Release Notes for Symantec Critical System Protection...

Release Notes for Symantec™Critical System ProtectionVersion 5.2.9 MP1

The software described in this book is furnished under a license agreement andmay be usedonly in accordance with the terms of the agreement.

Legal NoticeCopyright © 2012 Symantec Corporation. All rights reserved.

Symantec and the Symantec Logo are trademarks or registered trademarks of SymantecCorporation or its affiliates in theU.S. and other countries. Other namesmaybe trademarksof their respective owners.

This Symantec product may contain third party software for which Symantec is requiredto provide attribution to the third party (“Third Party Programs”). Some of the Third PartyPrograms are available under open source or free software licenses. The LicenseAgreementaccompanying the Software does not alter any rights or obligations you may have underthose open source or free software licenses. Please see theThird Party LegalNoticeAppendixto this Documentation or TPIP ReadMe File accompanying this Symantec product for moreinformation on the Third Party Programs.

The product described in this document is distributed under licenses restricting its use,copying, distribution, and decompilation/reverse engineering. No part of this documentmay be reproduced in any form by any means without prior written authorization ofSymantec Corporation and its licensors, if any.

THEDOCUMENTATIONISPROVIDED"ASIS"ANDALLEXPRESSORIMPLIEDCONDITIONS,REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OFMERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT,ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TOBELEGALLYINVALID.SYMANTECCORPORATIONSHALLNOTBELIABLEFORINCIDENTALOR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING,PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINEDIN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software andDocumentation are deemed to be commercial computer softwareas defined in FAR12.212 and subject to restricted rights as defined in FARSection 52.227-19"Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights inCommercial Computer Software or Commercial Computer Software Documentation", asapplicable, and any successor regulations. Any use, modification, reproduction release,performance, display or disclosure of the Licensed Software andDocumentation by theU.S.Government shall be solely in accordance with the terms of this Agreement.

Symantec Corporation350 Ellis StreetMountain View, CA 94043

http://www.symantec.com

Printed in the United States of America.

http://www.symantec.com

Technical SupportSymantec Technical Support maintains support centers globally. TechnicalSupport’s primary role is to respond to specific queries about product featuresand functionality. TheTechnical Support group also creates content for our onlineKnowledge Base. The Technical Support group works collaboratively with theother functional areas within Symantec to answer your questions in a timelyfashion. For example, theTechnical Support groupworkswithProductEngineeringand Symantec Security Response to provide alerting services and virus definitionupdates.

Symantec’s support offerings include the following:

■ A range of support options that give you the flexibility to select the rightamount of service for any size organization

■ Telephone and/or Web-based support that provides rapid response andup-to-the-minute information

■ Upgrade assurance that delivers software upgrades

■ Global support purchased on a regional business hours or 24 hours a day, 7days a week basis

■ Premium service offerings that include Account Management Services

For information about Symantec’s support offerings, you can visit our Web siteat the following URL:

www.symantec.com/business/support/

All support services will be delivered in accordance with your support agreementand the then-current enterprise technical support policy.

Contacting Technical SupportCustomers with a current support agreement may access Technical Supportinformation at the following URL:


Before contacting Technical Support, make sure you have satisfied the systemrequirements that are listed in your product documentation. Also, you should beat the computer onwhich theproblemoccurred, in case it is necessary to replicatethe problem.

When you contact Technical Support, please have the following informationavailable:

■ Product release level



■ Hardware information

■ Available memory, disk space, and NIC information

■ Operating system

■ Version and patch level

■ Network topology

■ Router, gateway, and IP address information

■ Problem description:

■ Error messages and log files

■ Troubleshooting that was performed before contacting Symantec

■ Recent software configuration changes and network changes

Licensing and registrationIf yourSymantecproduct requires registrationor a licensekey, access our technicalsupport Web page at the following URL:


Customer serviceCustomer service information is available at the following URL:


Customer Service is available to assist with non-technical questions, such as thefollowing types of issues:

■ Questions regarding product licensing or serialization

■ Product registration updates, such as address or name changes

■ General product information (features, language availability, local dealers)

■ Latest information about product updates and upgrades

■ Information about upgrade assurance and support contracts

■ Information about the Symantec Buying Programs

■ Advice about Symantec's technical support options

■ Nontechnical presales questions

■ Issues that are related to CD-ROMs, DVDs, or manuals



Support agreement resourcesIf youwant to contact Symantec regarding an existing support agreement, pleasecontact the support agreement administration team for your region as follows:

