Problem Scenario:
- A policy has been set to override for 30 minutes on a Linux server
- The Linux computer is shut down and is in an off state for an hour
- The computer is started up again. Since the override was for 30 minutes and the computer was off for 30 minutes longer than the override period, the expectation is that the IPS/Prevention Policy becomes effective immediately
- Instead, once the Linux host loads the agent and the IPS driver, IPS continues to be in a disabled state for approximately 8-10 minutes, sometimes longer
Steps to Reproduce:
- Override the SDCSS Prevention policy for 15 minutes.
- Shut down the host for 30 minutes. Let the override timer expire while the host is in the powered-down state
- Power up the host.
- After power-up, observe that the Prevention Policy remains Disabled even though the timer set by the user has expired.
- It takes approximately 8-10 minutes for the Prevention Policy to return to Enabled
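The following is an added example, not SDCSS agent code, showing how a defender can reason about this timing: it models the override as an absolute expiry time (so time spent powered off still counts toward the override period), computes when prevention should have been re-enabled after boot, and measures the gap until it actually was. The timestamps and the `Override` record are constructed for illustration; nothing here assumes how the agent stores its timer internally.

```python
"""Added example (not SDCSS agent code): compute when a prevention-policy
override should end and how long prevention actually stayed disabled past
that point, so the lag described in the bug report can be detected."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Override:
    """A user-applied policy override (constructed record, not the agent's)."""
    started_at: datetime   # wall-clock time the override was applied (UTC)
    duration: timedelta    # requested override length, e.g. 30 minutes

    @property
    def expires_at(self) -> datetime:
        # Absolute expiry: powering the host off does not pause this clock.
        return self.started_at + self.duration


def expected_enable_time(override: Override, boot_time: datetime) -> datetime:
    """When prevention should be back on after a boot.

    If the override expired while the host was off, prevention is expected
    immediately at boot; otherwise it is expected at the original expiry."""
    return max(override.expires_at, boot_time)


def enable_lag(override: Override, boot_time: datetime,
               prevention_restored_at: datetime) -> timedelta:
    """Extra time prevention stayed disabled beyond the expected enable time.

    Zero when prevention was restored at or before the expected time."""
    lag = prevention_restored_at - expected_enable_time(override, boot_time)
    return max(lag, timedelta(0))


def check_override_honoured(override: Override, boot_time: datetime,
                            prevention_restored_at: datetime,
                            tolerance: timedelta = timedelta(minutes=1)) -> bool:
    """True if prevention came back within `tolerance` of the expected time."""
    return enable_lag(override, boot_time, prevention_restored_at) <= tolerance


if __name__ == "__main__":
    utc = timezone.utc
    # Constructed timeline matching the scenario: 30-minute override at 10:00,
    # host off from 10:05 to 11:05, prevention observed enabled again at 11:14.
    ov = Override(datetime(2024, 1, 1, 10, 0, tzinfo=utc), timedelta(minutes=30))
    boot = datetime(2024, 1, 1, 11, 5, tzinfo=utc)
    restored = datetime(2024, 1, 1, 11, 14, tzinfo=utc)
    print("expected enable at:", expected_enable_time(ov, boot).time())
    print("actual lag:", enable_lag(ov, boot, restored))
    print("override honoured:", check_override_honoured(ov, boot, restored))
```

In the constructed timeline the override expired at 10:30 while the host was off, so prevention is expected at boot (11:05); the observed 11:14 restoration gives a 9-minute lag and the check fails. The same functions return a zero lag when the host boots before the expiry and prevention resumes at the expiry itself.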
Impact:
The SDCSS Agent is not adhering to the policy override timer set by the user: it allows additional time with IPS disabled. This leaves the host exposed to attack while the user is under the false assumption that IPS was re-enabled immediately after the timer expired.
Reproducible across multiple SDCS Agent versions.
Reproduced on SDCSS Agent versions: 6.8.0 (build 309), 6.8.2 (build 757), 6.9.1 (build 505)