HFA5

IMPORTANT
Check Point recommends that customers stay up-to-date with the latest service packs, HFAs, and versions of security products, as they contain security enhancements and protections against new and changing attacks.

Table of Contents
Integrity 6.0 HFA5 Notes
    Integrity Client Issues Fixed:
Integrity 6.5 HFA4 (February HFA) Notes
    Integrity Client Issues Fixed:
Integrity 6.5 HFA3 (December HFA) Notes
    Integrity Client Issues Fixed:
Integrity 6.5 HFA2 (October HFA) Notes
    Integrity Client Issues Fixed:
Integrity 6.5 HFA1 Notes
    Integrity Client Issues Fixed:

2007 Check Point Software Technologies Ltd. All rights reserved.

Integrity 6.0 HFA5 Notes

In addition to the fixes below, we have released a troubleshooting utility, requested by many customers, that generates an uninstall password that works once for an end-user. For more details, see Uninstall Password Hash Utility in the Downloads site at http://www.checkpoint.com/downloads/index.html

Integrity Client Issues Fixed:
Added: Forced Reboot Dialog feature
Added: Support for password hash utility
Don't automatically connect to cm2.zonelabs.com
High CPU and OS hang with IA and SMS 2003
Vsmon crash during the silent uninstallation
Support for detecting Trend PC-Cillin 2006
Unnecessary desktop flashing on policy import
Programs are not terminating when "Enforce by checksum" is checked
Add HU100 key to uninstall password screen
Memory leak
ArchiveLogFile: zipopen error creating zip C:\WINNT\Internet Logs\tvDebug.
In the past, when a non-administrator user logged into a machine after client installation, the client was not correctly licensed. Now, after rebooting the client machine, both admin and nonadmin users are fully licensed
Various other ADA fixes
Problem on Oracle during installation
Policy is now added to cache upon being deployed
"24 hours" item in client events
Fix for Apache caching issue in non-english locales
client_events table was not being purged
Connection Leak on returnconnection
Connection leak fix on DB2
Gateway Clustering fix
iextranet.exe has IAS ip address default

Integrity 6.0 HFA4 (February HFA) Notes

Integrity Client Issues Fixed:
Client not authenticating with ldap parameters
Policy export does not work with Japanese Client
No proxy login, but cached Enterprise policy became active
Error: Bad result from MSIUninstallService call. TrueVector Shutdown did not happen.
IFlex 6.0.197.000 cannot get AV provider info for McAfee VirusScan 2006
AV fails to get turned with AV global settings present in a disconnected policy of a client package
Bluescreen during installation 6.0.182 Integrity client
User is prompted twice for Integrity Server address when using Nortel
Personal Policy is active with Disconnected Policy which has setting "Enforce enterprise policies only"
UTF16 Characters in Program Description causing problems in IS
Paginate Program Manager to improve performance
No result returns if only one record in the program list (exit in K2E and Bentley NGX)

Integrity 6.0 HFA3 (December HFA) Notes

Integrity Client Issues Fixed:
Control-S shuts down the UI of Integrity Agent (not flex or desktop).
Control-L shuts down the UI of Integrity Agent (not flex or desktop).
IExtranet.exe is unable to identify the connection profile used on newer version of the Contivity client.
Local login not sending up LDAP username in the correct format.
Integrity Client attempts to contact Program Advisor servers too frequently when a connection is not available.
SR_SERVICE crash occurs sporadically when using the SecureClient with Integrity Flex.
Japanese shows garbled text in license section and extra characters on the title bar.
APItest not blocking heartbeats as expected.
Integrity Client not installing correctly when Google Desktop is present on the endpoint.
Local attackers can escalate permissions to SYSTEM level (response to http://www.idefense.com/application/poi/display?type=vulnerabilities)
Policy export does not work with Japanese Client.
Nortel clients are always returned status success by checkstatus call.
When Using Remote Desktop, Client does not display program alerts.
Problems with vsmon cause IAMDB.RDB corruption.
In specific cases, Integrity Client failed to upgrade from 5.0.556.146.
Abandoned transaction error during policy processing.
LDAP proxy login requires full DN.
Reference client works but attributes are not appearing properly in the Configuration section.
Novell LDAP User Id incorrectly parsed, resulting in incorrect policy deployment.
Garbled characters in the Japanese readme as a result of a build issue.

