Lumension® KnowledgeBase

Article Number:
1742

Date Created:
09/24/2015

Last Updated:
03/11/2017

Article Type:
Release Notes

HEAT E.M.S.S. 8.3

Description

Product:

L.E.M.S.S.

Versions:

HEAT Endpoint Management and Security Suite 8.3 (HEAT EMSS)

Summary:

We are pleased to announce the general availability of HEAT Endpoint Management and Security Suite 8.3 (Server Suite 8.3.0.10).

Details

Release Notes

We are pleased to announce the general availability of HEAT Endpoint Management and Security Suite 8.3 (Server Suite 8.3.0.10).
Note:
  • HEAT recommends that all updates be tested before entering production environments.
  • This release supersedes HEAT Endpoint Management and Security Suite Server Suite 8.2.0.10.

New Features

HEAT Endpoint Management and Security Suite (HEAT EMSS) 8.3 has several new features in this release.

Core Platform

Brand Refresh

If you haven't already heard, Lumension has merged with FrontRange to form a brand-new company, HEAT Software! As a result, we've renamed Lumension Endpoint Management Security Suite to HEAT Endpoint Management Security Suite. After upgrading to 8.3, you'll see some updated branding and a different color palette.

Updated Platform Support

8.3 adds full support for a few additional Microsoft platforms. HEAT EMSS now fully supports most versions of:

  • Windows 10
  • Windows 8.1 Embedded Industry Pro
  • Windows 8.1 Embedded Industry Enterprise

For all the details regarding which flavors of these operating systems are supported, refer to the HEAT Endpoint Management and Security Suite: Agent Installation Guide.

Performance and Stability Improvements

A few parts of HEAT EMSS perform substantially faster.
  • Endpoints page: In environments with a large number of endpoints, the Endpoints page now loads faster. For example, it loads 300% faster with 20,000 endpoints.
  • Replication: HEAT EMSS now downloads patch content from the Global Subscription Service much faster.
    • Initial replication performance increase: 200%
    • Incremental replications without content changes: 45%
  • Discover Applicable Updates Scanning (DAUs): DAU scans now complete successfully more consistently. This improvement also improves server performance, since it doesn't have to process failed DAUs.
  • Endpoint Log Collector: This utility that's used for troubleshooting is now fully integrated into the HEAT EMSS Agent (it used to be a stand-alone tool). This improvement is great for customers with secure change control processes who don't want to deploy a new program.

Application Control

Application Control Event Log Queries: Copy Scheduled Queries or Rerun Completed Ones

Save time and effort when creating Application Control Log Queries that are similar to ones you have already configured.
  1. Click Review > Application Control Log Queries.
  2. Select a query you want to base the new query on:
    • To base a new query on a scheduled query, select a query on the Scheduled tab and click Copy.

    • To base a new query on a completed query, select a query on the Completed tab and click Run Again.

      Both actions launch the Create application control log query wizard containing the original query's settings.

  3. Complete the wizard.

Trusted Updater Rules Engine Enhancements

We've added more restrictions to the Trusted Updater rules engine to prevent the unintentional whitelisting of files that occurred in certain rare cases. The changes strengthen Trust Inheritance, the mechanism that enables untrusted services to update the endpoint whitelist.

NOTE: It is possible that some Trusted Updaters may no longer work correctly because of the more restrictive rules. Upgrade a small test group of your endpoints first to confirm that applications are being updated correctly. If you encounter issues, contact HEAT Support to update the list of Trusted Services.

AntiVirus

Potentially Unwanted Application (PUA) Detection

You can now set what action to take on PUA detection in your environment. PUAs are applications that the user consents to installing, yet that annoy the user or compromise privacy and security. These include adware, toolbars, and other browser add-ons. Some applications that fall into this category, like commercial keyloggers, are legitimate and should not be treated as malware.

  1. Start configuring a Scan Now or AntiVirus policy.
  2. In the Scanning section of the wizard, set When a potentially unwanted application (PUA) is detected:
    • Perform no action
    • Send alert
    • Alert and Action (treat as malware)
  3. Complete the wizard.


Rootkit Detection

You can now use HEAT EMSS to detect rootkits, which are software that gives unauthorized users full access to your endpoints.

  1. Start configuring a Recurring Virus and Malware Scan or Scan Now - Virus and Malware Scan.
  2. In the Scanning section of the wizard, select Rootkit detection.
  3. Complete the wizard.

Exclusions Grid Improved

We've made it easier to add exclusions to your AntiVirus scans correctly. In the new grid list you can clearly identify an exclusion as a file, folder or process (Real-time Monitoring Policy only).

