Release Notes
Norman Enterprise Security 8.0
Suite Version: 8.0.
8
.10
Notices
Version InformationNorman Enterprise Security Release Notes - Norman Enterprise Security Version 8.0 - Published: May 2014
Document Number: 02_204M_8.0_141431638
Copyright Information Lumension Security, Inc.
8660 East Hartford Drive, Suite 300 Scottsdale, AZ 85255
Copyright© 1999-2014; Lumension Security, Inc.; all rights reserved. Covered by one or more of U.S. Patent
Nos. 6,990,660, 7,278,158, 7,487,495, 7,823,147, 7,870,606, and/or 7,894,514; other patents pending. This manual, as well as the software described in it, is furnished under license. No part of this manual may be reproduced, stored in a retrieval system, or transmitted in any form – electronic, mechanical, recording, or otherwise – except as permitted by such license.
LIMITATION OF LIABILITY/DISCLAIMER OF WARRANTY: LUMENSION SECURITY, INC. (LUMENSION) MAKES NO REPRESENTATIONS OR WARRANTIES WITH REGARD TO THE ACCURACY OR COMPLETENESS OF THE INFORMATION PROVIDED IN THIS MANUAL. LUMENSION RESERVES THE RIGHT TO MAKE CHANGES TO THE INFORMATION DESCRIBED IN THIS MANUAL AT ANY TIME WITHOUT NOTICE AND WITHOUT OBLIGATION TO NOTIFY ANY PERSON OF SUCH CHANGES. THE INFORMATION PROVIDED IN THIS MANUAL IS PROVIDED “AS IS” AND WITHOUT WARRANTY OF ANY KIND, INCLUDING WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE INFORMATION PROVIDED IN THIS MANUAL IS NOT GUARANTEED OR WARRANTED TO PRODUCE ANY PARTICULAR RESULT, AND THE ADVICE AND STRATEGIES CONTAINED MAY NOT BE SUITABLE FOR EVERY ORGANIZATION. NO WARRANTY MAY BE CREATED OR EXTENDED WITH RESPECT TO THIS MANUAL BY SALES REPRESENTATIVES OR WRITTEN SALES MATERIALS. LUMENSION SHALL NOT BE LIABLE TO ANY PERSON WHATSOEVER FOR ANY LOSS OF PROFIT OR DATA OR ANY OTHER DAMAGES ARISING FROM THE USE OF THIS MANUAL, INCLUDING BUT NOT LIMITED TO DIRECT, INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, OR OTHER DAMAGES.
Trademark Information
Lumension®, Lumension® Endpoint Management and Security Suite, Lumension® Endpoint Management Platform, Lumension® Patch and Remediation, Lumension® Enterprise Reporting, Lumension® Security Configuration Management, Lumension® Content Wizard, Lumension® Risk Manager, Lumension® AntiVirus, Lumension® Wake on LAN, Lumension® Power Management, Lumension® Remote Management, Lumension® Scan™, Lumension® Application Control, Lumension® Device Control, Lumension® Endpoint Security, Lumension® Intelligent Whitelisting, PatchLink®, PatchLink® Update™, their associated logos, and all other Lumension trademarks and trade names used here are the property of Lumension Security, Inc. or its affiliates in the U.S. and other countries. Norman®, Norman SandBox®, Norman Virus Control®, the Norman product and service names, their associated logos, and all other Norman trademarks and trade names used here are the property of Norman ASA in the U.S., the European Union, and other countries.
RSA Secured® is a registered trademark of RSA Security Inc. Apache is a trademark of the Apache Software Foundation.
In addition, any other companies' names, trade names, trademarks, and products mentioned in this document may be either registered trademarks or trademarks of their respective owners.
Part
I
Release Notes
In this section:
•New Capabilities Included in This Release
•Frequently Asked Questions
•Issues Resolved
•Known Issues
We are pleased to announce the general availability of Norman Enterprise Security 8.0 (Server Suite 8.0.8.10).
New Capabilities Included in This Release
The Norman Enterprise Security (Norman ESEC) 8.0 release includes the following new capabilities. Core Platform
• The Norman ESEC user interface is redesigned to provide responsive interaction for customers. The new UI includes:
• Accessibility from a variety of screen resolutions, including mobile device displays. • An updated look and feel.
• Conformity to some internationalization requirements. • Improved accessibility for customers with disabilities.
• The Norman ESEC Agent and Server platforms are updated to improve stability and reliability during installs, uninstalls, and upgrades.
• The Groups page Endpoint Membership view has had an IP Address column added, which you can use to identify endpoints with identical names.
• Documentation for Smart Card Authentication support (Common Access Card Authentication Standard), enabling Norman ESEC sign-on using Smart Cards (available upon request).
