<<USE COURIER REGULAR 10 FONT IF YOU WOULD LIKE TO PRINT THIS DOCUMENT>>
Trend Micro, Inc. January 29, 2015
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Trend Micro(TM) Intrusion Defense Firewall(TM) 1.5 Service Pack 1
for Trend Micro OfficeScan(TM) 10.0 to OfficeScan 11
Patch 2 - Build 1.5.2373
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
NOTE: This readme file was current as of the date above. However,
all customers are advised to check Trend Micro's website for
documentation updates at:
http://www.trendmicro.com/download/
Register online with Trend Micro within 30 days of
installation to continue downloading new pattern files and
product updates from the Trend Micro website. Register during
installation, or online at:
http://olr.trendmicro.com
Contents
=====================================================================
1. About Intrusion Defense Firewall
1.1 Overview of this Release
1.2 Who Should Install this Release
2. What's New
2.1 Enhancements
2.2 Resolved Known Issues
3. Documentation Set
4. System Requirements
5. Installation/Uninstallation
5.1 Installation
5.2 Uninstallation
6. Post-Installation Configuration
7. Known Issues
7.1 Known Incompatibilities
7.2 Known Issues in the Intrusion Defense Firewall Server Plug-In
7.3 Known Issues in the Intrusion Defense Firewall Client Plug-In
8. Release History
9. Files Included in this Release
10. Contact Information
11. About Trend Micro
12. License Agreement
13. Third-party Licensing
=====================================================================
1. About Intrusion Defense Firewall
========================================================================
Intrusion Defense Firewall for OfficeScan Client/Server Edition is
an intrusion defense system that enables you to create and enforce
security policies that protect sensitive data, applications,
computers, or network segments. The server component, Server
Plug-In, is installed on the OfficeScan web console. It deploys and
manages the client component, Client Plug-In which is installed
on client computers with the OfficeScan client program.
1.1 Overview of this Release
=====================================================================
Intrusion Defense Firewall 1.5 Service Pack 1 Patch 2 solves
some known issues and includes several enhancements.
1.2 Who Should Install this Release
=====================================================================
You should install this release if you are currently running
Intrusion Defense Firewall 1.5 or any later release.
2. What's New
========================================================================
NOTE: Please install this patch before completing any procedure
in this section (see "5.1 Installation").
This patch addresses the following issues and includes the following
enhancements:
2.1 Enhancements
=====================================================================
The following enhancements are included in this patch:
Enhancement 1:
[Hot Fix 2349] Firewall Status Update Issues - This patch enables
Intrusion Defense Firewall clients to retry updating
the firewall status of the Microsoft Windows Security
Center one time after a failed attempt.
Additionally, this patch reconfigures Intrusion
Defense Firewall clients to send only one firewall
status update error report for each session.
Intrusion Defense Firewall clients will send any
next report only after the Intrusion Defense Firewall
client service restarts.
Enhancement 2:
[Hot Fix 2352] Windows Action Center Registration - This patch
enables Intrusion Defense Firewall clients to
automatically register with the Windows Action Center
again if clients do not detect their own entry in the
Windows Action Center.
Enhancement 3: CPU Usage During Recommendation Scans - This patch
adds a setting for the CPU Usage level for
Recommendation Scan. This setting controls the amount
of CPU resources dedicated to performing
Recommendation Scans. Use a lower value helps to
prevent high CPU usage during Recommendation Scans.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Procedure 3: To configure this setting:
a. Install this patch (see "Installation").
b. Open the Intrusion Defense Firewall web console.
c. Go to the "System > System Settings > System" tab.
d. Set the CPU usage during Recommendation Scans to
your preferred value. This option supports
three levels: High, Medium, and Low.
NOTE: Lower the CPU usage level to increase the wait time
between file scans and conserve CPU resources.
The CPU Usage setting only applies to CPU usage
resulting from Recommendation Scans. The actual CPU
loading may be impacted by other processes running
on the same endpoint.
Enhancement 4: Recommendation Scan Connection Timeout - This patch
extends the connection timeout for Recommendation
Scans. This can help ensure that Recommendation Scans
complete successfully while using fewer CPU resources
when connection timeout issues are more likely to
affect scans.
2.2 Resolved Known Issues
=====================================================================
This patch resolves the following issues:
Issue 1: When enabled, the Windows Firewall blocks the
connection between Intrusion Defense Firewall servers
and clients. As a result, Intrusion Defense Firewall
servers are unable to successfully deploy clients.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 1:
[Hot Fix 2346] This patch adds the Intrusion Defense Firewall client
application to the Windows Firewall exception list to
prevent it from blocking the connection between
Intrusion Defense Firewall servers and clients.
Issue 2: During deployment to Windows Vista or any later
Windows editions, Intrusion Defense Firewall
automatically adds three different firewall rules.
