This article contains important information about Symantec Critical System Protection that is not included in the standard documentation or the context-sensitive help. Please review this document in its entirety before you install or upgrade Symantec Critical System Protection, or call for technical support.
As updates to Symantec Critical System Protection are released, the known issues for eaach release are added as sections to this document. Each section is added in chronological order, with the most recent additions at the top. For information about how to obtain the latest build of Symantec Critical System Protection , please refer to the following document:
Installation and Upgrade Issues
Unnecessary file creation events may appear during agent upgrade:
When you upgrade the Symantec Critical System Protection agent from previous versions, you may see unnecessary file creation events for existing files. To work around this issue and avoid creation of invalid events, remove the detection policies before you upgrade, and then reapply the detection policies.
Unattended agent installation failed while using relative paths:
If the unattended agent installation failed while using relative paths (error status 1602), provide the absolute path for certificate file.
Upgrading Red Hat 5.1.3 agent to Red Hat 5.2:
If you run a Red Hat 5.1.3 32-bit agent on a 64-bit system, you must uninstall the 32-bit agent and then reinstall using the Red Hat 5.2 64-bit agent.
Specifying configuration and policy group paths:
When entering configuration and policy group paths during installation, type the path using the forward slash (/).
Windows Agent installers sometimes do not recognize that a domain account has Administrator privileges:
The Management Server and Windows Agent installation kits allow you to specify an alternate account in which to run the Services. In some cases, if you enter a domain account instead of a local account, the installation kit fails to correctly determine that the domain account has Administrator privileges and refuses to allow the account. Either use the LocalSystem account, another local account with Administrator privileges, or a domain account that is a member of a local group that has Administrator privileges.
Special characters in sa password can cause Management Server installation to fail:
If the sa password for your database includes any of the following characters:
- hash mark (#)
- asterisk (*)
- percent sign (%)
- tilde (~)
the Management Server will be unable to connect to the database and the installation will fail. You must change the sa password for your system so it does not include any of these special characters. After the installation completes successfully, you can change the sa password back to original password. These special characters are only an issue during the installation process, not during normal product operation.
Windows Agent silent installers write reboot message when a reboot did not take place:
When performing a silent install of the Windows agent, the installer prints the following log message even though a system restart was not requested or initiated: MSI (s) (24:2C) [15:24:06:140]: The Windows Installer initiated a system restart to complete or continue the configuration of 'Symantec Critical System Protection Agent'.
You can ignore this message. The system will not be rebooted automatically.
Tru64 Agent install on cluster member modifies package database files for all members:
In a Tru64 clustered environment with multiple active cluster members, the package install mechanism (setld) does not allow for independent management of software packages on a per cluster member basis - only on a per-cluster basis. Symantec Critical System Protection requires individual, independent installations on each cluster member rather than a single installation for the entire cluster.
You may encounter the following issues managing Symantec Critical System Protection agents on each cluster member:
- Querying the Symantec Critical System Protection package (i.e. setld -i SYMCSP511) on all cluster members reflects only the most recent operation (install or delete) performed on any of the cluster members. For example, after installing Symantec Critical System Protection on cluster member 0, running setld -i SYMCSP511 on cluster members 1 and 2 will also show that it is installed even though it is not. You must install the agent separately on members 1 and 2. Manual verification of the installation status is required to verify on each other cluster member.
- When uninstalling the agent, only the first cluster member is able to use the setld -d SYMCSP511 package delete mechanism to remove the agent. The second, third, etc cluster members need to manually remove the agent using the "Manual uninstall" procedures outlined in the Installation Guide.
These issues do not inhibit the operation of the agent running on the different cluster members, only the ability to use the Tru64 package commands to manage the software.
Management Server upgrade from 5.0.x does not add new event types to existing Detection Parameters:
In release 5.1, two new Detection event types are available: Prevention Watch and UNIX C2 Log. If you create a new Detection Parameter object after you upgrade, these new event types are in the "transmit" list by default. However, if you are upgrading from 5.0 or 5.0.5, these new detection events are not integrated into your existing Detection Parameter objects. If you intend to use the Template Prevention Watch or UNIX C2 Log detection policies, be sure to update your Detection Parameters to include these in the log rules. If you do not, these events will not be transmitted to the management server or be visible in the Console.
