Known issues appear at the end of the document.

What's New in 4.2.1
===================
1. DAM - Added the ability to send e-mail notification whenever a session termination occurs.
2. VA - Expanded XML API to include various vulnerability management tasks.
3. DAM - Fixed an issue where DML triggers were not created correctly on Oracle 9 platforms.
4. VA - Fixed a server performance problem that resulted in slowness when updating VA tests.

What's New in 4.2.0
===================
IMPORTANT NOTE FOR EXISTING CUSTOMERS: a new permission, All OUs, was added to the permissions scheme in preparation for a future enhancement. The new permission does not impact most users. However, if you have created users with limited database access, the new permission may impact these users' permissions. Please contact technical support for further details.

1. DAM - added script signing, allowing signed transactions to bypass custom policy.
2. Reports - added dynamic systems reports mechanism and new preconfigured reports.
3. VA - Running database OS checks via SSH tunnel is now supported (see DBMS properties/advanced).
4. VA - Running database OS checks using a certificate is now supported (see DBMS properties/advanced).
5. VA - New limited VA scan permission allows limiting the user to clone/run/delete scans, selecting DBMSs and scheduling only.
6. General - added selective archive loading (load partial archives using a filter).
7. DAM - DBMS system report allows reporting on the DBMS up time.
8. DAM - added revision differences report (see rule revision page).
9. VA - added new scan tests report, showing which tests passed and failed per scan.
10. General - added automatic backup of the HSQLDB backend database.
11. Scheduling - added the ability to schedule a single event.
12. DAM - Application Mapping: added paging and sorting.
13. VA - PostgreSQL and SQL Azure now supported.
14. DAM - new property allows users to decide whether new vpatch rules will be enabled or disabled (vpatch.default.disabled=true or false).
15. VA - network scans can now be scheduled.
16. DAM - new support for active/passive clusters. This is enabled by default. When defining an active/active cluster go to DBMS properties and change the cluster to active/active.
17. General - added new filters in the DBMS screen.
18. General - password policy - added the ability to prevent the use of user name in the password.
19. VA - added export and import of custom tests and custom configuration of system tests.
20. General - added browser time out warning.
21. VA - improved weak password discovery, including a larger password dictionary. This may result in slower tests.

What's New in 4.1.0
===================
1. VA - added OS level tests (e.g. test permissions of the DBMS files and directories).
2. VA - added support for MySQL.
3. VA - added support for Sybase vulnerability scanning.
4. DAM - added support for MS SQL 2008 SP2.
5. DAM - added support for Oracle 10.2.0.5 and 11.2.0.2.
6. VA - for Oracle added the ability to import database names and parameters from tnsnames.ora files (in the DBMS tab).
7. DAM - Added ability to audit pre & post values for DML transactions using DML triggers.
8. Improved reports:
   a. Added summary reports including charts (Bar, Multi Bar, Pie)
   b. Added report formats (now supported: XML, PDF, RTF, DOC, Excel, HTML)
9. VA - Advanced management for VA tests - manage & edit custom and predefined tests as well as add new test groups.
10. DAM - Rule syntax expansion: added Exec_user. In addition to the user and osuser keywords, exec_user has been added for Microsoft SQL Server. Exec_user is used when the login of the current session is changed or a statement is executed under a different user.
11. DAM - Added support for bind variables. Bind variables will now be shown in alerts. You can also write rules that include bind variable values. For example, bindvar contains obama will trigger an alert whenever the bind variable value contains the string obama. Note that all values are treated as strings.
12. DAM - Alert times are now shown in both server local time and sensor local time (note: time based rules always refer to the sensor local time).
13. LDAP - added the ability to configure the cipher suite for LDAP over SSL.
14. DAM - When a sensor error occurs, a new indication will be shown in the sensor page (exclamation mark next to the relevant sensor).
15. DAM - Rule objects: added support for Regular Expressions in the dynamic object values.
16. VA - Scan results: added the ability to search within the data set results.
17. VA - results: a new state field will reveal whether a result is new (was not seen in the past), existing, or old (no longer exists).
18. VA - added the ability to exclude a DBMS from a specific test.
19. VA - added the ability to exclude users from the weak password tests.
20. VA - added clear indication whether a user with a weak password is open or locked.
21. Users can now configure which page will be open upon log in to the server (in the Permissions/users screen).
22. DAM - Added history record of sensor versions (in the system/history screen).
23. VA - Data discovery: you can now sample row data and search for data using regular expressions. See example in the User Manual.