However, when Intrusion Defense Firewall is
uninstalled from these platforms, only two of these
three rules are removed from the system.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 2:
[Hot Fix 2348] This patch reconfigures Intrusion Defense Firewall
to add only the needed firewall rule on Windows Vista
or later Windows editions during deployment. During
Uninstallation this rule is removed from the system.
Issue 3: When the "Apply IDF Rule Updates Automatically"
option for a scheduled download task is not selected,
Intrusion Defense Firewall continues to automatically
apply rule updates after downloading these updates.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 3:
[Hot Fix 2351] This patch ensures that Intrusion Defense Firewall
does not automatically apply rule updates to
scheduled download tasks when the "Apply IDF Rule
Updates Automatically" option is not selected.
Issue 4: An issue prevents the Intrusion Defense Firewall
server from purging old system events properly.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 4:
[Hot Fix 2353] This patch resolves the issue to ensure that Intrusion
Defense Firewall purges old system events properly.
Issue 5: When upgrading an Intrusion Defense Firewall client
from an earlier version, the option to leave the
Windows Firewall unchanged (by setting
officeScanPlugin.AllowWindowsFirewallModification=false
in the "dsm.properties" file) may not work properly.
This means the Windows Firewall may become disabled
even when the option should have kept it enabled after
the upgrade.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 5:
[Hot Fix 2355] This patch ensures that the option works properly.
Issue 6: When the Intrusion Defense Firewall stateful checking
function and the Riverbed Steelhead Mobile Client are
enabled on a client, the client is sometimes unable to
open intranet websites. This happens because the
Riverbed Steelhead Mobile Client receives multiple
SYN/ACK packets with shifted sequence numbers which
the Intrusion Defense Firewall stateful checking
function drops, preventing it from setting up a
connection to the intranet.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 6:
[Hot Fix 2358] This patch allows users to enable the Intrusion
Defense Firewall stateful checking function to
accept multiple SYN/ACK packets with shifted
sequence numbers.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Procedure 6: To enable the Intrusion Defense Firewall stateful
checking function to accept multiple SYN/ACK packets
with shifted sequence numbers:
a. Install this patch (see "Installation").
b. Open the command prompt on the Intrusion Defense
Firewall server.
c. Navigate to the Intrusion Defense Firewall server
folder.
d. Run the following command in a single line:
idf_c.exe -action changesetting -name
configuration.packet.driver.riverbedSeqUpdate
-value true
Issue 7: When an Intrusion Defense Firewall client upgrades
several times, more than one Windows Firewall rule
is added. However, only one rule is removed
during the Intrusion Defense Firewall client
uninstallation.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 7:
[Hot Fix 2359] This patch reconfigures Intrusion Defense Firewall
clients to remove redundant firewall rules added by
previous upgrades and to delete all added firewall
rules during uninstallation.
Issue 8: The Application Server uses an Apache(TM) Tomcat(TM)
version that is affected by several vulnerabilities.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 8: This patch updates the Tomcat version in the
Application Server to remove the vulnerabilities.
Issue 9: Server/client communication uses the SSLv3 protocol
[Repack1 2366] which is affected by several vulnerabilities.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 9: This patch disables SSLv3 in the Intrusion Defense
Firewall server web console and allows it to only use
the TLS protocol.
Issue 10: The certificate used by the Application Server for
[Repack1 2366] SSL communication between Intrusion Defense Firewall
clients and the server expired on November 9, 2014.
As a result, the server can no longer deploy files
and updates to clients.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 10: This patch updates the certificate.
NOTE: - Users need to apply this patch on the Intrusion
Defense Firewall server and clients to ensure that
all certificates are up-to-date.
- Refer to Section 7.3.9 and Section 7.3.10 for
information on a related to known issue.
Issue 11: When users uninstall the Intrusion Defense Firewall
[Repack1 2366] client, the uninstaller displays an error message
indicating that it is unable to locate the
"c:\Windows\TEMP\IdfClientAgent.dll" module.
However, the uninstallation completes successfully.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 11: This patch reinstates the missing module so Intrusion
Defense Firewall clients can be uninstalled without
displaying this error message.
Issue 12: Upgrade the Intrusion Defense Firewall Client Plug-In
[Repack2 2373] by deploying it from the Intrusion Defense Firewall
server console. If an Intrusion Defense Firewall
client was installed by a standalone Client Plug-In
Installer previously, some necessary files for
Intrusion Defense Firewall installation may be
removed during the upgrade.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 12: This patch ensures that all Intrusion Defense
Firewall-related files are retained during client
upgrades.
NOTE: If this issue already occurred before this build
was released, perform the following workaround:
a. Copy the following files from a non-affected
client to the target client:
- IdfClientPlugin.dll
- IdfClientAgent.dll
- IdfClientResource.dll
b. Upgrade Intrusion Defense Firewall Client Plug-In
using the deployment or standalone Client Plug-In
Installer.
