attempts, reducing

the risk of hackers or unauthorized users breaking into devices to view confidential data.

40


• Password Recover - Allows for access to devices when passwords are forgotten or locked, enabling

secure recovery of encrypted data on removable devices to increase user productivity and to gain access to data stored on ex-employees encrypted removable storage devices.

• Retain Existing Data During Decentralized Encryption - Provides the user with an option to delete or retain existing data found on a removable storage device prior to Decentralized Encryption, simplifying the user experience while enforcing corporate encryption policies.

• Offline Temporary Permissions - Enables the generation of temporary permissions on demand, even when the user is not connected to the network, using a challenge/response system between the user and the administrator.

NEW IN VERSION 4.1.3 [15-may-2007] NO LONGER SUPPORTED

New in all Sanctuary Products • New DB connection loss handling. Instead of shutting down when recurring DB connection problems

are detected (old behavior), the Sanctuary Server ignores DB connection problems for a period of time; if problems persist, it stops accepting client and console connections until it detects that DB connectivity is restored.

• New endpoint data reception facility. Previously, the Sanctuary Server would insert endpoint data (logs and shadow files) as soon as they were received from the Sanctuary Client, without limiting the number of concurrent inserts. This could overload the DB server when surges of client upload activity occured. The new endpoint data facility places all incoming data in a staging queue, from which endpoint data batches are generated and dispatched in a more regular fashion, without stressing the DB. Advanced configuration parameters are available to fine-tune batching and dispatching of endpoint data; statistical information is available in the Windows Application Event Log to help examine and fine-tune the configuration.

Fixed in all Sanctuary Products • Standby mode was not working properly, reboot was necessary to recover from standby (affects

only 4.1.2). • An incompatibility with certain laptop wireless hardware could result in a STOP error (affects only

4.1.2). • Under certain conditions, clients could generate log entries that could not be stored in the DB.

Fixed in Sanctuary Device Control • Certain internal device class definitions were not processed properly by the client, causing

shutdown-time issues.

41


NEW IN VERSION 4.1.2 [03-apr-2007] NO LONGER SUPPORTED

New in all Sanctuary Products • A new eDirectory Translation option has been added to show or not Novells accounts information to

use them to define permissions. This option is only relevant if you also have Novells client installed. • The client uses a list of Sanctuary Application Servers IP addresses or Fully Qualified Domain

Names (FQDN) defined at installation time (that can be changed later if required). If the client driver cannot communicate directly with these servers, it will try to use all proxies defined in the Internet connection of the current user to do this.

New in Sanctuary Device Control • Our definition of an online/offline client - depending if a connection can be establish or not with

Sanctuary Application Server - can now be changed to the traditional one: a client is offline when no network connection can be established and online otherwise. There is a new machine option called Online/Offline state definition to reflect this change. Do not modify it if you want to keep compatibility with older versions of the client driver or if you are not using wireless network cards.

Fixed in all Sanctuary Products • The client driver was randomly erasing some critical windows registry keys - under some specific

configurations - exhausting the system resources. • The Vodafone UMTS card was blocked with the installation of Sanctuarys client driver. • Microsofts SQL server was reporting a deadlock situation when several queries were run

simultaneously. This condition arises, for example, when doing concurrently a large amount of client log uploads and Sanctuarys Management Console Log Explorer module queries. We implemented a fix to solve this situation avoiding locks where possible.

• Client deployment using the transform and MSI file directly by using Group Policy was not possible in the case where non-TLS communication was desired. The user needed to create a new transform file using freeware external tools. This is now part of the transform file the Client Deployment Tool creates.

• Sanctuary Application Servers setup was not recognizing correctly non-IP addresses when updating from previous versions.

• Fixed an issue where some Kodak camera software interfered with the client driver workings. • Minor changes were done in the Sanctuary Management Console and Sanctuary Client Deployment

tool title bars. • Resolved an issue where Sanctuary Client Driver failed when large quantities of I/O data were

processed (for example, during a backup operation) • A query done by the Log Explorer module of the management console was consuming all memory

when run through a very large SQL database. • Rephrased an unclear error message dialog text that appears when the endpoint machines clock is

not synchronized with the one of the Sanctuary Application Servers. • Sanctuary Client Driver was having problems working with a Testo 164 temperature data-logger. • Fixed an issue with an unresponsive Sanctuary Client Driver while using some SmartCard drivers.

42


• Some computers have several serial ports that can be (wrongly) configured as being in the same

address - for example two COM2 ports. This caused unexpected results in the client driver.

Fixed in Sanctuary Application Control • Fixed a problem where Ultimaco software was interfering with the client communication server

hashing authorization process due to inappropriate file sharing methods of this encryption solution. • The Non-blocking mode option was not respected when defined for more than one user/user group

at a time.

Fixed in Sanctuary Device Control • Fixed an issue where some USB pens were not correctly recognized in the Device Explorer module

due to an upper/lower-case problem (e.g. USB Flash Disk vs. USB Flash DISK). • Fixed an issue where the Device Explorer module was not communicating correctly with the

Sanctuary Application Server when it was installed on a different machine. • "Safely Remove Hardware" tray option was not working correctly. • The internal hard disk containing the OS is normally not included in the Removable Devices device

class. An issue with some specific HDD control drivers that were including themselves in this class was fixed.

• Fixed an issue where centrally encrypted hard disk drives - single or multiple partitions - were not correctly recognized. This issue was only occurring when the client driver was installed on a Windows XP SP2 operating system.

VERSION 4.1.1 was not publicly released

NEW IN VERSION 4.1.0 [18-jan-2007] NO LONGER SUPPORTED This release enhances and optimizes Sanctuary Device Control, Sanctuary Custom Edition, Sanctuary Server Edition and Sanctuary Terminal Services Edition as described below:

New in all Sanctuary Products • Advanced security option to authenticate and encrypt communication between the Sanctuary Client

and Application Server using the TLS (Transport Layer Security) protocol. This option may also be implemented for Server to Server communications in multi-server environments. When configured without TLS, Sanctuary will continue to authenticate the messages to ensure the integrity of the information passed.

• Server Settings report available in Sanctuarys Management Console, provides detailed configuration data about your installed Application Server(s). This is an invaluable source of information for troubleshooting and configuration setup.

