Release Notes for McAfee(R) ePolicy Orchestrator(R) Version 3.0.2a Patch 4 Copyright (C) 2004 Networks Associates Technology, Inc. All Rights Reserved ========================================================== This release was developed and tested with: - ePolicy Orchestrator:3.0.2a Make sure you have installed these versions before using this release. ========================================================== Thank you for using ePolicy Orchestrator(R) software. This file contains important information regarding this release. We strongly recommend that you read the entire document. The attached files are provided as is, and with no warranty either expressed or implied as to their suitability for any particular use or purpose. Network Associates, Inc. assumes no liability for damages incurred either directly or indirectly as a result of the use of these files, including but not limited to the loss or damage of data or systems, loss of business or revenue, or incidental damages arising from their use. Patch files should be applied only on the advice of McAfee Security Technical Support, and only when you are actually experiencing the issue being addressed by the Patch. Patch files should not be proactively applied in order to prevent potential product issues. You are responsible for reading and following all instructions for preparation, configuration, and installation of Patch files. Patch files are not a substitute or replacement for product Service Packs which may be released by Network Associates, Inc. It is a violation of your software license agreement to distribute or share these files with any other person or entity without written permission from Network Associates, Inc. Further, posting of McAfee Security Patch files to publicly available Internet sites is prohibited. Network Associates, Inc. reserves the right to refuse distribution of Patch files to any company or person guilty of unlawful distribution of McAfee software products. Questions or issues with McAfee Patch files should be directed to McAfee Security Technical Support. __________________________________________________________ WHAT'S IN THIS FILE - About This Release - Purpose - Resolved Issues - Installation - Installation Requirements - Installation Steps - Removing This Release - Contacting McAfee Security and Network Associates - Copyright & Trademark Attributions - Trademarks - License Agreement and Attributions __________________________________________________________ ABOUT THIS RELEASE PURPOSE This Patch replaces server files in ePolicy Orchestrator to resolve the issues listed below. RESOLVED ISSUES 1. ISSUE: This release addresses the McAfee ePolicy Orchestrator Remote Command Execution Vulnerability; vulnerability identifier: CVE-2004-0038. RESOLUTION: This vulnerability no longer exists. 2. ISSUE: When the ePolicy Orchestrator server is busy, the remote console login process may be slow. RESOLUTION: The console login and package check-in have been changed so that they now process synchronously. 3. ISSUE: In certain low bandwidth environments, the ePolicy Orchestrator server did not process socket I/O optimally, causing the HTTP connections to reach the limit specified in the server settings and start rejecting any additional connections. RESOLUTION: The ePolicy Orchestrator server now handles all the socket I/O in blocking mode. Now when agent connections come to the server, the worker thread picks up the connection and waits on read or write operations for 15 seconds. If data doesn't come in during that period, the server puts the socket back in the work queue and the worker thread processes the next request. ADDITIONAL INFORMATION: There are now four new performance counters for tracking socket read and write time-outs. The following new performance counters have been added: - Number of socket read watches - Number of socket read time-outs - Number of sockets write watches - Number of sockets write time-outs 4. ISSUE: The time-out connection logic sometimes caused the HTTP connections to build up over extended periods of time. RESOLUTION: Now, if a value is defined for "ConnectionTimeout=" in SERVER.INI, the time-out for inactive sockets uses this figure. Otherwise, 15 minutes is the time-out value. ADDITIONAL INFORMATION: To specify a connection time-out in SERVER.INI, do the following: 1. In a text editor, open SERVER.INI. This file is located in the DB folder in the installation directory. The default installation directory is: C:\PROGRAM FILES\NETWORK ASSOCIATES\EPO\3.0.1 2. Type the following line in SERVER.INI, then save the file: ConnectionTimeout=NNN Where NNN equals the number of seconds. For example, ConnectionTimeout=900 3. In the "Service" dialog box, select the "McAfee ePolicy Orchestrator 3.0.1 Server" service, click "Stop," then click "Start" to restart the service. 