Management Server installation sometimes fails when installing remotely via terminal services:
If you are logging into a system via terminal services and attempt to install the Management Server on that system, the installation may fail. This situation only occurs if you choose an Evaluation installation and choose to have the kit install MSDE. The MSDE portion of the installation may fail with an "unable to connect to database" error.
If you receive this error, verify that the Symantec Critical System Protection instance of MSDE is not in the Add/Remove Programs List. (If it is in the list, uninstall it.) Then log into the system directly via the console (rather than remotely) and install the Management Server.
Web console hangs if a bad path is used in a global writable resource list:
In Internet Explorer 8, if you have mistakenly added a bad path to a global writable resource list, you see an error message and the Web console hangs.
To work around this issue, you should correct the bad path using the standard version of the management server console.
Dialog box does not appear in the Web console when you edit policy options:
At times, when you click Add to edit a policy option, the Add dialog box does not seem to appear. The dialog box does appear, but it is hidden behind the Edit policy dialog box.
To work around this issue, move the Edit policy dialog box out of the way.
Web console hangs when you rename a group:
If you rename a group under Assets on the Prevention tab, you see an error message and the Web console hangs.
To work around this issue, you should use the standard version of the management console if you have to rename a group.
Web console displays shorter version of the polling interval value than the standard management console:
When you set a polling interval for the Windows Baseline policy, the value that the Web console displays is truncated. For example, if the standard management console shows the value High volume - 3 minutes, the Web console displays High.
To work around this issue, you can view the full value on the standard management console.
Difficulty erasing the first character in a field in the policy editor or Event Wizard:
Using the Backspace key to erase the data in the field, character by character, always leaves one character in the field. To erase the data, select the entire field and then type the new value.
Adjust the detection time window action in Event Wizard always configures an exclusion window:
For the adjust the detection time window action, the Event Wizard allows you to set the start, duration, and frequency of the window. It does not include a choice of whether the window should be an inclusion or exclusion window - it always configures the policy for an exclusion window. If you want an inclusion window, you must manually edit the policy and check the Trigger Rules Only During Specified Time Interval option in the policy.
Applying multiple Detection policies at once sometimes fails to apply some policies:
In rare circumstances, when multiple Detection policies are applied to a group or agent in a single operation, e.g. via multi-select, the Management Server may fail to apply one or more of the policies.
To verify that all Detection policies were applied, compare the number of policies listed in the Agent Status message:
Successfully updated the policy to Detection Policies (30)
with the number of Detection policies shown on the Policies tab of the Agent details. If the numbers do not match, re-apply one (and only one) of the Detection policies to the agent or group. This will cause the Management Server to send all the Detection polices to the Agent and get it back in synch with the Management Server.
Agents will not register with a Management Server upgraded from 5.0.x to 5.2:
If you upgrade your Management Server directly from version 5.0.x to 5.2, you may find that newly installed Agents will fail to register with the Server. To fix this problem, import a 5.2 Prevention policy pack onto your Server. After importing the pack, the Agent(s) will successfully register.
You can load the policy pack using the LiveUpdate feature (accessible from the Home Page) or by manually downloading the policy pack and importing it via the Console.
Some 5.1 queries may produce divide by zero errors:
You may see a divide by zero error while running the following queries on a 5.2 console:
- Events/All Events/All/Stats by Day Name
- Events/All Events/All/Stats by Day of Month
If you see this error, you can import the 5.2 Report Pack onto your Server and run the 5.2 versions of these queries.
Transaction was deadlocked error sometimes occurs in the console:
If you receive the following error in the Console:
"Transaction was deadlocked on lock resources with another process and has been chosen as the deadlock victim. Rerun the transaction."
retry the operation. This condition can occur if two users are logged into the Console and happen to collide when requesting the same information from the database.
CTRL-click does not always maintain all selected rows on Assets page:
Attempting to drag multiple agents with the left mouse button drags only the most recently selected agent. Using the right mouse button maintains all of the selected agents for the drag-and-drop operation.
CTRL key does not always maintain all selected agents in drag-and-drop operation to group:
Using the CTRL key to select and drag non-consecutive multiple agents to a group drags only the most recently selected agent. Use the SHIFT key to select and drag consecutive agents to a group.
