Symantec Data Center Security: Server Advanced

Transcription

1 Symantec Data Center Security: Server Advanced Release Notes Version 6.5

2 Symantec Data Center Security: Server Advanced Release Notes Documentation version: 1.2 Legal Notice Copyright 2015 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, the Checkmark Logo and are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any. THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE. Symantec Corporation 350 Ellis Street Mountain View, CA

3 Technical Support Contacting Technical Support Symantec Technical Support maintains support centers globally. Technical Support s primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates. Symantec s support offerings include the following: A range of support options that give you the flexibility to select the right amount of service for any size organization Telephone and/or Web-based support that provides rapid response and up-to-the-minute information Upgrade assurance that delivers software upgrades Global support purchased on a regional business hours or 24 hours a day, 7 days a week basis Premium service offerings that include Account Management Services For information about Symantec s support offerings, you can visit our website at the following URL: All support services will be delivered in accordance with your support agreement and the then-current enterprise technical support policy. Customers with a current support agreement may access Technical Support information at the following URL: Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to replicate the problem. When you contact Technical Support, please have the following information available: Product release level Hardware information

4 Available memory, disk space, and NIC information Operating system Version and patch level Network topology Router, gateway, and IP address information Problem description: Error messages and log files Troubleshooting that was performed before contacting Symantec Recent software configuration changes and network changes Licensing and registration Customer service If your Symantec product requires registration or a license key, access our technical support Web page at the following URL: Customer service information is available at the following URL: Customer Service is available to assist with non-technical questions, such as the following types of issues: Questions regarding product licensing or serialization Product registration updates, such as address or name changes General product information (features, language availability, local dealers) Latest information about product updates and upgrades Information about upgrade assurance and support contracts Information about the Symantec Buying Programs Advice about Symantec's technical support options Nontechnical presales questions Issues that are related to CD-ROMs, DVDs, or manuals

5 Support agreement resources If you want to contact Symantec regarding an existing support agreement, please contact the support agreement administration team for your region as follows: Asia-Pacific and Japan Europe, Middle-East, and Africa North America and Latin America

6 Contents Technical Support... 3 Chapter 1 Introducing Symantec Data Center Security: Server Advanced... 7 About Symantec Data Center Security: Server Advanced... 7 About DCS:S and DCS:SA... 9 About installation and prerequisites Where to get more information Additional release information Chapter 2 New Features and Enhancements New features in this release Additional platform support Chapter 3 Resolved Issues Resolved issues in this release Chapter 4 Known Issues and Limitations Known issues in this release Limitations in this release Appendix A Appendix Re-establishing agent-server communication after upgrade from SCSP v5.2.0 to DCS:SA v6.0 or later... 31

7 Chapter 1 Introducing Symantec Data Center Security: Server Advanced This chapter includes the following topics: About Symantec Data Center Security: Server Advanced About DCS:S and DCS:SA Where to get more information Additional release information About Symantec Data Center Security: Server Advanced Symantec Data Center Security: Server Advanced (DCS:SA) provides a policy-based approach to endpoint security and compliance. The intrusion prevention and detection features of DCS:SA operate across a broad range of platforms and applications. It provides: A policy-based host security agent for monitoring and protection. Proactive attack prevention using the least privilege containment approach. A centralized management environment for enterprise systems that contain Windows, UNIX, and Linux computers.

8 Introducing Symantec Data Center Security: Server Advanced About Symantec Data Center Security: Server Advanced 8 Table 1-1 DCS:SA capabilities Security and protection Compliance Real-time proactive enforcement Intrusion and malware prevention System hardening Application control Privileged user access control Vulnerability and patch mitigation Does not use signatures or require continual updates to content Real-time monitoring and auditing Host intrusion detection File integrity monitoring Configuration monitoring Tracking and monitoring of user access Logging and event reporting The major features of DCS:SA are as follows: Intrusion detection facility for compliance auditing Real-time file integrity monitoring Granular change detection of registry values, file contents, and attributes Operating system and application log monitoring Local event correlation and smart response actions Intrusion Prevention facility for malware prevention and system lockdown Sandbox containment of operating system and application processes by an in-kernel reference monitor Granular access control of network, file systems, registry, process-to-process memory access, system calls, and application and child process launches Privileged user and program behavior Anti-malware security DCS:SA Security Virtual Appliance (SVA) provides agentless anti-malware security services for the virtualized network through integration with the VMware Network and Security Virtualization (NSX) platform. SVA provides two types of policies: Antivirus policies, and configuration policies. Comprehensive out-of-the-box policies for complete system monitoring and protection of physical and virtual systems Security orchestration using Operations Director. Operations Director is intended to: Automate security provisioning workflow. Provide application-centric security service. Seamlessly integrate with VMware NSX.

