Release Notes
Parity Build: 7.0.0.1228
Patch Number: 8
Document Version: 1.26
February 11, 2013
Bit9, Inc.
266 Second Ave, Waltham, MA 02451 USA
Tel: 617.393.7400 Fax: 617.393.7499
E-mail: support@bit9.com
Web: http://www.bit9.com
Copyright 2004-2013 Bit9, Inc. All rights reserved. This product may be covered under one or more patents pending. Bit9 and
Parity are trademarks of Bit9, Inc. in the United States and other countries. Any other trademarks and product names used herein
may be the trademarks of their respective owners.
Introduction
The Parity 7.0.0 Release Notes document provides information for users upgrading from previous
versions as well as users new to Parity. It consists of the following major sections:
Before you begin: This section describes preparations you should make before beginning
the installation process for Parity Server.
Parity 7.0: New and modified features: This section describes major changes since 6.0.2
and should be read by all users.
Corrective content: This section describes issues resolved by this release as well as more
general improvements in performance or behavior.
Known issues and limitations: This section describes known issues or anomalies in Parity
7.0.0 that you should be aware of.
Contacting Bit9 support: This section describes ways to contact Bit9 Technical Support
and the information to have prepared to troubleshoot a problem.
Important information
Versions of Parity at Patch 8 and above contain important changes to the handling of Bit9's
digital certificates. We strongly recommend that you upgrade the Parity Server and then
upgrade all Parity Agents from prior versions as soon as is practical. Please contact Bit9 Support
if you have additional questions.
Documentation
Your Parity documentation set consists of online PDF files included with the product distribution
and also available in the support area of the Bit9 web site.
Installing Parity: Provides instructions for installing and configuring the Parity Server and
Parity Agent.
Using Parity: Describes Parity operation, including step-by-step instructions for
administration and configuration tasks. Management topics for computer systems,
including agent installation, are also covered.
Parity Events: Integration Guide: Describes the events that are generated, tracked,
stored, and accessible through the Parity system, and the ways you can access Parity
event data outside of the Parity Console user interface.
2013-02-11
Page 2
System requirements
The most current Operating Environment Requirements for Parity 7.0 are provided in a separate
document which is readily available in the support area of the Bit9 web site.
Both upgrade and new customers should be sure to meet the requirements before proceeding.
Additional downloads
This section contains links to download additional software that may be required to install Parity
version 7.0. Consult the Installing Parity guide for more information.
Windows Installer 4.5:
http://www.microsoft.com/en-us/download/details.aspx?id=8483
SQL Server 2008 Express (R2 SP1):
http://www.microsoft.com/en-us/download/details.aspx?id=26729
Backup Parity server database: Back up your Parity Server database before you begin the
upgrade process. Backup is disabled during upgrade and must be re-enabled once you are
sure the upgrade was successful.
Backup certificates separately: Starting with 7.0, certificates will be backed up in the Parity
database. Further upgrades will not require backing up certificates.
Disable distribution systems: If you use third party deployment mechanisms (e.g. SCCM),
either disable the distribution of the Parity Agent using SCCM and use Parity Server for
upgrading agents, or disable Parity Server from upgrading agents and use your third party
deployment mechanism to upgrade the agents.
Review external event settings: If you use External Events, review the settings to ensure
they are still enabled and correctly functioning. The External Event schema has been changed.
Review the user guide for how to upgrade it.
Review updaters: New Updaters have been added. Review the Updaters tab on the
Software Rules page to make sure the correct updaters are enabled.
Update agent distribution points: If you use third party deployment mechanisms (e.g.
SCCM), re-enable or re-create them using new agent packages from the upgraded Parity
Server.
Review the new Parity installations section: Although it is for new installations, this
section also includes information of possible interest to upgrade customers.
Choose account for Parity server installation: Bit9 recommends that you use a Domain
Service Account for Parity Server installation. If you plan to use Active Directory services
or use an authenticated proxy to access the Internet, a Domain Account is required for
Parity Server Service. This account must be assigned Local Administrator privileges on the
Parity Server.
Note: Do not change the permissions level of the account with which you install Parity
after installation.
