What are the Release Notes for VigilEnt Security Agent for WebServers 3.0? (NETIQKB24854)

  • 7724854
  • 02-Feb-2007
  • 08-Sep-2008

Resolution

goal
What are the Release Notes for VigilEnt Security Agent for WebServers 3.0?

fact
VigilEnt Security Agent for WebServers 3.0

fix

New Features and Enhancements

  • Detect/Prevent Functionality: Checks each HTTP request sent to a web server and provides the ability to refuse requests that are recognized as possible attempts to gain unauthorized access to the web site.
  • Port Scanner: Provides the ability to scan a network and locate open ports.
  • Content Scanner: Lets you perform a content analysis of web sites.
  • Lockdown Procedure Enhancements: Lets you exclude files from the File Modification Analysis.
  • Retrieval of Old Reports: Provides the ability to save up to five of each type of report.
  • VigilEnt Security Manager Actions: Provide a set of web server-related actions that can be run from VigilEnt Security Manager.
  • Vulnerability Updates: Added checks to protect you from the latest security threats.
  • Reworked User Interface: Allows easier navigation of the product.

 

Problems Fixed

  • File permissions are no longer changed to read-only by the lockdown archiving process.
  • The performance of the File Modification Analysis and the Restore process has been improved.
  • The installation process has been simplified.

Known Issues

  • VigilEnt Security Agent for Web Servers 3.0 only supports Microsoft Windows 2000/NT
    This release of VigilEnt Security Agent for Web Servers supports IIS, Apache, and iPlanet only on Windows 2000/NT. A future release will support Apache and iPlanet on Unix as well.

 

  • Microsoft Exchange Server Port Conflict
    Microsoft Exchange Server may conflict with the VigilEnt Security Agent for Web Servers communication port (1099). To determine whether port 1099 is in use before installation, run the command c:\winnt\system32\netstat -a -n -p tcp to list the ports that are in use.


To resolve this issue after installation, change the following communication ports on the Manager Server:

    1. Navigate to install_folder\VSAforWebServers\manager.
    2. Open the startup.properties file.
    3. Change the value in the line agent.port=1099 to the number of an available port.
    4. Save and close the viewer.
    5. Navigate to install_folder\VSAforWebServers\guiserver.
    6. Open the startup.properties file.
    7. Change the value in the line agent.port=1099 to the number of an available port.
    8. Save and close the viewer.

To change the communication port on each distributed agent:

  1. Navigate to install_folder\VSAforWebServers\agent.
  2. Open the startup.properties file.
  3. Change the value in the line agent.port=1099 to the number of an available port.
  4. Save and close the viewer.
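
The port change described above, scripted so that the manager, guiserver and agent files cannot drift apart. This is an added example, not part of the product; it assumes startup.properties contains exactly one agent.port line, and the helper names port_is_free and set_agent_port are hypothetical.

```python
import re
import shutil
import socket
from pathlib import Path

# Matches the "agent.port=<n>" line, keeping indentation and any trailing CR intact.
PORT_LINE = re.compile(r"^([ \t]*agent\.port[ \t]*=[ \t]*)(\d+)([ \t]*\r?)$", re.M)

def port_is_free(port):
    """True if the TCP port can currently be bound on this host."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind(("", port))
        except OSError:
            return False
    return True

def set_agent_port(install_folder, new_port, components):
    """Point every listed component's startup.properties at new_port.

    components is ("manager", "guiserver") on the Manager Server and
    ("agent",) on a distributed agent. Returns {component: previous port}.
    """
    if not 1 <= new_port <= 65535:
        raise ValueError(f"invalid TCP port: {new_port}")
    if not port_is_free(new_port):
        raise RuntimeError(f"port {new_port} is already in use on this host")
    planned = {}
    for comp in components:  # validate every file before touching any of them
        path = Path(install_folder) / "VSAforWebServers" / comp / "startup.properties"
        text = path.read_bytes().decode("latin-1")  # .properties files are ISO-8859-1
        found = PORT_LINE.findall(text)
        if len(found) != 1:
            raise RuntimeError(f"{path}: expected one agent.port line, found {len(found)}")
        planned[comp] = (path, text, int(found[0][1]))
    previous = {}
    for comp, (path, text, old) in planned.items():
        shutil.copy2(path, path.with_name(path.name + ".bak"))  # keep a rollback copy
        new_text = PORT_LINE.sub(lambda m: f"{m.group(1)}{new_port}{m.group(3)}", text)
        path.write_bytes(new_text.encode("latin-1"))
        previous[comp] = old
    return previous
```

Use the same port number on the Manager Server and on every distributed agent.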

  • "Send Email Alert" Action Requires Valid Mail Server
    The web server fails to start if the mail server for the Detect/Prevent "Send Email Alert" action is not properly set. Any valid host name (including "localhost") allows the web server to start. A valid SMTP mail server is required for Detect/Prevent to send e-mail alerts. If you do not plan to use e-mail, enter either the host computer name or its loopback address, 127.0.0.1, into the Host Name field of the Specify the Mail Server window.

 

  • Upgrading Runtime Libraries on Windows NT 4.0
    When running on Microsoft Windows NT 4.0 systems, the Detect/Prevent component of VigilEnt Security Agent for Web Servers requires version 6 of both the Microsoft C Runtime Library (MSVCRT.DLL) and Microsoft C++ Runtime Library (MSVCP60.DLL).

To determine if you need to upgrade your system to version 6 of these libraries, perform the following steps.

  1. Use Windows Explorer to determine if the following file exists: System_Root\System32\MSVCP60.DLL. If this file does not exist, an upgrade is required.
  2. Use Windows Explorer to navigate to the following file: System_Root\System32\MSVCRT.DLL
  3. Right-click the file and select Properties.
  4. Click Version.
  5. Check the entry in the File version field. If the entry in this field is less than 6, an upgrade is required.

The utility required to upgrade Windows NT 4.0 is available in the VSA for Web Servers product installation directory. To perform the upgrade, execute the following file: install_folder\VSAforWebServers\IDS\update\vcredist.exe.

Prerequisites for running this utility are:

  • 10 MB of available disk space
  • administrator privileges
  • a valid TEMP directory

A reboot is required after running the utility. This utility was taken from the Microsoft Visual Studio 6.0 Service Pack 5 product distribution. For more information, go to: http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q259403.

  • Installation Cannot Use UNC Paths
    Use absolute paths such as c:\Program Files\PentaSafe\VSAforWebServers rather than Universal Naming Convention (UNC) paths such as \\HostName\share when installing the VigilEnt Security Agent for Web Servers software.

 

  • Search Path Must Include DLLs
    VigilEnt Security Agent for Web Servers uses specific DLL files for both Apache and iPlanet web servers. These DLL files must be included in the system search path, or a runtime error is generated when executing the Access, Configuration, CGI-Bin, and System Check Analysis task if VSA for Web Servers is monitoring Apache or iPlanet web servers and these DLLs are not found. Add the directories containing these DLL files to the system search path using the following guidelines:
    • Apache Users: VigilEnt Security Agent for Web Servers requires the Apache file Win9xConHook.dll. This DLL is normally located in the <Apache install directory>/Apache directory.
    • iPlanet Users: VigilEnt Security Agent for Web Servers requires the iPlanet file nsldap32v30.dll. This DLL is normally located in the <iPlanet install directory>\Server4\bin\https\bin directory.

 

  • Digital Certificate Command Fails
    The digital certificate creation command (vemkcert.bat) currently fails. Digital certificates are used to secure agent/manager communication. VigilEnt Security Agent for Web Servers ships with a default certificate. See "Securing Agent Communication" in Chapter 2 of the User Guide for a more detailed discussion.

A workaround for the problem with the vemkcert.bat file is as follows:

  1. From a command prompt, type the following: edit <install_folder>\bin\vemkcert.bat.
  2. Append a space followed by a "." (period, without the quotes) to the command line. The corrected command is as follows:
    %JAVA% -classpath %CLASSPATH% -Djava.library.path=. com.pentasafe.agentframework.security.KeyStoreSetup .

PentaSafe recommends generating a custom certificate for your installation.

 

  • "Limit MIME Separator Length" Rule Does Not Function Properly on Apache
    The Detect/Prevent rule "Limit MIME Separator Length" does not function properly when used on Apache.

To correct the rule:

  1. Make a backup copy of the following files: <install_folder>/IDS/templates/VSAforApache.xml and <install_folder>/IDS/servers/VSAforApache/config/VSAforApache.xml.
  2. In both files, replace all three instances of <request-content-type/> with <request-header value="Content-Type"/>. 
  3. Save the file.
  4. Go to the Web Server Manager window in the Detect/Prevent component.
  5. Click Update for the Apache server.

 

  • Log File Rolling Results in Multiple Active Log Files
    Log file rolling, available for System and Transaction logs of Detect/Prevent, does not function correctly when roll frequency is set to greater than 1. When a web server is restarted or spawns a new process, the new process is created with a log file rolling interval based on the beginning of the current minute/hour/day (depending upon the roll method selected). This may result in the creation of multiple active log files when the rolling frequency is set to greater than 1.

To work around this problem, set the roll method to ROLL_BY_DAY or ROLL_BY_HOUR and the roll frequency to 1 in the Detect/Prevent settings.
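
Why a roll frequency of 1 avoids the problem, worked through as an added example (not the product's code). It assumes each process writes to one file per rolling window, identified by the window's start time; the timeline is constructed.

```python
from datetime import datetime, timedelta

UNIT = {"ROLL_BY_HOUR": timedelta(hours=1), "ROLL_BY_DAY": timedelta(days=1)}

def unit_start(ts, method):
    """Beginning of the hour or day that contains ts."""
    if method == "ROLL_BY_HOUR":
        return ts.replace(minute=0, second=0, microsecond=0)
    if method == "ROLL_BY_DAY":
        return ts.replace(hour=0, minute=0, second=0, microsecond=0)
    raise ValueError(f"unknown roll method: {method}")

def active_window(process_start, now, method, frequency):
    """Start of the rolling window a process is writing to at `now`.

    The process anchors its schedule at the start of the hour/day in which
    it was created, then rolls every `frequency` units from that anchor.
    """
    anchor = unit_start(process_start, method)
    span = UNIT[method] * frequency
    return anchor + span * ((now - anchor) // span)

def active_files(process_starts, now, method, frequency):
    """Distinct windows open across all processes (assumed: one file per window)."""
    return sorted({active_window(s, now, method, frequency) for s in process_starts})

# Constructed timeline: the original server process, then one spawned 90 minutes later.
STARTS = [datetime(2002, 6, 1, 9, 10), datetime(2002, 6, 1, 10, 40)]
NOW = datetime(2002, 6, 1, 13, 5)

if __name__ == "__main__":
    for freq in (3, 1):
        files = active_files(STARTS, NOW, "ROLL_BY_HOUR", freq)
        print(f"ROLL_BY_HOUR x{freq}: {len(files)} active file(s):",
              [f.isoformat() for f in files])
```

With a frequency of 3 the two processes are anchored at 09:00 and 10:00, so their windows never line up; with a frequency of 1 every window starts on an hour boundary regardless of when the process was created.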

 

  • Log Viewer May Truncate Entries Unexpectedly
    The Log Viewer of Detect/Prevent, by default, uses the newline character \n to determine when a log entry ends. Consequently, if a log entry contains the newline character, the Log Viewer may truncate the log entry or stop reading at that point in the log. This is primarily an issue when viewing the System log. A workaround involves changing the line delimiter character in the log configuration user interface. An alternative line delimiter character is the non-printing character \x0D.
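
A simplified model of the delimiter problem, as an added example (not the product's code). The log layout and the sample System log entries are constructed; the point is that whichever delimiter is configured must never occur inside an entry, which also applies to \x0D.

```python
def write_log(entries, delimiter):
    """Serialize entries as a delimiter-terminated log (layout assumed)."""
    return "".join(entry + delimiter for entry in entries)

def read_log(blob, delimiter):
    """Viewer-side parse: each entry ends at the next delimiter."""
    records = blob.split(delimiter)
    if records and records[-1] == "":
        records.pop()  # the final delimiter terminates the last entry
    return records

def damaged(entries, delimiter):
    """Entries a viewer using `delimiter` would not show intact."""
    shown = read_log(write_log(entries, delimiter), delimiter)
    return [e for e in entries if e not in shown]

def usable_delimiters(entries, candidates=("\n", "\x0d")):
    """Candidate delimiters that do not occur inside any entry."""
    return [d for d in candidates if not any(d in e for e in entries)]

# Constructed System log entries; the second carries a multi-line message.
SYSTEM_LOG = [
    "2002-06-01 10:00:01 INFO rule set loaded",
    "2002-06-01 10:00:02 ERROR configuration parse failed\n  at line 12: unexpected token",
    "2002-06-01 10:00:03 INFO server started",
]

if __name__ == "__main__":
    for name, delim in (("\\n", "\n"), ("\\x0D", "\x0d")):
        records = read_log(write_log(SYSTEM_LOG, delim), delim)
        print(f"delimiter {name}: {len(records)} records, "
              f"{len(damaged(SYSTEM_LOG, delim))} damaged")
```

An entry containing a carriage return (for example text with CRLF line endings) breaks a \x0D-delimited log in the same way, so check the log contents before switching delimiters.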

 

  • Host Availability Issues
    • In rare circumstances the displayed name of a remote agent may not match the actual host. This occurs when a remote agent loses communication with the manager, the manager restarts, and a new agent registers with the manager before the first agent re-establishes communication with the manager. In this situation, the contents of any requested report will contain the correct agent name. If the agent name in the report does not match the selected host, you can re-select the host to force the browser's information to match the correct name.
    • From the Audit tab of the interface, if you select a host that has become unavailable between "heartbeat" checks, a white screen is displayed with no further error message. Re-select the Audit tab, navigate to Select a Host, and select another host. Once the unavailable host has missed enough heartbeats, it is removed from the list, and the list of available hosts no longer shows the unavailable host as a possible selection.

 

  • Apache Version Check
    The Apache configuration check does not require the most recent Apache version. To update the required version:
    1. Edit the manager/properties/ApacheConfPam.prp file.
    2. Change 1.3.19 to 1.3.26.
    3. Restart the agent.
      The correct line reads: *.ApacheConfPam.testVersion=1.3.26
      The next service release will update this version.


Additional Information

Formerly known as NETIQKB24854