[email protected] and Japan

[email protected], Middle-East, and Africa

[email protected] America and Latin America

mailto:[email protected]



Symantec Critical SystemProtection Version 5.2.9MP1 Release Notes

This document includes the following topics:

■ About the Release Notes for Symantec Critical System Protection

■ About Symantec Critical System Protection

■ What's new in release 5.2.9 MP1

■ Resolved issues

■ Known issues

About theReleaseNotes for SymantecCritical SystemProtection

This document may be revised between releases, as new information becomesavailable. You can view the latest release notes and other information by clickingone of the following links:

■ Symantec Critical System Protection Documentation in English

■ Symantec Critical System Protection Documentation in Simplified Chinese

■ Symantec Critical System Protection Documentation in Traditional Chinese

■ Symantec Critical System Protection Documentation in Japanese

■ Symantec Critical System Protection Documentation in Korean

http://www.symantec.com/business/support/index?page=content&key=52463&channel=DOCUMENTATION

http://www.symantec.com/business/support/index?page=content&key=52463&channel=DOCUMENTATION&locale=zh_CN

http://www.symantec.com/business/support/index?page=content&key=52463&channel=DOCUMENTATION&locale=zh_TW

http://www.symantec.com/business/support/index?page=content&key=52463&channel=DOCUMENTATION&locale=ja_JP

http://www.symantec.com/business/support/index?page=content&key=52463&channel=DOCUMENTATION&locale=ko_KR

Review the Release Notes in their entirety before you install or deploy SymantecCritical SystemProtection, or call for technical support. This document describesknown issues and provides additional information that is not included in thestandard documentation or the online help.

About Symantec Critical System ProtectionWelcome to Symantec Critical System Protection, a flexible, multi-layer securitysolution for servers that detects abnormal system activities. Symantec CriticalSystem Protection prevents and blocks viruses and worms, hacking attacks, andzero-day vulnerability attacks. Symantec Critical SystemProtection also hardenssystems, enforcing behavior-based security policies on clients and servers.

Symantec Critical System Protection includes a management console and servercomponents, and agent components that enforce policies on computers. Themanagement server andmanagement console runonWindowsoperating systems.The agent runs on Windows and UNIX operating systems.

Among Symantec Critical System Protection's key features are:

■ Predefined application policies for commonMicrosoft interactive applications

■ Out-of-the-box policies that continuously lock down the operating system,high-risk applications, and databases to prevent unauthorized executablesfrom being introduced and run

■ Microsoft Windows, Sun Solaris, IBM AIX, and Linux platform support

Among Symantec Critical System Protection's key benefits are:

■ Provides proactive, host-based security against day-zero attacks

■ Offers protection against buffer overflow and memory-based attacks

■ Helps to maintain compliance with security policies by providing granularcontrol over programs and data

What's new in release 5.2.9 MP1

Additional platform supportThe Symantec Critical System Protection 5.2.9 MP1 release adds agent supportfor the following platforms:

Symantec Critical System Protection Version 5.2.9 MP1 Release NotesAbout Symantec Critical System Protection

8

Table 1-1

Support for IPSSupport for IDSPlatform

YesYesWindows Server 2012 64-bit

YesYesWindows EmbeddedStandard7 (32-bit and64-bit)

(Default ApplicationCompatibility Template)

YesYesRedHatEnterprise Linux5.9(32-bit and 64-bit)

Supported in SymantecCritical System Protection5.2.8 MP4

Now supported in SymantecCritical System Protection5.2.9 MP1

Supported in SymantecCritical System Protection5.2.8 MP4

Now supported in SymantecCritical System Protection5.2.9 MP1

SUSE Linux EnterpriseServer 11 SP2 (32-bit and64-bit)

New in 5.2.9 MP1Supported in previousreleases

IBM AIX 7.1 TL1

YesYesCentOS 6.0, 6.1, 6.2, 6.364-bit

SUSE Linux Enterprise Server 11 SP2 is supported in Symantec Critical SystemProtection 5.2.8 MP4 and not supported in Symantec Critical SystemProtection5.2.9. SUSE 11 SP2 is newly added in Symantec Critical SystemProtection 5.2.9 MP1 for the Symantec Critical System Protection 5.2.9 series.

