Symantec Critical System Protection Version 5.2.9...

of 32/32
Symantec Critical System Protection Version 5.2.9 Release Notes
  • date post

    16-Apr-2018
  • Category

    Documents

  • view

    216
  • download

    2

Embed Size (px)

Transcript of Symantec Critical System Protection Version 5.2.9...

  • Symantec Critical SystemProtection Version 5.2.9Release Notes

  • Symantec Critical SystemProtection Version 5.2.9Release Notes

    This document includes the following topics:

    About Symantec Critical System Protection

    What's new in release 5.2.9

    Resolved issues

    Known issues

    What you need to know before you install or upgrade your software

    Legal Notice

    About Symantec Critical System ProtectionWelcome to Symantec Critical System Protection, a flexible, multi-layer securitysolution for servers that detects abnormal system activities. Symantec CriticalSystem Protection prevents and blocks viruses and worms, hacking attacks, andzero-day vulnerability attacks. Symantec Critical SystemProtection also hardenssystems, enforcing behavior-based security policies on clients and servers.

    Symantec Critical System Protection includes a management console and servercomponents, and agent components that enforce policies on computers. Themanagement server andmanagement console runonWindowsoperating systems.The agent runs on Windows and UNIX operating systems.

    Among Symantec Critical System Protection's key features are:

  • Predefined application policies for commonMicrosoft interactive applications

    Out-of-the-box policies that continuously lock down the operating system,high-risk applications, and databases to prevent unauthorized executablesfrom being introduced and run

    Microsoft Windows, Sun Solaris, IBM AIX, and Linux platform support

    Among Symantec Critical System Protection's key benefits are:

    Provides proactive, host-based security against day-zero attacks

    Offers protection against buffer overflow and memory-based attacks

    Helps to maintain compliance with security policies by providing granularcontrol over programs and data

    For the most current version of the Release Notes, click the following link:

    Critical System Protection Documentation

    What's new in release 5.2.9

    Additional platform supportThe 5.2.9 release adds support for the following platforms:

    Support for IPSSupport for IDSPlatform

    New in 5.2.9Supported in previous releasesRHEL 6.x

    YesYesWindows 7 (32-bit and 64-bit)

    Please refer to the Symantec Critical System Protection Platform and FeatureMatrix for more detailed information on specific platforms and versions and thefeatures they support.

    SymantecCritical SystemProtection supportsReal-TimeFile IntegrityMonitoringon Red Hat Enterprise Linux and SUSE. The Real-Time File Integrity Monitorfeature supports the following filesystems on Linux:

    Ext 2/3/4

    ReiserFS

    VFAT

    Watched files or directories residing on other filesystems default to polling-basedfile monitoring.

    Symantec Critical System Protection Version 5.2.9 Release NotesWhat's new in release 5.2.9

    4

    http://www.symantec.com/business/support/index?page=content&key=52463&channel=DOCUMENTATION

  • You cannow run theSymantecCritical SystemProtectionweb console in InternetExplorer 9 and Firefox 12.

    Newly Frozen Agent PlatformsThe Solaris 9 Symantec Critical System Protection agent has been frozen as of5.2.8 MP4.

    Integration with Active DirectoryLog on as an administrator on the Symantec Critical System Protection consoleand definemultiple ActiveDirectory servers for user authentication. Then, createusers with Active Directory credentials and assign them any role including theadministrator role.

    Control access to a running processSymantec Critical System Protection provides Process Access Control feature toenable you to control access to a running process. You can specify if a callingprocess can open a target process and the permissions that it has to do so.

    By default, the ProcessAccess Control feature is enabled on the Symantec CriticalSystem Protection 5.2.9 agent. To use this feature, you must have at least a 5.2.9Prevention policy and a 5.2.9 agent.

    For more information, see Symantec Critical System Protection Prevention PolicyReference Guide.

    Search for assets quicklySymantec Critical System Protection lets you search assets based on a variety ofasset properties. The search results contain details about the asset, such assoftware version, IP address, group, history, and so on. You can select an assetand perform several actions on it. You can also export the search results to acomma-separated value (CSV) file.

    Disable duplicate agent registrationSymantec Critical System Protection provides you the ability to control theregistrationof duplicate agentswith themanagement server. Bydefault, SymantecCritical System Protection lets you register agents with similar identificationattributes, such as host name, IP address, agent name, and operating system.

    5Symantec Critical System Protection Version 5.2.9 Release NotesWhat's new in release 5.2.9

  • Symantec Critical SystemProtectionnowensures that for every agent registered,a unique agent record is maintained in Symantec Critical System Protectiondatabase to avoid duplicate agent registration with the management server.

    Export query results to multiple file formatsSymantecCritical SystemProtection lets you export query results to aCSV,HTML,or PDF file.

    View and export server configuration dataSymantecCritical SystemProtection lets youview themanagement server settingsfor the management server that is connected to the console.

    Organize custom programs by using tagsSymantec Critical System Protection lets you organize custom programs bygrouping them with tags. You can add one or more tags to each custom programand use the GroupTags tab to view the custom programs according to their tags.Also, you can search for a custom program by its group tag.

    Import large set of values for a parameter in a policySymantec Critical System Protection offers the option to import a large set ofvalues for a parameter in the Symantec Critical System Protection policy. Also,you can export the parameter values in the comma-separated value (CSV) fileformat.

    Symantec Critical System Protection now supports two sets ofprevention policy packs

    Symantec Critical SystemProtectionnow supports two sets of prevention policies:

    Minimum agent version 5.2.0 policiesYou can apply these policies to Symantec Critical System Protection agentversions 5.2.0 and later. The 5.2.0 policies support the Thread InjectionDetection feature.

    Minimum agent version 5.2.9 policiesYou can apply these policies to Symantec Critical System Protection agentversions 5.2.9 and later. The 5.2.9 policies support the Process Access Controlfeature. Since the Process Access Control feature is a superset of ThreadInjection Detection feature, the Thread Injection Detection rules have beenremoved from the 5.2.9 policies.

    Symantec Critical System Protection Version 5.2.9 Release NotesWhat's new in release 5.2.9

    6

  • The Process Access Control feature is not supported on Windows 2003 (64-bit)operating system. Because of this you cannot apply the default 5.2.9 policies onWindows 2003 (64-bit) systems.

    The following option is added to the 5.2.9Windows policies, which lets you selectwhether you want to apply this policy on Windows 2003 (64-bit) systems.