43


New in Sanctuary Application Control (all editions) • Display of the parent-child relationship between File Groups in the User Explorer module includes

more visual cues in order to help clarify the indirect file assignments done when creating these relationships. (Nested file groups are not available in Sanctuary Standard Edition)

New in Sanctuary Device Control • A new Browse button allows you to quickly find user and groups in your Active Directory from the

"Choose user" dialog, when defining permissions. • The default 'Copy Limit' restrictions installed by the program have been changed to No limit for

the Removable Storage Device class. Default access continues to be None unless changed by the administrator.

• The 'Bluetooth radio devices' and 'Infrared Ports (IrDA) classes have been removed from the Device Explorer module and can now be directly controlled from the permissions dialog.

• Standard notification added for decentralized encryption to inform the user that a device must be encrypted before it can be used. The administrator can, of course, create an event notification to keep users informed with other messages.

Fixed in all Sanctuary Products • The management console installation now always properly recognizes when the Administrator

wishes to keep an older and newer version of the console installed. • Error messages have been reworded to provide the user with more description of the problem and

how to resolve it. • The Default Options dialog can only be seen by Administrators with rights; previously it was

incorrectly displayed, although those without rights could not change the options. • When creating an installation package in the Client Deployment Tool and afterwards deleting it, the

directory is now properly erased as part of the deletion process. • The error response time has been improved when setting a different server port in Client setup and

receiving no answer from the specified Sanctuary Application (SXS) Server. • Sanctuary Application Sever setup now checks the previous database installation and informs you if

you should also update the database.

Fixed in Sanctuary Application Control • When doing automatic detection with FileTool.exe, all SYS files required to run 16-bits applications

are now automatically added to that pre-defined File Group. • The Sanctuary File Definitions (pre-authorized operating system files provided by HEATsoftware)

have been updated to reflect latest service packs. • FileTool.exe now fully supports the scanning of large archive (>1GB) files.

Fixed in Sanctuary Device Control • Sanctuary Application Server (SXS) related issues are now logged in the Window's Event Log

simplifying the troubleshooting process when dealing with Data File Directory related issues such as

44


shadow files not being accessible by the Management Console.. This option allows Administrators to correct any problem so that they may be accessed via Log Explorer.

• It is no longer necessary to create an event notification rule to inform the user that a device must be encrypted before it can be used, one will be provided by default. The administrator can, of course, create an event notification to keep users informed with other messages.

• Removed an incorrect empty directory at the end of the volume tree listing in Secure Volume Browser tool (SVolBro.exe used to decrypt media).

• Hidden folders are now correctly shown in Secure Volume Browser tool (SVolBro.exe used to decrypt media).

• Addressed multiple issues in Secure Volume Browser tool (SVolBro.exe used to decrypt media) found in Japanese systems and resolved several other minor issues.

• Correct message is now displayed when the user tries to export an encryption key to the medium itself.

• Keyboard shortcuts (like Alt+F to open the File menu) now work correctly in the Device Explorer module.

• The copy limit feature now works when used with file type filtering. • Import/Export checkboxes in the Filter dialog are now inactive when no file type is selected.

NEW IN VERSION 4.0.3 [28-nov-2006] NO LONGER SUPPORTED

Sanctuary Application Control • The Authorization Wizard incorrectly showed already scanned and authorized files as 'non-

authorized', fixed. • Fixed issue in which Versatile File Processor Tool (FileTool) incorrectly assigned some file hashes

to clean group instead of Filetool. • Fixed issue that caused our file import/export command-line tool (fimpex.exe) to crash while trying to

incorporate new hashes to the database. • Fixed issue with Versatile File Processor Tool (FileTool) authorization that caused looping on select

files, freezing the machine and using up to 99% of the CPU. • A new <not assigned> option has been added to the criteria that can be queried in the Log Explorer

module. This allows queries that include those files currently not assigned to any File Group. • Corrected incorrect German allow/deny message translation in the Local Authorization dialog. • To support Sanctuary Authorization Service it is necessary to disable Windows Server Update

Services (WSUS) Express Installation Files. This was not documented, see the admin guide for more information.

Sanctuary Device Control • Fixed a decentralized encryption error when shadowing was set to filename only for user Everyone. • Defining a Shadow rule for read data and read/write permissions for a user, caused data copy

operations to the device to fail. • Some problems were reported, and fixed, when sending updates to a workstation belonging to a

computer group using the Device Explorer module. • Fixed a problem detected while doing a Drag & Drop operation from the desktop to the Sanctuary

Volume Browser (SVolBro) the files were also placed in the recycle bin.

45


• If a Drag & Drop operation to the Sanctuary Volume Browser (SVolBro) was cancelled, the involved

files were left in the recycle bin. • The Log Explorer module inserted new devices in the root class, while the Device Manager dialog

placed some of them in the User Defined class. • The empty disk space left on an encrypted disk, after ciphering and formatting it using the Easy

Exchange method, lead to user confusion. This is now fixed and there is no empty space left available for the user.

• Fixed an issue where shadowing on the LPT/Parallel Ports class was not working properly in some cases where data was buffered.

• Windows Explorer was crashing with clients installed in a Japanese Windows XP SP1 when a file filtering was active within permissions.

• Fixed a device-blocking problem with Sanctuary Device Control and its client working in VMware. Notice that USB device still cannot be used in VMware environments.

• Sanctuary Volume Browser (SVolBro) did not allow creating a folder on an encrypted USB key in a Japanese environment.

• While cancelling a replacing file operation from the internal HDD to a Sanctuary Volume Browser (SVolBro) window, the tool deleted the original file.

• The program now advice the action to take when inserting a decentralize encrypted device in a machine protected by Sanctuary.

• Fixed issue where a computer kept its old permissions when moved from one computer group to another.

• Sanctuary Volume Browser (SVolBro) used for decentralized encryption and Easy Exchange was not working correctly when doing copy/paste operations.

• The contextual menu of the Log Explorer module now include two new items: Open and Open With used to explore shadowed files (only full shadow). See details in the Admin Guide.

• Fixed some issues that arise when trying to encrypt a device in a German OS while Client hardening was activated.

• If working in a Novell environment, user names were shown as SID identifiers in the Log Explorer module. Now it shows the last Novell user that logged to that machine.

• Fixed an error that occurred when trying to encrypt specific USB key brands. • Fixed issue that prevented the user to add several uniquely identified removable storage devices

while using the Log Explorer module.

Client localization

• Corrected incorrect Japanese translation in the client help file and message errors. • Corrected incorrect German translation in the invitation message to encrypt a removable device

(using decentralized encryption).