Symantec Critical System Protection Manager and Symantec Critical SystemProtection Console are supported on Windows Server 2012.

Note: Symantec Critical System Protection Manager installation on WindowsServer 2012 using Evaluation Database is only supported with existing SQLinstance.

For more information on specific platforms and versions and the features theysupport, see Symantec Critical System Protection Platform and Feature Matrix.

Additional release informationSymantec Critical System Protection now uses Apache Tomcat v7.0.28 and Java7 Update 9.

9Symantec Critical System Protection Version 5.2.9 MP1 Release NotesWhat's new in release 5.2.9 MP1

Server TelemetrySymantec Critical System Protection 5.2.9 MP1 has been enhanced with theManagement Server Telemetry feature to optionally collect and send anonymousCustomerAgent deployment statistics to theSymantecBackendTelemetryServer.This periodic data collection and submission is seamless to the end user and doesnot require anyadministrative interaction.Aspart of the telemetrydata, SymantecCritical System Protection Server sends statistics such as agent counts, eventcounts, and Symantec Critical System Protection Server settings. The ServerTelemetry is an opt-in or opt-out feature for the Symantec Critical SystemProtection Management Server. By default, Server Telemetry is enabled withSymantec Critical System Protection Server fresh install and upgrade from aprevious version. When this feature is enabled, you can optionally enter theCustomer Name in the provided text box. The customer name that is entered inthis text box is submitted to Symantec as part of telemetry data submission.

To disable the Server Telemetry feature from the management console

1 Click Admin > Settings > System Settings.

2 In the Data Collection page, uncheck the checkbox to stop Telemetry datacollection and submission.

New memory protection featuresSymantec Critical System Protection provides new protection mechanisms thatare designed to prevent malware from manipulating memory within a process toexecute exploit code on Windows systems. These proactive memory defensescomplement the existing Buffer Overflow Detection feature and comprise threeindividual policy controls that when enabled protect against unusual memoryallocations, unusual memory permission changes, and the disabling of DataExecution Prevention fromwithin a running process. Formore information aboutplatform coverage, see the Symantec Critical System Protection Platform/FeatureMatrix.

The Symantec Critical SystemProtection 5.2.9MP1prevention policies have beenenhanced to include the three new memory protection settings. These settingsare now organized under a Memory Controls section, which also contains theexisting buffer overflow setting. By default, the Memory Control protectionfeatures are enabled for common system services in the Core, Strict, and LimitedExecution policies. You can enable and tune the new memory protections foradditional process sets and custom programs in the same manner as performedfor other Symantec Critical System Protection prevention features.

Symantec Critical System Protection Version 5.2.9 MP1 Release NotesWhat's new in release 5.2.9 MP1

10

Note: Memory Controls are used for controlling unusual memory manipulationactivities within a process while Process Access Controls are used to controlmemory access between processes. For more information about configuring theMemory Control settings, see the Symantec Critical System Protection PreventionPolicy Reference Guide.

To benefit from these newmemory protection features youmust have a SymantecCritical System Protection 5.2.9MP1Management Server, Management Console,Policies, and deploy to a Symantec Critical System Protection 5.2.9 MP1 agent.

Change prevention feature state by using SISIPSConfig utilityWith SISIPSConfig utility you can enable or disable prevention feature on theagent. The command line -ipsstate on option or the -ipsstate off option isprovided to achieveprevention feature state change.OnWindows, you can executethis utility as follows:

sisipsconfig.exe -ipsstate on

This command enables the IPS drivers.

On UNIX or Linux, you can execute this utility as follows:

su - sisips -c "./sisipsconfig.sh -ipsstate on"

Note: To complete the change in prevention state, you have to restart the agentsystem. On fresh install, you can also set the agent driver state to the desired endstate byusing installation command switches. Formore information, seeSymantecCritical System Protection Installation Guide.

The sisipsconfig option toggleipsstate (-i) is now deprecated.

Change Prevention feature state by using Agent_Diagnostic policyCSP_Agent_Diagnostic policy has been enhanced with two new diagnosticfunctions, EnablePrevention and DisablePrevention that enable you to changethe prevention state of a group of agents from a central location.When you applythe CSP_Agent_Diagnostic policy with Disable Prevention function, the agentdisables the state of the IPS drivers. When you apply this policy with EnablePrevention function, the agent enables the IPS drivers.

