Symantec has discovered two related defects in the SCSP agent software for UNIX and Linux systems:

• High memory usage by IDS file watch due to unnecessarily monitoring files not matching a policy.
• Possible missing IDS file watch events (false negative)

 
Affected Operating systems: All UNIX and Linux
Affected Symantec Critical System Protection versions: All 5.2.x (5.2 RUx). This issue is fixed in 5.2 RU9 MP1.

Conditions for high memory usage to occur (All conditions below must exist)

• A File Watch rule containing a wildcard in select string for file name such as “/var/www/*.html” where the wildcard and a portion of file name are both present in the file watch select string. 
  NOTE: use of wildcard for the entire file name such as “/var/www/*”  would not cause high memory usage.
• New files are frequently added to a monitored folder (e.g., “/var/www/” in the above example) after the IDS File Watch policy is applied.  

Conditions for missing IDS file watch events: (All conditions below must exist)

• File Watch rule containing wildcard in select string in file name such as “/var/www/*.html” where the wildcard and portion of file name both are present in the file watch select string.   
• File Watch rule has search depth (number of subdirectory levels to monitor) greater than 1.
• More than one subdirectory in any directory below the directory being monitored, up to the search depth set.
  For example, for select string “/var/www/*.html”, presences of subdirectories “/var/www/sales” and “/var/www/marketing”.  If the search depth was set to 2, then if either sales/ or marketing/ had more than a single subdirectory, they would also be susceptible to the error.
   

In the immediate term, if you are impacted, Symantec recommends that you evaluate your File Watch policies to see if it is possible to modify them according to the following information.

To address the issue where excess files are monitored:

• If the directory contains different types of files such as *.log, *.html, *.jpg, etc. and you want to monitor only *.html, list all files interested without using wildcard in the policy.
• If the directory contains only one type of files *.html than use just * in the select string of the policy.

To address the issue where some files are not being monitored:

• Keep FileWatch search depth set to a value of 1 and specify a file pattern (or Select String) for each single directory you want to monitor in any given directory hierarchy.

NOTE: The fix for both issues is included in the 5.2 RU9 MP1 release.  If a full upgrade is not possible, the SCSP 5.2.8 MP4 HF1 hotfix can be found here:
http://www.symantec.com/docs/TECH198658
 

Applies To

Who Is Not Impacted

• Anyone using a simple wildcard for the entire file name such as “/var/log/*” would not be impacted by either issue.
• Anyone using the out-of-the-box Unix Baseline Detection policy (unmodified) would not be impacted by either issue.

Who is Impacted     

• If your IDS file watch rules contain select string with compound wildcard and filename patterns, for example “/var/log/*.log”, “/var/www/*.html” or similar. 
• Also if your FileWatch search depth is greater than 1, you should carefully read the section below called, "Detailed Description of Conditions for Occurrence".