Device Control
The NESEC version of Device Control now provides Online State Definition so that online and offline policies can use wired or server connectivity.
Patch and Remediation
• The Vulnerabilities page and other pages used to view security content have had new features added to help identify content of interest.
• The Package Status column can now be sorted, helping you quickly identify which packages have been cached.
• A new Vendor column has been added, letting you sort content items according to their creator. • A new Vendor Release Date column has been added, helping you see what content have been released
most recently.
Operating System Support
• Server support has been added for the following operating systems: • Windows Server 2012
• Windows Server 2012 R2
• Agent support is added for the following operating systems (Norman ESEC: Patch and Remediation supported these modules in 7.3 SP1):
• Windows Server 2012 • Windows Server 2012 R2 • Windows 8.1
Attention: NESEC 8.0 will be the final release to support Windows Server 2003. This operating system will not be supported for the next NESEC release. Therefore, it will not be possible to upgrade from 8.0 to the next release if your NESEC Server is installed on Windows Server 2003.
Database Server Support • Support has been added for:
• SQL Server 2012
Attention: NESEC 8.0 will be the final release to support SQL Server 2005. This database will not be
supported for the next NESEC release. Therefore, it will not be possible to upgrade from 8.0 to the next release if your NESEC Server is installed using SQL Server 2005.
Release Notes
Frequently Asked Questions
How Do I Deploy 8.0?Server • New customers can install Norman ESEC 8.0 by downloading the
installer from the Norman Support Site (http://www.norman.com/ support/).
• Existing customers can upgrade their Norman ESEC Server by
selecting Tools > Installation Manager, navigating to the New/Update Components tab and selecting 8.0 (8.0.8.10), which contains the new components for the platform and features.
Agent • Customers can install the agent by logging into an endpoint, navigating
to the Norman ESEC Web console, and selecting Tools > Download Agent Installer. Install agent version 8.0.8.10.
• Customers can upgrade to their existing endpoints to 8.0.8.10 by selecting Agent Versions from the Manage > Endpoints page. How Do I Determine if my Upgrade Was Successful?
Server Following upgrade to 8.0.8.10, navigate to Help > About using the Norman ESEC Web console. The Server Suite Version will display '8.0.8.10'.
Agent Upgraded agents are visible in the Norman ESEC Web console by navigating to Manage > Endpoints. The Agent version for the endpoint will display '8.0.8.10'.
Issues Resolved
The Norman Enterprise Security (Norman ESEC) 8.0 release resolves the following issues. NESEC Platform (Core)
ID Description
14291 Fixed issue on Deployment and Tasks page where expanded deployments would not display child endpoints. Child deployments are now displayed for all expanded deployments.
14400 Fixed issue where Norman ESEC Agents that have hardening enabled could be uninstalled from the command line.
ID Description
14402 Fixed issue of empty files being created within the endpoint "\application data\Norman\lmagent\download\" folder.
14403 Fixed issue where Cyrillic OU names could not be properly added to endpoint AD membership. Cyrillic names are now supported.
15143 Fixed error where users logged in with a username starting with the "$" character could not use Discovery Scan Jobs and Agent Management jobs. Users with this character are now supported.
16561 Fixed issue where endpoints that changed AD group were improperly classified within the Groups page Directory Service Groups hierarchy. All endpoints that have changed AD group are now classified properly.
16563 Fixed issue where each endpoint sent its full inventory following
registration, resulting in slow performance. Inventory is no longer sent upon registration.
16565 Fixed error where the presence of the eps.sys file from a previous install would cause an Agent install/uninstall/upgrade failure. The Agent can still be installed/uninstalled/upgraded if the file is present.
16594 Fixed issue where data exported from the Information tab for an endpoint that has AntiVirus module installed would result in an "Internal Server Error". This data can now be exported.
17456 Fixed issue where endpoints with both the Device Control and Device Control modules installed and in FIPS mode could not be locked down.
17608 Fixed issue when the Web console had the Home page opened for long periods of time, excessive bandwidth was consumed by the Server Information widget.
17841 Fixed issue where users deleted from the system still displayed as under assignment to a role. These users are now completely removed from the system.
19345 Fixed error where Agents re-register when using Juniper Networks Network Connect 6.5.0. Agents no longer try to re-register AntiVirus Module
ID Description
Release Notes
ID Description
17199 Fixed issue where AntiVirus engine and definition file downloads cause endpoints to hang for several minutes. Endpoint performance is improved during downloads.
17839 Fixed issue where Windows XP endpoints with the AntiVirus module installed experience slow performance or hangs due to contention on
CmpRegistryLock. Endpoint performance is improved.
