Symantec™ Embedded Security: Critical System Protection 7.0.0 MP2
Last Updated May 31, 2017
Symantec announces the general availability of Symantec Embedded Security: Critical System Protection version 7.0.0 MP2. Version 7.0.0 MP2 contains miscellaneous hardening and bug fixes, which include important customer-reported issues.
Note: The Symantec Embedded Security: Critical System Protection agent, version 7.0.0 MP2, is dual signed with SHA-1 and SHA-2 code signing certificates. Additionally, version 7.0.0 MP2 enables you to install the agent on all the supported Windows platforms through a single Windows installer file, agent.exe. The different Windows installer files (other than agent.exe) that were available in earlier releases have been deprecated.
If a Windows prevention policy was exported and then imported, and you selected that policy for editing and clicked the About button in the policy editor, the Reference Policy Pack was displayed as Unknown. As a result, the policy pack status was incorrectly displayed.
If you exported and then imported entries from the List of processes that services should not start by using the Replace option, the list of entries became corrupted.
The path for rundll32.exe was missing from the List of processes that services should not start. As a result, any service on the system was able to run rundll32.exe.
In a Windows prevention policy, the SysCall options were missing in some sandboxes.
In the Windows prevention policies, there was no provision to deny all access to raw disk devices.
Windows prevention policies have been enhanced. If the Protect the raw local disk device option is selected, then:
In the basic and hardened sandboxes, all access to raw disk devices is denied by default. Lists are provided in these sandboxes to selectively allow writable and read-only access.
In all other sandboxes, read-only access to raw disk devices is allowed by default. Lists are provided in these sandboxes to selectively allow writable access and to deny all access.
Note: Due to the default deny-all access in the Protect the raw local disk device option for basic and hardened sandboxes, file access is denied to an application (which is routed to a basic or hardened sandbox) when it tries to access a device as a raw disk. Ensure that you add an exception for each application that requires access to a device as a raw disk. For example, if Notepad++ is routed to a basic sandbox and requires access to a device as a raw disk, you must add an exception in the Protect the raw local disk device option for Notepad++.
Supported upgrade paths of the management server and agent to 7.0.0 MP2
If you are currently on any of the following versions of Symantec Embedded Security: Critical System Protection, you can directly upgrade your management server and agent to version 7.0.0 MP2:
Symantec Embedded Security: Critical System Protection 7.0.0 MP1
Symantec Embedded Security: Critical System Protection 7.0.0
Symantec Embedded Security: Critical System Protection 6.5.1 MP1
Symantec Embedded Security: Critical System Protection 1.0.1 MP5
Considerations before upgrading the management server and agent
Consider the following important points before you upgrade the management server and agent:
If you are upgrading both the management server and the agent, first upgrade the management server, and then the agent.
Upgrade of the SES: CSP management console is not supported. However, the management server and management console must be of the same version. Therefore, you must uninstall the existing management console, and then install the version of the management console that matches the management server version.