Review .NET configuration: If Microsoft .NET 4 is installed on your Parity Server system
with Windows 2008 Server, ensure that the IIS DefaultAppPool is set to use .NET
Framework v2.0.50727 by default.
Prepare to enable Parity agent management access: The Parity Agent Management
screen in the new installation dialog allows you to designate a user or group, or a
password usable by anyone, to perform certain agent management activities assisted by
Bit9 Technical Support. Especially if you will have client computers that will never be
connected to Parity Server, it is best to set up a client access option before generating and
distributing agent installation packages. If you are unable to configure access during
installation, you can do it later on the Management Configuration page in Parity Console.
See the Using Parity manual (or online help) for more details.
Enable Parity CLI management access: If you did not enable Parity Agent Management
access during installation, go to the General tab of the System Configuration page in Parity
Console to enable it, preferably before deploying agents. See Configuring Agent
Management Privileges in the Using Parity manual (or online help) for more details.
Confirm agent installation privileges: The Parity Agent installer must be run either by
Local System or a user account that has administrative rights and a loadable user profile.
Consider agent rollout impact: As soon as the Parity Agent is installed, it connects with
the server and begins initializing files. Because initialization can involve an increased flow
of data between the Parity Server and its new client, be sure your agent rollout plans take
your network capacity and number of files into account. Simultaneous agent installation
on all the computers on a large network is not recommended.
Review trusted updaters: Review Trusted Updaters to ensure the correct ones are
enabled for your environment before you begin large-scale Parity Agent deployment.
Note in particular these updater changes:
o In Parity 6.0.2, there were separate updaters for Java Virtual Machine only and for Java and Bundled
Software. In Parity 7.0.0, there is a single updater called Java that replaces both of these, and when
enabled, allows updates to Java and related bundled software.
Review root certificates for trusted publishers: Trusted Publishers are validated by
Windows. For proper validation to occur, the correct, up-to-date root certificates must be
installed for these publishers. You should ensure that Microsoft root certificate updates
are included in your Windows Updates. If you plan to use in-house certificates, ensure
that your in-house root certificates are installed on each endpoint on which you will install
Parity Agent.
Test user-supplied certificates: Parity Server allows you to use user-supplied certificates
for Parity Agent-Server communication. To validate this certificate, each agent system
must have up-to-date root certificates. Bit9 recommends that you test your new
certificates before large-scale Parity Agent deployment begins. See Securing Agent-Server
Communications in the Using Parity manual or online Help for more details.
Specify a custom notifier logo if necessary: You can specify a custom logo for the notifier
that appears when Parity blocks an action on an agent computer. See Specifying a
Custom Notifier Logo in Using Parity (or online Help).
Review content of trusted directories for distribution systems: If you use Windows
Software Update Services (WSUS) or other software distribution mechanisms (e.g. SCCM
or Altiris), pre-approving this content with a Trusted Directory before large-scale Parity
Agent deployment will ensure a more effective transition to Lockdown.
Java tracking: Support for tracking Java class and jar files is not enabled by default. If you
plan to track Java applications, please enable java files in Rules -> Software Rules Scripts.
Exclude Parity agent from AV scanning: Antivirus products should be configured to
exclude the following from on-access scanning:
o
o
o
Consider other agent interactions: Certain other types of software may interact with
Parity Agent; contact Bit9 Support for more information on each of these cases:
o The SMS Software Approval updater has been removed because Microsoft SMS has reached its end of
life. The replacement product is Microsoft SCCM, for which there is an updater in Parity.
o Disk encryption software may interact with the Parity Agent. In general, full disk or partition encryption
should minimize the chances of problems. However, some encryption products are compatible with
Parity with other types of encryption (file or folder) enabled.
o Ghosting or imaging systems with Parity pre-installed requires additional steps on the master system.
Please consult Using Parity for more information.
Do not change SQL recovery model: Parity sets the Simple Recovery Model for the Parity
SQL Database. Do not change this.
Console terminology
Parity v7.0 key terminology changed to make it clearer and more descriptive for users. These
changes are:
Previous Term
Seccon
Lockdown
Block & Ask
Monitor
Online
Offline
Pending
IPv6 support
Parity v7.0 supports both IPv4 and IPv6. The server automatically detects the availability of each
protocol.