Validation has been improved to catch common errors, like not adding a backslash to the end of a folder exclusion.

Process Exclusions in Real-time Monitoring Policies

You can now exclude processes that cause noticeable performance issues on endpoints protected by a Real-time Monitoring Policy.
  1. Start configuring a Real-time Monitoring Policy.
  2. On the Exclude Files, Folder and Processes panel, click Add.
  3. In the Type list, select Process.

  4. In the Path box, enter the process path.
  5. Click the green check mark.
  6. Complete the wizard.
When importing excludes using an XML list, add processes using the tag: <pexclude path=""/>

Integration with Action Center

Windows now recognizes an endpoint as having Spyware and unwanted software protection turned on when it is assigned a Real-time Monitoring Policy. No more annoying balloons from Action Center (called Windows Security Center in pre-Windows 7 releases).

New Endpoint Log for Recording AntiVirus Definition Updates

We've added the log C:\ProgramData\HEAT Software\EMSSAgent\logs\AV\DefUpdate.log so you can track successful and unsuccessful downloads of new definitions. With it you can demonstrate ongoing compliance for auditing purposes, validating that an endpoint has been kept up-to-date with the latest definitions file over time.

Pending Reboot Delete Status

You'll now see a notification on the endpoint when a reboot is required to clean or delete a quarantined file.

Device Control

Extended Portable Device Data Protection

You can now apply read-only access, file shadowing, and file copy limits to portable devices like mobile phones and media players that enter your environment:
  1. Start configuring a Device Class Policy or Device Collection Policy.
  2. In the Device Class list, select Portable Devices.
  3. In the Settings applied by this policy section, the Shadow settings and Daily copy limit options are now selectable.

  4. If you select Permissions settings, you can now set read-only access.
  5. Complete the wizard.

Charging Mode

Users can now charge their portable devices without you having to allow read/write permissions.

Printed Content Shadowing

The Printed Content Shadowing feature lets you view the activity of users with print permission. Use it to prevent users from printing confidential information.

  1. Start configuring a Device Class Policy or Device Collection Policy.
  2. In the Device Class list, select Printers.
  3. In the Settings applied by this policy section, select Shadow settings.

  4. On the Shadow settings panel later in the wizard, select Shadow printed content.

  5. Complete the wizard.
A Printer policy with shadowing enabled captures the PRN file sent to the printer and generates a shadowing event. The endpoint uploads the file to the server location set in Tools > Options > Device Control > Server shadow directory.

You can view the contents of a PRN file by reprinting it or opening it in a print spooler file viewer application.

Keylogger Detection and Enforcement

You can now select what happens when an agent detects a keyboard change that could potentially be a keylogger. A keylogger is a device placed between a USB port and a keyboard cable that logs a user's keystrokes to capture passwords or other sensitive information.

  1. Select Tools > Options.
  2. Click the Device Control tab.
  3. In the General Settings section, select an item from the Agent action on detect USB key logger list.

The user should immediately find the device and remove it if it is not a valid keyboard. You can review keylogger events in your environment by creating a Device Event Log Query of type Detected keyloggers.

Exclusive mode protects against Rubber Ducky, a USB keyboard emulation device that can inject payloads that change system settings and capture data.

Add Devices to the Device Library From All Event Types

You can now add devices that carry a Model ID and class other than Unmanaged from an event to an existing or new collection in the Device Library.

Device Friendly Names

Manufacturers don’t always use built-in device names that you can easily read and identify. We've published an SQL script to help you replace such instances of unclear names with friendlier ones. Contact HEAT Support for more information.

Database Maintenance

You can now configure recurring purge jobs that safely remove old Device Control events and keep a smaller, faster database. Stored events become less useful and relevant over time, and their build-up can lead to performance issues.
  1. Click Tools > Database Maintenance.
  2. Click Schedule Maintenance.

  3. Complete the wizard.

Running regular purges is a best practice we recommend you set up in your environment. The number and types of events kept should be according to your organization’s business needs.

Events become eligible for purging when they exceed the minimum age you specify in the Purge events older than X days field.

Though purge jobs can run while DC is processing new events, we recommend that you schedule them for off-peak hours. Use a purge job’s Maximum purge duration to manage purge time (minutes) and server load. At time-out the system finishes the event batch it is purging and then stops.
Caution: Purging is irreversible! Use care when configuring a purge job to avoid removing necessary data by accident.

Device Event Log Queries: Copy Scheduled Queries or Rerun Completed Ones

Save time and effort when creating Device Event Log Queries that are similar to ones you have already configured.
  1. Click Review > Device Event Log Queries.
  2. Select a query you want to base the new query on:
    • To base a new query on a scheduled query, select a query on the Scheduled tab and click Copy.