Issue 13: Unnecessary settings that Intrusion Defense Firewall
[Repack2 2373] does not use in this build were added to the
Intrusion Defense Firewall web console
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 13: This patch removes unnecessary settings from the
Intrusion Defense Firewall web console
Issue 14: Intrusion Defense Firewall online help erroneously
[Repack2 2373] links to Trend Micro Deep Security online help
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 14: This patch displays Intrusion Defense Firewall online
help properly
3. Documentation Set
========================================================================
In addition to this readme.txt, the documentation set for this
product includes the following:
o Deployment Guide -- Provides product overview, deployment
plan, installation steps and basic information intended to
help you deploy Intrusion Defense Firewall smoothly.
o Administrator's Guide -- Provides post-installation instructions
on how to configure the settings to help you get
Intrusion Defense Firewall "up and running". Also includes
instructions on performing other administrative tasks for the
day-to-day maintenance of Intrusion Defense Firewall.
o Readme.txt files -- version enhancements, basic installation, known
issues, and release history.
Electronic versions of the printed manuals are available at:
http://docs.trendmicro.com/
o Online help -- Context-sensitive help screens that provide
guidance for performing a task.
o Knowledge Base -- a searchable database of known product issues,
including specific problem-solving and troubleshooting topics.
http://esupport.trendmicro.com
4. System Requirements
========================================================================
For a complete list of the system requirements, see the Deployment
Guide:
http://docs.trendmicro.com/
5. Installation/Uninstallation
========================================================================
5.1 Installation
=====================================================================
For installation instructions, see the Deployment Guide:
http://docs.trendmicro.com/
5.2 Uninstallation
=====================================================================
For installation instructions, see the Deployment Guide:
http://docs.trendmicro.com/
6. Post-Installation Configuration
========================================================================
Refer to Section 7 for more information on procedures to work around
certain known issues that can occur after applying this patch.
7. Known Issues
========================================================================
7.1 Known Incompatibilities
=====================================================================
The following are known software incompatibilities affecting the
Intrusion Defense Firewall Client Plug-In:
7.1.1 Windows 2003 Service Pack 1 and Teamed NICs
---------------------------------------------------------------------
Incompatibilities have been noted between the Client Plug-In
and specific Windows configurations that have network interface
teaming enabled. To resolve these issues, upgrade Windows
Server 2003 to Service Pack 2, or apply the following patch
provided by Microsoft:
http://support.microsoft.com/kb/912222/article
7.1.2 Windows 2003 Service Pack 1
---------------------------------------------------------------------
Incompatibilities have been noted between the Client Plug-In
and Windows 2003 Service Pack 1. To resolve these issues,
upgrade Windows Server 2003 to Service Pack 2, or apply the
following patch provided by Microsoft:
http://support.microsoft.com/kb/912222/article
7.1.3 Resonate Load Balancer (5.0.1)
---------------------------------------------------------------------
Environments where the Resonate load balancing software is
installed may experience a loss of Resonate functionality when
the Client Plug-In is installed in the same environment. To
work around this issue, restart the Resonate Central Dispatch
Controller services.
7.1.4 Trend Micro Client Server Messaging Security for SMB
---------------------------------------------------------------------
Connectivity issues have been noted while the Client Plug-In
runs with any version of Trend Micro Client Server Messaging
Security for SMB that are older than Version 3.5 Build 1113.
To resolve these issues, upgrade Trend Micro Client Server
Messaging Security to Version 3.5 Build 1138 or higher.
7.1.5 Realtek RTL8169/8110 Family Gigabit Ethernet NIC
---------------------------------------------------------------------
Issues have been noted between Version 5.663.1212.2006 of
the Realtek Gigabit Ethernet NIC and the Client Plug-In.
To resolve these issues, upgrade the driver to the latest
version.
7.1.6 Intel(R) PRO/100+ Dual Port Server Adapter
---------------------------------------------------------------------
Issues have been noted when using Intel NIC cards with driver
versions older than 8.0.17.0 on endpoints running the Client
Plug-In. To resolve this issue, upgrade the driver to version
8.0.19 or later.
7.1.7 Windows 2000 Service Pack 1 and Service Pack 2
---------------------------------------------------------------------
Incompatibilities have been noted between the Client Plug-In
and Windows 2000 running Service Pack 1 or Service Pack 2. To
resolve these issues, upgrade Windows Server 2000 to
Service Pack 3 or Service Pack 4.
NOTE: When deploying Intrusion Defense Firewall Client Plug-In
on endpoints running Windows Server 2000 Service Pack 3,
you must also apply the following patch provided by
Microsoft:
http://support.microsoft.com/kb/884016
7.1.8 Windows 2000 Service Pack 3 and Service Pack 4
---------------------------------------------------------------------
In the Windows 2000 platform, the Intrusion Defense Firewall
Client Plug-In may display a "Digital Signature Not Found"
message. To resolve this issue, users need to install the
latest Root Certificates package from the Microsoft website.