Client Deploy/Installation • Fixed a client installation crash that occurred after a new install in certain cases involving multi-

threaded systems. • Fixed deploy tool issue in which Sanctuary mishandled Server names beginning with numbers.

46


VERSIONS 4.0.1 and 4.0.2 were not publicly released

NEW IN VERSION 4.0.0 [03-oct-2006] NO LONGER SUPPORTED

• We now support decentralized encryption where the administrator can force the users to cipher all or some removable storage devices connected to their computers. This lightens the burden of doing this task centrally on those organizations that rely on encrypted removable devices for their daily work. The task of exporting the encryption file is also transferred to the users.

• We previously classified device models as devices in their respective class. We are furthering extending this classification down to the precise unique individual device and showing this relation in the Device Explorer as devices inside models, inside generic device classes.

• Shadow rules can now be assigned either when the user reads or/and writes data to/from file- system based devices such as Recordable DVD/CD, DVD/CD, removable storage devices, floppy disks, Zip and PCMCIA drives, as well as to serial and parallel ports. Some of these devices only support a partial shadowing only the files name and not the complete content.

• Our encrypted volume browser Sanctuary Volume Browser svolbro.exe- has been extensively redesigned and now has the functionality of a mini-Windows Explorer. It can also be used through the command line using parameters. Users can now change the encrypted removable media password using the interface only if the encryption key has been exported to the medium itself.

• The permissions dialog has been extensively revised to include features such as bus and drive type, and more control over several option regulating removable storage media access. Permissions now also have the added functionality of allowing a decentralized encryption schema and the possibility of exporting the encryption key to the medium itself or to a file.

• The Removable Storage Devices class can now include explicit permissions for secondary HDD. This extends even more the permission functionality by allowing the administrator to choose among HDD, non-HDD, and both and to select the bus type and encryption schema (All, Encrypted, or Decrypted) as well.

• Sanctuary administrators can now associate a list of allowed file types to groups of users. Separated lists are allowed for inbound and outbound file copy. File type control is not based on its extension but in a series of checks on the header to ensure that the extension has not been renamed and that the file corresponds to the one authorized or banned. Administrators can create rules based on device type usage with file type filtering.

• Our Sanctuary Device Control Stand-Alone Decryption (SADEC) tool now not only supports removable media encryption but also external HDD encryption.

• General Read/Write permissions now support optative file filtering for Floppies, DVD/CD and removable devices. Administrators can define, using this feature, file filters that deny/allow read/ write access for the most common file types: MS Office, video, music, PDF, etc. Use them to control precisely what can be written/read from defined device classes. These file filters are not recognize by extension type (the most basic verification) but at the file structure level, avoiding extension forgery.

• Some device classes found in the Device Explorer module have been renamed (or NO LONGER SUPPORTED):

Name in previous versions New class name for this version

Palm Handheld Devices (USB) Palm Handheld Devices

RIM BlackBerry Handhelds (USB) RIM BlackBerry Handhelds

47


Unauthorized Encrypted Media NO LONGER SUPPORTED. All permissions for this class, if they exist, are transferred to the Removable Storage Devices class and defined with the Import setting activated.

Windows CE Handheld Devices (USB) Windows CE Handheld Devices • The client setup has been modified to control even more of the options shown in the Windows Add

or Remove Programs dialog. • Local administrators cannot uninstall, repair, or update the client component if not explicitly

authorized to do so. To do this endpoint maintenance, they require an assigned ticket by the hour or for a period.

• The client and server components setups are now common to all our products. • Sanctuary Application Control Suite and Sanctuary Device Control logs were previously collected

and stored in separate files. They now form a unified, unique log. The consoles Log Explorer module has been redesign to include even more flexibility and powerful query options.

• Our Sanctuary client includes even more languages: English, German, French, Spanish, Italian, Portuguese, Swedish, Dutch, Russian, Japanese, simplified Chinese, and traditional Chinese.

• Permissions/authorization lists sent to clients are now differential instead of the previous, full, update schema.

• Sanctuary Management Console has been completely redesigned and now is common to all our products. The options shown depend of the purchased licenses.

• Sanctuary client now parses all shadow (for Sanctuary Device Control) and log information before compressing and sending it to the server, which, in turn, saves it in a compressed format. The data file directory (DFD) where this information is saved, can now reside in several application servers it was limited to one shared directory in previous versions. This makes the whole process quicker and more efficient (see next paragraph).

• The previous limitation of all servers using the same, single, shared, Data File Directory (DFD) has been removed. Now it is possible for each server to use its own, distinct, one. This improves performance in multi-server installations as each server can be configured to store its data files in a location that is physically closer, or reachable through a high-speed network connection. It also helps spread disk load, as each directory only contains part of the files.

• A new data directory, called Audit File Directory (AFD), has been added to Sanctuarys structure to spread even more disk load. This new directory contains some of the files previously included in the Data File Directory configuration. It holds, among others, history and audit files.

• Reports are now displayed in a new window contained in Sanctuary Management Console instead of using an external HTML viewer. You can save them as CSV files and open them using a third party tool.

• Administrators using the management console now have a precise license (or evaluation file) days remaining count down.

• Support of Novell ZENworks eDirectory identity cache when eDirectory is not present/available (DLU) when users boot their computers (e.g. remote laptops). See Novells Web site for more information and instructions on how to activate this mode.

• MSDE 2000 has been replaced with Microsoft SQL Server 2005 Express Edition in the default Sanctuary product installation CD.

• Machine and program options have changed (new, renamed or NO LONGER SUPPORTED) so they are more descriptive and reflect better the program philosophy:

New name (version 4.x and later) Old name (version 3.x or previous) Applies to

Certificate Generation Certificate Generation SDC

Client Hardening Client Hardening SAC; SDC

48


Device Log Centralized Device Control Log SDC

Device Log Throttling Suppress Recurring Log Events SDC

Encrypted Media Password Encrypted Media Export Password SDC

Execution Blocking Blocking Mode SAC

Execution Eventlog Eventlog Mode SAC

Execution Log Log Mode SAC

Execution Notification Notification Mode SAC

Local Authorization Local Authorization SAC

Log Upload Delay Log Upload Delay SAC; SDC**

Log Upload Interval Log Upload Interval SAC; SDC**

Log Upload Threshold Max Log Lines Before Log Upload SAC; SDC**

Log Upload Time Log Upload Time SAC; SDC**

Macro and Script Protection Macro and Script Protection SAC

Relaxed Logon Relaxed Logon SAC

Relaxed Logon Time Relaxed Logon Time SAC

Sanctuary Status Device Control Status Window SAC**; SDC

Server Address Sanctuary Application Server Address SAC

Shadow Directory Shadow Directory SDC

Update Notification User Notification .

