Events added when a Policy change is implemented and system is restarted.

Article:TECH180980  |  Created: 2012-02-08  |  Updated: 2012-03-01  |  Article URL http://www.symantec.com/docs/TECH180980
Article Type
Technical Solution


Issue



Spurious Events are added when a Policy change is implemented and system is restarted.


Environment

This issue exists on all platforms and all versions.


Cause



The SCSP File Collector maintains an internal baseline for every file and directory specified in the set of applied policies. Internally, the individual baselines are referred to as “WatchedFiles” and the set of all baselines is referred to as the “WatchedFile collection”. An individual WatchedFile contains a snapshot in time of a file’s external properties such as: size, owner, timestamps, permissions, etc.


At IDS startup time (or when a new policy is applied), the File Collector constructs the WatchedFile collection by storing the initial properties of each individual WatchedFile. Then, at regular polling intervals, the collection is traversed and the current properties of each file are compared to the stored values.

If the recursion level is changed between shutdown and startup, the stored baseline no longer matches the set of files the new recursion level covers, and this may cause spurious events to be reported.

An upcoming release of Critical Systems Protection will include a check of the recursion level at shutdown and startup to ensure these spurious events do not occur.


Solution



The following options are potential workarounds:

- Use a Baseline policy with a recursion level not equal to 0

- Keep the default recursion level

- After changing the default recursion level but before restarting the IDS agent, delete the serialization data. That data is stored in a file called FileWatch.dat under the IDS/bin folder.

- Move to newer style policies. Newer SCSP detection policies are constructed such that the filewatch.ini configurations that get generated from them have recursion levels specified with each rule.

- Enable the Deny Log option on an agent. This is done in the CSP Manager by selecting Assets, right-clicking on an agent and selecting Properties, then checking the Deny Log box on the General tab.
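As an added illustration (not SCSP's own code), the following Python simulation models the WatchedFile baseline described in the Cause section and the serialization-data workaround from the Solution section. It builds a baseline at one recursion level, persists it at shutdown the way FileWatch.dat would, reloads it at startup under a different recursion level, and shows the spurious "created"/"deleted" events that the first poll reports. It then shows the two fixes: deleting the persisted data so the baseline is rebuilt, and recording the recursion level alongside the baseline so a mismatch triggers a rebuild instead of a diff. The class and function names, the JSON format standing in for FileWatch.dat, the sample file tree, and the convention that recursion level N covers files up to N directory levels below the watched root are all assumptions of the simulation, not the product's behaviour.

```python
"""Constructed simulation of the File Collector baseline; not SCSP's code."""
import json
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class WatchedFile:
    """Snapshot of one file's external properties (a single baseline entry)."""
    path: str
    size: int
    owner: str
    mtime: int


# Constructed in-memory file tree: path -> (size, owner, mtime).
ROOT = "/etc/app"
FILESYSTEM = {
    "/etc/app/app.conf": (120, "root", 1000),
    "/etc/app/conf.d/db.conf": (80, "root", 1000),
    "/etc/app/conf.d/ssl/cert.pem": (1400, "root", 1000),
}


def depth(path):
    """Directory levels below ROOT; assumption: level N covers depth <= N."""
    return path[len(ROOT):].count("/")


def build_collection(fs, recursion_level):
    """Startup / policy apply: store initial properties of every watched file."""
    return {
        path: WatchedFile(path, size, owner, mtime)
        for path, (size, owner, mtime) in fs.items()
        if depth(path) <= recursion_level
    }


def poll(baseline, fs, recursion_level):
    """Polling interval: compare current properties with the stored baseline."""
    current = build_collection(fs, recursion_level)
    events = []
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            events.append(("created", path))
        elif path not in current:
            events.append(("deleted", path))
        elif baseline[path] != current[path]:
            events.append(("modified", path))
    return events


def serialize(collection, recursion_level):
    """Shutdown: persist the baseline together with the level it was built at.
    (Stands in for FileWatch.dat; storing the level is the assumed check.)"""
    return json.dumps({
        "recursion_level": recursion_level,
        "files": [asdict(w) for w in collection.values()],
    })


def restore(blob, fs, recursion_level, check_level):
    """Startup: reload the persisted baseline.

    blob is None  -> serialization data was deleted (workaround): rebuild.
    check_level   -> rebuild when the stored level differs from the current one,
                     instead of diffing against a baseline built at another depth.
    """
    if blob is None:
        return build_collection(fs, recursion_level)
    data = json.loads(blob)
    if check_level and data["recursion_level"] != recursion_level:
        return build_collection(fs, recursion_level)
    return {w["path"]: WatchedFile(**w) for w in data["files"]}


def simulate(old_level, new_level, check_level=False, delete_dat=False):
    """Shut down at old_level, restart at new_level, return first-poll events."""
    blob = serialize(build_collection(FILESYSTEM, old_level), old_level)
    if delete_dat:
        blob = None  # the FileWatch.dat deletion workaround
    baseline = restore(blob, FILESYSTEM, new_level, check_level)
    return poll(baseline, FILESYSTEM, new_level)


if __name__ == "__main__":
    print("level 1 -> 3, no check:", simulate(1, 3))
    print("level 3 -> 1, no check:", simulate(3, 1))
    print("level 1 -> 3, .dat deleted:", simulate(1, 3, delete_dat=True))
    print("level 1 -> 3, level check:", simulate(1, 3, check_level=True))
```

Raising the level after shutdown reports every newly covered file as "created"; lowering it reports every file that dropped out of scope as "deleted". Neither is a real change on disk, which is why a reviewer of the IDS event log should correlate such bursts with policy changes and restarts before treating them as tampering. A genuine modification (a changed size or timestamp) is still detected in both configurations.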