NOTE: For detailed information, please refer to the Microsoft
Knowledge Base page:
http://support.microsoft.com/kb/931125
7.2 Known Issues for the Intrusion Defense Firewall Server Plug-In:
=====================================================================
The following are known issues and limitations for the Intrusion
Defense Firewall Server Plug-In:
7.2.1 If DNS is not available, the Intrusion Defense Firewall Server
Plug-In is unable to communicate with clients
---------------------------------------------------------------------
By default, the Server Plug-In attempts to resolve the
host names of clients using DNS in order to communicate with
them. In some environments, DNS is not available, so the
Server Plug-In is unable to communicate with all clients. To
work around this issue, you can enable a setting on the Server
Plug-In to allow it to use the last known IP of the endpoint
as reported by OfficeScan instead of the host name. This will
allow the Intrusion Defense Firewall Server Plug-In to
communicate with endpoints when no DNS is available.
To enable the setting:
1. Stop the Intrusion Defense Firewall service.
2. Add the following line to the "dsm.properties" file in the
"<OfficescanDir>\Addon\Intrusion Defense Firewall\
webclient\webapps\ROOT\WEB-INF" folder:
hssHostnameIPDisplaynameClientname=true
3. Start the Intrusion Defense Firewall service.
NOTE:
- This new scheme will store the IP in the "hostname" field,
and the client name in the "displayname" field so all
your hosts will appear as "<IP> (<clientname>)" in the GUI.
- Log on to the Server Plug-In to update all the host names.
If you restarted endpoints while still logged on, go
to "Console > Computer" and click "Synchronize with
OfficeScan".
7.2.2 Some frames within the console may be unresponsive
---------------------------------------------------------------------
On rare occasions after installing or upgrading the Intrusion
Defense Firewall Server, some of the frames within the console
may become unresponsive. For example, the dashboard may not
display when you first load the console. If this problem
persists, restart the Intrusion Defense Firewall service on the
server.
7.2.3 Microsoft SQL Server may interfere with Server Plug-In
installation
---------------------------------------------------------------------
If installation of the Server Plug-In fails because of
Microsoft SQL Server, restart the endpoint and retry the
installation. There are rare circumstances where Microsoft
SQL Server 2005/2008 requires a reboot to complete the
installation.
7.2.4 Intrusion Defense Firewall Server console will not open using
some installations of Microsoft Internet Explorer 7 or later
---------------------------------------------------------------------
In some cases, the Server console will not open using some
installations of Internet Explorer 7 or later. This is caused
by a certificate error in Internet Explorer. You can try any of
the following procedures to work around this issue:
1. Import the Intrusion Defense Firewall Server certificate.
To access the Intrusion Defense Firewall Server certificate:
a. Open the affected Internet Explorer and go to
"https://<hostname>:4119".
b. Click "Continue to this website?".
c. Click "Certificate Error".
d. Click "View certificates".
e. Install the certificate.
f. Select the option to automatically select the
certificate store based on the type of certificate.
g. Go back to the OfficeScan console, and access the
Intrusion Defense Firewall Server.
2. Add the OfficeScan server address to the list of "Trusted
Sites" in the affected Internet Explorer.
To do this:
a. Open the affected Internet Explorer and go to "Tools >
Internet Options".
b. Go to the "Security" tab, and click "Trusted Sites".
c. Add the OfficeScan server site to the list and save the
changes.
d. Go to the OfficeScan console and access the
Intrusion Defense Server.
7.2.5 Endpoints must be deleted from Intrusion Defense Firewall
manually
---------------------------------------------------------------------
Endpoints must be deleted from Intrusion Defense Firewall
manually. This is to prevent loss of configuration when
OfficeScan auto-deletes inactive endpoints after seven days.
If endpoints that still exist in OfficeScan are deleted, they
will re-appear on the next synchronization. Synchronization
may run when you click the "Manage Program" button or it may
run automatically every 24 hours.
7.2.6 Deployment or removal of Client Plug-In may not complete before
timeout
---------------------------------------------------------------------
When deploying or removing the Client Plug-In, the Intrusion
Defense Firewall Server Plug-In waits up to three hours for a
successful operation. Operations may not be able to complete
before the time-out when:
- The endpoint is off or not connected
- The OfficeScan server has the endpoint in the Offline state
and it remains in that state for more than three hours.
- The operation completed but the result is not sent back to
the server.
7.2.7 Upgrades may fail if the "Services" screen is open
---------------------------------------------------------------------
During upgrades on some platforms, the Intrusion Defense
Firewall service may not be installed properly if the
"Services" screen is open. Trend Micro recommends closing the
"Services" screen prior to installation or upgrade of
Intrusion Defense Firewall.
7.2.8 Windows Firewall may interfere with port scans
---------------------------------------------------------------------
If Windows Firewall is enabled on Intrusion Defense
Firewall, it may interfere with port scans and cause false port
scan results. Windows Firewall may proxy ports 21, 389, 1002,
and 1720, causing these ports to always appear open regardless
of any filters placed on the host.