USB Keylogger USB Keylogger SDC

* Notification Text SAC

* Server Connect Timeout SAC

* Server Connect Failure Lockout SAC

* Shadow File Upload Delay SDC

* Sanctuary Application Server Address SDC

* Encrypted Media Key Export SDC

* NO LONGER SUPPORTED ** new SAC=Sanctuary Application Control Suite SDC= Sanctuary Device Control

49


NEW IN VERSION 3.2.1 [17-jun-2006] NO LONGER SUPPORTED

• The Sanctuary Application Server setup was displaying an "Could not get the database ID of Administrators (error 9)" error when updating from previous versions of our product in those cases where several "administrator" user accounts were wrongly listed with different security identifiers (SID) number in Windows' user database table.

• SXS setup does not import the SFD in the DB even though import SFD options are checked. • Windows XP Embedded machines displayed a "Low on virtual memory" error at startup after the

installation of the Sanctuary client. • Support information in Add/Remove Programs listing corrected

NEW IN VERSION 3.2.0 [29-apr-2006] NO LONGER SUPPORTED

• The new Sanctuary Client unifies formerly disjoint Application and Device Control clients. The availability of Application or Device Control is governed by the license file deployed at the server.

• The transfer of the Application Control policies has been greatly improved. The improvements dramatically reduce network traffic in most cases, and generally utilize slow links more efficiently.

• Serverless installations, initially supported only for Device Control, are now supported generally. Multiple setup options are available through the Sanctuary Deploy tool.

• Novells eDirectory integration, initially available only for Device Control, is now available generally. eDirectory accounts and organizational units can be synchronized with the Sanctuary Database (special procedure required), and then can be used in Application and Device Control policies interchangeably (certain restrictions apply) with Windows and Active Directory accounts.

• Novells NetWare shares are fully supported in Application Control path rules and execution logs. • The new Sanctuary Client no longer uses TCP Port 33114 to communicate with the Sanctuary

Application Server. • The Sanctuary Deploy tool now supports drag and drop to add machines to the deployment list from

the external Microsoft Windows Network (from the My Network Places icon) selection dialog. • The Sanctuary Server can be configured not to support older Sanctuary Clients. This reduces the

attack surface of the Server and is recommended as an extra security pre-caution.

NEW IN VERSION 3.1.2 [16-mar-2006] NO LONGER SUPPORTED

• RTnotify could not always show the correct removable device names after upgrading from an older version of Device Control.

• Fixed a blocking issue when some types of USB memory sticks were plugged in, which were previously never used on the machine.

50


NEW IN VERSION 3.1.1 [03-feb-2006] NO LONGER SUPPORTED

• Certain parallel port printers could not be managed. • User permissions report was wrongly reporting permissions assigned via an Active Directory group

even when some users did not belong to any such group. • Some old USB modems with proprietary drivers required LocalSystem permissions to work properly. • Some machine specific options were not correctly overriding global options. • The user might be unnecessarily prompted for credentials when working in a signed/encrypted email

environment. • Device status might display incorrect user permissions in Novell environments. • eDirectory account aliases were synchronized in addition to eDirectory accounts. • The eDirectory synchronization script was incompatible with certain machine naming schemes in

ZenWorks. • The eDirectory synchronization script was incompatible with SQL Server 2005. • Sanctuary Volume Browser required administrative privileges. • Read-only permissions on DVD/CD devices were blocking certain read-only operations. • There was an incompatibility with Pinnacle 9.3 Studio Plus. • The client did not upload the analysis files for the DVD/CD images shadowed in the file-name-only

mode. • Full-volume encryption could fail on large volumes. • The client driver could leak paged pool memory that sometimes could cause the client computer to

fail. • High performance file servers might exhibit degradation in I/O throughput. • Shadow reports could display negative shadow sizes. • Shadowing on high performance file servers might misbehave.

NEW IN VERSION 3.1.0 [13-dec-2005] NO LONGER SUPPORTED

• Novell support with the Novell Edition of SDC 3.1 only (Novell version 6.5 or above; version 5.x requires confirmation). Using our synchronization tool, it is now possible to synchronize with the Novell eDirectory structure and set permissions for Novell objects.

• Shadowing is now supported for all CD/DVD recording types superseding previous format limitations.

• The communication service now filters all policies and rules to match those of the computer/user it is working with resulting in less traffic with the Sanctuary Application Server. The client now uses a compression algorithm that forms part of the communication protocol.

• Using our Easy Exchange encryption mode, authorized users can now access encrypted removable devices outside the company without the need to install any kind of software whatsoever, and without administrative privileges.

• You can now define 'root-level permissions' using the Device Explorer module. These permissions are not attached to a particular device class or type, but to the root of the Device Explorer tree and apply to all devices that a user(s)/group(s) use. You can simulate a "non-blocking mode" for all devices by giving a root level Read/Write permission to a particular user or group. Using this 'non- blocking' mode you can create a log without denying access to devices and supervise their use, facilitating the deployment on environments where the device population is unknown.

51


• A new 'Event Notification' rule has been added to inform the user with specific messages when

access is denied. This message can be defined in the language of your choice for each device class, device group, or even at the root level. Using this feature, the administrator can specify custom messages informing, for example, a helpdesk phone number or a note that depends on the device that caused the access deny event.

• Shadow rules can now be applied to Device/Device Group(s). You can, for example, decide not to 'Shadow' secondary HDD by placing them in a Device Group while 'Shadowing' any other removable drives.

• You can now block the USB version of the hardware Keylogger. This device captures all data typed at the keyboard (USB type), including passwords and other sensitive data. Be aware that there is also a software version of the Keylogger that can be banned using Sanctuary Custom Edition.

• The Sanctuary Clients can now be deployed without specifying a server address(s) that can immediately be validated: the server at the provided address (addresses) is contacted during the actual setup to make sure the client can communicate with it. If this communication is not achieved, the installation can still continue using exported permissions provided as input parameters for the setup or, if they are not provided, a client with the most restrictive permission mode can be installed.