Drag-and-drop operation on Assets page does not always copy multiple selected agents:
Using the Ctrl key and the left mouse button to select multiple agents in the Assets page may not maintain previously selected agents. Usually this is the result of accidentally dragging an agent as you select it. Make sure not to move the mouse until you have fully released the mouse button, and the previous selections will be maintained.
LiveUpdate does not display the latest policy pack:
When you open the LiveUpdate Wizard and click Check, the latest policy pack may not be displayed. To work around this issue, close the console, and then log back on to the console. The LiveUpdate Wizard should now display all of the latest policy and report packs.
Windows Baseline Detection AutoStart Service Specific Keys do not work:
Registry monitoring may not function correctly for the parts of the registry database that are redirected on Windows 64-bit operating systems.
For more information about the affected registry keys, see:
USB device connection and disconnection events are not triggered:
Because of changes in Windows Event Log messages, the Windows Baseline Detection policy USB Device Connected and USB Device Disconnected rules do not work on computers that run Windows 2008.
To work around this issue, use the USB Registry Connect Activity rule to monitor the general activities of USB devices.
Monitoring system files in %systemroot%\System32 folder may not work without a Microsoft hotfix on computers that run Windows 2003 64-bit version:
For information about the Microsoft hotfix, click:
System_File_Protection_Status does not work on computers that run Windows 2008 and Windows Embedded operating systems:
The Windows detection policy System_File_Protection_Status does not work on Windows 2008 or later, which uses Windows Resource Checker version 6.0 or higher. System_File_Protection_Status also does not work on computers that run the Windows XPe operating system.
There is currently no workaround.
CD/DVD_Burning_Activity events are not triggered when the default Windows Baseline policy is applied:
By default in Windows Baseline policy, when you burn a CD or DVD, it triggers an event. This does not work on computers that run Windows 2008 and 2003 R2.
There is no workaround.
Prevention policy event filtering based on the Description field does not work:
Although the Description field is an available option when constructing a log filter rule, you cannot use the Description field in a log filter rule. The description values that are displayed in the console for prevention events are created in the console from available data.
To work around this issue, you can match on elements of the event other than the description. For example, you can use the process path and resource name.
Prevention policy compatibility:
If you are using a Prevention policy on your Symantec Critical System Protection management server, you must update the policies to 5.2.4 at the same time you update the management server software to 5.2.4. The new Web UI feature of the management server will not work if the older 5.2.0 Prevention policies are applied on the management server system.
The TCP notification port does not close properly:
When the IPS agent is restarted by the IDS agent by using the UNIX_CSP_Agent_Diagnostics Restart_IPS_Service command. it calls /opt/Symantec/scspagent/IDS/bin/agent_mgmt.sh -ips to restart the IPS service. The TCP notification port is not closed properly and is left in a TIME_WAIT state.
To work around this problem, you can start the IPS service manually by using the following command:
Network option settings must be reviewed after updating to 5.2 Prevention policies:
The networking options in the 5.2 Prevention polices have been significantly enhanced and reorganized. The network option settings from your pre-5.2 policies are carried forward to the extent possible when updating to 5.2 policies. However, because of the new option organization, you should review all of the network settings after updating your policies to be sure the resulting settings are correct for your purposes.
Table: Network Option Settings
Conclusions: When updating to a 5.2 policy, we recommend you make a copy of the pre-5.2 policy and update the copy. After the update, you can edit both policies, view the editor windows side by side, and use the Changes from Base filter to review that the new policy is configured appropriately.
C2 rules are supported only on some versions of HP-UX and Linux:
The C2 Detection rules in the template policy are only supported on the following operating system versions:
- HP-UX v1 and v2
- Red Hat Enterprise Linux ES 3.0
- SUSE Enterprise Linux 8.0 and 9.0
- Solaris 8, 9, and 10
- AIX 5.1, 5.2, and 5.3
The C2 Detection rules are not supported on the following operating system versions:
- HP-UX v3
- Red Hat Enterprise Linux ES 4.0
Text Log rules do not support multi-line records:
The Text Log Detection rules in the template policy contain a Records in file contain multiple lines option. This option does not work correctly and should not be used.
You cannot use different parse strings for the same file Text Log rules:
The Text Log Detection rules in the template policy allow you to specify a parse pattern to extract specific data from the records in the file. If you create more than one Text Log rule to watch the same file, you must use the exact same parse pattern for all the rules. This is true whether you have multiple rules in the same policy or in several policies. If you use different parse patterns for the same file, the system arbitrarily chooses one of the parse patterns and uses it for all rules that reference the file. Thus, some of the rules will not work properly.