Parity 7.0 Release Notes
Corrective Content
If you are upgrading from Parity 6.0.2, note that this release of Parity 7.0 addresses all of the
relevant issues that have been addressed in 6.0.2 patch releases to date. Each release includes
general improvements in product quality, based on our on-going testing of Parity 7.0.
Details: In some circumstances, a diagnostic file upload would prevent the reporting of other events to
the server. In this release, diagnostic upload is managed separately from event reporting, thus avoiding
this issue.
Details: When a file was approved due to an Updater rule, the event report for this action incorrectly
identified it as a Custom Rule action. This release reports Updater-related events correctly.
Details: Deletion of file execution meters could cause a race condition that would deadlock the Bit9 agent
and cause a large number of threads to be created. The race condition is corrected in this release.
Details: In rare circumstances, the name of a network file would be incorrectly identified in a Bit9
notification. This release addresses the cause of this issue.
Details: After a Bit9 agent had been installed for 128 days, it would report that its system time had
changed, even though no time change had occurred on the endpoint. This release eliminates the
erroneous time change report and the related health check failures for affected agents.
Details: An interoperability issue with Ultrabac would cause a system with both Bit9 and Ultrabac
installed to hang at boot time. In this release, Bit9 delays some operations early in the boot process,
allowing both products to function correctly.
Details: On Windows 2003 Server systems, a Stop Error with the code 0x000000DF
(IMPERSONATING_WORKER_THREAD) would occur in certain circumstances, especially when Symantec
Antivirus is installed along with Bit9. This release ensures that the Parity driver correctly manages
internal system resources in a way that is compatible with older versions of Windows and that also works
correctly in conjunction with Symantec Antivirus.
The digital certificate used to sign prior releases has been revoked. In addition to using a newly issued
certificate, this release will explicitly unapprove any software that was previously signed by the revoked
certificate, even when Bit9 is a Trusted Publisher. This prevents any software signed by this certificate
from running in Medium or High Enforcement.
Details: When periodic event pruning of the event database occurred, it would temporarily delay the
sending of execution events from the Bit9 agent. In this release, events are sent in a timely fashion even
during event pruning.
Details: This release adds the ability to exclude certain low-level kernel operations from processing by
Bit9. This provides the ability to handle interaction with certain other kernel drivers that require
unfettered access to particular files in order to operate correctly.
Details: Performance improvements were made in the processing of alerts and events in this release by
adjusting the SQL Server parallelism used.
Details: This release includes improvements in performance to the background processing of Files on
Computers data.
Details: In this release, improvements were made in scheduling the processing of data received from
Trusted Directories. This is particularly noticeable when there are several busy Trusted Directories.
Details: When a remote SQL Server database was used, the Bit9 console would display inappropriate
configuration fields, which would lead to errors when backups were enabled. This release corrects the
console to display the appropriate settings.
Creating New Saved Views does not Update Saved View Choice [28990]
Details: When a new Saved View was created, the Bit9 console did not select this view as the current
choice. This problem is corrected in this release.
Details: If a Custom Rule was disabled and then immediately deleted, this change would not be sent to
agents. In this release, agents are correctly informed of the deletion of the rule.
Server Exception Processing Information from Trusted Directory [28614, 28811, 29069]
Details: In certain circumstances, data sent by a Trusted Directory on an agent to the server would cause
the server to encounter an exception, which would prevent the server from efficiently processing Trusted
Directory approvals. This release addresses the exception.
Details: In syslog events generated by Bit9, the ban_name field contained incorrect data. This release
correctly sends the name of the ban that appears in the Bit9 console or a blank field if there is no
associated ban name.
Details: In some circumstances, even though the Upgrade check box was selected for a particular policy,
the agents would take a long time to be scheduled for upgrades. This release schedules upgrades in a
more timely fashion.
Details: When a USB device reported its device descriptor as blank text, the device could not be approved
from the Bit9 console. This release now uses the vendor descriptor in those cases where the device
descriptor is blank, which allows the device to be approved.
Details: In some circumstances, the SQL database would deadlock while Bit9 was marking files as deleted.