    Global options > Additional Parameter Settings > Allow policy to be applied toWindows 2003 64-bit systems

    Syslog-ng support for HP-UXSymantec Critical SystemProtection IDS agent now receive system log input fromthe syslog-ng on HP-UX.

    Symantec Critical System Protection assumes the following about the syslog-ngsetup:

    Syslog-ng is the primary system logger daemon and it is not usedsimultaneously with syslogd (as it is with the HP-UX DAUS utilities).

    Syslog-ng is configured by using the /etc/syslog-ng.conf file. You must createa symbolic link between /etc/syslog-ng.conf and the actual configuration filelocation, if the syslog-ng version installed on the system has any otherconfiguration path than /etc/syslog-ng.conf file path.

    You must set the following option, if the syslogd daemon is installed on thesystem:LocalAgent.ini [Syslog Collector] Syslog Daemon=SYSLOGNG

    Real-Time FIM is available on Linux platformsSymantec Critical System Protection IDS agent now supports the Real-Time FileIntegrity Monitoring (RT-FIM) feature on Linux operating systems. This resultsin more timely notification of file changes and allows the user and process eventcapture for supported filewatch operations.

    Please refer to the Symantec Critical System Protection Platform and FeatureMatrix for information on specific Linux platforms and versions that support thisfeature.

    Application Control Template policies removedThe Application Control Template policies have been removed from SymantecCritical System Protection. These policies are replaced by the Custom Preventionpolicy feature. TheApplication Control Templates policies let you create a customcontrol and maintain the custom controls in one workspace policy. Customers

    7Symantec Critical System Protection Version 5.2.9 Release NotesWhat's new in release 5.2.9

  • could propagate customcontrols from theirApplicationControl Template policiesto prevention policies in use. The Custom Prevention Policy feature provides thesame ability, but these Custom Prevention Policies can also be applied to assetgroups where Application Control Templates cannot.

    vSphere SupportSymantec Critical SystemProtection vSphere Support Pack 1.0 is integratedwiththe Symantec Critical System Protection 5.2.9 release. You are not required todownload and install the support pack separately. Moreover, the existing ESX 4.1prevention anddetectionpolicies are combined togetherwith vSphere 5.0 policies.Following are the features of this integration:

    Symantec Critical System Protection agent install contains the ESXi SupportUtility to monitor files and logs on ESXi 5.0 hosts. It is installed by default onRedHat 5.5 (32-bit and 64-bit) and SLES 10/11(32-bit and 64-bit) hosts.

    The Symantec Critical System Protection Detection Policy pack contains thefollowing:

    vSphere ESXi Detection Policy to monitor ESXi 5.0 hypervisor

    vSphere ESX Detection Policy, formerly known as ESX Server SecurityHardening Policy, to monitor ESX 4.1 hypervisor

    Three workspace policy packs are now available as part of the CD Image:

    SCSPvSphereDetectionPolicyWorkspacePack.zipThis policy pack contains the following workspace policies to monitor thevCenter 5.0 server:

    vSphere Application Detection policy

    vSphere Windows Baseline Detection policy

    SCSPvSphereProtectionPolicyWorkspacePack.zipThis policy pack contains the following workspace policies for bothminimum agent versions 5.2.0 and 5.2.9:

    vSphere Protection Policy to protect the vCenter 5.0 server

    ESX Protection Policy to protect the ESX 4.1 hypervisor

    The vSphere Report Pack is integrated with the Symantec Critical SystemProtection Report Pack.

    Symantec Critical System Protection Version 5.2.9 Release NotesWhat's new in release 5.2.9

    8

  • Resolved issues

    Console and Server Resolved issues

    Policy translation error for prevention policy customprogramsFix ID: 2570203

    If the custom prevention policy has one or more custom program defined in itand if such a policy is applied to a Symantec Critical System Protection agent, itcaused a policy translation error on the Symantec Critical System Protectionagent. The cause for this issue was the logical error in the XML processing whenthe policy cache is built on the Symantec Critical SystemProtection server beforeapplying it to the agent. If there are multiple custom programs defined, then theserver processes the policy XML to insert the ruleID for the custom programs,and there was error in the XML processing logic. This has been fixed now.

    Affected operating systems: All supported operating systems

    Affected Symantec Critical System Protection versions: 5.2.6.x, 5.2.8, and 5.2.8MP1

    Affected SymantecCritical SystemProtectionpolicy:NotApplicable to Preventionpolicies

    Policy application issueFix ID: 2411162

    In the previous releases, when the database ran in SQL 2000 compatibility mode,the newly created policies cannot be applied to the groups. The compatibilitymode was changed from SQL 2000 to SQL 2005 or SQL 2008, then newly createdpolicies could be applied to thegroups, but theSymantecCritical SystemProtectionconsole and database responded slowly. So, in order to resolve the issue of slowprocessing, the underlying database SQL query has been updated to make policyapplication faster.

    Affected operating systems: Windows

    Affected Symantec Critical System Protection versions: Release 5.2.8 and older

    Affected Symantec Critical System Protection policy: Not Applicable

    Black box does not appear on reports anymoreThe issue that caused black box to appear onSymantec Critical SystemProtectionreports is fixed now.

    9Symantec Critical System Protection Version 5.2.9 Release NotesResolved issues

  • Affected operating systems: All supported operating systems

    Affected Symantec Critical System Protection versions: Release 5.2.8 and older

    Affected Symantec Critical System Protection policy: Not Applicable

    Symantec Critical System Protection event export processtakes excess amount of timeFix ID: 2247056

    In the previous versions, exporting a large number of events from the Monitorstab, the export process took excess amount of time. This issue is fixed now.

    Affected operating systems: All supported operating systems

    Affected Symantec Critical System Protection versions: Release 5.2.8 and older

    Affected Symantec Critical System Protection policy: Not Applicable

    TheWindows Template policy allowed adding identical valuesand comment entries in the filewatch listFix ID: 2232992

    In the previous versions, you were able to add identical values and commententries in the filewatch list of the Windows Template policy. Now, if you try toadd identical values and comment entries, an error message appears as There isalready an identical value in the list.

    Affected operating systems: Windows

    Affected Symantec Critical System Protection versions: Release 5.2.8 and older

    Affected Symantec Critical System Protection policy: Windows Template policy

    Symantec Critical System Protection policies now retain thepolicy values after export and importFix ID: 2525205

    After a policy is imported, you can see the parameter value in the imported policyeven if it was deleted in the original workspace policy that was exported. This hasbeen fixed.