7.2.9 The clock on a client endpoint must be synchronized with
Intrusion Defense Firewall
---------------------------------------------------------------------
The clock on a client endpoint must be synchronized with
Intrusion Defense Firewall to within 24 hours. If the clock is
behind the clock on the Server Plug-In, the activate operation
will fail.
7.2.10 Caching successful DNS lookups forever may prevent Intrusion
Defense Firewall from communicating with endpoints that use
DHCP or whose IP address has changed
---------------------------------------------------------------------
The Intrusion Defense Firewall Server Plug-In runs in a
Java(TM) Virtual Machine (JVM), and the JVM places certain
controls on network behavior. Java uses a cache to store both
successful and unsuccessful DNS lookups. By default,
successful lookups are cached forever as a guard against
DNS spoofing attacks. However, this type of caching may
prevent the Intrusion Defense Firewall from communicating
with endpoints that use DHCP or whose IP address has changed.
To prevent communication issues, Intrusion Defense Firewall
overrides this setting to a 60-second cache, using the
"networkaddress.cache.ttl=60" setting in the "java.security"
file under the "Trend Micro\OfficeScan\AddOn\Intrusion
Defense Firewall\jre\lib\security" folder.
NOTE: In environments where DNS servers are at risk of DNS
spoofing, users may opt to prevent Intrusion Defense
Firewall from looking up IP addresses from a DNS server
by configuring the DNS cache to an unlimited lifetime.
To reconfigure this setting:
a. Open the "java.security" file under the "Trend Micro
\OfficeScan\AddOn\Intrusion Defense Firewall\jre\
lib\security" folder.
b. Locate "networkaddress.cache.ttl" and set its value
to "-1".
c. Save the changes and close the file.
d. Restart the Intrusion Defense Firewall service.
After the DNS spoofing situation has been resolved,
users should promptly reconfigure the setting to
"networkaddress.cache.ttl=60" by following the
procedure above. This can help prevent the
communication issue between Intrusion Defense Firewall
and endpoints that use DHCP or whose IP address has
changed.
Refer to the following site for more information on the
Java network cache settings:
http://java.sun.com/j2se/1.5.0/docs/guide/net/properties.html
7.2.11 Sample profiles may require modification before use
---------------------------------------------------------------------
The sample profiles included with the product may require
modification before use. Specifically, the profiles are
designed to operate in a non-domain environment. To use the
profiles in a Windows Domain environment, you should modify
the profiles as follows to enable communication from the
Domain Controller to the domain clients:
1. Edit the "Domain Controller(s)" IP list and replace the
IP of 127.0.0.1 with the list of IPs that represent the
Domain Controller(s) with which the client may communicate.
2. Add the following two packet filters to the profile:
- TCP from Domain Controller
- UDP from Domain Controller
7.2.12 Firewall Rules must be considered when writing custom Security
Profiles
---------------------------------------------------------------------
Firewall Rules to consider when writing custom Security
Profiles:
- If you rely on dynamic ARP, include an appropriate rule to
allow ARP.
- If the UDP stateful option is enabled, use a "Force Allow"
rule when running UDP servers (e.g., DHCP).
- If you do not have a DNS or WINS server configured for your
endpoints, a "Force Allow, Incoming UDP Ports 137" rule may
be required for NetBios.
7.2.13 If Intrusion Defense Firewall Backup and Restore are used to
migrate endpoints from one OfficeScan server to another, the
migrated endpoints must be updated within Intrusion Defense
Firewall with the new OfficeScan server endpoint name
---------------------------------------------------------------------
If the Intrusion Defense Firewall Backup and Restore processes
(as described in the Intrusion Defense Firewall
"Administrator's Guide" and on-line help) are being used to
migrate endpoints from one OfficeScan server to another, the
migrated endpoints must be updated within Intrusion Defense
Firewall with the new OfficeScan server endpoint name. For
all migrated endpoints, right-click, and select "Actions >
Update Client Plug-In(s) Now".
7.2.14 Summary report system events graph may not properly display
data if you select a one-hour time interval
---------------------------------------------------------------------
When creating a summary report, if you select a one-hour time
interval, the system events graph might not properly display
the data. To resolve the issue, use a time interval of two
hours or more.
7.2.15 A "java.lang.OutOfMemoryError" error may occur during the
installation of the Server Plug-In
---------------------------------------------------------------------
If you receive a "java.lang.OutOfMemoryError" error while
installing the Server Plug-In, refer to the "Deployment Guide"
for instructions on how to configure the maximum memory usage
for the installer.