This release breaks the process into smaller chunks, thus ensuring that the database does not deadlock.
Details: In very rare circumstances, the Bit9 server would deadlock when accessing the SQL database.
This release corrects the known causes of these deadlocks.
Details: Several security issues affecting the security of the Parity console were addressed in this release.
Details: This release improves the efficiency of upgrades from prior major releases of Bit9 (e.g. v6.0.2).
Details: In some circumstances, a hard reset, power failure or system crash can corrupt the Parity agent's
database. If this occurred more than once within a 12-hour period, the agent would reinitialize and need
to download information from the Parity server, which could lead to unexpected agent behavior,
including blocks. In this release, the agent is now more resilient to the failures that caused this condition.
Details: After an upgrade, the Parity agent was reporting information to the Parity server on all approved
and banned files, causing an increase in network traffic. In this release, only changes in the state of the
files are reported to the server.
Details: When an agent received a request for a cache consistency check during initialization, the
initialization process would be incorrectly terminated. This would later cause pre-existing files to block
when in High Enforcement. In this release, cache consistency checks are ignored until initialization is
complete.
Details: In some circumstances, when Parity was newly installed on Windows 2003 Server or Windows
XP, the Reboot required status would not be cleared, even after a reboot. In this release, the status is
correctly cleared.
Details: For Policies assigned by Active Directory mapping, agents would occasionally move between
Enforcement levels unexpectedly. This release corrects issues in the mapping mechanism.
Details: On systems running Windows 2008 R2 Server Core, the built-in Parity health check mechanism
would incorrectly check the certificate on a Windows system file that does not exist on Server Core,
producing an erroneous health check failure. For this release, the health check is performed using a
Windows system file that exists on all Windows platforms.
Details: When accessing files over a network, the Parity agent would cause a marked slowdown in the
performance of certain operations, such as copying files. By caching additional internal information, this
release improves the performance of operations on network files.
Details: In some circumstances, the Parity server would not correctly propagate approvals and rules to
agents. This occurred when certain types of Custom Rules were to be sent. In this release, the server
correctly sends these rules, allowing agents to update.
Details: In some environments, Parity agents would not connect to the Parity server, and the server
would log errors for AcceptSecurityContext, referencing error code 0x80080321. This error indicated a
failure to properly negotiate the SSL connection between agents and the server. This release corrects the
underlying issue with SSL negotiation in the Parity Server.
Details: In previous releases, an agent's debug state was not displayed in the Parity console. The
computer details page now contains agent debug level information and the Computers page now
provides a column for agent debug level.
Details: In previous releases, the Parity agent would not correctly clean and rotate its log files. This
release adjusts log rotation to account for both the total number of files and their overall size, reducing
the space consumed.
Details: An internal Parity server task that tracks data for alerting was not functioning correctly, which
caused alerts not to be correctly triggered. In this release, the internal task is corrected and alerts now
trigger correctly.
Details: When many agents in a large deployment were initializing, the Parity console would occasionally
give a fatal error. This required the Parity server to be restarted to regain access. This release resolves
the error.
Details: If an agent was moved from a Policy that did not allow upgrades into a Policy which did, it would
fail to upgrade until a user logon caused the agent to re-register with the server. During this time, the
agent would remain in Not requested state in the Parity console. In this release, the server correctly
flags an agent for upgrade when it is moved into a Policy that has upgrades enabled.
Details: On systems where Symantec Anti-virus is installed, the system may hang when a USB storage
device is inserted. The Parity driver was waiting for information from the system that was not yet
available on initial insertion of the USB device. This release does not wait for this information.
Changing Time Zone Does Not Affect Event Timestamps [25160, 27134]
Details: When the Parity server time zone was changed in the System Configuration section of the Parity
console, the timestamps of events displayed by the console were incorrect. In this release, the
timestamps correctly display in the chosen time zone.
Details: In the Parity console, the Find Files page would incorrectly reset filters when moving to and from
the page. This release correctly retains any filters in this case.
Details: In previous releases, a permission issue caused the Parity Server to log a misleading message.
This permission issue has been eliminated so that the Parity Server can correctly communicate statistics
to the log files.