    When you export a policy, the exported zip file contains policy settings fromworkspace policy and base compiled policy. It also exports the default parametervalues. When you specify such a policy zip file for importing a workspace policy,the parameter values in the workspace policy and those in the compiled policysettings are merged. When a merged parameter from workspace policy matchesa parameter already in the compiled policy, the parameter from the compiled

    Symantec Critical System Protection Version 5.2.9 Release NotesResolved issues

    10

  • policy is overwritten. Since, the default parameter values were present in exportfile, it could match with the default parameter values. Now, instead it deletes thematching parameter in the compiled policy settings. This way it keeps the policyvalues after export and import .

    Affected operating systems: Windows

    Affected Symantec Critical System Protection versions: Release 5.2.8 and older

    Affected Symantec Critical System Protection policy: Not Applicable

    Group policies are applied automaticallyFix ID: 1663174

    When you move an Symantec Critical System Protection agent to a group,Symantec Critical System Protection automatically clears the assigned policieson the agent and applies the group policies on the agent.

    Affected operating systems: All supported operating systems

    Affected Symantec Critical System Protection versions: Release 5.2.8 and older

    Affected Symantec Critical System Protection policy: Not Applicable

    Timeout dialog box now displays the console name it isconnected toFix ID: 2232970

    In the previous versions, when multiple consoles were connected to differentmanagement servers with timeout console feature activated for all consoles, itwas difficult to identify which timeout dialog box was associated with whichconsole. Now, the timeout dialog box title displays the console name it is associatedto.

    Affected operating systems: Windows

    Affected Symantec Critical System Protection versions: Release 5.2.8 and older

    Affected Symantec Critical System Protection policy: Not Applicable

    Applying a large number of custom policies on agents preventnew policy compilationFix ID: 2707487

    The issue that caused Symantec Critical SystemProtection to stop compiling newpolicies when you apply a large number (more than 21) of custom policies is fixednow.

    11Symantec Critical System Protection Version 5.2.9 Release NotesResolved issues

  • Affected operating systems: Windows

    Affected Symantec Critical System Protection versions: Release 5.2.8 and older

    Affected Symantec Critical System Protection policy: Not Applicable

    Agent Resolved issues

    The ImportFileList function causes unknownerror in the parseron WindowsFix ID: 2430740

    The optional use of imported file lists by using the syntax%?-ImportFileList()?% results in a parsing error. This happenswhen youapply the policy and the file list doesnt exist. Given the optional syntax, themissing file list should be ignored. The Symantec Critical SystemProtection agenthas been updated to fix this issue.

    Affected operating systems: All supported operating systems

    Affected Symantec Critical System Protection versions: Release 5.2.8 and older

    Affected SymantecCritical SystemProtectionpolicy:NotApplicable to Preventionpolicies

    Agent Status event contains additional information for policyretranslations caused by the "Change in LocalIPs"Fix ID: 1002999

    Policy retranslations occur when the IPS service detects a change in the LocalIPs.In many circumstances, this causes a policy retranslation activity after every 10minutes and continues for hours or days. TheAgent Status event does not indicateneither the IP address changes nor the list of what the new local IP addressesconsist of.

    The IPS Service has been updated to include additional information in the AgentStatus event for policy retranslations caused by Change in LocalIPs". Now, theAgent Status event includes any added or deleted IP addresses. The followingexample displays the Agent Status event information.

    The old Agent Status event displayed the following information:

    MSTA,3,2007-03-11 22:26:00.354

    Z-0400,I,10,,5d8351365c0f4f97d801cb31f42b9660,10161,,,,,checkRetrans,,S,,Policy

    Retranslation,,,,,Policy Retranslated Triggered. Reason : Change in

    LocalIPs

    Symantec Critical System Protection Version 5.2.9 Release NotesResolved issues

    12

  • The updated Agent Status event now displays the following information:

    MSTA,31,2012-04-26 16:20:29.921

    Z-0700,I,10,ISR,5591dff386c6e6b982e7f7fbf7a7af00,10161,,,,,checkRetrans,,S,,Policy

    Retranslation,,,,,"Policy Retranslated Triggered. Reason : Change in

    LocalIPAddresses (Added : 10.160.118.56 127.0.0.1 ) "

    Affected operating systems: All supported operating systems

    Affected Symantec Critical System Protection versions: Release 5.2.8 and older

    Affected SymantecCritical SystemProtectionpolicy:NotApplicable to Preventionpolicies

    Unexpected IPS behavior with the use of multiple optionalparameters in the prevention policiesFix ID: 2748554

    The Symantec Critical System Protection agent-side translator componentincorrectly processes the prevention policies that use optional parameter values.If some parameter values exist on the system and some do not, then undesiredrules are introduced in the policy. This issue manifests only when there aremultiple items in the parameter list and some of the rules reference parametervalues that do not exist and some rules reference parameter values that exist.

    The agent-side translator processes the following prevention policy configurationcorrectly:

    A parameter list has two rules and one of the rules does not use any optionalvalues or has optional values but they all exist on the agent.

    The agent-side translator processes the following prevention policy configurationincorrectly:

    A parameter list has two rules with optional parameter values. The first rulecontains a value that exists on the agent, and the second rule contains a valuethat does not exist on the agent. Instead of the second rule being removed, thesecond rule remains and uses the corresponding value from the first rule.

    Following are the areas of impact:

    This issue affects the following lists:

    File Resource Lists with optional process attributes, such as Program, User,or Group.

    Registry Resource Lists with optional process attributes, such as Program,User, or Group.

    13Symantec Critical System Protection Version 5.2.9 Release NotesResolved issues

  • Process Control Lists (Custom Routing) with optional process attributes, suchas Program, User, or Group.

    Any Optional List usage

    This issue does not affect the following lists:

    Network Resource Lists

    The Symantec Critical SystemProtection agent has been updated to fix this issue.

    Affected operating systems: All supported operating systems

    Affected Symantec Critical System Protection version: 5.2.X

    Affected Symantec Critical System Protection policy: All policy versions

    IPS is enabled by default while upgrading Symantec CriticalSystem Protection agent on IDS-only installationFix ID: 2778829

    When upgrading a platform for IDS-only feature set to include support for IPSfeature, the default behavior was to enable the IPS driver to be consistent with anew installation. Whereas, Symantec Critical System Protection disables the IPSdriver when you upgrade from a IDS-only feature that is set to a version whichsupports IPS.

    Symantec Critical System Protection agent is now fixed so that the IPS driver isenabled to be consistent with the new installation.

    Affected operating systems: All platforms that supported IDS-only features anddid not support IPS.