9 Introducing Symantec Data Center Security: Server Advanced About DCS:S and DCS:SA 9 Provide out-of-box security product integration. Centralized management environment for administering agents, policies, and events Integration with Security Information and Event Management (SIEM) and other security tools, as well as enterprise infrastructure components such as Active Directory, SMTP, and SNMP Broad platform support across Windows, Linux, UNIX and virtual environments for critical servers, workstations, laptops, and standalone systems The major benefits of DCS:SA are as follows: Reduces emergency patching and minimizes patch-related downtime and IT expenses through proactive protection that does not require continuous updates. Reduces incidents and remediation costs with continuous security. Once the agent has a policy, it enforces the policy even when the computer is not connected to the corporate network. And even if a computer is unable to obtain the latest patches in a timely fashion, DCS:SA continues to block attacks so that the computer is always protected. Provides visibility and control over the security posture of business-critical enterprise assets. Uses predefined compliance and hardening policies to provide efficient security management, reporting, alerting, and auditing of activities. Also provides compensating controls for compliance failures. About DCS:S and DCS:SA This document describes the features of Symantec Data Center Security: Server Advanced (DCS:SA). If you have purchased Symantec Data Center Security: Server (DCS:S), you are only entitled to a subset of these features. The features and components included in each product are described below: DCS:S entitles you to agentless anti-malware protection for your VMware guest VMs, via integration with the VMware NSX platform, as well as monitoring and hardening your VMware infrastructure. In addition, DCS:S lets you orchestrate security using Operations Director. By using the intelligence of Operations Director, you can provision a vapp/vm with the right security policies. DCS:SA extends DCS:S and allows you to monitor and protect physical and virtual data centers using a combination of host-based intrusion detection (HIDS), intrusion prevention (HIPS), and least privilege access control. Fully instrumented

10 Introducing Symantec Data Center Security: Server Advanced Where to get more information 10 REST API provides corresponding API for all console actions to enable full internal and external Cloud automation. About installation and prerequisites For information on the installation of DCS:S, DCS:SA, and their installation prerequisites, refer to the DCS:SA Planning and Deployment Guide. Where to get more information Product manuals for DCS:SA are available on the DCS:SA product media. Updates to the documentation are available from the Symantec Technical Support and Business Critical Services (BCS) Web sites. The DCS:SA product manuals are as follows: Installation Guide Online Help DCS:SA Online Help Planning and Deployment Guide Overview Guide Administrator's Guide Prevention Policy Reference Guide Detection Policy Reference Guide Agent Guide Implementation Guide Integration with VMware NSX (for Security Virtual Appliance) Operations Director Reference Guide vsphere Support Guide Release Notes Platform and Feature Matrix The following table lists additional information that is available from the Symantec Web sites.

11 Introducing Symantec Data Center Security: Server Advanced Additional release information 11 Table 1-2 Type of information Public Knowledge Base Symantec Web sites Web address Releases and updates Manuals and other documentation Contact options Virus and other threat information and updates Additional release information Symantec publishes the following release information in addition to the product-specific highlights for DCS:SA v6.5: For troubleshooting the registration of Symantec Data Center Security plug-in for Operations Director, refer to the document Manual_Registration_Data_Center_Security_Plug-in.pdf that is included in the ISO file. DCS:SA v6.5 does not support TCP Segmentation Offload (TSO) and Large Receive Offload (LRO) for Guest Network Threat Protection. When the appropriate TSO/LRO support is present in the NSX software stack, DCS:SA may provide support in a future release. DCS:SA v6.5 discontinues support for SUSE Linux Enterprise Server 32-bit. DCS:SA v6.5 does not support Pentium III processors for Windows agent installations. The online help content for the management console continues to support DCS:SA v6.0 with no further edits. For the updated help topics for DCS:SA v6.5, refer to the following link: EN_US&vid=v _v &ProdId=DCS1_0&context=DCS1.0