Integrity 6.0 HFA2 (October HFA) Notes

Integrity Client Issues Fixed:
Long Custom messages are poorly handled by the client.
Client is not authenticating properly with Novell LDAP parameters.
FTP fails in specific instances with Flex/Agent unless any/any on any port is allowed.
The link text in the French client overlaps with the Custom message.
Program Alerts have incomplete text.
Integrity Flex cannot handle large custom text messages that are supported by Integrity server.
Integrity Client not processing PAC files for proxy servers correctly.
Multiple policies active when switching connection modes when disconnected policies are assigned for VPN and LAN.
When upgrading from 3.5 to 6.x Client, program settings that were set to an "ASK" status were set to "BLOCK" status.
Integrity Flex 6.0.162 could not recognize Symantec DAT version for newest AV client.
If a Gateway is assigned a policy package, the always triggered policy never becomes active.
Raw.msi installer unable to perform silent install standalone or with GPO.
Integrity Client.msi build will not install using Radia on machines when user is logged in with User rights.
BSOD occurs occasionally with Integrity Agent 6.0.612
Japanese Integrity Client shows garbled text in license section and extra characters on title bar.
BSOD with the program Content Manager.
AV compliance rule set to observe in a disconnected policy still produces an enforcement pop-up.
Policy export does not work with Japanese Client.
Novell sso dll is sending the port number in the cuid even if port is the Default Port [389].
Program Advisor not providing security recommendations on programs.

Integrity 6.5 HFA1 Notes

The following reported issues were fixed in the Integrity 6.5 HFA1.