5. ISSUE: Replication tasks using FTP would result in partial or incomplete replications. RESOLUTION: Changes to the FTP communication sub-systems make them more reliable and fault tolerant in a variety of environments. 6. ISSUE: A limitation on the number of sites within the directory tree caused the console to close when someone clicked "Create user" or "Modify user." RESOLUTION: There is no longer a limit on the number of sites in the directory tree. 7. ISSUE: A duplicate path delimiter was being added during the generation of all agent file paths, which caused an entry in the sitemgr.log such as "Failed to verify file size for agent.ini". RESOLUTION: The agent file paths are generated correctly. __________________________________________________________ INSTALLATION INSTALLATION REQUIREMENTS To use this release, you must have ePolicy Orchestrator 3.0 and Service Pack 2a software installed on the computer you intend to update with this release. NOTE: This release does not work with earlier versions of ePolicy Orchestrator software. INSTALLATION STEPS 1. Create a temporary folder on the hard drive of the ePolicy Orchestrator server. 2. Extract the EPO3023.ZIP file to the temporary folder that you created in Step 1. WARNING Close the Windows Services dialog box to avoid installation issues. 3. Back up ePolicy Orchestrator databases. If you are using Microsoft SQL Server as the ePolicy Orchestrator database, see the SQL Server product documentation. If you are using Microsoft Data Engine (MSDE) as the ePolicy Orchestrator database, you can use the Database Backup Utility (DBBAK.EXE) to back up ePolicy Orchestrator MSDE databases on the database server. For instructions, see "Backing up ePolicy Orchestrator MSDE databases" in the ePolicy Orchestrator 3.0 Product Guide. 4. Log on to the desired computer using a user account with local administrator permissions. 5. Close all ePolicy Orchestrator consoles. 6. On the taskbar, click the "Start" button, then point to "Run." The "Run" dialog box appears. 7. In "Open," type the path where the Setup program (SETUP.EXE) is located, then click "OK." The "ePolicy Orchestrator 3.0.2 Patch 3 Setup" wizard appears. 8. Click "Next" to begin the installation. 9. Click "Finish" to complete the installation. 10. In the "Services" dialog box, select the "McAfee ePolicy Orchestrator 3.0.2 Server" service and edit the service to change the account back to the original setting. For example, if you specified a domain administrator account during the initial installation, you need to provide that account information again. The account is not automatically restored. 11. For all remote consoles, perform Steps 4 – 9. REMOVING THIS RELEASE To remove this Patch from your computer, uninstall, then reinstall ePolicy Orchestrator. NOTE: We recommend that you do NOT remove the Patch files once you install them. If you reinstall the ePolicy Orchestrator software, we recommend that you also reinstall the Patch. __________________________________________________________ PARTICIPATING IN THE MCAFEE SECURITY BETA PROGRAM To download new beta software or to read about the latest beta information, visit the beta web site: http://www.networkassociates.com/us/downloads/beta/ To submit your feedback on any McAfee Security beta product, send e-mail to: avbeta@nai.com McAfee Security is devoted to providing solutions based on your input. __________________________________________________________ CONTACTING MCAFEE SECURITY & NETWORK ASSOCIATES Technical Support Home Page http://www.networkassociates.com/us/support/ KnowledgeBase Search https://knowledgemap.nai.com/phpclient/homepage.aspx PrimeSupport Service Portal http://mysupport.nai.com Login credentials required. McAfee Security Beta Program Beta Web Site http://www.networkassociates.com/us/downloads/beta/ E-mail avbeta@nai.com Security Headquarters -- AVERT (Anti-Virus Emergency Response Team) Home Page http://www.networkassociates.com/us/security/home.asp Virus Information Library http://vil.nai.com Submit a Virus Sample – AVERT WebImmune https://www.webimmune.net/default.asp AVERT DAT Notification Service