12 Chapter 2 New Features and Enhancements This chapter includes the following topics: New features in this release Additional platform support New features in this release DCS:S v6.5 includes the following new features: Table 2-1 New features in DCS:S Feature Description New network-based intrusion prevention system and application-centric protection for many data center applications. DCS:S v6.5 provides intrusion prevention at network layers by monitoring the network traffic and blocking all suspicious activities. Provides an option to choose application-specific protection to optimize network through put. Capability to quarantine malware in a guest virtual machine with options to manage quarantine folders. DCS:S v6.5 lets you configure the antivirus policies to enable quarantine of infected files and send them to the quarantine folder. DCS:S v6.5 includes the following new features:

13 New Features and Enhancements New features in this release 13 Table 2-2 Feature New features in DCS:S - Operations Director Description Security orchestration feature by using Symantec Data Center Security Operations Director (OD) Operations Director lets you do the following: Automate security provisioning workflow Security provisioning workflow gets triggered directly from vcenter upon creation of new virtual application. OD also automates the collaboration between the virtual infrastructure administrator and security administrator to reduce security provisioning time to minutes. Provide application-centric security service Instantly assesses application security requirements during vapp/vm provisioning by using security tags. An intelligent rule engine identifies the appropriate security policies. OD also provides out-of-box tags and security policy mapping. Seamlessly integrate with VMware NSX Leverages NSX platform and NSX compatible security services to create application-specific security groups and policies. Provide out-of-box security product integration Applies antimalware controls by using Symantec Data Center Security: Server, server hardening controls by using Symantec Data Center Security: Server Advanced, and automates application firewall rules by using Palo Alto Networks Next Generation Firewall. Note: For DCS:SA, you can orchestrate security policies by integrating with Operations Director.

14 New Features and Enhancements New features in this release 14 Table 2-2 Feature New features in DCS:S - Operations Director (continued) Description Unified Management Console (UMC) UMC is an appliance that provides a web-based console for NSX virtual data center protection and orchestration. The console is used to register and configure various features and products of Symantec Data Center Security. UMC provides unification of the common tasks across DCS:S, DCS:SA, and Operations Director. DCS:SA v6.5 includes the following new features in Intrusion Detection: Table 2-3 Feature New features in DCS:SA - Intrusion Detection Description Capability to monitor and harden OpenStack servers OpenStack-specific protection and detection policies are included in this release to monitor activities on OpenStack server and to harden the authentication module keystone. This feature is available on the supported operating systems of Ubuntu and RHEL based OpenStack installations. Capability to monitor extended file attributes and access control list ACL changes RT-FIM support for VxFS Support for AWS virtual systems A new detection feature is added to UNIX and Linux systems to monitor changes in the Extended file attributes and Access Control List. For example, changes made by setfacl or setfattrib commands can be monitored by using detection policy. Real-time File Integrity Monitoring is now supported on the operating systems that are supported by Veritas File Systems. Windows and Linux agents can be installed on virtual instances of AWS. All the operating systems that are in the platform matrix document and available in an AWS environment are supported

15 New Features and Enhancements New features in this release 15 Table 2-3 Feature New features in DCS:SA - Intrusion Detection (continued) Description Support for Security-Enhanced Linux (SELinux)/AppArmor Support for Red Hat Enterprise Linux 7.0 DCS:S agents can now coexist with SELinux and AppArmor in enforcement mode. Users are not required to disable or set to passive mode before the agent installation. DCS:S agents are now supported on RHEL 7. Refer to the DCS:SA Platform Feature Matrix document for details. DCS:SA v6.5 includes the following new features in Intrusion Prevention: Table 2-4 Feature New features in DCS:SA - Intrusion Prevention Description RESTful API support for additional platforms and integration Application-centric hardening (database schema changes) LAMP support on UNIX (new sandboxes for MySQL and PHP in UNIX policy) Upgraded third-party components (OpenSSL, curl, FIPS) Fully instrumented REST API provides corresponding API for all console actions to enable full internal and external Cloud automation. The management server and the database have been enhanced to improve support for managing application data from a performance perspective. New sandbox controls have been created to protect LAMP environments (Linux Apache MySQL PHP) that use the UNIX prevention policies. A new MySQL sandbox has been introduced, in addition to the PHP support that has been added to the existing Apache sandbox. The third-party libraries have been updated to include the latest security fixes. DCS:SA agents now use OpenSSL v1.0.1j, FIPS ECP v2.0.8, and curl v libraries.