    The Rule name does not appear in certain instances forResource List items in the prevention policiesFix ID: 2568857 and 2669259

    When a file, registry, or PAC resource list parameter entry contains a referenceto a custom list in one of its attributes, the rule name in the custom list for theresource path always gets used. In the event that the custom list for the resourcepath does not have a rule name but the parameter entry does, the rule name iscurrently left blank.

    This has been fixed in the agent software by concatenating the rule-name specifiedin the outer parameter entrywith the rule-name specified in the inner referencedcustom list for the resource path.

    When both Outer and Inner rule-names are non-empty:Outer rule-name text. Inner rule-name text

    Symantec Critical System Protection Version 5.2.9 Release NotesResolved issues

    14

  • When Outer rule-name is non-empty and Inner rule-name is empty:Outer rule-name text

    When Outer rule-name is empty and Inner rule-name is non-empty:Inner rule-name text

    Affected operating systems: All supported operating systems

    Affected Symantec Critical System Protection version: 5.2.0 and later versions

    Affected Symantec Critical System Protection policy: This fix is not applicable tothe IPS policies

    Protection of Symbolic Links in UnixFix ID: 2273442, 2347797, and 2521649

    The Symantec Critical System Protection version prevention policies allow youto specify a symbolic link for UNIX operating systems to protect files anddirectories. The Symantec Critical System Protection agent translates symboliclinks to the targeted file-path and protects these targeted file-paths. In additionto this, we have added protection for the symbolic links itself in Symantec CriticalSystem Protection 5.2.9. Symbolic links can no longer be modified or deleted andrecreated again to change their targeted file-path. As a consequence of this fix,the out of the boxUNIXprotection policy tightens down the linux systems further./etc/init.d is a symbolic link to thepaths/etc/rc*.d/init.d for linuxoperatingsystems. /etc/init.d can no longer be modified, deleted, and created once thepolicy is applied.

    Affected operating systems: All UNIX operating systems that support IPS

    Affected Symantec Critical System Protection version: All 5.2.x versions

    Affected Symantec Critical System Protection policy: None

    Prevention Policy Resolved issues

    Unix Prevention policy blocking Apache communication onSolaris 10Fix ID: 2690756

    In the previous releases, the Unix Prevention policy blocked the Apache WebServer communication onSolaris 10.OnSolaris 10, the defaultApache installationdirectoryhas been changed to /usr/apache2. TheUnixPreventionpolicyhas beenupdated to reflect this new Apache install directory.

    Affected operating systems: Solaris 10

    15Symantec Critical System Protection Version 5.2.9 Release NotesResolved issues

  • Affected Symantec Critical System Protection versions: Release 5.2.8 and older

    Affected Symantec Critical System Protection policy: Unix Protection policy(sym_unix_protection_sbp m5.2.0 v211, sym_unix_protection_sbp m5.2.9 v214)

    Full Privilege PSET now support Resource ListsFix ID: 2731643, 2683172, 2731655, and 2683176

    The Full Privilege PSETs now support Resource Lists. However, these resourcelists do not block process, file and registry access on Windows. The resource listsalso do not block file & process access on UNIX. This behavior is because the FullPrivilege PSETs allow full access to all these resources by design. So, even thelimited and no access lists would only log but not block resource access.

    Prevention policy blocks Symantec Endpoint Protection andWindows servicesFix ID: 2685160

    When Symantec Critical System Protection and Symantec Endpoint Protection(SEP) agents are installed on the same machine, the Symantec Critical SystemProtection prevention policies blocks some of the Symantec Endpoint Protectionservices to perform required actions. In addition, it also blocks some of theWindows services to start correctly, such as Task Scheduler.

    This issue is fixed now.

    Affected operating systems: Windows

    Affected Symantec Critical System Protection version: 5.2.X

    Affected Symantec Critical System Protection policy:Sym_win_protection_core_sbp, Sym_win_protection_strict_sbp, andSym_win_protection_ltd_exec_sbp

    Prevention policy blocks the Symantec Endpoint ProtectionManager Remote Push featureFix ID: 2727261

    When Symantec Critical System Protection agent and Symantec EndpointProtection Manager (SEPM) are installed on the same machine, the SymantecCritical System Protection prevention policies blocks the Remote Push SEPMfeature.

    If you want to use the SEPM Remote Push feature, you must either disableprevention on the target Symantec Critical System Protection systems until the

    Symantec Critical System Protection Version 5.2.9 Release NotesResolved issues

    16

  • Symantec Endpoint Protection client installation is complete, or you can adjustthePreventionpolicy to allowSEPMtoaccess additional resources listed as follows:

    Policy exceptions to add to allow the SEPM Remote Push feature

    Policy Settings > Global Policy Options > Network Rules > Inbound NetworkRules > List of rules to control connections into this system > Add >Action: Allow, Protocol: Both TCP and UDP, Local Port: 445, Remote IP: SEPMserver IP, Remote Port: Any, Logging: Do not log.

    Policy Settings > Process Sets > Host Security Programs > General Settings >SysCall Options > Allow creation of hardlinks

    Policy Settings >Process Sets >Global PolicyOptions >hsecurity_ps >RegistryRules > Writable Resource Lists > Allow modifications to these Registry Keys> "\Registry\Machine\SOFTWARE\Symantec\Symantec EndpointProtection\CurrentVersion".

    Policy Settings > Process Sets > Interactive ProgramOptions > int_stdpriv_ps> File Rules > File Rules > Allow modifications to these files >Resource Path:"%systemdrive%\Temp\Clt-Inst\*"

    Policy Settings > Process Sets > Service Options > Core OS Service Options >svc_safepriv_ps > File Rules > File Rules > Allow modifications to these files>Resource Path: "\DEVICE\HARDDISK?\DR?"Program Path: "%systemroot%\system32\MsiExec.exe"

    Affected operating systems: Windows

    Affected Symantec Critical System Protection version: 5.2.X

    Affected Symantec Critical System Protection policy:Sym_win_protection_core_sbp, Sym_win_protection_strict_sbp, andSym_win_protection_ltd_exec_sbp

    The svc_stdpriv_ps PSET does not obey the List of ProgramsServices should not execute parameterFix ID: 2593805

    The svc_stdpriv_ps PSET was missing the rules for the programs services shouldnot start option or parameter. This has been fixed in the policies.