    • To base a new query on a completed query, select a query on the Completed tab and click Run Again.

      Both actions launch the Create device log query wizard containing the original query's settings.

  3. Complete the wizard.

Refresh Device Event Log Query Results

You can now refresh a completed Device Event Log Query to import all events sent from endpoints without having to recreate the query.
  1. Click Review > Device Event Log Queries.
  2. Select the Completed tab.
  3. Click the name of a completed query in the list. The query results page displays.
  4. Click Refresh.

From the moment you click Refresh, relevant events received in the last 24 hours appear in the results grid list.

File Export Tool to Decrypt Devices Encrypted with Non-Portable Encryption

We’ve developed a tool to help users that have media encrypted with non-portable encryption but no matching decryption keyfile. Contact HEAT Support for more information.

Patch and Remediation

Do Not Patch

The new Do Not Patch feature allows you to exclude patch deployment for endpoints or groups that you choose. This feature can be used to prevent patches that negatively impact an endpoint from being deployed to it. It also allows you to track the reason that you've excluded the patch.

To use it:

  1. Open any HEAT EMSS page that lists patches.
  2. Select any patch you want to exclude and then click Do Not Patch.
  3. Complete the wizard.

After marking content as Do Not Patch, you can reenable it for an endpoint at any time. You can monitor patch and endpoint status a few different ways. You can:

  • View any content page and sort the patches using the Do Not Patch column.
  • Drill into a patch and then select the Do Not Patch tab.
  • Navigate to Reports > Deployments and print one of the following reports, filtered for Do Not Patch parameters:
    • Deployment Detail Report
    • Deployment Status Report
    • Package Compliance Detail Report

End of Life Notices

Some older Lumension Endpoint Management and Security Suite (LEMSS) releases are no longer supported for 8.3.

7.2.x.x

LEMSS 7.2 is no longer supported as of the HEAT EMSS 8.3 release. LEMSS 7.2 can only be upgraded to 8.3 by first upgrading to 7.3.x.x or 8.x and then upgrading to HEAT EMSS 8.3.

Legacy Agent Sections Removed from the AntiVirus User Interface

AntiVirus moved to a new engine on 31 July 2015. From this date the “legacy” definition file feed is turned off.

We’ve removed the 7.2 to 8.1 fields in:
  • AntiVirus tab on the Subscription Service Configuration panel.
  • AntiVirus Engine & Definition Distribution Settings section of Agent Policy Sets.

FAQ

How Do I Obtain 8.3?

New Server Installs
Download the HEAT EMSS 8.3 installer from the HEAT Customer Portal.
Existing Installs (Upgrades)
Within the HEAT EMSS console, replicate with the Global Subscription Service. Then download the 8.3 components using Installation Manager.
New Server Install
For new server installs, launch the installer you downloaded from the portal.
Existing Server Upgrades:
  1. Open the LEMSS console.
  2. From the toolbar, select Tools > Launch Installation Manager.
  3. Upgrade the manager when prompted.
  4. Select the New/Update Components tab.
  5. Choose 8.3 (8.3.0.10) and begin the upgrade.
New Agent Installs:
  1. Log on to your endpoint.
  2. Open the HEAT EMSS console and select Tools > Download Agent Installer.
  3. Select agent version 8.3.0.10 and run the installer.
Existing Agent Upgrades:
Note: If possible, time your upgrade at least an hour apart from Patch and Remediation DAUs to maximize reliability.
  1. Open the HEAT EMSS console and select Manage > Endpoints from the navigation menu.
  2. Select endpoints to upgrade and click the Agent Versions button on the toolbar.
  3. Apply the most recent version of the agent to your endpoints and click OK.
Note: A small percentage of endpoints may need additional time or user interaction to complete the upgrade. See Known Issues for more information.

How Do I Determine if My Upgrade Was Successful?

Server
From the HEAT EMSS console, navigate to Help > About. Successful upgrades will display a Server Suite Version of 8.3.0.10.
Agent
From the HEAT EMSS console, navigate to Manage > Endpoints. Successful agent upgrades will display a version of 8.3.0.10.

Issues Resolved

The HEAT Endpoint Management and Security Suite (HEAT EMSS) 8.3 release resolves the following issues.