16 New Features and Enhancements Additional platform support 16 Table 2-4 Feature New features in DCS:SA - Intrusion Prevention (continued) Description Support for No-run list exception in prevention policy Capability to block execution of files with non-executable extensions Support for Red Hat Enterprise Linux 7.0 and CentOS 7 A list of processes that are prevented from being executed has been added to every sandbox. Exception list of processes that are allowed to run by using a specific command-line argument has also been added to the sandboxes. The Windows prevention policies now provide support to block the execution of files that have non-executable file extensions. RHEL 7 and CentOS 7 are now supported by DCS:SA agents. Refer to the DCS:SA Platform Feature Matrix document for details. ACL changes on Windows and UNIX Capability to block modifications to Windows services Capability to block product registration Capability to block the Windows Installer from executing The access control lists on DCS:SA agent files have been tightened to provide additional protection from the Operating System. The Windows prevention policies have been enhanced to provide support to prevent processes from starting the Windows Service Control (SC) utility and from modifying the *ControlSet* service registry keys. The DCS:SA v6.0 Windows prevention policies provide support for blocking software from registering components with the Windows registry. The DCS:SA v6.0 Windows prevention policy provides the capability to prevent processes from starting the Windows Installer process. Additional platform support DCS:SA v6.5 adds support on the following platforms:

17 New Features and Enhancements Additional platform support 17 Table 2-5 Platform New platform support IDS IPS Security-Enhanced Linux (SELinux) Red Hat Enterprise Linux version 7 OpenStack Yes Yes Yes Yes Yes Yes

18 Chapter 3 Resolved Issues This chapter includes the following topics: Resolved issues in this release Resolved issues in this release Table 3-1 DCS:SA resolved issues Issue Windows 2012 R2 agents used to display the OS version and type as Windows 2012 on the console Description For the agents installed on Windows 2012 R2, OS type and version "Windows server 2012 was displayed on the console instead of Windows server 2012 R2. In case of a policy in prevention disabled state, if the prevention ON/OFF slider control is used for enabling an individual sandbox or a group of sandboxes, it overrides the disabled state in the global policy level This issue has been fixed. Affected operating systems: Windows 2012 R2 Affected DCS:SA versions: 6.0 MP1 and earlier In case of a policy in prevention disabled state, if the prevention ON/OFF slider control is used for enabling an individual sandbox or a group of sandboxes, it overrides the disabled state in the global policy level. This issue has been fixed. Now you cannot enable prevention for an individual sandbox or a group of sandboxes when prevention is globally disabled in the policy. Affected DCS:SA versions: 6.0 MP1 and earlier

19 Resolved Issues Resolved issues in this release 19 Table 3-1 Issue DCS:SA resolved issues (continued) Description Policy used to take long time to load in a console when predefined applications are added in trusted updaters or in application rules While opening a policy having predefined applications added in trusted updaters or in application rules, opening of the policy used to take long time. This issue has been fixed. Affected DCS:SA versions: 6.0 MP1 and 6.0 Management server upgrade used to fail with custom SQL named instance listening on custom port with SQL browser service OFF The Database using custom SQL named instance with a custom port and having the SQL browser service OFF, Management server upgrade used to fail. This issue has been fixed. Affected operating systems: All Windows server supported platforms Affected DCS:SA versions: 6.0 MP1 and earlier In a specific scenario, CPU utilization of SQL Server was high when application data was fetched from agents CPU utilization of SQL Server was high when application data was fetched from agents. This issue has been fixed. 'Superuser_Group_Created' event used to get generated when the user password was changed in a specific scenario Affected DCS:SA versions: 6.0 MP1 and 6.0 'Superuser_Group_Created' event used to get generated along with User_Password_Changed event when a user changed the password when the user password was set with specific settings such as No password expire and No warning for password expire. Affected operating systems: All supported UNIX and Linux platforms Affected DCS:SA versions: 6.0 MP1 and earlier Affected DCS:SA Policy: UNIX Baseline Detection policy