    Affected operating Systems: All Windows operating systems

    Affected Symantec Critical System Protection versions: Release 5.2.8 and older

    Affected Symantec Critical SystemProtection policy:Windowsprotection policies

    17Symantec Critical System Protection Version 5.2.9 Release NotesResolved issues

  • After applying the IPS targeted policy from 5.2.8.MP3, theSymantec Critical System Protection agent services do notstart on SolarisFix ID: 2807793

    The IPS Targeted Prevention policy routing rules was updated to fix this issue.

    Affected operating Systems: Solaris operating systems

    Affected Symantec Critical System Protection versions: Release 5.2.8

    Affected Symantec Critical System Protection policy: Unix Targeted Preventionpolicy

    Detection Policy Resolved issues

    Log off rule options are disabled by defaultFix ID: 2423369

    In the Unix Baseline Detection policy, all logoff rule options under SystemLoginActivityandAccessMonitor>SystemLogoffMonitor are unchecked by default.This was done to reduce the number of events that are generated by the policyand end-user input which expressed limited need for these types of events.Whenupgrading anolder versionof thepolicywith thenewversion, you shouldmanuallyuncheck these options if they are not required.

    Affected operating systems: Linux and UNIX

    Affected Symantec Critical System Protection versions: Release 5.2.8 and older

    Affected Symantec Critical System Protection policy: Unix Baseline Detectionpolicy

    Suspicious Permission Change Detection option no longerexistsFix ID: 2561637

    TheSuspiciousPermissionChangeDetection option has been removed from theUnix Baseline Detection policy.

    Affected operating systems: Linux and UNIX

    Affected Symantec Critical System Protection versions: Release 5.2.8 and older

    Affected Symantec Critical System Protection policy: Unix Baseline Detectionpolicy

    Symantec Critical System Protection Version 5.2.9 Release NotesResolved issues

    18

  • vSphere Support Resolved issues

    Error message appears while configuring the ESXi SupportUtility on Redhat 5.5 and SUSE Linux 10 operating systemsDuring ESXi Support Utility configuration rfs_config.sh-[setup/addHost/modifyHost/deleteHost], if you use https to communicatewith the ESXi 5.0 hypervisor you may see the following error message as shownbelow:

    Server version unavailable at https://:443/sdk/vimService.wsdl at

    /usr/lib/perl5/5.8.8/VMWare/VICommon.pm line 545

    This error does not affect the working of the ESXi Support Utility configuration.

    This issue is fixed now.

    Affected operating systems: RedHat 5.5 or SUSE Linux 10/11 (32-bit and 64-bit)systems that ware configured to monitor the ESXi 5 hypervisor

    Affected Symantec Critical System Protection versions: vSphere Support Pack1.0 to 5.2.9

    Affected Symantec Critical System Protection policy: Not Applicable

    Errormessageappearswhile upgrading theESXi SupportUtilityFix ID: 2758126

    While configuring the RFS tool by running rfs_config.sh -upgrade commandto upgrade from vSphere Support Pack 1.0 to 5.2.9, you see the following errormessage:

    mv: cannot move `/opt/Symantec/scspagent/IDS/bin/esxi_fim/data/' to a subdirectory of itself,

    This issue is fixed now.

    Affected operating systems: RedHat 5.5 or SUSE Linux 10/11 (32-bit and 64-bit)systems that ware configured to monitor the ESXi 5 hypervisor

    Affected Symantec Critical System Protection versions: Release 5.2.9

    Affected Symantec Critical System Protection policy: Not Applicable

    Missing similar File-Watch events if the sameevent is triggeredacross multiple VMX filesFix ID: 2794484, 2759526, 2761215

    19Symantec Critical System Protection Version 5.2.9 Release NotesResolved issues

  • If multiple VMX files in a single ESXi host or multiple ESXi hosts are updated inthe same synchronization interval that trigger the same detection rule, only oneevent is generated for a single VMX file. This is caused due to a rule of suppressionof similar events in the policy for 5 seconds after the first one triggers.

    This issue is fixed now.

    Affected operating systems: RedHat 5.5 or SUSE Linux 10/11 (32-bit and 64-bit)systems that ware configured to monitor the ESXi 5 hypervisor

    Affected Symantec Critical System Protection versions: vSphere Support Pack1.0 to 5.2.9

    Affected Symantec Critical System Protection policy: Not Applicable

    Missing rules in the description field of vSphere ApplicationDetection PolicyFix ID: 2767751

    Some of the rules in the description field does not appear for vSphere ApplicationDetection Policy.

    This issue is fixed now.

    Affected operating systems: Windows (64-bit) machines with vCenter installed.

    Affected Symantec Critical System Protection versions: Release 5.2.9

    Affected Symantec Critical System Protection policy: vSphere ApplicationDetection Policy

    Multiple filewatch events are reported when a file is modifiedin real timeFix ID: 2758257

    The 5.2.9 Symantec Critical System Protection agent provides real-time filemonitoring. When the RFS tool mirrors the files obtained from the ESXi host, itgenerates four events for removal of the original file with the new file obtainedfrom the ESXi host.

    This issue is fixed now.

    Affected operating systems: RedHat 5.5 or SUSE Linux 10/11 (32-bit and 64-bit)systems that ware configured to monitor the ESXi 5 hypervisor

    Affected Symantec Critical System Protection versions: Release 5.2.9

    Affected Symantec Critical System Protection policy: Not Applicable

    Symantec Critical System Protection Version 5.2.9 Release NotesResolved issues

    20

  • Known issues

    Console and Server Known issues

    Disk Free Space information does not appearFix ID: 2481716

    TheDisk Free Space information does not appear in the Symantec Critical SystemProtection Database Status query.

    The workaround to view this information is as follows:

    To view the Disk Free Space information

    1 Log into the SQL Server database by using SQL Server Management studio.

    2 Type sa as the user name.

    3 Expand Databases > SCSPDB database > Programmability > StoredProcedures, and then select dbo.SCSP_DBSTATUS.

    4 Right-clickdbo.SCSP_DBSTATUS, and then selectExecuteStoredProcedure

    5 Check Pass Null Value

    6 Click OK.

    In the Results pane, under DB File Usage, view the Disk Free Spaceinformation

    Affected operating systems: All supported operating systems

    Affected Symantec Critical System Protection versions: Release 5.2.8.X, 5.2.6.X

    Affected Symantec Critical System Protection policy: Not Applicable

    Description information does not appear in Symantec CriticalSystem Protection console for rules in the policiesIf any text contains a single-quote character () or a semicolon character (;), thewhole text does not appear in description text fields for custom programs orcustom rules in policy editor in the Symantec Critical System Protection console.Moreover, none of the input text fields allow any of these two characters to betyped in. These two characters can get into the text when a policy is importedthrough the console. Symantec Critical System Protection console displays thepre-existing text in all the text fields except for the description fields for customrules or custom programs in the policy editor.