What's New in 4.0.0
===================
1. Added DBScanner - enterprise level security scanner for databases. DBScanner requires a license. DBScanner evaluation is limited to 5 scan results per DBMS.
2. DBScanner includes data discovery (finding tables that contain sensitive data such as credit card data, passwords, personal information).
3. Data discovered can be easily added as a rule object to rules (e.g. a rule protecting all tables containing credit card data).
4. Added support for MS SQL 2008R2.
5. Added support for Sybase ASE 15.
6. Added support for Oracle 10.2.0.5.
7. Reporting - rule objects can now be used in dynamic reports.
8. Reporting - added user to "sort by" and "group by" fields. Added OSuser to "sort by" field.
9. Rule syntax - added DBMS_HOST and DBMS_NAME. These are especially useful in creating exceptions to rules. Since there is considerable variation in the way DBMSs show the host and instance name, it is recommended to copy the values from existing alerts.
10. XML API: 2 new services. dbms: for retrieving DBMS status + VA scan summaries per DBMS. varesults: for retrieving VA Results.
11. XML API: Date format has changed to include time zone information. (Format is configurable via xmlapi.date.format in the custom.properties file. More info about date formatting is available at: http://java.sun.com/javase/6/docs/api/java/text/simpledateformat.html )

What's New in 3.5.2
===================
1. Added support for Oracle 11g Rel 2 for HPUX, IBM AIX, Windows 32/64 bit, Solaris x86 64bit.
2. Added support for Sybase 12.54 64bit on HPUX and support for Sybase ESDs 12.5.4 9.1 and 10 in all platforms.
3. Added new fields to alerts: Batch CMD type (available in detailed and print views). Field is populated only if a batch command is used.
4. Added sensor time zone display (see sensor properties).
5. Solved an issue where users were unable to create analytic packages when Hedgehog server is clustered.
6. Enhanced cluster page.
7. Improved password change flow.
8. Added timeout to the Hedgehog console (10 minute default, can be configured).
9. Improved Chrome support and dropped IE 6.0 support.
10. After installing the sensor, the user can decide whether or not to run the sensor immediately.
11. Disabled cipher suites considered weak (DES 40, DES 56, RC4 40) and added the option of changing the ciphers.
12. User can now change the HH server certificate with an internally signed certificate (used for authenticating sensor to server communications).
13. Added new operators for IP filtering in the alerts page: = (exact match), ! (not like), != (not equal), \ (ignore chars / escape characters).
14. Added the ability to add a description to manually created archives.
15. Improved HPUX sensor installer - installer no longer performs unnecessary mounted filesystem check.
16. Several additional issues fixed.

What's New in 3.5.1
===================
1. Support for Oracle 11g Rel 2 for all currently supported OSs (Solaris, Linux).
2. Application Mapping - changed naming conventions and added the ability to create alert rules from the DBMS Access Info screen.
3. Message box improvements including the ability to send messages to external systems and the ability to ignore future messages by category.
4. Better support for Active/Passive clusters (Oracle and Sybase).
5. Allow specifying connection string only in alternative connections (user and password are no longer mandatory).
6. vpatch rule settings can now be exported/imported via xml files.
7. Improved rule revisions, including ability to easily compare revisions and rollback to older revisions and expanded rule revisions filter.
8. Improved rule settings (including changing the email subject).
9. Alert screen - you can now add exceptions to custom rules directly from the alerts screen.
10. Added action buttons to the alerts' advanced view dialogs.
11. Added Twitter as an external interface (allowing sending alerts to Twitter).
12. Added support for Google Chrome 3.0 and up.
13. Several fixes, including memory issue in external libraries and sensor screen display.
14. Emails generated by the server now include server's host name.
15. Changed the permissions required for the /conf folder for better security (on all supported platforms other than Windows XP).

