Release Notes Norman Enterprise Security 8.2 Suite Version: 8.2.8.10


Notices

Version Information

Norman Enterprise Security Release Notes - Norman Enterprise Security Version 8.2 - Published: February 2015

Document Number: 02_204M_8.2_15581012

Copyright Information

Lumension Security, Inc.
8660 East Hartford Drive, Suite 300
Scottsdale, AZ 85255

Copyright © 1999-2014; Lumension Security, Inc.; all rights reserved. Covered by one or more of U.S. Patent Nos. 6,990,660, 7,278,158, 7,487,495, 7,823,147, 7,870,606, and/or 7,894,514; other patents pending. This manual, as well as the software described in it, is furnished under license. No part of this manual may be reproduced, stored in a retrieval system, or transmitted in any form – electronic, mechanical, recording, or otherwise – except as permitted by such license.

LIMITATION OF LIABILITY/DISCLAIMER OF WARRANTY: LUMENSION SECURITY, INC. (LUMENSION) MAKES NO REPRESENTATIONS OR WARRANTIES WITH REGARD TO THE ACCURACY OR COMPLETENESS OF THE INFORMATION PROVIDED IN THIS MANUAL. LUMENSION RESERVES THE RIGHT TO MAKE CHANGES TO THE INFORMATION DESCRIBED IN THIS MANUAL AT ANY TIME WITHOUT NOTICE AND WITHOUT OBLIGATION TO NOTIFY ANY PERSON OF SUCH CHANGES. THE INFORMATION PROVIDED IN THIS MANUAL IS PROVIDED “AS IS” AND WITHOUT WARRANTY OF ANY KIND, INCLUDING WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE INFORMATION PROVIDED IN THIS MANUAL IS NOT GUARANTEED OR WARRANTED TO PRODUCE ANY PARTICULAR RESULT, AND THE ADVICE AND STRATEGIES CONTAINED MAY NOT BE SUITABLE FOR EVERY ORGANIZATION. NO WARRANTY MAY BE CREATED OR EXTENDED WITH RESPECT TO THIS MANUAL BY SALES REPRESENTATIVES OR WRITTEN SALES MATERIALS. LUMENSION SHALL NOT BE LIABLE TO ANY PERSON WHATSOEVER FOR ANY LOSS OF PROFIT OR DATA OR ANY OTHER DAMAGES ARISING FROM THE USE OF THIS MANUAL, INCLUDING BUT NOT LIMITED TO DIRECT, INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, OR OTHER DAMAGES.


Trademark Information

Lumension®, Lumension® Endpoint Management and Security Suite, Lumension® Endpoint Management Platform, Lumension® Patch and Remediation, Lumension® Enterprise Reporting, Lumension® Security Configuration Management, Lumension® Content Wizard, Lumension® AntiVirus, Lumension® Wake on LAN, Lumension® Power Management, Lumension® Application Control, Lumension® Device Control, Lumension® Endpoint Security, Lumension® Intelligent Whitelisting, PatchLink®, PatchLink® Update™, their associated logos, and all other Lumension trademarks and trade names used here are the property of Lumension Security, Inc. or its affiliates in the U.S. and other countries.

Norman®, Norman SandBox®, Norman Virus Control®, the Norman product and service names, their associated logos, and all other Norman trademarks and trade names used here are the property of Norman ASA in the U.S., the European Union, and other countries.

RSA Secured® is a registered trademark of RSA Security Inc.

Apache is a trademark of the Apache Software Foundation.

In addition, any other companies' names, trade names, trademarks, and products mentioned in this document may be either registered trademarks or trademarks of their respective owners.


Part I: Release Notes

In this section:

• New Features
• FAQ
• Issues Resolved
• Known Issues

We are pleased to announce the general availability of Norman Enterprise Security 8.2 (Server Suite 8.2.8.10).

New Features

Norman Enterprise Security (NESEC) 8.2 has several new features in this release.

AntiVirus

New AntiVirus Engine

The new engine delivers enhanced malware detection, reduced bandwidth utilization, and improved endpoint performance, all while maintaining feature parity with earlier versions of AntiVirus. If you're upgrading from a pre-8.2 release, you need to update the NESEC Server and each NESEC Agent to take advantage of all its capabilities.

More Frequent and Smaller AntiVirus Engine and Definition Updates

Each day, ~20 updates are published containing new code samples (signatures) of known viruses and malware as well as periodic engine updates to improve detection and performance. Their average file size of ~100KB per update ensures network bandwidth is not overloaded during distribution to endpoints. Also, engine and definition updates now carry the same version number. You can still use the AntiVirus Polling Frequency feature to limit the number of downloads per day to endpoints.


Separate AntiVirus Engine and Definition Files for 32-bit and 64-bit Operating Systems

AntiVirus content delivery is optimized for the two architectures to improve engine performance on endpoints. You'll see changes in the Subscription Service area:

• Subscription Service History section of the Subscription Updates page upon replication.

Figure 1: 32-bit and 64-bit Content Replication Example

• File version information in the AntiVirus engine and definition versions (Server) section.

Figure 2: 32-bit and 64-bit File Version Information Example

New Global Subscription Service Location

The NESEC Server downloads 8.2+ NESEC Agent content from http://cache.lumension.com/avcontent

Figure 3: Content Storage Location Example


Intervals for the Polling Frequency "Run Every" Option Changed to Hours

The Polling Frequency sets how frequently or when the NESEC Server checks for AntiVirus updates. The Run Every intervals are now 0.5 hours to 24 hours (default 8 hours).

Figure 4: Polling Frequency Intervals Example

Maximum "Delay AV definition distribution by" Setting Reduced to 23 Hours

You use the option in Agent Policy Sets to delay the distribution of newly downloaded AntiVirus updates to endpoints. It must always be less than the Polling Frequency (minimum of 1 hour less). For example, if you maintain polling at the default 8 hour frequency, then the maximum delay you can set is 7 hours. If the delay set is greater than the Polling Frequency, the system will apply a delay equal to the Polling Frequency minus 1 hour.

Important: If you are upgrading from 8.1 or earlier and currently use the Definition Distribution Delay feature, you will need to define a delay for 8.2 agents.

Figure 5: Definition Distribution Delay Example

Smart Caching

The durations of subsequent AntiVirus scans of all types are significantly shortened by skipping previously scanned files that have not been modified. A database of scanned files, along with the option parameters they were scanned with, is maintained on the endpoint. A file rescan takes place only if the file is modified, a scan option is set to a stricter setting, or a definition update requires it. This reduces the performance impact on endpoints and allows for more frequent recurring scans, as subsequent scans have reduced duration.
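The three rescan conditions above can be modelled as a per-file cache record. This is an added illustration, not the product's implementation: the option names, the `rescan_floor` signal from a definition update, and the optional hash check are all assumptions.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass

# Assumed strictness ordering of scan options (hypothetical names).
STRICTNESS = {"quick": 0, "standard": 1, "deep": 2}

@dataclass
class CacheEntry:
    size: int
    mtime_ns: int
    sha256: str
    option: str        # option the file was last scanned with
    defs_version: int  # definition version used for that scan

def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def record_scan(cache, path, option, defs_version):
    """Store the record for `path` after it has been scanned clean."""
    st = os.stat(path)
    cache[path] = CacheEntry(st.st_size, st.st_mtime_ns, sha256_of(path),
                             option, defs_version)

def rescan_reason(cache, path, option, rescan_floor=0, verify_hash=False):
    """Return why `path` needs scanning, or None if the cached result holds."""
    entry = cache.get(path)
    if entry is None:
        return "not in cache"
    st = os.stat(path)
    if (st.st_size, st.st_mtime_ns) != (entry.size, entry.mtime_ns):
        return "file modified"
    # Optional content check: catches a same-size edit with a restored timestamp.
    if verify_hash and sha256_of(path) != entry.sha256:
        return "file modified (timestamp unchanged)"
    if STRICTNESS[option] > STRICTNESS[entry.option]:
        return "stricter scan option"
    # Assumed signal: results older than rescan_floor are no longer trusted.
    if entry.defs_version < rescan_floor:
        return "definition update requires rescan"
    return None

def demo():
    cache, out = {}, []
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.bin")  # constructed sample file
        with open(path, "wb") as fh:
            fh.write(b"constructed sample")
        out.append(rescan_reason(cache, path, "standard"))
        record_scan(cache, path, "standard", defs_version=100)
        out.append(rescan_reason(cache, path, "standard"))
        out.append(rescan_reason(cache, path, "deep"))
        out.append(rescan_reason(cache, path, "quick", rescan_floor=101))
        with open(path, "ab") as fh:
            fh.write(b"!")
        out.append(rescan_reason(cache, path, "standard"))
    return out
```

A cache keyed only on size and timestamp trusts metadata that a process with write access can reset, which is why the sketch offers the slower `verify_hash` path.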


Some Types of ZIP Files Are Scanned by the AntiVirus Engine Even if the "Scan Archives" Option Is Disabled

Some operating systems and common applications are able to open such archives directly, skipping the extracting phase that occurs before unpacked content is written to the file system. To provide better detection, the engine determines heuristically whether a particular ZIP file should be scanned, using such criteria as the number and size of files in the archive, and whether the archive contains an executable file.
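A triage function over the three criteria named above (member count, total size, presence of an executable), as an added example that is not the engine's code. The thresholds, the extension list, and the rule "small archive containing an executable" are assumptions; the page does not publish the engine's values.

```python
import io
import zipfile

# Assumed limits for illustration only.
MAX_MEMBERS = 10
MAX_TOTAL_BYTES = 5 * 1024 * 1024
EXEC_EXTS = (".exe", ".scr", ".com", ".dll", ".js", ".vbs", ".bat", ".cmd")

def member_is_executable(zf, info):
    """Check the extension first, then the PE 'MZ' magic for renamed files."""
    if info.filename.lower().endswith(EXEC_EXTS):
        return True
    if info.flag_bits & 0x1:  # encrypted member: content cannot be read
        return False
    with zf.open(info) as fh:
        return fh.read(2) == b"MZ"

def should_scan_zip(data):
    """Return (scan, facts) for a ZIP given as bytes."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # An archive that cannot be parsed is not given the benefit of the doubt.
        return True, {"error": "unreadable archive"}
    with zf:
        files = [i for i in zf.infolist() if not i.is_dir()]
        facts = {
            "members": len(files),
            "total_bytes": sum(i.file_size for i in files),
            "has_executable": any(member_is_executable(zf, i) for i in files),
        }
    small = (facts["members"] <= MAX_MEMBERS
             and facts["total_bytes"] <= MAX_TOTAL_BYTES)
    return facts["has_executable"] and small, facts

def build_zip(members):
    """Build a constructed in-memory ZIP from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()

# Constructed samples: plain documents, and a PE header under a .pdf name.
DOCS = build_zip({"a.txt": b"hello", "b.csv": b"1,2,3"})
RENAMED_PE = build_zip({"invoice.pdf": b"MZ" + b"\x00" * 64})
```

The magic-byte check matters because a decision based on extensions alone would pass the second sample.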

Scan CPU Utilization Setting Takes Into Consideration CPU Cores Available and Thread Priority

You set the CPU utilization % threshold to control the level of impact the scan is to have on endpoint performance in Scan Now, Recurring Virus and Malware Scans, and (EPUI) Full Scan/Custom Scan. Endpoint users will experience even less impact on system responsiveness as they perform common tasks while an AntiVirus scan is in progress.

New Filenames and Content Structure for Endpoint Scan Logs

We've made it easier to identify logs and read their contents:

• Real-Time Monitoring_yyyy_mmm_hh:mm:ss.log

• Recurring-scan _yyyy_mmm_hh:mm:ss.log

• ScanSummary.txt

• QuarantineScanRestore.log

• epui -custom-scan _ yyyy_mmm_hh:mm:ss.log

• epui -full-scan _ yyyy_mmm_hh:mm:ss.log

Their location remains unchanged: <Install_Dir>/EMSS/Endpoint Distribution Services/logs

Temporary Support for 7.2 to 8.1 Agents Until 31 July 2015

If you've upgraded from a previous NESEC release, we're giving you ample time to upgrade agents in your environment. You can continue to run pre-8.2 agents, managed through separate AntiVirus Agent version 7.2 to 8.1 sections we’ve provided for Definition File Distribution, Content Storage Locations, and Engine & Definition File Version Information.

Figure 6: Pre-8.2 Agent Section Examples


Endpoints that have not migrated to the new AntiVirus solution by 31 July 2015 will no longer receive definition file updates, leaving them vulnerable to attack. An Agent version warning icon will display beside the Agent Version information of pre-8.2 agents on Manage > Endpoints > AntiVirus tab.

Figure 7: Pre-8.2 Agent Update Warning

Before Upgrading to AntiVirus 8.2, Microsoft Visual C++ 2012 Update 4 Redistributable Package (x86 and x64) Must Be Installed

Though the Norman Installation Manager installs .NET requirements during an upgrade to AntiVirus 8.2, this specific package must be installed manually before you start the upgrade. It is available for download at: http://www.microsoft.com/en-us/download/details.aspx?id=30679

Patch and Remediation

Windows Embedded 8.1 Industry Pro Support

The NESEC Agent and the Patch and Remediation endpoint module are now supported on Windows Embedded 8.1 Industry Pro for 32- and 64-bit architectures.

Global Patch Disable with Reasons (and Reporting)

Prevent specific patches from being deployed in your enterprise using Global Patch Disable, a feature that removes selected patches from the different Content page lists. This feature is useful when:

• A patch conflicts with operating systems or other applications.
• The patch has a high frequency of installation failure.
• Your enterprise hasn't approved it for deployment.

Global Patch Disable also features a drop-down list of reasons for the disable. Use one of the default system reasons (or enter your own) to inform yourself or other NESEC Admins about why a patch is disabled. When the reason is resolved, re-enable the patch and make a new comment about why you re-enabled it (i.e., you tested a patch and approved it for deployment).

Figure 8: Disable Content Dialog

Disabled/Enabled Patch Content Report

As you disable (and re-enable) patch content, run the newly added Disabled/Enabled Patch Content Report to keep track of the patches that are available in your system.

Figure 9: Disabled/Enabled Patch Content Report


Custom Patch List Improvements

We've added new user interface elements to the Custom Patch List feature that make it more intuitive to use:

Custom Patch List Splash Page: When the CUSTOM PATCH LIST node is selected from the Patch Content Browser, a splash page opens. Use this page to create new lists or edit your five most recently used.

Figure 10: Custom Patch List Splash Page

List Container Animations: When you add a new Custom Patch List to the Patch Content Browser or add content to an existing list, an animation displays in the Browser to notify you of the action.

Figure 11: Custom Patch List Animation Example


List Container Patch Count: Each list container in the Patch Content Browser now indicates how many patches it contains in parentheses (see figure above).

List Breadcrumb: The banner above the Content page toolbar now displays what Custom Patch List you're working with.

Figure 12: Breadcrumb Example

Patch Content Vendor Filtering

You can now filter custom patch lists and system views by Vendor and Vendor Release Date. These filters are available from each of the Patch Content pages available in NESEC:

• Review > Vulnerabilities
• Review > Software
• Review > Other
• Manage > Groups > Patch Content/Vulnerabilities

Figure 13: Release Date Filter


FAQ

How Do I Determine if my Upgrade Was Successful?

Server: From the NESEC console, navigate to Help > About. Successful upgrades will display a Server Suite Version of 8.2.8.10.

Agent: From the NESEC console, navigate to Manage > Endpoints. Successful agent upgrades will display a version of 8.2.8.10.

Issues Resolved

The Norman Enterprise Security (NESEC) 8.2 release resolves the following issues.

Core

ID Description

20656 Corrected an issue that caused OSPack regeneration errors.

21069 Corrected an issue that occurred on upgraded NESEC 8.x Servers that have two NIC cards installed. These servers would (falsely) list a critical error in Norman Event Viewer each time the Endpoints page was visited.

21291 Replaced the Product Licensing page's Total Purchased column with the Purchased (non-expired) column. This change should make it easier to understand your licensing.

25891 Corrected an issue where 8.x agents would falsely report themselves as 7.x agents on the Endpoints page following upgrade.

28134 Corrected a System Event Viewer error (Type: Warning, Source: ntfs, Event: 50) that occurs when the NESEC Agent is installed without any modules.

27069 Corrected an issue that prevented XP and Windows Server 2003 endpoints from successfully completing upgrades. Endpoints with 7.x could not upgrade to 8.x due to locked files.

27071 Corrected an issue that prevented users from waking endpoints using Norman Wake on LAN. For some endpoints, the NESEC Agent was unable to collect the MAC address, which is used during the wake process.

27366 Corrected an issue that produced an excessive number of logs on some NESEC Servers. Affected servers would ignore the "LogMaxFiles" setting in the logging configuration file (LM.Logging.Config).

27703 Corrected an issue where if you installed the NESEC Agent from command line using the GROUPLIST parameter, you could not remove that endpoint from that group.


27960 Corrected an issue related to endpoint distribution services logging. This issue caused redundant exception errors within Application Control and Device Control event logs.

27711 Corrected an issue that affected command line installs of the NESEC Agent. If a slash was added to the end of the installation directory parameter (/INSTALLDIR), the install would fail.

28165 Corrected an issue related to the VMWare endpoint group. If you upgraded your 7.x NESEC Server to 8.x, this group was incorrectly added to the Directory Service Groups hierarchy.

28650 Corrected an issue where endpoint distribution services consumed excessive CPU.

29012 Corrected a rare issue during NESEC Agent upgrade from 7.3 to 8.x that caused root drive data loss.

27974 Corrected an issue that affected enterprises using third-party firewalls that are configured with an overriding connection timeout value. These socket connections would close during NESEC replication. These sockets now remain open.

AntiVirus

ID Description

28370 Corrected an issue where NESEC Server upgrades from 8.0 to 8.x would fail if AntiVirus had been installed and then uninstalled.

29004 Corrected an issue that affected Realtime Monitoring Policies. Logging for these policies falsely lists an event as critical multiple times (although the event is non-critical): yyyy-mm-dd-hh:mm:ss, idNumber,critical,av,"LM.EPS.VirusScanner: Task_OnAccessScan::Execute Enter".

Application Control

ID Description

20040 Corrected incorrect text in the Policy Assignment dialog.

22926 Corrected an issue affecting the trusted updater that caused some endpoints to blue screen.

28732 Corrected an internal server error. This error would occur when sorting the Application Library page using the Show Group by Row filter.


Device Control

ID Description

14045 Corrected an issue that affected Intel Centrino Wireless-N 2230 network cards. Device Control falsely identified this card as a different device, and would therefore not block its operation.

20668 Corrected an issue where the Device Connected widget creates a new log query each time it's refreshed (you can view this widget from the Home page).

27349 Corrected an issue where the breadcrumb on the Device Control Policy page would not function as a link.

27963 Corrected an issue that prevented event logging from being updated within Windows Event Viewer. Device Control event logs with bad time stamps prevented logs from being updated.

28682 Corrected an issue that affected the Default Policy for DVD/CD Drives device control policy. If you had disabled this policy, it would become re-enabled following an agent upgrade from 7.3 to 8.x. The policy now remains disabled.

28683 Corrected an issue that affected the LDC install SK-NDIS driver policy within the Global System Policy. If you changed the setting to Do not install, it would revert to the default value (Install enabled) following an agent upgrade from 7.3 to 8.x. The setting now remains Do not install.

Patch and Remediation

ID Description

28529 Corrected an issue that affected Mandatory Baseline use in Internet Explorer 9. When adding/removing content to the baseline for a custom group, the list of content displayed incorrectly.

28291 Corrected an issue where some Patch and Remediation endpoints randomly rebooted following a deployment that allowed users to snooze the reboot (the user is not notified that a reboot is pending).

27311 Corrected an issue that affected the Mandatory Baselines view (applying filters to the list of content took an excessive amount of time to complete).

27745 Corrected a data exception that occurred when opening the Deployment and Tasks view from the Groups page.

21283 and 27986 Corrected an issue that affected reports. The reports listed an incorrect deployment date and time.

Known Issues

NESEC 8.2 contains some known issues.

Upgrade

ID Description

28945 During upgrade to NESEC 8.2, the Norman Installation Manager hangs when installing the Microsoft Visual C++ 2012 Update 4 Redistributable Package (x86 and x64) prerequisite. Workaround: Download and install the Redistributable Package available at http://www.microsoft.com/en-us/download/details.aspx?id=30679, then rerun Norman Installation Manager to complete the upgrade.

Core

ID Description

27212 When using Mozilla Firefox 24 or 31, there is an issue when selecting multiple items on listed pages. When dragging to select multiple rows, the rows are selected and the text is highlighted (when the text should not be highlighted).

29366 When using Norman Remote Systems Management within Mozilla Firefox 24 or 31, remote endpoint management does not work because it fails to download the necessary files. Workarounds:

1. Use Microsoft Internet Explorer 9+ instead.
2. Download and install the plug-in available at https://addons.mozilla.org/en-US/firefox/addon/microsoft-net-framework-assist/.

28947 During upgrade to NESEC 8.2, the Norman Installation Manager hangs when installing the Microsoft Visual C++ 2012 Update 4 Redistributable Package (x86 and x64) prerequisite. Workaround: Download and install the Redistributable Package available at http://www.microsoft.com/en-us/download/details.aspx?id=30679, then rerun Norman Installation Manager to complete the upgrade.

Device Control

ID Description

28311 If you attempt to apply a device collection policy configured to allow Read/Write permissions to a new collection, RTNotify incorrectly shows a permission setting of None. Workaround: The permission actually allows Read/Write despite the interface incorrectly displaying None. Instruct the user to proceed as normal, despite the misleading text.


28727 When the RTNotify dialog is open on German and French operating systems, the device class text "Modem - USB" is incomplete. The class should be named "Modem/Secondary Network Access Device - USB" (pending translation of course).