Integrity Client Issues Fixed:
Installation of default Flex package fails with "Integrity Client Installer failed to properly install the application. (Error: 0)"
Matching algorithm for proxy exception list incorrect and Integrity client gets incorrect policy when connecting thru Proxy Server
Avtest.exe should be built with every client build and made available for QA testing
Long filenames crash VSMON
K2E_HFA02: The library name under Start->programs is "Check point" instead of "Check Point" + "Product name"
Integrity Client fails to detect Trend OfficeScan 6.5 as running in enforcement scenarios.
Integrity Client fails to sync with proper fault codes when sync fails for Active Directory based LDAP catalog.
Vsmon crash seen in rare cases after initial reboot after automatic upgrade from HFA01.
WebSense redirection pages fails when Integrity is loaded.
Vsmon crash in rare cases while programs were accessing the network.
Integrity Flex installation on a Win98SE machine running Trend Micro Internet Security 2004 fails.
Client needs to send AV provider information in synchronize call.
IClient fails to detect Office Scan 7.0 as Running when it's running.
Secure Client crashes while performing an auto update using gateway connection to the server.
DISPATCH_LEVEL problems cause vsmon crash.
Grouped Rule of two or more Prohibit Rules shows incompliance alert, even when the client is compliant with this grouped rule.
New client packages needs to include SecureClient.
In rare cases VSMON crashes after restarting Integrity Flex.
DNS server name not being resolved making connectivity to the Integrity Server impossible.
CA etrust AV compliance cannot be detected.
The client running CA AV InoculateIT is out of compliance regardless of AV dat settings in the policy.
The library "Zone Labs" (under Start -> Programs) is not removed post upgrade of ZAPro (5.5) to Integrity Flex Client.
Vsmon crash of Integrity Flex after repeated policy imports.
Incorrect compliance information reported by the client in the absence of a policy.
Multiple Integrity Server connections result in multiple policies being active, causing a TrueVector crash.
Wireless card crashes after several rapid connections and disconnections.
If user shuts down Integrity Client while connected to Wireless Device using EAP, svchost crashes.
BAD POOL CALLER created by long command lines, such as those run automatically by cygwin bash users.
Sophos 5.0 not detected properly by enforcement rules.
Client crash due to ACCESS_VIOLATION_vsutil!GetIpAdapterInfo.
svchost crashed after Client becomes restricted.
Svchost crashed when Integrity Client applies restricted rules.
Wizard and Tutorial need to be removed from Integrity Desktop.
HTTP Proxy setting prevents Heartbeat from working.
Vsmon shutdown after deploying extremely large policy to the Client.
Replay alerts won't display incompliance alert and Review Compliance alerts won't show up either.
Apache proxycache grows without limits unless Apache is configured properly.
Database error when filling Admin "Real Name" field full of ASCII characters
Integrity Client Installer failed to properly install the application. (Error 126)
Catalogs should hide their groups and sub-groups by default to improve initial loading times
Improper IP validation on event notifications page.
PA exceptions seen in Server log.
Package name field should not allow text input of more than 50 characters.
Need jdbc driver download help text for linux installer.
Unnecessary admin timeouts on /DEFAULT_SCHEMA/MS_ALERTS when using JDatastore DB.
IP catalog does not show the policy assigned to the catalog; it shows the policy assigned to the parent.
Help for Server Upgrade Pages links to wrong file.
Advanced firewall rules IP destination names lost without explicit save.
Enforcement Rule custom text area allows unlimited text entry.
Custom Message text in policy studio is not limited to proper character count.
Need to clarify jdbc install info in manual and help screens.
Change text at top of 'edit client package' screen.
Javascript error in program reports on programs containing quotation marks.
Client package language selection info not present in Server install summary info panel.
Cluster nodes do not recover properly from channel communication error
Installer does not check for existence of K install/config files prior to doing an upgrade.
Sorting some NT Domain catalogs into one group results in no users imported.
Cannot import Organization that contains no groups.
Cannot import if any policy package assigned to top level Entity.
Login URL for join cluster install should not contain the default login and password.
Domain Options panel should not be presented if admin chooses to migrate data from 5.x server.
Database type should not be an option when migrating from 5.x server.
Unexpected JDataStore Main Database growth.
Client packager policy drop-down list truncates policy names to less than 56 characters (80 is maximum name length).
Out of Memory error during concurrent client package deployments.
Empty policies cannot be imported.
Able to synchronize overlapping catalogs.
Max DB connections reached during 100,000 user performance tests in specific cases.
Policy assigned to IP group that is part of another group takes effect only after restarting the client in specific configurations.
Unified packager unable to install SecureClient.msi package.
Gateway state machine does not recover from restriction properly.
IP groups with the same host can be created successfully.
The Host field in New Group accepts data in the wrong format.
Errors are generated when spaces are used in Custom Group names.
AV Reference Client DAT Timestamp incorrectly displayed.
Package cache flushing does not work in integrity, apache.
Exceptions seen in communication with the Gateway on a Clustered server.
Policy Assignment page becomes inaccessible after a few uses; Entity Manager does not return to appropriate page at times.
Email and Password field lengths should be limited to 50 characters when creating/modifying administrators.
User passwords are written in clear text when user specifies LDAP credentials via Proxy Login.
Radius Proxy Login not working correctly; no Default Policy activated, and username/password only prompted once.
"Unterminated string constant" error seen when viewing the Program Details report in certain instances.
UpgraderForm throwing serialization exceptions.
Doing an Entity search in an Integrity cluster results in java.io.notserializableexception error in some cases.
Entity Manager truncates 80-character policy name.
Unterminated String Constant error when viewing Client Events report in some cases.
Catalog Event notification absent on synchronization status (success/fail/sync time changed...).
Integrity Server version on 'About' page differs from version in tech support / system properties page.
Logging needs to move from system into integrity.log.
Preceding spaces in Address Range in IP catalog are not truncated after saving.
Creating IP catalog using Subnet Mask causes an error "An error occurred while checking ip group {0}."
Integrity Server on Linux failed to create SIC with InterSpect.
Assigned Policy column is empty when viewing custom groups.
Processing slowdown with 50,000 client connections when sending log data to SmartCenter.
Terminate program settings not always working correctly with Reference Sources.
After disabling wireless card client continues sync attempts to IAS
IServer loses gateway sessions if gateway reboots (IServer/InterSpect goes down and then up again).
Integrity server is not processing RADIUS packets from Safe@Office properly.
InterSpect not establishing connection properly after shutdown.
Constant logged in and logged out messages on Integrity Agent and wireless connection enabled/disabled.
Info of AV Provider is not displayed after server upgrade.