Defect ID

Description

SUPP-431

Docs: Update public Gitlab docs until future container strategy is released

SUPP-405

Application functionality is affected after deploying VSP

SUPP-399

VSP-manager does not handle steady-state keep alive exceptions correctly

SUPP-395

Non binaries are reported from the initial FSWalk

SUPP-369

Incorrect reference to an ACP is applied to the Host Profile if the ACP name is similar

SUPP-366

Archived nodes cannot be deleted on CMS

SUPP-362

CMS is not resilient to server reboot in EKS

SUPP-361

Probes unable to reconnect to CMS console after CMS server reboot. CMS client reports 502 error

SUPP-357

Non-admin user cannot view alerts, threat and incidents on CMS dashboard

SUPP-355

Reflected XSS is not blocked for bookstore application

SUPP-354

Email notifications are not sent from CMS

SUPP-348

Failure to start CMS after execution of setup.sh during VSP upgrade from 2.4.0 to 2.5.0

SUPP-345

Application version number appears twice in the "Application" column

SUPP-344

In a Nginx Buffer Error Incident, the Memory Addresses are inaccurate

SUPP-335

VSP Upgrade on EKS from 2.2.4 to 2.5.0 fails

SUPP-333

License activation after upgrade to VSP 2.5.0 does not unlock CMS UI

SUPP-330

Azure SAML integration to be tested

SUPP-328

Log4j RFI attack is BLOCKED in protection mode but reported as a LOG incident in CMS

SUPP-327

App "File Integrity Exclusion Folders" field does not allow comma separated values

SUPP-273

IBM and IIS servers are not in PCM but feature in installation docs

SUPP-262

CMS UI Attack count is not updated

SUPP-250

FSM agent fails to create file event and report it to CMS for events except for file removed event

SUPP-216

Google found vulnerability in probe

SUPP-212

Infinite Potential | Host Out of Sync on Windows 2016

SUPP-208

ACP fails to detect useradd commands with /dev/null in it

SUPP-203

CI & CD tools are using images from internal artifactory

SUPP-201

Virsec 2.4.0 dashboard incident for Buffer Error displays 32-bit address for a 64-bit linux app

SUPP-200

High CPU Utilization on Probe on Windows 2016 server after upgrading probe from 2.2.2 to 2.3.3 while in Protect mode

SUPP-189

CI script encounters error with -g option

SUPP-186

Probe registration with CMS is not successful

SUPP-170

Connection error occurs while new scheduled reports are created in CMS

SUPP-155

Windows probe installer attempting to download vsp-web-vm.zip file from an incorrect location

SUPP-128

Unable to delete the previously associated but currently disconnected probe

SUPP-94

Probe installation takes a long time

SUPP-90

SKU script not able to detect the DD/MM/YY format

SUPP-73

VSP Probe install on RHEL takes 40 minutes when no Internet available

SUPP-66

Password reset does not work with all special characters

SUPP-52

False positive Web incidents reported

SUPP-46

CMS/LFR zip has UID of 1008. This value must be changed since it may be used by other UIDs

SUPP-43

'Activate now' link in the Email redirects to wrong URL after the user is invited by the super admin

SUPP-32

Windows probe installation frails

SUPP-9

Errors in CMS services: cms-client service and utility-service

Category

Description

Known Issue/ Caveat

Installation

CI phase fails on Ubuntu 20 container

CI phase fails on Ubuntu 20 container if the docker version 19.03.0 - 19.03.8 is installed on the Management node used for installation. This is due to a known issue in these docker versions

Recommended Workaround: Install docker version: 19.03.9 on the Management Node

Known Issue

FSM (File System Monitoring)

File Rename incident is detected with "fileName" and "filePath" as "NON_MONITORED_PATH"

For a File rename incident, "fileName" and "filePath" attributes are reported as "NON_MONITORED_PATH" after deletion of the file contents

Known Issue

Duplicate incidents and events are generated after file modification

Duplicate incidents and events are generated after modification of an existing or new file with event types NEW_FILE, FILE_MODIFIED and FILE_RENAMED

Known Issue

(Windows 2008) Two incidents are generated for file rename action

For a file rename action, two Incidents FILE_RENAME and FILE_MODIFIED are reported in Windows 2008

Known Issue

Incidents are reported for excluded folders

When multiple Applications are associated with the same ASI and a few folders are excluded in one of them and not the others, incidents are reported for the excluded folders

Recommended Action: Ensure that the folders are excluded in all the associated Applications on CMS

Known Issue

VSP-Memory

Post BE attack, process may not restart for VM

Post BE attack, if an application is configured in the inline protect restart mode, it may not get restarted successfully.