http://vil.nai.com/vil/join-DAT-list.asp Download Site Home Page http://www.networkassociates.com/us/downloads/ DAT File and Engine Updates http://www.networkassociates.com/us/downloads/updates/ ftp://ftp.nai.com/pub/antivirus/datfiles/4.x Product Upgrades https://secure.nai.com/us/forms/downloads/upgrades/login.asp Valid grant number required. Contact Network Associates Customer Service Training McAfee Security University http://www.networkassociates.com/us/services/education/mcafee/university.htm Network Associates Customer Service US, Canada, and Latin America toll-free: Phone: +1-888-VIRUS NO or +1-888-847-8766 Monday - Friday, 8 a.m. - 8 p.m., Central Time E-mail: services_corporate_division@nai.com Web: http://www.nai.com/us/index.asp http://www.networkassociates.com/us/index.asp For additional information on contacting Network Associates and McAfee Security – including toll-free numbers for other geographic areas - see the CONTACT file that accompanied your original product release. __________________________________________________________ COPYRIGHT & TRADEMARK ATTRIBUTIONS Copyright (C) 2004 Networks Associates Technology, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of Networks Associates Technology, Inc., or its suppliers or affiliate companies. To obtain this permission, write to the attention of the Network Associates legal department at: 5000 Headquarters Drive, Plano, Texas 75024, or call +1-972- 963-8000. TRADEMARK ATTRIBUTIONS Active Firewall, Active Security, ActiveSecurity (in Katakana), ActiveHelp, ActiveShield, AntiVirus Anyware and design, Bomb Shelter, Certified Network Expert, Clean-Up, CleanUp Wizard, ClickNet, CNX, CNX Certification Certified Network Expert and design, Covert, Design (Stylized E), Design (Stylized N), Disk Minder, Distributed Sniffer System, Distributed Sniffer System (in Katakana), Dr Solomon’s, Dr Solomon’s label, Entercept, Enterprise SecureCast, Enterprise SecureCast (in Katakana), ePolicy Orchestrator, EZ SetUp, First Aid, ForceField, GMT, GroupShield, GroupShield (in Katakana), Guard Dog, HomeGuard, Hunter, IntruShield, Intrusion Prevention Through Innovation, IntruVert Networks, LANGuru, LANGuru (in Katakana), M and Design, McAfee, McAfee (in Katakana), McAfee and design, McAfee.com, McAfee VirusScan, NA Network Associates, Net Tools, Net Tools (in Katakana), NetCrypto, NetOctopus, NetScan, NetShield, NetStalker, Network Associates, Network Associates Coliseum, NetXray, NotesGuard, Nuts & Bolts, Oil Change, PC Medic, PCNotary, PrimeSupport, Recoverkey, Recoverkey - International, Registry Wizard, RingFence, Router PM, SecureCast, SecureSelect, Sniffer, Sniffer (in Hangul), SpamKiller, Stalker, TIS, TMEG, Total Network Security, Total Network Visibility, Total Network Visibility (in Katakana), Total Virus Defense, Trusted Mail, UnInstaller, Virex, Virus Forum, ViruScan, VirusScan, WebScan, WebShield, WebShield (in Katakana), WebSniffer, WebStalker, WebWall, What’s The State Of Your IDS?, Who’s Watching Your Network, WinGauge, Your E-Business Defender, Zip Manager are registered trademarks or trademarks of Network Associates, Inc. and/or its affiliates in the US and/or other countries. Sniffer(R) brand products are made only by Network Associates, Inc. All other registered and unregistered trademarks herein are the sole property of their respective owners. LICENSE INFORMATION License Agreement NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANIES YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEB SITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO NETWORK ASSOCIATES OR THE PLACE OF PURCHASE FOR A FULL REFUND. Attributions This product includes or may include: * Software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). * Cryptographic software written by Eric A. Young and software written by Tim J. Hudson. * Some software programs that are licensed (or sublicensed) to the user under the GNU General Public License (GPL) or other similar Free Software licenses which, among other rights, permit the user to copy, modify and redistribute certain programs, or portions thereof, and have access to the source code. The GPL requires that for any software covered under the GPL which is distributed to someone in an executable binary format, that the source code also be made available to those users. For any such software covered under the GPL, the source code is made available on this CD. If any Free Software licenses require that Network Associates provide rights to