Symantec™ Data Center Security: Server Advanced
Release Notes
Version 6.5
Symantec™ Data Center Security: Server Advanced Release Notes
Documentation version: 1.2
Legal Notice
Copyright © 2015 Symantec Corporation. All rights reserved.
Symantec, the Symantec Logo, the Checkmark Logo and are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
Symantec Corporation
350 Ellis Street
Mountain View, CA 94043
http://www.symantec.com
Technical Support
Symantec Technical Support maintains support centers globally. Technical Support’s primary role is to respond to specific queries about product features and functionality.
The Technical Support group also creates content for our online Knowledge Base.
The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.
Symantec’s support offerings include the following:
■ A range of support options that give you the flexibility to select the right amount of service for any size organization
■ Telephone and/or Web-based support that provides rapid response and up-to-the-minute information
■ Upgrade assurance that delivers software upgrades
■ Global support purchased on a regional business hours or 24 hours a day, 7 days a week basis
■ Premium service offerings that include Account Management Services
For information about Symantec’s support offerings, you can visit our website at the following URL:
www.symantec.com/business/support/
All support services will be delivered in accordance with your support agreement and the then-current enterprise technical support policy.
Contacting Technical Support
Customers with a current support agreement may access Technical Support information at the following URL:
www.symantec.com/business/support/
Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to replicate the problem.
When you contact Technical Support, please have the following information available:
■ Product release level
■ Hardware information
■ Available memory, disk space, and NIC information
■ Operating system
■ Version and patch level
■ Network topology
■ Router, gateway, and IP address information
■ Problem description:
  ■ Error messages and log files
  ■ Troubleshooting that was performed before contacting Symantec
  ■ Recent software configuration changes and network changes
Licensing and registration
If your Symantec product requires registration or a license key, access our technical support Web page at the following URL:
www.symantec.com/business/support/
Customer service
Customer service information is available at the following URL:
www.symantec.com/business/support/
Customer Service is available to assist with non-technical questions, such as the following types of issues:
■ Questions regarding product licensing or serialization
■ Product registration updates, such as address or name changes
■ General product information (features, language availability, local dealers)
■ Latest information about product updates and upgrades
■ Information about upgrade assurance and support contracts
■ Information about the Symantec Buying Programs
■ Advice about Symantec's technical support options
■ Nontechnical presales questions
■ Issues that are related to CD-ROMs, DVDs, or manuals
Support agreement resources
If you want to contact Symantec regarding an existing support agreement, please contact the support agreement administration team for your region as follows:
[email protected] Asia-Pacific and Japan
[email protected] Europe, Middle-East, and Africa
[email protected] North America and Latin America
Contents
Technical Support
Chapter 1 Introducing Symantec™ Data Center Security: Server Advanced
  About Symantec Data Center Security: Server Advanced
  About DCS:S and DCS:SA
  About installation and prerequisites
  Where to get more information
  Additional release information
Chapter 2 New Features and Enhancements
  New features in this release
  Additional platform support
Chapter 3 Resolved Issues
  Resolved issues in this release
Chapter 4 Known Issues and Limitations
  Known issues in this release
  Limitations in this release
Appendix A Appendix
  Re-establishing agent-server communication after upgrade from SCSP v5.2.0 to DCS:SA v6.0 or later
Chapter 1 Introducing Symantec™ Data Center Security: Server Advanced
This chapter includes the following topics:
■ About Symantec Data Center Security: Server Advanced
■ About DCS:S and DCS:SA
■ Where to get more information
■ Additional release information
About Symantec Data Center Security: Server Advanced
Symantec Data Center Security: Server Advanced (DCS:SA) provides a policy-based approach to endpoint security and compliance. The intrusion prevention and detection features of DCS:SA operate across a broad range of platforms and applications. It provides:
■ A policy-based host security agent for monitoring and protection.
■ Proactive attack prevention using the least privilege containment approach.
■ A centralized management environment for enterprise systems that contain Windows, UNIX, and Linux computers.
Table 1-1 DCS:SA capabilities

Compliance
■ Real-time monitoring and auditing
■ Host intrusion detection
■ File integrity monitoring
■ Configuration monitoring
■ Tracking and monitoring of user access
■ Logging and event reporting

Security and protection
■ Real-time proactive enforcement
■ Intrusion and malware prevention
■ System hardening
■ Application control
■ Privileged user access control
■ Vulnerability and patch mitigation
■ Does not use signatures or require continual updates to content

The major features of DCS:SA are as follows:
■ Intrusion detection facility for compliance auditing
  ■ Real-time file integrity monitoring
  ■ Granular change detection of registry values, file contents, and attributes
  ■ Operating system and application log monitoring
  ■ Local event correlation and smart response actions
■ Intrusion Prevention facility for malware prevention and system lockdown
  ■ Sandbox containment of operating system and application processes by an in-kernel reference monitor
  ■ Granular access control of network, file systems, registry, process-to-process memory access, system calls, and application and child process launches
  ■ Privileged user and program behavior
■ Anti-malware security
  DCS:SA Security Virtual Appliance (SVA) provides agentless anti-malware security services for the virtualized network through integration with the VMware Network and Security Virtualization (NSX) platform. SVA provides two types of policies: antivirus policies and configuration policies.
■ Comprehensive out-of-the-box policies for complete system monitoring and protection of physical and virtual systems
■ Security orchestration using Operations Director. Operations Director is intended to:
  ■ Automate security provisioning workflow.
  ■ Provide application-centric security service.
  ■ Seamlessly integrate with VMware NSX.
  ■ Provide out-of-box security product integration.
■ Centralized management environment for administering agents, policies, and events
■ Integration with Security Information and Event Management (SIEM) and other security tools, as well as enterprise infrastructure components such as Active Directory, SMTP, and SNMP
■ Broad platform support across Windows, Linux, UNIX and virtual environments for critical servers, workstations, laptops, and standalone systems
The major benefits of DCS:SA are as follows:
■ Reduces emergency patching and minimizes patch-related downtime and IT expenses through proactive protection that does not require continuous updates.
■ Reduces incidents and remediation costs with continuous security. Once the agent has a policy, it enforces the policy even when the computer is not connected to the corporate network. And even if a computer is unable to obtain the latest patches in a timely fashion, DCS:SA continues to block attacks so that the computer is always protected.
■ Provides visibility and control over the security posture of business-critical enterprise assets.
■ Uses predefined compliance and hardening policies to provide efficient security management, reporting, alerting, and auditing of activities. Also provides compensating controls for compliance failures.
About DCS:S and DCS:SA
This document describes the features of Symantec Data Center Security: Server Advanced (DCS:SA). If you have purchased Symantec Data Center Security: Server (DCS:S), you are only entitled to a subset of these features. The features and components included in each product are described below:
■ DCS:S entitles you to agentless anti-malware protection for your VMware guest VMs, via integration with the VMware NSX platform, as well as monitoring and hardening your VMware infrastructure.
In addition, DCS:S lets you orchestrate security using Operations Director. By using the intelligence of Operations Director, you can provision a vApp/VM with the right security policies.
■ DCS:SA extends DCS:S and allows you to monitor and protect physical and virtual data centers using a combination of host-based intrusion detection (HIDS), intrusion prevention (HIPS), and least privilege access control. Fully instrumented REST API provides corresponding API for all console actions to enable full internal and external Cloud automation.
About installation and prerequisites
For information on the installation of DCS:S, DCS:SA, and their installation prerequisites, refer to the DCS:SA Planning and Deployment Guide.
Where to get more information
Product manuals for DCS:SA are available on the DCS:SA product media. Updates to the documentation are available from the Symantec Technical Support and Business Critical Services (BCS) Web sites.
The DCS:SA product manuals are as follows:
■ Installation Guide Online Help
■ DCS:SA Online Help
■ Planning and Deployment Guide
■ Overview Guide
■ Administrator's Guide
■ Prevention Policy Reference Guide
■ Detection Policy Reference Guide
■ Agent Guide
■ Implementation Guide Integration with VMware NSX (for Security Virtual Appliance)
■ Operations Director Reference Guide
■ vSphere Support Guide
■ Release Notes
■ Platform and Feature Matrix
The following table lists additional information that is available from the Symantec Web sites.

Table 1-2 Symantec Web sites

Type of information: Public Knowledge Base; Releases and updates; Manuals and other documentation; Contact options
Web address: http://www.symantec.com/business/support/

Type of information: Virus and other threat information and updates
Web address: http://securityresponse.symantec.com

Additional release information
Symantec publishes the following release information in addition to the product-specific highlights for DCS:SA v6.5:
■ For troubleshooting the registration of Symantec Data Center Security plug-in for Operations Director, refer to the document Manual_Registration_Data_Center_Security_Plug-in.pdf that is included in the ISO file.
■ DCS:SA v6.5 does not support TCP Segmentation Offload (TSO) and Large Receive Offload (LRO) for Guest Network Threat Protection. When the appropriate TSO/LRO support is present in the NSX software stack, DCS:SA may provide support in a future release.
■ DCS:SA v6.5 discontinues support for SUSE Linux Enterprise Server 32-bit.
■ DCS:SA v6.5 does not support Pentium III processors for Windows agent installations.
■ The online help content for the management console continues to support DCS:SA v6.0 with no further edits. For the updated help topics for DCS:SA v6.5, refer to the following link:
http://help.symantec.com/CS?locale=EN_US&vid=v91088731_v99309261&ProdId=DCS1_0&context=DCS1.0
Chapter 2 New Features and Enhancements
This chapter includes the following topics:
■ New features in this release
■ Additional platform support
New features in this release
DCS:S v6.5 includes the following new features:
Table 2-1 New features in DCS:S

Feature: New network-based intrusion prevention system and application-centric protection for many data center applications.
Description: DCS:S v6.5 provides intrusion prevention at network layers by monitoring the network traffic and blocking all suspicious activities. Provides an option to choose application-specific protection to optimize network throughput.

Feature: Capability to quarantine malware in a guest virtual machine with options to manage quarantine folders.
Description: DCS:S v6.5 lets you configure the antivirus policies to enable quarantine of infected files and send them to the quarantine folder.

DCS:S v6.5 includes the following new features:
Table 2-2 New features in DCS:S - Operations Director

Feature: Security orchestration feature by using Symantec Data Center Security Operations Director (OD)
Description: Operations Director lets you do the following:
■ Automate security provisioning workflow
  Security provisioning workflow gets triggered directly from vCenter upon creation of new virtual application. OD also automates the collaboration between the virtual infrastructure administrator and security administrator to reduce security provisioning time to minutes.
■ Provide application-centric security service
  Instantly assesses application security requirements during vApp/VM provisioning by using security tags. An intelligent rule engine identifies the appropriate security policies. OD also provides out-of-box tags and security policy mapping.
■ Seamlessly integrate with VMware NSX
  Leverages NSX platform and NSX compatible security services to create application-specific security groups and policies.
■ Provide out-of-box security product integration
  Applies antimalware controls by using Symantec Data Center Security: Server, server hardening controls by using Symantec Data Center Security: Server Advanced, and automates application firewall rules by using Palo Alto Networks Next Generation Firewall.
Note: For DCS:SA, you can orchestrate security policies by integrating with Operations Director.

Feature: Unified Management Console (UMC)
Description: UMC is an appliance that provides a web-based console for NSX virtual data center protection and orchestration. The console is used to register and configure various features and products of Symantec Data Center Security. UMC provides unification of the common tasks across DCS:S, DCS:SA, and Operations Director.

DCS:SA v6.5 includes the following new features in Intrusion Detection:
Table 2-3 New features in DCS:SA - Intrusion Detection

Feature: Capability to monitor and harden OpenStack servers
Description: OpenStack-specific protection and detection policies are included in this release to monitor activities on the OpenStack server and to harden the authentication module keystone. This feature is available on the supported operating systems of Ubuntu and RHEL based OpenStack installations.

Feature: Capability to monitor extended file attributes and access control list (ACL) changes
Description: A new detection feature is added to UNIX and Linux systems to monitor changes in the extended file attributes and access control list. For example, changes made by the setfacl or setfattr commands can be monitored by using a detection policy.

Feature: RT-FIM support for VxFS
Description: Real-time File Integrity Monitoring is now supported on the operating systems that are supported by Veritas File Systems.

Feature: Support for AWS virtual systems
Description: Windows and Linux agents can be installed on virtual instances of AWS. All the operating systems that are in the platform matrix document and available in an AWS environment are supported.

Feature: Support for Security-Enhanced Linux (SELinux)/AppArmor
Description: DCS:S agents can now coexist with SELinux and AppArmor in enforcement mode. Users are not required to disable them or set them to passive mode before the agent installation.

Feature: Support for Red Hat Enterprise Linux 7.0
Description: DCS:S agents are now supported on RHEL 7. Refer to the DCS:SA Platform Feature Matrix document for details.

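As an added illustration of the extended attribute and ACL monitoring feature in Table 2-3 (this is not DCS:SA code or policy syntax), the kind of change such a detection reports can be seen by comparing two `getfacl -R` snapshots. The snapshots, paths and function names below are constructed for the example; `getfattr -d` dumps use the same `# file:` layout and flatten the same way.

```shell
#!/bin/sh
# Added example: report ACL entries that differ between two getfacl snapshots.

# sample_baseline / sample_current: constructed getfacl -R output (not real data).
sample_baseline() {
    cat <<'EOF'
# file: srv/app/config.ini
# owner: root
# group: root
user::rw-
group::r--
other::---

# file: srv/app/run.sh
# owner: root
# group: root
user::rwx
group::r-x
other::---
EOF
}

sample_current() {
    cat <<'EOF'
# file: srv/app/config.ini
# owner: root
# group: root
user::rw-
user:backup:rw-
group::r--
mask::rw-
other::---

# file: srv/app/run.sh
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
EOF
}

# acl_entries FILE: flatten a snapshot into sorted "path<TAB>entry" lines.
acl_entries() {
    awk '
        /^# file: /  { path = substr($0, 9); next }   # remember the current path
        /^#/ || /^$/ { next }                         # skip owner/group headers and blanks
        { print path "\t" $0 }
    ' "$1" | LC_ALL=C sort
}

# acl_changes BASELINE CURRENT: print "+ path entry" for entries that appear
# only in CURRENT and "- path entry" for entries that appear only in BASELINE.
acl_changes() {
    base=$(mktemp)
    cur=$(mktemp)
    acl_entries "$1" > "$base"
    acl_entries "$2" > "$cur"
    LC_ALL=C comm -13 "$base" "$cur" | sed 's/^/+ /'
    LC_ALL=C comm -23 "$base" "$cur" | sed 's/^/- /'
    rm -f "$base" "$cur"
}

# Demo on the constructed snapshots; on a real host the inputs would be
# saved output of "getfacl -R <dir>" taken at two points in time.
b=$(mktemp)
c=$(mktemp)
sample_baseline > "$b"
sample_current > "$c"
acl_changes "$b" "$c"
rm -f "$b" "$c"
```

A named-user entry such as `user:backup:rw-` appearing on a configuration file is the typical signal: the mode bits shown by `ls -l` can stay unchanged while effective access widens.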
DCS:SA v6.5 includes the following new features in Intrusion Prevention:
Table 2-4 New features in DCS:SA - Intrusion Prevention

Feature: RESTful API support for additional platforms and integration
Description: Fully instrumented REST API provides corresponding API for all console actions to enable full internal and external Cloud automation.

Feature: Application-centric hardening (database schema changes)
Description: The management server and the database have been enhanced to improve support for managing application data from a performance perspective.

Feature: LAMP support on UNIX (new sandboxes for MySQL and PHP in UNIX policy)
Description: New sandbox controls have been created to protect LAMP environments (Linux Apache MySQL PHP) that use the UNIX prevention policies. A new MySQL sandbox has been introduced, in addition to the PHP support that has been added to the existing Apache sandbox.

Feature: Upgraded third-party components (OpenSSL, cURL, FIPS)
Description: The third-party libraries have been updated to include the latest security fixes. DCS:SA agents now use OpenSSL v1.0.1j, FIPS ECP v2.0.8, and cURL v7.38.0 libraries.

Feature: Support for No-run list exception in prevention policy
Description: A list of processes that are prevented from being executed has been added to every sandbox. An exception list of processes that are allowed to run by using a specific command-line argument has also been added to the sandboxes.

Feature: Capability to block execution of files with non-executable extensions
Description: The Windows prevention policies now provide support to block the execution of files that have non-executable file extensions.

Feature: Support for Red Hat Enterprise Linux 7.0 and CentOS 7
Description: RHEL 7 and CentOS 7 are now supported by DCS:SA agents. Refer to the DCS:SA Platform Feature Matrix document for details.

Feature: ACL changes on Windows and UNIX
Description: The access control lists on DCS:SA agent files have been tightened to provide additional protection from the Operating System.

Feature: Capability to block modifications to Windows services
Description: The Windows prevention policies have been enhanced to provide support to prevent processes from starting the Windows Service Control (SC) utility and from modifying the *ControlSet* service registry keys.

Feature: Capability to block product registration
Description: The DCS:SA v6.0 Windows prevention policies provide support for blocking software from registering components with the Windows registry.

Feature: Capability to block the Windows Installer from executing
Description: The DCS:SA v6.0 Windows prevention policy provides the capability to prevent processes from starting the Windows Installer process.

Additional platform support
DCS:SA v6.5 adds support on the following platforms:
Table 2-5 New platform support

Platform                              IDS   IPS
Security-Enhanced Linux (SELinux)     Yes   Yes
Red Hat Enterprise Linux version 7    Yes   Yes
OpenStack                             Yes   Yes

Chapter 3 Resolved Issues
This chapter includes the following topics:
■ Resolved issues in this release
Resolved issues in this release
Table 3-1 DCS:SA resolved issues

Issue: Windows 2012 R2 agents used to display the OS version and type as Windows 2012 on the console
Description: For the agents installed on Windows 2012 R2, OS type and version "Windows server 2012" was displayed on the console instead of "Windows server 2012 R2".
This issue has been fixed.
Affected operating systems: Windows 2012 R2
Affected DCS:SA versions: 6.0 MP1 and earlier

Issue: In case of a policy in prevention disabled state, if the prevention ON/OFF slider control is used for enabling an individual sandbox or a group of sandboxes, it overrides the disabled state in the global policy level
Description: In case of a policy in prevention disabled state, if the prevention ON/OFF slider control is used for enabling an individual sandbox or a group of sandboxes, it overrides the disabled state in the global policy level.
This issue has been fixed. Now you cannot enable prevention for an individual sandbox or a group of sandboxes when prevention is globally disabled in the policy.
Affected DCS:SA versions: 6.0 MP1 and earlier

Issue: Policy used to take long time to load in a console when predefined applications are added in trusted updaters or in application rules
Description: Opening a policy that had predefined applications added in trusted updaters or in application rules used to take a long time.
This issue has been fixed.
Affected DCS:SA versions: 6.0 MP1 and 6.0

Issue: Management server upgrade used to fail with custom SQL named instance listening on custom port with SQL browser service OFF
Description: When the database used a custom SQL named instance with a custom port and the SQL browser service was OFF, the management server upgrade used to fail.
This issue has been fixed.
Affected operating systems: All Windows server supported platforms
Affected DCS:SA versions: 6.0 MP1 and earlier

Issue: In a specific scenario, CPU utilization of SQL Server was high when application data was fetched from agents
Description: CPU utilization of SQL Server was high when application data was fetched from agents.
This issue has been fixed.
Affected DCS:SA versions: 6.0 MP1 and 6.0

Issue: 'Superuser_Group_Created' event used to get generated when the user password was changed in a specific scenario
Description: The 'Superuser_Group_Created' event used to get generated along with the 'User_Password_Changed' event when a user changed a password that was set with specific settings such as No password expire and No warning for password expire.
Affected operating systems: All supported UNIX and Linux platforms
Affected DCS:SA versions: 6.0 MP1 and earlier
Affected DCS:SA Policy: UNIX Baseline Detection policy

Issue: UNIX Baseline Detection Policy failed to apply on UNIX agents when Root Logon Failure option was not selected in the policy
Description: When UNIX Baseline Detection Policy was applied on UNIX agents without selecting Root Logon Failure option under SSH Logon Failure, the policy failed to apply with the following error:
"Variable not found: SSH_Logon_Failure_Root_Logon_Failure.SelectStrings%"
This issue has been fixed.
Affected operating systems: All supported Solaris and HP-UX platforms
Affected DCS:SA versions: 6.0 MP1 and earlier
Affected DCS:SA Policy: UNIX Baseline Detection policy

Issue: In a specific scenario, translation used to fail when any IPS policy other than null policy was applied on the agent
Description: Applying any IPS policy other than null policy on an agent used to fail when the length of a parameter value in a policy was greater than a certain limit.
This issue has been fixed.
Affected operating systems: All supported Windows agents
Affected DCS:SA versions: 6.0 and 6.0 MP1

Issue: Installation of the agent used to fail on Win XP embedded SP3
Description: Installation of the agent used to fail on the Win XP embedded SP3 platform.
This issue has been fixed.
Affected DCS:SA versions: 6.0 MP1 and 6.0
Note: Win XP embedded is frozen in the DCS:SA 6.5. The updated installer is present in the legacy folder on DCS:SA 6.5 CD image.

Chapter 4 Known Issues and Limitations
This chapter includes the following topics:
■ Known issues in this release
■ Limitations in this release
Known issues in this release
Table 4-1 lists the issues that are known in this release for DCS:S.
Table 4-1 DCS:S known issues
Workaround/recommendation Issue description
To resolve this, you must do one of the following:
■ Log in to SVA and delete extra NTP servers from the /etc/ntp.conf file, and restart the NTP daemon.
■ Modify the function ntp_config() in /etc/dhcp/dhclient.d/ntp.sh as follows:
ntp_config() { return #do nothing } SVA adds the NTP servers in the /etc/ntp.conf
file, when SVA is configured for DHCP IP and the DHCP server in the network is configured to offer NTP Servers.
To resolve this issue, you must restart the host ESX computer.
At times, the netsec service fails to start when the SVA service is deployed. The error message 'Failed to initialize the DVFilter API library' is logged in the netsec.log file, although it is not displayed on the user interface.
4
Chapter
Table 4-1 DCS:S known issues (continued)
Workaround/recommendation Issue description
No workaround is available currently.
The threats that are not in either the HTTP request or HTTP response header are blocked, but may not display the "Threat Detected and Blocked" message in the guest virtual machine's browser.
Follow the VMware best practices for configuration of security groups and virtual machine management to minimize this situation.
Note:There is no notification of this situation in the management console or the NSX management console.
NSX 6.1.2 may send network traffic to the SVA before NSX 6.1.2 provides guest network threat protection policy information for that network traffic. Until the policy information is received, the network traffic remains unprotected.
Follow the best practices when you establish the security groups and apply the network threat protection policies to the security groups to minimize this delay.
In NSX 6.1.2 environments, there may be delays in propagating Guest Network Security protection information from NSX 6.1.2 to the SVA. Until the security virtual appliance fetches the information, the network flow remains unprotected.
Follow the best practices when you establish the security groups and apply network threat protection policies to those security groups for appropriate protection.
Guest Network Security monitors network traffic through integration with NSX 6.1.2.
NSX informs the SVA when to start and stop monitoring network.
Create a new security group and apply a security policy to the security group.
NSX 6.1.2 network introspection may send network traffic to the SVA that does not comply with the network introspection security policy and rules configured in NSX. DCS:S v6.5 examines all the network traffic that is sent to the security virtual appliance by NSX 6.1.2.
No workaround is available currently.
vCenter 5.5 Update 2 does not correctly propagate the usb.present setting in the SVA.OVFfile. usb.present is correctly configured in the SVA.OVF file, but when the OVF is deployed, vCenter does not propagate the setting correctly.
Use the REST API script to re-publish the policies.
When a configuration policy is updated and LiveUpdate is run, the policies are not published.
22 Known Issues and Limitations
Known issues in this release
Table 4-1 DCS:S known issues (continued)
Workaround/recommendation Issue description
No workaround is available currently.
The Top 10 GVMs with virus threats remediated graph on the Home page does not display the bar for the guest virtual machine that has a lower virus count as compared to the other GVMs, although the name of the GVM is displayed correctly.
However, the virus count is displayed as a tooltip on mouse hover. You can also drill-down to the Events page by clicking the label.
To allow root to mount a specific folder, follow these steps:
■ In the Policies workspace on the DCS:SA console, open the policy or create a new UNIX policy.
■ Click Sandboxes > Root Program Options.
■ Under General Settings, check Allow mounting and unmounting of filesystems (mount, umount).
■ In the File Rules section, check Writeable Resource List >Allow Modifications to these files.
■ In the List of files that can be modified list, add the mount point. For example, /tmp)
■ Save the policy.
Mount fails on an agent that has the NFS client with protection is enabled, even though mounting is allowed in the policy.
DCS:S v6.5 supports OpenSSL 1.0.1j. If you are currently on an OpenSSL version that is earlier than 1.0.1j, then you must upgrade to v1.0.1j.
Warning messages are displayed in case of OpenSSL version incompatibility.
No workaround is available currently.
The NSX Security Group page displays the virtual machines with operating system from Windows family. When a VM goes into auto-sleep mode, the VM entry is not displayed under the NSX Security Group page. This is a known limitation and will be addressed in future release.
23 Known Issues and Limitations
Known issues in this release
Table 4-1 DCS:S known issues (continued)
Workaround/recommendation Issue description
To resolve this issue, re-deploy the Symantec service and verify that the CD-ROM drive is specified correctly for all Symantec service SVA virtual machines.
At the time of Symantec service deployment, the SVA virtual machine must include a virtual CD-ROM drive of the Datastore ISO file type with a valid datastore and ISO path specified.
For example: [datastore1]Symantec DataCenter Security Service for VMware NSX.iso
An occasional issue is observed where the virtual CD-ROM is not specified correctly. As a result, network traffic is not protected and a fatal level of events are observed within the SVA netsec.log: "Failed to read agent name.
DVFilterApi init() failed".
No workaround is available currently.
If the LiveUpdate proxy server settings are missing, any user with the administrator privileges can configure the settings through the SVA Configuration Policy. However, editing of Proxy Server settings is allowed only through the UMC console.
The Edit option is not supported through SVA configuration policy.
While using Guest Network Threat protection, ensure that the v6.5 SVA config policy is used.
Guest Network Threat protection is introduced with DCS:S v6.5. Network threat protection does not function with SVA configuration policies of versions older than 6.5.
Manually update the root directory to c:\Program Files\<x86>\Symantec\Data Center Security Server\Server and then register a product with UMC.
When you upgrade from any previous DCS:S version to DCS v6.5, the root directory does not get updated. As a result, you cannot register a product with the Unified Management Console (UMC).
Symantec recommends that you update all content types upon security virtual appliance deployment.
The EICAR virus file may not get detected over SMB v1 connection with the default content definitions on the security virtual appliance.
While using Guest Network Threat protection, ensure that you use the v6.5 SVA config policy.
Guest Network Threat protection is introduced with DCS:S v6.5. Network threat protection does not function with SVA Config policies of versions earlier than v6.5.
Table 4-1 lists the issues that are known in this release for DCS:SA.
Table 4-2 DCS:SA known issues
Workaround/recommendation Issue description
Use the Backspace key to delete the entire text till the point you want to edit and retype the content.
For alert notifications, the Subject and the email body support only partial Text editor features. The placement of the cursor cannot be changed to select and delete the content.
Intermediate text selection by using the mouse is possible, but deletion is not supported.
Do not use the Obey Application Data Restrictions option along with the Run with
* privileges feature. You must remove the alternative privilege lists and disable the Obey Application Data Restrictions option on the alternative privileges sandboxes.
Application Data Protection Rules prevent services from accessing their application data if given alternate privileges.
Disable prevention on the agent and restart the computer before you upgrade to DCS:SA v6.5.
To disable prevention, run the following command:
./sisipsconfig.sh -i
Note: The pkgadd and pkgrm commands do not work after the installation of 5.2.6-x agent.
Upgrade of agents with v5.2.6 to DCS:SA v6.5 fails on Solaris 10 SPARC U10 and U11 platforms with the following error message:
Network error: Software caused connection abort
The same error message is displayed if you try to uninstall the product by using the following command:
pkgrm SYMCcsp
To resolve this issue, after the server upgrade, modify the java.security file to enable Sun providers.
For more details, refer to the topic Re-establishing agent-server communication after upgrade from SCSP v5.2.0 to DCS:SA v6.0 or later in Appendix A.
The communication between the agents and the server fails if you have done a gradual or a direct upgrade of the Management Server from SCSP v5.2.0 or earlier to SDCS:SA v6.0 or DCS:SA v6.5.
To resolve this issue, do the following:
■ Stop the Symantec Data Center Security Server Manager service.
■ Locate the server.xml file on the server machine at the following location:
<installation directory>\server\tomcat\conf\
■ In the server.xml file, add SSLv2Hello in sslEnabledProtocols to the following SSL Connector instances:
■ Tomcat stand-alone agent service
■ Tomcat stand-alone console service
■ Tomcat stand-alone service
The updated entry must be
sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello"
■ Start the Symantec Data Center Security Server Manager service.
Note: Symantec recommends that you use an XML editor to update the server.xml file.
The CSP v5.2.0 agents fail to communicate with the DCS:SA v6.5 server when the java.security file has been updated to fix the issue,
"The communication between the agents and the server fails if you have done a gradual or a direct upgrade of the Management Server from SCSP v5.2.0 or earlier to SDCS:SA v6.0 or DCS:SA v6.5".
In order to verify that you are not affected by this issue, do the following:
■ Locate the server.xml file on the upgraded server machine at the following location: <installation directory>\server\tomcat\conf\
■ Check whether the sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" entry is inside the following SSL Connector instances:
■ Tomcat stand-alone agent service
■ Tomcat stand-alone console service
■ Tomcat stand-alone service
To resolve this issue, do the following:
■ Stop the Symantec Data Center Security Server Manager service.
■ Locate the server.xml file on the upgraded server machine at the following location: <installation directory>\server\tomcat\conf\
■ Edit the server.xml file, and move the sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" entry inside the following SSL Connector instances:
■ Tomcat stand-alone agent service
■ Tomcat stand-alone console service
■ Tomcat stand-alone service
■ Start the Symantec Data Center Security Server Manager service.
Note: Symantec recommends that you use an XML editor to update the server.xml file.
In a gradual server upgrade scenario that goes from CSP v5.2.x to SDCS:SA v6.0 MP1 and then to DCS:SA v6.5, the management server may not enforce the TLS protocol for server-agent and server-console communication.
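The verification step above can be scripted. The following is an added example, not Symantec code: it assumes each SSL connector is a Tomcat Connector element with SSLEnabled="true", and the sample file and port numbers are constructed placeholders.

```python
import xml.etree.ElementTree as ET

EXPECTED = {"TLSv1", "TLSv1.1", "TLSv1.2"}  # value the release notes require
COMPAT = "SSLv2Hello"  # added only by the CSP v5.2.0 agent workaround

# Constructed sample, not a real DCS:SA server.xml; ports are placeholders.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="443" SSLEnabled="true"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello"/>
    <Connector port="4443" SSLEnabled="true"
               sslEnabledProtocols="TLSv1,TLS v1.1,TLSv1.2"/>
    <Connector port="8443" SSLEnabled="true"/>
    <Connector port="8081" protocol="HTTP/1.1"/>
  </Service>
</Server>"""


def audit_connectors(xml_text):
    """Return {port: (status, detail)} for every SSL-enabled Connector."""
    results = {}
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "").lower() != "true":
            continue  # non-SSL connector, not covered by this check
        port = conn.get("port")
        raw = conn.get("sslEnabledProtocols")
        if raw is None:
            # attribute absent from the Connector: the upgrade issue itself
            results[port] = ("MISSING", [])
            continue
        tokens = raw.split(",")
        unknown = [t for t in tokens if t not in EXPECTED and t != COMPAT]
        absent = sorted(EXPECTED - set(tokens))
        if unknown:
            results[port] = ("UNEXPECTED", unknown)  # e.g. a typo such as "TLS v1.1"
        elif absent:
            results[port] = ("INCOMPLETE", absent)
        elif COMPAT in tokens:
            results[port] = ("COMPAT", [COMPAT])
        else:
            results[port] = ("OK", [])
    return results


if __name__ == "__main__":
    for port, (status, detail) in audit_connectors(SAMPLE_SERVER_XML).items():
        print(port, status, detail)
```

A MISSING result corresponds to the upgrade issue described here; a COMPAT result shows that the SSLv2Hello workaround for CSP v5.2.0 agents is in place on that connector.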
No workaround is available currently.
If a Security-Enhanced Linux (SELinux) system is changed from "Disabled" or "Permissive" mode to "Enforcing" mode after an agent installation, the system boots in the "Maintenance" mode when you apply a predefined UNIX prevention policy and restart the machine.
To resolve this issue, re-execute the configfips.vbs file to enable FIPS.
For information on how to enable FIPS, refer to the FIPS 140-2 Compliance Guide.
FIPS mode gets disabled after you upgrade the Management Server from SDCS:SA v6.0 MP1 to DCS:SA v6.5.
No workaround is available currently.
The Alert Filter > Preview Events link takes the user to the Events List page. The "Sort" operation on columns is currently not supported.
To resolve this issue, do the following:
■ In all the three connectors in the server.xml file located at <installation directory>\server\tomcat\conf\ on the Tomcat-only server, rename the keystore file path "Critical System Protection" to "Data Center Security Server". For example, change
keystoreFile="C:\Program Files (x86)\Symantec\Critical System Protection\Server\server-cert.ssl"
to
keystoreFile="C:\Program Files (x86)\Symantec\Data Center Security Server\Server\server-cert.ssl"
■ Restart the Symantec Data Center Security Server Manager service.
A server with Tomcat-only installation fails to communicate with the database and does not start its Server Manager service if the server.xml file of the upgraded server is used for installing DCS:SA v6.5 on the Tomcat-only server. The server is unable to locate the server-cert.ssl file as the server.xml contains the old product installation path, which does not get updated.
No workaround is available currently.
The module fields specified in a network rule are ignored and the rule is matched based on other fields in the rule. The rule does not match any of the module fields.
No workaround is available currently.
For the agents installed on Windows 2003 or earlier, all module attributes are ignored if specified in the rules. Such rules are matched based on the other fields of the rule.
To resolve the issue, do the following:
■ Log in to the system as a root user.
■ Modify the permissions of the following library files to add read permission to other users:
■ <AgentInstallDir>/IPS/bin/libgcc_s.a
■ <AgentInstallDir>/IPS/bin/libstdc++.a
On AIX agents, users other than sisips/root are not able to run the sisipsoverride tool.
Table 4-3 lists the issue that is known in this release for DCS:S - Operations Director.
Table 4-3 DCS:S - Operations Director known issue
Workaround/recommendation Issue description
Symantec recommends that you use only the specified special characters in the name of a vApp/VM to be provisioned.
Note: Using any other special characters can cause issues with provisioning of the vApp/VM.
DCS:S - Operations Director now supports PAN-OS 6.1.3. However, while naming a vApp/VM to be provisioned, you can use only special characters like period (.), underscore (_), or hyphen (-).
Limitations in this release
DCS:SA v6.5 contains the following limitations for internationalization:
■ The Description field for events is generated by the agents, which cannot be localized.
■ The data that you export cannot be localized.
■ The non-English guest virtual machine names, MOID, and security groups are not displayed in the localized form.
■ The error strings that are generated from the server cannot be localized. For example, instances such as duplicate policy creation, invalid file upload and so on.
■ The data for the Date column for the Recent Events pane in the Assets workspace cannot be localized.
■ The data for the Date column in the Notification page cannot be localized.
■ The user input fields on some of the web console pages do not accept single quotation mark ('), except for Extensions, Folders, and Files fields from the Add Policy page.
■ Clicking the browser back button is not supported in UMC. You must use the menu options to traverse to the UMC workspace.
■ After you log in to UMC and select a registered product from the UMC product switcher, if you again select UMC in the product switcher, it does not change the selected product to UMC. For example, if you log in to UMC and select OD from the product switcher, you cannot come back to UMC by selecting UMC in the product switcher.
DCS:SA v6.5 contains the following limitation in the Java console:
■ After an upgrade to DCS:SA v6.5, clicking on Help in the Java console does not launch the online help.
To avoid this issue, you must take a backup of the webui.war file from the following location before you perform an upgrade:
C:\Program Files (x86)\Symantec\Data Center Security Server\Server\tomcat\webapps
Place the file at the same location after the upgrade and then restart the Symantec Data Center Security Server Manager service.
DCS:SA v6.5 contains the following limitation in the Unified Management Console:
■ UMC allows multiple users to log in simultaneously on the same computer.
Appendix
This appendix includes the following topics:
■ Re-establishing agent-server communication after upgrade from SCSP v5.2.0 to DCS:SA v6.0 or later
Re-establishing agent-server communication after upgrade from SCSP v5.2.0 to DCS:SA v6.0 or later
The communication between the agents and the server fails if you have done a gradual or a direct upgrade of the management server from SCSP v5.2.0 or earlier to SDCS:SA v6.0 or DCS:SA v6.5.
This issue occurs in the following specific scenario:
■ When you have a server that was upgraded from CSP 5.2.0 or earlier to DCS:SA v6.5 and which has certificates that have MD5withRSA as the signature algorithm.
■ When you have Windows, Solaris, AIX, or HP-UX with agents v5.2.9 MP5 with Hotfix 1 or later, or Linux agents with OpenSSL version 1.0.1g or later.
In such a scenario, perform the following steps to re-establish the agent-server communication:
■ Stop the DCS:SA Management Server service from Windows Service Control Manager (SCM).
■ Locate the java.security file present at the following location:
<SERVER_INSTALL_ROOT>\jre\lib\security
■ Comment the following security provider list (use # at the start of the line) in the java.security file. You can use any text editor to edit this file.
security.provider.1=com.rsa.jsse.JsseProvider
security.provider.2=sun.security.jgss.SunProvider
security.provider.3=com.sun.security.sasl.Provider
security.provider.4=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.5=sun.security.smartcardio.SunPCSC
security.provider.6=sun.security.provider.Sun
security.provider.7=sun.security.rsa.SunRsaSign
security.provider.8=sun.security.ec.SunEC
security.provider.9=com.sun.net.ssl.internal.ssl.Provider
security.provider.10=com.sun.crypto.provider.SunJCE
security.provider.11=sun.security.mscapi.SunMSCAPI
■ Add the following list of security providers in the java.security file:
# List of providers and their preference orders (for MD5withRSA as signature algorithm):
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=sun.security.ec.SunEC
security.provider.4=com.sun.net.ssl.internal.ssl.Provider
security.provider.5=com.sun.crypto.provider.SunJCE
security.provider.6=sun.security.jgss.SunProvider
security.provider.7=com.sun.security.sasl.Provider
security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.9=sun.security.smartcardio.SunPCSC
security.provider.10=sun.security.mscapi.SunMSCAPI
■ Start the DCS:SA Management Server Service from Windows Service Control Manager (SCM).
After you make these changes, FIPS mode is not enforced as FIPS does not support MD5 as a signature algorithm. To enforce the FIPS mode, revert the changes made in the security provider list.
For more details, refer to the DCS:SA FIPS 140-2 Compliance Guide.
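After hand-editing the provider list as described above, a quick check of java.security shows which of the two orderings is active and whether any line of the old list was left uncommented. This is an added example, not Symantec code; the sample text is a constructed excerpt of a half-edited file, and the ordering labels are names chosen here.

```python
import re

RSA_JSSE = "com.rsa.jsse.JsseProvider"  # provider 1 in the list the appendix comments out
SUN = "sun.security.provider.Sun"       # provider 1 in the list the appendix adds
LINE = re.compile(r"^\s*security\.provider\.(\d+)\s*=\s*(\S+)")

# Constructed excerpt of a half-edited file: one line of the old list was left active.
SAMPLE_JAVA_SECURITY = """\
#security.provider.1=com.rsa.jsse.JsseProvider
#security.provider.2=sun.security.jgss.SunProvider
security.provider.3=com.sun.security.sasl.Provider
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=sun.security.ec.SunEC
security.provider.5=com.sun.crypto.provider.SunJCE
"""


def audit_providers(text):
    """Summarise the active (uncommented) security.provider.N entries."""
    seen = {}
    for line in text.splitlines():
        match = LINE.match(line)  # lines starting with '#' never match
        if match:
            seen.setdefault(int(match.group(1)), []).append(match.group(2))
    # A properties file keeps the last value given for a repeated key.
    effective = {idx: classes[-1] for idx, classes in seen.items()}
    duplicates = {idx: c for idx, c in seen.items() if len(c) > 1}
    # Provider loading walks the indexes from 1 and stops at the first missing one.
    gaps = [i for i in range(1, max(seen, default=0) + 1) if i not in seen]
    first = effective.get(1)
    if first == RSA_JSSE:
        ordering = "rsa-jsse-first"  # original list; the one to restore for FIPS mode
    elif first == SUN:
        ordering = "sun-first"       # MD5withRSA list; FIPS mode is not enforced
    else:
        ordering = "unrecognised"
    return {"ordering": ordering, "effective": effective,
            "duplicates": duplicates, "gaps": gaps}


if __name__ == "__main__":
    print(audit_providers(SAMPLE_JAVA_SECURITY))
```

A clean edit yields no duplicates and no gaps; either finding means the commented-out list and the added list overlap or leave a hole in the numbering.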