Application Control Solution 7.1 SP3 Release Notes
Arellia 7.1 SP3 has introduced requirements of SQL Server 2008 as a minimum SQL Server Platform
Application Control Solution 7.1 SP3 is being made available via downloadable product listing
Introduction
Application-level security attacks, such as file system corruption, registry corruption, spyware, and keylogging, pose a serious threat to mission critical business operations. Altiris Application Control Solution helps you manage this risk by letting you control the software applications in your Altiris environment.
For example, using Application Control Solution, you can create policies to automatically inventory the software packages or systems in your environment. You can also protect your company's data from malicious behavior by automatically encrypting documents, controlling an application's access to specific network locations, and preventing applications from installing Windows API hooks.
For a summary presentation on the changes, see Arellia 7.1 Service Pack 1 Presentation .
Requirements
- Arellia Application Control Solution 7.1 SP3 requires Notification Server 7.1 SP2 as a minimum platform.
The recommended system requirements vary depending on the size of the environment. The size of the environment also affects how you configure the platform.
For more information, see Symantec Management Platform Best Practices References.
- Microsoft Silverlight 5, which you will be automatically prompted to download when first accessing the Arellia Console.
It can be manually downloaded from http://www.microsoft.com/silverlight/
- IIS Url Rewrite 2.0 module needs to be installed on the Notification Server.
Symantec Installation Manager will automatically prompt you to install this, or you can manually download it from http://www.iis.net/downloads/microsoft/url-rewrite
- Microsoft SQL Server 2008
Installation
You use Symantec Installation Manager to install Symantec Management Platform and all of the products that run on the platform. You also use Symantec Installation Manager to install updates, apply licenses, and repair installations.
For more information, see the Quick Start to Installing with Symantec Installation Manager.
Please see the following articles for additional configuration actions.
How to Disable the Clean up File Resources Task
Technical Impact
The Software Management "Clean up File Resources" task, deletes File Resources that are not associated with functionality delivered with SMP Software Management. In particular it deletes File Resources that do not have a Resource Asssociation. This ignores the situation where relationships are modelled through Inventory Data Classes (Dataclass Foreign Key Associations). Arellia products have modelled these relationships in the same manner since the introduction of the File Resource with Application Control 6.0.
If this task schedule is not deleted, most File Resources discovered through Local Security Soloution and Application Control Solution will be deleted at 2:10 am every day. These resources will re-discovered based upon inventory cycles, and will subsequently be once again deleted.- Arellia X64 7.1 Agent Information
Policy Enforcement changes
A significant change has be made to default policy enforcement which is outlined in detail . A new option "Applies to All Policies" has been introduced to Application Control Policies, which defaults to false. Unless checked Application Control Policies will now only be applied to User Interactive processes.
Policy Enforcement History
Previous to version 7.1 SP3, all policies were evaluated when an application was executed. This included System and Windows Service applications, and not just "User Interactive" applications. Policies were required to include a manditory filter specfying the default "User Interactive" filter to only apply to "User Interactive" applications.
7.1 SP3 and beyond Policy Enforcement Behavior
A new option "Applies to All Policies" has been introduced for Application Control Policies, which defaults to false. Unless checked Application Control Policies will only be applied to User Interactive processes.
Reasons for change
In dealing with support issues for Application Control a substantial and ongoing theme is the application of Application Control Policies to non user interactive processes, and the subsequent unintended consequences.
In evaluting the best way to help protect Application Control users from unintended consequences, it was decided to default enforcement of policies to just user interactive processes.
Required Changes
Any existing policies that are meant to be applied to all processes must be modified to set the "Applies to all processes" option available in the "Policy Enforcement" tab.
Licensing
Changes have been made to how Arellia licenses its products.