20 Resolved Issues Resolved issues in this release 20 Table 3-1 Issue DCS:SA resolved issues (continued) Description UNIX Baseline Detection Policy failed to apply on UNIX agents when Root Logon Failure option was not selected in the policy When UNIX Baseline Detection Policy was applied on UNIX agents without selecting Root Logon Failure option under SSH Logon Failure, the policy failed to apply with the following error: Variable not found: SSH_Logon_Failure_Root_Logon_Failure.SelectStrings%" This issue has been fixed. Affected operating systems: All supported Solaris and HP-UX platforms Affected DCS:SA versions: 6.0 MP1 and earlier Affected DCS:SA Policy: UNIX Baseline Detection policy In a specific scenario, translation used to fail when any IPS policy other than null policy was applied on the agent Applying any IPS policy other than null policy on an agent used to fail when length of parameter value in a policy is greater than a certain limit. This issue has been fixed. Affected operating systems: All supported Windows agents Affected DCS:SA versions: 6.0 and 6.0 MP1 Installation of the agent used to fail on Win XP embedded SP3 Installation of the agent used to fail on the Win XP embedded SP3 platform. This issue has been fixed. Affected DCS:SA versions: 6.0 MP1 and 6.0 Note: Win XP embedded is frozen in the DCS:SA 6.5. The updated installer is present in the legacy folder on DCS:SA6.5 CD image.

21 Chapter 4 Known Issues and Limitations This chapter includes the following topics: Known issues in this release Limitations in this release Known issues in this release Table 4-1 lists the issues that are known in this release for DCS:S. Table 4-1 DCS:S known issues Issue description Workaround/recommendation SVA adds the NTP servers in the /etc/ntp.conf file, when SVA is configured for DHCP IP and the DHCP server in the network is configured to offer NTP Servers. At times, the netsec service fails to start when the SVA service is deployed. The error message 'Failed to initialize the DVFilter API library' is logged in the netsec.log file, although it is not displayed on the user interface. To resolve this, you must do one of the following: Log in to SVA and delete extra NTP servers from the /etc/ntp.conf file, and restart the NTP daemon. Modify the function ntp_config() in /etc/dhcp/dhclient.d/ntp.sh as follows: ntp_config() { return #do nothing } To resolve this issue, you must restart the host ESX computer.

22 Known Issues and Limitations Known issues in this release 22 Table 4-1 Issue description DCS:S known issues (continued) Workaround/recommendation The threats that are not in either the HTTP request or HTTP response header are blocked, but may not display the "Threat Detected and Blocked" message in the guest virtual machine's browser. NSX may send network traffic to the SVA before NSX provides guest network threat protection policy information for that network traffic. Until the policy information is received, the network traffic remains unprotected. No workaround is available currently. Follow the VMware best practices for configuration of security groups and virtual machine management to minimize this situation. Note: There is no notification of this situation in the management console or the NSX management console. In NSX environments, there may be delays in propagating Guest Network Security protection information from NSX to the SVA. Until the security virtual appliance fetches the information, the network flow remains unprotected. Guest Network Security monitors network traffic through integration with NSX NSX informs the SVA when to start and stop monitoring network. NSX network introspection may send network traffic to the SVA that does not comply with the network introspection security policy and rules configured in NSX. DCS:S v6.5 examines all the network traffic that is sent to the security virtual appliance by NSX Follow the best practices when you establish the security groups and apply the network threat protection policies to the security groups to minimize this delay. Follow the best practices when you establish the security groups and apply network threat protection policies to those security groups for appropriate protection. Create a new security group and apply a security policy to the security group. vcenter 5.5 Update 2 does not correctly propagate the usb.present setting in the SVA.OVF file. usb.present is correctly configured in the SVA.OVF file, but when the OVF is deployed, vcenter does not propagate the setting correctly. When a configuration policy is updated and LiveUpdate is run, the policies are not published. No workaround is available currently. Use the REST API script to re-publish the policies.

23 Known Issues and Limitations Known issues in this release 23 Table 4-1 Issue description DCS:S known issues (continued) Workaround/recommendation The Top 10 GVMs with virus threats remediated graph on the Home page does not display the bar for the guest virtual machine that has a lower virus count as compared to the other GVMs, although the name of the GVM is displayed correctly. However, the virus count is displayed as a tooltip on mouse hover. You can also drill-down to the Events page by clicking the label. No workaround is available currently. Mount fails on an agent that has the NFS client with protection is enabled, even though mounting is allowed in the policy. To allow root to mount a specific folder, follow these steps: In the Policies workspace on the DCS:SA console, open the policy or create a new UNIX policy. Click Sandboxes > Root Program Options. Under General Settings, check Allow mounting and unmounting of filesystems (mount, umount). In the File Rules section, check Writeable Resource List >Allow Modifications to these files. In the List of files that can be modified list, add the mount point. For example, /tmp) Save the policy. Warning messages are displayed in case of OpenSSL version incompatibility. The NSX Security Group page displays the virtual machines with operating system from Windows family. When a VM goes into auto-sleep mode, the VM entry is not displayed under the NSX Security Group page. This is a known limitation and will be addressed in future release. DCS:S v6.5 supports OpenSSL 1.0.1j. If you are currently on an OpenSSL version that is earlier than 1.0.1j, then you must upgrade to v1.0.1j. No workaround is available currently.