    21Symantec Critical System Protection Version 5.2.9 Release NotesKnown issues

  • The workaround for this issue is to remove the single-quote character () orsemicolon character (;) from the description text for custom rules or programsbefore you import a policy.

    To remove single-quote character () or semicolon character (;)

    1 Log into the SQL Server database by using SQL Server Management studio.

    2 Type sa as the user name.

    3 Expand Databases > SCSPDB database > Tables and then selectdbo.OPTIONSETTING.

    4 Right-click dbo.OPTIONSETTING, and then select Edit top 200 rows.

    5 Identify the rows for which optval column value equals name of the customrule or program.

    6 Edit the value of OptDesc column to remove the single-quote character () orsemicolon character (;) from the description.

    Affected operating systems: All supported operating systems

    Affected Symantec Critical System Protection versions: Release 5.2.9

    Affected Symantec Critical System Protection policy: Not Applicable

    Agent Known issues

    Agent triggers many log events on Windows systemWhen you monitor a UNIX or Linux log file on a Windows system, the agenttriggersmany log events. These events have the last one or two letters of the textentered as a delimiter value in the LogWatch.ini file.

    Affected operating systems: All Windows operating systems

    Affected Symantec Critical System Protection version: 5.2.9

    Affected Symantec Critical System Protection policy: Not Applicable

    Agent remains flagged for longer duration onSymantecCriticalSystem Protection consoleFix ID: 2603627

    The Symantec Critical System Protection agent remains flagged for a longerduration on the console after you install a newversion of SymantecCritical SystemProtection. This issue occurs during the agent communications polling cycle.When the Symantec Critical System Protection IPS process checks for theavailability of the Symantec Critical System Protection IDS process (which is not

    Symantec Critical System Protection Version 5.2.9 Release NotesKnown issues

    22

  • yet started), the handshake between the process does not happen and the agentis flagged. The agent becomes online after thenext agent communicationspollingcycle.

    Affected operating systems: All supported operating systems

    Affected Symantec Critical System Protection version: 5.2.9

    Affected Symantec Critical System Protection policy: Not Applicable

    Apply the Symantec Critical SystemProtection server's defaultprevention configs parameters manuallyWhen you upgrade to a newer version of Symantec Critical System Protection, itdoes not reregister existing agent and the agent retains old prevention configsassigned to it. Youmustmanually apply the Symantec Critical System Protectionserver's default prevention configs parameters.

    Affected operating systems: All supported operating systems

    Affected Symantec Critical System Protection versions: Release 5.2.9

    Affected Symantec Critical System Protection policy: Not Applicable

    Overlapped I/O error occurs during AD configuration onWindows 2003 32-bitFix ID: 2810881

    When you configure an Active directory role on Windows 2003 32-bit operatingsystem, it may fail if Symantec Critical System Protection agent is installed.Symantec Critical System Protection agent on Windows 2003 32-bit operatingsystem by default activates file system filter driver, which is known to triggerOverlapped I/O error.

    The operation failed with the following error:

    Overlapped I/O operation is in progress.

    Solution:

    Configure Active Directory role before installing the Symantec Critical SystemProtection agent. If it is installed already, remove all prevention and detectionpolices, stop all Symantec Critical System Protection agent services, and thenconfigure the server role as Active Directory sever. If the error persists, uninstallSymantec Critical SystemProtection agent. Once the sever is configured asActiveDirectory server, Symantec Critical System Protection agent can be re-installedor re-enabled.

    Affected Operating System: Windows 2003 32-bit

    23Symantec Critical System Protection Version 5.2.9 Release NotesKnown issues

  • Symantec Critical System Protection version: 5.2.6 and newer

    Memory Leak when Symantec Critical System ProtectionPrevention and Symantec Endpoint Protection 12.1 are usedtogetherFix ID: 2822546

    If you have Symantec Critical System Protection installed with the Preventionfeature enabled and youhave Symantec Endpoint Protection 12.1 installed on thesame system, Symantec Critical SystemProtection creates an extra process entryin its data structures for each Windows process that exits. The issue occursregardless of the Prevention policy applied, including if the Null policy is applied.The issue does not occur without Symantec Endpoint Protection present or withSymantec Endpoint Protection 11.0 present. The issue does not occur if theSymantec Critical System Protection Prevention feature is disabled.

    The leak is relatively small (approximately 1KBper process) and is directly relatedto the number of processes existing on the system. If the system contains onlylong-running processes with few processes exiting, the leak will be negligible. Ifthe systemhas applications that constantly start and stop processes, the leakwillbe greater.

    This issuewill be fixed in theSymantecCritical SystemProtection5.2.9GArelease.

    Operating Systems affected: All Windows operating systems

    Affected Symantec Critical System Protection versions: All agent versions

    Affected Symantec Critical System Protection policy: Not applicable

    Unexpected IPS behavior when using multiple optionalparameters in the Exception Lists for buffer overflow andThread Injection DetectionFix ID: 2893056

    The Symantec Critical System Protection Agent incorrectly processes bufferoverflow and Thread Injection Exception Lists in the prevention policies that useoptional parameter values. If someparameter values exist on the systemand someparameter values do not exist, then undesired rules are introduced in the policy.This issuemanifests only when there aremultiple items in the parameter list andsome of the rules reference parameter values that do not exist and some rulesreference parameter values that exist.

    The agent processes the following prevention policy configuration correctly:

    Symantec Critical System Protection Version 5.2.9 Release NotesKnown issues

    24

  • A parameter list has two rules ormore rules and the rules do not use any optionalvalues or have optional values but they all exist on the agent.

    The agent processes the following prevention policy configuration incorrectly:

    A parameter list has two or more rules with optional parameter values. One ormore rules contains a value that exists on the agent, and at least one other rulecontains a value that does not exist on the agent. Instead of the rule containingthenon-existent valuebeing removed, the rule remains anduses the correspondingvalue from the other rules.

    Following are the areas of impact:

    This issue affects the following lists:

    Buffer overflow and Thread Injection Exception List

    This issue does not affect the following lists:

    Network Resource Lists

    File Resource Lists with optional process attributes such as Program, User, orGroup.

    Registry Resource Lists with optional process attributes such as Program,User, or Group.

    Process Control Lists (Custom Routing) with optional process attributes suchas Program, User, or Group.