The functions invoke the SISIPSConfig utility at the Agent with the -ipsstateon/off switch to enable or disable the state of IPS drivers. Use of theCSP_Agent_Diagnostic policy to enable or disable prevention generates a


corresponding Agent Status event at the Symantec Critical System ProtectionConsole.

Following is an example of anAgent Status event at the Symantec Critical SystemProtection Console when you use the policy to disable prevention:

SOURCE

Host IP Address 127.0.0.1

Agent Version 5.2.9.541

OS Type Windows

OS Version Server 2008 R2

Agent Type CSP Native Agent

EVENT

Event Type Agent Status

Event Category Real Time - Management

Event Severity Information

Event Priority 12

Event Date 03-Oct-2012 21:02:06 EDT

Post Date 03-Oct-2012 21:02:57 EDT

Post Delay 00:00:51

Event Count 1

Event ID 107

DETAILS

Message Prevention feature disabled.

Will take effect at next boot.

Service AgentConfigTool

Disposition Success

Message ID 10319

Note:To complete this change in prevention state, youmust restart the individualagent systems. The policy performs the function immediately after it is appliedto the agent. After confirming that the policy performed the enabled function,you must clear the policy from the agent.

Symantec recommends that you change the policy before amaintenance windowwhere the servers can be restarted, so that the policy change does not take affectat a later time, or at an unscheduled restart when the policy change may beforgotten.


12

Ability to identify the SCSP Manager that sent an event in a centralizedevent tracking database with multiple SCSP Managers

In a centralized database environment, when more than one SCSP Managers areconnected to the same database, it is useful to identify the Management Serverto which an agent currently communicates with. It is also useful to identify thenumber of agents each Management Server hosts when you have more than oneManagement Server.

Symantec Critical System Protection 5.2.9 MP1 is enhanced to provide thesecapabilities by storing theManagementServernameagainst everyagent. SymantecCritical SystemProtection nowuses theManagerName field to store themanagername to which an agent communicates to. The field is populated at the time ofregistration. The field is updatedwhenever an agent starts communicating to thefail over server. The new implementation takes care of existing agents, andpopulates the manager name when the agents starts communicating with theupdated server.

Symantec Critical System Protection has a new bar graph agent-serverdistribution that helps you visualize the distribution of agents amongst differentManagement Server. The new graph can be located under Reports tab. The exactpath is Queries > Symantec > #VERSION# > agents.

Affected operating systems: Not Applicable

Affected Symantec Critical System Protection versions: Release 5.2.9 and earlier

Affected Symantec Critical System Protection policy: Not Applicable

Windows Agent Collect Info script gathers information on SymantecCritical System Protection Kernel memory allocations

SymantecCritical SystemProtection5.2.9MP1Windowsagent installs adiagnosticutility, which is CSPTags.exe in the %SCSPAGENTROOT%\IPS\tools\ location. Thetool displays data on the memory allocations by the Symantec Critical SystemProtection driver components from the systempaged andnonpaged kernel pools.To run this tool, execute CSPTags.exe from the command line.

TheAgent Collect Info script collects output from the CSPTags.exe tool. This toolrequires the Pool Tag mode to be enabled on the system. Pool Tag Mode ispermanently enabled on Windows Server 2003 and later versions. If you run thistool on a system with a disabled pool tag mode, you receive a message to enablethe Tag mode.


Note: For more information on how to use memory pool monitor, seehttp://support.microsoft.com/kb/177415

Tag Mode can be enabled in the following ways:

■ By updating the registry

■ By executing the Gflags.exe utilityYou can also use the Global Flags Editor (Gflags.exe) utility to enable pooltagging. Gflags.exe is available in the Windows NT 4.0 Resource Kit and inthe \Support\Tools folder of Windows 2000/XP/Server 2003 CD-ROMs.

Note: As pool tagging is permanently enabled in Windows Server 2003, theEnable Pool Tagging check box in the Global Flags dialog box is dimmed andcommands to enable or disable pool tagging fail.

To change the registry value that enables tag mode for CSPTags.exe

Note: You can back up the registry before you modify it so that you can restorethe registry if an issue occurs.

1 Open the registry editor by typing regedit.exe command from the commandline.

2 Locate the following key in the registry:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SessionManager

3 Note the value of GlobalFlag, or save the Session Manager key.

4 Double-click the GlobalFlag value in the right pane.

5 Change the value to 0x00000400 hexadecimal.

Note:Whenyou add the global flag value 0x00000400, it is displayed as 0x400after it is added. Ensure that you add all the leading zeros.