24 Known Issues and Limitations Known issues in this release 24 Table 4-1 Issue description DCS:S known issues (continued) Workaround/recommendation At the time of Symantec service deployment, the SVA virtual machine must include a virtual CD-ROM drive of the Datastore ISO file type with a valid datastore and ISO path specified. For example: [datastore1]symantec DataCenter Security Service for VMware NSX.iso An occasional issue is observed where the virtual CD-ROM is not specified correctly. As a result, network traffic is not protected and a fatal level of events are observed within the SVA netsec.log: "Failed to read agent name. DVFilterApi init() failed". To resolve this issue, re-deploy the Symantec service and verify that the CD-ROM drive is specified correctly for all Symantec service SVA virtual machines. If the LiveUpdate proxy server settings are missing, any user with the administrator privileges can configure the settings through the SVA Configuration Policy. However, editing of Proxy Server settings is allowed only through the UMC console. No workaround is available currently. The Edit option is not supported through SVA configuration policy. Guest Network Threat protection is introduced with DCS:S v6.5. Network threat protection does not function with SVA configuration policies of versions older than 6.5. While using Guest Network Threat protection, ensure that the v6.5 SVA config policy is used. When you upgrade from any previous DCS:S version to DCS v6.5, the root directory does not get updated. As a result, you cannot register a product with the Unified Management Console (UMC). Manually update the root directory to c:\program Files\<x86>\Symantec\Data Center Security Server\Server and then register a product with UMC. The EICAR virus file may not get detected over SMB v1 connection with the default content definitions on the security virtual appliance. Symantec recommends that you update all content types upon security virtual appliance deployment. Guest Network Threat protection is introduced with DCS:S v6.5. Network threat protection does not function with SVA Config policies of versions earlier than v6.5. While using Guest Network Threat protection, ensure that you use the v6.5 SVA config policy.

25 Known Issues and Limitations Known issues in this release 25 Table 4-1 lists the issues that are known in this release for DCS:SA. Table 4-2 DCS:SA known issues Issue description Workaround/recommendation For alert notifications, the Subject and the body support only partial Text editor features. The placement of the cursor cannot be changed to select and delete the content. Intermediate text selection by using the mouse is possible, but deletion is not supported. Application Data Protection Rules prevent services from accessing their application data if given alternate privileges. Upgrade of agents with v5.2.6 to DCS:SA v6.5 fails on Solaris 10 SPARC U10 and U11 platforms with the following error message: Use the Backspace key to delete the entire text till the point you want to edit and retype the content. Do not use the Obey Application Data Restrictions option along with the Run with * privileges feature. You must remove the alternative privilege lists and disable the Obey Application Data Restrictions option on the alternative privileges sandboxes. Disable prevention on the agent and restart the computer before you upgrade to DCS:SA v6.5. Network error: Software caused connection abort The same error message is displayed if you try to uninstall the product by using the following command: pkgrm SYMCcsp To disable prevention, run the following command:./sisipsconfig.sh -i Note: The pkgadd and pkgrm commands do not work after the installation of x agent. The communication between the agents and the server fails if you have done a gradual or a direct upgrade of the Management Server from SCSP v5.2.0 or earlier to SDCS:SA v6.0 or DCS:SA v6.5. To resolve this issue, after the server upgrade, modify the java.security file to enable Sun providers. For more details, refer to the topic Re-establishing agent-server communication after upgrade from SCSP v5.2.0 to DCS:SA v6.0 or later in the Appendix A.

26 Known Issues and Limitations Known issues in this release 26 Table 4-2 Issue description DCS:SA known issues (continued) Workaround/recommendation The CSP v5.2.0 agents fail to communicate with the DCS:SA v6.5 server when the java.security file has been updated to fix the issue, "The communication between the agents and the server fails if you have done a gradual or a direct upgrade of the Management Server from SCSP v5.2.0 or earlier to SDCS:SA v6.0 or DCS:SA v6.5". To resolve this issue, do the following: Stop the Symantec Data Center Security Server Manager service. Locate the server.xml file on the server machine at the following location: <installation directory>\server\tomcat\conf\ In the server.xml file, add SSLv2Hello in sslenabledprotocols to the following SSL Connector instances: Tomcat stand-alone agent service Tomcat stand-alone console service Tomcat stand-alone service The updated entry must be sslenabledprotocols="tlsv1,tls v1.1,tlsv1.2,sslv2hello" Start the Symantec Data Center Security Server Manager service. Note: Symantec recommends that you use an XML editor to update the server.xml file.

