               Release Notes for
        McAfee ePolicy Orchestrator(TM)
                  Version 3.0
                    Patch 2
  © 2003 Networks Associates Technology, Inc.
              All Rights Reserved


=====================================================

This release was developed and tested with:

ePolicy Orchestrator:  3.0.0

Make sure you have installed this version
before using this release.

=====================================================


Thank you for using the ePolicy
Orchestrator(TM) software. This file contains
important information regarding this release.
We strongly recommend that you read the entire
document.

The attached files are provided as is, and with
no warranty either expressed or implied as to
their suitability for any particular use or
purpose. Network Associates, Inc. assumes no
liability for damages incurred either directly
or indirectly as a result of the use of these
files, including but not limited to the loss or
damage of data or systems, loss of business or
revenue, or incidental damages arising from
their use. Patch files should be applied only
on the advice of McAfee Security Technical
Support, and only when you are actually
experiencing the issue being addressed by the
Patch. Patch files should not be proactively
applied in order to prevent potential product
issues. You are responsible for reading and
following all instructions for preparation,
configuration, and installation of Patch files.
Patch files are not a substitute or replacement
for product Service Packs which may be released
by Network Associates, Inc. It is a violation
of your software license agreement to
distribute or share these files with any other
person or entity without written permission
from Network Associates, Inc. Further, posting
of McAfee Security Patch files to publicly
available Internet sites is prohibited. Network
Associates, Inc. reserves the right to refuse
distribution of Patch files to any company or
person guilty of unlawful distribution of
McAfee software products. Questions or issues
with McAfee Patch files should be directed to
McAfee Security Technical Support.


_____________________________________________________
WHAT'S IN THIS FILE

-  About This Release
   -  Purpose
   -  Language Support
   -  Files Included with This Release
-  Installation
   -  Installation Requirements
   -  Installation Steps
   -  Securing ePolicy Orchestrator SQL Server
      Logins
   -  Checking the Agent Package Into the
      Master Repository
   -  Creating the New Agent Installation
      Package
   -  Replicating the Agent Package to
      Distributed Repositories
   -  Deploying the Agent to Client Computers
   -  Monitoring Agent Deployment
   -  Removing This Release
-  Contacting McAfee Security and Network
   Associates
-  Copyright and Trademark Attributions
   -  Trademarks
   -  License Agreement and Attributions


_____________________________________________________
ABOUT THIS RELEASE

PURPOSE

This release addresses the following
vulnerabilities:

-  ePolicy Orchestrator MSDE SA Account
   Compromise -- The default installation of
   MSDE, via ePolicy Orchestrator, configures a
   connection between the ePolicy Orchestrator
   server and MSDE to use an SA account. The
   following two steps would allow a
   knowledgeable user to obtain the SA password
   to this account. The ePolicy Orchestrator
   server configuration file, encrypted with
   3DES, can be obtained by issuing a carefully
   targeted HTTP request to the ePolicy
   Orchestrator server. It is then possible to
   decrypt this file and obtain the password by
   reverse engineering the product.
   Vulnerability identifier: CAN-2003-0148

-  ePolicy Orchestrator 3.0 Agent Directory
   Traversal -- By issuing a carefully targeted
   HTTP request to the ePolicy Orchestrator 3.0
   agent, a remote attacker can read arbitrary
   files.
   Vulnerability identifier: CAN-2003-0610

This release also includes ePolicy Orchestrator
3.0 Patch 1.


LANGUAGE SUPPORT

This release supports all language versions of
the ePolicy Orchestrator software.


FILES INCLUDED WITH THIS RELEASE

This release consists of a package called
EPO3002.ZIP, which contains the following
files:

   CLEANUP.EXE =
      Agent uninstallation program

   CMDAGENT.EXE =
      Command Agent program

   FRAMEWORKPACKAGE.EXE =
      Agent packaging tool

   FRAMEWORKSERVICE.EXE =
      Agent service program

   FRMINST.EXE =
      Agent framework installation program

   MCSCRIPT.EXE =
      McAfee script engine

   NAPRDMGR.EXE =
      Product Manager program

   UPDATERUI.EXE =
      Agent user interface program

   WSTUB32.EXE =
      Win32 stub for agent package

   AGENT.DLL
   AGENTPLUGIN.DLL
   AGENTRES.DLL
   CABINET.DLL
   CLIENTUI.DLL
   CMAUIRES.DLL
   COMPONENTSUBSYSTEM.DLL
   COMPONENTUSERINTERFACE.DLL
   FRMPLUGIN.DLL
   GENEVTINF.DLL
   INTERNETMANAGER.DLL
   LISTENSERVER.DLL
   LOGGING.DLL
   MANAGEMENT.DLL
   MCURIAL.DLL
   NACMNLIB.DLL
   NAGSHR32.DLL
   NAILOG.DLL
   NAINET.DLL
   NAISIGN.DLL
   NAIZLB32.DLL
   NAPOLICYMANAGER.DLL
   NASPIPE.DLL
   NAXML.DLL
   PATCHW32.DLL
   PCRPLUG.DLL
   POEVTINF.DLL
   PSAPI.DLL
   SCHEDULER.DLL
   SCRIPTSUBSYS.DLL
   SCRPTRES.DLL
   SECUREFRAMEWORKFACTORY.DLL
   UNICOWS.DLL
   UPDATESUBSYS.DLL
   UPDPLUG.DLL
   UPDRES.DLL
   USERSPACE.DLL
   XMLWRAP.DLL =
      Application extension files

   SRPUBKEY.BIN =
      Server public key

   AGENT.INI =
      Agent configuration file

   LOGO.JPG =
      McAfee Security company logo

   PACKING.LST =
      List of Patch files

   AGT300DET.MCS
   INSTALLMAIN.MCS
   UPDATEMAIN.MCS =
      Agent detection scripts

   INSTALL.PKG =
      Package information used by server

   EPOSQLSEC.SQL =
      SQL script

   PATCH2.TXT =
      This text file

   PKGCATALOG.Z =
      Agent package catalog file

   FRAMEWORKMANIFEST.XML =
      Package installation information file
      list used by agent installer

   SERVER.XML =
      Default agent policy settings

   SITELIST.XML =
      Repository list


_____________________________________________________
INSTALLATION

INSTALLATION REQUIREMENTS

To use this release, you must have ePolicy
Orchestrator 3.0 software installed on the
ePolicy Orchestrator server that you intend to
update with this release.

   NOTE:
   This release does not work with earlier
   versions of the ePolicy Orchestrator
   software.


INSTALLATION STEPS

1. Create a temporary folder on the hard drive
   of the ePolicy Orchestrator server.

2. Extract the EPO3002.ZIP file to the
   temporary folder that you created in Step
   1.


SECURING EPOLICY ORCHESTRATOR SQL SERVER
LOGINS

If you installed MSDE as part of the ePolicy
Orchestrator installation, you need to complete
these steps.

1. In a text editor, open the EPOSQLSEC.SQL
   file from the temporary folder you created
   in Step 1 of "Installation Steps." It
   contains these lines:

   EXEC sp_addlogin
      '<new_login_name>',
      '<password>',
      '<database_name>'

   EXEC sp_grantdbaccess '<new_login_name>'

   EXEC sp_addrolemember
      'db_owner',
      '<new_login_name>'

3. Replace the <new_login_name> variable with a
   user name for a new SQL Server user account
   (login). This variable appears three times.

4. Replace the <password> variable with a
   password for the new user account. This
   variable appears once.

5. Replace the <database_name> variable with
   the name of the ePolicy Orchestrator
   database. The default database name is
   EPO_<SERVER>, where <SERVER> is the name of
   the ePolicy Orchestrator server. This
   variable appears once.

   For example, if the user name is EPODBO, the
   password is T2M0912, and the database name
   is ePO_MANAGE, the resulting file would be:

   EXEC sp_addlogin
      'EPODBO',
      'T2M0912',
      'ePO_MANAGE'

   EXEC sp_grantdbaccess 'EPODBO'

   EXEC sp_addrolemember
      'db_owner',
      'EPODBO'

6. Save the file.

7. At the command prompt, run the following
   command:

      NOTE
      This command is case-sensitive.

      OSQL -d<database_name> -U<account_with_sa_privileges> -P<password> -i<path>EPOSQLSEC.SQL

   Where <database_name> is the name of the
   ePolicy Orchestrator database. The default
   database name is EPO_<SERVER>, where
   <SERVER> is the name of the ePolicy
   Orchestrator server.

   And where <account_with_sa_privileges> and
   <password> are the user name and password of
   an account with system administrator
   permissions on the database.

   And where <path> is the location of the
   EPOSQLSEC.SQL file.

   For example, if the ePolicy Orchestrator
   database name is ePO_MANAGE, the user name
   is SA, the password is 53cr3t, and the
   EPOSQLSEC.SQL file is in C:\TEMP, the
   resulting command would be:

      OSQL -dePO_MANAGE -USA -P53cr3t -iC:\TEMP\EPOSQLSEC.SQL

8. Start the Server Configuration program
   (CFGNAIMS.EXE). The default location is:

      C:\PROGRAM FILES\NETWORK ASSOCIATES\EPO\3

   If you upgraded the software from version
   2.0, 2.5, or 2.5.1, the default location
   is:

      C:\PROGRAM FILES\MCAFEE\EPO\3

9. Click the "Administrator" tab.

10. Select "Use SQL authentication."

11. In "User name," type the value you
   provided for the <new_login_name> variable
   in Step 3.

12. In "Password," type the value you
   provided for the <password> variable in Step
   4.

13. Click "OK."
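
A post-change check for the procedure above, added here as an example and not part of the McAfee release notes or EPOSQLSEC.SQL. It uses the sample values EPODBO and ePO_MANAGE from step 5 and assumes the MSDE / SQL Server 2000 system tables; it confirms that the new login is db_owner on the ePolicy Orchestrator database without holding any of the server-wide roles that the SA account has.

```sql
-- Added example: verify the login created by EPOSQLSEC.SQL.
-- EPODBO / ePO_MANAGE are the sample values from step 5; substitute your own.
USE ePO_MANAGE
GO

DECLARE @login sysname, @db sysname, @failed int
SET @login  = 'EPODBO'
SET @db     = 'ePO_MANAGE'
SET @failed = 0

-- 1. sp_addlogin must have created the login with the ePO database as default.
IF NOT EXISTS (SELECT 1 FROM master.dbo.syslogins
               WHERE name = @login AND dbname = @db)
BEGIN
    RAISERROR('Login is missing or its default database is not the ePO database.', 16, 1)
    SET @failed = 1
END

-- 2. The login must hold no fixed server role. A sysadmin member would put the
--    ePO server back on SA-equivalent rights, which is what this change removes.
IF EXISTS (SELECT 1 FROM master.dbo.syslogins
           WHERE name = @login
             AND (sysadmin = 1 OR securityadmin = 1 OR serveradmin = 1
               OR setupadmin = 1 OR processadmin = 1 OR diskadmin = 1
               OR dbcreator = 1 OR bulkadmin = 1))
BEGIN
    RAISERROR('Login holds a fixed server role; it should only be db_owner on the ePO database.', 16, 1)
    SET @failed = 1
END

-- 3. sp_grantdbaccess and sp_addrolemember must have mapped the login to a
--    database user that is a member of db_owner in the current database.
IF NOT EXISTS (SELECT 1
               FROM sysusers u
               JOIN sysmembers m ON m.memberuid = u.uid
               JOIN sysusers r  ON r.uid = m.groupuid
               WHERE u.name = @login AND r.name = 'db_owner')
BEGIN
    RAISERROR('Login is not a member of db_owner in the ePO database.', 16, 1)
    SET @failed = 1
END

IF @failed = 0
    PRINT 'OK: login is db_owner on the ePO database and holds no server roles.'
GO
```

Save it to a file and run it with the OSQL command from step 7. If -P is omitted, OSQL prompts for the password instead of leaving it on the command line, and EPOSQLSEC.SQL still holds the new password in plain text after step 6.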


CHECKING THE AGENT PACKAGE INTO THE MASTER
REPOSITORY

   NOTE
   You cannot check in packages while pull or
   replication tasks are executing.

1. Log on to the desired ePolicy Orchestrator
   server using a global administrator user
   account.

2. In the console tree under "ePolicy
   Orchestrator" | <SERVER>, select
   "Repository."

3. In the details pane under "AutoUpdate
   Tasks," click "Check in package." The "Check
   in package" wizard appears.

4. Click "Next" to open the package type dialog
   box.

5. Select "Products or updates," then click
   "Next." The catalog file dialog box
   appears.

6. Select the package catalog (PKGCATALOG.Z)
   file from the temporary folder you created
   in Step 1 of "Installation Steps." You can
   type the path to this file, or click
   "Browse" to select it, then click "Next."
   The summary dialog box appears.

7. Click "Finish" to check in the package.

8. Click "Close" after the package has been
   checked in.


CREATING THE NEW AGENT INSTALLATION PACKAGE

1. Stop the "McAfee ePolicy Orchestrator 3.0
   Server" service. This procedure varies
   depending on the operating system. For
   instructions, see the operating system
   product documentation.

2. Delete the FRAMEPKG.EXE and FRAMEWORK.Z
   files from this location in the installation
   directory:

      \DB\SOFTWARE\CURRENT\EPOAGENT3000\INSTALL\0409

   The default location of the installation
   directory is:

      C:\PROGRAM FILES\NETWORK ASSOCIATES\EPO\3

   If you upgraded the software from version
   2.0, 2.5, or 2.5.1, the default location
   is:

      C:\PROGRAM FILES\MCAFEE\EPO\2.0

3. Start the "McAfee ePolicy Orchestrator 3.0
   Server" service. This procedure varies
   depending on the operating system. For
   instructions, see the operating system
   product documentation.


REPLICATING THE AGENT PACKAGE TO DISTRIBUTED
REPOSITORIES

   NOTE
   Since local distributed repositories can
   only be accessed from client computers,
   replication tasks do not copy packages from
   the master repository to local distributed
   repositories; you must manually update local
   distributed repositories with the desired
   packages.

1. Log on to the desired ePolicy Orchestrator
   server using a global administrator user
   account.

2. In the console tree under "ePolicy
   Orchestrator" | <SERVER>, select
   "Repository."

3. In the details pane under "AutoUpdate
   Tasks," click "Replicate now." The
   "Replicate Now" wizard appears.

4. Click "Next" to open the distributed
   repositories dialog box.

5. Click "Select All" to select all global and
   SuperAgent distributed repositories, then
   click "Next." The replication type dialog
   box appears.

6. Select "Incremental replication," then click
   "Finish" to run the task.

7. Click "Close" after the task has completed.


DEPLOYING THE AGENT TO CLIENT COMPUTERS

Although there are numerous methods you can use
to install the agent on computers you want to
manage via ePolicy Orchestrator, we recommend
using the "Deployment" client task, as described below.
For a list of other methods and instructions
for each, see "Agent deployment" in the ePolicy
Orchestrator 3.0 Product Guide.

1. Log on to the desired ePolicy Orchestrator
   server.

2. In the console tree under "ePolicy
   Orchestrator" | <SERVER>, right-click
   "Directory," <SITE>, <GROUP>, or <COMPUTER>.
   The "Policies," "Properties," and "Tasks"
   tabs appear in the details pane.

3. Click the "Tasks" tab.

4. Right-click the "Deployment" task, then
   select "Edit Task." The "ePolicy
   Orchestrator Scheduler" dialog box appears.

5. On the "Task" tab, click "Settings." The
   "Task Settings" dialog box appears.

6. Deselect "Inherit."

7. Next to "Agent 3.1.0," select "Install" in
   "Action."

8. Next to those products that you do not want
   to deploy, select "Ignore" in "Action."

9. To specify command-line options used when
   installing the agent, click the "..." button
   next to "Agent 3.1.0." For instructions, see
   "Agent installation command-line options" in
   the ePolicy Orchestrator 3.0 Product Guide.

10. If you want this task to also be enforced
   during the policy enforcement interval,
   select "Run this task at every policy
   enforcement interval."

11. Schedule the task. For instructions, see
   "Scheduling client tasks" in the ePolicy
   Orchestrator 3.0 Product Guide.

12. Click "OK" to save the current entries.


MONITORING AGENT DEPLOYMENT

You can use the Agent Versions or the
Compliance Issues reports to monitor the
deployment of the agent. For instructions and
information, see "Running reports," and "Agent
Versions report template" or "Compliance Issues
report template" in the ePolicy Orchestrator
3.0 Product Guide, respectively.

The new agent version number is 3.1.0.221.


REMOVING THIS RELEASE

To remove this Patch from your computer,
uninstall, then reinstall ePolicy
Orchestrator.

   NOTE:
   We recommend that you do NOT remove the
   Patch files once you install them. If you
   reinstall the ePolicy Orchestrator software,
   we recommend that you also reinstall the
   Patch.


_____________________________________________________
CONTACTING MCAFEE SECURITY & NETWORK
ASSOCIATES

Technical Support
   Home Page
      http://www.networkassociates.com/us/support/


   KnowledgeBase Search
      https://knowledgemap.nai.com/phpclient/homepage.aspx

   PrimeSupport Service Portal
      http://mysupport.nai.com

      Login credentials required.


McAfee Security Beta Program
   Beta Web Site
      http://www.networkassociates.com/us/downloads/beta/

   E-mail
      avbeta@nai.com


Security Headquarters -- AVERT (Anti-Virus
Emergency Response Team)
   Home Page
      http://www.networkassociates.com/us/security/home.asp

   Virus Information Library
      http://vil.nai.com

   Submit a Virus Sample -- AVERT WebImmune
      https://www.webimmune.net/default.asp

   AVERT DAT Notification Service
      http://www.networkassociates.com/us/downloads/updates/


Download Site
   Home Page
      http://www.networkassociates.com/us/downloads/

   DAT File and Engine Updates
      http://www.networkassociates.com/us/downloads/updates/

      ftp://ftp.nai.com/pub/antivirus/datfiles/4.x

   Product Upgrades
      https://secure.nai.com/us/forms/downloads/upgrades/login.asp

      Valid grant number required.
      Contact Network Associates Customer
      Service


Training
   McAfee Security University
      http://www.networkassociates.com/us/services/education/mcafee/university.htm



Network Associates Customer Service
   US, Canada, and Latin America toll-free:
   Phone:   +1-888-VIRUS NO or +1-888-847-8766
            Monday - Friday, 8 a.m. - 8 p.m.,
            Central Time

   E-mail:  services_corporate_division@nai.com
   Web:     http://www.nai.com/us/index.asp
            http://www.networkassociates.com/us/products/mcafee_security_home.htm

For additional information on contacting
Network Associates and McAfee Security --
including toll-free numbers for other
geographic areas -- see the documentation that
accompanied your original product release.


_____________________________________________________
COPYRIGHT AND TRADEMARK ATTRIBUTIONS

© 2003 Networks Associates Technology, Inc. All
Rights Reserved. No part of this publication
may be reproduced, transmitted, transcribed,
stored in a retrieval system, or translated
into any language in any form or by any means
without the written permission of Networks
Associates Technology, Inc., or its suppliers
or affiliate companies. To obtain this
permission, write to the attention of the
Network Associates legal department at: 5000
Headquarters Drive, Plano, Texas 75024, or call
+1-972-963-8000.


TRADEMARKS

Active Firewall, Active Security, Active
Security (in Katakana), ActiveHelp,
ActiveShield, AntiVirus Anyware and design,
Appera, AVERT, Bomb Shelter, Certified Network
Expert, Clean-Up, CleanUp Wizard, ClickNet,
CNX, CNX Certification Certified Network Expert
and design, Covert, Design (stylized N), Disk
Minder, Distributed Sniffer System, Distributed
Sniffer System (in Katakana), Dr Solomon's, Dr
Solomon's label, E and Design, Entercept,
Enterprise SecureCast, Enterprise SecureCast
(in Katakana), ePolicy Orchestrator, Event
Orchestrator (in Katakana), EZ SetUp, First
Aid, ForceField, GMT, GroupShield, GroupShield
(in Katakana), Guard Dog, HelpDesk, HelpDesk
IQ, HomeGuard, Hunter, Impermia, InfiniStream,
Intrusion Prevention Through Innovation,
IntruShield, IntruVert Networks, LANGuru,
LANGuru (in Katakana), M and design, Magic
Solutions, Magic Solutions (in Katakana), Magic
University, MagicSpy, MagicTree, McAfee, McAfee
(in Katakana), McAfee and design, McAfee.com,
MultiMedia Cloaking, NA Network Associates, Net
Tools, Net Tools (in Katakana), NetAsyst,
NetCrypto, NetOctopus, NetScan, NetShield,
NetStalker, Network Associates, Network
Performance Orchestrator, Network Policy
Orchestrator, NetXray, NotesGuard, nPO, Nuts &
Bolts, Oil Change, PC Medic, PCNotary,
PortalShield, Powered by SpamAssassin,
PrimeSupport, Recoverkey, Recoverkey -
International, Registry Wizard, Remote Desktop,
ReportMagic, RingFence, Router PM, Safe &
Sound, SalesMagic, SecureCast, SecureSelect,
Service Level Manager, ServiceMagic, SmartDesk,
Sniffer, Sniffer (in Hangul), SpamKiller,
SpamAssassin, Stalker, SupportMagic,
ThreatScan, TIS, TMEG, Total Network Security,
Total Network Visibility, Total Network
Visibility (in Katakana), Total Service Desk,
Total Virus Defense, Trusted Mail, UnInstaller,
VIDS, Virex, Virus Forum, ViruScan, VirusScan,
WebScan, WebShield, WebShield (in Katakana),
WebSniffer, WebStalker, WebWall, What's The
State Of Your IDS?, Who's Watching Your
Network, WinGauge, Your E-Business Defender,
ZAC 2000, Zip Manager are registered trademarks
or trademarks of Network Associates, Inc.
and/or its affiliates in the US and/or other
countries. Sniffer brand products are made
only by Network Associates, Inc. All other
registered and unregistered trademarks in this
document are the sole property of their
respective owners.


LICENSE INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE
APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO
THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE
GENERAL TERMS AND CONDITIONS FOR THE USE OF THE
LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH
TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE
CONSULT THE SALES AND OTHER RELATED LICENSE
GRANT OR PURCHASE ORDER DOCUMENTS THAT
ACCOMPANIES YOUR SOFTWARE PACKAGING OR THAT YOU
HAVE RECEIVED SEPARATELY AS PART OF THE
PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT
CD, OR A FILE AVAILABLE ON THE WEB SITE FROM
WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF
YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH
IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE.
IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO
NETWORK ASSOCIATES, INC. OR THE PLACE OF
PURCHASE FOR A FULL REFUND.


Attributions

This product includes or may include:

-  Software developed by the OpenSSL Project
   for use in the OpenSSL Toolkit
   (http://www.openssl.org/).

-  Cryptographic software written by Eric Young
   (eay@cryptsoft.com) and software written by
   Tim J. Hudson (tjh@cryptsoft.com).

-  Some software programs that are licensed (or
   sublicensed) to the user under the GNU
   General Public License (GPL) or other
   similar Free Software licenses which, among
   other rights, permit the user to copy,
   modify and redistribute certain programs, or
   portions thereof, and have access to the
   source code.  The GPL requires that for any
   software covered under the GPL which is
   distributed to someone in an executable
   binary format, that the source code also be
   made available to those users.  For any such
   software covered under the GPL, the source
   code is made available on this CD.  If any
   Free Software licenses require that Network
   Associates provide rights to use, copy or
   modify a software program that are broader
   than the rights granted in this agreement,
   then such rights shall take precedence over
   the rights and restrictions herein.

-  Software originally written by Henry
   Spencer, Copyright 1992, 1993, 1994, 1997
   Henry Spencer.

-  Software originally written by Robert
   Nordier, Copyright © 1996-7 Robert Nordier.
   All rights reserved.

-  Software written by Douglas W. Sauder.

-  Software developed by the Apache Software
   Foundation (http://www.apache.org/).

-  International Components for Unicode ("ICU")
   Copyright © 1995-2002 International Business
   Machines Corporation and others. All rights
   reserved.

-  Software developed by CrystalClear Software,
   Inc., Copyright © 2000 CrystalClear
   Software, Inc.

-  FEAD Optimizer technology, Copyright
   Netopsystems AG, Berlin, Germany.


DBN 005-ENG