7.2.16 A "Recommendation" alert may occur on some endpoints even
after all the recommended DPI Rules have been applied
---------------------------------------------------------------------
A "Recommendation" alert may occur on some endpoints even
after all recommended DPI Rules have been applied. This may
occur because there are Application Types that are
recommended for a endpoint, but all DPI Rules within a
particular Application Type are not recommended. To resolve
the issue, use the "Show All" view of the DPI Rules screen for
the endpoint to ensure that all recommended Application Types
are assigned, or simply dismiss the alert after verifying that
you have assigned all recommended rules for the endpoint.
7.2.17 An "Update Failed" error may occur When performing an
Activate/Reactivate on an already activated Client Plug-In
---------------------------------------------------------------------
When performing an Activate/Reactivate on an already activated
Client Plug-In, you may get an "Update Failed" error. If you
see this error, the activate/reactivate has succeeded;
however, the update may not have. To resolve this, perform a
clear error/warnings on the affected host and then right-click
and select "Update Now". This will force the update to take
effect.
7.2.18 In an IPv6 and IPv4 mixed environment, Intrusion Defense
Firewall client deployment may remain in the "deploying
client" stage for a long time
---------------------------------------------------------------------
In an IPv6 and IPv4 mixed environment, Intrusion Defense
Firewall client deployment may remain in the "deploying
client" stage for a long time because the OfficeScan server
is using IPv6 and Intrusion Defense Firewall does not support
IPv6 in this release. To work around this issue:
1. In the OfficeScan 10.6 web console go to "Networked
Computers > Global Client Settings".
2. In the "Preferred IP Address" section, select the "IPv4
first, then IPv6" option under the "Clients with IPv4 and
IPv6 addresses register to server using" settings.
3. Open the "dsm.properties" file in the "C:\Program Files\
Trend Micro\OfficeScan\Addon\Intrusion Defense Firewall\
webclient\webapps\ROOT\WEB-INF\" folder and add the
following line:
hssHostnameIPDisplaynameClientname=true
4. Restart the Intrusion Defense Firewall services.
7.2.19 The Intrusion Defense Firewall Widget may disappear after
users upgrade the Intrusion Defense Firewall Server
---------------------------------------------------------------------
When this happens, manually add the widget back from the
OfficeScan web console.
7.3. Known Issues for the Intrusion Defense Firewall Client Plug-In:
=====================================================================
The following are known issues/limitations for the Intrusion Defense
Firewall Client Plug-In:
7.3.1 Running more than one firewall on a single host can lead to
unpredictable behavior.
---------------------------------------------------------------------
Intrusion Defense Firewall may behave abnormally if you run
more than one firewall on a single host. Before enabling
Intrusion Defense Firewall, any firewalls already running on a
host should be disabled/turned off.
NOTE: Running both OfficeScan firewall and Intrusion Defense
Firewall, regardless of whether Intrusion Defense
Firewall is active, may lead to unpredictable behavior
on some Windows XP/2003 systems. (Refer to the
"Deployment Guide" for more information.)
7.3.2 Stateful Inspection (with TCP and UDP logging enabled) must be
enabled for the Traffic Analysis feature
---------------------------------------------------------------------
Stateful Inspection (with TCP and UDP logging enabled) must be
enabled for the Traffic Analysis feature to function correctly.
7.3.3 Upgrade of the Intrusion Defense Firewall driver may not have
completed but the Intrusion Defense Firewall server shows
"Managed"
---------------------------------------------------------------------
During an upgrade, the upgrade of the Intrusion Defense
Firewall driver may not have completed but the Intrusion
Defense Firewall server shows "Managed". The Intrusion Defense
Firewall driver install/upgrade may need you to restart the
Intrusion Defense Firewall services but in rare cases it does
not show the "Reboot Required" warning message. The Intrusion
Defense Firewall client will continue to use the previous
driver until the Intrusion Defense Firewall has restarted.
7.3.4 Intrusion Defense Firewall client deployment or upgrade may
succeed but the Intrusion Defense Firewall server console
displays an "Update Failed" status for the endpoint
---------------------------------------------------------------------
In rare cases, an Intrusion Defense Firewall client deployment
or upgrade will succeed but the Intrusion Defense Firewall
server console displays an "Update Failed" status for the
endpoint. This may be due to the driver being successfully
installed without bindings to network adapters on the host.
To resolve this issue locally, manually enable the bindings
by selecting the checkboxes associated with "Third Brigade
DSA Filter Driver" for a network adapter in "Local Area
Connection > Properties" or remotely uninstall and re-deploy
the client. The Uninstallation should remove the driver
entirely, and the fresh install should reinstate the
bindings.
7.3.5 If connectivity is lost during upgrade, the client endpoint
may need to be restarted
---------------------------------------------------------------------
When upgrading the Client Plug-In, if network connectivity
becomes lost for an extended period of time, it may be
necessary to restart the Client Plug-In's host machine.