If possible, only use one Text Log rule per file being watched. If it is necessary to use multiple rules for the same file, be sure the parse pattern is the same in all the rules.
A program listed in both the Safe and Custom lists does not get Safe privileges:
If the same program is entered both into the Safe Interactive Programs list and into an Interactive Custom Control (under My Custom Programs), it will be controlled by the Custom Control rules rather than the Safe privilege rules. In order to give the program Safe privileges, remove the program from the Custom Control list.
Symantec Critical System Protection Agent does not appear in the Add or Remove Programs list:
On Windows NT Agents, the Prevention policy blocks the Agent from appearing in the Add or Remove Programs list as part of the protection against uninstalling the Agent software. If you apply the Null policy or disable prevention in the policy, the Agent will appear in the list and you can uninstall the Agent software.
Blocking inbound networking on Solaris:
You can configure Solaris and Linux systems to start networking daemons in a variety of ways. For example, you can configure telnetd to run standalone and listen for inbound connections, or to be launched from inetd. When trying to block inbound connections destined for a particular daemon, use the resource lists in the General Daemon Options to ensure that you are blocking the connections.
To block inbound connections destined for a particular daemon:
- Check the box for Daemon Options > General Daemon Options > Resource Lists > Network Deny Lists > Deny listening for TCP requests.
- Add the ports for the daemon you want to block in the list of TCP ports to deny listening on, under the Deny Listening for TCP requests option. For example, to block telnet, enter port 23 in the list. To block the R-services, enter ports 512-514 in the list.
If the daemon you want to block accepts requests on UDP ports, use the Deny listening for UDP requests and List of UDP ports options instead.
By using the General Daemon Options, you will block the inbound connections no matter what method is used to launch the daemon.
Users in the Administrators' group cannot make config changes by using the configtool with User Account Control enabled:
Admin users other than the administrator who want to make changes to the configuration via the configtool must elevate their permissions to Administrator.
Due to the new User Account Control (UAC) security feature in Windows 2008, it is no longer possible for users in the Administrators group to make configuration changes by using the configtool. To run the configtool with an administrator's account, that is, a user in the Administrators' group other than administrator, you must first elevate the permissions of the command prompt or a batch file running the command.
To elevate the permissions for Administrator to run the configtool:
- On the Start menu, right-click All Programs>Accessories>Command Prompt.
- Click Run as administrator.
- Confirm or authenticate for the administrator user.
- Run the configtool with the desired options.
For example, you could type:
C:\Program Files\Symantec\Critical System Protection\Agent\IPS\bin\sisipsconfig.exe -trace
No Syslog-ng event if you use the default LocalAgent.ini:
With the syslog-ng changes, Symantec Critical System Protection supports the use of a custom logging source entry by using the Syslog NG Source key in LocalAgent.ini. The default entry is src, which is the default logging source in syslog-ng.conf on SUSE10 machines. On RHEL5, s_internal is the default logging source in syslog-ng.conf. Change the default entry in LocalAgent.ini file for RHEL5 from #Syslog NG Source=src to:
#Syslog NG Source=s_internal
Modifying syslog- ng.conf:
When the IDS agent starts, as with the syslogd and /etc/syslog.conf, an entry is added directly to /etc/syslog-ng/syslog-ng.conf. When the IDS agent stops, that entry is removed. On SUSE 10, the suggested way for administrators to modify syslog-ng.conf is to edit /etc/syslog-ng/syslog-ng.conf.in, then run SuSEconfig to generate a new syslog-ng.conf file. SuSEconfig will find that the syslog-ng.conf was modified (by Symantec), and will warn the user. It is safe for the administrator to overwrite the old file with the generated one and restart the syslog-ng daemon (or issue SIGHUP), but they must also restart the IDS service, so that our syslog-ng entry will be re-added to the syslog-ng.conf file.