6 Restart the computer.

Note: After you complete using the CSPTags.exe either from the command lineor from the Agent Collect Info, modify the GlobalFlag value to the value that younote down in step 3.


14

http://support.microsoft.com/kb/177415

To make the change by using Gflags.exe

1 Click Start > Run.

2 Type gflags.exe, and then click OK.

3 Select Enable Pool Tagging.

4 Click Apply, and then click OK.

5 Restart the computer.

Note: After you complete using the CSPTags.exe either from the command lineor from the Agent Collect Info, repeat these steps to disable pool tagging.

Resolved issues

Console and Server Resolved issues

SymantecCritical SystemProtection alert failswith errorwhenEvent date range criteria is usedFix ID: 2842730

Whenever an alert is configured using Event date range filter, the alert is notgenerated at all and the following SQL Exception is reported in the alert-log file:

<< Error fetching events java.sql.SQLException:

Must declare the scalar variable @@dateadd >>

The issue has been addressed by updating the SQL queries.

Affected operating systems: Windows operating systems


Affected Symantec Critical System Protection policy: Not Applicable

Agent Resolved issues

After upgrade, IDS eventsmayno longer be logged to the SCSPManagerFix ID: 2809750

15Symantec Critical System Protection Version 5.2.9 MP1 Release NotesResolved issues

During upgrade, the existing log rules are merged into the new agent.ini file. Ifthe existing IDS log rules in the agent.ini file contain brackets "[" and "]" in therule text, the INI merge may not complete successfully and events may fail to beforwarded to the server properly. TheAgent Installer has beenupdated to properlyhandle the existence of brackets with log rule fields.

Affected operating systems: All UNIX based Operating systems (AIX, Solaris,Linux, and HP-UX)

Affected Symantec Critical System Protection Versions: All SCSP versions beforeSCSP 5.2.9 MP1

SISIDS daemon monitors incorrect sets of files resulting in ahigh memory usage or missing IDS Filewatch eventsFix ID: 2837976, 2941712

Symantec Critical SystemProtection agent causes the IDSdaemon (sisidsdaemon)tomonitor incorrect sets of files due to issues in theway the File Collector trackedfiles beingmonitored. Thewildcard patterns that consists of only an asterisk afterthe last path separator such as /usr/* were unaffected.

The issue only occurred for wildcard patterns meeting the following criteria:

■ The File Collector expanded the scope of the file pattern being watched.Therefore, potentially causing highmemory to be consumed as incorrect fileswere added to the set of those files beingmonitored. Sometimes, the additionalmemory structures tracking the extra fileswere alsonot cleared frommemoryeven when the detection policy was cleared. However, events against theincorrectly enlarged set of files were filtered correctly.Following are the conditions for high memory usage to occur:

Note: All the following conditions must exist.

■ A File Watch rule that contains a wildcard in a select string for a file namesuch as /var/www/*.html , where the wildcard and a portion of the filename are both present in the file watch select string

Note:Use of wildcard for the entire file name such as /var/www/* does notcause high memory usage.

■ After the IDS File Watch policy is applied, new files are frequently addedto a monitored folder such as /var/www/.

Symantec Critical System Protection Version 5.2.9 MP1 Release NotesResolved issues

16

■ The File Collector incompletely expanded the patterns being used. Therefore,ignoring some files that should have beenmonitored. This issue only occurredfor search depths greater than 1.Following are the conditions for missing IDS file watch events:

Note: All the following conditions must exist.

■ FileWatch rule that containswildcard in a select string for a file name suchas /var/www/*.html, where the wildcard and portion of file name both arepresent in the file watch select string

■ FileWatch rule has searchdepth (number of subdirectory levels tomonitor)greater than 1.

■ More than one subdirectory in any directory below the directory beingmonitored up to the search depth set.

Both issues have been resolved in Symantec Critical SystemProtection 5.2.9MP1.

Workarounds:

File Collector patterns that contain only a single asterisk after the last pathseparator are handled correctly in previous Symantec Critical System Protectionversions. More complex patterns with a search depth of 1 may be used in caseswhere the number of files in the monitored directory does not grow significantlyover time.

