Date post: 29-Jun-2018
Security Content Update 2017-2 Release Notes Versions: CCS 11.1.x and CCS 11.5.x
  • SCU 2017-2 Release Notes for CCS 11.1.x and CCS 11.5.x

    Legal Notice

    Copyright 2017 Symantec Corporation. All rights reserved.

    Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

    The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

    THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

    Symantec Corporation
    350 Ellis Street
    Mountain View, CA 94043

    http://www.symantec.com

  • Technical Support

    Symantec Technical Support maintains support centers globally. Technical Support's primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.

    Symantec's support offerings include the following:

    A range of support options that give you the flexibility to select the right amount of service for any size organization

    Telephone and/or Web-based support that provides rapid response and up-to-the-minute information

    Upgrade assurance that delivers software upgrades

    Global support purchased on a regional business hours or 24 hours a day, 7 days a week basis

    Premium service offerings that include Account Management Services

    For information about Symantec's support offerings, you can visit our website at the following URL:

    www.symantec.com/business/support/

    All support services will be delivered in accordance with your support agreement and the then-current enterprise technical support policy.

    Contacting Technical Support

    Customers with a current support agreement may access Technical Support information at the following URL:

    www.symantec.com/business/support/

    Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to replicate the problem.

    When you contact Technical Support, please have the following information available:

    Product release level

    Hardware information


  • Available memory, disk space, and NIC information

    Operating system

    Version and patch level

    Network topology

    Router, gateway, and IP address information

    Problem description:

    Error messages and log files

    Troubleshooting that was performed before contacting Symantec

    Recent software configuration changes and network changes

    Licensing and registration

    If your Symantec product requires registration or a license key, access our technical support Web page at the following URL:

    support.symantec.com

    Customer service

    Customer service information is available at the following URL:

    www.symantec.com/business/support/

    Customer Service is available to assist with non-technical questions, such as the following types of issues:

    Questions regarding product licensing or serialization

    Product registration updates, such as address or name changes

    General product information (features, language availability, local dealers)

    Latest information about product updates and upgrades

    Information about upgrade assurance and support contracts

    Information about the Symantec Buying Programs

    Advice about Symantec's technical support options

    Nontechnical presales questions

    Issues that are related to CD-ROMs, DVDs, or manuals


  • Support agreement resources

    If you want to contact Symantec regarding an existing support agreement, please contact the support agreement administration team for your region as follows:

    [email protected] and Japan

    [email protected], Middle-East, and Africa

    [email protected] America and Latin America


  • Contents

    Technical Support

    Chapter 1 Prerequisites for Security Content Updates
        Prerequisites

    Chapter 2 What's New
        New features
        New technical standards
            Mandate-based technical standards
        Deprecated technical standards
        New regulatory and compliance standards
        Addition in predefined platforms
        Modified files
        Known issues

    Chapter 3 Resolved Issues
        Resolved issues

    Chapter 4 Legal Disclaimer
        Legal disclaimer for General Data Protection Regulation (EU)

  • Prerequisites for Security Content Updates

    This chapter includes the following topics:

    Prerequisites

    Prerequisites

    The following are the prerequisites to install a Security Content Update (SCU):

    Symantec Control Compliance Suite 11.1 or later versions

    Before you install a Security Content Update (SCU), you must have Symantec Control Compliance Suite 11.1 or later versions installed on your computer. To use CCS data collection, evaluation and reporting capabilities for command-based standards, you must upgrade to CCS 11.5.2 (Product Update 2017-1).

    New signing certificate for CCS files

    A new signing certificate is used for all CCS files that are signed after March 3, 2017. To install SCU 2017-1 or later using the LiveUpdate feature, you need this certificate. The certificate is valid till March 03, 2018. Before you install the SCU, you must install the updated CCS certificate information necessary to validate the new signing certificate. There are two methods of obtaining the new certificate verifier:

    Quick Fix 10604

    To install the SCU 2017-1 or later, you must apply Quick Fix 10604. The Quick Fix 10604 includes the Symantec.CSM.AssemblyVerifier.dll file, which contains the updated CCS certificate information necessary to validate the certificate. You can download the Quick Fix 10604 from the following location:

    http://www.symantec.com/docs/TECH228300

    Installing the Symantec Control Compliance Suite 11.5.2 (Product Update 2017-1) on your application server. This Product update includes the files found in the Quick Fix and recognizes and validates Symantec binaries that are signed using the new certificate, in addition to recognizing the older binaries.

    Note: The Symantec.CSM.AssemblyVerifier.dll file for new signing certificate is included in the CCS_11_1__SCU_Win.exe for SCU 2017-1 or later. So, if you install SCU 2017-1 or later manually, the Symantec.CSM.AssemblyVerifier.dll is installed with the SCU.

  • What's New

    This chapter includes the following topics:

    New features

    New technical standards

    Deprecated technical standards

    New regulatory and compliance standards

    Addition in predefined platforms

    Modified files

    Known issues

    New features

    The Security Content Update (SCU) 2017-2 contains the following new features:

    Data collection support for MS SQL 2016 platform

    Data collection support for Ubuntu Server v 16.04

    Enhancement in automated MS SQL password management

    CCS 11.5.2 agent support on Ubuntu 12.04, 14.04, and 16.04 servers

    Blacklisting Windows data collection entities for agent-based data collection

    Data collection support for Oracle Database 12c CDB-PDB assets

    Data collection support for MS SQL 2016 platform

    From SCU 2017-2 onwards, data collection support for Microsoft SQL Server 2016 for multiple and single instances of both agentless and agent-based modes of data collection is available.

    Data collection support for Ubuntu Server v 16.04

    Data collection support for the computers that run on Ubuntu Server 16.04 is available from SCU 2017-2 onwards.

    The Security Essentials for Ubuntu 16.x LTS Server standard is provided in the Predefined folder in the tree pane of the CCS Standards view. By running this standard, you can assess the compliance posture for the Ubuntu Server 16.04 assets in your environment. This support is available for both agentless and agent-based modes of data collection.

    Enhancement in automated MS SQL password management

    The SQL Credential Management feature automates the process of managing passwords of the MS SQL Server users that are configured on SQL Server agent for data collection. An enhancement is made to this feature by adding two switches to CCSSQLSETUP.exe tool for enabling the password management setting for MS SQL Server and cluster on the agent machine.

    The following switches are added to the CCSSQLSetup.exe tool:

    -EP: This switch enables the SQL user password management setting by updating the value of the setting MANAGESQLUSERPASSWORD to 1 in the ccssqlenv.dat file.

    -EC: This switch enables the SQL cluster user password management setting by updating the value of the setting MANAGESQLUSERPASSCLUSTER to 1 in the ccssqlenv.dat file.

    CCS 11.5.2 agent support on Ubuntu 12.04, 14.04, and 16.04 servers

    CCS 11.5.2 agent for data collection on Ubuntu 12.04, 14.04, and 16.04 servers with Intel (32 bit and 64 bit) and x64 (64 bit) is available. For more information, refer to the following URL: Security Updates Symantec Control Compliance Suite (https://www.symantec.com/security_response/securityupdates/list.jsp?fid=ccs&pvid=pgu)

    Blacklisting Windows data collection entities for agent-based data collection

    From SCU 2017-2 onwards, you can blacklist a Windows data collection entity that you want to exclude from data collection. This feature is applicable only to the agent-based mode of data collection for Windows entities.

    Using this feature, the local administrator of the agent machine can control the data collection for specific entities at agent level. This restricts the data collectors from collecting sensitive data from the blacklisted entities. For example, you can restrict the data collection of a Text file content data source.

    To use this feature, you must create a configuration file named Black_Listed_Datasource.conf at the following location on an agent machine: \ESM\config\Black_Listed_Datasource.conf

    In this configuration file, list the entities that you want to blacklist. Each entity name must be mentioned on a separate line. All the text lines that start with the # symbol are considered as comments. You can comment out the entities that you want to exclude from the list of blacklisted entities.

    If you run a data collection job for these blacklisted entities, a warning message is displayed as follows on the console:

    'The Data Source is blacklisted. Hence not collecting Data for the same.'

    Agent upgrade and agent content update jobs do not affect the configuration file created for blacklisting the entities.
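    Because the blacklist lets a local administrator remove entities from compliance data collection at agent level, it is worth auditing each agent's file against an approved exclusion list. The following is an added example, not part of the release notes or of CCS: the entity spellings, the approved list, and the handling of whitespace, blank lines and letter case are assumptions, and the sample file content is constructed.

```python
"""Audit a Black_Listed_Datasource.conf against an approved exclusion list."""
from dataclasses import dataclass, field


@dataclass
class BlacklistAudit:
    active: list = field(default_factory=list)      # entities excluded from collection
    commented: list = field(default_factory=list)   # '#' lines: notes or disabled entries
    unapproved: list = field(default_factory=list)  # active entries nobody signed off on
    duplicates: list = field(default_factory=list)  # repeated active entries


def parse_blacklist(text):
    """Split the file into active entries and '#' comment lines.

    Format per the release notes: one entity name per line, lines that
    start with '#' are comments.
    """
    active, commented = [], []
    for raw in text.lstrip("\ufeff").splitlines():  # tolerate a UTF-8 BOM
        line = raw.strip()      # assumption: surrounding whitespace is ignored
        if not line:
            continue            # assumption: blank lines are ignored
        if line.startswith("#"):
            commented.append(line[1:].strip())
        else:
            active.append(line)
    return active, commented


def audit_blacklist(text, approved):
    """Compare the effective blacklist with the approved exclusions."""
    active, commented = parse_blacklist(text)
    # Assumption: entity names are compared case-insensitively.
    approved_keys = {name.casefold() for name in approved}
    result = BlacklistAudit(commented=commented)
    seen = set()
    for name in active:
        key = name.casefold()
        if key in seen:
            result.duplicates.append(name)
            continue
        seen.add(key)
        result.active.append(name)
        if key not in approved_keys:
            result.unapproved.append(name)
    return result


# Constructed sample file content; the entity spellings are assumptions.
SAMPLE_CONF = """\
# Exclusions approved for this agent (constructed sample)
Text file content
#WQL
Shares
shares
"""

# Hypothetical approved exclusion list kept by the compliance team.
APPROVED = ["Text file content"]

if __name__ == "__main__":
    report = audit_blacklist(SAMPLE_CONF, APPROVED)
    print("Excluded from collection:", report.active)
    print("Not on the approved list:", report.unapproved)
    print("Commented out (still collected):", report.commented)
    print("Duplicate entries:", report.duplicates)
```

    An entry reported as not on the approved list is a collection gap on that agent: checks that depend on the entity cannot be evaluated there until the entry is removed or commented out.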

    Data collection support for Oracle Database 12c CDB-PDB assets

    CCS supports the new Oracle Database 12c multi tenant architecture. This architecture holds a Container Database (CDB) that contains a number of virtual or Pluggable Databases (PDBs).

    Data for both CDBs and PDBs can now be collected in CCS. You can import your CDB Oracle assets into the CCS asset system by running the Asset Import job, and then perform data collection and evaluation on these assets.

    You cannot import PDB Oracle assets by running the Asset Import job. You have to add the PDB assets manually by using the CSV or the ODBC asset import functionality.

    Note: While importing the PDB Oracle assets, asset attributes such as Database Name Type, Database Version, Operating System, and OS Type must be updated for successful data collection.

    The Database Name Type asset property must be updated to Service Name, and not as a System ID (SID).

    New technical standards

    The major highlight of the SCU 2017-2 release is the addition of seven new technical standards with CIS Benchmark. The following new technical standards have been added:

    CIS Security Configuration Benchmark for Microsoft SQL Server 2014, v1.2.0

    CIS Security Configuration Benchmark for Microsoft SQL Server 2012, v1.3.0

    CIS Benchmark for Solaris 11.1, v1.0.0

    CIS Benchmark for Solaris 11.2, v1.1.0

    CIS Microsoft Windows Server 2012 R2, v2.2.1

    Security Essentials for Microsoft SQL Server 2016

    Security Essentials for Ubuntu 16.04 LTS Server

    The following standards are added for Apache Tomcat:

    CIS Apache Tomcat 7 Benchmark, v1.1.0

    CIS Apache Tomcat 8 Benchmark, v1.0.1

    Security Essentials for Apache Tomcat 9

    Prerequisite: To run data collection for these standards, xmllint (component of a libxml package) must be available on the target computer.

    Note: A warning message informing that the character limit for checks is 512 by default may be displayed, when checks for Apache standards are loaded. You can avoid getting this message by customizing the CustomCommandTextLengthLimit field in the AppserverService.exe.config configuration file. For more information, refer to the Permissible command length for the Commands entity for UNIX section in the Security Content Update Getting Started Guide.

    Mandate-based technical standards

    The following new standards based on the PCI-DSS 3.2 mandate are added:

    PCI DSS v3.2 for Red Hat Enterprise Linux 5.x Machines

    PCI DSS v3.2 for Red Hat Enterprise Linux 6.x Machines

    PCI DSS v3.2 for Red Hat Enterprise Linux 7.x Machines

    PCI DSS v3.2 for Microsoft Windows Server 2012 and 2012 R2 Machines

    PCI DSS v3.2 for Microsoft Windows Server 2008 and 2008 R2 Machines


  • Deprecated technical standards

    What is a deprecated standard?

    A deprecated technical standard is a standard which customers can still use for data collection for the asset types that it covers, but for which technical support or updates are no longer available from Symantec. A technical standard is marked as 'Deprecated' in CCS Standards Manager in the following cases:

    A CCS standard corresponding to a CIS Benchmark is deprecated if the support for a platform is ended by the platform vendor.

    A lower version of a CCS standard corresponding to a CIS Benchmark is deprecated if a higher version of the CCS standard is available for the same platform.

    A Security Essentials standard is deprecated if it is superseded by a CIS Benchmark for the same platform.

    A standard is marked as 'Deprecated' in the user interface (UI) for two consecutive SCUs. After that, it is removed from the SCU installer. For uninterrupted technical support for a platform, Symantec recommends that customers switch to a CIS Benchmark CCS standard that supersedes a deprecated standard.

    Note: Data that is already collected by using a deprecated standard remains unaffected even after the standard is removed from the SCU installer.

    The following technical standards are deprecated in SCU 2017-2:

    Table 2-1 Deprecated technical standards in SCU 2017-2

    Platform | OS or Application Version | Deprecated Standard
    SQL | Microsoft SQL Server 2008 | Security Essentials for Microsoft SQL Server 2008
    SQL | Microsoft SQL Server 2012 | Security Essentials for Microsoft SQL Server 2012
    SQL | Microsoft SQL Server 2014 | Security Essentials for Microsoft SQL Server 2014
    SQL | SQL Server 2000 Instances | The Australian Government Information and Communications Technology Security Manual for MS-SQL Server
    Windows | Microsoft Windows Server 2012 | CIS Microsoft Windows Server 2012 R2 v2.2.0
    Windows | Windows 2000 Machines; Windows 2003 Machines | The Australian Government Information and Communications Technology Security Manual for Windows

    New regulatory and compliance standards

    SCU 2017-2 contains the following new regulatory compliance standards:

    General Data Protection Regulation (EU)

    The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU. The primary objectives of the GDPR are to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.

    Financial Services Transaction Network - Cybersecurity Best Practices

    It is a set of baseline security controls recommended for financial services organizations. These controls are implemented by FSO to secure the complete financial transaction chain. Controls are intended to help customers safeguard their local technology environments and reinforce the security of the wider financial community.

    National Institute of Standards and Technology (NIST) 800-171 Revision 1

    The National Institute of Standards and Technology (NIST), a measurement standards laboratory, and a non-regulatory agency of the United States Department of Commerce has released the NIST SP 800-171. US Federal agencies require NIST 800-171 compliance for protecting the confidentiality of Controlled Unclassified Information (CUI). The NIST 800-171 requirements apply to all components of non-federal information systems and organizations that process, store, or transmit CUI, or provide security protection for such components.

  • Addition in predefined platforms

    SCU 2017-2 contains the following enhancements in the predefined platforms:

    Table 2-2 Enhancements in predefined platforms

    Platform: MS SQL

    The following new fields are added to the SQL platform for data collection:

    - SQL Server Agent Service Account
    - SQL Server Full-Text Daemon Service Account
    - Maximum Number of Error Log Files
    - Is DataBase Type contained?
    - Encryption Algorithm Used
    - Key Size for Asymmetric Key Algorithm Used
    - Is SQL Authentication Used in Contained Databases

    Platform: UNIX

    The following are added to the UNIX platform:

    - Solaris 11.1 Machines
    - Solaris 11.2 Machines
    - New target type: UNIX computers with Tomcat Running
    - New asset group: All UNIX servers with Tomcat Running
    - Asset-type Properties: The following new fields are added to UNIX assets:
      - Is Tomcat Running?: This Asset property must be enabled before running Apache Tomcat standards on UNIX assets.
      - OS Kernel Version: The value for this field is required to set when importing agentless as well as agent-based assets.

    Platform: Windows

    Data collection support for the Windows platform is extended by making the following fields available for the Shares entity:

    - Underlying Directory Permissions
    - Permissions (Advanced)

    The following two fields are made available for the WQL entity:

    - Result: This field returns list of results of a WMI query which has single field in query.
    - Result as Record: This field returns results of a WMI query which is in the form of multiple records.

  • Modified files

    The following files are modified in SCU 2017-2:

    Unix.Schema.dll

    Dbif.Schema.dll

    Symantec.CSM.UnixPlatformContent.Solaris10v4.0.dll

    Symantec.CSM.SqlPlatformContent.CISSQL2008R2.dll

    Symantec.CSM.Content.Localization.Resources.dll

    Windows.Schema.dll

    Symantec.CSM.UnixPlatformContent.Apache.dll

    Note: The version number for all the files mentioned earlier is 11.10.11000.1107.

    Known issues

    Table 2-3 contains the details of known issues observed in SCU 2017-2:

    Table 2-3 Known issues

    Issue: During the import of Solaris agent-based assets, the asset-type property OS Kernel Version does not get updated for the imported assets.
    Solution: After you have imported the assets for the Solaris agent, run the asset import job for these assets again for both agentless and agent-based targets. This updates the OS Kernel Version asset-type property for these assets.

    Issue: During the import of Linux agent-based assets, the asset-type property Is Tomcat Running? does not get updated for the imported assets.
    Solution: After you have imported the assets for the Linux agent, run the asset import job for these assets again for both agentless and agent-based targets. This updates the Is Tomcat Running? asset-type property for these assets.

  • Resolved Issues

    This chapter includes the following topics:

    Resolved issues

    Resolved issues

    Table 3-1 contains the details of the customer issues that are resolved in SCU 2017-2.

    Table 3-1 Resolved Issues in SCU 2017-2

    Issue: The temp and domain cache files on CCS 11.5 DPS were not being cleaned up. Some activities like OS file system journaling or indexing, or anti-virus live scanning coincided with the file creation timeline and open handles at the same time. Windows API could not delete the files and directories, if there were open handles on it.
    Resolution: If the files remain in the cache after deleting them, delete them again after a time lapse of 300 milliseconds. One more time before creating a new delta, it will iterate through control/Windows/TempFiles and delete it including its stale contents.

    Issue: When running a data collection query on a number of agents, several of them did not return any data for the machine data source. This issue occurred on agent-based targets. This was because the patch files located at the following path were of 0 byte size: C:\Program Files (x86)\Symantec\CCS\Reporting and Analytics\ESM\bin\dcmodules\Control\Windows\PatchAssessment.
    Resolution: The Patch Assessment pre-check is restricted only for patch related data collection. Now, there is no patch related attribute selected in the query. Data is collected for all queries without any error or crash.

    Issue: In the CIS Oracle Database 11g R2 Benchmark v2.2.0 standard, the check 4.1.9 Is EXECUTE Revoked from PUBLIC on DBMS_BACKUP_RESOTRE? targeted the table named DBMS_BACKUP_RESTORE. According to the new version of the standard, the check should target the table named DBMS_RANDOM.
    Resolution: The parameter name DBMS_RANDOM in the check 4.1.9 is replaced by the parameter name - DBMS_BACKUP_RESTORE. The parameter in the XML is changed to DBMS_RANDOM. The static content is modified to include DBMS_RANDOM in place of DBMS_BACKUP_RESTORE.

    Issue: A command-based standard for the Generic Devices platform caused a query timeout error because of a multi-line prompt string on a target device. This happened when the target device was connected using either the SSH or the Telnet protocol.
    Resolution: The code for the Generic Devices is modified to handle the multiline prompt string of the target device.

    Issue: After importing an apache asset, the Is Apache Installed Asset-type Property of apache assets was set to false, if package name does not start with httpd.
    Resolution: The code is modified to remove the httpd entry from rpm_qa.txt. Now, after importing apache asset, the Is Apache Installed property of apache asset is set to true.

    Issue: CCS ISS API failed to return the asset score for VMware ESXi Machines or VMware vCenter Server asset types.
    Resolution: Added the following two new attributes to vCenter Server and the ESXi machines schema: EvaluatedComplianceScores, MaxRiskScores

    Issue: When modifying any of the values under the Parameters tab for the following checks in the Security Essentials for Apache HTTP Server 2.4 standard, the values for the ParamValue0 and ParamRegex0 parameters were not found. Check 1.6.1 Configure the Error Log; Check 1.6.2 Configure the Access Log
    Resolution: The parameters' names are changed in the Standard Xml and Complex Algorithm. The following parameters are added in the standard XML file: This works even if a null value or some text value is added

    Issue: The CIS Oracle Database 11g R2 Benchmark v2.0.0 displayed check number as 3.1 instead of 3.10 for the following check: No Users Are Assigned the 'DEFAULT' Profile?
    Resolution: Changed the check number from 3.1 to 3.10 for the check No Users Are Assigned the 'DEFAULT' Profile? as per the CIS check number.

    Issue: The field System Settings: Optional subsystem in the Machines data source returned an empty value which could not be evaluated using the current operators. An issue was faced while using the right operator and value to validate the empty value.
    Resolution: The Windows platform schema binary is updated to recognize the special value {NoValue}.

    Issue: The check 1.6.4 - Log Storage and Rotation in the Security Essentials for Apache HTTP Server 2.4 standard invoked the "du -xk" commands on NFS-mounted shares, which can take many hours to complete or eventually time out. When the check 1.6.4 was removed, the data collection succeeded.
    Resolution: An exclusive query flag is set to True for the 1.6.4 check.

    Issue: CCS evaluation reported on the disabled SQL logins making the following two checks to fail. 5.02 Is Password Expiration Enforced for SQL Logins? 5.03 Is Password Complexity Enforced for SQL Logins?
    Resolution: A filter has been added to the standard XML file which filters out the disabled SQL logins. Now, CCS evaluation works only for the enabled users.

    Issue: When a WMI query was run, it displayed the following error message: 'Please select ResultAsRecord field in query.-The parameter is incorrect.'
    Resolution: The following two fields are made available for the WQL entity to get results from a WMI query:
    - Result: This field returns list of results of the WMI query which has single field in query
    - Result as Record: This field returns results of the WMI query which are in the form of multiple records.
    The user must select the Result as Record field to run the query.

  • Legal Disclaimer

    This chapter includes the following topics:

    Legal disclaimer for General Data Protection Regulation (EU)

    Legal disclaimer for General Data Protection Regulation (EU)

    The Customer acknowledges and agrees that this Report is provided for general information and internal record keeping purposes only. Neither the underlying questionnaire nor the Report, dashboards and other outputs generated on its basis or derived thereof constitute legal advice or opinion of any kind, or any advertising or solicitation, and should not be treated as such. No lawyer-client, advisory, fiduciary or other relationship is created between Symantec and the Customer by virtue of any of these materials.

    This Report synthesizes the responses provided by the Customer to the underlying questionnaire, which is comprised of a series of questions based on an arbitrary and discretionary subset of the general provisions and requirements of Regulation (EU) 2016/679 (General Data Protection Regulation, GDPR) as published in the Official Journal of the European Union (L 119/1) on May 4th, 2016. This Report and the underlying questionnaire are in no event meant to provide a complete, accurate or adequate review of the GDPR. The Customer is solely responsible to determine the relevance and adequacy of each GDPR provision and of the related question(s), if any, to the Customer's activities, operations and requirements. The sole purpose of this Report is to record the Customer's statement as to whether the Customer is able to document its self-determined answer to each question of the underlying questionnaire.

    Consequently the Customer acknowledges and agrees that:

    - the questionnaire underlying the Report does not intend to comprehensively cover all requirements of the GDPR;

    - the inclusion of any question in the questionnaire underlying the Report does in no way imply that the question is relevant or applicable to the Customer, as only the Customer can make such determination;

    - the absence of any reference to a particular provision or requirement of the GDPR from the questionnaire underlying the Report does in no way imply that the particular provision or requirement is not relevant or applicable to the Customer, as only the Customer can make such determination; and

    - the Report, dashboards and other outputs generated on the basis of the underlying questionnaire or otherwise derived thereof only provide a record of the Customer's self-determined answers to each question and do in no way constitute any reliable indication or statement of legal conformity, compliance or adequacy under the provisions and requirements of the GDPR or of any other legislative or regulatory instrument.

    Symantec makes no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability or suitability with respect to the purpose, content and/or use of the Report, of the underlying questionnaire or of any other derived material. Any reliance the Customer may place on the Report and the underlying questionnaire is therefore strictly at the Customer's own discretion and risk.

    In no event shall Symantec be liable for any damages, losses or causes of action of any nature arising from the provision or use of the Report and of the underlying questionnaire, including dashboards and all other outputs and materials generated, and their interpretation, by the Customer.