What's New in 3.5.0
===================
1. Support for Oracle 11g Release 2 over Linux OS.
2. Application mapping added. Application mapping collects and presents statistics on database usage and allows easy creation of audit and security rules.
3. Added password policy page (under permissions).
4. "Like" function in rules changed to comply with standard usage. Old usage: statement like '*'. New usage: statement like '%*%'. Please review existing rules as this change affects existing rule evaluation logic.
5. Added Check Point OPSEC (SAM) integration allowing sending SAM rules to Check Point VPN-1/FW-1.
6. In case of disconnection from Hedgehog Server, the sensor keeps current alerts locally. The default size of the buffer is 25MB. Alerts are compressed (200,000-400,000 alerts). In previous versions the buffer size was limited to 5,000 alerts.
7. When using an external backend database, and monitoring the database with Hedgehog Sensor, it is easier to filter out Hedgehog Server related activity (all Hedgehog Server activity will be identified with the application name "Hedgehog Server").
8. Sensor-server communications are now compressed, allowing efficient communications even over the WAN.
9. Clone rule button allows easy copying of rules.
10. Improved rule exceptions - rule exceptions added to custom/compliance rules and added the ability to add multiple exceptions to the same rule.
11. Creating exception/new rule from alert improved.
12. Compliance rules are now editable.
13. Added - filter rules by severity.
14. You can now create rules that auto-resolve alerts.
15. Improved reports (IDentifier information added and irrelevant fields were eliminated).
16. Archiving - archive page now includes additional information on each archive file.
17. Updates - vastly improved and streamlined.
18. Log-on time now available in alerts on Oracle databases.
19. Troubleshooting - added the ability to display the local server time (this is especially important for customers with databases in multiple time zones).
20. Added the ability to contribute to Sentrigo's research by sharing vpatch alerts with the team (to enable this feature see the System/Troubleshooting page).
21. New keyword allows easier monitoring of logons and logoffs. Usage: session_state = New_session / End_session / Execute (where Execute is any statement that is not a logon or logoff statement).
22. You can now open an alert by clicking the alert line.
23. Added slider and paging to the rules page in order to change rules order easily.
24. Generating a report from the alerts screen improved - added excel report and customization dialog.
25. Auto complete added for rule name field in the alerts filter.
26. Improved dashboard performance.
27. Dynamic reports - you can now filter alerts according to whether quarantine was initiated.
28. Dynamic reports - you can now exclude more than one OSuser/User.
29. Dynamic reports - when filtering by rule name, if a rule's name has been changed, you will need to filter by both the old and the new name.
30. You can now filter alerts by vpatch rule ID.
31. SNMP support improved and MIB changed (removed unnecessary elements and added host and IP to all traps).
32. LDAP - multiple domain support. When using multiple domains, the use of global catalog is mandatory.
33. LDAP - connect timeout is now configurable.
34. LDAP configuration page now shows up to 1000 LDAP groups.
35. Added support for Sybase when binary name was changed by customer.
36. Added fine grained permissions for the XML API.

What's New in 3.0.0
===================
1. Microsoft SQL 2008 (including SP1) support.
2. Microsoft Windows Server 2008 support.
3. Improved and streamlined sensor update process.
4. Fixed "dashboard flash does not start on FF3 for a minute or until a timeframe is selected." (issue 4213)

What's New in 2.5.3
===================
1. Detect excessive behavior (transactions that repeat x times during a defined time period).
2. Alerts can be sent directly to archive (bypassing the backend database).
3. Mask sensitive information (e.g. credit card numbers, social security numbers, etc.).
4. Increase and decrease the rule edit box.
5. To prevent errors, the product now prevents using the same rule name twice.
6. New vpatch feature: you can now import and export exceptions to vpatch rules.
7. You can filter the screen according to the content of rule exceptions.
8. Improved handling of vpatch revisions.
9. You can now configure which rule tab will be opened first in new sessions (page.rules.default.tab = VPATCH or = CUSTOM in the custom.properties file).
10. Print view.
11. Select number of alerts per page.
12. Improved filtering criteria (resolve time).
13. Added more granular actions in the alerts page (resolve/archive/report).
14. When filtering the alert screen you can now enter multiple values in the fields, using $value1,value2.
15. Resolution state of alerts can now be changed (including changing a resolved alert to unresolved).
16. Product now comes with 4 predefined roles.
17. System: new tab - Backend DBMS Details - provides information on the backend database. The screen provides information about the database size and maximum allocated size, free space and additional information when an external database (Oracle or MS SQL) is used.
18. Simplified updates tab.
19. New tab - settings - allows changing the logo for all reports.
20. When running a system report you can now add a comment that will be added to the report's opening section.
21. New dynamic report creation screen enables selection of report fields (by default all fields are selected).
22. When scheduling report mailing you can now attach a report or only send notification when the report is ready.
23. You can now download scheduled reports and track report downloads in the history tab.
24. Fixed an issue where filtering by 2 rules in the report did not behave as expected.
25. Firefox 3 and Internet Explorer 8 now fully supported.
26. Administrator notifications: Mail is now sent to admin in case server backend database is not responding.
27. Improved server analytic package.
28. Oops page now contains extended support data.
29. Old server logs are purged (by default logs older than 30 days are deleted).
30. Link in the history allows viewing resolved alerts.
31. You can now view recognized LDAP groups in the LDAP configuration tab.
32. Added db monitoring status to the XML API sensor list.