Affected Symantec Critical SystemProtection versions: Symantec Critical SystemProtection Release 5.2.9 and earlier

Affected Symantec Critical System Protection platforms: All UNIX and Linuxagents

Upgrading AIX 6.1 Technology Level from TL4 or prior to TL5or later may require re-installing Symantec Critical SystemProtectionFix ID: 2944967

Different versions of Symantec Critical System Protection driver for AIX 6.1 arerequired forTL4 andprior versions andTL5 and later versions. During installationon AIX 6.1 TL4 or prior, the appropriate IPS driver file is staged to the systemdriver directory /usr/lib/drivers directory. However, after upgrading the AIX6.1 Technology Level from TL4 or prior to TL5 or later, due to an issue with thedriver refresh logic in the 5.2.x installer, the correct version of the driver filemaynot be copied automatically. Therefore, resulting in the mismatch of the driver


file with the new TL. This may cause the following issues that affect thefunctionality of the product and overall system stability:

■ Unexpected system hangs

■ Running the getagentinfo.sh script for product support may cause the /tmpfilesystem to fill up.

■ Functionality of the IPS driver is not as expected (prevention policy noteffective and events does not occur properly).

■ Symptomshowsupby executing the su sisips c "./sisipsconfig.sh pset

command and getting a nearly empty or corrupt process list.

SYMPTOM:

To determine if you are impacted by this issue, execute the following commandas a root user:

su sisips c "./sisipsconfig.sh pset

If the output contains an empty or corrupt process list, you are impacted by thisissue.

WORKAROUND:

To recover, reinstall the Symantec Critical System Protection agent or manuallycopy the correct driver file by running the following command:

/etc/methods/sisipsctrl -m

Reboot the system.

The issue with the driver refresh logic has been resolved in Symantec CriticalSystemProtection 5.2.9MP1. In addition, the SymantecCritical SystemProtection5.2.9 MP1 installer does not let you install the agent on older unsupported TLs.For AIX 6.1 the unsupported TLs are TL3 and prior versions and for AIX 5.3 theunsupported TLs are TL8 and prior versions.

Affected operating systems: AIX 6.1 with IPS functionality enabled

Affected Symantec Critical System Protection Versions: All 5.2.x versions ofSymantec Critical System Protection before 5.2.9 MP1

On a busy system, CPU utilization increases 5-10% with thedefault installation without any detection policyFix ID: 2939809

Default installation of Symantec Critical System Protection increases CPUutilization on a system with active Windows Event logging. Installing Symantec


18

Critical System Protection on a system with high CPU usage such as greater than80% can overload the system. As a result, the system can become slower and lessresponsive.

SISIDS service may take up additional amount of CPU directly proportional tonumber of Windows Events per second being created or inserted on a system.

The relationship between Windows EPS and IDS service CPU usage depends onother factors. Following are some known factors on Windows 2008 and 2012:

■ Number of CPUs on the system

■ Amount of memory on the system

■ IDS policy customization

■ Total number of the Symantec Critical System Protection events that aresubmitted to IDS service for evaluation

This factor includes all sources such as Windows Event log, File monitoring, IPSevents, Registry events, Windows Event log, Audit events, and so on.

This issue has been resolved in 5.2.9 MP1.

Workaround:

If you do not use the IDS feature, turn off the Event Log collector through theConsole by using Agent configuration.

Affected operating systems: All versions of Windows 2008/7/2012

Affected Symantec Critical SystemProtection versions: Symantec Critical SystemProtection 5.2.4 – Symantec Critical System Protection 5.2.9

Affected Symantec Critical System Protection component: Windows Event Logcollector of IDS component

Allow enabling Prevention feature after upgrade on Detectiononly platformsFix ID: 2940696, 2908156, 2962795

In previous versions of the Symantec Critical System Protection agent, when youupgrade a platform that did not support the Prevention feature to a version ofthe agent that adds support for the Prevention feature, Symantec Critical SystemProtection completely disables and disallow re-enabling the prevention feature.The behavior has been corrected to allow the prevention feature to be re-enabled(allow IPS drivers to loaded) on a platform that was previously an IDS-onlyplatform.


Now during upgrade to a platform that adds support for the Prevention feature,the installer displays a message. The message indicates you to toggle the featurestate ON by running the following command:

su - sisips -c './sisipsconfig.sh -ipsstate on'

If you cannot toggle or enable IPS after an upgrade to a version where thePrevention feature is supported, you can uninstall, reinstall, or upgrade toSymantec Critical System Protection 5.2.9 MP1.