Recommended Workaround: sudo must be present on the machine and must not require a password to execute when launched as root user

Known Issue

Apache 2.4 (httpd) is not instrumented when it is started as a service (Win 2016)

httpd service is not instrumented when it is started as a service. The process terminates.

Recommended Workaround: Do not start httpd as a service. Execute it from the console

Known Issue

(Windows) VSP-Memory fails to automatically re-instrument an Application sometimes

In Windows, when using auto-instrumentation for a service, VSP-Memory sometimes fails to re-instrument the application automatically, if the service is restarted via the Services window. This is because VSP-Memory-Assist does not process the application stop/start quickly enough

Recommended Workaround: In such cases, stop the service, wait up to 5 seconds before starting the service

Host Monitoring

All entries in the Global exclusion list are considered regular expression patterns

All entries in the Global exclusion list are considered regular expression patterns even if there are absolute paths present

Known Issue

In Mixed Mode, VSP-CLI logs error: “ERROR: ld.so: object 'libvsp-hmm-agent.so' from /etc/ld.so.preload cannot be preloaded: ignored.”
It has no adverse effect on the VSP-CLI functionality.

Some publishers did not get detected/Allowlisted during initial scan

Upon launch, Google Chrome browser, some libraries (signed by publisher 'ESET, spol. s r.o.') are loaded. The publisher is not listed in the publishers list in the initial scan. When the process is launched, this publisher gets allowlisted automatically (if auto-allowlist is enabled)

Suspended signed process is not resumed (Windows)

After the initial scan, when a new process is installed, it gets suspended in Protect Mode. When the publisher is allowlisted, the process is not resumed.

Recommended Workaround: Allowlist the specific process associated with the profile.

VSP does not report modified processes or libraries that belong to a package in systems that use prelink

VSP does not report modified processes or libraries that belong to a package in systems that use prelink. The prelink application inherently changes the binary checksum, so there is no true reference for VSP to use.

In Windows, when an application is started with or without the “.exe”, different detections by VSP may be possible

ACPs are specific to the command lines used when starting an application. In Windows, when an application is started with or without the ".exe", different detections by VSP may be possible

App Control Policies do not support any unicode character in any field

App Control Policies do not support any unicode character in any field

Linux HMM agent limitation

In Linux, VSP host monitoring injects its own HMM agent into every running process. The HMM agent expects a specific version of glibc. If the application loads its own custom glibc version that is not compatible with the HMM agent, the HMM agent may not load correctly causing some application issues

Exclusion on Child Type ACP rule does not work

Even when a child process added under exclusion in ACP, Child Exclusion is reported as incident

Incident is not reported when the user name is a mismatch

Incident is not reported when the user name does not match the "Allow" user in ACP config

Publisher/Package list is not included when the host profile is exported

Publisher/Package list is not included when the host profile is exported. As a result, when the host profile is imported into CMS, the publisher/packages list may be missing and may generate incidents.

Fully statically-linked executables are not detected during the start up by HMM

Fully statically-linked executables are not detected during the start up by HMM. However, whenever the allowlist is published or there is a VSP host mode change, VSP host detects and checks the actively running statically-linked executables

Known Issue

For a small subset of applications started via the "service" command in Linux, VSP host does not detect the application start

In some cases, for a small subset of applications started via the "service" command in Linux, VSP host does not detect the application start, resulting in a potential false negative. However, each time the allowlist is published or the VSP host mode is changed, VSP host scans the system, that detects the running application if it is still running

Known Issue

Execution of native image DLLs by Windows CLR runtime is not covered

Execution of native image DLLs by Windows CLR runtime is not covered under Virsec Process and Library Monitoring capabilities

For ACPs configured for interpreter shells like cmd.exe or powershell.exe, HMM does not evaluate commands executed directly in them

For ACPs configured for interpreter shells like cmd.exe or powershell.exe, HMM does not evaluate commands executed directly in them against the commandline ACP rules.