• You can now quickly add a previously unknown device using the context menu for each 'device- attached' message reported in the 'Log Explorer' module (centralized logging must be enabled). This provides an elegant solution for device discovery when associated with a root-level Read/Write permission to the 'Everybody' group in 'non-blocking' mode (see previous paragraphs). This is a quick alternative to the 'Manage Devices' dialog.

• The client driver now displays messages in Spanish besides being already localized in French and German.

• The exported settings are no longer computer specific and can be imported at any machine using the Device Control client. Exported settings can also be imported when installing offline clients.

• Corrections were done to the clients silent deployment mode installation. It was causing some problems in machines where there was a USB removable key already plugged-in.

• Fixed an issue with client deployment through Group Policy Object. • Fixed an issue with authorizing multisession CDs.

NEW IN VERSION 3.0.5 (backpropagated service release) [mar-2006] NO LONGER SUPPORTED

• RTnotify could not always show the correct removable device names after upgrading from an older version of Device Control.

• Fixed a blocking issue when some types of USB memory sticks were plugged in, which were previously never used on the machine.

NEW IN VERSION 3.0.4 (backpropagated service release) [jan-2006] NO LONGER SUPPORTED

• Certain parallel port printers could not be managed. • High performance file servers might exhibit degradation in I/O throughput.

52


NEW IN VERSION 3.0.3 [nov-2005] NO LONGER SUPPORTED

• Fixed a problem when upgrading to the latest version of our client in a machine with older versions of Safeguard installed. This only manifested itself when some specific types of USB memory stick were already plugged in the machine.

• Some older versions of pcAnywhere (10 and below) caused the video drivers of a Sanctuary client to fail. There are no problems with the latest versions of this software and our client.

• Fixed device classification error on machines with multiple identical hard drives installed. • Fixed boot device identification problem at start-up on slow machines (Pentium III 700 MHz and

lower). • Some servers with specific configurations were reporting false redundant event messages (Events

with ID 55) that populated the Windows event log unnecessarily. • Error Events with ID 39 logged. SXS did not set the reply size correctly. • PS/2 keyboards were blocked during remote assistance.

NEW IN VERSION 3.0.2 [sep-2005] NO LONGER SUPPORTED

• Some client computers had problems when working with Roxio's Easy CD Creator and burning a DVD/CD that could lead to an incompatibility.

• Windows XP CD burning facility was not working correctly. It was previously necessary to assign Read/Write permission to the 'Local System' account to the 'DVD/CD Drives' class - a non acceptable condition in some corporations. This problem does not affect the burning of these media using the latest versions of Ahead's Nero Burning ROM or Roxio Easy CD Creator. This same problem happened for modems, scanners, smart card readers, printers (USB or LPT), and unknown devices classes: the 'Sanctuary Device Control' will deny all proxy access in Windows XP when having an interactive and a remote user unless the correct permissions were set.

• It was not possible to create a device group under the Modem/Secondary Network Access Devices class.

• The Intel 2200 WiFi chipset, a very popular standard in laptops, was not previously supported and could lead to an incompatibility.

• Certain devices connecting through the serial port (COM) - for example, Palm devices - were causing an incompatibility on the client PC.

• When exceeding the quota assigned to a device via a 'Copy Limit' rule and if the 'Centralized Device Control Logging' option was activated, the resulting information was not correctly formatted and, thus, not displaying acceptably in the 'Log Explorer' window.

• The 'Certificate Generation' option (found in the 'Default Options' dialog) was not working correctly with the default value assigned (Not Configured). The program only automatically generated the certificate if the option was enable. The user cannot use an encrypted device if he has no valid certificate.

• Minor errors were reported when working with previous versions of the client. • Pinnacle's 'Instant CD Copier" software violates the Windows Driver Model and is incompatible with

Sanctuary solutions; systems running this Pinnacle program may be at risk.

53


NEW IN VERSION 3.0.1 [aug-2005] NO LONGER SUPPORTED

• Fixed: Previously, if you created a Computer Group in the Device Explorer module and re- synchronize domains, the computer group was erased along with its permissions.

• There is a new right-click menu item called Show All Members for Computer Groups. It will show all 'invisible' computers belonging to a 'Computer Group' (in the 'Microsoft Windows Network' section of the 'Device Explorer'). When you insert a computer in a group and you do not assign it permissions, it is not shown to avoid cluttering the entry with unnecessary information. You can display those computers again to change permissions or copy them to other 'Computer Groups' using this command.

• New: A full copy of the media is now stored and parsed locally when you choose to shadow files. This avoids big amounts of data transfer between the clients and the server. When you select to shadow only files names, just the copied file name list is sent to the server and not their full content.

• Some minor cosmetic fixes.

NEW IN VERSION 3.0.0 [jul-2005] NO LONGER SUPPORTED

Corrected Problems • Fixed: Previously, if you did not synchronize your domain on a regular basis, client computers used

to receive a temporary ID along with their permissions. When a computer was disconnected from the network, its permissions were not valid anymore and the user could not access them. The client software has been improved to detect such situations and request the permission updates from Sanctuary Application Server (SXS).

• Fixed: SXS prevents queries on an unreasonable amount of shadowing data to keep available physical resources.

• Fixed: Shadowing reports now inform correctly terabytes totals. • Fixed: Incompatibility with several burning software applications (Ahead's Nero, Roxio).

Important Notes • WINDOWS NT4 is no longer supported in this version. • The device access logging to the local Event Viewer is no longer available. It has been superseded

by the 'Central Logging' option. • The 'Copy Limit' now also applies to Administrators. If you do not want to limit data copied to a

device by the administrators, then modify the default copy limit rule defined in the 'Device Explorer' module.

• We now distribute MSDE SP4 along with the product. • You should setup an automatic synchronization with the domain (sxdomain.exe). Please refer to the

Setup Guide for more details.

54


New Features • Enhanced search and filter capabilities added to the previously called 'Administrator Audit' (now 'Log

Explorer'). • Offline updates: Now you can send update to computers not connected to the network using a file. • It is now possible to define online/offline permissions. This makes it possible for users the access

certain devices when they are online and apply a different device policy when they are offline. Online: The client can communicate directly with the server. Offline: The client cannot communicate directly with the server.

• Temporary and Scheduled permissions now apply in the pre-defined LOCAL client time. If you define permissions from 08h00 to 17h00, they will always apply between 08h00 and 17h00 local client computer time, whatever the time zone.