Affected operating systems: Red Hat Enterprise Linux 5.x/6.x and AIX 5.3 32-bit(upgrading to 64-bit)

Affected Symantec Critical System Protection versions:

■ Symantec Critical System Protection 5.2.8 GA with Red Hat Enterprise Linux6/6.1 64-bit

■ Symantec Critical SystemProtection 5.2.8MP2withRedHat Enterprise Linux5.7/6/6.1/6.2 64-bit

■ Symantec Critical SystemProtection 5.2.8MP3withRedHat Enterprise Linux6/6.1/6.2 64-bit

■ Symantec Critical System Protection 5.2.8 MP4 on Red Hat Enterprise Linux6/6.1/6.2/6.3 64-bit

■ Symantec Critical SystemProtection 5.2.8 and 5.2.9withAIX 5.3 32-bit kernelchanged to AIX 5.3 64-bit

Prevention Policy Resolved issues

IPS Registry Resource Rule will not match registry pathHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSetFix ID: 2982383

Symantec Critical System Protection 5.2.9 and previous versions do not matchthe registry paths that begin withHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet. CurrentControlSet is a linkto one of the ControlSets such as ControlSet001, ControlSet002, and so on.

For example, if you create a Read Only Registry Resource rule by addingHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XYZ\* to theGlobalRead Only Registry Resource list, you still cannot create a new registry key underHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XYZ\

This issue has now been resolved in Symantec Critical System Protection 5.2.9MP1 IPS policies.


20

Workaround:

The workaround is to use *ControlSet* in the Registry rule to get the desiredbehavior. In the given example, you can specify the path asHKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\XYZ\*.



Affected Symantec Critical SystemProtection policy: All Prevention Policies fromSymantec Critical System Protection 5.2.9 and earlier

SCSP Agent Event Viewer programwill not work if IPS CustomRouting is used to route all applications for a user to a custompsetFix ID: 2965330

If you create a Custom PSET rule to control all applications for a user by a singlecustom pset, then even if you configure the policy to allow users to launch theSymantec Critical System Protection Agent Event Viewer, the user cannot startthe Agent Event Viewer.

Symantec Critical System Protection Agent Event Viewer needs to be routed tothe scsptools_ps pset to function correctly. The Custom Program Template didnot have a rule to route the EventViewer program to scsptools_ps pset. As a result,if you create a custom program pset to route all programs to the custom pset andapply the policy and launch theAgent EventViewer, theAgent EventViewer staysin the custompset instead of being routed to scsptools_ps pset and does not start.

This Agent Event Viewer routing issue is now resolved in 5.2.9 MP1 IPS policies.




IPS Policy fails to apply when referencing certain generalservices level port and host component listsFix ID: 2916166

When configuring the Outbound host list, the Outbound tcp port list or theOutbound udp port list in the Windows prevention policies, if you select one ofthe following address or port components and apply the policy, a translation erroroccurs and the policy fails to apply.


general daemon tcp inbound port component

general daemon tcp outbound port component

general daemon udp inbound port component

general daemon udp outbound port component

general daemon inbound hosts component

general daemon outbound hosts component

These general services reference the undefined daemon lists instead of the servicelists. The error is generated as the parameter that the choice selects referencesa parameter list that does not exist.

The correct services list is now referenced for these components.

Workaround:

Manually type thenameof the services listwhere youwant to reference as follows:

Add %svc_connect_tcp_list% in a PSET specific port component list instead ofusing the choice general daemon tcp outbound port component. The user mustalso enable the general service TCP Outbound port option and add any item tothe list.

The following display names for port and address choiceswere incorrect andhavebeen replaced with their correct values:

group specific udp inbound port component

group specific udp outbound port component

group specific inbound hosts component

group specific outbound hosts component

Following are the correct names:

general service udp inbound port component

general service udp outbound port component

general service inbound hosts component

general service outbound hosts component





22

Detection Policy Resolved issues

Registry Watch does not detect any changes to\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSetFix ID: 2802250

IDS policies from Symantec Critical System Protection 5.2.9 and before does notmonitor any changes that are made in\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet. Therefore, if you create aregistry watch rule using the Windows Baseline Detection or Windows Templatepolicy to monitor changes in\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\*, anychanges to the registryin \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\* does not generate IDSevents.

This issue has now been resolved in Symantec Critical System Protection 5.2.9MP1 IDS policies.

