~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

   Readme for Trend Micro (TM) Deep Security(TM) Manager 9.0
   Service Pack 1 Patch 4

   Platforms: Microsoft(TM) Windows(TM) 2012 R2 Server (64-bit)
              Windows 2012 Server (64-bit)
              Windows 2008 Server (64-bit),
              Windows 2008 Server R2 (64-bit),
              Windows 2003 Server Service Pack 2 (64-bit),
              Windows 2003 Server R2 Service Pack 2 (64-bit),
              Red Hat(TM) Enterprise Linux(TM) (RHEL) 5 (64-bit),
              Red Hat Enterprise Linux 6 (64-bit)

   Not Supported: Red Hat Enterprise Linux (RHEL) Xen Hypervisor
                  Windows Server 2012 Core
                  Windows Server 2008 Core

   As of Deep Security 9.0, Deep Security Manager is no longer
   supported on 32-bit versions of the Windows platform.

   Date:          October 07, 2014
   Release:       9.0 Service Pack 1 Patch 4
   Build Version: 9.0.6601

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This product is subject to the terms detailed in the click through
license agreement and copied to the install directory.

For more information about the Trend Micro suite of Deep Security
products, visit our web site at:

http://us.trendmicro.com/us/solutions/enterprise/security-solutions/virtualization/deep-security/

Download the latest version of this readme from the "Software" page
at the Trend Micro Download Center web site

http://downloadcenter.trendmicro.com/

Trend Micro is always seeking to improve its documentation. If you
have questions, comments, or suggestions about this or any other
Trend Micro documents, please contact us at docs@trendmicro.com.
Your feedback is always welcome.

Contents
===================================================================
1.  About Deep Security 9.0 Service Pack 1 Patch 4
    1.1 Overview of this Release
    1.2 Who Should Install this Release
    1.3 Support Expiration Notice
    1.4 Upgrade Notice
2.  What's New
    2.1 Enhancements
    2.2 Resolved Known Issues
3.  Documentation Set
4.  System Requirements
5.  Installation/Uninstallation
6.  Known Incompatibilities
7.  Known Issues
8.  Release History
9.  Files Included in this Release
10. Contact Information
11. About Trend Micro
12. License Agreement
13. Third Party Software
===================================================================

1. About Deep Security 9.0 Service Pack 1 Patch 4
========================================================================

   1.1 Overview of this Release
   =====================================================================
   Deep Security Manager 9.0 Service Pack 1 Patch 4 contains
   solutions to several issues.

   For a list of the major changes in Patch 4, please see the
   "What's New in Deep Security 9 SP1" section of the online help,
   or the Administrator's Guide or Installation Guide, available for
   download from the Trend Micro Download Center and refer to the
   "What's New" section of this readme file.

   1.2 Who Should Install this Release
   =====================================================================
   You should install this release if you are currently running
   Deep Security Manager 7.0, 7.5, 8.0, or 9.0. All new Deep Security
   Manager users should install Deep Security Manager 9.0 Service
   Pack 1 Patch 4.

   1.3 Support Expiration Notice
   =====================================================================
   Please refer to Trend Micro Download or Support center for an
   official notice about product version life-cycle and
   End-of-Support information.

   Please visit the Trend Micro Download Center web site to download
   the latest releases at:

   http://downloadcenter.trendmicro.com/

   1.4 Upgrade Notice
   =====================================================================
   To upgrade to Deep Security Manager 9.0 Service Pack 1 Patch 4,
   you must be running Deep Security Manager 8.0 Service Pack 2 or
   higher versions. If you are running an earlier version of Deep
   Security Manager, you must first upgrade to Deep Security Manager
   8.0 Service Pack 2 or any later version before upgrading to
   version 9.0.

   If you choose to upgrade your Deep Security Manager to version 9.0
   Service Pack 1 Patch 4 while running older versions of Deep
   Security Agents under protection, you will be warned during the
   upgrade installation that this Patch will no longer be able to
   communicate with those Agents.

   Deep Security Manager 9.0 Service Pack 1 Patch 4 ONLY supports
   versions 7.5 Service Pack 4, 8.0 Service Pack 1, and 9.x or later
   versions of Deep Security Agent, Deep Security Relay, and Deep
   Security Virtual Appliance.

   Please refer to the "Known Incompatibilities" section of this
   readme file for details.

   Deep Security 9.0 does not support ESXi version 4.1. To deploy
   Deep Security 9.0, your VMware infrastructure (vCenter, vShield
   Manager, vShield Endpoint, and vShield Endpoint drivers) must be
   upgraded to version 5.x. Also be sure to read the VMware
   documentation for upgrading your VMware environment including the
   KB article on VMware's web site:

   http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2032756

2. What's New
========================================================================

   2.1 Enhancements
   =====================================================================
   Deep Security Manager 9.0 Service Pack 1 Patch 4 does not add any
   enhancement.

   2.2 Resolved Known Issues
   =====================================================================
   Deep Security Manager 9.0 Service Pack 1 Patch 4 resolves the
   following issues:

   Issue 1: [21439/TT290049]
            When the sub-directory is not selected, Deep Security
            Agent Integrity Monitoring still includes the
            sub-directory in the baseline and monitors the change.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 1: This Patch enables Deep Security Agent to match
            patterns in integrity monitoring rules which resolves
            this issue.

   Issue 2: [22953/TT297195]
            Scheduled task times are not set to the local time zone.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 2: This Patch ensures that scheduled tasks follow the
            local time zone.

   Issue 3: [23136/TT297125]
            The most recent firewall/intrusion prevention events in
            the "Computers" page of the Deep Security Manager console
            display the wrong time information.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 3: This Patch ensures that the correct time appears in
            firewall/intrusion prevention events.

   Issue 4: [23181/TT297616]
            Deep Security Manager cannot update licenses and extend
            license expiry dates because of an inconsistency between
            the license expiration date in Deep Security Manager and
            the license expiration date in the PLS portal.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 4: This Patch resolves the information inconsistency so
            Deep Security Manager can successfully update licenses.

   Issue 5: [23234/TT296220]
            When users create an IPList for a DPI rule, Deep Security
            Manager cannot validate an additional (extra) dot in IP
            addresses such as in 10.203.136.26.. This prevents Deep
            Security Manager from parsing the configuration rules.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 5: This Patch enables Deep Security Manager to properly
            handle an extra dot in IP addresses.

   Issue 6: [23271]
            Deep Security Manager may not be able to deploy a Deep
            Security Virtual Appliance to a new ESXi on the first
            attempt. This is because the ESXi certificate is not
            trusted and although Deep Security Manager should
            automatically accept the certificate and try to deploy
            the Deep Security Virtual Appliance again, a logic issue
            prevents it from trying to deploy the appliance again.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 6: This Patch resolves the logic issue so Deep Security
            Manager can deploy a Deep Security Virtual Appliance to
            an ESXi on the first attempt.
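
   Added example (not part of the Trend Micro readme and not Deep
   Security code): Issue 5 above is an input-validation gap, where an
   entry such as 10.203.136.26. (with an extra dot) was not caught
   when the IP list was created. The Python code below shows one
   hypothetical way such an entry passes a loose check, and strict
   per-entry validation that reports it by line number at input time.
   The accepted entry forms (single address, CIDR network, start-end
   range), the function names and the sample list are assumptions.

```python
import ipaddress
import re

# Constructed sample list. Entry 2 is the malformed address quoted in Issue 5
# (with the extra dot); entry 5 is a reversed range added for illustration.
SAMPLE_IP_LIST = [
    "10.203.136.26",
    "10.203.136.26.",
    "192.168.10.0/24",
    "172.16.0.1-172.16.0.20",
    "172.16.0.20-172.16.0.1",
    "2001:db8::1",
]

# Hypothetical loose check (not the product's code): re.match only anchors at
# the start of the string, so anything after a valid-looking prefix is ignored.
_LOOSE_IPV4 = re.compile(r"(\d{1,3}\.){3}\d{1,3}")


def loose_check(entry):
    """Return True when the entry merely starts with something IPv4-shaped."""
    return _LOOSE_IPV4.match(entry.strip()) is not None


def parse_ip_list_entry(entry):
    """Return the normalized form of one entry or raise ValueError.

    Assumed entry forms: single IPv4/IPv6 address, CIDR network,
    or an inclusive "start-end" range.
    """
    text = entry.strip()
    if not text:
        raise ValueError("empty entry")
    if "-" in text:
        start_s, end_s = (part.strip() for part in text.split("-", 1))
        start = ipaddress.ip_address(start_s)
        end = ipaddress.ip_address(end_s)
        if start.version != end.version:
            raise ValueError("range mixes IPv4 and IPv6")
        if start > end:
            raise ValueError("range start is above range end")
        return f"{start}-{end}"
    if "/" in text:
        # strict parsing also rejects networks with host bits set
        return str(ipaddress.ip_network(text))
    # ip_address() parses the whole string, so a trailing dot is rejected
    return str(ipaddress.ip_address(text))


def validate_ip_list(entries):
    """Validate every entry; return (valid_entries, errors).

    errors is a list of (line_number, raw_entry, message) so that one bad
    entry is reported to the user instead of breaking a later parsing step.
    """
    valid, errors = [], []
    for line_no, entry in enumerate(entries, start=1):
        try:
            valid.append(parse_ip_list_entry(entry))
        except ValueError as exc:
            errors.append((line_no, entry, str(exc)))
    return valid, errors


if __name__ == "__main__":
    ok, bad = validate_ip_list(SAMPLE_IP_LIST)
    print("accepted:", ok)
    for line_no, raw, msg in bad:
        print(f"rejected line {line_no}: {raw!r} ({msg})")
```
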

   Issue 7: [23422/TT287816]
            The "Update" page of the Deep Security Manager console
            may take a long time to load when there is a large number
            of Deep Security Virtual Appliances.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 7: This Patch ensures that the "Updates" page loads
            normally when there is a large number of Deep Security
            Virtual Appliances.

   Issue 8: [23423/TT287816]
            A specific database update task uses an SQL transaction
            to retrieve the Agent Last Communication Time information
            when a simple SQL connection would suffice.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 8: This Patch enables the specific database update task
            to use an SQL connection instead of an SQL transaction to
            retrieve the Agent Last Communication Time information.

   Issue 9: [23528/TT298908]
            Deep Security Manager may not be able to synchronize
            Active Directory (AD) names that contain an open and
            close parenthesis "(" and ")" in Active Directory.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 9: This Patch enables Deep Security Manager to escape
            these characters while synchronizing AD names in Active
            Directory.

   Issue 10: [23533]
            When the "Network Driver Mode" of the host or the policy
            is set to "Tap" and you attempt to set "Intrusion
            Prevention State" to "On", the value becomes
            "Inherited (On)" or "Inherited (Off)" depending on the
            parent policy setting and "Intrusion Prevention Behavior"
            is disabled automatically. However, under this scenario,
            "Intrusion Prevention Behavior" is set to "Prevent"
            instead of "Detect".
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 10: This Patch enables users to change the "Intrusion
            Prevention State" successfully when "Network Driver Mode"
            is set to "Tap" and ensures that the "Intrusion
            Prevention Behavior" becomes "Detect".

   Issue 11: [23607/TT298955/TT299079]
            Some UI strings are not translated to Japanese and
            Chinese.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 11: This Patch adds the correct string translations in
            the Japanese and Chinese versions of the Deep Security
            Manager console.

   Issue 12: [22315/23859/TT292744]
            Sometimes, Deep Security Manager stops responding while
            running several IM or AM scans simultaneously.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 12: This Patch ensures that Deep Security Manager can
            successfully run several IM and AM scans simultaneously.

   Issue 13: [24094/TT302307]
            The Java(TM) SE version in Deep Security Manager is
            affected by a certain vulnerability.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 13: This Patch updates the Java version in Deep Security
            Manager to resolve the vulnerability.

   Issue 14: [24150/TT302609]
            An administrator who does not have permission to view
            role information can see a list of all of the roles in
            the system.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 14: This Patch adds a checking mechanism that ensures
            that an administrator who does not have permission to
            view role information can see only his role.

   Issue 15: [21471/TT302610]
            In a controlled environment, a regular user may be able
            to see the administrator's login name.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 15: This Patch enhances the session-checking mechanism to
            block users from accessing the administrator password
            setting page if they do not have the right permissions.

   Issue 16: [24180/TT301857]
            When users save more than one setting at a time in the
            Deep Security Manager console system setting page, Deep
            Security Manager may run into a race condition while
            accessing the database.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 16: This Patch prevents the race conditions so Deep
            Security Manager can successfully save several settings
            to the database simultaneously.

   Issue 17: [24263/TT303491]
            The timestamps on the "Last Boot Time Change" Agent
            events do not use the user's time zone setting.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 17: This Patch enables Deep Security Manager to use the
            time zone of the current user for the timestamps on
            "Last Boot Time Change" Agent events.

   Issue 18: [24436/TT303121]
            Some information on the "Maximum number of fragmented IP
            Packets" and "Fragment Timeout" sections of the Deep
            Security Manager online help page is not clear.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 18: This Patch edits the relevant online help section to
            provide specific details.

   Issue 19: [24139/TT302914]
            When Deep Security Manager sends an invalid URL request,
            the web server's response contains the web server type
            and version information of Deep Security Manager.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 19: This Patch changes the value of the "server.xml"
            parameter to remove server type and version information
            from the web server response.

   Issue 20: [21441]
            Users may need to manually restart Deep Security Manager
            when it stops unexpectedly after encountering an error
            while testing the database connection through the
            "Tenant Properties" window.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 20: After applying this Patch, if the tenant database is
            the T0 database, the test connection will have a
            successful result. If the tenant database is one of the
            secondary databases, the clean/close database task will
            be triggered only if the database handlers were
            specifically created to perform the test connection
            operation.

   Issue 21: [23060/TT287816]
            When Deep Security Manager performs relay list updates,
            only one transaction is used for all relays, which may
            cause deadlock issues in the database.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 21: This Patch enables Deep Security Manager to use one
            transaction to update each relay list to prevent the
            deadlock issues in the database.

   Issue 22: [23388]
            Deep Security Manager allows users to enable
            multi-tenancy using expired activation license codes.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 22: This Patch adds a checking mechanism to check the
            validity of an activation code before allowing users to
            enable the multi-tenancy functionality using the code.

   Issue 23: [23559/TT298309]
            Deep Security Manager uses a version of the Apache(TM)
            Tomcat(TM) web server that is affected by certain
            vulnerabilities.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 23: This Patch updates the Tomcat web server program in
            Deep Security Manager to remove the vulnerabilities.

   Issue 24: [23595/TT297144]
            Deep Security Manager may not be able to show all the
            required information in a DPI event if it receives the
            information in a jumbopacket. This issue affects systems
            that use an Oracle back end database and occurs because
            the Deep Security Manager DPI event table can store up to
            2000 bytes only.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 24: This Patch adds a column type that can store up to
            four kilobytes of packet data. This can help ensure that
            Deep Security Manager can display all the required
            information in DPI events.

3. Documentation Set
========================================================================
   In addition to this readme.txt, the documentation set for this
   product includes the following:

   o Deep Security 9.0 Service Pack 1 Patch 4 Installation Guide
     (IG) -- Provides product overview, deployment plan,
     installation steps and basic information intended to help you
     smoothly deploy Deep Security.

   o Deep Security 9.0 Service Pack 1 Patch 4 Administrator's Guide
     (AG) -- Provides post-installation instructions on how to
     configure the settings to help you get Deep Security "up and
     running". Also includes instructions on performing other
     administrative tasks for the day-to-day maintenance of Deep
     Security. (All the content of the Administrator's Guide can be
     found in the Deep Security Manager's online help.)

   o Readme.txt files -- version enhancements, known issues, and
     release history. There is one readme for each installable Deep
     Security component: Manager, Agent, Virtual Appliance, and ESXi
     Filter Driver.

   o Supported Kernel Document -- list of currently supported Linux
     kernels.

   o Electronic versions of the manuals are available from the Trend
     Micro Download Center at:
     http://downloadcenter.trendmicro.com/

   o Online help -- Context-sensitive help screens that provide
     guidance for performing a task. (The online help contains all
     the information contained in the Administrator's Guide.)

   o TrendEdge is a program for Trend Micro employees, partners, and
     other interested parties that provides information on
     unsupported, innovative techniques, tools, and best practices
     for Trend Micro products. The TrendEdge database contains
     numerous documents covering a wide range of topics.
     http://trendedge.trendmicro.com

   o Knowledge Base -- a searchable database of known issues,
     including specific problem-solving and troubleshooting topics.
     http://esupport.trendmicro.com

4. System Requirements
========================================================================
   For a complete list of the System requirements, please refer to
   the Deep Security 9.0 Service Pack 1 Patch 4 Installation Guide.

5. Installation/Uninstallation
========================================================================
   Refer to the "Deep Security Manager 9.0 Service Pack 1 Patch 4
   Installation Guide" document available for download from the
   Trend Micro Download Center.

6. Known Incompatibilities
========================================================================
   The following are the known incompatibilities for this release:

   - Microsoft Windows Vista is not a supported platform of Deep
     Security Manager and contains several known issues.

   - Deep Security Manager 9.0 does not support version 7.5 and
     earlier versions of Deep Security Virtual Appliance.

   - Deep Security Manager 9.0 Service Pack 1 ONLY supports versions
     7.5 Service Pack 4, 8.0 Service Pack 1, and 9.x or higher
     versions of the Deep Security Agent, Deep Security Relay, and
     Deep Security Virtual Appliance.

   Previous versions of Deep Security Manager incorporated Java(TM)
   6, which has reached its end-of-life. Deep Security Manager 9.0
   Service Pack 1 has been upgraded to incorporate Java 7.

   Impacts:

   - Any Deep Security Agent version prior to 7.5 Service Pack 4
     cannot communicate with Deep Security Manager. These Agents will
     not be able to activate, reactivate, deactivate, send events,
     receive updates, or communicate with Deep Security Manager in
     any way. This applies to Deep Security Agents, Deep Security
     Relays, and Deep Security Virtual Appliance.

   - Deep Security Agent versions released before 8.0 Service Pack 1
     cannot communicate with Deep Security Manager.

   - Deep Security 7.5 Service Pack 4 and higher versions, 8.0
     Service Pack 1 and higher versions, and 9.x Agents can
     communicate with the updated Deep Security Manager without
     problems.

7. Known Issues
========================================================================
   The following are the known issues for this release:

   - Deep Security Manager shows an error on the "Policy Overview"
     pages for users whose role privilege is set to "Edit All
     Computers" but "View Selected Policies" only. The workaround is
     to enable the "Allow viewing of non-selected Policies" setting
     in the "Policy Rights" page of this User Role setting.

   - Deep Security Manager does not support installation paths that
     contain special characters (non-alphabet and non-numeric
     characters). The same restriction also applies to the database
     name and/or database account used by Deep Security Manager.

   - Exclusion directory list does not support the share folder
     format.

   - When a user runs Agent-initiated recommendation scan using the
     "dsa_control -m RecommendationScan:true" command, no system
     event related to the recommendation scan is recorded.

   - In rare situations, Deep Security Manager may not correctly
     identify the status of the EPsec Driver installed on an ESXi.
     When you activate an Appliance, if Deep Security Manager does
     not identify the correct status of vShield Endpoint, it will not
     register with the vShield Manager. If Deep Security Manager
     gives you this warning, perform a full "Synchronize" with your
     vCenter and it will update the current installation status of
     all drivers on all ESXi(s) in the environment.

   - In Multi-Tenant installations, the Primary tenant Deep Security
     Manager may cause "Reconnaissance Detected: Network or Port
     Scan" alerts on Tenants' Deep Security Managers. To avoid these
     alerts, Tenants can manually add the Primary Tenant's Deep
     Security Manager IP address to the "Ignore Reconnaissance" IP
     list. (Policies > Common Objects > Lists > IP Lists).

   - In rare cases, adding a vCloud or AWS Cloud Account in Deep
     Security Manager can result in the creation of two identical
     Cloud Accounts. If this occurs, neither one of the two accounts
     can be safely removed.

   - In a cloud provider environment if the "Enable regular
     synchronization with Cloud Provider" option is disabled,
     changing the Deep Security Agent hostname will disrupt the
     communication between Deep Security Manager and Deep Security
     Agent. Trend Micro strongly recommends keeping the "Enable
     regular synchronization with Cloud Provider" option ON.

   - If the Manager node(s) and the Database are installed on
     machines with synchronized clocks but configured for different
     time-zones, an error indicating that the clocks are not
     synchronized will be triggered incorrectly.

   - On Windows 2008 and Server 2012 systems, after installing the
     Deep Security Manager with a co-located Relay, the Deep Security
     Notifier icon does not automatically appear in the Windows
     notification area. However, the Deep Security Notifier will
     still function. Users need to re-launch the Deep Security
     Notifier from the "Start" menu or restart the system.

   - When using Deep Security in iCRC mode, a DNS server must be
     available. If a DNS server is unavailable the Anti-malware
     feature of the Deep Security Virtual Appliance may not function
     correctly. [Deep Security 8.0-01169]

   - When using Relay Groups, Linux Relays will not update correctly
     if they use Windows Relays as their update source. Relays should
     only be configured to update from the Global update source or
     from Relays of the same OS platform. [Deep Security 8.0-01110]

   - Deep Security Manager does not support License updates or
     connecting to the Trend Micro Certified Safe Software Service
     using a SOCKS proxy. To use these two features, use an HTTP
     proxy. [Deep Security 8.0-1024]

   - In certain cases, when attempting to use the dsm_s stop command
     on Linux to stop the Deep Security Manager service, you may get
     the following message:

        Timeout. Daemon did not shutdown yet.

     Dsm_s is based on install4j whose timeout value is 15 seconds,
     which cannot be changed. The Deep Security Manager may require
     longer than this to shut down. To ensure the service has been
     shut down run the "ps -ef | grep DSMService" command before
     using the dsm_s stop command. [Deep Security 8.0-00095]

   - Air-gapped Relays will still try to contact an Update Server to
     check for Updates. To avoid update failure alerts, set the Relay
     to use itself as an update source:

     1. In the Relay's "Details" window, go to
        "System > System Settings > Updates".
     2. In the "Relays" area, select "Other Update Source:" and add
        "https://localhost:4122".
     3. Click "Save".

     [Deep Security 8.0-01124]

   - If an ESXi with an installed vShield Endpoint driver is removed
     from its vCenter, Deep Security Manager cannot detect the
     installed driver if the ESXi is later re-added to the vCenter.
     This will cause any newly Deep Security Virtual
     Appliance-protected virtual machines (VMs) to not have
     antimalware enabled. The workaround is to uninstall and
     reinstall the driver through the VSM. [Deep Security 8.0-01036]

   - The default value for whois in Deep Security does not resolve
     properly. To use the whois feature, you must modify the WHOIS
     URL to use a different server. [Deep Security 8.0-01248]

   - Intrusion Prevention is not supported over SSL connections when
     using IPv6.

   - The Anti-malware scan inclusion/exclusion directory settings are
     sensitive to forward slash "/" and backslash "\". For use with
     Windows operating systems the inclusion/exclusion paths must use
     the backslash "\". [7.5 SP1-00231]

   - When creating custom Integrity Monitoring Rules using the
     "RegistryKeySet" tag, the attribute values must be in uppercase
     letters. For example, . Using lowercase may result in an
     "Integrity Monitoring Rule Compile Issue" error.
     [7.5 SP1-00171]

   - Malware scans of network shared folders are only supported using
     real-time scan. Manual scans or scheduled scans will not work.
     [7.5-00012]

   - If a CD or a mounted ISO file contains malware and the
     anti-malware configuration is set to "Delete" upon detection,
     Deep Security Manager will still report that the malware was
     "deleted" even if it was unable to do so. [7.5-00010]

   - Deep Security Manager cannot display an incorrect filename event
     in the Anti-Malware Event if the malware was found in the
     "Recycle Bin".
     [7.5-00023]

   - During an upgrade, the Deep Security Manager service may not be
     able to install properly on some platforms if the "Services"
     screen is open. To work around this, make sure the "Services"
     screen is closed prior to installation or upgrade of Deep
     Security Manager.

   - If you receive a "java.lang.OutOfMemoryError" error during the
     installation of Deep Security Manager, please refer to the
     "Installation Guide" for instructions on how to configure the
     maximum memory usage for the installer.

   - During an upgrade, if you receive a message stating that the
     Deep Security Manager cannot start the service, restarting Deep
     Security Manager usually fixes the problem. In rare cases, you
     may have to run the installer again in Upgrade/Repair mode after
     restarting.

   - If Windows Firewall is enabled on Deep Security Manager, it may
     interfere with port scans causing false port scan results.
     Windows Firewall may proxy ports 21, 389, 1002, and 1720
     resulting in these ports always appearing open regardless of any
     filter placed on the computer.

   - By default, Microsoft Exchange(TM) 2000 and later versions
     dynamically assign a non-privileged port (1024-65535) for
     communications between the client and the server for the System
     Attendant, Information Store, and Name Service Provider
     Interface (NSPI) services. If you will be using the Exchange
     Server profile with an Exchange 2000 or later server then you
     should configure these services to use static ports as described
     in the article "Exchange 2000 and Exchange 2003 static port
     mappings" (http://support.microsoft.com/?kbid=270836). Once
     static ports have been configured you should extend the
     appropriate Exchange Server port list to include the ports that
     have been assigned to these services. You may also want to set
     the "No RFR Service" registry setting to "1" to prevent the
     Exchange server from referring clients to the domain controller
     for address book information.
     See the article "How Outlook 2000 Accesses Active Directory"
     (http://support.microsoft.com/?kbid=302914) for more
     information. Alternatively, it is possible to configure Exchange
     RPC to run over HTTPS if you are using Microsoft Outlook(TM)
     2003 on Windows XP Service Pack 1 or later with Exchange Server
     2003. In this case only port 443 needs to be added to the
     Exchange port list.

   - The "Recommendation" Alert may remain raised on some computers
     even after all recommended Intrusion Prevention, Integrity and
     Log Inspection Rules appear to have been applied. This can occur
     because even though an "Application Type" may be recommended for
     a computer, the "Application Type" will not be displayed in the
     "Show Recommended" view if no Intrusion Prevention Rules
     associated with Application Type are currently recommended. To
     resolve the situation, use the "Show All" view of the Intrusion
     Prevention Rules screen and assign all recommended "Application
     Types" (even if no associated Rules are currently recommended).
     Alternatively, you can just dismiss the alert after verifying
     that you have assigned all recommended rules to the computer.
     [8345]

   - If Deep Security Manager is unable to connect to vCenter for an
     extended period of time, you may notice certain errors
     constantly being raised and resolved on Deep Security Virtual
     Appliance VMs, particularly the "Interfaces Out of Sync" error.
     In general, when Deep Security Manager is integrated with
     vCenter, it must maintain constant connectivity with vCenter in
     order to properly provide protection to the environment. When
     connectivity is broken, Deep Security Manager will not be able
     to respond to the dynamic environment and issues like this can
     occur. The solution is to ensure that connectivity between Deep
     Security Manager and vCenter is always maintained.

   - When an Appliance-protected VM is migrated from one
     Appliance-protected ESXi to another, and if that virtual machine
     currently has warnings or errors associated with it (for example
     "Reconnaissance Detected"), those errors may incorrectly get
     cleared during the migration.

   - Log Inspection event logs are limited to 6000 characters.

   - Common objects are copied over when creating a new tenant
     template in an environment with multi-tenancy. For this
     limitation, refer to KB article Solution ID: 1104945
     http://esupport.trendmicro.com/solution/en-us/1104945.aspx
     for more information.

8. Release History
========================================================================
   See the following website for more information about updates to
   this product:

   http://www.trendmicro.com/download

   - Deep Security Manager 9.0.6500, May 30, 2014
   - Deep Security Manager 9.0.6019, December 6, 2013
   - Deep Security Manager 9.0.5500, September 11, 2013
   - Deep Security Manager 9.0.5370, June 6, 2013
   - Deep Security Manager 9.0.4017, January 30, 2013

   8.1 Deep Security Manager 9.0.6500
   =====================================================================

   8.1.1 Enhancements
   =====================================================================
   Deep Security Manager 9.0.6500 adds the following enhancements:

   Enhancement 1: [21107/TT287685]
            Deep Security Manager dsm_c Utility – You can now use the
            dsm_c utility to create a diagnostic package for a
            particular tenant in multi-tenant mode.

   Enhancement 2: [18266/TT265581/TT276120]
            Deep Security Manager Alerts - When some Deep Security
            Manager components are outdated, a large number of update
            alerts, including Deep Security Rule Update alerts,
            Security Update alerts, and other content-based
            out-of-date alerts, are generated.

            The following changes have been made in the alert
            generation frequency:

            - "Security Update Alert (New Security Updates are
              available)" alerts are generated one hour apart so that
              another alert will only be triggered if the user does
              not download the latest version of the component within
              one hour of the previous alert.

            - "New Rule Update Not Applied" alerts are generated 30
              minutes apart so that another alert will only be
              triggered if the user does not download the latest DSRU
              version within 30 minutes of the previous alert.

   Enhancement 3: [22231]
            Filter Driver and Deep Security Virtual Appliance Batch
            Deployment and Upgrade – Users can now deploy or upgrade
            Filter Drivers and Deep Security Virtual Appliances in
            groups.

   Enhancement 4: [22232]
            Deep Security Virtual Appliance Activation and Upgrade –
            Users can now activate or upgrade several Deep Security
            Virtual Appliances using a multi-select option through
            the Deep Security Manager console.

   8.1.2 Resolved Known Issues
   =====================================================================
   Deep Security Manager 9.0.6500 resolves the following issues.

   Issue 1: [22628/TT295680]
            Deep Security Manager uses version 1.1.1 of the Common
            FileUpload version library which is affected by the
            CVE-2014-0094 vulnerability.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 1: This Patch upgrades the Common FileUpload version
            library to resolve the vulnerability.

   Issue 2: [22386/TT294159]
            After users change the severity of certain alerts from
            "Warning" to "Critical" in the Deep Security Manager 9.0
            console, the status bar correctly indicates the alert
            severity as "Critical", however, the corresponding events
            in the "Alerts" list and in Alert Viewer still display
            the severity level as "Warning".
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 2: This Patch ensures that alert logs always display the
            correct alert severity setting.
Issue 3: [21991/TT291540] A "Computer Created" event-based task fails when a computer name is specified in the conditions of the scheduled task. This occurs because the computer name field is empty right after a virtual machine is created in the VMware vCenter and will only be filled after a period of time so Deep Security Manager will not be able to match the computer name condition for the event-based task immediately. As a result, the task fails and the virtual machine will not be activated. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 3: This Patch resolves this issue by enabling Deep Security Manager to match the computer name condition in event-based tasks using: - "[Host name] ([VM display name])", if the computer's host name is different from the virtual machine's display name - "[Host name]", if the computer's host name and the virtual machine's display name are the same - "([VM display name])", if the computer's host name field is empty Issue 4: [21844/TT291737] When a Deep Security Virtual Appliance or a guest virtual machine (VM) in a Deep Security Virtual Appliance is deactivated, Deep Security Manager deletes all quarantined files associated with the appliance or guest VM. This may take a long time if there is a large number of quarantined files because Deep Security Manager creates a connection for each quarantined file instead of using one connection to delete all the files. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 4: This Patch enables Deep Security Manager to use a single connection to delete all the quarantined files from the Deep Security Virtual Appliance. This significantly reduces the time required to deactivate a guest VM or Deep Security Virtual Appliance when there is a large number of quarantined files. 
Issue 5: [21771/TT291386] When Deep Security Manager is handling a large load, some VMs that are frequently VMotioned may lose protection, or may display errors such as "Update Failed" or "Virtual Machine Unprotected after move to another ESX". ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 5: This Patch improves the timing and coordination of processes in protected VMs during VMotion. This helps reduce the warnings and errors during VMotion. Issue 6: [21607/TT290176] Deep Security Manager manages scheduled tasks using the time zone setting of the host or primary tenant. As a result, Deep Security Manager may not be able to run scheduled tasks on time in tenants that use a different time zone even when the task was created by a user on the same time zone as the tenant. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 6: This Patch enables Deep Security Manager to manage scheduled tasks using the tenant's own time zone setting so that scheduled tasks that are created by a user on the same time zone as the tenant, always run on time. Note: The login user must be using the same time zone as the tenant to properly create scheduled tasks for the tenant and to make sure that these tasks run on time. Issue 7: [21578/TT290832] When Deep Security Manager generates Diagnostic Packages on the Red Hat for Linux platform, the resulting PDF files may not be able to display Japanese characters properly. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 7: This hot fix enables Deep Security Manager to generate the PDF files using the Sazanami-Mincho font for Red Hat 5 and the Ipa-Mincho for Red Hat 6. Issue 8: [21524/TT290527] An event-based task's last run time is always displayed as "N/A" even after the task runs successfully. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 8: This Patch enables Deep Security Manager to update the "last run time" field for an event-based task each time the task is triggered. 
Issue 9: [21497] The Computer Status widget times out if the database does not respond in 60 seconds. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 9: This Patch changes the timeout settings for the Computer Status widget to five minutes to allow more time for the database to respond. Issue 10: [21261/TT287774] When Deep Security Manager generates a report, it adds a time stamp based on its host's time zone and locale instead of on the current login user's setting. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 10: This Patch enables Deep Security Manager to use the time zone and locale of the current login user in report time stamps. Issue 11: [21249/TT287672] An issue prevents Deep Security Manager from sending the latest relay list information to Deep Security Virtual Appliances when the "Relay Group Properties" setting is updated. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 11: This Patch enables Deep Security Manager to send the latest relay list information to the master agent and to send the same information to Deep Security Virtual Appliances and to guest agents through a security policy each time that the "Relay Group Properties" setting is updated. Issue 12: [21206/TT287685] In multi-tenancy mode on a vCloud environment, if the VMWare tool's "guestInfo.ovfEnv" variable is not initialized properly in a virtual machine, the Deep Security Agent-initiated activation task creates a duplicate host for the virtual machine using the fully-qualified domain name (FQDN). ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 12: This fix improves Deep Security Manager's ability to match hostnames with or without the DNS suffix to prevent the Deep Security Agent-initiated activation task from creating duplicate hosts for virtual machines.
Issue 13: [21132/TT285927] In a multiple inherited policy chain, if the leaf policy inherits the Manual and Scheduled Scan configurations and overrides the Real-time Scan configuration, the following error message appears when users attempt to perform a manual or quick malware scan. "Manual Malware Scan Failure (Agent/Appliance configuration error)". This message means that the host does not have an assigned Manual Scan configuration. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 13: This Patch resolves the issue by ensuring that Deep Security Manager properly handles hierarchical policies while overriding the malware configuration. Issue 14: [21131/TT288712] Administrators receive an "Internal Server Error" message when they enable event-based tasks to activate the virtual machine in Deep Security Manager. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 14: This Patch prevents this error from occurring when event-based tasks try to activate the virtual machine. Issue 15: [20966/TT287783] When Deep Security Manager is in tenant mode, users will be able to view the syslog settings page for firewall and IPS event forwarding only if both the firewall and IPS modules are visible. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 15: This Patch enables Deep Security Manager to display the firewall and IPS event forwarding syslog settings page when one or both the firewall and IPS modules are visible. Issue 16: [20938/TT286472] The Deep Security Virtual Appliance does not raise an alert when it does not detect an interface. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 16: This Patch enables the Deep Security Virtual Appliance to raise an "Engine Offline" alert when it does not detect an interface. Issue 17: [20931/TT286018] Anti-malware Event Email Plugin checks the mail server connection every 30 seconds even when there are no events to send.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 17: This Patch enables the plugin to check the mail server connection only when there are events to send. Issue 18: [20881/TT286733] An issue with local time conversion may trigger the Deep Security Manager console to display a license expiration date that is actually one day late. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 18: This Patch ensures that the correct license expiration date appears on the Deep Security Manager console. Issue 19: [20790/TT286417] When Deep Security uses SOAP APIs to determine the version of currently-installed components, the "componentInfoTransports" array always returns a null value. This occurs because the query may call functions related to older ActiveUpdate components which may not be supported in new component versions. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 19: This Patch ensures that Deep Security can successfully query component version information from the "componentInfoTransports" array using SOAP APIs. Issue 20: [20771/TT286472] The Forensic Computer Audit Report does not include any information about the rules that are applied to the computer through parent policies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 20: This Patch ensures that Forensic Computer Audit Reports now contain references to all rules for the leaf and parent policies. Issue 21: [19404] The Deep Security Virtual Appliance does not raise an alert when it does not detect an interface. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 21: This Patch enables the Deep Security Virtual Appliance to raise an "Engine Offline" alert when it does not detect an interface. Issue 22: [22329/TT294064] Deep Security Manager 9.0 cannot create and send reports to recipients that do not have a time zone setting.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 22: This Patch resolves this issue by enabling Deep Security Manager 9.0 to use the tenant's time zone setting to generate and send reports to recipients that do not have a time zone setting. Issue 23: [22400/TT294227] Deep Security Manager may not be able to assign a "Policy Interface Type" for interfaces with names that contain multi-byte characters. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 23: This Patch enables Deep Security Manager to handle Unicode characters properly to ensure that it can assign a "Policy Interface Type" for interfaces with names that contain multi-byte characters. Issue 24: [22402/TT294723] The status of a Deep Security Agent becomes "Log Inspection Engine Offline" when the customized "Log Inspection" rule is in "single line text log" format. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 24: This hot fix ensures that Deep Security Manager uses the correct format for "Log Inspection" rules. Issue 25: [21888/TT292259] If an Amazon instance is managed as a physical computer, the communication setting is bi-directional or agent-initiated, and an Amazon cloud connector is created for the same Amazon region, the Deep Security Manager's agent identity verification mechanism cannot match the host information from heartbeat events with its own records. As a result, Deep Security Manager cannot recognize the Deep Security Agent, which prevents the Deep Security Agent from communicating with Deep Security Manager. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 25: This Patch enables the Deep Security Manager's agent identity verification mechanism to correctly match the heartbeat information to its records. This ensures that Deep Security Manager can recognize the Deep Security Agent and communicate with it.
Issue 26: [22508/TT294852] When users upgrade Deep Security Manager from version 8.0 to 9.0, ESXi hosts are automatically assigned the "Base Policy" which should not happen because ESXi hosts are not assigned any security profile. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 26: This hot fix prevents Deep Security Manager from automatically assigning policies to all types of ESX hosts. Issue 27: [22476/TT292865] After a guest VM finishes storage vMotion, the Firewall/DPI protection stops working. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 27: This Patch enables Deep Security Manager to detect a fastpath binding issue and to correct it at first heartbeat to guest agents. Issue 28: [21751/TT291386] On the Deep Security Manager console, the anti-malware status of a guest virtual machine host keeps changing to "Anti-Malware engine offline" after it is vMotioned to another Deep Security Virtual Appliance. This occurs because a virtual agent process stays alive on the old Deep Security Virtual Appliance and keeps sending the false anti-malware engine alert through heartbeat events. Deep Security Manager does not check if a heartbeat comes from a valid or a zombie virtual agent. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 28: This Patch improves the Deep Security Manager's heartbeat event handling mechanism to check if the virtual agent that sent the heartbeat lives on a valid Deep Security Virtual Appliance by reading the "hostInfo" information that comes with each heartbeat event in Deep Security 9. This enables Deep Security Manager to drop heartbeats from zombie virtual agents. This change enhances the fix in Deep Security Manager 9.0 Service Pack 1 Patch 2 by adding an FQDN name comparison function. Issue 29: [22725] Deep Security Manager may reject heartbeats from computers with mostly agent-initiated communication in a multi-tenant environment.
This is more likely to happen when host IDs overlap in the Deep Security Manager database. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 29: This Patch ensures that in multi-tenancy mode, bi-directional Agent heartbeats work properly and are not rejected. Issue 30: [22328/TT290726] In rare cases, multiple database locks can be inserted into the database which may cause potential locking scheme issues under certain scenarios. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 30: This Patch resolves the issue by improving the database locking mechanism. Issue 31: [22710/TT295458] At the Deep Security Manager console, users cannot export the hosts list to a CSV file through the Toolbar's Export Menu. This is evident if the host type is a virtual host or AWS hosts. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 31: This Patch fixes this issue so that users can export the host lists to a CSV file even if the host is a virtual host. Issue 32: [22739] Whenever an ESXi Server is rebooting, the Deep Security Manager would not properly detect it. This results in the communication thread timing out after several minutes. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 32: This Patch resolves the issue of communication thread timing out. 8.2 Deep Security Manager 9.0.6019 ===================================================================== 8.2.1 Enhancements ===================================================================== Deep Security Manager 9.0.6019 adds the following enhancements: Enhancement 1: Widget Redirect Links - All widgets now have a redirect link which opens another browser page. If a previous session exists, the page will directly use the same connection to Deep Security Manager. If there are no previous sessions, the page will ask the user for the necessary information to be able to log on to Deep Security Manager.
All drill down links redirect to different pages depending on the widget function. For example, the AM widget redirects users to the AM event logs page. Enhancement 2: Anti-Malware Email Notifications Plug-in - The Anti-Malware Email Notifications Plug-in for Deep Security Manager now monitors anti-malware events and sends an email to a list of recipients with details of each new event. It is a self-contained plug-in and should be used with Deep Security Manager 9.0 Service Pack 1 Patch 1 (5500) or any other higher builds. Enhancement 3: ds_agent Dump Files – This Patch enables "ds_agent" to generate a full dump file instead of a minidump file when it stops unexpectedly on computers running on any Windows platform. Full dump files should give administrators more information to investigate why "ds_agent" stopped unexpectedly. 8.2.2 Resolved Known Issues ===================================================================== Deep Security Manager 9.0.6019 resolves the following issues. Issue 1: [19960] Some widgets on the dashboard show items in English even when the user's display language is Japanese. As a result, the widgets will not be able to correctly match and display event information when users click on events in "Events & Reports". ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 1: This Patch enables dashboard widgets to use the correct language setting to ensure that these widgets can correctly match and display event information. Issue 2: [19971] Deep Security Manager alerts are triggered only when both the Firewall and Deep Packet Inspection modules are set to "visible". These alerts do not appear when only one of these modules is set to "visible". ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 2: This Patch adjusts a condition to ensure that Deep Security Manager Alerts are triggered when either one of or both the Firewall and Deep Packet Inspection modules are "visible".
Issue 3: [20018/TT280639] In Microsoft Internet Explorer(TM) 8, there is no dynamic edit box or listbox on the Firewall Rule editing screen. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 3: This Patch modifies the JavaScript(TM) to ensure that the related edit and list boxes appear on the page. Issue 4: [20020/TT280389] When users update Deep Security Manager 9.0, some user roles may automatically be granted viewing rights after user rights migration. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 4: This Patch enables the Deep Security Manager update mechanism to check the version number before migrating user role rights to ensure that it migrates user role rights only when necessary. Issue 5: [20073] The Security Update Status Widget does not change after users apply policy filters because the host filter was not applied correctly. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 5: This Patch resolves this issue by ensuring that the host filter is properly applied when users apply policy filters. Issue 6: [20089] The wrong version information appears for the CloudLinux platform on the Deep Security Manager console. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 6: This Patch ensures that the correct CloudLinux platform version appears on the Deep Security Manager console. Issue 7: [20091] Deep Security Manager may not be able to detect incompatible agents during Multi-Tenant upgrade from version 8.0 Service Pack 2 to 9.0 Service Pack 1. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 7: This Patch sets the correct query condition to resolve this issue. Issue 8: [20115/TT279449] The Deep Security Manager encounters an error when users add a virtual machine that is managed by VMware's vCenter and that contains some specific characters in its display name but does not have a qualified domain name.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 8: This Patch enables the Deep Security Manager to ignore the triggering characters in the virtual machine display name which prevents the error and allows users to add the virtual machine to the Deep Security Manager. Issue 9: [20164/TT274610] [20254/TT282200] Under certain conditions, a Deep Security Virtual Appliance may not clean resources after a guest virtual machine is vMotioned to another Deep Security Virtual Appliance. When this happens, both Deep Security Virtual Appliances will report a status for the same guest virtual machine to the Deep Security Manager which can lead Deep Security Manager to update the status of the guest virtual machine incorrectly. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 9: This hot fix ensures that the Deep Security Manager uses the virtual machine status from the correct Deep Security Virtual Appliance and enables it to ignore the status message for the same guest virtual machine from other Deep Security Virtual Appliances. This resolves the issue. Issue 10: [20168/TT281393] When users create a duplicate of an existing rule in a policy and set the duplicate to inherit the properties of the original rule, both the original and duplicate rules are counted which affects the rule numbering and statistics. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 10: This hot fix removes duplicate rules from the Deep Security Manager web console to ensure that the rule numbering and statistics remain consistent. Issue 11: [20328/TT283535] An issue in the time validation process causes the "Start time" field in the Deep Security Manager Scheduled Task settings to reject values from 00:00 to :00:59.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 11: This Patch resolves the time validation issue in the "Start time" field of the Scheduled Task settings so that when "Time format" is "12 Hour", the range of hours is from "1" to "12" and when "Time format" is "24 Hour", the range of hours is from "0" to "23". Issue 12: [20376/TT278763] When a vCloud's host vMotions a non-primary tenant, the host becomes unmanaged. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 12: To resolve this issue, this Patch ensures that Deep Security Manager always stores remote agent record pointers for any vCloud agent that is not created for vMotioned virtual machines. Issue 13: [20471/TT282794] After a successful security update on a Deep Security Virtual Appliance, the security status of the virtual machines protected by the Deep Security Virtual Appliance in the Deep Security Manager console does not change. As a result, some updated virtual machines appear as outdated. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 13: This Patch ensures that the correct security status of virtual machines protected by Deep Security Virtual Appliance appears on the Deep Security Manager console. Issue 14: [18914] NSFocus, a leading anti-DDOS solution vendor, would like to integrate their vulnerability assessment solution with a Deep Security virtual patch. However, the response to the DPI rules query of the Deep Security web service did not include CVE information. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 14: This Patch ensures that the CVE information is added to the DPI rules query of the original web service without adding a new API. Issue 15: [20208/TT280970] DNS resolution fails if users specify the host name in the [hostname]:[port] format when configuring the SSL certificate for DPI inspection.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 15: This Patch ensures that the [hostname]:[port] hostname format is supported when configuring SSL certificates for DPI inspection. Issue 16: [20461/TT283921] When an automatic synchronization task between Deep Security Manager 9.0 and vCenter is interrupted because the network communication to vCenter is blocked, the automatic synchronization task cannot resume even after the network communication with vCenter is restored. This is caused by a deadlock issue in the VMWare ESX SDK API in Deep Security Manager 9.0 that detects updates from vCenter. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 16: This Patch enhances the Deep Security Manager 9.0 vCenter update-handling code to prevent the VMWare SDK API deadlock issue. This ensures that Deep Security Manager 9.0 can resume automatic synchronization tasks that have been interrupted when the network communication with vCenter was blocked. Issue 17: [19427] The "Upgrade of the Agent/Appliance software is recommended on Computer(s)" alert does not appear correctly after users upgrade to Deep Security Manager 9.0 Service Pack 1 Patch 2. This issue occurs because of some inaccurate Notifier information on the manifest. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 17: This Patch removes the triggering Notifier information on the manifest to help resolve the issue. Issue 18: [20511/TT284434] When users change the IPS state from "Prevent (default)" to "Detect" in the Security Policy and then change the policy name, the IPS state goes back to "Prevent". ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 18: This Patch ensures that IPS state will not change after changing the security policy name. Issue 19: [20391] Deep Security Agent-initiated activation does not work in coordinated protection environments. 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 19: This Patch improves the Deep Security Agent-initiated activation mechanism to enable it to work in coordinated protection environments. Issue 20: [20206/TT282497/TT282506] During Deep Security Manager installation, the proxy settings are not properly encrypted in the database. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 20: This Patch ensures that the proxy settings are properly encrypted in the database during Deep Security Manager installation. Issue 21: [20487/TT284690] A "Log Inspection Engine Offline" error appears on any non-English version of the Deep Security Manager console. This happens because of some translation issues in the Log Inspection File Format. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 21: This Patch resolves the translation issues in the Log Inspection file format to ensure that the error appears on non-English versions of the Deep Security Manager console. Issue 23: [20193/TT277853] Sometimes, the "Relay Details > Updates" page of the Deep Security Relay console displays the version numbers of some components as "0.0.0" and marks these components as outdated. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 23: This Patch ensures that Deep Security Relay receives the correct versions of components that are found on the Deep Security Agent but not on the Deep Security Relay. Issue 24: [19858] Pages 342, 343, and 357 of the "Administrator's Guide" use "inline" instead of "Tap". ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 24: This Patch replaces the three instances of "inline" with "Tap" on the "Administrator's Guide". 
8.3 Deep Security Manager 9.0.5500 ===================================================================== 8.3.1 Enhancements ===================================================================== Deep Security 9.0.5500 adds the following enhancement: Enhancement 1: Event Pruning Feature - The log retention period for the Event Pruning feature has been extended from 52 weeks to 53 weeks. The filter constraint for recurring report tasks is also extended to allow generated reports to contain data from last 53 weeks (13 months). Enhancement 2: DPI Rule Query - The CVE information is now included in the results of DPI rules query from the original Deep Security web service without any need for a new API. 8.3.2 Resolved Known Issues ===================================================================== Deep Security Manager 9.0.5500 resolves the following issues. Issue 1: [19773] Deep Security Manager downloads the Deep Security Agent diagnostic package again after users click on the "close" button on the last page of the diagnostic package wizard using version 8 or 9 of the Microsoft Internet Explorer(TM) web browser. This issue occurs because after users click on the "close" button, the diagnostic wizard displays the last step including the trigger for downloading the diagnostic package. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 1: This Patch enables the diagnostic package wizard to display the trigger of the diagnostic package download in the summary page. This prevents users from triggering the download diagnostic package task twice. Issue 2: [19705] In syslog, Deep Security Manager always displays the primary tenant's name instead of the current tenant's name. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 2: This Patch ensures that Deep Security Manager displays the current tenant name in syslog unless it does not contain special characters. 
Issue 3: [19627] The custom setting specified from the dsm_c command does not reach the Deep Security Agent. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 3: This Patch ensures that the "freeFormDriverSettings" packet filter reaches the Agent. Issue 4: [19523] The component updates for agent-initiated agents are not processed on Deep Security Manager. Also, agent-initiated workload can prevent Deep Security Manager from correctly counting jobs which can lead to too many jobs running at the same time. This also prevents the limit disk space and network usage protection functions from working properly when multi-tenancy is enabled. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 4: This Patch ensures that agent-initiated agents are processed on Deep Security Manager and that the agent-initiated workload does not lead to too many jobs running at the same time. When multi-tenancy is enabled, this Patch ensures that the limit disk space and network usage protection functions work correctly. Issue 5: [19483] The web page shows the "html5.js is not at "js/bootstrap/html5.js" " error message when users access web sites using old browser versions. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 5: This Patch corrects the reference path for the HTML 5 shim javascript in Deep Security Manager 9.0 to ensure that old browser versions can display HTML elements properly. Issue 6: [FB 19369] Sometimes, the Deep Security Manager server cannot sync with vCenter and a "NullPointerException" event appears in the log file. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 6: This Patch improves the Deep Security Manager error-handling mechanism to prevent the null pointer exception and ensure that Deep Security Manager can successfully sync with vCenter.
Issue 7: [19431] When the multi-tenant agent-less solution is enabled for tenants and a tenant virtual machine is protected by the appliance, the computer host widget in the tenant environment displays the number of managed computers as "0". ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 7: This Patch ensures that the computer status dashboard widget always displays accurate information in multi-tenant vCloud environments. Issue 8: [19409] The status of remotely-managed virtual machines in the primary tenant's host list does not appear as "Remotely Managed". ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 8: This Patch ensures that the status of remotely-managed virtual machines appears as "Remotely Managed" in the primary tenant's host list. Issue 9: [19409] In multi-tenant vCloud environments, remotely-managed virtual machines appear to not have antimalware protection from the Deep Security Manager console even when antimalware is enabled in these machines. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 9: This Patch ensures that the correct antimalware status of virtual machines appears on the Deep Security Manager console. Issue 10: [19539] Users who access the Deep Security Manager console in Internet Explorer 10 cannot create or edit a firewall rule that has the TCP+UDP protocol selected because both the "Ok" and "Apply" buttons do not work. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 10: This Patch adjusts the "maxlength" attribute in the "protocol" input tag to ensure that users can create or edit firewall rules under this situation. Issue 11: In Deep Security Manager 9.0 Service Pack 1, the Linux and Solaris security profiles for "intrusion defense strategy" include rules that are only applicable in the Windows platform.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 11: This Patch updates the Deep Security Manager installer "latest_dsru_map.csv" to ensure that Windows rules do not appear on the Linux and Solaris profiles. Issue 12: [19495/TT271519] A role with "Delete only" policy rights cannot delete policies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 12: This Patch ensures that the validation logic on the "Computer and Policy" page can correctly verify role policy rights. Issue 13: [19131/TT269704] The wrong search results appear when users search for firewall events using the "Advanced Search" feature on the Deep Security Manager console. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 13: This Patch adds newly-defined GUIDs for the packet filter into the database to ensure that the correct search results appear under this situation. Issue 14: [19512] Starting with Deep Security Manager 9.0 Service Pack 1, users should be able to create tenants using the REST Web Service API. However, attempting to do so triggers the following error message in "server0.log": "Unable to create new item. The system may be experiencing loss of database connectivity. Please try again." ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 14: This Patch ensures that new tenants can be created using the REST Web Service API. Issue 15: [19359] When the "Web Server Common Properties" point to a port list, "App Types" mismatch alerts appear on the Deep Security Manager console and several related errors are recorded in the "server0.log" file. This occurs because Deep Security Manager cannot restore the port list ID without a reference to the original or previous port list. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 15: This Patch resolves this issue. Issue 16: [19505/TT273979] In the "vCenter properties" page, the "Add/Update Certificate..." 
button is greyed-out when the account user name contains special characters.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 16: This Patch enables the "vCenter properties" page to support special characters to ensure that the "Add/Update Certificate..." button works properly.

Issue 17: [19516/TT274644] The "Event Based Task" configuration is automatically saved after users set the condition type because the user interface immediately sends the configuration update to the server.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 17: This Patch ensures that the user interface sends "Event Based Task" configuration updates to the server only after users save the changes.

Issue 18: [19639/TT275483] Users cannot create a directory list that contains wildcard drive letters (for example "*:\") in policies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 18: This Patch enables the policy directory list format to accept special characters for Citrix environments.

Issue 19: [19418] Deep Security Manager 9.0 Service Pack 1 antimalware appears to be offline on the description of child policies although it is enabled on the parent policy.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 19: This Patch ensures that the correct antimalware status appears on the child policy description.

Issue 20: [19487/TT270663] SQL exception errors appear in the Deep Security Manager system events and client machines do not receive component updates.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 20: The fix improves the Deep Security Manager error-handling mechanism to enable it to handle situations where one of the relay groups is deleted while a pending update is still in the system waiting to be processed. This prevents the SQL errors and ensures that client machines receive component updates.
Issue 21: [19367/TT271141] If the database server is not available when Deep Security Manager is initializing it, Deep Security Manager will not be able to start the database server and a 412 error appears.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 21: This Patch increases the database initialization retry time to reduce the chance of database initialization failure. This Patch also adds a "dbconnect.retry={n}" property in the "dsm.properties" file to set how many times the database server should attempt to initialize before giving up.

Issue 22: [19638/TT275275] The performance of the Deep Security Manager console slows down while handling over 3000 virtual machines. When this happens, it can take a long time for the Deep Security Manager to display the "Dashboard and Computers" page.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 22: This Patch improves the performance of the Deep Security Manager console while it manages a large number of virtual machines. This ensures that the console can display the "Dashboard and Computer" pages faster.

Issue 23: [19432] In multi-tenancy, tenant creation requires a "create DB" permission assigned to the database account used by Deep Security Manager. Without a "create DB" role, the creation of a new tenant leaves an "orphan" tenant entry in the tenant database.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 23: This Patch ensures that Deep Security Manager can properly handle the exception that occurs in the situation described above. This prevents Deep Security Manager from leaving invalid entries in the database.

Issue 24: [19377] The log retention period for the event pruning feature is only 52 weeks.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 24: This Patch extends the retention period for the event pruning feature from 52 weeks to 53 weeks for QSA audit for PCI compliance.
The filter constraint for recurring report tasks is also extended to allow generated reports to contain data from the last 53 weeks (13 months).

Issue 25: [18914] NSFocus, a leading anti-DDOS solution vendor, would like to integrate their vulnerability assessment solution with Deep Security virtual patch. However, the response to the DPI rules query of the Deep Security web service does not include CVE information.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 25: This Patch adds CVE information in the DPI rules query from the original web service without requiring a new API.

Issue 26: [19167] In 9.0 Service Pack 1, Web Reputation Service (WRS) events are sent to Trend Micro Control Manager(TM). However, in Control Manager ad hoc queries for Web Violation Information, users who set "Custom Criteria" to "Block" cannot find any events.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 26: This Patch enables Deep Security Manager to set the "Action" to "Block" when sending WRS events to Control Manager so that the users can send queries using the custom criteria.

Issue 27: Hierarchical relay groups do not follow the predefined order when running security updates. This occurs because security update requests are being triggered on all relays instead of being triggered only on the relays that belong to the relay group that is currently being processed.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 27: This Patch ensures that security updates are triggered only on the relays that belong to the relay group that is currently being processed.

Issue 28: In multi-node Deep Security Manager systems, several "Couldn't find host component with componentID X, not mapping" messages appear in the "server0.log" file.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 28: This Patch updates the component cache and resolves some multi-threaded issues to help resolve the problem.
Issue 29: Users cannot access certain web sites when WRS is enabled.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 29: This Patch ensures that users can access allowed web sites when WRS is enabled.

Issue 30: An issue prevents Deep Security Manager from syncing with vCenter. When this happens, an SQL exception error occurs and users cannot see virtual machines on the Deep Security Manager console.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 30: This fix resolves the issue to ensure that Deep Security Manager can successfully sync with vCenter.

Issue 31: [19495/TT271519] A role with "Delete only" policy rights cannot delete policies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 31: This fix ensures that the validation logic on the "Computer and Policy" page verifies against the correct right.

8.4 Deep Security Manager 9.0.5370
=====================================================================

8.4.1 Enhancements
=====================================================================

Deep Security 9.0.5370 contains the following enhancements.

- Localization support of Deep Security Manager and Notifier
- Enhancements for Trusted Common Baseline:
  a) The ability to define an auto-tagging rule so that a change to a file on any Computer in a group of Computers is tagged as okay so long as a file with the same contents and name exists on some other Computer in the group.
  b) Scalability of auto-tagging integrity events
- Enhancement in the DSM UI to allow configuration of Max Files in Anti-Malware Compressed file scanning. This setting can be applied to every agent on which anti-malware protection is enabled (per-agent setting).
- Enhancement to allow users to select Relay Groups in the New Computer wizard.
- Enhancement to allow a Relay to be set to update patterns only.

8.4.2 Resolved Known Issues
=====================================================================

Deep Security Manager 9.0.5370 resolves the following issues.
Issue 1: [17008/TT252018] In some situations, it has been reported that the Integrity Monitoring/Anti-Malware scanning would cause 100% CPU usage.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 1: A hidden global setting for CPU usage control has been added to DSM to allow high/medium/low control of CPU usage for IM/AM scanning. This setting applies to the following platforms:

- Linux(TM) Red Hat(TM) 5 64-bit
- AIX(TM) 5.3
- Solaris(TM) 10 Sparc

Note: On AIX systems, the CPU usage shows differently in the system commands "topas" and "ps". It is recommended that users use the "ps" command, if needed, to verify the CPU usage control feature on the AIX system.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 2: [17351] On occasion the Download Security Update wizard appears to stop and time out, even though the rules have been applied successfully.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 2: This issue has been fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 3: [17840/17881/TT263949] Under certain circumstances DSM would open a connection to the DSVA but not supply the tunneling header. This would leave the DSVA in a hung state waiting for a blocking read.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 3: Fixed by applying a 30 second timeout to the read.

Impact: The agent will now stay in the hung state for only 30 seconds. After 30 seconds it will log a message that the tunneling header was not received and communication with DSM will be re-established.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 4: [18152/18144/TT266650] The Directory list won't accept "." in the path.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 4: Implement logic that allows "." in the Windows/UNC/Linux path.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 5: [17986/17784/18537/18649/18875/18845/19065] [TT264045/TT269107/TT269326/TT265819/TT267339] Issues were found where the DSM console takes too long to respond when there is a significant number of activated agents.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 5: Changes have been made in the code to greatly improve the performance of DSM page displays.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 6: [17990/17785/TT264045] Virtual Sync cannot be performed and fails with the following error:

   Jan dd, YYYY h:mm:ss AM com.thirdbrigade.manager.core.virtual.VirtualSync doVirtualSync
   SEVERE: Virtual Synchronize Job Failed: The DELETE statement conflicted with the REFERENCE constraint "FNQTKCOHXZWIQIYA". The conflict occurred in database "dsm", table "dbo.hosts", column 'HostGroupID'.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 6: Fixed the issue for SQL constraint exception.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 7: [17945] Test Database Connection on the Tenant Properties window could place the DSM in an error state from which it could not recover without a service restart.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 7: The fix consists of two modifications:

- If the tenant database is actually the primary database, the test connection will return success.
- If the tenant database is one of the secondary databases, DSM will call clean/close database if and only if the database handlers were specifically created to perform the test connection operation.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 8: [18001/17999/TT265517] When creating an exclusion list, DSM would not accept certain variable parameters like ${systemroot}\system32\LogFiles\.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 8: The issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 9: [18023/17530/TT262614] A custom Intrusion Prevention rule will switch to "Detect only" mode after a Deep Security Rule Update (DSRU).
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 9: The issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 10: [17497] The contents of the "Type" field on the "General" tab of the auto-tag rule properties page would disappear from the display after switching to another tab. The workaround was to close and re-open the properties page.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 10: The issue has been fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 11: [TT263203/17662] Deep Security Manager cannot sort Intrusion Prevention rules on the "Intrusion Prevention Rules" screen by the "Issued" date.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 11: The issue has been fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 12: [18048/17879/TT264045] Occasionally the DSVA was not cleaning up resources after a Guest VM was vMotioned to another ESXi/DSVA. This resulted in the first DSVA reporting an interface out of sync for that guest VM while the new DSVA reported interface in sync. This would cause DSM and vCenter to periodically generate reconfiguration events for a guest VM.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 12: The issue has been fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 13: [17750] If synchronization with an Active Directory failed, there was a possibility that users could be removed from the DSM. They would get added during the next successful synchronization.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 13: The issue has been fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 14: [17522] An issue present since early releases, in which App Type ports were not being updated, caused an "app type misconfiguration" error in DSM. This issue would prevent Deep Security Rules Update (DSRU) from having the ability to add ports to App Types when new vulnerabilities come out.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 14: The issue is fixed by preventing users from editing the Application Types issued by Trend Micro (also known as Authoritative). They can still create and edit their own types, but not Trend's. If the user wants to make changes to an Authoritative Application Type he/she needs to create an override for a specific Policy or Host. The best way to achieve the old "global" change is to create an override on the Base Policy, which will be inherited by all of the other Policies/Hosts in the system.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 15: [18036] In DS 9.0, the Directory List Objects only support the UNC path with the format "\\ComputerName\Shared\". However, in some use cases computers managed by the DSM may have network resources of certain computer(s) that are not directly managed by the DSM. If a user wishes to exclude scanning of those network resources, but keep the ability of an Anti-Malware network scan, the exclusion list with network computer name is needed.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 15: This is fixed by allowing "\\ComputerName\" (without the directory name) entries in the Directory List Object on DSM.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 16: [18240] Performance of Event related screens in the DSM is slow.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 16: Some fixes have been made to make sure the table in the forensic report is not locked.
Also, some event loading code is optimized to help with the performance of the event viewer and reports.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 17: [18259/18117/TT266286] In a DSM-integrated AWS (EC2 & VPC) environment, the instance's hostname is null.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 17: The issue is now fixed. EC2 instances with an elastic IP assigned use the FQDN of the elastic IP as the hostname until the elastic IP is released. Once released, the hostname will change to the instance's FQDN on the next cloud connector sync.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 18: [17749/18337/TT266120] Customers need to generate a computer report in order to view their Computer status (managed/unmanaged). Unfortunately the Computer Report will only be available in DSM if Firewall/DPI is licensed.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 18: The issue is fixed so that the Computer Report will be generated even if the user only has an Anti-Malware license.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 19: [17940/TT261297] There is a UI issue on the DSM Updates page, where DSM will use the same counter for both Agents and Relays.

Reproduction:
1. Use a DSM with both Agents and Relays activated.
2. Go to the Updates page and you will see that Relays and Agents have the same counts, although Relays are normally one or two in number.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 19: The issue is fixed by using separate counters for Agents/Relays.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 20: [18399/TT266590] Deep Packet Inspection (DPI) rules are assigned automatically even though the application type was specified to exclude from "scanning for the recommendations".
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 20: After the fix, a DPI rule is not listed in the recommendations if the application type is specified to exclude it from "scanning for the recommendations".
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 21: [18476/18474/TT265831] An issue was found in DSM where old log data is sent to the syslog server when the DSM and the database are busy.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 21: The issue is fixed by improving the log processing function to avoid sending old logs to the syslog server when a database query exception happens.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 22: [18991/18993/TT270016] In a DSM multi-tenant environment, if users browse to the Administration->System Setting->Tenants->Database Servers->View Database Servers->Property page of the primary database and click the "OK" button, then go to Administration->Tenants->New and run through the wizard, the new tenant creation will fail.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 22: The issue is fixed in the DSM by properly collecting data from disabled UI fields and setting the correct state in the database accordingly.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 23: [18310/18243/18244/TT260393] The Manager Panel is missing on the Updates page for DSM nodes on the Linux platform.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 23: The issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

8.5 Deep Security Manager 9.0.4017
=====================================================================

8.5.1 Enhancements
=====================================================================

Deep Security 9.0.4017 adds the following enhancements:

Enhancement 1: vSphere, vCenter, and vShield Support - Deep Security Manager now supports vSphere 5.1, vCenter 5.1, and vShield 5.1.
Enhancement 2: IPv6 Firewall Support - Deep Security Manager now supports IPv6 Firewall.

Enhancement 3: Agentless Recommendation - Deep Security Manager now supports Agentless Recommendation.

Enhancement 4: Anti-Malware On-demand Scans - The performance of anti-malware on-demand scans has been improved.

Enhancement 5: Cloud Environment Support - Deep Security Manager now supports cloud environments.

Enhancement 6: Multi-Tenancy Support - Deep Security Manager now supports multi-tenancy.

Enhancement 7: Hypervisor Integrity Monitoring - Deep Security Manager now monitors Hypervisor Integrity.

Enhancement 8: Deep Security Management Console - A new user interface has been added for the Deep Security management console which exhibits improved workflow for policy management.

Enhancement 9: Certificate Rollover Support - Deep Security Manager now supports certificate rollover.

8.5.2 Resolved Known Issues
=====================================================================

Deep Security 9.0.4017 resolves the following issue:

Issue: [14617] The Event-Based Task for "Computer Moved" for vCenter virtual machines works only if the machine is moved between ESXi(s).
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution: The Event-Based Task for "Computer Moved" for vCenter virtual machines can now be triggered when moving machines between folders as well as ESXi.

This release includes all issues that were resolved in Deep Security 8.0 Service Pack 2 except those explicitly listed in the sections "Known Issues in Deep Security Manager 9.0" and "Issues fixed in previous Deep Security release but which did not make it to 9.0 Service Pack 1 release".

9. Files Included in this Release
========================================================================

This release is a complete installation. Use one of the following files:

   Manager-Windows-9.0.6601.x64.exe (64-bit)
   Manager-Linux-9.0.6601.x64.sh (64-bit)

10. Contact Information
========================================================================

A license to the Trend Micro software usually includes the right to product updates, pattern file updates, and basic technical support for one (1) year from the date of purchase only. After the first year, Maintenance must be renewed on an annual basis at Trend Micro's then-current Maintenance fees.

You can contact Trend Micro via fax, phone, and email, or visit us at:

http://www.trendmicro.com

Evaluation copies of Trend Micro products can be downloaded from our website.

Global Mailing Address/Telephone Numbers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
For global contact information in the Asia/Pacific region, Australia and New Zealand, Europe, Latin America, and Canada, refer to:

http://www.trendmicro.com/en/about/overview.htm

The Trend Micro "About Trend Micro" screen displays. Click the appropriate link in the "Contact Us" section of the screen.

Note: This information is subject to change without notice.

11. About Trend Micro
========================================================================

Trend Micro, Inc. provides virus protection, anti-spam, and content-filtering security products and services.

Copyright 2014, Trend Micro Incorporated. All rights reserved. Trend Micro, the t-ball logo, Deep Security, and "deep security solutions" are trademarks of Trend Micro Incorporated and are registered in some jurisdictions. All other marks are the trademarks or registered trademarks of their respective companies.

12. License Agreement
========================================================================

Information about your license agreement with Trend Micro can be viewed at:

http://us.trendmicro.com/us/about/company/user_license_agreements/

13. Third Party Software
========================================================================

Deep Security Manager uses 3rd party binary distributions.
The binary distributions are subject to the licenses available in the following directory:

   [INSTALL DIRECTORY]\licenses

Where 3rd party licenses require open access to their source code, Trend Micro will provide the necessary materials upon written request.

========================================================================
(C) 2014 Trend Micro Inc. All rights reserved. Published in Canada.