27 Known Issues and Limitations Known issues in this release 27 Table 4-2 Issue description DCS:SA known issues (continued) Workaround/recommendation In a gradual server upgrade scenario that follows CSP v5.2.x to SDCS:SA v6.0 MP1 and then to DCS:SA v6.5, the management server may not enforce communication between server-agent and server-console to be in TLS protocol. In order to verify that you are not affected by this issue, do the following: Locate the server.xml file on the upgraded server machine at the following location: <installation directory>\server\tomcat\conf\ Check whether sslenabledprotocols="tlsv1,tlsv1.1,tlsv1.2" entry is inside the following SSL Connector instances: Tomcat stand-alone agent service Tomcat stand-alone console service Tomcat stand-alone service To resolve this issue, do the following: Stop the Symantec Data Center Security Server Manager service. Locate the server.xml file on the upgraded server machine at the following location: <installation directory>\server\tomcat\conf\ Edit the server.xml file, and move sslenabledprotocols="tlsv1,tls v1.1,tlsv1.2" entry inside the following SSL Connector instances: Tomcat stand-alone agent service Tomcat stand-alone console service Tomcat stand-alone service Start the Symantec Data Center Security Server Manager service. Note: Symantec recommends that you use an XML editor to update the server.xml file. If a Security-Enhanced Linux (SELinux) system is changed from "Disabled" or "Permissive" mode to "Enforcing" mode after an agent installation, the system boots in the "Maintenance" mode when you apply a predefined UNIX prevention policy and restart the machine. No workaround is available currently.

28 Known Issues and Limitations Known issues in this release 28 Table 4-2 Issue description DCS:SA known issues (continued) Workaround/recommendation FIPS mode gets disabled after you upgrade the Management Server from SDCS:SA v6.0 MP1 to DCS:SA to v6.5. To resolve this issue, re-execute the configfips.vbs file to enable FIPS. For information on how to enable FIPS, refer to the FIPS Compliance Guide. The Alert Filter > Preview Events link takes the user to the Events List page. The "Sort" operation on columns is currently not supported. A server with Tomcat-only installation fails to communicate with the database and does not start its Server Manager service if the server.xml file of the upgraded server is used for installing DCS:SA v6.5 on the Tomcat-only server. The server is unable to locate the server-cert.ssl file as the server.xml contains the old product installation path, which does not get updated. The module fields specified in a network rule are ignored and the rule is matched based on other fields in the rule. The rule does not match any of the module fields. For the agents installed on Windows 2003 or earlier, all module attributes are ignored if specified in the rules. Such rules are matched based on the other fields of the rule. No workaround is available currently. To resolve this issue, do the following: In all the three connectors in the server.xml file located at <installation directory>\server\tomcat\conf\ on the Tomcat only server, rename the keystore file path "Critical System Protection" to "Data Center Security Server". Example, keystorefile="c:\program Files (x86)\symantec\critical System Protection\Server\server-cert.ssl" Change to keystorefile="c:\program Files (x86)\symantec\data Center Security Server\Server\server-cert.ssl" Restart the Symantec Data Center Security Server Manager service. No workaround is available currently. No workaround is available currently.

29 Known Issues and Limitations Limitations in this release 29 Table 4-2 Issue description DCS:SA known issues (continued) Workaround/recommendation On AIX agents, users other than sisips/root are not able to run sisipsoverride tool To resolve the issue, do the following: Login to the system as a root user. Modify the permissions of the following library files to add read permission to other users: <AgentInstallDir>/IPS/bin/libgcc_s.a <AgentInstallDir>/IPS/bin/libstdc++.a Table 4-3 lists the issue that is known in this release for DCS:S - Operations Director. Table 4-3 Issue description DCS:S - Operations Director known issue Workaround/recommendation DCS:S - Operations Director now supports PAN-OS However while naming a vapp/vm to be provisioned, you can use only special characters like period (.), underscore(_), or hyphen (-). Symantec recommends that you can use only the specified special characters in the name of a vapp/vm to be provisioned. Note: Using any other special characters can cause issues with provisioning of the vapp/vm.. Limitations in this release DCS:SA v6.5 contains the following limitations for internationalization: The Description field for events is generated by the agents, which cannot be localized The data that you export cannot not be localized. The non-english guest virtual machine names, MOID, and security groups are not displayed in the localized form. The error strings that are generated from the server cannot be localized. For example, instances such as duplicate policy creation, invalid file upload and so on. The data for the Date column for the Recent Events pane in the Assets workspace cannot be localized. The data for the Date column in the Notification page cannot be localized.