Workaround:

A registry watch is created to monitor changes in\HKEY_LOCAL_MACHINE\System\*ControlSet*\ instead of\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\.



Affected Symantec Critical System Protection policy: All Detection Policies fromSCSP 5.2.9 and before

Known issues

Does not record CD/DVD burning activity eventSymantec Critical System Protection does not record CD/DVD burning activityevent.

Following is the policy option:

■ System External Device Activity->CD/DVD Burning Activity

Affected operating systems: Windows 7, Windows Server 2012

Affected Symantec Critical System Protection version: 5.2.9 and 5.2.9 MP1

23Symantec Critical System Protection Version 5.2.9 MP1 Release NotesKnown issues

Affected Symantec Critical SystemProtection policy:WindowsBaselineDetectionPolicy

Incorrect display of agent status in the console after agent installationID: 2989427

When you install new agents with Prevention (IPS) enabled, the console displayfor the agent should show an indicator (a small blue triangle) that the systemneeds to be restarted.

On Linux and UNIX systems, a misleading agent status is displayed when theunprotected shield icon is shown for an agent instead of the reboot-needed icon.

Workaround:

Ensure that agents are restarted after an installation or an upgrade.

Affected platforms: All Linux and UNIX agents

Affected Symantec Critical System Protection Versions: 5.2 RU9, 5.2 RU9 MP1

Adding symbolic links in the global or daemon no-access list may notprotect the referenced resource

ID: 2989449

Issue

When a global no-access rule protects a symbolic link, the directory or file towhich it points cannot be protected on subsequent applications of the policy.

Cause

By default, the agent's policy translator is bound by the global and daemonno-access rules. Therefore, it is impossible for it to follow a protected symboliclink to protect the directory to which the symbolic link points. This applies todirectories in the UNIX or Windows filesystems and to Registry keys in theWindows Registry.

Workaround

Add the variables for the global and daemon no-access lists to the appropriateRead-OnlyResourceList for the scspagent_pspset. This allows thepolicy translatorapplication to traverse protected symlinks when determining what to protect.

Symantec Critical System Protection Version 5.2.9 MP1 Release NotesKnown issues

24

Note: You need to apply the modified policy twice to ensure that the correctionis acted on by the agent. On the first application, access to the original set ofno-access resources may be blocked. A second application ensures that theworkaround is taken up by the agent in all cases. To apply the policy a secondtime, re-open it in the editor, toggle any checkbox on, then toggle it off again,re-save, and then reapply to the set of agents.

Steps for UNIX policy workaround

1 Open the policy editor for the current policy applied to a set of agents. Do thefollowing:

2 Click HOME > Policy Settings > Process Sets

■ > Daemon Options > Core OS Daemon Options

■ > Symantec Critical System Protection Agent Daemon [scspagent_ps]

■ Click Edit to expand.

■ > File Rules

■ > Read-only Resource Lists

■ > Block modification to these files

■ Enable the option.

■ Click Edit, and then click Add.

■ Add the following variable reference to the Resource Path field:%-global_nafiles_list%

■ Click OK.

■ Repeat the procedure for the rest of theUNIX files (_nafiles_) variablesin the following table.

Variables for Read-only Resource ListResource typePlatformpolicy

%-global_nafiles_list%

%-global_nafiles_logtrivial_list%

%-daemon_nafiles_list%

%-daemon_nafiles_logtrivial_list%

FilesUNIX

Affected Symantec Critical System Protection Versions: All versions

Affected platforms: UNIX and Linux

25Symantec Critical System Protection Version 5.2.9 MP1 Release NotesKnown issues

Symantec Critical System Protection 5.2.9 MP1 Beta version ofmanagement server cannot be upgraded to Symantec Critical SystemProtection 5.2.9 MP1 GA version

ID: 2951382

If you have installed the Symantec Critical System Protection 5.2.9 MP1 Betaversion of the management server and want to upgrade to Symantec CriticalSystemProtection 5.2.9MP1GAversion, youmust uninstall the Symantec CriticalSystemProtection 5.2.9MP1Betamanagement server andperforma clean installof the Symantec Critical System Protection 5.2.9 MP1 GA version.

Symantec Critical System Protection Version 5.2.9 MP1 Release NotesKnown issues

26

Release Notes for Symantec Critical System Protection...

Documents

Transcript of Release Notes for Symantec Critical System Protection...