7.3.6 NDIS drivers may stop responding during installation or
uninstallation if they do not properly free packets when
requested to unbind
---------------------------------------------------------------------
It is possible that NDIS drivers will stop responding during
installation or uninstallation if they do not properly free
packets when requested to unbind. The Intrusion Defense
Firewall Client Plug-In with accompanying NDIS 5.1 or NDIS 6.0
driver is set to free all packets correctly before upgrades
or uninstallation; however, when installing or uninstalling
NDIS drivers, Microsoft requires that all NDIS drivers be
unbound and then rebound. This means that if other third-party
NDIS drivers do not properly free packets, it is still
possible for the Intrusion Defense Firewall Client Plug-In
install, upgrade, or uninstall processes to stop responding.
This is beyond Trend Micro's control and will only happen in
very limited situations. If this does occur, restarting your
endpoint will likely resolve the issue so that you can attempt
to install, uninstall, or upgrade afterwards.
7.3.7 Firewall and DPI Events may display numbers instead of
object names
---------------------------------------------------------------------
Under certain circumstances, the Firewall and DPI Events on the
Intrusion Defense Firewall Client Plug-In or Server Plug-In
display numbers for a DPI Rule, traffic stream, and Firewall
Rule instead of the object's name. This occurs when the event
viewer does not have access to the objects referred to by the
event log entry in the following instances:
- The rule has been unassigned from the host
- The Client Plug-In has been locally deactivated, which
causes the Client Plug-In to clear all previous security
settings, in addition to returning the Client Plug-In to
a pre-activation state
- A new set of rules has been assigned to the Client Plug-In,
but the "Refresh" button has not been clicked on the Client
Plug-In "Configuration" tab.
7.3.8 Firewall Status Registration issue in Security Center
---------------------------------------------------------------------
If the Intrusion Defense Firewall status entry in the Windows
Security Center is removed accidentally, restart the Intrusion
Defense Firewall client service to restore the entry in the
Windows Security Center. However, if the Windows Security
Center service is not running, which usually happens when the
endpoint restarts, the registration may not work. When this
happens, restart the Intrusion Defense Firewall client
service again once the Windows Security Center service is
running properly.
7.3.9 Unsuccessful Client Installation caused by Expired Certificate
---------------------------------------------------------------------
Patch installation may be unsuccessful because of an
expired certificate on certain Intrusion Defense Firewall
clients. If you encounter this issue, manually delete the old
certificate (ds_agent.crt) from the client's installation
directory and re-install this patch.
7.3.10 Unsuccessful Client Installation caused by Deactivated Client
---------------------------------------------------------------------
Patch installation may be unsuccessful if an Intrusion Defense
Firewall client is deactivated and the Intrusion Defense
Firewall Client service is not running. If you encounter this
issue, remove the Client Plug-In and then install Client
Plug-In again. For more information about the uninstallation
process, see "Intrusion Defense Firewall Deployment Guide".
7.3.11 Unsuccessful client upgrade if Intrusion Defense Firewall
client was installed by the 1.5.2366 standalone Client Plug-In
installer
---------------------------------------------------------------------
If you have installed Intrusion Defense Firewall Client
1.5.2366 using the standalone MSI, the deployment may be
unsuccessful because of an MSI issue. To work around this,
place the Intrusion Defense Firewall Client 1.5.2366 standalone
installer package in the following folder and then Deploy
Intrusion Defense Firewall Client Plug-In again:
"<OfficeScan Client installation folder>\Temp\AoS\"
7.3.12 Possibly unsuccessful upgrade of Intrusion Defense Firewall
client 1.5.2366 when using the standalone Client Plug-In
Installer of this patch
---------------------------------------------------------------------
Upgrading the Intrusion Defense Firewall client 1.5.2366 using
the standalone Client Plug-In Installer of this patch may be
unsuccessful because of a Windows installer limitation. If you
encounter this issue, consider upgrading the Intrusion Defense
Firewall Client Plug-In by deploying from the Intrusion
Defense Firewall web console or uninstalling and reinstalling
the Intrusion Defense Firewall Client Plug-In.
8. Release History
========================================================================
- Intrusion Defense Firewall 1.5.2331, April, 2013
- Intrusion Defense Firewall 1.5.1229, June, 2012
- Intrusion Defense Firewall 1.5.1206, August, 2011
9. Files Included in this Release
========================================================================
This patch is released in an Active Update package. Users can
download this Intrusion Defense Firewall 1.5 Service Pack 1 Patch 2
package from the OfficeScan Activate Update Server:
IdfClientAgent.zip
IdfClientPlugin.zip
IdfClientPlugin_i386.zip
IdfClientPlugin_x86_64.zip
IdfPatchAgent.zip
IdfServerPlugin.zip
10. Contact Information
========================================================================
A license to the Trend Micro software usually includes the right to
product updates, pattern file updates, and basic technical support
for one (1) year from the date of purchase only. After the first
year, Maintenance must be renewed on an annual basis at Trend Micro's
then-current Maintenance fees.
You can contact Trend Micro by fax, phone, and email, or visit us
at:
http://www.trendmicro.com
Evaluation copies of Trend Micro products can be downloaded from our
website.
