Business Suite Policy Manager 16.x Changelog

AleksandrG · 2023-09-28T10:20:48+00:00

There was an error rendering this rich post.

This changelog provides updates for both WithSecure™ Policy Manager and Policy Manager Proxy, the core management components of the WithSecure™ Business Suite. It includes the latest enhancements, feature updates, and fixes that improve centralized policy management, proxy functionality, and overall control of endpoint and server protection in on-premises environments.

Find more posts tagged with

Changelog

Comments

Jouni_J

WithSecure Policy Manager 16.03 and WithSecure Policy Manager Proxy 16.03

Changes in this release

Bug fixes:

Policy Manager alerts: Fixed an issue where the Policy Manager was not receiving alerts from endpoints if the URI scheme in alerts could not be resolved.
Isolated environment: Resolved DNS issues in ultimate proxy mode when the Policy Manager host had no direct access to DNS.
Upgrade installation: Addressed a problem where upgrading the Policy Manager Proxy from version 16.01 to 16.02 removed a required registry key.

Other changes:

LDAPS connections: Extended the list of supported security groups in LDAPS connections.
New Installation Launcher version: Updated to ilaunchr.exe version 13.6.174.
Security enhancements: Added the includeSubDomains directive in the Strict-Transport-Security header for admin and host interface ports.
File exclusions: Client products’ locally added file exclusions can now be found with Policy Manager Data Mining.
Improved indexing: Enhanced indexing for long lists of exclusions.
Vulnerability fixes: CVE-2024-22262, CVE-2024-38809.

Jouni_J

WithSecure Policy Manager 16.02 and WithSecure Policy Manager Proxy 16.02

Changes in this release

MSI arguments

This release introduces changes in MSI arguments. Now, during a clean installation, the non-default locations for Policy Manager Server and Policy Manager Console data folders can be set using the MSI parameters DATADIR and CONSOLE_DATADIR.

For installing Policy Manager with data folders at D:\WithSecure\, use the following command:

msiexec /i policy-manager.msi DATADIR=D:\WithSecure\PMData CONSOLE_DATADIR=D:\WithSecure\PMCData

Note: By default, the installation process places the Policy Manager Server and Policy Manager Console data folders under the C:\ProgramData\WithSecuredirectory.

New features and improvements

It is no longer required to have Policy Manager server address defined at the Root domain level.
Support tool improvements.
Added support for following Linux distributions:
- Rocky Linux 8
- Debian 11 & 12
- Ubuntu 22.04 LTS & 24.04 LTS

Bug fixes:

WinInet error 12157 on Windows Server 2022 in Status Monitor.
NullPointerException bugfix and other improvements in fspm-definition-update-tool and import-definition-updates -tools.
Installation of Policy Manager/Policy Manager Proxy Windows services as unrestricted to configure Windows Firewall for inherited Java process when Client Security/Server Security is on the same server.
Policy distribute wizard incorrectly showing WMI as disabled.
Removal of duplicated Software Updater settings in Policy Manager Console.
Failures in exporting Policy and Inheritance reports in Policy Manager 16.
Installation wizard of Policy Manager allowing only 4-digit ports.
Miscalculation of selected hosts number in Policy Manager 16.01.
Policy Distribution changes are slow after upgrading to Policy Manager 16.
Non-functional password reset when Policy Manager 16 is installed in a custom location.
Fsiinst.exe crash during push installation.
Configure forwarding -link in Alerts view opens a wrong view.
Policy Manager upgrade from 15.x to 16.x migrates the wrEnabled registry value.
Policy Manager Proxy clean installation problem on localized Windows Servers.

Dropped functionality:

Policy Manager Server no longer supports access via host names containing characters that are not permitted in RFC 1738. For instance, underscores are no longer acceptable symbols in the host name for Policy Manager.

Other changes:

Vulnerability fixes (CVE-2024-22243, CVE-2023-24998)
Include the 'pinned-certificates-unix' channel in the default channels.json of the fspm-definitions-update-tool.
The Software Updater maximum cache size limit for Policy Manager and all managed Policy Manager Proxies can be globally configured via the Policy Manager Console’s Server configuration -page (Tools > Server configuration > Updates cache).
URI wrapping for client alerts to avoid forwarded alerts getting blocked by email filtering.

Limitations

After the Policy Manager upgrade to version 16.xx, automatic Firewall rule for Policy Manager ports created by Server Security 14.10 and newer will stop functioning. You would need to create corresponding Firewall rule manually or upgrade Server Security to version 16.00 and install HF 16.00HF1 to allow external connections to Policy Manager ports.

AleksandrG

WithSecure Policy Manager 16.01 and WithSecure Policy Manager Proxy 16.01

Changes in this release

New MSI arguments support is added.

If the Policy Manager or Policy Manager Proxy host does not have a direct internet connection, specify the HTTP proxy configuration as 'PROXY_SERVER' MSI argument for example by running an MSI file from the command line and passing the arguments to it:

msiexec /i policy-manager.msi PROXY_SERVER=http://proxy.example.com:8080

Use percent encoding for any reserved URI characters in the user name or password. For example, if the password is ab%cd, you need to enter it as follows:http://user:ab%25cd@proxy.example.com:8080

Installation improvements:

non-default installation directories are now supported for upgrades.
service stop hangling during upgrade is now improved.
web reporting shortcut is now created.

Push-installation issue is now fixed.

Scanning reports not being opened from the Console is now fixed.

Tool to import malware definitions in isolated networks is now called import-definition-updates.

Additional troubleshooting information is now collected with wsdiag.