Modifying the logging source entry:
With the syslog-ng changes, Symantec Critical System Protection supports having a custom logging source entry via the Syslog NG Source key in LocalAgent.ini. The default entry is src, which is the default logging source in syslog-ng.conf on SUSE10 machines. When changing the value for the source, it MUST be added ABOVE the lines where the default source is defined. This appears to be a limitation of syslog-ng daemon. Defining sources below the default may result in no messages being written to the syslog pipe. When in doubt, test that the custom source works by creating a custom logging destination which points to a file. If events are seen in that file destination for the custom source, then that source should also work for writing to the syslog pipe.
AppArmor blocks the IDS Syslog Collector by default if enabled:
AppArmor's default configuration blocks syslogd and syslog-ng from writing into the syslog pipe. You must add a rule for each of the syslogd/syslog-ng process profiles in AppArmor so that the Symantec Critical System Protection Agent Syslog collector can receive syslog messages.
To add a rule in YaST through the wizard:
- Open the Novell AppArmor>Update Profile Wizard. (The /opt/Symantec/scspagent/IDS/system/ids_syslog.pipe should automatically appear if the agent has been installed and is running.)
- Select Allow, and then click Finish.
By default, the wizard assigns RW access, but only W access is required.
To add a rule in YaST manually:
- Open AppArmor>Edit Profile.
- Go to the /sbin/syslog-ng profile.
- Highlight Add Entry and File.
- Type in the agent install directory: /opt/Symantec]/scspagent/IDS/system/ids_syslog.pipe
- Add write permissions, and then save the profile.
- Repeat steps 2-5 for /sbin/syslog, if desired.
The SLES 10 base release is not supported:
The Symantec Critical System Protection agent Util daemon (sisipsutil) does not start on the SLES 10 base OS when the OS is unpatched. The Symantec Critical System Protection agent currently supports only SLES 10 SP1 and SP2.
To determine your patch level (PATCHLEVEL), run the following command:
# cat /etc/SuSE-release |grep PATCHLEVEL.
PATCHLEVEL = 1
Note: This example shows that this is an SP1 installation.
SuSE Firewall default settings block server communication with the agent:
The SuSE Firewall blocks the Symantec Critical System Protection agent from receiving notification of new policies from the server. Therefore pushing new policies from the console/server may take a long time to be applied. The firewall rules must be modified to allow the notify port (default 2222) over tcp.
Prevention policies don't control NFS v4 clients' connection to RedHat EL 4 servers:
When clients that use the NFS v4 protocol connect to a Red Hat Enterprise Linux 4.0 server, the Agent on the server doesn't completely control access to the shared files.
If you disable the NFS v4 protocol on the server, then all clients use NFS v3 and the remote accesses are controlled. To disable the NFS v4 protocol for the NFS server on RHEL4, add the following entry to the /etc/sysconfig/nfs file:
NFS shares not controlled on Linux Agents if NFS server is started after bootstrap:
On Linux Agents, if the NFS server is started after the system bootstrap is completed, the Prevention policies do not control NFS accesses from remote systems. This might happen if you manually start (or restart) the NFS server or if you manually share a file system on a system that had no shared file systems previously.
There are two ways to fix this issue and get the Prevention polices to control the NFS shared file systems:
- Run /etc/init.d/sisips.nfs manually after starting the NFS server. The shared file systems are controlled after this script is run.
- Reboot the system, so the NFS server starts automatically during bootstrap.
This issue only arises when starting (or restarting) the NFS server. Simply adding or removing shares is handled automatically, as long as the NFS server remains running.
When using http protocol, sisipsconfig tool incorrectly reports successful communication:
If you change the communication protocol on an Agent from https to http using the sisipsconfig tool but do not change the Management Server configuration to accept http connections, the Agent will not communicate with the Management Server. However, if you run the sisipsconfig -test command, it will incorrectly report successful communication.
If you configure an Agent to use the http protocol, be sure the Management Server has been configured to accept http as well. By default, the Management Server is configured to only accept https connections.
Mismatched times in Detection events from HP-UX v3 systems:
On newly installed HP-UX 11i v3 systems, it is possible for the Timezone (TZ) setting to be different in the /etc/TIMEZONE and /etc/profile files. Some system services incorrectly use the setting from /etc/profile rather than the value set in /etc/TIMEZONE. In this case, events generated by such services and reported by the Detection policies may have a mismatch between the timestamp logged by the Symantec Critical System Protection Agent and a timestamp contained in the event description. This would most likely occur for Unix Activity Log or Syslog events.