Details: In some cases, manually deleting a Parity Agent Clone inside the Parity Console would result in
the associated Parity Agent Template also being removed. In this release, the Parity Agent Template is
retained when deleting clones associated with it.
Details: Parity Agent Clones were not automatically pruned from the Parity Console as defined in the
associated Parity Agent Template. In this release, disconnected Parity Agent clones are removed from the
Computers list according to the schedule specified in their template.
Details: In some circumstances, the Parity Console Dashboard would display an Incorrect Syntax error
after logging into the console. This has been addressed in this release.
Details: In rare circumstances, the Parity Agent would encounter an issue processing the ConfigList. In
this release, the root cause for this issue has been addressed.
Details: In previous releases, the name of the user making an approval request (Requestor) was
incorrectly displayed on the Approval Requests page in the Parity Console. In this release, the correct
Requestor names are shown.
Details: In previous releases, configuring a Trusted Publisher for only selected policies resulted in
approval of the publisher for all policies. In this release, approvals for Trusted Publishers are correctly
limited to specified policies if that option is chosen.
Details: In previous releases, certain classifications of Tamper Protection events were inappropriately
reported to the Parity Server. In this release, reporting of Tamper Protection events has been optimized.
Details: After a patch upgrade of a Parity Server that is running Parity Agent, the Parity Dashboard may
display an Access is Denied error. If you are experiencing this issue, please contact Bit9 Support.
Details: A Parity Server upgrade can reset the alerts for Malicious File and Potential Risk. In this release,
Parity Server alerts of this type are retained during upgrade.
Details: In previous releases, there was a character limit on the Parity Notifier Text field that could cause
the custom message to be truncated. In this release, the supported character length has been extended
to 1900 characters.
Details: In the Parity Console, typing the < character when entering Custom or Memory Rules should
auto-complete with available Parity macros. In some circumstances, no auto-completion would occur.
This release auto-completes macros in all appropriate Parity Console fields.
Details: If & was used in the Computer Tag or Description fields on the Computer Details page, it would
be replaced with &amp; when the details were saved. The & character is now correctly preserved in
these fields.
Details: Reset Current Settings in a Parity Console user's preferences did not reset the Saved View. In
this release, clicking Reset Current Settings correctly clears the filter settings.
Details: When filters or groupings were added to a Saved View, these changes would be lost when
navigating away from the page and later returning to the same page. This release corrects this issue.
Details: A Windows kernel deadlock was identified when the Parity Agent was running on high-volume
servers. In this release, the identified deadlock condition has been eliminated.
Details: In previous releases, attaching a USB device to a host with more than one security solution would
sometimes cause a stop error. This release improves interoperability with removable devices when other
security products are installed on the same host.
Details: When using the Parity Console in Internet Explorer 8, certain drop down menu options would not
show the entire text of the command. In this release, drop down menus now expand to show the entire
text.
Details: In some cases, the Parity Agent would not process ConfigList updates properly. In this release,
the issue is resolved.
Details: Health check could fail when attempting to gather information on volumes that had already been
removed. In this release, information is correctly processed.
Details: Parity Agent incorrectly identified some Dynamic Disks as removable devices. This issue has been
resolved.
Details: In some cases, events indicating a file was approved due to Trusted User were not generated.
Events are now generated as expected.
Details: Parity Server upgrades would sometimes fail due to the length of custom rules. In this release,
custom rules are properly migrated.
Details: An issue in the Parity Reporter occasionally caused it to stop processing periodic tasks. These
include the processing of Files on Computers information, backups and other low priority tasks. This
release fixes the underlying issue that was preventing the Parity Reporter from correctly scheduling and
processing these tasks.
Details: In previous releases, the SSL thread count was not configurable. In this release, this value can be
adjusted per the guidance of Bit9 Support.
Details: When browsing the Active Directory to create Policy Mappings, certain Unicode characters could
not be selected in the Active Directory browser. This release allows mappings to be created from Active
Directory objects that contain any Unicode character.
Details: When an Active Directory user logged into the Parity Console, certain Unicode characters in the
user's name were displayed incorrectly. In this release, the characters are now displayed as they appear
in the Active Directory.