Example: If an ACP is created for "cmd.exe" with a commandline deny rule for "echo":

1. Execution of the command "cmd.exe /c echo hello" is reported to CMS as an incident

2. Opening cmd.exe and execution of the command "echo hello" inside the interpreter does not result in incident detection

Reporting

On premise Kubernetes - based deployment:Generated Reports cannot be viewed

In an on-premise Kubernetes - based multi-pod deployment, generated reports cannot be viewed. Error 404 is displayed. This occurs when the components JReports and Ngnix Client service are deployed on different worker nodes

Known Issue

The error may be due to the occurrence of SQL connectivity error in the JReports Server.

Recommended Workaround: If the error SQLNonTransientConnectionException is found, restart the JReports server

VSP-Web (on Web Server)

Compressed Responses are not supported

VSP-Web (on Web Server) does not support compressed Responses.Example: gzip

Limitation

VSP-Web

Long polling or WebSocket based requests are not supported

Long polling or WebSocket based requests are currently not supported by VSP Web

Limitation

Asynchronous servlet model is not supported

Applications leveraging Async-API are not supported

Limitation

Permission denied message is displayed along with the Application message

For some inline protection cases, along with the Permission Denied pop-up message, the application response is also displayed

Known Issue

VSP 2.5.0: VSP-Web for Ruby is not backward compatible

VSP-Web for Ruby on Rails is not backward compatible

Impact: It impacts VSP-Web for Ruby, where CMS is upgraded to VSP 2.5 and Probe is still of a previous version

Recommended Workaround: Ensure that VSP Probe is also upgraded to version 2.5

Limitation

RFI profile exclusion list is not considered for perimeter level RFI attack

RFI profile exclusion list is not considered for perimeter level RFI attack

Recommended Workaround: Add the relevant exception to circumvent the issue

Known Issue

Web Protection (On Web Server)-Apache – pop-up is not displayed

Web Protection (On Web Server)-Apache: Permission denied popup is not displayed. The request is blocked as expected with no impact to functionality

Known Issue

.Net Core: VSP deletes comments from the file web.config

.Net Core: While provisioning application, VSP deletes comments from the file web.config of the application

Known Issue

Invalid CSRF token is reported to CMS when two j-session IDs are present

Invalid CSRF token is reported to CMS when two j-session IDs are sent in the request. VSP supports monolithic applications only. This occurs with multiple session providers only

Known Issue

VSP Memory Exploit Protection

RMP does not detect a variant of PowerShell Exploit

RMP does not detect a variant of PowerShell Exploit if both the source and target processes are the same

Limitation

RHEL 7.6: Process name in Memory integrity incidents is inaccurate for watch command

Process name in Memory integrity incidents is displayed as bash instead of the target process name for watch command

Known Issue

Multiple incidents are reported for powershell

Multiple incidents are reported for powershell since Windows attempts to spawn a new powershell with a shortened path and VSP blocks all these attempts

Expected Behavior

Regex-based exclusions are not supported

Regex-based exclusions are not supported currently

Limitation

General

VSP-CLI command gives error while executing stop/restart VSP-Manager service

When VSP-CLI command is used to stop/restart VSP-Manager service (individually or all the services), there is an error “Exception occurred during the initialization of the VSP Kafka consumer”

Recommended Workaround: Close the current session and stop/restart the VSP-Manager service in a new session

Known Issue

For VSP CMS on an AWS environment ensure that only the External Email server is configured

For VSP CMS on an AWS environment ensure that only the External Email server is configured

Limitation

Email Subscription for application-based incidents

If any application-based incident is configured for Email Subscription, ensure that the Host is NOT selected

Known Issue

VSP is not supported for workloads running SELinux or AppArmor in Enforcing mode

VSP is not supported for workloads running SELinux in Enforcing mode

Limitation

User may be unable to delete instances

User may be unable to delete instances in a larger environment with more than 20 thousand open incidents

Known Issue

Application and host profiles do not auto- associate if the tag names contain spaces

Application and host profiles do not auto- associate if the application and host tag names contain spaces

Recommended Workaround: Ensure that no spaces are present in the tags

Limitation

Splunk connection using proxy with RootCA configuration is not supported

Splunk connection using proxy with RootCA certificate configuration is not supported by CMS

Limitation