Readme text for Symantec Security Information Manager 4.5 Service Pack 1

Article ID: 177176

Products

Security Information Manager

Issue/Introduction

You want to apply Symantec Security Information Manager 4.5 Service Pack 1 and would like to review the readme file before you proceed.

Resolution


********************************************************************************
* Symantec Security Information Manager 4.5.1 (Service Pack 1) README.TXT
* February 2007
*
* Copyright (C) 2007 Symantec Corporation. All rights reserved. Symantec and
* the Symantec Logo are trademarks or registered trademarks of Symantec
* Corporation or its affiliates in the U.S. and other countries. Other names
* may be trademarks of their respective owners.
*
* The Licensed Software and Documentation are deemed to be "commercial
* computer software" and "commercial computer software documentation" as
* defined in FAR Sections 12.212 and DFARS Section 227.7202.
********************************************************************************

This README.TXT file includes compatibility information, late-breaking news,
and usage tips for this Symantec Security Information Manager 4.5 Service Pack 1
Update.


NOTE: This Service Pack includes fixes from all previously released Information
Manager 4.5 HotFixes. It can be applied to any system with 4.5 HotFix 1
or 2 already installed, or to a system with the base 4.5 release
(4.5.0.113).

Please install this Service Pack before migrating data from a 4.0.x
installation. The documentation for the Migration Tools
(SSIM_MIGRATION.PDF) can be found in the package containing the tools.


README.TXT sections:
INFORMATION MANAGER 4.5.1 (SERVICE PACK 1) SUMMARY OF FIXES
MINIMUM REQUIREMENTS TO APPLY THE SERVICE PACK
SERVICE PACK PRE-INSTALLATION PROCEDURES
SERVICE PACK INSTALLATION
CONTACTING SUPPORT FOR INSTALLATION PROBLEMS

================================================================================
INFORMATION MANAGER 4.5.1 (SERVICE PACK 1) SUMMARY OF FIXES
================================================================================
This 4.5 Service Pack release addresses issues in the following areas:

NOTIFICATIONS
Include more incident information in the Information Manager MIB for
SNMP support.

NOTE: Please uninstall the old MIBs before installing the new MIBs.
With some SNMP management software, installing the new MIBs over
the older MIBs may result in improperly formatted SNMP messages.

CORRELATION
Best fit from Network Table is now used for rule processing during
correlation.
Rules updated for better support of Snort and Enterasys Dragon data.
Fix to add the port field for Policy Manager Collectors.
Fix to populate TARGET_RESOURCE field from OPTION3 field for some
Windows EventLog events.
Fix to improve correlation performance.
Fix to support very large quantities of hosts data (source/target
host information).
Fix to correct situations (rare) in which incident-modified time can
be earlier than incident-created time.

USER INTERFACE
Rules page
Fix to allow greater-than/less-than operators when creating rules
for Cisco IDS.
Fix to allow import of lookup tables.
Fix to allow proper deployment of a rule when changing the rule,
reversing the changes, making new changes, and then deploying the
rule.
Fix memory leak with Rules Service resulting in sluggish Rules
page.
Events page
Update Firewall queries for better support of SGS data.
Add indexing of EMR values to allow reference in queries.
Fix issue in which non-US users cannot access Query Wizard.
Updated backup/restore queries to capture the proper data.
Event queries now handle special characters, such as backslash (\)
and quotation marks (").
Permit user-defined queries that do not begin with "SELECT...".
Fix to allow saving of filtered System Queries to My Queries.
Fix UI display of archives when the system time is set back.
Fix refresh issue with event archive queries.
Removed option to save as PDF for tabular queries.
Fix to quickly return queries with no data.
Fix to display event details for events forwarded from a 4.0.x
appliance.
Fix to properly export tabular query with "Raw Event" data only to
CSV and PDF formats.
Assets page
Fix to properly update/reference CVEs in Asset auto-population
when the incoming events have only CVE values.
Network change notifications are now properly updating the Network
Table.
Fix to properly update Assets manually in some circumstances (for
example, when the system has 3,000 - 10,000 assets).
Dashboard page
Fix problem loading queries on dashboard in some scenarios.
Display a proper error message when user does not have permission
to view a query on the dashboard.
Incidents page
Fix to display Event Date as string rather than integer for
Invalid Event Date Alert.
Fix DB handle leak in ICE Service that eventually leads to the
inability to see incidents on the Incidents page.
Fix incident modified time to get updated when priority changes.
Improved performance issue with high CPU when viewing incidents.
Fix to allow user-defined filters for incident list based on
rules.
Fix to enable Close and Details buttons on Incidents page when
only one incident is displayed in the view.
System page
Fix to show total Agents, total Enabled Sensors, and Elapsed Time
on Visualizer tab.
When configuring a role, the lower half of the Console Access
Rights window is now disabled if user checks All Console Access
Rights.
Fix to allow special characters in username (for example, "$").
Fix to display warning message for correlation services only when
user applies changes for "Correlation Appliance" setting.
Reports page
Fix occasional error due to timed-out credentials when scheduling
reports.
Tickets page
Fix to allow the removal of ticket categories.
Fix to not remove associated incidents when modifying any field
in a ticket's details.

WEB SERVICES
Fix to return a unique Incident ID when creating a new incident.
Fix to prevent new events from correlating to closed incidents.
Fix Null Pointer Exception when returning an empty search result.
Fix Null Pointer Exception when searching events with an empty query
expression.
Enable subscription to new/updated tickets.

ARCHIVE
Added indexing of CVE and BID lists for support in UI queries.
Updated event summary to correctly handle time changes.
Fix to allow user-defined indexes.
NOTE: After updating the index file, restart the Event Service.
Only new incoming events will use the new indexes.
Improved Help option information (Archive CLI Tool).
Removed the option (-n) to show event summary (Archive CLI Tool).

CONFIGURATION
Fix to allow the user to change the db2admin password through the
Information Manager Web configuration interface.
Fix to stop all services before changing the date/time through the
Information Manager console or Web configuration interface.
Fix to support installation of new GIN licenses.
Install OpenManage utilities for diagnostics and troubleshooting
support.
Fix to rotate ibmhttpd log files to prevent filling up the file
system.
Fix to cleanly uninstall SIP packages.
Fix to prevent installation of multiple SIPs for the same product.
Added note after SIP installation to inform user to restart any
console sessions.
Fix to properly handle proxy settings when applying a GIN license.
Fix to show version history in the Information Manager Web
configuration interface.
Added /opt/Symantec/sesa/eventservice/logs/catalina.out and
/etc/ssim-history logs to ssim_logs.zip when collecting all logs
through the Information Manager Web configuration interface.

I18N/HIGH-ASCII
Fix to support Chinese characters in a PDF report.
Fix to support Chinese characters in report titles.
Fix to support Chinese characters in input entry boxes for Report
Name, Rule Name, etc.
Fix to support adding Chinese characters to the system Hosts file
through the Information Manager Web configuration interface.
Fix to support publishing queries with Chinese characters in the name.
Fix to support Chinese characters embedded in a report.
Fix to support Japanese characters in event details for Windows
EventLog events.
Fix to properly display High-ASCII characters in header/footer and
title of exported Tickets view.

SECURITY
Fix to encrypt user passwords in LDAP.
Fix multiple vulnerabilities in OS Kernel. Kernel has been updated
to 2.6.9-42.0.8.ELsym.
Fix multiple RedHat vulnerabilities in openssh, xorg-x11, tar, gnupg,
and nss_ldap.
Removed cleartext private keystore password in installation logs.
Disabled SNMP access on DRAC card to prevent unauthorized users from
modifying SNMP data.
Fix to not display All Scheduled Reports list from the Information
Manager Web configuration interface without user authentication.
Individual scheduled reports can be viewed without authentication.

NORM FILES
Fix to allow Information Manager to accept the Source and Destination
information that collectors send for host names and IP addresses.
Fix to prevent Information Manager from overwriting both the Source
Host Name and Destination Host Name with the Source IP Address and
Destination IP Address when either host name is missing. Now the IP
address will be substituted only for the missing host name, if any.

================================================================================
MINIMUM REQUIREMENTS TO APPLY THE SERVICE PACK
================================================================================
Apply this Service Pack only to Information Manager appliances running the
4.5.0.113 version of the software, as shipped from Symantec. This Service Pack
can be applied over Information Manager 4.5 HotFix 1 and 2, or applied without
the HotFixes installed. Do not apply this Service Pack to systems running
Symantec Incident Manager 3.x or Information Manager appliances running an older
version of Information Manager 4.x software.

================================================================================
SERVICE PACK PRE-INSTALLATION PROCEDURE
================================================================================
Before you install the Service Pack, you should do the following:

* Save all work and close any Information Manager console sessions. Note that
the installer automatically reboots the appliance as part of the installation
process.

================================================================================
SERVICE PACK INSTALLATION
================================================================================
After you have followed the pre-installation procedure, to install the Service
Pack, do the following steps:

1. Connect to the appliance using an account with administrative privileges,
either by using an SSH client or by logging in locally.

2. Download the 4.5.1.15.sh and .md5 files to a temporary location on
the appliance, such as /tmp.

NOTE: You must use BINARY mode when transferring the files to the appliance.
Some FTP utilities use ASCII mode by default, which will corrupt the
installation file.

3. Verify the integrity of the downloaded .sh file by using a file verification
tool such as md5sum, which is included with the Linux installation. If you
are using md5sum, execute the following command:

md5sum -c 4.5.1.15.md5

NOTE: Both the .sh and .md5 files must be present in the same directory for
md5sum to execute correctly.

For more information on md5sum, see the Linux man pages.

4. Execute the following command as root from the location where you downloaded
the files:

sh 4.5.1.15.sh

5. When prompted, enter the administrative directory password.

6. When prompted, select whether to migrate HOST data.

NOTE: If HOST data is migrated, the migration process can take a long time
depending on how much data exists on the system. If HOST data is not
migrated during installation, existing Target and Source view data will be
lost until new data is populated in the system from incoming events.

The installation proceeds, with no additional user actions. Information Manager
automatically restarts the appliance when the installation is complete.
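The download, verify, and run sequence above, as an added example that is not part of Symantec's README: a POSIX shell wrapper that refuses to execute the Service Pack installer unless the .sh and .md5 files sit in the same directory and `md5sum -c` passes, so a download corrupted by an ASCII-mode transfer is never run. The `make_fixture` helper builds a constructed stand-in package for self-testing; the real 4.5.1.15.sh is only available from Symantec.

```shell
#!/bin/sh
# Added example, not part of the Symantec README: gate the Service Pack
# installer on the integrity check from step 3 before running step 4.

# verify_installer DIR PKG
# Succeeds (returns 0) only when DIR/PKG.sh and DIR/PKG.md5 both exist and
# "md5sum -c PKG.md5" passes. Returns 2 if a file is missing, 1 on mismatch.
verify_installer() {
    dir="$1"
    pkg="$2"
    [ -f "$dir/$pkg.sh" ]  || { echo "missing $pkg.sh in $dir" >&2; return 2; }
    [ -f "$dir/$pkg.md5" ] || { echo "missing $pkg.md5 in $dir" >&2; return 2; }
    # md5sum -c resolves the file name listed inside the .md5 relative to the
    # current directory, which is why both files must be in the same place.
    if ! ( cd "$dir" && md5sum -c "$pkg.md5" ); then
        echo "checksum mismatch: $pkg.sh is corrupt or incomplete" >&2
        return 1
    fi
    return 0
}

# install_service_pack DIR PKG
# Runs "sh PKG.sh" from DIR only after verify_installer succeeds; otherwise
# propagates the verification status so a bad download is never executed.
install_service_pack() {
    verify_installer "$1" "$2" || return $?
    ( cd "$1" && sh "./$2.sh" )
}

# make_fixture PKG
# Builds a constructed stand-in package (a two-line script plus its .md5)
# in a fresh temp dir and prints that dir. Test scaffolding only.
make_fixture() {
    d=$(mktemp -d)
    printf '#!/bin/sh\necho "constructed fake installer ran"\n' > "$d/$1.sh"
    ( cd "$d" && md5sum "$1.sh" > "$1.md5" )
    echo "$d"
}
```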

================================================================================
CONTACTING SUPPORT FOR INSTALLATION PROBLEMS
================================================================================
If there is a problem updating the system, please contact Technical Support with
the following information:

- Detailed steps that were performed and any third-party tools that were
used (for example, Putty or WinSCP).
- The Information Manager version that you are updating, including any
HotFixes that you have already applied.
- Any error messages displayed on the screen.
- All log files captured through the Information Manager Web configuration
interface, if possible.

================================================================================
End of File
================================================================================