Details: The alert to confirm connectivity to Parity Knowledge after an outage was not properly cleared.
This alert now reflects correct connection status.
Details: The Parity Agent would not hash an MSI file that it determined was not crawlable. The Parity
Agent now reports the hash regardless of whether it can crawl the contents of the installer.
Details: Changes in memory or registry rules were not propagating correctly to agents, which could result
in blocks even when rules had been changed to report only. This release correctly propagates the
changes.
Details: Although Windows uses case-insensitive file names, in some circumstances the names of files
discovered on Parity agents were recorded as mixed case, leading to inconsistent results when Parity
Console users searched for these files. In this release, all Windows file names are converted to lower
case, allowing for easy searching using lower case names.
Details: Due to interactions with Parity tamper protection, clicking on the link in the Notifier dialog would
cause the Notifier to crash in some circumstances. In this release, tamper protection does not interfere
with the Notifier link.
Details: The documentation for the Live SDK now includes details of the differences between the Live SDK
API in 6.0.2 and 7.0.0 releases.
Details: In some cases, upgrade would fail with a schema error, even though there were no schema
issues. This release eliminates the false error report that interfered with upgrades.
Details: In certain circumstances, upgrade would fail when the Parity Server had certain Custom Rules in
place. This release allows these rules and Parity Server to be upgraded successfully.
Details: After upgrade, the Parity Server would log a database exception about ExternalDBGetEvents.
This release eliminates the exception.
Details: In rare circumstances, when the Parity Server upgrade process encountered an issue, the Parity
Server would fail to start. This release corrects this, allowing the Parity Server to start correctly after
upgrade.
Details: The use of a SQL Server default collation setting other than US English caused problems with
Parity tasks, including agent upgrade. In this release, Parity Server can run with a non-default SQL
collation setting.
Upgrade Fails with Large Databases or Low Disk Space on SQL Server
Details: Attempts to upgrade large databases or those on SQL Servers with low disk space would fail. This
release includes a mechanism that, with the assistance of Bit9 Support, allows successful upgrades in
these situations.
Details: Due to an underlying Windows issue, a stop error would occur at boot time. This release includes
a work-around for the underlying issue.
Details: Due to changes in the way that Webex updates itself, the Webex Trusted Updater was not
approving all files. This release includes additional logic to account for these changes.
Details: In rare circumstances, an upgrade from Parity 6.0.x would fail due to a complex Custom Rule. In
this release, complex rules are correctly processed and the upgrade succeeds.
Details: In previous releases, attempts to install Parity Server on systems without .NET 3.5 produced an
installer error. In this release, the installer provides a warning that .NET 3.5 is required and exits.
Details: In some circumstances, blocks occurred on approved files following an abrupt shutdown (such as
a power loss or crash). This was due to a client database integrity check following the shutdown. This
issue is addressed in this release.
If you use the Export to CSV File feature in a Parity table (such as the Computers page),
there is a limit of 25,000 on the number of rows that can be exported.
Some or all memory rules are not supported on certain operating systems:
o
o
o
In Memory Rules: Do not use Prompt as the action for Dynamic Code Execution rules. This
could cause a deadlock situation.
If a Registry Rule is configured to block writing to a full path (no wildcard on the left), the
rule will block attempts to rename and delete a key or value, but it will not block creation
of a new key. However, no values can be created under this key.
By default, computers running Microsoft Vista or Windows 7 operating systems have User
Access Control (UAC) enabled. With UAC, users are not actually members of a built-in,
privileged group unless they have been given "elevated privilege". Because of this, a Parity
rule that relies on a pre-defined group to identify a user may not work for computers
running Vista or Windows 7. If a group definition is necessary for a rule, consider using
security groups you have defined rather than the pre-defined groups.
Reporting Problems
When you call or e-mail Bit9 technical support, please provide the following information to the
support representative:
Required Information: Description
Contact
Product version: Product name (Parity Server, Parity Agent, or Parity Knowledge) and version number
Hardware configuration
Document version: For documentation issues, specify the version of the manual you are using.
The date and version of the document appear after the copyright section of each manual.
Problem: Action causing the problem, error message returned, and event log output (as appropriate)