• Future temporary permissions can now be defined: For example, an Administrator can assign access to a user's floppy disk drive from September 1st to September 15th because he will attend a trade show.

• The 'Device Explorer' module now supports Drag & Drop and Cut and Paste operations. • You can now have simultaneous Per-Device/Class/Computer Group/Device Group permissions.

You do not need to switch anymore from one mode to another. You can now define permissions for a class and device model at the same time! Using this feature you can set, for example, access to all types of removable devices for Administrators but limit certain user to his MP3 reader (classified also as a removable device).

• The Classes in the 'Device Explorer' module have been renamed and new icons used to conform to the Windows XP standard class-naming scheme.

noeldw name

CDDVD/ / DCVDD- RDOrivMes

Floppy Disk Drives

Removable Storage Devices

COM/ Serial Ports

55


LPT/ Parallel Ports

TapPeE Drives

Modem/ Secondary Network Access Devices

Smart Card Readers

Windows CE DHeavnidcheesld (DUeSvBic)es (USB)

Palm OHaSndheld HDaenvidcheesld D(UeSvBic)es (USB)

SImcagninnegr Devices

User Defined Devices

UPrSinBters P(UriSnBte)r

56


BRlIaMckBerry (BUlaScBk)Berry Handhelds (USB)

Unauthorized Encrypted Media

PBrlueevtioosthly aRnadio oDpetvioicnes

PWriereviloeussly NseICt s during setup

IPnrferavrioeudsly aPnorts o(IprDtioAn)

PSe/v2iously aPnorts option

PBrioemvioeutrsicly Dhaenvdicles in other classes

• Shadowing and Copy Limit, previously know as options, have now become rules and are set directly from the 'Device Explorer' module. Rules can be set on a per-user-basis. This now allows you to define shadowing per user/group. Rules cannot be overwritten and can only be defined at the class- level. The same applies to PS/2 port blocking, Bluetooth and Wireless.

• If you are upgrading from a previous version of Sanctuary Device Control, it may be useful for you to know about options changes. The following table summarizes them:

new

57


funcvti2o.n8ality

opitnion v3.0

NFlowppy sahadow mruolede in the Device Explorer

CNDow/ Da VD sruhlaedow minode the Device Explorer

PNSow/2 paort rule in the Device Explorer

RNeomw ovable aStorage Druelevices sinhadow mthoede Device Explorer

CNOowM sahadow mruolede in the Device Explorer

NLPoTw

58


sahadow mruolede in the Device Explorer

MNowdem sahadow mruolede in the Device Explorer

NInofrwared (aIrDA) pruolret in the Device Explorer

BNlouwetooth paort rule in the Device Explorer

SRheonwamed toay iDcoenvice Control Status Window. Allows more definitions

UStsilel r naontification option

59


DRepilcaeced cboyntrol lCoegntralized mDeovdiece Control Logging

DNaoiwly caopy lriumleit in the Device Explorer

STitmille asynnchronization ionptetirovnal

Stilal dowed failne uoptoioand delay or time

Stilal dow dainrectory option

Stilnl ctuary anplication soeprtvioenr address

ESntilcl rypted manedia koepytion export

ESntilcl rypted manedia option

60


export password

TSheecyondary haarerd ndoriwves treated like Removable Storage Device

CSteilrltificate gaenneration option

CSteilnl tralized daenvice coopntitornol logging

Stuilpl press arencurring loopgtion events

• You can now change the device name and edit device rules comments in the 'Device Explorer' module. Comments can be added to devices, device groups, media, computers and computer groups.

• You can now set shadowing and copy limit per user. Previously this was only possible per machine. The 'Shadow Files Explorer' has been renamed to 'Log Explorer'.

• A new column has been added to allow you quickly find the shadow entries with attached data (using a clip symbol). The size of file copied is now available even if you only choose the 'File Name' option.

• New: Every time there is a change to the network connections, the client tries to upload any available shadow files and download new permissions rules.

• New: When you choose to shadow only the file names, a full copy of the media is now stored and parsed locally, avoiding big amounts of data transfer between the clients and the server. When you select to shadow only the files names, just the list of files copied to the media is sent to the server and not their full content.

• The client notification window is now resizable. You can choose to show or hide whether or not shadowing is enabled. It now shows the copy limit status and the user/computer name as an aid when calling the internal helpdesk requesting modifications to the permissions. You may restrict the list of shown devices to only those allowed to the logged user.

• The 'User To Media' and 'Media Explorer' modules have now been merged in the 'Media Authorizer' module. You can now add CDs/DVDs and assign them to users in the same module. This module is much faster and easier to use, and it supports a large number of permissions.

61


• User Access: If an administrator has no access to a piece of functionality in the software, the

corresponding module in the Management Console will be hidden. If, for example, an administrator has no access to Shadowing, then he will not see the 'Log Explorer' module.

• More options and fine-tuning have been added to the administrator capabilities. In addition to the traditional roles, you can now refine administrator roles for: managing devices, managing time based permissions, managing media permissions, reviewing shadowing information without viewing shadow files content. Simple Administrators can now always see all permissions defined at the default settings level. Administrators can also create permissions on the machine they manage for every user including the well-known accounts.

• The previously three client drivers have been merged into a unique component called Sanctuary Device Protection Module (SDPM). This driver provides a more flexible platform for recognition devices. Communication routines are now handled in a user-mode component called Sanctuary Control Client (SCC) that allows more flexibility when conveying information to the application server and dividing the communication and protection modules.

• Deploy: Allows UNC-paths for the Deploy-Packages. It also shows the amount of computers/ selection in the computers screen.

• The console now allows you to send updates to individual machines or a selection of machines. The Send updates to all function can now be performed in a synchronous (when clicking on the 'Yes' button) or asynchronous way (if clicking on the 'No' button), allowing you to continue working in the console while the updates are sent to your clients.

NEW IN VERSION 2.8.7c (backpropagated service release) [nov-2005] NO LONGER SUPPORTED EXCEPT FOR NT4 INSTALLS

• Fixed an incompatibility during client install on a hard disk encrypted with Safeguard Easy 4.10. • Per-device permissions change forbidden if an SMC user is not Enterprise Admin. • Xircom PCMCIA ISDN Modem was always blocked. • Error Events with ID 39 logged. SXS did not set the reply size correctly. • PS/2 keyboards were blocked during remote assistance.