AleksandrG

WithSecure Policy Manager 16.00 and WithSecure Policy Manager Proxy 16.00

Policy Manager is an on-premise application providing a central location for managing security applications across different operating systems.

Policy Manager can be used for:

setting and distributing security policies,
installing application software to local and remote systems,
monitoring the activities of all systems in the enterprise for compliance with corporate policies and centralized control

Policy Manager and Policy Manager Proxy support following operating systems

Microsoft Windows:

Windows 10 (64-bit), not recommended for the Policy Manager Server
Windows 11 (64-bit), not recommended for the Policy Manager Server
Windows Server 2012 R2; Essentials, Standard or Datacenter editions
Windows Server 2016; Essentials, Standard or Datacenter editions
Windows Server 2019; Essentials, Standard or Datacenter editions (Server Core is not supported)
Microsoft Windows Server 2022; Essentials, Standard, or Datacenter editions

Linux (only 64-bit versions of all distributions listed are supported):

AlmaLinux 8.5
CentOS 7, 8
CentOS Stream 8
Debian GNU Linux 9, 10
openSUSE Leap 43, 15
Oracle Linux 8
Red Hat Enterprise Linux 6, 7, 8
SUSE Linux Enterprise Server 11, 12, 15
SUSE Linux Enterprise Desktop 11, 12, 15
Ubuntu 16.04, 18.04, 20.04

Note: see user guides for full list of system requirements.

Changes in this release

New domain names

As of version 16 managed clients are now using new backends to function. In case external network connections are controlled in the company, please allow all connections to *.fsapi.com or white-list this list explicitly:

guts2.fsapi.com
guts2-old.fsapi.com
corp-reg.fsapi.com
api.doorman.fsapi.com
baseguard.doorman.fsapi.com
a.karma.sc2.fsapi.com
restmc.mind.sc2.fsapi.com

Policy Manager server address in Root domain

It is now required to have Policy Manager server address defined at the Root domain level. It is still possible to override values for subdomains, i.e. Policy Manager host has specific alias for certain location.

New Windows MSI

Windows editions of Policy Manager and Policy Manager Proxy are now using MSI for installation.

New directories

New directories and registry keys are now used for both Policy Manager and Policy Manager Proxy

Program files location: C:\Program Files\WithSecure\Policy Manager\
Program data location: C:\ProgramData\WithSecure\NS\Policy Manager\
Registry: HKLM\SOFTWARE\WithSecure\Policy Manager

If you use KB instructions written for earlier versions of the Policy Manager (i.e. requiring additional_java_args overrides) adjust locations correspondingly.

MSI arguments

By default Policy Manager MSI always installs both Policy Manager Console and Policy Manager Server. In case Server is not required and you are installing Console to connect to remote Server, use 'NOSERVER' MSI argument overridden to ‘true’, for example by running an MSI file from the command line and passing the arguments to it:

msiexec /i policy-manager.msi NOSERVER=true

If you wish to override destination directory for the installation, use 'TARGETDIR' MSI argument to override it, for example by running an MSI file from the command line and passing the arguments to it:

msiexec /i policy-manager.msi TARGETDIR=C:\CustomDirectory

Changes in services names

Main Policy Manager and Policy Manager Proxy services are now called wspms (WithSecure Policy Manager).

F-Secure Automatic Update Server service is no longer used, there is no replacement service.

New features and improvements

Ultimate mode – managed clients without direct internet connection are now able to proxy Karma lookups through the connected Policy Manager.
EOLed products notification – if used version of the client software has reached the end-of-life, admin will get the corresponding warning in the Policy Manager Console.
Added an option to export domain policies to prepare environment for migration to Elements.
Added an option to configure Web Content Control alerts per category.
Added an option to disable alerts for certain Application control rules.
Added an option to change sample submit URL in browser block pages.
Added an option to include the blocked URLs in all alerts.
Separate toggle to activate EDR subscription – it is now possible to keep Sensor subscription entered, but not activated at the target device.
Business Suite + EDR installation experience is now improved.
WithSecure Firewall has a new feature to allow certain rules and groups of rules when "disable all rules" option is selected. It's useful if you want, for instance, to disable all rules except Network Discovery.
User specific environment variables (i.e. %LOCALAPPDATA%, %USERPROFILE%) are now supported in Firewall rules.
Remove unnecessary built-in inbound Firewall rules.
Premium features are now marked in the Policy Manager Console’s editors.
Enriched info for scanning alerts.
Added an option to show Effective exclusions to end users.
The whole URL for the malicious/suspicious/harmful links is now included to alerts.
New application control rule is now added on top of the profile (instead of the end).
The list of possible malware scanning actions for the inserted USB devices has been extended

Bug fixes:

Fixed inability to renew Policy Manager Proxy certificate in some cases.
Isolate/release operations behavior is now fixed.
Not all alerts forwarded to the QRADAR issue is now fixed.
Memory leak on policy generation is now fixed.
GUTS2 cache corruption leading to inability to start PMS is now fixed.
Automatic Database Backup logic is now fixed.
Username in now shown in DataGuard alerts.

Dropped functionality:

Policy Manager no longer supports running database on MySQL 5.5, 5.6.
Support for clients 13.x and older is now removed. FSAUS (F-Secure Automatic Update Server) service is no longer installed.

Limitations

After the Policy Manager upgrade to version 16.00, automatic Firewall rule for Policy Manager ports created by Server Security 14.10 and newer will stop functioning. You would need to create corresponding Firewall rule manually or upgrade Server Security to version 16.00 and install HF 16.00HF1 to allow external connections to Policy Manager ports.