What's New in 2.5.1
===================
1. Sybase ASE 12.5 support added. Note that not all sub-versions are supported. Contact support@sentrigo.com for further details before attempting to monitor a Sybase server.
2. Alerts that include non-English characters now show correctly.
3. Support for Oracle 11.1.0.7.0 added.
4. Support for SQL Server 2005 SP3 added.
5. Added HIPAA, GLBA and Best Practices compliance modules.
6. Added the ability to generate a sensor analytic package, restart the sensor, and change the sensor log configuration from the UI (available in the sensor properties screen).
7. Added the ability to apply actions to multiple databases (in the DBMS screen, check multiple databases and select "apply actions").
8. Permissions - added granularity to system permissions (other than the permission to view the system screen, there are 6 different update permissions).
9. Added comment field to vpatch rules.
10. Fixed a problem where in some dialogs action buttons were hidden behind the bottom frame.
11. Improved (faster) processing of alerts resulting in improved server performance and improved UI performance.
12. Fixed issue where changes in an LDAP server (e.g. password change) caused an error.
13. Removed limitation where only 1000 LDAP groups could be configured in Hedgehog.
14. Added support for Syslog over TCP and added syslog maximum packet length configuration (up to 64kb).
15. Extended XML API to include all alert fields.
16. Added the capability of supporting database clusters where the cluster members have different names and the ability to manually name a cluster within Hedgehog.
17. Sensor now reports full CMDtype for DDL commands (e.g. Alter Table vs. Alter). To catch an ALTER TABLE command, the rule should be either "cmdtype='alter table'" or "cmdtype contains 'alter'" (the latter will also catch alter user, etc.).
18. New DBMS groups added to minor dbms versions (e.g. Oracle 10.1).
19. Improved performance of logging to external systems.
20. By default DDL triggers are only enabled for Oracle databases. MS SQL triggers are only necessary when prevention is required.
21. IDentifier is no longer shipped with the Hedgehog Server installation packages. To download the IDentifier, logging in to the portal support.sentrigo.com is necessary.
22. Added the ability to exclude a dbms from a group in the install on rule dialog.

What's New in 2.2.1
===================
1. Oracle client info field (exposing user name and host in Peoplesoft and other apps).
2. Failed logins detection in MSSQL 2005 does not require a trigger anymore.
3. Detection of possible false positives in vpatch rules - Hedgehog sends notification when a vpatch rule triggers many alerts (default: 50 alerts in 30 seconds, configurable in the system/messages/configuration).

What's New in 2.2.0
===================
1. Added new product - Hedgehog vpatch.
2. Added vpatch security level.
3. Added exceptions to vpatch rules (available both from the alerts screen and the vpatch rules screen).
4. Added dynamic reports and report scheduling.
5. Improved compliance reports (now with more detailed information and friendlier format).
6. SQL Server 2000 support (service pack 3 and above).
7. Oracle 11g is now fully supported on all versions.
8. Oracle 10.2.0.4 is fully supported.
9. Fixed a problem where sys appears as the user name in the beginning of a session for non sys users in Oracle.
10. Added the ability to automatically archive according to the size of the alert database.
11. Added the ability to define rule permissions by role of the Hedgehog admin/operator.
12. Added grouping of duplicate alerts (can be disabled using the configuration file).

Known Issues
============
1. (No issue number) Exec_user: if the sensor monitors a new session event when the session executes with a user different from the original (e.g. the sensor starts when the session is already active), the user name will be set to the exec user name, and exec user will be altered when the session returns from the execution.
2. (No issue number) When using promiscuous mode on HPUX NICs: only one process may sniff the NIC and therefore the sensor may either prevent another sniffer from working or another sniffer may prevent the sensor from functioning correctly. Workaround - make sure that the NIC is not running in promiscuous mode.
3. (5021) When using Chrome - it is impossible to select print view twice (workaround - go to another screen and return to alerts). This is due to a known Chrome issue:
   http://code.google.com/p/chromium/issues/detail?id=16528
   https://bugs.webkit.org/show_bug.cgi?id=28633
4. (No issue number) Non-English characters cannot be used in rules (e.g. if a table name is in non-English characters, it cannot be used in a rule). This is a known issue that will be resolved in a future release.
5. (No issue number) Because of limitations of SQL 2000 the following behavior is different from all other DBs: SQL server 2000 does not enable the use of triggers, therefore there is no DDL trigger. This means there is no delay of DDL commands (and termination will not necessarily happen before the transaction).
6. (1111) When setting the sensor machine's clock backward, all databases display as "none". Workaround - restart the sensor.
7. (1927) When changing the Hedgehog Server time manually (e.g. when daylight savings time takes effect and the server doesn't change the time automatically) the Hedgehog Server's time may show incorrectly and alerts may also show incorrectly. Restarting the Hedgehog Server will resolve this issue.
8. (1083) Action scripts are not ignored by the sensor. This may cause database instability. Workaround - when using action scripts the user must be sure that the script does not trigger alerts (e.g. by creating an allow rule at the top of the policy).
9. (5604) Dashboard - in some cases (10min or hour time period) a refresh does not apply to the alert summary graph. Workaround - choose a different time period