To fix this, verify that both /etc/TIMEZONE and /etc/profile contain the correct timezone setting. Then restart the services exhibiting this behavior. If you changed /etc/TIMEZONE, also restart the IDS daemon (by running /sbin/init.d/sisidsagent restart).
Detection event collection on HP-UX on Itanium2 delayed when system time is set backwards:
The Detection collectors are based on polling intervals. For HP-UX on Itanium2 systems, the polling intervals are delayed when the system time is explicitly set backwards. The polling interval expiration is not re-calculated based on the new system time. This causes the collectors to not receive any new events for a period of time equal to the amount by which the system time was set backwards. After this period has passed, the collectors begin receiving events again and operate correctly from then on. The collectors do not miss any events that happened during the period - the event collection is only delayed. For example, if the system time is set backwards by 1 hour, the Detection collectors will not receive events for 1 hour.
In addition to any manual changes in system time, this issue also occurs when the system automatically sets the time backward from daylight savings time to standard time.
To correct the problem, restart the IDS daemon on the Agent whenever the system time is set backwards (by running /sbin/init.d/sisidsagent restart).
This will recalculate the polling interval expiration based on the new system time. This information applies to the Symantec Critical System Protection Agent on HP-UX on Itanium2 (IA64) only. HP-UX agents on PA-RISC hardware and agents on all other operating systems are not affected by this issue.
Policy Override may time out when agent is configured with alternate management servers:
The policy override tool has a timeout of 90 seconds. If the prevention is not disabled within that time, the override fails. If you have configured an agent with alternate management servers, and you have used host names rather than IP addresses for the servers, you may encounter timeouts when trying to override the policy and the agent cannot contact the DNS server to resolve the server host names.
If you are using alternate management servers and you expect to need to override while not connected to a network, you should use IP addresses instead of host names for the alternate servers.
Solaris pkgchk errors for SYMCcsp:
Running pkgchk on the SYMCcsp package on a Solaris system displays errors.
- file size <3312> expected <3311> actual
- file cksum <9924> expected <9849> actual
These mismatches are a result of the product changing these files as a result of normal operation. They are expected and can safely be ignored.
Authoring Environment Issues
Authoring environment requires policy component upgrades:
When starting the authoring environment after upgrading Symantec Critical System Protection to Release 5.2, you are notified that one or more policy components requires upgrading in the management server. To use the authoring environment, you must permit this upgrade. Otherwise, the authoring environment will not start and you will not be able to author policies.
To upgrade the policy components, click Yes.
Set proper locale during UNIX Agent installation:
If you are installing an Agent on Solaris, HP-UX, AIX, Tru64, or Linux and are using a locale other than POSIX or English, be sure to change the default locale setting in the Agent installation kit. The proper locale setting is required to correctly process non-English file names and log data.
If you do forget to set the proper locale during installation, you can change it afterwards, by editing the .profile file located in the <Agent>/IPS directory. Change the LC_CTYPE variable setting to the desired locale. Then reboot the system, so the Agent programs get the new locale setting.
Destination directory entered during UNIX Agent installation must be an ASCII path with no spaces:
If you are installing an HP-UX, Solaris, Linux, AIX, or Tru64 agent on a system that supports non-English character sets, the destination directory you choose for the agent must contain only ASCII characters.
In addition, you may not use spaces in the destination directory.
If you include any non-ASCII characters or spaces in the directory path, the installation will fail.
Agent Name entered during Agent installation must be ASCII:
If you are entering an Agent Name during Windows agent installation, the name must contain only ASCII characters. If you want the agent's name to contain non-ASCII characters, e.g. Japanese characters, you must change the agent name via the Console.
Exported PDF reports don't display double-byte data in some fields:
If you use double-byte characters in the Title, Header, Footer, or Date fields of a report, and export that report as a PDF file, the data won't be displayed in the PDF file. To get the double-byte data to display, export the report as HTML. Double-byte data in the queries contained in the report is displayed correctly in both PDF and HTML formats.
Collect Agent Info fails on some German systems:
If you have installed an Agent on a German system, and used non-English characters in the installation path, the Collect Agent Info script will not work. If you have this problem, you should edit the getagentinfo.bat script and replace the folder(s) in the installation path that contain non-English characters with their Windows 8.3 format names. Once this replacement is done, the Collect Agent Info script will work.