30 Known Issues and Limitations Limitations in this release 30 The user input fields on some of the web console pages do not accept single quotation mark ('), except for Extensions, Folders, and Files fields from the Add Policy page. Clicking the browser back button is not supported in UMC. You must use the menu options to traverse to the UMC workspace. After you log in to UMC and select a registered product from the UMC product switcher, if you again select UMC in the product switcher, it does not change the selected product to UMC. For example, if you log in to UMC and select OD from the product switcher, you cannot come back to UMC by selecting UMC in the product switcher. DCS:SA v6.5 contains the following limitation in the Java console: After an upgrade to DCS:SA v6.5, clicking on Help in the Java console does not launch the online help. To avoid this issue, you must take a backup of the webui.war file from the following location before you perform an upgrade: C:\Program Files (x86)\symantec\data Center Security Server\Server\tomcat\webapps Place the file at the same location after the upgrade and then restart the Symantec Data Center Security Server Manager service. DCS:SA v6.5 contains the following limitation in the Unified Management Console: UMC allows multiple users to log in simultaneously on the same computer.

31 Appendix A Appendix This appendix includes the following topics: Re-establishing agent-server communication after upgrade from SCSP v5.2.0 to DCS:SA v6.0 or later Re-establishing agent-server communication after upgrade from SCSP v5.2.0 to DCS:SA v6.0 or later The communication between the agents and the server fails if you have done a gradual or a direct upgrade of the management server from SCSP v5.2.0 or earlier to SDCS:SA v6.0 or DCS:SA v6.5. This issue occurs in the following specific scenario: When you have a server that was upgraded from CSP or earlier to DCS:SA v6.5 and which has certificates that have MD5withRSA as the signature algorithm. When you have Windows, Solaris, AIX, or HP-UX with agents v5.2.9 MP5 with Hotfix 1 or later, or Linux agents with OpenSSL version 1.0.1g or later. In such a scenario, perform the following steps to re-establish the agent-server communication: Stop the DCS:SA Management Server service from Windows Service Control Manager (SCM). Locate the java.security file present at the following location: <SERVER_INSTALL_ROOT>\jre\lib\security Comment the following security provider list (use # at the start of the line) in the java.security file. You can use any text editor to edit this file. security.provider.1=com.rsa.jsse.jsseprovider security.provider.2=sun.security.jgss.sunprovider

32 Appendix Re-establishing agent-server communication after upgrade from SCSP v5.2.0 to DCS:SA v6.0 or later 32 security.provider.3=com.sun.security.sasl.provider security.provider.4=org.jcp.xml.dsig.internal.dom.xmldsigri security.provider.5=sun.security.smartcardio.sunpcsc security.provider.6=sun.security.provider.sun security.provider.7=sun.security.rsa.sunrsasign security.provider.8=sun.security.ec.sunec security.provider.9=com.sun.net.ssl.internal.ssl.provider security.provider.10=com.sun.crypto.provider.sunjce security.provider.11=sun.security.mscapi.sunmscapi Add the following list of security providers in the java.security file: # List of providers and their preference orders (for MD5withRSA as signature algorithm): security.provider.1=sun.security.provider.sun security.provider.2=sun.security.rsa.sunrsasign security.provider.3=sun.security.ec.sunec security.provider.4=com.sun.net.ssl.internal.ssl.provider security.provider.5=com.sun.crypto.provider.sunjce security.provider.6=sun.security.jgss.sunprovider security.provider.7=com.sun.security.sasl.provider security.provider.8=org.jcp.xml.dsig.internal.dom.xmldsigri security.provider.9=sun.security.smartcardio.sunpcsc security.provider.10=sun.security.mscapi.sunmscapi Start the DCS:SA Management Server Service from Windows Service Control Manager (SCM). After you make these changes, FIPS mode is not enforced as FIPS does not support MD5 as a signature algorithm. To enforce the FIPS mode, revert the changes made in the security provider list. For more details, refer to the DCS:SA FIPS Compliance Guide.