Global Mailing Address/Telephone Numbers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
For global contact information in the Asia/Pacific region, Australia
and New Zealand, Europe, Latin America, and Canada, refer to:
http://www.trendmicro.com/en/about/overview.htm
The Trend Micro "About Us" screen displays. Click the
appropriate link in the "Contact Us" section of the screen.
NOTE: This information is subject to change without notice.
11. About Trend Micro
========================================================================
Trend Micro Incorporated, a global leader in Internet content
security and threat management, aims to create a world safe for the
exchange of digital information for businesses and consumers.
A pioneer in server-based antivirus with over 20 years experience,
we deliver top-ranked security that fits our customers' needs, stops
new threats faster, and protects data in physical, virtualized and
cloud environments. Powered by the Trend Micro
Smart Protection Network(TM) infrastructure, our industry-leading
cloud-computing security technology and products stop threats where
they emerge, on the Internet, and are supported by 1,000+
threat intelligence experts around the globe. For additional
information, visit www.trendmicro.com.
Copyright 2015, Trend Micro Incorporated. All rights reserved.
Trend Micro, the t-ball logo, Smart Protection Network, OfficeScan,
and Intrusion Defense Firewall are trademarks of
Trend Micro Incorporated and are registered in some jurisdictions.
All other marks are the trademarks or registered trademarks of their
respective companies.
12. License Agreement
========================================================================
Information about your license agreement with Trend Micro can be
viewed at:
http://us.trendmicro.com/us/about/company/user_license_agreements/
Third-party licensing agreements can be viewed:
- By selecting the "About" option in the application user
interface
- By referring to the "Legal" page of the Getting Started Guide or
Administrator's Guide
13. Third-party licensing
========================================================================
13.1 Intrusion Defense Firewall Server Plug-In
=====================================================================
Intrusion Detection Firewall makes use of 3rd party binary
distributions.
The binary distributions are subject to the licenses available in the
following directory:
[INSTALL DIRECTORY]\webclient\webapps\ROOT\WEB-INF\lib\licenses
Where 3rd party licenses require open access to their source code,
Trend Micro will provide the necessary materials upon written
request.
For more information on the 3rd party binary distributions and access
to source code see the following locations:
Apache Commons: http://commons.apache.org
Axis: http://ws.apache.org/axis/
BeanShell: http://www.beanshell.org/
Bouncy Castle: http://www.bouncycastle.org/
CSVWriter: http://www.osjava.org/genjava/license.html
Derby: http://db.apache.org/derby/
iText: http://www.lowagie.com/iText/index.html
Jasper: http://jasperforge.org/plugins/project/
project_home.php?group_id=102
Java: http://www.sun.com/java/
JavaMail API: http://java.sun.com/products/javamail/
JAX-RPC: https://jax-rpc.dev.java.net/
JCommon: http://www.jfree.org/jcommon/
JFreeChart: http://www.jfree.org/jcommon/
JExcel API: http://jexcelapi.sourceforge.net/
JTDS: http://jtds.sourceforge.net/
JUnit: http://www.junit.org/
MD5Crypt: http://www.mackman.net/code/MD5Crypt.java
Oracle JDBC: http://www.oracle.com/technology/tech/java/
sqlj_jdbc/index.html
SAAJ: https://saaj.dev.java.net/
SNMP4J: http://www.snmp4j.org/
Tomcat: http://tomcat.apache.org/
VMware: http://www.vmware.com/
WSDL4J: http://sourceforge.net/projects/wsdl4j
Xalan: http://xml.apache.org/xalan-j/
Xerces: http://xerces.apache.org/xerces2-j/
XML Commons: http://xml.apache.org/commons/
13.2 Intrusion Defense Firewall Client Plug-In
=====================================================================
This product includes software developed by the OpenSSL Project for
use in the OpenSSL Toolkit (http://www.openssl.org/).
Intrusion Defense Firewall Client Plug-In also employs the use of the
following software.
Third-party binary distributions:
Expat (http://expat.sourceforge.net/)
fksec (http://win32.mvps.org/)
IP Filter (http://coombs.anu.edu.au/~avalon/)
SQLite (http://www.sqlite.org/)
WxWidgets (http://www.wxwidgets.org/)
zlib (http://www.zlib.net/)
Third-party source:
GMTime (http://www.jbox.dk/sanos/source/lib/time.c.html)
Tree (http://www.openbsd.org/cgi-bin/cvsweb/src/sys/sys/tree.h)
The third-party software is subject to the licenses available in the
following directory:
[INSTALL DIRECTORY]\Licenses
Public domain source code licenses are available here:
SQLite - http://www.sqlite.org/copyright.html
fksec - http://win32.mvps.org/license.html
Where third-party licenses require open access to their source code,
Trend Micro will provide the necessary materials upon written
request.
========================================================================
(C) 2015 Trend Micro Inc. All rights reserved.