use, copy or modify a software program that are broader than the rights granted in this agreement, then such rights shall take precedence over the rights and restrictions herein. * Software originally written by Henry Spencer, Copyright 1992, 1993, 1994, 1997 Henry Spencer. * Software originally written by Robert Nordier, Copyright (C) 1996-7 Robert Nordier. * Software written by Douglas W. Sauder. * Software developed by the Apache Software Foundation (http://www.apache.org/). A copy of the license agreement for this software can be found at www.apache.org/licenses/LICENSE-2.0.txt. * International Components for Unicode ("ICU") Copyright (C) 1995-2002 International Business Machines Corporation and others. * Software developed by CrystalClear Software, Inc., Copyright (C) 2000 CrystalClear Software, Inc. * FEAD(R) Optimizer(R) technology, Copyright Netopsystems AG, Berlin, Germany. * Outside In(R) Viewer Technology (C) 1992-2001 Stellent Chicago, Inc. and/or Outside In(R) HTML Export, (C) 2001 Stellent Chicago, Inc. * Software copyrighted by Thai Open Source Software Center Ltd. and Clark Cooper, (C) 1998, 1999, 2000. * Software copyrighted by Expat maintainers. * Software copyrighted by The Regents of the University of California, (C) 1989. * Software copyrighted by Gunnar Ritter. * Software copyrighted by Sun Microsystems(R), Inc. (C) 2003. * Software copyrighted by Gisle Aas. (C) 1995-2003. * Software copyrighted by Michael A. Chase, (C) 1999-2000. * Software copyrighted by Neil Winton, (C) 1995-1996. * Software copyrighted by RSA Data Security, Inc., (C) 1990-1992. * Software copyrighted by Sean M. Burke, (C) 1999, 2000. * Software copyrighted by Martijn Koster, (C) 1995. * Software copyrighted by Brad Appleton, (C) 1996-1999. * Software copyrighted by Michael G. Schwern, (C) 2001. * Software copyrighted by Graham Barr, (C) 1998. * Software copyrighted by Larry Wall and Clark Cooper, (C) 1998-2000. * Software copyrighted by Frodo Looijaard, (C) 1997. * Software copyrighted by the Python Software Foundation, Copyright (C) 2001, 2002, 2003. A copy of the license agreement for this software can be found at www.python.org. * Software copyrighted by Beman Dawes, (C) 1994-1999, 2002. * Software written by Andrew Lumsdaine, Lie-Quan Lee, Jeremy G. Siek (C) 1997-2000 University of Notre Dame. * Software copyrighted by Simone Bordet & Marco Cravero, (C) 2002. * Software copyrighted by Stephen Purcell, (C) 2001. * Software developed by the Indiana University Extreme! Lab (http://www.extreme.indiana.edu/). * Software copyrighted by International Business Machines Corporation and others, (C) 1995-2003. * Software developed by the University of California, Berkeley and its contributors. * Software developed by Ralf S. Engelschall for use in the mod_ssl project (http://www.modssl.org/). * Software copyrighted by Kevlin Henney, (C) 2000-2002. * Software copyrighted by Peter Dimov and Multi Media Ltd. (C) 2001, 2002. * Software copyrighted by David Abrahams, (C) 2001, 2002. See http://www.boost.org/libs/bind/ bind.html for documentation. * Software copyrighted by Steve Cleary, Beman Dawes, Howard Hinnant & John Maddock, (C) 2000. * Software copyrighted by Boost.org, (C) 1999-2002. * Software copyrighted by Nicolai M. Josuttis, (C) 1999. * Software copyrighted by Jeremy Siek, (C) 1999-2001. * Software copyrighted by Daryle Walker, (C) 2001. * Software copyrighted by Chuck Allison and Jeremy Siek, (C) 2001, 2002. * Software copyrighted by Samuel Krempp, (C) 2001. See http://www.boost.org for updates, documentation, and revision history. * Software copyrighted by Doug Gregor (gregod@cs.rpi.edu), (C) 2001, 2002. * Software copyrighted by Cadenza New Zealand Ltd., (C) 2000. * Software copyrighted by Jens Maurer, (C) 2000, 2001. * Software copyrighted by Jaakko Järvi (jaakko.jarvi@cs.utu.fi), (C) 1999, 2000. * Software copyrighted by Ronald Garcia, (C) 2002. * Software copyrighted by David Abrahams, Jeremy Siek, and Daryle Walker, (C) 1999-2001. * Software copyrighted by Stephen Cleary (shammah@voyager.net), (C) 2000. * Software copyrighted by Housemarque Oy , (C) 2001. * Software copyrighted by Paul Moore, (C) 1999. * Software copyrighted by Dr. John Maddock, (C) 1998-2002. * Software copyrighted by Greg Colvin and Beman Dawes, (C) 1998, 1999. * Software copyrighted by Peter Dimov, (C) 2001, 2002. * Software copyrighted by Jeremy Siek and John R. Bandela, (C) 2001. * Software copyrighted by Joerg Walter and Mathias Koch, (C) 2000-2002. V2.3.2