    Affected operating systems: All supported operating systems

    Affected Symantec Critical System Protection version: 5.2.X

    Affected Symantec Critical System Protection policy: All policy versions

    Detection Policy Known issues

    Unable to record successful SU logoff eventsFix ID: 2560861

    Symantec Critical SystemProtection does not record successful SU logoff events.

    Following are the policy options:

    System Login Activity and Access Monitor > System Logoff Monitor > Su toroot Logoff

    System Login Activity and Access Monitor > System Logoff Monitor > Su tonon-root Logoff

    Affected operating system: HP-UX, Solaris, and AIX

    25Symantec Critical System Protection Version 5.2.9 Release NotesKnown issues

  • Affected Symantec Critical System Protection version: 5.2.9

    Affected Symantec Critical System Protection policy: Unix Baseline Detectionpolicy

    Does not record CD/DVD burning activity eventSymantec Critical System Protection does not record CD/DVD burning activityevent.

    Following is the policy option:

    System External Device Activity->CD/DVD Burning Activity

    Affected operating systems: Windows 7

    Affected Symantec Critical System Protection version: 5.2.9

    Affected Symantec Critical SystemProtection policy:WindowsBaselineDetectionPolicy

    Does not record multiple SU eventsSymantecCritical SystemProtectiondoesnot recordmultiple successful SUeventsin the same session.

    Following are the policy options:

    System Login Activity and Access Monitor->System Login SuccessMonitor->SU Operations Options->SU to root

    System Login Activity and Access Monitor->System Login SuccessMonitor->SU Operations Options->SU to non-root

    Affected operating systems: HP-UX

    Affected Symantec Critical System Protection version: 5.2.9

    Affected Symantec Critical System Protection policy: Unix Baseline Detectionpolicy

    Symantec Critical System Protection default baseline policynow records the IIS logFix ID: 2695047

    Symantec Critical System Protection Windows Baseline policy monitors the IISlog located at the following directory:

    %SystemDrive%\Inetpub\Logs\LogFiles\W3SVC\*.log.

    Symantec Critical System Protection Version 5.2.9 Release NotesKnown issues

    26

  • You canmodify the Baseline Detection policy tomonitor the logs that are locatedin other directories.

    Affected operating systems: Windows

    Affected Symantec Critical System Protection version: 5.2.9

    Affected Symantec Critical SystemProtection policy:WindowsBaselineDetectionpolicy

    Two UNIX Activity Log (BTMP) events are generated for onefailed loginFix ID: 2672231

    On Red Hat Enterprise Linux 6.1, for every login failure of a non-root user, twoentries are marked in Syslog.

    Affected operating systems: Red Hat Enterprise Linux 6.1

    Affected Symantec Critical System Protection version: 5.2.9

    Affected Symantec Critical System Protection policy: Unix Baseline Detectionpolicy

    Logon_failure event generated for each successful local loginFix ID: 2672231

    OnRedHat Enterprise Linux 6.1, for every successful non-root userGNOME login,the gdmprocesswrites alsowrites a btmp log entrywhich results in an erroneousLogon_failure event being generated in addition to the successful login event.

    Affected operating systems: Red Hat Enterprise Linux 6.1

    Affected Symantec Critical System Protection version: 5.2.9

    Affected Symantec Critical System Protection policy: Unix Baseline Detectionpolicy

    Telnet andRlogin successful logons for root user are not loggedby default Unix Baseline Detection policyFixID: 2868291

    On Solaris 11, telnet and Rlogin successful logons for root user are not logged bydefault Unix Baseline Detection policy.

    27Symantec Critical System Protection Version 5.2.9 Release NotesKnown issues

  • The workaround to log the event is as follows:

    1 Open Unix Baseline Detection policy and click System Login Activity andAccess Monitor.

    2 In System Login Success Monitor > Telnet and Rlogin logon Options, clickEdit beside Root logon.

    3 Modify *UserLoggedin*-sh*remote_login* to *UserLoggedin*remote_login*in select strings.

    Affected operating systems: Solaris 11

    Affected Symantec Critical System Protection version: 5.2.9

    Affected Symantec Critical System Protection policy: Unix Baseline Detectionpolicy

    vSphere Support Known issues

    Alternate install location for vSphere 5.0 applicationsThe vSphere Application Detection policy uses the environment variables toreference the VMware-installed path locations, such as%programw6432%\VMware\Infrastructure\*. If you have installed the vCentersoftware in an alternate drive or path location, such as E:\VMware, then youshould adjust vSphereApplicationDetectionpolicys vSphereServices FIMcustomrule options "Files to Watch" and Files to ignore file paths to reference thealternate location, such as E:\VMware\*. .

    Affected operating systems: vCenter Server Installation at an alternate installlocation on a Windows 2003/2003R2/2008/2008R2 (64-bit) operating system

    Affected Symantec Critical System Protection versions: vSphere Support Pack1.0 to 5.2.9

    Affected Symantec Critical System Protection policy: vSphere ApplicationDetection policy

    Error message appears while configuring the ESXi supportutility on RHEL 5.5 (64-bit) operating systemsDuring ESXi Support Utility configuration rfs_config.sh-[setup/addHost/modifyHost/deleteHost/upgrade], youmayseeasegmentationfault error as shown below:

    ./rfs_config.sh: line 232: 3902 Segmentation fault ** glibc detected

    *** /usr/bin/perl: munmap_chunk(): invalid pointer:

    Symantec Critical System Protection Version 5.2.9 Release NotesKnown issues

    28

  • This error may or may not follow a stack trace. This error does not affect theworking of the ESXi Support Utility configuration and it can be ignored.

    Affected operating systems: Red Hat Enterprise Linux 5.5 (64-bit) systems thatare configured to monitor the ESXi 5 hypervisor

    Affected Symantec Critical System Protection versions: vSphere Support Pack1.0 to 5.2.9

    Affected Symantec Critical System Protection policy: Not Applicable

    Ability to Add a second rule-name for rules in vSphere ESXDetection PolicyFix ID: 2839023

    Someof the rule nameshaveAdd/Remove/Import/Export buttons forRuleNamesin the vSphere ESX Detection policy (formerly known as ESX Server SecurityHardening Policy). This gives the impression thatmultiple rule names are allowedfor a rule. However, adding a second rule name using the Add button results inthe policy failing to apply. Only a single rule name is allowed for a rule.