NEW IN VERSION 2.8.7 [apr-2005] NO LONGER SUPPORTED

• Added support for AVM BlueFritz Bluetooth stack. • Added support for the ActiveKey smart card readers. • Improved handling of LDAP timeouts with the SXS application server. • Fixed client logon thread instability, which caused excessive CPU usage in certain hardware

environments.

62


NEW IN VERSION 2.8.5/2.8.6 [jan-2005] NO LONGER SUPPORTED

• On Windows XP SP2 some local printers connected to the LPT port were blocked while the correct access permissions were configured.

• Fixed an incompatibility in the client drivers on machines running Windows XP SP2 with the latest hot fixes. This problem is hardware related and does not appear on every configuration, more specific to Pentium IV multithreading support in the Windows XP kernel.

• Fixed the Open With behavior in Shadow Files Explorer. • Added support for Identix Biometric Fingerprint Readers. • Added a "PS/2 Port" option. When this option is enabled, the PS/2 mouse and keyboard are

blocked. • The deployment tool can now query/install/uninstall on a selection of the computers list. • When querying a computer, the deployment tool now reports the computer operating system version

and service pack level. • Added additional logging information in the Sanctuary Application Server log during domain

synchronization. See "VerboseSyncLogging" in HKLM\system\CurrentControlSet\services\sxs \parameters.

• Fixed setup issue with SQL Server 7.0 and multiple instances.

NEW IN VERSION 2.8.4 [dec-2004] NO LONGER SUPPORTED

• Fixed a memory leak in the client driver when the Centralized Device Control Logging option is enabled and the Suppress recurring log event option is used.


• Authorization of multisession CDs is now fully supported. • Large lists of authorized media (CD and encrypted media) are handled correctly. • Client restart is no longer required when new devices are defined. • Enhanced multi-user support (Terminal Server, Remote Desktop, RunAs, scheduled tasks). • Users may now be allowed to access unauthorized media (if they possess a valid encryption key)

through the 'Unauthorized Encrypted Media' device class. • Encrypted media are fully supported in the per-device permission mode. • Explicit access-denied entries in the 'Removable' (or per-device) class disallow access to encrypted

media (as with CD/DVD permissions and authorized media). • Encrypted media authorized by a third party may now be imported centrally (from the Sanctuary

Device Console); if the encryption key has been exported to a file, the medium need not be physically present.

• Encrypted media may now be exported centrally (from the Sanctuary Device Console); if the encryption key is exported to a file, the medium need not be physically present.

• The 'Removable' class now has another shadow level, which applies to encrypted media. The content of encrypted media will be shadowed only when this shadow level is selected.

63


• WLD logs are no longer erased from client machines. This enables the administrator to re-visit

managed device settings without requiring the user to re-attach the device. A timestamp that is shown in the managed devices console facilitates the process.

• Secondary hard drives may now be treated as removable media. This applies to both hot-swappable hard drives and internal hard drives.

• Per-device permissions may now be specified for scanners. Use the normal procedure to manage scanner models.

• Device Explorer supports multi-selection of devices and permissions to simplify administration tasks. • Global devices permissions have two priority classes, which is useful for exceptions in device

permissions. • All Device Control events may now be logged centrally. The logs are available through the Shadow

File Explorer. • A user may request an update through the status icon. This is useful if the user connects through

a dial-up connection or VPN, in which case the Device Control client may fail communicate with the server.

• Automatic certificate generation can be disabled. This option should only be used if you experience problems caused by automatic certificate generation. If automatic certificate generation is disabled, encrypted media may become inaccessible.

• The ITrans application has been replaced with Deploy. Deploy is a GUI application fully supporting the ITrans functionality. The main feature of Deploy is the support of push-installations and upgrades, as well as querying of client status.

• A script has been created to enable tighter integration with AD delegation. The script creates a special 'Manage Sanctuary Settings' permission that can be specified on organizational units, users, groups and computers.

NEW IN VERSION 2.8.2 [sep-2004] NO LONGER SUPPORTED

• Improved event logging for read-only devices • Fixed incompatibility between Device Control Client and Remote Desktop on Windows XP SP1

(rdpr.sys) • Fixed an issue in the Server-side handling of the shadow file upload • Fixed incompatibility between the Sanctuary Application Server version 2.8 and the SecureNT

Clients version 2.6.1

NEW IN VERSION 2.8.1 [aug-2004] NO LONGER SUPPORTED

• Fixed Aladdin eToken issue

NEW IN VERSION 2.8.0 [jun-2004] NO LONGER SUPPORTED

• Blocking of Wireless LAN as a client setup option: When installing the Sanctuary Device Control client, you have the option to configure the client drivers to block Wireless LAN adaptors. When

64


this setup option is activated, users cannot install or use wireless cards. This setting applies only to Wireless cards for which Windows does not require manufacturer-specific drivers or administrative privileges for installation.

• Removable Media Authorization (Media encryption): Sanctuary Device Control allows you to manage removable media (DiskOnKey disks, zip, memory sticks) per-instance by means of encryption. The encrypted media can be assigned to specific users, allowing them to exchange confidential data using removable media.

• USB printers support: Sanctuary Device Control allows you to control the access to USB printers connected to client computers.

• Bluetooth: Bluetooth offers an extremely easy way to connect peripherals to a PC, completely bypassing any access restrictions in place for a regular corporate network. Sanctuary Device Control now allows the disabling of Bluetooth through a simple option.

• Shadowing report: The first report presents you the list of users copying data to devices grouped by devices. The second report allows you to know, for all users, the total amount of data copied to the different devices.

• Administrators' roles: The User Access module has been extended to allow more granularity on the control of the access to the different components of the Sanctuary Device Console. For example, the access to the shadowing information can be restricted to the company auditors.

NEW IN VERSION 2.7.6 (backpropagated service release) [jul-2004] NO LONGER SUPPORTED

• Improved handling of timed out network IO (slow logons, exhaustion of non-paged pool).

NEW IN VERSION 2.7.5 [may-2004] NO LONGER SUPPORTED

• Fixed Server stability problems when CD/DVD image shadows are uploaded.

NEW IN VERSION 2.7.4 [apr-2004] NO LONGER SUPPORTED

• Improved Server stability and memory handling on multi-cpu machines. • Improved handling of the client timeouts to avoid negative impact on the logon times in heavily

loaded environments. • Solved the following problem: SecureNT driver was using a growing number of handles each time

the user was locking / unlocking his station. This problem was only happening when the machine could not connect to the Sanctuary Application Server.

