Lumension® KnowledgeBase

Article: 1614  Changing LEMSS 7.3 Server Localization Settings

Beginning with LEMSS 7.3, Lumension added support for displaying the LEMSS Application Server Console User Interface in languages other than English. For customers who want to continue managing their LEMSS console in English, this article discusses how to change the language displayed for the LEMSS Application Server Console UI.

Article: 1613  Bouncer Syslog / SIEM Event Formats

This article details all events output by the Bouncer Manager. These events can be sent to a Syslog server or a Security Information and Event Management (SIEM) system for further processing and correlation.

Article: 1612  Multiple instances of EPUI, PDDM.exe or NotificationManager.exe running on an endpoint

This article explains why a user may see multiple instances of EPUI, PDDM.exe or NotificationManager.exe running on an endpoint with the LEMSS Agent and/or Patch module installed.

Article: 1611  Repeated "Cleaned" Event Alerts Due To the Handling of NTFS Alternate Data Streams (ADS) by the AutoRestore Quarantine Feature in Lumension AntiVirus

This article covers the issue where repeated "Cleaned" event alerts are generated for a file despite it being held in AntiVirus Quarantine.

Article: 1610  Identifying Exceptions for Memory Injection Policies

Reflective memory injection (RMI) is a software coding technique whereby a DLL is injected into a process that is already running in memory. RMI can be malicious, but it is occasionally also used by legitimate applications (such as Photoshop and Citrix client). Lumension Application Control is designed to detect when an RMI occurs, and an associated RMI log event is created.
 
RMI events associated with non-malicious RMI usage (such as Photoshop and Citrix client) can be excluded from memory protection policies so that you can continue using these applications productively while maintaining protection against malicious RMI for all other files.

An Audit mode is provided to test the environment for any applications with legitimate behavior before enforcing the policy.  It is important to remain in Audit mode until all non-malicious executables have been excluded.

Article: 1608  Applications may require multiple files to be added as Trusted Updaters for successful installation on endpoints locked down with L.E.M.S.S. Application Control

Installing applications on locked-down endpoints may require more than the initial installation executable to be added as a Trusted Updater for the installation to succeed.  For example, Google Chrome on locked-down endpoints may require two files to be added as Trusted Updaters for the installation to succeed.

Article: 1607  MSI files are blocked on endpoints locked down with L.E.M.S.S. Application Control unless they are Trusted Updaters

To ensure that files installed via an MSI-based install are added to the endpoint whitelist, MSI installers are blocked from executing on locked-down endpoints if they are not Trusted Updaters. This also means that an MSI file that is not a Trusted Updater cannot be authorized on a locked-down endpoint by Local Authorization, Trusted Publisher, or Trusted Path.

Article: 1606  Whitelisted Windows Update files blocked by L.E.M.S.S. Application Control cannot be added as Trusted Updaters from logs

L.E.M.S.S. 7.3 introduced the Authorize/Deny from Logs feature for Application Control and also introduced a Windows Update protection feature whereby Windows Update files which are on the endpoint whitelist are blocked from executing if they are not Trusted Updaters.  However, when these whitelisted Windows Update files are blocked, the associated log events only appear in the All Application Events log query and the files cannot be added as Trusted Updaters from the logs.

Article: 1605  L.E.M.S.S. 7.3

This article discusses the release of Lumension Endpoint Management and Security Suite (LEMSS) 7.3 and contains a list of enhancements and issues contained in this new release.

Article: 1604  Lumension AntiVirus Technical Notification

This article discusses an issue with the antivirus (AV) definition file released at approximately 3:22am EST / 8:22am GMT on Friday, May 10th.

Article: 1603  Bouncer - Time Sync issues with Hypervisor interaction

This article describes how to properly configure a Bouncer server's time sync settings within a Hypervisor. If time is synced to the Bouncer server incorrectly, unexpected behavior may occur.

Article: 969  Recovering from a Bad AntiVirus Definitions File Update (Lumension EMSS 7.3.x)

This article discusses the recovery procedure to be used when LEMSS downloads an AntiVirus definition file containing a false positive that negatively affects the functionality of endpoints.

Article: 1602  Device Control Shadow File Content Not Accessible

This article addresses the issue where shadow file content is not accessible on the Device Event Log Queries Results page.

Article: 1601  File Filtering is Not Applied When Burning an Encrypted CD/DVD

This article discusses an issue where the file filtering feature provided in Device Control does not function when burning to an encrypted CD/DVD.

Article: 967  Manually move endpoints from one Bouncer Control Center to another

This article describes the process to move endpoints from one Bouncer Control Center (BCC) to another BCC.

Article: 966  Issues with Microsoft update MS13-036

This article discusses an issue with the recently released MS13-036 (bulletin 2823324).

Article: 965  Changing passwords for the ClientAdmin and ServiceAdmin accounts

This article discusses what to do if you need to change your passwords for the ClientAdmin and ServiceAdmin accounts in LEMSS (or have already changed them and now have issues).

Article: 964  Recovering from a Bad AntiVirus Definitions File Update (Lumension EMSS 7.2.x)

This article covers the recovery procedure for the case when the Lumension EMSS Server downloads a bad AntiVirus definition file containing a false positive that negatively affects the functionality of endpoints.


Article: 963  Database maintenance and cleanup recommendations prior to upgrading to 4.4 or 4.5

This article provides information on how to perform Database Maintenance/Clean-up prior to upgrading to 4.4/4.5 from a version prior to 4.4.

Article: 961  MS10-001 and MS10-076 show applicable after deployment

This article discusses an issue where MS10-001 Security Update for Windows Server 2003 (KB972270) and MS10-076 Security Update for Windows Server 2003 (KB982132) can both show 'not patched' after an apparently successful deployment.