Core

ID Description
17841 Fixed an issue where users deleted from the system still displayed as under assignment to a role. These users are now completely removed from the system.
21515 Fixed an issue that forced Mozilla Firefox users to relaunch their browser to log back in to a session that had timed out.
28500 Fixed an issue where custom users who do not have the View Current Status access right could still view the Home page server status.
29146 Fixed a "Failed copying file 'bin\lmctl.exe'" error that sometimes occurred when upgrading HEAT EMSS 8.x Agents.
29911 Fixed an issue where adding a user from another domain to the HEAT EMSS Server resulted in an error when viewing the Users and Roles page.
29975 Fixed a HEAT EMSS Server upgrade error caused by duplicate data.
31061 Fixed an issue where endpoints would display a 404 error when attempting to download upgrade files.
31652 Fixed an issue where the lmrestart.exe and lmhost.exe processes would attempt to terminate McAfee VirusScan and AntiSpyware Enterprise processes. McAfee would then block the lmrestart.exe and lmhost.exe processes, preventing successful installation of HEAT EMSS modules.
32486 Fixed an issue where the HEAT EMSS Server installer did not validate missing prerequisites.
32763 Fixed an issue where Windows 2012 endpoints were placed in the Win8x64 system group instead of the Win2012x64 system group.
33031 Fixed a blue screen issue related to endpoint upgrade.
35159 Fixed an error that occurred while purging large amounts of data.

AntiVirus

ID Description
30823 Fixed an issue where Real-time Monitoring would scan CD/DVD media despite the Scan locally-attached media check box being cleared in the policy.
31603 Fixed an issue where the AV Definition Update filter "Out of date" on Manage > Endpoints > AntiVirus was filtering incorrect endpoints.
31608 Fixed an issue with the AntiVirus Policies page that occurred when more than 100 AntiVirus policies exist.
31612 Fixed an issue where the AntiVirus Policies page load time performance was negatively affected by database calls.
31891 Fixed an issue where only a maximum of 100 entries were shown in the AntiVirus Policy Exclusions List.
31893 Fixed an issue where HEAT EMSS continued to use proxy for AntiVirus replication after it had been removed.
31974 Fixed an issue where AntiVirus would cause excessive Malware Alerts by continuously rescanning files in Quarantine.
32150 Fixed an issue where the use of wildcards in AntiVirus Policy exclusions caused endpoints to hang.
32520 Fixed an issue where Recurring Virus and Malware Scans would restore infected files and re-quarantine them repetitively.
33354 Fixed an issue where slow performance was experienced on endpoints with Real-time Monitoring when new AntiVirus Definitions were downloaded and applied.
33836 Fixed an issue where high CPU usage by LMHost.exe and LM.Detection.exe caused poor system performance and caused DAU to take a long time to complete.
33995 Fixed an issue where a 3rd party software DLL file was being deleted due to a virus detection during a Memory scan.
34242 Fixed an upgrade issue where many files were deleted instead of cleaned or quarantined.
34362 Fixed an issue where tasks scheduled by Windows stopped working on endpoints when agents were upgraded.
35602 Fixed an issue where no alert was generated when a virus was pending delete on reboot after a scan.

Application Control

ID Description
14398 Added support for the %LOCALAPPDATA% environment variable (available from Windows 7) in Trusted Path Policies.
19348 Fixed an Easy Audit Mode issue where the MSIEXEC service would not immediately close after an authorized installation completed.
20041 Fixed an issue where the Windows dialog "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access them" displayed when a user attempted to launch a denied application using "Run as User" or "Run as Administrator".
20666 Fixed an issue where despite System Center Configuration Manager (SCCM) being added as a Trusted Updater it was allowed to install applications on all endpoints, even those not part of the trusted policy and locked down.
28748 Fixed an issue where a file/hash removed from a Trusted Updater Policy that was updated by another Trusted Updater remained in SUTU.dat, causing files that were not members of the Trusted Updater files group to maintain their Trusted Updater functionality.
29459 Fixed an issue where the Blocked Application dialog was distorted on screens set to a different DPI than Normal (100%).
29784 Fixed an issue where specific applications became a Trusted Updater through inheritance when Windows Update was a Trusted Updater.
29999 Fixed a blue screen issue related to virtual machine snapshots.
30262 Fixed an issue where MSI files were getting blocked despite being in a Trusted Path.

31654 Fixed an issue where no more than 50 Users were being displayed on Application Control policy assignment panels.
31705 Fixed an issue where Application Control was blocking its own files while attempting to upgrade.
31929 Fixed an issue where trusted EXE-based installers were not updating the local Whitelist and authorization was not persisted after reboot.
34252 Corrected the list of Firewall Access URLs for replication and Agent communication in the HEAT EMSS Server Install Guide under Network Requirements.