• Solved some connectivity problems when a Palm Vx is synchronized using the COM interface. The fix also solves connectivity problems when some models of Nokia and Sony Ericsson mobile phones are used as modems connected through a serial interface.

• Fixed incompatibility with the cheque scanner driver SEACUSB.SYS when the device is connected through a USB 2.0 interface.

• Improved handling of USB External Hard Disks under Windows XP.

65


• Improved the "shadow file names only" mode. Some valid blocks were erroneously seen as unused

blocks containing data and were reported in the log files.


• External USB ISDN modems with built-in drivers can now be blocked: Windows XP has a built- in support for several USB ISDN modems. When a user plugs such a device in the computer, Windows recognizes it as a network adapter. As network adapters are not blocked by SecureNT, the user could use this modem. If you want to block unconditionally this type of modem on a machine protected by SecureNT, apply the registry file BlockISDN.reg from the BIN\SND folder.

• Support for more fingerprint readers: The Bloomberg and Biolink fingerprint readers are now supported.

• Fixed incompatibility with some modem adapters under NT4 SP6a • Fixed incompatibility with NAI when the shadow upload time was set to 0 • Added Setup autorun functionality

NEW IN VERSION 2.7.2 [oct-2003] NO LONGER SUPPORTED

• Under Windows 2003 if you unplug & plug back again the smart card reader, you could not access it anymore

• Compaq IPAQ H5500 did not take new permissions • Windows XP: problem with the SecureNT client drivers when the server was not available • Windows NT4: No upload of shadow files when an exact time was specified • CD-ROM drives appeared locked despite permissions • Windows 2003: No shadowing for COM port and LPT was possible • Shadow driver, fix for multi-CPU machine equipped with multi File Filter Drivers • PCMCIA Multi Media Adapter was seen as an "Unknown" device and permissions assigned to it did

not take effect • Solved problem concerning upgrade of server components fails when the user running the setup

has no right to make any RPC call to sxs • SND Setup is now compatible with Windows 2003 • Various corrections to the PDF documentation on the CD

NEW IN VERSION 2.7.1 [jul-2003] NO LONGER SUPPORTED

• Implementation of the boot message retry mechanism. This retry mechanism improves the reception of permissions, especially under Windows XP.

• Fix for some HP scanners being blocked. Some old models of HP scanners could not be accessed anymore even though permissions had been set correctly for the scanners class.

66


NEW IN VERSION 2.7.0 [jun-2003] NO LONGER SUPPORTED

User Defined Devices • The ability to manage devices beyond those supported by default. Any device that is not managed

out-of-the-box can now be added as a user defined device and have permissions applied the usual way. By default, SecureNT provides very strict security; devices unknown to it are disabled. However, the use of some devices such as PDAs may be allowed by adding them to the list of user defined devices.

Per-device permissions • Sometimes a built-in device type may be too general and it may be desirable to implement a finer

grained control down to the device model. For instance, rather than grant permissions to use any removable media you may want to restrict access to a specific, company-approved model. Together with user defined devices, SecureNT provides a unified model for an ad-hoc device management.

CD-ROM/DVD Shadowing • Shadowing has been extended to cover the following writable media formats: CD-R, CD-RW, DVD-

R, DVD+R, DVD-RW. Shadowing means that data written to these media are intercepted and made available for auditing. The recent spread of writable media and the Plug and Play capabilities of Windows XP make it extremely easy, for example, for any user to plug in a CDR unit and copy large amounts of potentially sensitive data. By default, SecureNT disables writing to such media, and when writing must be enabled you can optionally elect to shadow the data.

Path Rules • Application Execution Control now includes the ability to manage applications based on their

locations. Locations that are under the control of administrators, such as company network shares, are inherently safe. The administrator can take advantage of such locations by setting path rules rather than authorizing individual executable files. Path rules, when used in conjunction with hash rules, offer greater flexibility without compromising security.

Enhanced Infrared control • Infrared ports offer, through IrDA, an extremely easy way to connect peripherals or other computers

to a PC; it will even serve as a network • interface, completely bypassing any access restrictions in place for a regular corporate network.

SecureNT now allows disabling of infrared ports through a simple setting, restoring the certainty that network communications pass only through authorized and secured channels.

67


NEW IN VERSION 2.6.5 (backpropagated service release) [feb-2004] NO LONGER SUPPORTED

• Fixed incompatibility with the cheque scanner driver SEACUSB.SYS when the • device is connected through a USB 2.0 interface.

NEW IN VERSION 2.6.4 (backpropagated service release) [oct-2003] NO LONGER SUPPORTED

• Work-around for incompatibility caused by the Intel Ethernet Driver cancelling a network receive. • Fix for an incompatibility when logging on Windows 2003

NEW IN VERSION 2.6.3 [may-2003] NO LONGER SUPPORTED

• Boot and Logon messages are now fully asynchronous • Fixed incompatibility between SecureNT and Tiny Personal Firewall • Fixed a HP scanner problem

NEW IN VERSION 2.6.2 [mar-2003] NO LONGER SUPPORTED

• The Authorization Wizard can now handle InstallShield archives. • The server setup has been enhanced to support SQL Server named instances.

NEW IN VERSION 2.6.1 [feb-2003] NO LONGER SUPPORTED

• The server and client setup applications have been enhanced to automatically upgrade older versions of SecureNT.


• Workgroup support: SecureNT clients and the Sanctuary Application Server can now be installed on computers that are not members of a domain.

68


• Palm Support is now official and allows control over who has access to the PDA. V2.6 has been

tested, so far, with Palm v5x, m115 and m500 but is expected to work for all models. Support is limited to USB cradles since serial ones can be controlled via the COM port.

• The server setup has been considerably simplified and is now built using Windows Installer technology.

• Scanner support: the restriction in previous versions whereby scanners were blocked by the White List Driver has been removed in v2.6. Scanners can now be managed.

• A new option has been added to shadow only by file name instead of the entire file. Most options can now also be set on the fly (no reboot required).

• It is now possible to synchronize local users and groups from within the SMC by means of a context sensitive menu.

Ivanti Device and Application Control Version History Since v2€¦ · Ivanti Device and...

Documents

Transcript of Ivanti Device and Application Control Version History Since v2€¦ · Ivanti Device and...