Virsec Security Platform (VSP) leverages the patented Trusted Execution™ technology to protect high-value enterprise applications deployed in data centers or on public and hybrid clouds from highly sophisticated attacks, including memory corruption, code injection, credential theft, supply chain and other sophisticated attacks. VSP effectively creates and enforces guardrails around the application as it executes. These guardrails ensure that applications only perform as intended and restrain bad actors from corrupting memory as a precursor to hijacking control of the application and subsequently stealing or destroying high-value enterprise data.
DATE OF RELEASE
2/14/2022
COMPATIBILITY MATRIX
Refer to the Compatibility Guide topic for information about the supported platforms and languages.
NEW FEATURES
- VSP-Host Maintenance Mode – Maintenance mode is an intermediate mode for configured hosts. In this mode, the probe goes into an “observer” state, allowing the execution of new binaries during the change control window. No incidents are reported and new binaries are automatically added to the whitelist. Maintenance Mode can be used for system maintenance windows that involve the installation and uninstallation of multiple software packages that could otherwise generate a large number of incidents and management overhead.
- VSP Probe Password Protection (For VMs) – VSP Password Protection is introduced to restrict the VSP-CLI stop and edit commands to authorized personnel only. The password is set during VSP Probe installation and can be modified using the VSP-CLI utility.
- SAML SSO Support – Provides Single Sign-On capabilities for CMS authentication and role assignment with Security Assertion Markup Language (SAML) v2 compliant Identity Providers.
- Manual override for Auto-Instrumentation option (For VMs) – In release 2.2.0, automatic runtime instrumentation for application workloads was added. A manual override option is now available for cases where automatic instrumentation is not desired.
- CI/CD Containerization – CI/CD container names are now canonical and do not change between minor releases. Using these names, the user can be assured of procuring the latest available release during installation/upgrade. Refer to the CI Phase and CD Phase topics for more information.
- Node.js Support (Beta Feature) – 2.3.0 adds VSP-Web support for Node.js. Refer to the Compatibility Matrix for more information.
- RHEL 6.7 and Windows 2000 R2 support for VMs – 2.3.0 now supports these Operating Systems for VMs. Refer to the Compatibility Matrix for more information.
- Pre and Post Installation Configuration – Custom scripts can be configured to be executed before and/or after CMS installation. In cases where a proxy server is needed, it can be configured before installation and the changes can be reverted post installation.
- Support for IBM QRadar SIEM – Virsec now provides a DSM (connector) for the IBM QRadar SIEM solution. Customers can deploy this DSM in their QRadar setup to ingest and parse incidents that are generated on VSP.
- AppDynamics Compatibility – VSP-Web runtime instrumentation can be deployed alongside AppDynamics APM instrumentation. Refer to the Compatibility Matrix for information about the languages and versions supported.
- VSP-Web Dynamic Logging – The default location and level of VSP component logs can be configured using the VSP-CLI utility.
- Protection against Advanced Memory-based Exploit Techniques for Linux – VSP now offers additional protection against advanced process injection and defense evasion techniques that easily bypass traditional endpoint protection and post-breach detection tools. With this release, support has been added for Linux servers. Support for Windows was added in the previous release 2.2.x.
KNOWN ISSUES AND CAVEATS
| Category | Issue | Description | Known Issue / Caveat |
|---|---|---|---|
| Installation | CI phase fails on Ubuntu 20 container | CI phase fails on Ubuntu 20 container if Docker version 19.03.0 - 19.03.8 is installed on the Management Node used for installation. This is due to a known issue in these Docker versions. Recommended Workaround: Install Docker version 19.03.9 on the Management Node | Known Issue |
| Installation | After CMS upgrade, Probes status is wrongly depicted | After CMS upgrade, the Probes page depicts the wrong AI status, even though keep alive messages are not received from ASI | Known Issue |
| FSM (File System Monitoring) | File Rename incident is detected with "fileName" and "filePath" as "NON_MONITORED_PATH" | For a File Rename incident, the "fileName" and "filePath" attributes are reported as "NON_MONITORED_PATH" after deleting the contents of the file | Known Issue |
| FSM (File System Monitoring) | Modification of Hard-link files is not reported as an incident | Modification of Hard-link files is not reported as an incident | Known Issue |
| FSM (File System Monitoring) | Modification of Soft-link files is not reported as an incident | Modification of Soft-link files is not reported as an incident | Known Issue |
| VSP-Memory | Post BE attack, process may not restart for VM | Post BE attack, if an application is configured in the inline protect restart mode, it may not get restarted successfully. Recommended Workaround: sudo must be present on the machine and must not require a password to execute when launched as root user | Known Issue |
| VSP-Memory | Apache 2.4 (httpd) is not instrumented when it is started as a service (Win 2016) | The httpd service is not instrumented when it is started as a service. The process terminates. Recommended Workaround: Do not start httpd as a service. Execute it from the console | Known Issue |
| VSP-Memory | (Windows) VSP-Memory sometimes fails to automatically re-instrument an Application | In Windows, when using auto-instrumentation for a service, VSP-Memory sometimes fails to re-instrument the application automatically if the service is restarted via the Services window. This is because VSP-Memory-Assist does not process the application stop/start quickly enough. Recommended Workaround: In such cases, stop the service and wait up to 5 seconds before starting the service | Known Issue |
| Host Monitoring | All entries in the Global exclusion list are considered regular expression patterns | All entries in the Global exclusion list are considered regular expression patterns even if there are absolute paths present | Known Issue |
| Host Monitoring | SearchUI.exe process gets suspended on Windows Server 2016 | SearchUI.exe process gets suspended on Windows Server 2016. This is a behavior of the specific OS | Caveat |
| Host Monitoring | VSP-CLI logs error in Mixed Mode | In Mixed Mode, VSP-CLI logs error: “ERROR: ld.so: object 'libvsp-hmm-agent.so' from /etc/ld.so.preload cannot be preloaded: ignored.” | Caveat |
| Host Monitoring | Some publishers did not get detected/whitelisted during initial scan | Upon launch of the Google Chrome browser, some libraries (signed by publisher 'ESET, spol. s r.o.') are loaded. The publisher is not listed in the publishers list in the initial scan. When the process is launched, this publisher gets whitelisted automatically (if auto-whitelist is enabled) | Expected Behavior |
| Host Monitoring | Suspended signed process is not resumed (Windows) | After the initial scan, when a new process is installed, it gets suspended in Protect Mode. When the publisher is whitelisted, the process is not resumed. Recommended Workaround: Whitelist the specific process associated with the profile | Known Issue |
| Host Monitoring | VSP does not report modified processes or libraries that belong to a package in systems that use prelink | VSP does not report modified processes or libraries that belong to a package in systems that use prelink. The prelink application inherently changes the binary checksum, so there is no true reference for VSP to use | Expected Behavior |
| Host Monitoring | In Windows, when an application is started with or without the “.exe”, different detections by VSP may be possible | ACPs are specific to the command line used when starting an application. In Windows, when an application is started with or without the “.exe”, different detections by VSP may be possible | Known Issue |
| Host Monitoring | App Control Policies do not support any unicode character in any field | App Control Policies do not support any unicode character in any field | Limitation |
| Host Monitoring | Execution of native image DLLs by Windows CLR runtime is not covered | Execution of native image DLLs by Windows CLR runtime is not covered under Virsec Process and Library Monitoring capabilities | Known Issue |
| Reporting | On-premise deployment: Generated reports cannot be viewed | In an on-premise multi-pod deployment, generated reports cannot be viewed. Error 404 is displayed. This occurs when the components JReports and Nginx Client service are deployed on different worker nodes | Known Issue |
| VSP-Web (on Web Server) | Compressed Responses are not supported | VSP-Web (on Web Server) does not support compressed Responses. Example: gzip | Limitation |
| VSP-Web | Long polling or WebSocket based requests are not supported | Long polling or WebSocket based requests are currently not supported by VSP-Web | Limitation |
| VSP-Web | Asynchronous servlet model is not supported | Applications leveraging Async-API are not supported | Limitation |
| VSP-Web | Permission denied message is displayed along with the Application message | For some inline protection cases, along with the Permission Denied pop-up message, the application response is also displayed | Known Issue |
| VSP Memory Exploit Protection | Process Hollowing prevention does not work under some conditions | Process Hollowing prevention does not work under some conditions due to the way API hooking is implemented | Known Issue |
| VSP Memory Exploit Protection | RMP does not detect a variant of PowerShell Exploit | RMP does not detect a variant of PowerShell Exploit if both the source and target processes are the same | Limitation |
| General | VSP-CLI command gives error while executing stop/restart VSP-Manager service | When the VSP-CLI command is used to stop/restart the VSP-Manager service (individually or all the services), there is an error “Exception occurred during the initialization of the VSP Kafka consumer”. Recommended Workaround: Close the current session and stop/restart the VSP-Manager service in a new session | Known Issue |
| General | User may be unable to delete instances | User may be unable to delete instances in a larger environment with more than 20 thousand open incidents | Known Issue |
| General | Application and host profiles do not auto-associate if the tag names contain spaces | Application and host profiles do not auto-associate if the application and host tag names contain spaces. Recommended Workaround: Ensure that no spaces are present in the tags | Limitation |
Table – Known Issues and Caveats
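
The Host Monitoring entry on the Global exclusion list means an absolute path typed as-is is evaluated as a pattern. The following added example (not Virsec code) shows how far such an entry can over-match or fail to match, and how to escape and anchor it. It assumes Python's `re` engine with unanchored search, since the page does not state which engine or anchoring VSP uses; all paths and function names are constructed for illustration.

```python
import re

def literal_path_pattern(path: str) -> str:
    """Regex that matches exactly `path`: metacharacters escaped, both ends anchored."""
    return r"\A" + re.escape(path) + r"\Z"

def matched_paths(pattern: str, candidates: list[str]) -> list[str]:
    """Candidates an unanchored regex search of `pattern` would treat as excluded."""
    rx = re.compile(pattern)
    return [p for p in candidates if rx.search(p)]

def unintended_matches(entry: str, candidates: list[str]) -> list[str]:
    """Paths excluded by `entry` other than the exact path the operator typed."""
    return [p for p in matched_paths(entry, candidates) if p != entry]

# Constructed sample data, not taken from any VSP deployment.
LINUX_ENTRY = "/opt/app/bin/tool.sh"
LINUX_CANDIDATES = [
    "/opt/app/bin/tool.sh",        # the file the operator meant to exclude
    "/opt/app/bin/tool_sh",        # '.' in the entry matches any character
    "/tmp/x/opt/app/bin/tool.sh",  # unanchored: entry matches as a substring
    "/opt/app/bin/tool.sh.bak",    # unanchored: trailing text is ignored
    "/opt/app/bin/other.sh",       # not matched
]

# In Python's re, "\A" is a start-of-string anchor and "\s" a whitespace class,
# so this raw Windows path compiles but never matches itself. Other engines
# treat backslash escapes differently.
WINDOWS_ENTRY = r"C:\Apps\svc.exe"

if __name__ == "__main__":
    print("raw entry also excludes:", unintended_matches(LINUX_ENTRY, LINUX_CANDIDATES))
    safe = literal_path_pattern(LINUX_ENTRY)
    print("escaped and anchored   :", safe, "->", matched_paths(safe, LINUX_CANDIDATES))
    print("raw Windows entry matches itself:",
          bool(matched_paths(WINDOWS_ENTRY, [WINDOWS_ENTRY])))
```

Reviewing existing exclusion entries this way against a listing of real file paths shows which entries exclude more, or less, than the single file they were written for.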
AVAILABLE PATCHES
Click here for VSP Patch 2.3.1 information
Click here for VSP Patch 2.3.2 information
Click here for VSP Patch 2.3.3 information
Click here for VSP Patch 2.3.4 information
Click here for VSP Patch 2.3.5 information
Click here for VSP Patch 2.3.6 information
Click here for VSP Patch 2.3.7 information