Device Control

ID Description
14998 Fixed an issue where deleting an endpoint would clear its name from the Endpoint column in related events in Device Event Log Queries.
15048 Fixed an issue where high-bit characters were added to a shadow file name containing non-Western characters when saved.
22127 Fixed an issue where the "Unlock Code" dialog displayed when a user tried to generate an unlock code for temporary permissions with multiple invalid parameters.
29264 Fixed an issue where the Online and Offline states were not being properly read when using the "Server connectivity" and "Hide agent control panel" options.
29569 Fixed an issue where a user was given the option to encrypt using non-portable encryption with Microsoft CA access disabled, resulting in no certificate on the device and making it impossible to unlock.
29885 Fixed an issue where users could not recover a password for an encrypted device despite entering the proper Medium ID and Security Code.
30023 Fixed an issue where Network Printers with a Model ID were not getting added to a Device Collection through a WRITE-DENIED event.
30275 Fixed an issue where some Device Control events in Device Event Log Queries were assigned an "All" class.
31485 Fixed an issue where users were experiencing USB key access problems after upgrade.
31626 Fixed an issue with Device Class and Device Collection Policies for Removable Storage Devices where an explicit None permission was overriding a higher priority Read/Write permission.
32113 Fixed the issue where disabling Agent Hardening in an Agent Policy Set did not always cause the agent to disable its hardening.
33352 Fixed an upgrade issue where Device Control did not generate a CCH file, leaving Device Classes open to access.
33839 Fixed the description for the default reboot behaviour option "Notify user, user response required before reboot" in the Core User Guide. It stated the reboot occurs 5 minutes after a user clicks OK, when in fact it occurs immediately.

Patch and Remediation

ID Description
14285 Fixed an issue where the Deployments and Tasks tab for an endpoint would incorrectly show that the endpoint received Not Applicable deployments.
20665 Fixed an issue on the Deployments and Tasks page where new package deployments were shown as completed before the deployments had started.
21290 Fixed an error related to assigning mandatory baseline items to a custom group. The error would occur when setting the Distribution Options to Consecutive Deploy to all endpoints on a first come first serve basis.
21653 Fixed an issue where the Inventory page would not display some Japanese characters correctly.
23505 Fixed an issue where the Software Inventory Detail Report would not display Chinese characters correctly.
28947 Fixed an issue where the Discover Applicable Updates (DAU) task would fail due to duplicate data.
28984 Fixed an issue with the Name or CVE-ID field when searching with wildcards. Search results for ranges and sets using the [^] wildcard now populate correctly.
29131 Fixed an issue that prevented reboot notifications from appearing when multiple users were logged in to a machine.
30221 Fixed an error that occurred during Patch / OS Packs replication. This error occurred because the RSMonitor service could restart during a job. This service can no longer restart during a job.
30331 Fixed an issue where HEAT EMSS did not display the IBM XIV Host Attachment Kit in the software inventory.
30576 Fixed endpoint "error code -30: Invalid CheckSum." The HEAT EMSS Agent was uploading more data than necessary following the DAU task, which could sometimes cause failures.
30746 Fixed an issue where endpoints rebooted without warning. This error occurred when endpoints received a deployment with a Reboot Within setting configured for 999999999 minutes, hours, or days.
31148 Fixed a SQL Server 2014 Express error stating "There is insufficient memory available in the buffer pool." This error caused vulnerability replication to fail at 75% completion.
31511 Fixed an issue that caused the Regenerate OS Pack job to fail due to a pre-existing OSP file.
31831 Fixed an error that would occur when viewing the status of the latest deployment following a virus and malware scan.
32576 Fixed an issue where the DAU task would fail on Linux, Unix, and Mac endpoints due to duplicate data.
35202 Fixed an issue where the Deployment Detail Report did not show accurate Vulnerability Status values for endpoints consistently.
35829 Fixed an issue that caused Agents to go offline after upgrading from 7.3.
36137 Fixed an error that prevented successful Content Replication on HEAT EMSS Servers using SQL Server 2005. Content Replication would fail during date/time conversion.

Power Management

ID Description
34460 Fixed an issue where installing or upgrading Agents resulted in poor performance and caused online Agents to appear offline.

Wake on LAN

ID Description
29453 Fixed an issue where endpoints with multiple IP addresses or long IP or MAC address names (more than 40 characters) would cause errors.

Known Issues

HEAT EMSS 8.3 contains some known issues.

Upgrade

ID Description
36463 After upgrading an Agent from 7.3 to HEAT EMSS 8.3, an empty folder named "Lumension" will remain in the Program Files folder and in the ProgramData folder.

Core

ID Description
35802 The Groups page right-click context menu does not display correctly within Mozilla Firefox 31 in some environments.

Workaround: Use Mozilla Firefox 38 or Microsoft Internet Explorer 9+ instead.

