Symantec Critical System Protection Version 5.2.9 Release Notes


This document includes the following topics:

■ About Symantec Critical System Protection

■ What's new in release 5.2.9

■ Resolved issues

■ Known issues

■ What you need to know before you install or upgrade your software

■ Legal Notice

About Symantec Critical System Protection

Welcome to Symantec Critical System Protection, a flexible, multi-layer security solution for servers that detects abnormal system activities. Symantec Critical System Protection prevents and blocks viruses and worms, hacking attacks, and zero-day vulnerability attacks. Symantec Critical System Protection also hardens systems, enforcing behavior-based security policies on clients and servers.

Symantec Critical System Protection includes a management console and server components, and agent components that enforce policies on computers. The management server and management console run on Windows operating systems. The agent runs on Windows and UNIX operating systems.

Among Symantec Critical System Protection's key features are:

■ Predefined application policies for common Microsoft interactive applications

■ Out-of-the-box policies that continuously lock down the operating system, high-risk applications, and databases to prevent unauthorized executables from being introduced and run

■ Microsoft Windows, Sun Solaris, IBM AIX, and Linux platform support

Among Symantec Critical System Protection's key benefits are:

■ Provides proactive, host-based security against day-zero attacks

■ Offers protection against buffer overflow and memory-based attacks

■ Helps to maintain compliance with security policies by providing granular control over programs and data

For the most current version of the Release Notes, click the following link:

Critical System Protection Documentation

What's new in release 5.2.9

Additional platform support

The 5.2.9 release adds support for the following platforms:

Platform                         Support for IDS                   Support for IPS
RHEL 6.x                         Supported in previous releases    New in 5.2.9
Windows 7 (32-bit and 64-bit)    Yes                               Yes

Please refer to the Symantec Critical System Protection Platform and Feature Matrix for more detailed information on specific platforms and versions and the features they support.

Symantec Critical System Protection supports Real-Time File Integrity Monitoring on Red Hat Enterprise Linux and SUSE. The Real-Time File Integrity Monitor feature supports the following filesystems on Linux:

■ Ext 2/3/4

■ ReiserFS

■ VFAT

Watched files or directories residing on other filesystems default to polling-based file monitoring.


You can now run the Symantec Critical System Protection web console in Internet Explorer 9 and Firefox 12.

Newly Frozen Agent Platforms

The Solaris 9 Symantec Critical System Protection agent has been frozen as of 5.2.8 MP4.

Integration with Active Directory

Log on as an administrator on the Symantec Critical System Protection console and define multiple Active Directory servers for user authentication. Then, create users with Active Directory credentials and assign them any role, including the administrator role.

Control access to a running process

Symantec Critical System Protection provides the Process Access Control feature to enable you to control access to a running process. You can specify if a calling process can open a target process and the permissions that it has to do so.

By default, the Process Access Control feature is enabled on the Symantec Critical System Protection 5.2.9 agent. To use this feature, you must have at least a 5.2.9 Prevention policy and a 5.2.9 agent.

For more information, see the Symantec Critical System Protection Prevention Policy Reference Guide.

Search for assets quickly

Symantec Critical System Protection lets you search assets based on a variety of asset properties. The search results contain details about the asset, such as software version, IP address, group, history, and so on. You can select an asset and perform several actions on it. You can also export the search results to a comma-separated value (CSV) file.

Disable duplicate agent registration

Symantec Critical System Protection provides you the ability to control the registration of duplicate agents with the management server. By default, Symantec Critical System Protection lets you register agents with similar identification attributes, such as host name, IP address, agent name, and operating system.


Symantec Critical System Protection now ensures that for every agent registered, a unique agent record is maintained in the Symantec Critical System Protection database to avoid duplicate agent registration with the management server.

Export query results to multiple file formats

Symantec Critical System Protection lets you export query results to a CSV, HTML, or PDF file.

View and export server configuration data

Symantec Critical System Protection lets you view the management server settings for the management server that is connected to the console.

Organize custom programs by using tags

Symantec Critical System Protection lets you organize custom programs by grouping them with tags. You can add one or more tags to each custom program and use the Group Tags tab to view the custom programs according to their tags. Also, you can search for a custom program by its group tag.

Import a large set of values for a parameter in a policy

Symantec Critical System Protection offers the option to import a large set of values for a parameter in the Symantec Critical System Protection policy. Also, you can export the parameter values in the comma-separated value (CSV) file format.

Symantec Critical System Protection now supports two sets of prevention policy packs

Symantec Critical System Protection now supports two sets of prevention policies:

■ Minimum agent version 5.2.0 policies
You can apply these policies to Symantec Critical System Protection agent versions 5.2.0 and later. The 5.2.0 policies support the Thread Injection Detection feature.

■ Minimum agent version 5.2.9 policies
You can apply these policies to Symantec Critical System Protection agent versions 5.2.9 and later. The 5.2.9 policies support the Process Access Control feature. Since the Process Access Control feature is a superset of the Thread Injection Detection feature, the Thread Injection Detection rules have been removed from the 5.2.9 policies.


The Process Access Control feature is not supported on the Windows 2003 (64-bit) operating system. Because of this, you cannot apply the default 5.2.9 policies on Windows 2003 (64-bit) systems.

The following option is added to the 5.2.9 Windows policies, which lets you select whether you want to apply this policy on Windows 2003 (64-bit) systems.

Global options > Additional Parameter Settings > Allow policy to be applied to Windows 2003 64-bit systems

Syslog-ng support for HP-UX

The Symantec Critical System Protection IDS agent now receives system log input from syslog-ng on HP-UX.

Symantec Critical System Protection assumes the following about the syslog-ng setup:

■ Syslog-ng is the primary system logger daemon and it is not used simultaneously with syslogd (as it is with the HP-UX DAUS utilities).

■ Syslog-ng is configured by using the /etc/syslog-ng.conf file. You must create a symbolic link between /etc/syslog-ng.conf and the actual configuration file location if the syslog-ng version installed on the system uses any configuration path other than /etc/syslog-ng.conf.

■ You must set the following option if the syslogd daemon is installed on the system:
LocalAgent.ini [Syslog Collector] Syslog Daemon=SYSLOGNG

Real-Time FIM is available on Linux platforms

The Symantec Critical System Protection IDS agent now supports the Real-Time File Integrity Monitoring (RT-FIM) feature on Linux operating systems. This results in more timely notification of file changes and allows user and process event capture for supported filewatch operations.

Please refer to the Symantec Critical System Protection Platform and Feature Matrix for information on specific Linux platforms and versions that support this feature.

Application Control Template policies removed

The Application Control Template policies have been removed from Symantec Critical System Protection. These policies are replaced by the Custom Prevention policy feature. The Application Control Template policies let you create a custom control and maintain the custom controls in one workspace policy. Customers could propagate custom controls from their Application Control Template policies to prevention policies in use. The Custom Prevention Policy feature provides the same ability, but Custom Prevention Policies can also be applied to asset groups, where Application Control Templates cannot.

vSphere Support

Symantec Critical System Protection vSphere Support Pack 1.0 is integrated with the Symantec Critical System Protection 5.2.9 release. You are not required to download and install the support pack separately. Moreover, the existing ESX 4.1 prevention and detection policies are combined together with the vSphere 5.0 policies. Following are the features of this integration:

■ The Symantec Critical System Protection agent install contains the ESXi Support Utility to monitor files and logs on ESXi 5.0 hosts. It is installed by default on RedHat 5.5 (32-bit and 64-bit) and SLES 10/11 (32-bit and 64-bit) hosts.

■ The Symantec Critical System Protection Detection Policy pack contains the following:

■ vSphere ESXi Detection Policy to monitor ESXi 5.0 hypervisor

■ vSphere ESX Detection Policy, formerly known as ESX Server Security Hardening Policy, to monitor the ESX 4.1 hypervisor

■ Three workspace policy packs are now available as part of the CD Image:

■ SCSPvSphereDetectionPolicyWorkspacePack.zip
This policy pack contains the following workspace policies to monitor the vCenter 5.0 server:

■ vSphere Application Detection policy

■ vSphere Windows Baseline Detection policy

■ SCSPvSphereProtectionPolicyWorkspacePack.zip
This policy pack contains the following workspace policies for both minimum agent versions 5.2.0 and 5.2.9:

■ vSphere Protection Policy to protect the vCenter 5.0 server

■ ESX Protection Policy to protect the ESX 4.1 hypervisor

■ The vSphere Report Pack is integrated with the Symantec Critical System Protection Report Pack.


Resolved issues

Console and Server Resolved issues

Policy translation error for prevention policy custom programs
Fix ID: 2570203

If a custom prevention policy had one or more custom programs defined in it and such a policy was applied to a Symantec Critical System Protection agent, it caused a policy translation error on the agent. The cause of this issue was a logical error in the XML processing when the policy cache is built on the Symantec Critical System Protection server before the policy is applied to the agent. When multiple custom programs are defined, the server processes the policy XML to insert the ruleID for the custom programs, and that XML processing logic contained the error. This has been fixed now.

Affected operating systems: All supported operating systems

Affected Symantec Critical System Protection versions: 5.2.6.x, 5.2.8, and 5.2.8 MP1

Affected Symantec Critical System Protection policy: Not Applicable to Prevention policies

Policy application issue
Fix ID: 2411162

In the previous releases, when the database ran in SQL 2000 compatibility mode, newly created policies could not be applied to groups. If the compatibility mode was changed from SQL 2000 to SQL 2005 or SQL 2008, newly created policies could be applied to groups, but the Symantec Critical System Protection console and database responded slowly. To resolve the slow processing, the underlying database SQL query has been updated to make policy application faster.

Affected operating systems: Windows

Affected Symantec Critical System Protection versions: Release 5.2.8 and older

Affected Symantec Critical System Protection policy: Not Applicable

Black box does not appear on reports anymore

The issue that caused a black box to appear on Symantec Critical System Protection reports is fixed now.


Affected operating systems: All supported operating systems

Affected Symantec Critical System Protection versions: Release 5.2.8 and older

Affected Symantec Critical System Protection policy: Not Applicable

Symantec Critical System Protection event export process takes an excess amount of time
Fix ID: 2247056

In the previous versions, when exporting a large number of events from the Monitors tab, the export process took an excess amount of time. This issue is fixed now.

Affected operating systems: All supported operating systems

Affected Symantec Critical System Protection versions: Release 5.2.8 and older

Affected Symantec Critical System Protection policy: Not Applicable

The Windows Template policy allowed adding identical values and comment entries in the filewatch list
Fix ID: 2232992

In the previous versions, you were able to add identical values and comment entries in the filewatch list of the Windows Template policy. Now, if you try to add identical values and comment entries, the following error message appears: There is already an identical value in the list.

Affected operating systems: Windows

Affected Symantec Critical System Protection versions: Release 5.2.8 and older

Affected Symantec Critical System Protection policy: Windows Template policy

Symantec Critical System Protection policies now retain the policy values after export and import
Fix ID: 2525205

After a policy was imported, a parameter value could appear in the imported policy even if it had been deleted in the original workspace policy that was exported. This has been fixed.

When you export a policy, the exported zip file contains policy settings from the workspace policy and the base compiled policy. It also exports the default parameter values. When you specify such a policy zip file for importing a workspace policy, the parameter values in the workspace policy and those in the compiled policy settings are merged. When a merged parameter from the workspace policy matches a parameter already in the compiled policy, the parameter from the compiled policy is overwritten. Since the default parameter values were present in the export file, they could match the default parameter values. Now, instead, the matching parameter in the compiled policy settings is deleted. This way the policy values are kept after export and import.

Affected operating systems: Windows

Affected Symantec Critical System Protection versions: Release 5.2.8 and older

Affected Symantec Critical System Protection policy: Not Applicable

Group policies are applied automatically
Fix ID: 1663174

When you move a Symantec Critical System Protection agent to a group, Symantec Critical System Protection automatically clears the assigned policies on the agent and applies the group policies on the agent.

Affected operating systems: All supported operating systems

Affected Symantec Critical System Protection versions: Release 5.2.8 and older

Affected Symantec Critical System Protection policy: Not Applicable

Timeout dialog box now displays the console name it is connected to
Fix ID: 2232970

In the previous versions, when multiple consoles were connected to different management servers with the timeout console feature activated for all consoles, it was difficult to identify which timeout dialog box was associated with which console. Now, the timeout dialog box title displays the console name it is associated with.

Affected operating systems: Windows

Affected Symantec Critical System Protection versions: Release 5.2.8 and older

Affected Symantec Critical System Protection policy: Not Applicable

Applying a large number of custom policies on agents prevents new policy compilation
Fix ID: 2707487

The issue that caused Symantec Critical System Protection to stop compiling new policies when you apply a large number (more than 21) of custom policies is fixed now.


Affected operating systems: Windows

Affected Symantec Critical System Protection versions: Release 5.2.8 and older

Affected Symantec Critical System Protection policy: Not Applicable

Agent Resolved issues

The ImportFileList function causes an unknown error in the parser on Windows
Fix ID: 2430740

The optional use of imported file lists by using the syntax %?-ImportFileList(<path>)?% results in a parsing error. This happens when you apply the policy and the file list doesn't exist. Given the optional syntax, the missing file list should be ignored. The Symantec Critical System Protection agent has been updated to fix this issue.

Affected operating systems: All supported operating systems

Affected Symantec Critical System Protection versions: Release 5.2.8 and older

Affected Symantec Critical System Protection policy: Not Applicable to Prevention policies

Agent Status event contains additional information for policy retranslations caused by the "Change in LocalIPs"
Fix ID: 1002999

Policy retranslations occur when the IPS service detects a change in the LocalIPs. In many circumstances, this causes a policy retranslation every 10 minutes that continues for hours or days. The Agent Status event indicated neither the IP address changes nor the list of what the new local IP addresses consist of.

The IPS Service has been updated to include additional information in the Agent Status event for policy retranslations caused by "Change in LocalIPs". Now, the Agent Status event includes any added or deleted IP addresses. The following example displays the Agent Status event information.

The old Agent Status event displayed the following information:

MSTA,3,2007-03-11 22:26:00.354Z-0400,I,10,,5d8351365c0f4f97d801cb31f42b9660,10161,,,,,checkRetrans,,S,,Policy Retranslation,,,,,Policy Retranslated Triggered. Reason : Change in LocalIPs


The updated Agent Status event now displays the following information:

MSTA,31,2012-04-26 16:20:29.921Z-0700,I,10,ISR,5591dff386c6e6b982e7f7fbf7a7af00,10161,,,,,checkRetrans,,S,,Policy Retranslation,,,,,"Policy Retranslated Triggered. Reason : Change in LocalIPAddresses (Added : 10.160.118.56 127.0.0.1 ) "

Affected operating systems: All supported operating systems

Affected Symantec Critical System Protection versions: Release 5.2.8 and older

Affected Symantec Critical System Protection policy: Not Applicable to Prevention policies
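The following is an added example, not code from the release notes or from the product: it parses Agent Status records in the format shown above, extracts the retranslation reason and the added or deleted addresses, and counts which address keeps appearing, so that a retranslation that repeats every 10 minutes can be traced to the interface whose address keeps changing. The first two records are the ones quoted above reassembled onto single lines; the third record, the "Deleted :" wording, and the use of the third field as the event time are assumptions.

```python
import csv
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass, field
from io import StringIO
from typing import Iterable, List, Optional

# Constructed samples: the two Agent Status records quoted in the release notes,
# reassembled onto single lines, plus a third 5.2.9-style record carrying a
# "Deleted :" list. The "Deleted :" wording is an assumption; the notes only
# show the "Added :" form.
SAMPLE_EVENTS = [
    "MSTA,3,2007-03-11 22:26:00.354Z-0400,I,10,,5d8351365c0f4f97d801cb31f42b9660,"
    "10161,,,,,checkRetrans,,S,,Policy Retranslation,,,,,"
    "Policy Retranslated Triggered. Reason : Change in LocalIPs",
    "MSTA,31,2012-04-26 16:20:29.921Z-0700,I,10,ISR,5591dff386c6e6b982e7f7fbf7a7af00,"
    "10161,,,,,checkRetrans,,S,,Policy Retranslation,,,,,"
    '"Policy Retranslated Triggered. Reason : Change in LocalIPAddresses '
    '(Added : 10.160.118.56 127.0.0.1 ) "',
    "MSTA,32,2012-04-26 16:30:31.104Z-0700,I,10,ISR,5591dff386c6e6b982e7f7fbf7a7af00,"
    "10161,,,,,checkRetrans,,S,,Policy Retranslation,,,,,"
    '"Policy Retranslated Triggered. Reason : Change in LocalIPAddresses '
    '(Deleted : 10.160.118.56 ) "',
]


@dataclass
class RetranslationEvent:
    timestamp: str          # third field of the record (assumed to be the event time)
    reason: str             # text after "Reason :", without the address list
    added: List[str] = field(default_factory=list)
    deleted: List[str] = field(default_factory=list)


# "Reason : <text>" up to an opening parenthesis or the end of the message.
_REASON_RE = re.compile(r"Reason\s*:\s*(.*?)\s*(?:\(|$)")
# "Added : a b c" / "Deleted : a b c" inside the parenthesised list.
_IPLIST_RE = re.compile(r"\b(Added|Deleted)\s*:\s*([^()]*)")


def _addresses(text: str) -> List[str]:
    """Keep only whitespace-separated tokens that parse as IP addresses."""
    found = []
    for token in text.split():
        try:
            ipaddress.ip_address(token)
        except ValueError:
            continue            # stray punctuation or wrapped text, not an address
        found.append(token)
    return found


def parse_agent_status(line: str) -> Optional[RetranslationEvent]:
    """Parse one comma-separated record. The last field is the free-text
    message, which 5.2.9 wraps in double quotes. Returns None for anything
    that is not a Policy Retranslation Agent Status event."""
    try:
        fields = next(csv.reader(StringIO(line)))
    except (csv.Error, StopIteration):
        return None
    if len(fields) < 3 or fields[0] != "MSTA" or "Policy Retranslation" not in fields:
        return None
    message = fields[-1]
    reason = _REASON_RE.search(message)
    if reason is None:
        return None
    event = RetranslationEvent(timestamp=fields[2], reason=reason.group(1))
    for kind, addresses in _IPLIST_RE.findall(message):
        target = event.added if kind == "Added" else event.deleted
        target.extend(_addresses(addresses))
    return event


def churning_addresses(lines: Iterable[str]) -> Counter:
    """Count how often each address shows up as added or deleted across the
    retranslation events; the address with the highest count points at the
    interface that keeps changing and driving the retranslation cycle."""
    counts: Counter = Counter()
    for line in lines:
        event = parse_agent_status(line)
        if event is None:
            continue
        counts.update(event.added)
        counts.update(event.deleted)
    return counts


if __name__ == "__main__":
    for sample in SAMPLE_EVENTS:
        print(parse_agent_status(sample))
    print(churning_addresses(SAMPLE_EVENTS).most_common())
```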

Unexpected IPS behavior with the use of multiple optional parameters in the prevention policies
Fix ID: 2748554

The Symantec Critical System Protection agent-side translator component incorrectly processes prevention policies that use optional parameter values. If some parameter values exist on the system and some do not, then undesired rules are introduced in the policy. This issue manifests only when there are multiple items in the parameter list and some of the rules reference parameter values that do not exist while other rules reference parameter values that exist.

The agent-side translator processes the following prevention policy configuration correctly:

A parameter list has two rules and one of the rules does not use any optional values, or has optional values but they all exist on the agent.

The agent-side translator processes the following prevention policy configuration incorrectly:

A parameter list has two rules with optional parameter values. The first rule contains a value that exists on the agent, and the second rule contains a value that does not exist on the agent. Instead of the second rule being removed, the second rule remains and uses the corresponding value from the first rule.

Following are the areas of impact:

This issue affects the following lists:

■ File Resource Lists with optional process attributes, such as Program, User, or Group.

■ Registry Resource Lists with optional process attributes, such as Program, User, or Group.


■ Process Control Lists (Custom Routing) with optional process attributes, such as Program, User, or Group.

■ Any Optional List usage

This issue does not affect the following lists:

■ Network Resource Lists

The Symantec Critical System Protection agent has been updated to fix this issue.

Affected operating systems: All supported operating systems

Affected Symantec Critical System Protection version: 5.2.X

Affected Symantec Critical System Protection policy: All policy versions
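To make the failure mode above concrete, here is an added example: a hypothetical model written for these notes, not the product's translator or its policy format. It shows a two-entry resource list whose entries carry an optional Program attribute, the pre-fix translation in which the second entry keeps the first entry's resolved program instead of being dropped (the undesired rule the text describes), and the corrected translation that drops it. The Entry and Rule structures, the function names, and the sample paths are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical model (assumption, not the product's policy representation):
# each parameter-list entry protects one resource path and carries one
# optional process attribute (Program, User or Group) given as a parameter
# reference that may or may not have a value on a particular agent.
@dataclass(frozen=True)
class Entry:
    resource: str
    attr_name: str
    attr_ref: Optional[str]     # None means the attribute is not used at all


@dataclass(frozen=True)
class Rule:
    resource: str
    attr_name: str
    attr_value: Optional[str]   # None means the rule is not scoped by this attribute


def translate_pre_fix(entries: List[Entry], agent_values: Dict[str, str]) -> List[Rule]:
    """Models the 5.2.x behaviour the notes describe: when an optional value is
    missing on the agent, the entry is not removed; it reuses the value that
    was resolved for the preceding entry in the same list."""
    rules: List[Rule] = []
    previous: Optional[str] = None
    for e in entries:
        if e.attr_ref is None:
            rules.append(Rule(e.resource, e.attr_name, None))
            continue
        # Defect: a missing value falls back to the previous entry's value.
        value = agent_values.get(e.attr_ref, previous)
        if value is None:
            continue
        previous = value
        rules.append(Rule(e.resource, e.attr_name, value))
    return rules


def translate_fixed(entries: List[Entry], agent_values: Dict[str, str]) -> List[Rule]:
    """Corrected translation: an entry whose optional value does not exist on
    this agent is dropped, and nothing from another entry leaks into it."""
    rules: List[Rule] = []
    for e in entries:
        if e.attr_ref is None:
            rules.append(Rule(e.resource, e.attr_name, None))
            continue
        value = agent_values.get(e.attr_ref)
        if value is None:
            continue
        rules.append(Rule(e.resource, e.attr_name, value))
    return rules


def undesired_rules(entries: List[Entry], agent_values: Dict[str, str]) -> List[Rule]:
    """Rules the pre-fix translator emits that the corrected one does not: the
    set an administrator would want to audit on an agent that is still 5.2.x."""
    wanted = translate_fixed(entries, agent_values)
    return [r for r in translate_pre_fix(entries, agent_values) if r not in wanted]


# Constructed sample: two writable-file entries, each scoped to a program that
# is an optional parameter. Only the first program exists on this agent.
SAMPLE_ENTRIES = [
    Entry("/opt/app1/data/*", "Program", "app1_program"),
    Entry("/opt/app2/data/*", "Program", "app2_program"),
]
SAMPLE_AGENT_VALUES = {"app1_program": "/opt/app1/bin/app1d"}

if __name__ == "__main__":
    print("pre-fix:", translate_pre_fix(SAMPLE_ENTRIES, SAMPLE_AGENT_VALUES))
    print("fixed:  ", translate_fixed(SAMPLE_ENTRIES, SAMPLE_AGENT_VALUES))
    print("undesired:", undesired_rules(SAMPLE_ENTRIES, SAMPLE_AGENT_VALUES))
```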

IPS is enabled by default while upgrading the Symantec Critical System Protection agent on an IDS-only installation
Fix ID: 2778829

When upgrading a platform from an IDS-only feature set to a version that adds support for the IPS feature, the expected default behavior was to enable the IPS driver, consistent with a new installation. However, Symantec Critical System Protection disabled the IPS driver when you upgraded from an IDS-only feature set to a version that supports IPS.

The Symantec Critical System Protection agent is now fixed so that the IPS driver is enabled, consistent with a new installation.

Affected operating systems: All platforms that supported IDS-only features and did not support IPS.

The Rule name does not appear in certain instances for Resource List items in the prevention policies
Fix ID: 2568857 and 2669259

When a file, registry, or PAC resource list parameter entry contains a reference to a custom list in one of its attributes, the rule name in the custom list for the resource path always gets used. In the event that the custom list for the resource path does not have a rule name but the parameter entry does, the rule name is currently left blank.

This has been fixed in the agent software by concatenating the rule name specified in the outer parameter entry with the rule name specified in the inner referenced custom list for the resource path.

■ When both Outer and Inner rule-names are non-empty: Outer rule-name text. Inner rule-name text


■ When Outer rule-name is non-empty and Inner rule-name is empty: Outer rule-name text

■ When Outer rule-name is empty and Inner rule-name is non-empty: Inner rule-name text

Affected operating systems: All supported operating systems

Affected Symantec Critical System Protection version: 5.2.0 and later versions

Affected Symantec Critical System Protection policy: This fix is not applicable to the IPS policies

Protection of Symbolic Links in Unix
Fix ID: 2273442, 2347797, and 2521649

The Symantec Critical System Protection prevention policies allow you to specify a symbolic link for UNIX operating systems to protect files and directories. The Symantec Critical System Protection agent translates symbolic links to the targeted file path and protects these targeted file paths. In addition to this, we have added protection for the symbolic links themselves in Symantec Critical System Protection 5.2.9. Symbolic links can no longer be modified, or deleted and recreated, to change their targeted file path. As a consequence of this fix, the out-of-the-box UNIX protection policy tightens down Linux systems further. /etc/init.d is a symbolic link to the path /etc/rc*.d/init.d on Linux operating systems. /etc/init.d can no longer be modified, deleted, or created once the policy is applied.

Affected operating systems: All UNIX operating systems that support IPS

Affected Symantec Critical System Protection version: All 5.2.x versions

Affected Symantec Critical System Protection policy: None

Prevention Policy Resolved issues

Unix Prevention policy blocking Apache communication on Solaris 10
Fix ID: 2690756

In the previous releases, the Unix Prevention policy blocked the Apache Web Server communication on Solaris 10. On Solaris 10, the default Apache installation directory has been changed to /usr/apache2. The Unix Prevention policy has been updated to reflect this new Apache install directory.

Affected operating systems: Solaris 10


Affected Symantec Critical System Protection versions: Release 5.2.8 and older

Affected Symantec Critical System Protection policy: Unix Protection policy (sym_unix_protection_sbp m5.2.0 v211, sym_unix_protection_sbp m5.2.9 v214)

Full Privilege PSET now supports Resource Lists
Fix ID: 2731643, 2683172, 2731655, and 2683176

The Full Privilege PSETs now support Resource Lists. However, these resource lists do not block process, file, and registry access on Windows. The resource lists also do not block file and process access on UNIX. This behavior is because the Full Privilege PSETs allow full access to all these resources by design. So, even the limited-access and no-access lists only log resource access but do not block it.

Prevention policy blocks Symantec Endpoint Protection and Windows services
Fix ID: 2685160

When Symantec Critical System Protection and Symantec Endpoint Protection (SEP) agents are installed on the same machine, the Symantec Critical System Protection prevention policies block some of the Symantec Endpoint Protection services from performing required actions. In addition, they also block some Windows services, such as Task Scheduler, from starting correctly.

This issue is fixed now.

Affected operating systems: Windows

Affected Symantec Critical System Protection version: 5.2.X

Affected Symantec Critical System Protection policy: Sym_win_protection_core_sbp, Sym_win_protection_strict_sbp, and Sym_win_protection_ltd_exec_sbp

Prevention policy blocks the Symantec Endpoint Protection Manager Remote Push feature
Fix ID: 2727261

When the Symantec Critical System Protection agent and Symantec Endpoint Protection Manager (SEPM) are installed on the same machine, the Symantec Critical System Protection prevention policies block the SEPM Remote Push feature.

If you want to use the SEPM Remote Push feature, you must either disable prevention on the target Symantec Critical System Protection systems until the Symantec Endpoint Protection client installation is complete, or adjust the Prevention policy to allow SEPM to access the additional resources listed as follows:

Policy exceptions to add to allow the SEPM Remote Push feature

■ Policy Settings > Global Policy Options > Network Rules > Inbound Network Rules > List of rules to control connections into this system > Add > Action: Allow, Protocol: Both TCP and UDP, Local Port: 445, Remote IP: SEPM server IP, Remote Port: Any, Logging: Do not log.

■ Policy Settings > Process Sets > Host Security Programs > General Settings > SysCall Options > Allow creation of hardlinks

■ Policy Settings > Process Sets > Global Policy Options > hsecurity_ps > Registry Rules > Writable Resource Lists > Allow modifications to these Registry Keys > "\Registry\Machine\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion".

■ Policy Settings > Process Sets > Interactive Program Options > int_stdpriv_ps > File Rules > File Rules > Allow modifications to these files > Resource Path: "%systemdrive%\Temp\Clt-Inst\*"

■ Policy Settings > Process Sets > Service Options > Core OS Service Options > svc_safepriv_ps > File Rules > File Rules > Allow modifications to these files > Resource Path: "\DEVICE\HARDDISK?\DR?" Program Path: "%systemroot%\system32\MsiExec.exe"

Affected operating systems: Windows

Affected Symantec Critical System Protection version: 5.2.X

Affected Symantec Critical System Protection policy: Sym_win_protection_core_sbp, Sym_win_protection_strict_sbp, and Sym_win_protection_ltd_exec_sbp

The svc_stdpriv_ps PSET does not obey the List of Programs Services should not execute parameter
Fix ID: 2593805

The svc_stdpriv_ps PSET was missing the rules for the programs services should not start option or parameter. This has been fixed in the policies.

Affected operating Systems: All Windows operating systems

Affected Symantec Critical System Protection versions: Release 5.2.8 and older

Affected Symantec Critical System Protection policy: Windows protection policies


After applying the IPS targeted policy from 5.2.8 MP3, the Symantec Critical System Protection agent services do not start on Solaris
Fix ID: 2807793

The IPS Targeted Prevention policy routing rules were updated to fix this issue.

Affected operating Systems: Solaris operating systems

Affected Symantec Critical System Protection versions: Release 5.2.8

Affected Symantec Critical System Protection policy: Unix Targeted Prevention policy

Detection Policy Resolved issues

Log off rule options are disabled by default
Fix ID: 2423369

In the Unix Baseline Detection policy, all logoff rule options under System Login Activity and Access Monitor > System Logoff Monitor are unchecked by default. This was done to reduce the number of events that are generated by the policy, and because end-user input expressed limited need for these types of events. When upgrading an older version of the policy with the new version, you should manually uncheck these options if they are not required.

Affected operating systems: Linux and UNIX

Affected Symantec Critical System Protection versions: Release 5.2.8 and older

Affected Symantec Critical System Protection policy: Unix Baseline Detection policy

Suspicious Permission Change Detection option no longer exists
Fix ID: 2561637

The Suspicious Permission Change Detection option has been removed from the Unix Baseline Detection policy.

Affected operating systems: Linux and UNIX

Affected Symantec Critical System Protection versions: Release 5.2.8 and older

Affected Symantec Critical System Protection policy: Unix Baseline Detection policy


vSphere Support Resolved issues

Error message appears while configuring the ESXi Support Utility on Redhat 5.5 and SUSE Linux 10 operating systems

During ESXi Support Utility configuration with rfs_config.sh -[setup/addHost/modifyHost/deleteHost], if you use https to communicate with the ESXi 5.0 hypervisor, you may see the following error message:

Server version unavailable at https://<ESXi 5.0 Hypervisor>:443/sdk/vimService.wsdl at /usr/lib/perl5/5.8.8/VMWare/VICommon.pm line 545

This error does not affect the working of the ESXi Support Utility configuration.

This issue is fixed now.

Affected operating systems: RedHat 5.5 or SUSE Linux 10/11 (32-bit and 64-bit) systems that were configured to monitor the ESXi 5 hypervisor

Affected Symantec Critical System Protection versions: vSphere Support Pack 1.0 to 5.2.9

Affected Symantec Critical System Protection policy: Not Applicable

Error message appears while upgrading the ESXi Support Utility
Fix ID: 2758126

While configuring the RFS tool by running the rfs_config.sh -upgrade command to upgrade from vSphere Support Pack 1.0 to 5.2.9, you see the following error message:

mv: cannot move `/opt/Symantec/scspagent/IDS/bin/esxi_fim/data/<esxi host>' to a subdirectory of itself,

This issue is fixed now.

Affected operating systems: RedHat 5.5 or SUSE Linux 10/11 (32-bit and 64-bit) systems that were configured to monitor the ESXi 5 hypervisor

Affected Symantec Critical System Protection versions: Release 5.2.9

Affected Symantec Critical System Protection policy: Not Applicable

Missing similar File-Watch events if the same event is triggered across multiple VMX files

Fix IDs: 2794484, 2759526, 2761215


If multiple VMX files on a single ESXi host, or across multiple ESXi hosts, are updated within the same synchronization interval and trigger the same detection rule, only one event is generated, for a single VMX file. The cause is a policy rule that suppresses similar events for 5 seconds after the first one triggers.

This issue is fixed now.

Affected operating systems: Red Hat 5.5 or SUSE Linux 10/11 (32-bit and 64-bit) systems that were configured to monitor the ESXi 5 hypervisor

Affected Symantec Critical System Protection versions: vSphere Support Pack 1.0 to 5.2.9

Affected Symantec Critical System Protection policy: Not Applicable

Missing rules in the description field of vSphere Application Detection Policy

Fix ID: 2767751

Some of the rules in the description field do not appear for the vSphere Application Detection Policy.

This issue is fixed now.

Affected operating systems: Windows (64-bit) machines with vCenter installed.

Affected Symantec Critical System Protection versions: Release 5.2.9

Affected Symantec Critical System Protection policy: vSphere Application Detection Policy

Multiple filewatch events are reported when a file is modified in real time

Fix ID: 2758257

The 5.2.9 Symantec Critical System Protection agent provides real-time file monitoring. When the RFS tool mirrors the files obtained from the ESXi host, it generates four events when it replaces the original file with the new file obtained from the ESXi host.

This issue is fixed now.

Affected operating systems: Red Hat 5.5 or SUSE Linux 10/11 (32-bit and 64-bit) systems that were configured to monitor the ESXi 5 hypervisor

Affected Symantec Critical System Protection versions: Release 5.2.9

Affected Symantec Critical System Protection policy: Not Applicable


Known issues

Console and Server Known issues

Disk Free Space information does not appear

Fix ID: 2481716

The Disk Free Space information does not appear in the Symantec Critical System Protection Database Status query.

The workaround to view this information is as follows:

To view the Disk Free Space information

1 Log into the SQL Server database by using SQL Server Management studio.

2 Type sa as the user name.

3 Expand Databases > SCSPDB database > Programmability > Stored Procedures, and then select dbo.SCSP_DBSTATUS.

4 Right-click dbo.SCSP_DBSTATUS, and then select Execute Stored Procedure.

5 Check Pass Null Value.

6 Click OK.

In the Results pane, under DB File Usage, view the Disk Free Space information.

Affected operating systems: All supported operating systems

Affected Symantec Critical System Protection versions: Release 5.2.8.X, 5.2.6.X

Affected Symantec Critical System Protection policy: Not Applicable

Description information does not appear in Symantec Critical System Protection console for rules in the policies

If any text contains a single-quote character (') or a semicolon character (;), the whole text does not appear in the description text fields for custom programs or custom rules in the policy editor of the Symantec Critical System Protection console. Moreover, none of the input text fields allow either of these two characters to be typed in. The two characters can get into the text when a policy is imported through the console. The console displays the pre-existing text in all text fields except the description fields for custom rules or custom programs in the policy editor.


The workaround for this issue is to remove the single-quote character (') or semicolon character (;) from the description text for custom rules or programs before you import a policy. If the policy has already been imported, remove the characters from the stored descriptions as follows.

To remove the single-quote character (') or semicolon character (;)

1 Log into the SQL Server database by using SQL Server Management Studio.

2 Type sa as the user name.

3 Expand Databases > SCSPDB database > Tables, and then select dbo.OPTIONSETTING.

4 Right-click dbo.OPTIONSETTING, and then select Edit Top 200 Rows.

5 Identify the rows for which the optval column value equals the name of the custom rule or program.

6 Edit the value of the OptDesc column to remove the single-quote character (') or semicolon character (;) from the description.

Affected operating systems: All supported operating systems

Affected Symantec Critical System Protection versions: Release 5.2.9

Affected Symantec Critical System Protection policy: Not Applicable

Agent Known issues

Agent triggers many log events on Windows system

When you monitor a UNIX or Linux log file on a Windows system, the agent triggers many log events. These events contain the last one or two characters of the text that is entered as the delimiter value in the LogWatch.ini file.

Affected operating systems: All Windows operating systems

Affected Symantec Critical System Protection version: 5.2.9

Affected Symantec Critical System Protection policy: Not Applicable

Agent remains flagged for longer duration on Symantec Critical System Protection console

Fix ID: 2603627

The Symantec Critical System Protection agent remains flagged for a longer duration on the console after you install a new version of Symantec Critical System Protection. This issue occurs during the agent communications polling cycle. When the Symantec Critical System Protection IPS process checks for the availability of the Symantec Critical System Protection IDS process (which is not yet started), the handshake between the processes does not happen and the agent is flagged. The agent comes back online after the next agent communications polling cycle.

Affected operating systems: All supported operating systems

Affected Symantec Critical System Protection version: 5.2.9

Affected Symantec Critical System Protection policy: Not Applicable

Apply the Symantec Critical System Protection server's default prevention config parameters manually

When you upgrade to a newer version of Symantec Critical System Protection, the upgrade does not reregister existing agents, and each agent retains the old prevention configs assigned to it. You must manually apply the Symantec Critical System Protection server's default prevention config parameters.

Affected operating systems: All supported operating systems

Affected Symantec Critical System Protection versions: Release 5.2.9

Affected Symantec Critical System Protection policy: Not Applicable

Overlapped I/O error occurs during AD configuration on Windows 2003 32-bit

Fix ID: 2810881

When you configure an Active Directory role on a Windows 2003 32-bit operating system, the configuration may fail if the Symantec Critical System Protection agent is installed. On Windows 2003 32-bit, the agent activates the file system filter driver by default, which is known to trigger an Overlapped I/O error.

The operation failed with the following error:

Overlapped I/O operation is in progress.

Solution:

Configure the Active Directory role before you install the Symantec Critical System Protection agent. If the agent is already installed, remove all prevention and detection policies, stop all Symantec Critical System Protection agent services, and then configure the server role as Active Directory server. If the error persists, uninstall the Symantec Critical System Protection agent. Once the server is configured as an Active Directory server, the agent can be reinstalled or re-enabled. While the agent services are stopped or the agent is uninstalled, the server runs without Symantec Critical System Protection enforcement, so plan this work for a maintenance window.

Affected operating systems: Windows 2003 32-bit

Affected Symantec Critical System Protection versions: 5.2.6 and newer

Memory leak when Symantec Critical System Protection Prevention and Symantec Endpoint Protection 12.1 are used together

Fix ID: 2822546

If you have Symantec Critical System Protection installed with the Prevention feature enabled and Symantec Endpoint Protection 12.1 installed on the same system, Symantec Critical System Protection creates an extra process entry in its data structures for each Windows process that exits. The issue occurs regardless of the Prevention policy applied, including when the Null policy is applied. The issue does not occur without Symantec Endpoint Protection present, or with Symantec Endpoint Protection 11.0 present. The issue does not occur if the Symantec Critical System Protection Prevention feature is disabled.

The leak is relatively small (approximately 1 KB per process) and is directly related to the number of processes that exit on the system. If the system contains only long-running processes with few processes exiting, the leak is negligible. If the system has applications that constantly start and stop processes, the leak is greater.

This issue will be fixed in the Symantec Critical System Protection 5.2.9 GA release.

Affected operating systems: All Windows operating systems

Affected Symantec Critical System Protection versions: All agent versions

Affected Symantec Critical System Protection policy: Not applicable

Unexpected IPS behavior when using multiple optional parameters in the Exception Lists for buffer overflow and Thread Injection Detection

Fix ID: 2893056

The Symantec Critical System Protection agent incorrectly processes buffer overflow and Thread Injection Exception Lists in prevention policies that use optional parameter values. If some parameter values exist on the system and some do not, undesired rules are introduced into the policy. This issue manifests only when there are multiple items in the parameter list and some of the rules reference parameter values that do not exist while others reference parameter values that do exist.

The agent processes the following prevention policy configuration correctly:

A parameter list has two or more rules, and the rules either do not use any optional values or use optional values that all exist on the agent.

The agent processes the following prevention policy configuration incorrectly:

A parameter list has two or more rules with optional parameter values. One or more rules contain a value that exists on the agent, and at least one other rule contains a value that does not exist on the agent. Instead of the rule that contains the non-existent value being removed, the rule remains and uses the corresponding value from the other rules.

This issue affects the following list:

■ Buffer overflow and Thread Injection Exception Lists

This issue does not affect the following lists:

■ Network Resource Lists

■ File Resource Lists with optional process attributes such as Program, User, or Group

■ Registry Resource Lists with optional process attributes such as Program, User, or Group

■ Process Control Lists (Custom Routing) with optional process attributes such as Program, User, or Group

Affected operating systems: All supported operating systems

Affected Symantec Critical System Protection version: 5.2.X

Affected Symantec Critical System Protection policy: All policy versions
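To make the affected configuration concrete, the following is an added example and not code from the release notes or from the product: it models a parameter list as a set of exception rules, each with an optional value (here a program path) and a constructed "scope" attribute, and compares the expected resolution against the behavior the note describes. The rule layout, the sample paths and the helper names are assumptions for the illustration; the agent's real data structures are not documented here.

```python
"""Model of how a buffer overflow / thread injection exception list with optional
values resolves against what exists on an agent.  Added illustration, not the
agent's own code: the rule layout and the sample values are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class ExceptionRule:
    """One item in an exception list (constructed layout for this example)."""
    name: str
    param: Optional[str]  # optional parameter value, e.g. a program path; None = none given
    scope: str            # which protection the exception relaxes (constructed attribute)


def resolve_expected(rules: List[ExceptionRule], present: Set[str]) -> List[ExceptionRule]:
    """Expected behaviour: a rule whose optional value does not exist on the agent is dropped."""
    return [r for r in rules if r.param is None or r.param in present]


def resolve_as_described(rules: List[ExceptionRule], present: Set[str]) -> List[ExceptionRule]:
    """Behaviour the note describes: the rule with the missing value is not removed
    but takes the value of another rule in the same list."""
    existing = [r.param for r in rules if r.param is not None and r.param in present]
    resolved = []
    for r in rules:
        if r.param is None or r.param in present:
            resolved.append(r)
        elif existing:
            # The undesired rule: r's scope now applies to a value r never named.
            resolved.append(ExceptionRule(r.name, existing[0], r.scope))
        # With no existing value to borrow there is nothing to substitute; the note
        # says the issue needs a mix of existing and non-existing values.
    return resolved


def is_affected(rules: List[ExceptionRule], present: Set[str]) -> bool:
    """True when the list matches the configuration the note calls incorrect:
    two or more rules carry optional values, and they mix present and absent ones."""
    optional = [r for r in rules if r.param is not None]
    if len(optional) < 2:
        return False
    return {r.param in present for r in optional} == {True, False}


def undesired_rules(rules: List[ExceptionRule], present: Set[str]) -> List[ExceptionRule]:
    """Rules that the described behaviour adds on top of the expected result."""
    expected = resolve_expected(rules, present)
    return [r for r in resolve_as_described(rules, present) if r not in expected]


# Constructed sample: app1 is installed on the agent, app2 is not.
PRESENT_ON_AGENT = {r"C:\Program Files\App1\app1.exe"}
SAMPLE_LIST = [
    ExceptionRule("app1-bo", r"C:\Program Files\App1\app1.exe", "buffer-overflow"),
    ExceptionRule("app2-ti", r"C:\Program Files\App2\app2.exe", "thread-injection"),
]

if __name__ == "__main__":
    print("affected:", is_affected(SAMPLE_LIST, PRESENT_ON_AGENT))
    for rule in undesired_rules(SAMPLE_LIST, PRESENT_ON_AGENT):
        print("undesired:", rule)
```

In the sample, the thread-injection exception written for app2 ends up applied to app1, which is why the note calls the result an undesired rule: an exception relaxes protection, so it now relaxes it for a program the policy author never named. The `is_affected` check is the condition to look for in a 5.2.x policy: lists with a single optional value, or with optional values that all exist or all do not exist, resolve as expected.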

Detection Policy Known issues

Unable to record successful SU logoff events

Fix ID: 2560861

Symantec Critical System Protection does not record successful SU logoff events.

Following are the policy options:

■ System Login Activity and Access Monitor > System Logoff Monitor > Su to root Logoff

■ System Login Activity and Access Monitor > System Logoff Monitor > Su to non-root Logoff

Affected operating systems: HP-UX, Solaris, and AIX


Affected Symantec Critical System Protection version: 5.2.9

Affected Symantec Critical System Protection policy: Unix Baseline Detection policy

Does not record CD/DVD burning activity event

Symantec Critical System Protection does not record the CD/DVD burning activity event.

Following is the policy option:

■ System External Device Activity > CD/DVD Burning Activity

Affected operating systems: Windows 7

Affected Symantec Critical System Protection version: 5.2.9

Affected Symantec Critical System Protection policy: Windows Baseline Detection Policy

Does not record multiple SU events

Symantec Critical System Protection does not record multiple successful SU events in the same session.

Following are the policy options:

■ System Login Activity and Access Monitor > System Login Success Monitor > SU Operations Options > SU to root

■ System Login Activity and Access Monitor > System Login Success Monitor > SU Operations Options > SU to non-root

Affected operating systems: HP-UX

Affected Symantec Critical System Protection version: 5.2.9

Affected Symantec Critical System Protection policy: Unix Baseline Detection policy

Symantec Critical System Protection default baseline policy now records the IIS log

Fix ID: 2695047

The Symantec Critical System Protection Windows Baseline policy monitors the IIS log located in the following directory:

%SystemDrive%\Inetpub\Logs\LogFiles\W3SVC\*.log


You canmodify the Baseline Detection policy tomonitor the logs that are locatedin other directories.

Affected operating systems: Windows

Affected Symantec Critical System Protection version: 5.2.9

Affected Symantec Critical System Protection policy: Windows Baseline Detection policy

Two UNIX Activity Log (BTMP) events are generated for one failed login

Fix ID: 2672231

On Red Hat Enterprise Linux 6.1, for every login failure of a non-root user, two entries are written to the log, so two events are generated for a single failed login.

Affected operating systems: Red Hat Enterprise Linux 6.1

Affected Symantec Critical System Protection version: 5.2.9

Affected Symantec Critical System Protection policy: Unix Baseline Detection policy

Logon_failure event generated for each successful local login

Fix ID: 2672231

On Red Hat Enterprise Linux 6.1, for every successful non-root user GNOME login, the gdm process also writes a btmp log entry, which results in an erroneous Logon_failure event being generated in addition to the successful login event.

Affected operating systems: Red Hat Enterprise Linux 6.1

Affected Symantec Critical System Protection version: 5.2.9

Affected Symantec Critical System Protection policy: Unix Baseline Detection policy

Telnet and Rlogin successful logons for root user are not logged by default Unix Baseline Detection policy

Fix ID: 2868291

On Solaris 11, successful telnet and rlogin logons for the root user are not logged by the default Unix Baseline Detection policy.


The workaround to log the event is as follows:

1 Open the Unix Baseline Detection policy and click System Login Activity and Access Monitor.

2 In System Login Success Monitor > Telnet and Rlogin logon Options, click Edit beside Root logon.

3 In the select strings, change *UserLoggedin*-sh*remote_login* to *UserLoggedin*remote_login*.

Affected operating systems: Solaris 11

Affected Symantec Critical System Protection version: 5.2.9

Affected Symantec Critical System Protection policy: Unix Baseline Detection policy
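The change in step 3 removes the "-sh" token from the select string, so the new string matches a superset of what the old one matched. The following added example (not from the release notes or the product) checks that property and lists the records the widened string newly selects. It assumes the select string is matched as a shell-style wildcard in which "*" matches any run of characters; the sample records are constructed for the example and are not real Solaris 11 login records.

```python
"""Compare the old and new root-logon select strings from the workaround.
Added example; assumes shell-style wildcard matching of select strings."""
from fnmatch import fnmatchcase
from typing import List

OLD_SELECT = "*UserLoggedin*-sh*remote_login*"
NEW_SELECT = "*UserLoggedin*remote_login*"

# Constructed records: the first carries the "-sh" token the old string requires,
# the second does not (the shape the workaround is written for), the third is a
# local console logon that neither string should select.
SAMPLE_RECORDS = [
    "... UserLoggedin root -sh remote_login telnet ...",
    "... UserLoggedin root remote_login telnet ...",
    "... UserLoggedin root -sh local_login console ...",
]


def matches(select_string: str, record: str) -> bool:
    """Case-sensitive wildcard match, '*' matching any run of characters."""
    return fnmatchcase(record, select_string)


def selected(select_string: str, records: List[str]) -> List[str]:
    return [r for r in records if matches(select_string, r)]


def widening_is_safe_superset(old: str, new: str, records: List[str]) -> bool:
    """Every record the old string selected is still selected by the new one."""
    return set(selected(old, records)) <= set(selected(new, records))


def newly_selected(old: str, new: str, records: List[str]) -> List[str]:
    """Records the change adds; review these before you apply the edited policy."""
    return [r for r in records if matches(new, r) and not matches(old, r)]


if __name__ == "__main__":
    print("old selects:", selected(OLD_SELECT, SAMPLE_RECORDS))
    print("new selects:", selected(NEW_SELECT, SAMPLE_RECORDS))
    print("superset ok:", widening_is_safe_superset(OLD_SELECT, NEW_SELECT, SAMPLE_RECORDS))
    print("newly selected:", newly_selected(OLD_SELECT, NEW_SELECT, SAMPLE_RECORDS))
```

Because the new string no longer requires the shell token, any record that contains both "UserLoggedin" and "remote_login" is selected, not only the Solaris 11 root telnet and rlogin logon the workaround targets; run the widened string over a sample of your own records and confirm the additions are events you want before you deploy the edited policy.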

vSphere Support Known issues

Alternate install location for vSphere 5.0 applications

The vSphere Application Detection policy uses environment variables to reference the VMware-installed path locations, such as %programw6432%\VMware\Infrastructure\*. If you have installed the vCenter software on an alternate drive or path, such as E:\VMware, adjust the "Files to Watch" and "Files to ignore" file paths in the vSphere Application Detection policy's vSphere Services FIM custom rule options to reference the alternate location, such as E:\VMware\*.

Affected operating systems: vCenter Server installed at an alternate install location on a Windows 2003/2003 R2/2008/2008 R2 (64-bit) operating system

Affected Symantec Critical System Protection versions: vSphere Support Pack 1.0 to 5.2.9

Affected Symantec Critical System Protection policy: vSphere Application Detection policy

Error message appears while configuring the ESXi Support Utility on RHEL 5.5 (64-bit) operating systems

During ESXi Support Utility configuration (rfs_config.sh -[setup/addHost/modifyHost/deleteHost/upgrade]), you may see a segmentation fault error such as the following:

./rfs_config.sh: line 232: 3902 Segmentation fault *** glibc detected *** /usr/bin/perl: munmap_chunk(): invalid pointer:


This error may or may not be followed by a stack trace. It does not affect the working of the ESXi Support Utility configuration and can be ignored.

Affected operating systems: Red Hat Enterprise Linux 5.5 (64-bit) systems that are configured to monitor the ESXi 5 hypervisor

Affected Symantec Critical System Protection versions: vSphere Support Pack 1.0 to 5.2.9

Affected Symantec Critical System Protection policy: Not Applicable

Ability to add a second rule name for rules in vSphere ESX Detection Policy

Fix ID: 2839023

Some of the rule names have Add/Remove/Import/Export buttons for Rule Names in the vSphere ESX Detection policy (formerly known as the ESX Server Security Hardening Policy). This gives the impression that multiple rule names are allowed for a rule. However, adding a second rule name with the Add button results in the policy failing to apply. Only a single rule name is allowed for a rule.

Affected operating systems: ESX 4.1

Affected Symantec Critical System Protection versions: 5.2.x

Affected Symantec Critical System Protection policy: vSphere ESX Detection Policy, ESX Server Security Hardening Policy

What you need to know before you install or upgradeyour software

The Symantec Critical System Protection Implementation Guide contains detailed information about how to install the Symantec Critical System Protection components. If you are installing for the first time, you should install, configure, and test Symantec Critical System Protection in a test environment.

For the latest and most complete information about the release and known issues and workarounds, refer to the readme file that accompanies this release.

For information about Symantec Critical System Protection features and platforms, see the Platform and Feature Matrix located in the docs folder on the product disc that contains this release.


Table 1-1 Overview of an installation

Step 1: Plan the installation

When planning your installation, you may need to consider the following:

■ Network architecture and policy distribution

■ Firewalls

■ Name resolution

■ IP routing

Step 2: Review the system requirements

All the computers on which you install Symantec Critical System Protection should meet or exceed the recommended operating system and hardware requirements.

Step 3: Decide on the computers to install the software components

You can install the management console and management server on the same computer or on separate computers. You can install agents on any computer. All computers must run a supported operating system.

Step 4: Decide on the management server installation type

You can install the following management server installation types:

■ An evaluation installation that runs SQL Server 2005 Express on the local system

■ An evaluation installation that uses an existing MS SQL instance on SQL Server 2005 or a newer version. Upgrades from any previous MS SQL instance version are not supported. If you have an evaluation installation with an older MS SQL instance, upgrade it to SQL Server 2005 or a newer version and then begin the management server installation.

■ A production installation with Tomcat and the database schema. The Symantec Critical System Protection Manager supports Microsoft SQL Server 2005 and all newer versions. If you use an existing MS SQL instance in a production installation, the database instance must be on MS SQL Server 2005 or a newer version. Upgrades from any previous MS SQL instance version are not supported.

■ The Tomcat component only

Step 5: Configure the TEMP environment variable

The installation packages unpack installation files into the directory that is specified by the TEMP environment variable. The volume that contains this directory must have at least 200 MB of available disk space. If this volume does not have the required disk space, you must change your TEMP environment variable.

Step 6: Install the management server

You begin the installation by installing the management server.

Management server installation prompts you to enter a series of values consisting of port numbers, user names, passwords, and so on. Each database that you can install uses different default settings and options for the management server and database.

Step 7: Install the management console

Install the management console after you install the management server.

The management console installation also installs the authoring environment.

The management console installation does not prompt you to enter port numbers or server names. You enter this information after installation, when you configure the management console.

Step 8: Configure the management console

Management console configuration prompts you to enter a series of values consisting of port numbers, passwords, and a server name. In a few instances, the port numbers must match the port numbers that were specified during management server installation.

Step 9: Install the agents

Install the agents after you install the management server, and after you install and configure the management console.

The agent installation prompts you to enter a series of agent values consisting of port numbers, the management server name, and so on.

Legal Notice

Copyright © 2012 Symantec Corporation. All rights reserved.

Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This Symantec product may contain third party software for which Symantec is required to provide attribution to the third party ("Third Party Programs"). Some of the Third Party Programs are available under open source or free software licenses. The License Agreement accompanying the Software does not alter any rights or obligations you may have under those open source or free software licenses. Please see the Third Party Legal Notice Appendix to this Documentation or TPIP ReadMe File accompanying this Symantec product for more information on the Third Party Programs.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.

Symantec Corporation
350 Ellis Street
Mountain View, CA 94043

http://www.symantec.com

Printed in the United States of America.