17951 Fixed issue where a failed definition update would leave temporary files.
18321 Fixed issue where Email Notification alerts for Virus and Malware events are sent despite the event being removed from the system. Email for deleted events are no longer sent.
18575 Fixed issue where Alert Email Notifications were not populated with endpoint/alert information. Emails now contain endpoint and alert information.
18591 Fixed issue where av.sys causes endpoint to crash.
18989 Fixed exception thrown at completion of an AntiVirus scan. This scenario no longer creates exceptions.
19683 Fixed issue where the AntiVirus Engine and Definition downloaded an hour off schedule due to daylight saving time.
19759 Fixed issue where a Recurring Virus and Malware Scan would run an hour off schedule due to daylight saving time.
19821 Fixed issue where Real-time Monitoring could not quarantine a specific virus after LMAgent restart.
Device Control Module
ID Description
13490 Fixed issue where Policy Information (report and endpoint details) was missing Reporting and Monitor Interval values. This information now displays consistently.
13516 Fixed issue with Microsoft ASP.NET Request Filtering bypassing Cross-Site Scripting Vulnerability.
13540 Fixed issue where some RTNotify UI elements were not localized into Japanese. These elements are now localized.
13789 Fixed issue where endpoint event viewer logs event ID 7016 repeatedly. This event is no longer logged redundantly.
ID Description
13825 Fixed issue where users were unable to fully encrypt a 1 TB external hard drive. Drive encryption has been successfully tested up to 2 TB.
13893 Fixed issue where the All devices value missing was in Device class dropdown when granting temporary permissions. This value is now available for temporary permissions.
13982 Fixed inability to add Comments for instances in Device Collections in the Device Library. Comments can now be added.
14045 Fixed issue where Centrino wireless card never blocked and always identified as class 100. This wireless card can now be blocked, and it is also correctly identified as a Certrino wireless card.
14059 Fixed issue where Device Control upgrade fails with "Key mismatched error".
14060 Fixed violation of PRIMARY KEY constraint 'PK_DeviceInstance' during Device Control upgrade.
15048 Fixed Shadow file with non-western characters saved under name in an unreadable format. The file is now saved in a readable format.
15384 Fixed issue where secure volume browser crashes when burning/encrypting CDs. Secure volume browser is now stable in this scenario.
19079 Fixed Device Event "query name is already in use" warning after query deletion then using the same name to create new query.
Application Control Module
ID Description
15133 Fixed issue where Non-Authorized Application Detected dialog does not use a Norman ESEC-design task bar icon on the endpoint. Norman ESEC task bar icon now displays consistently.
19878 The Application Control Tab in the NESEC Agent Control Panel has been updated so that it accurately reflects when Application Control policies have been applied to the endpoint.
Patch and Remediation Module
Release Notes
ID Description
14332 Stability: Fixed issue where DAgent.exe causes an unknown error.
15141 Fixed error where packages are cached despite Checksum or SHA-1 validation failure. All content is re-hashed and rejected if mismatched on download.
15144 Fixed issue where agents installed to a non-default drive during initial install are moved to the default drive after upgrade. Patch and Remediation module now installs under the Norman ESEC Agent default or custom install path.
16283 Fixed issue where NoficationManager.exe crashed if the machine.config is read-only.
16286 Fixed issue where Fast Path servers added to an Agent Policy Set were not validated. Fast Path entries are now validated before the policy is saved.
17605 Fixed issue where Notifications presented to the user consumed high levels of CPU.
18986 Fixed issue where cached packages ignored the OverWrite flag provided by the GSS. Cached packages now respect flag.
19183 Fixed issue where re-used fingerprint caused false-positives. Scripted fingerprint execution is now randomized to prevent conflicts and has enhanced error checking.
19347 Fixed issue where German endpoints showing the Reboot dialog would display an undefined variable instead of the package name. The dialog now displays input entered during deployment configuration.
20032 The Vulnerability Analysis Report has been updated to include Content Type data and to provide consistency of terminology use across the product. Wake on LAN Module
ID Description
13078 Fixed issue where some endpoints in a custom group were not powered on using the Agent Policy Set HOP option. All endpoints will be powered on now when using HOP.
Known Issues
The Norman Enterprise Security (Norman ESEC) 8.0 release contains the following known issues. NESEC Platform (Core)
ID Description
N/A When installing Norman ESEC on Windows Server 2012R2, installation fails if you have not installed Firefox 24.x ESR.
Cause: The default Web browser installed on 2012R2, Internet Explorer 11, does not include support for Microsoft Silverlight, which is required to complete installation.
Workaround: Download and install Firefox 24.x ESR before installing Norman ESEC.
17999 When upgrading Norman Enterprise Security 7.1 (any version) or 7.2.0.10 to version 8.0, the server upgrade does not complete due to limitations in Microsoft Silverlight.