    Affected operating systems: ESX 4.1

    Affected Symantec Critical System Protection versions: 5.2.x

    Affected Symantec Critical System Protection policy: vSphere ESX DetectionPolicy, ESX Server Security Hardening Policy

    What you need to know before you install or upgradeyour software

    The Symantec Critical System Protection Implementation Guide contains detailedinformation about how to install the Symantec Critical System Protectioncomponents. If you are installing for the first-time, you should install, configure,and test Symantec Critical System Protection in a test environment.

    For the latest andmost complete information about the release and known issuesand workarounds, refer to the readme file that accompanies this release.

    For informationaboutSymantecCritical SystemProtection features andplatforms,see the Platform and FeatureMatrix located in the docs folder on the product discthat contains this release.

    29Symantec Critical System Protection Version 5.2.9 Release NotesWhat you need to know before you install or upgrade your software

  • Table 1-1 Overview of an installation

    DescriptionActionStep

    When planning your installation, you may need to consider the following:

    Network architecture and policy distribution

    Firewalls

    Name resolution

    IP routing

    Plan the installation1

    All the computers on which you install Symantec Critical System Protectionshould meet or exceed the recommended operating system and hardwarerequirements.

    Review the systemrequirements

    2

    You can install the management console and management server on the samecomputer or on separate computers. You can install agents on any computer.All computers must run a supported operating system.

    Decide on thecomputers to install thesoftware components

    3

    You can install the following management server installation types:

    An evaluation installation that runs SQL Server 2005 Express on the localsystem

    An evaluation installation that uses an existing MS SQL instance on SQLServer 2005 or newer version. Upgrades fromany previousMSSQL instanceversions are not supported. If you have evaluation installation with olderMS SQL instance, upgrade it to SQL Server 2005 or newer version and beginthe management server installation.

    A production installation with Tomcat and the database schema.

    The Symantec Critical System Protection Manager supports Microsoft SQLServer 2005 and all newer versions. If you use an existing MS SQL instancein production installation, the database instance must be on MS SQL Server2005ornewerversion.Upgrades fromanypreviousMSSQL instanceversionsare not supported.

    The Tomcat component only

    Decide on themanagement serverinstallation type

    4

    The installation packages unpack installation files into the directory that isspecified by the TEMP environment variable. The volume that contains thisdirectory must have at least 200 MB of available disk space. If this volume doesnot have the required disk space, you must change your TEMP environmentvariable.

    Configure the TEMPenvironment variable

    5

    You begin the installation by installing the management server.

    Management server installationpromptsyou to enter a series of values consistingof port numbers, user names, passwords, and so on. Each database that you caninstall uses different default settings and options for the management serverand database.

    Install themanagementserver

    6

    Symantec Critical System Protection Version 5.2.9 Release NotesWhat you need to know before you install or upgrade your software

    30

  • Table 1-1 Overview of an installation (continued)

    DescriptionActionStep

    Install the management console after you install the management server.

    The management console installation also installs the authoring environment.

    Themanagement console installationdoesnot promptyou to enter port numbersor server names. You enter this information after installation, when youconfigure the management console.

    Install themanagementconsole

    7

    Management console configuration prompts you to enter a series of valuesconsisting of port numbers, passwords, and a server name. In a few instances,the port numbers must match the port numbers that were specified duringmanagement server installation.

    Configure themanagement console

    8

    Install the agents after you install themanagement server, and after you installand configure the management console.

    The agent installation prompts you to enter a series of agent values consistingof port numbers, management server name, etc.

    Install the agents9

    Legal NoticeCopyright 2012 Symantec Corporation. All rights reserved.

    Symantec and the Symantec Logo are trademarks or registered trademarks ofSymantec Corporation or its affiliates in theU.S. and other countries. Other namesmay be trademarks of their respective owners.

    This Symantec product may contain third party software for which Symantec isrequired to provide attribution to the third party (Third Party Programs). Someof the Third Party Programs are available under open source or free softwarelicenses. The License Agreement accompanying the Software does not alter anyrights or obligations you may have under those open source or free softwarelicenses. Please see the Third Party Legal Notice Appendix to this Documentationor TPIP ReadMe File accompanying this Symantec product for more informationon the Third Party Programs.

    The product described in this document is distributed under licenses restrictingits use, copying, distribution, and decompilation/reverse engineering. No part ofthis documentmay be reproduced in any formby anymeanswithout priorwrittenauthorization of Symantec Corporation and its licensors, if any.

    THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIEDCONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANYIMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULARPURPOSEORNON-INFRINGEMENT,AREDISCLAIMED,EXCEPTTOTHEEXTENT

    31Symantec Critical System Protection Version 5.2.9 Release NotesLegal Notice

  • THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTECCORPORATIONSHALLNOTBE LIABLE FOR INCIDENTALORCONSEQUENTIALDAMAGES IN CONNECTIONWITHTHE FURNISHING, PERFORMANCE, ORUSEOF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THISDOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

    TheLicensedSoftware andDocumentationaredeemed tobe commercial computersoftware as defined in FAR 12.212 and subject to restricted rights as defined inFAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" andDFARS 227.7202, "Rights in Commercial Computer Software or CommercialComputer SoftwareDocumentation", as applicable, and any successor regulations.Any use, modification, reproduction release, performance, display or disclosureof the Licensed Software and Documentation by the U.S. Government shall besolely in accordance with the terms of this Agreement.

    Symantec Corporation350 Ellis StreetMountain View, CA 94043

    http://www.symantec.com

    Printed in the United States of America.

    10 9 8 7 6 5 4 3 2 1

    Symantec Critical System Protection Version 5.2.9 Release NotesLegal Notice

    32

    http://www.symantec.com

    Symantec Critical System Protection Version 5.2.9 Release NotesSymantec Critical System Protection Version 5.2.9 Release NotesAbout Symantec Critical System ProtectionWhat's new in release 5.2.9Additional platform supportNewly Frozen Agent PlatformsIntegration with Active DirectoryControl access to a running processSearch for assets quicklyDisable duplicate agent registrationExport query results to multiple file formatsView and export server configuration dataOrganize custom programs by using tagsImport large set of values for a parameter in a policySymantec Critical System Protection now supports two sets of prevention policy packsSyslog-ng support for HP-UXReal-Time FIM is available on Linux platformsApplication Control Template policies removedvSphere Support

    Resolved issuesConsole and Server Resolved issuesAgent Resolved issuesPrevention Policy Resolved issuesDetection Policy Resolved issuesvSphere Support Resolved issues

    Known issuesConsole and Server Known issuesAgent Known issuesDetection Policy Known issuesvSphere Support Known issues

    What you need to know before you install or upgrade your softwareLegal Notice