Workaround: Install the following software manually before beginning upgrade:
• Microsoft .NET Framework 4 (Web Installer)
• Microsoft KB 2836939 (http://support.microsoft.com/kb/2836939
• Microsoft Visual C++ 2010 SP1 Redistributable Package (x86) (install on both x86 and x64 servers)
• Microsoft Visual C++ 2010 SP1 Redistributable Package (x64) (install on x64 server)
19660 After upgrading Norman Enterprise Security to version 8.0 and opening Installation Manager, you are prompted by a dialog to install prerequisites if they aren't installed already. During this process, a dialog may prompt you to reboot. If you manually restart the server instead of using the dialog
Reboot button, the reboot prompt will not be cleared the next time you try to launch Installation Manager.
Workaround: Reboot your server using the Reboot button available in the dialog. The bug is resolved after the reboot completes.
111787 Registered ghosted agents will not re-register, but instead overwrites existing agent records.
Release Notes
ID Description
multiple When viewing the Web console using the Internet Explorer in Metro for Windows 8+ or Windows Server 2012+, UI features display incorrectly, including:
• Installation Manager: the Silverlight Plugin is not supported.
• Log In Screen: Credentials are not saved after selecting "Remember My Credentials".
• Directory Browser: Files types selectable for upload are limit. • Trusted Updater Wizard does not function correctly.
Workaround: Use Internet Explorer 10 or another supported Web browser from the desktop.
Application Control Module
ID Description
18886 Application Control may get blocked initially when upgrading locked-down endpoints from 7.1.0.70 (or earlier) due to a timing issue. The upgrades automatically retry within five minutes and succeed. However, these endpoints will have already received blocked notifications, which may cause confusion.
19647 Upgrading the Windows OS on a locked-down endpoint may result in Windows files being blocked by Application Control.
Workaround: Take endpoints out of lock down before upgrading the OS.
20036 While Blocking Notifications are provided for blocked .exe files, they are not provided for blocked DLLs. Users will receive a Windows or Application error message indicating that the DLL was blocked.
160429 Application Installs (such as Google Chrome) may require multiple Trusted Updaters on locked-down endpoints.
multiple Upgrading, installing, or uninstalling modules on the Norman ESEC server may fail in the Norman ESEC server is locked down with Application Control. Locking down the Norman ESEC server is not recommended at this time.
ID Description
multiple Some Norman files (such as XMLDeltaParser.exe, DAgent.exe, and Agent.Common.dll) are occasionally blocked following lock down of the NESEC Agent 7.3 and earlier. NESEC Agent 7.3 SP1 and later are not affected. However, this issue may be encountered on upgrades of locked-down endpoints from earlier releases, such as 7.3.
Workaround: Create a Supplemental Easy Lockdown Policy (SELP) containing the blocked files to be applied before upgrading pre-7.3 SP1 endpoints to guarantee no issues following upgrade. Contact Norman Support to have this policy applied in your environment.
AntiVirus Module
ID Description
14401 The path name of the virus gets garbled if it contains Japanese characters.
159822 Custom Scan Results post to the Norman ESEC server as being performed by a Recurring Scan Policy instead of a Custom Scan.
Device Control Module
ID Description
N/A Regardless of the SK-NDIS setting you select when upgrading from NES 4.x or Norman ESEC 7.x to Norman ESEC 8.0, the SK-NDIS setting on the endpoint before the upgrade is displayed in the Device Control section of the .
When you set SK-NDIS to install when upgrading an endpoint that does not have SK-NDIS installed, the will report that SK-NDIS is installed when in fact it is not. Reversely, when you set SK-NDIS to not install when upgrading an endpoint that has SK-NDIS installed the will report that SK-NDIS is not installed when in fact it is. You can confirm the actual installation status by querying the SK-NDIS service.
Workaround: Uninstall the Device Control module from the endpoint and then re-install it with the appropriate SK-NDIS setting.
163122 When managing media collections, CD/DVDs must be removed
individually. When multiple CD/DVDs are selected and moved, only 1 is moved.
multiple Certain devices may get blocked as they are not identified correctly by Device Control. This issue has been encountered with devices such as
Release Notes
ID Description
multiple The Device Event Log Query Wizard displays inaccurate errors when changing scheduling, or going back and forth between wizard pages. Patch and Remediation Module
ID Description
14285 The Deployment and Tasks on the Endpoint Details page displays deployments not applicable to the endpoint that have select operating systems installed.
142935 High Memory Usage for managed Solaris 10 endpoints can occur during the Discover Applicable Updates task.
145430 Bandwidth Throttling in Agent policy set does not include Patch Components.
