Trend Micro, Inc.
January 17, 2014

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
InterScan(TM) Web Security Virtual Appliance 6.0 Service Pack 1
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Contents
=====================================================================
1. About InterScan(TM) Web Security Virtual Appliance
2. What's New?
3. Documentation Set
4. System Requirements
5. Installation
6. Post-Installation Configuration
7. Known Issues
8. Release History
9. Contact Information
10. About Trend Micro
11. License Agreement
=====================================================================

1. About InterScan(TM) Web Security Virtual Appliance
========================================================================
InterScan(TM) Web Security Virtual Appliance (IWSVA) is a highly scalable
and reliable web security solution that includes virus protection for
HTTP and FTP traffic. IWSVA delivers best-in-class HTTP and FTP virus
scanning that leverages the administration, policy, and centralized
management of Trend Micro's Enterprise Protection Strategy.

2. What's New?
========================================================================
IWSVA 6.0 SP1 is based on IWSVA 6.0 and provides the same malware
protection, policy, logging, and reporting capabilities. IWSVA 6.0 SP1
contains all applicable fixes and patches released since IWSVA 6.0.

The following features are new in this release.

2.1 Granular Application Control
=====================================================================
Granular Application Control offers more than a simple allow-or-block
option for the applications within a category. For example, you can
allow Facebook as a whole but still block the posting of new messages.
2.2 Schedule Object Support
=====================================================================
Schedule objects let you specify the days and hours during which
different actions apply. When configuring URL Filtering, Application
Control, or HTTP Inspection policies, IWSVA can differentiate between
multiple scheduled times. For example, you can allow recreational Web
surfing or the use of IM applications before and after scheduled work
hours. Filtering schedules are policy based; different schedules can be
given to different individuals or groups.

2.3 Global Log Filtering
=====================================================================
Use global log filtering when you want specific data omitted from your
logs. For example, use this filter when you do not need Internet Access
log entries for the user John Smith, or Bandwidth usage entries for
users who visit www.google.com.

2.4 Anonymous Logging
=====================================================================
Some European countries have laws that forbid recording user names in
logs. After this feature is enabled, user names in logs are recorded
as MD5 hash values instead of the actual user names.

Note that MD5 is an unkeyed, deterministic hash: anyone who holds the
logs and a list of candidate user names (for example a directory
export) can recompute the hashes and match them back to users. Treat
the hashed logs as pseudonymous rather than anonymous, and keep them
under access controls separate from the user directory.

2.5 Central Log Enhancement
=====================================================================
Administrators can view the log source list and get status from the
log server.

2.6 Configuration Replication Enhancement
=====================================================================
Administrators can view the replication receiver list, get status from
the replication source, and trigger manual replications from the
replication source.

2.7 Top Users Reported By Browsing Time Reports
=====================================================================
A new report template called "Top user report by browsing time" was
added to the Internet Access report group.
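The following is an added example and not IWSVA product code. It applies the user-name transform that the Anonymous Logging feature in 2.4 describes (the MD5 of the user name) to a few constructed log lines, then shows how a holder of the log plus a candidate user list recovers the names with a dictionary lookup. The log line layout, user names and hosts are constructed for illustration and are not the IWSVA log format; the keyed HMAC variant at the end is our own hardening suggestion, not a product option.

```python
"""
Added example, not IWSVA product code: shows the user-name transform
that the Anonymous Logging feature (2.4) describes, MD5 of the user
name, and why it is a pseudonym rather than anonymization. The log
line layout, the user names and the hosts below are constructed for
illustration and are not the IWSVA log format; the keyed variant is
our own hardening suggestion, not a product option.
"""
import hashlib
import hmac

# Constructed sample log lines: "<user> <host> <bytes>".
SAMPLE_LOG = [
    "jsmith www.example.com 1024",
    "mlee www.google.com 2048",
    "jsmith mail.example.org 512",
]

# Constructed candidate user list, e.g. what a directory export yields.
CANDIDATE_USERS = ["admin", "jsmith", "mlee", "rjones"]


def md5_pseudonym(username: str) -> str:
    """Replace a user name with its hex MD5 digest, as 2.4 describes."""
    return hashlib.md5(username.encode("utf-8")).hexdigest()


def keyed_pseudonym(username: str, key: bytes) -> str:
    """Hypothetical alternative: HMAC-SHA256 under a secret key.

    Without the key an attacker cannot recompute digests for guesses,
    so a candidate list is useless; rotating the key unlinks old logs.
    """
    return hmac.new(key, username.encode("utf-8"), "sha256").hexdigest()


def anonymize_log(lines, transform=md5_pseudonym):
    """Rewrite the first (user) field of each constructed log line."""
    out = []
    for line in lines:
        user, rest = line.split(" ", 1)
        out.append(f"{transform(user)} {rest}")
    return out


def reverse_pseudonyms(anon_lines, candidates):
    """Dictionary attack: map MD5 pseudonyms back to user names.

    MD5 is deterministic and unkeyed, so each candidate name yields one
    fixed digest; any log digest found in that table names its user.
    """
    table = {md5_pseudonym(c): c for c in candidates}
    recovered = {}
    for line in anon_lines:
        digest = line.split(" ", 1)[0]
        if digest in table:
            recovered[digest] = table[digest]
    return recovered


if __name__ == "__main__":
    anon = anonymize_log(SAMPLE_LOG)
    print("\n".join(anon))
    # Holder of the log plus the user list recovers jsmith and mlee.
    print(reverse_pseudonyms(anon, CANDIDATE_USERS))
    # Keyed pseudonyms resist the same lookup (key constructed here).
    keyed = anonymize_log(SAMPLE_LOG, lambda u: keyed_pseudonym(u, b"site-secret"))
    print(reverse_pseudonyms(keyed, CANDIDATE_USERS))
```

Because the same user name always hashes to the same MD5 value, the hashed logs still allow a single user's sessions to be correlated across days; that linkability is what the keyed variant with key rotation breaks, at the cost of no longer being able to join logs across rotation periods.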
2.8 Scheduled Backup for Configuration and Policy Settings
=====================================================================
A Scheduled Backup setting was added to the Configuration Backup &
Restore page. With this setting enabled, IWSVA checks daily whether
configuration changes have occurred since the last backup and, if so,
exports a new backup file. Any of the backup files can be selected and
restored or deleted.

2.9 HTTPS Enhancement
=====================================================================
1) Failed HTTPS connections are logged with an error code and can be
   viewed from the Web console, where administrators can select them
   for tunneling. See HTTP > HTTPS Decryption > Tunneling > Failed
   HTTPS Accesses.
2) Auto tunneling for fatal errors is now supported. When enabled,
   domains that produce one of the following errors are added to the
   tunnel list:
   - Server returns a handshake failure
   - Server closes the connection unexpectedly
   - Unable to get the server certificate after the handshake completes
   The auto-tunneled domain list is at:
   HTTP > HTTPS Decryption > Tunneling > Domain Tunneling
   Because tunneled domains bypass decryption and therefore content
   scanning, review this list regularly so that a domain added after a
   one-off server error does not remain uninspected unintentionally.
3) You can import certificates into the active list from a certificate
   list file exported from Internet Explorer at:
   HTTP > Configuration > Digital Certificates > Active Certificates >
   Add Certificate > Upload the CAs exported from IE.

2.10 DDA Integration Enhancement
=====================================================================
1) Submission of known good files is supported: administrators can
   submit samples to DDA based on file type, even when the file is
   known malware or a known good file.
2) For each sample submitted to DDA, a system event log entry is
   recorded that includes the sample file name and the submission time.
3) For each DDA blacklist sync, a system event log entry is recorded.
2.11 UI Enhancement
=====================================================================
1) In the original version, the username/group selection field on the
   policy setting page was so narrow that long names could not be
   viewed in full. IWSVA 6.0 SP1 enlarges the username/group select
   box and adds a horizontal scroll bar.
2) In raw log queries, the URL category "unknown" is now shown as
   "Generic." An empty field is shown as "--".

2.12 Added Support for a Lanbypass NIC in VM Environments
=====================================================================
IWSVA 6.0 SP1 provides an SOP for installing and enabling a lanbypass
NIC on VMware ESX Server 5.0.

3. Documentation Set
========================================================================
In addition to this readme.txt, you can access the following IWSVA 6.0
SP1 documentation set:

- Administrator's Guide -- Detailed deployment and configuration
  instructions and in-depth information about IWSVA. Electronic
  versions of the printed manuals are available at:
  http://downloadcenter.trendmicro.com/index.php?prodid=86

- Online Help -- Context-sensitive Help screens that provide guidance
  for performing a task.

- TrendEdge -- A program for Trend Micro employees, partners, and other
  interested parties that provides information on unsupported,
  innovative techniques, tools, and best practices for Trend Micro
  products. The TrendEdge database contains numerous documents covering
  a wide range of topics.
  http://trendedge.trendmicro.com/pr/tm/te/web-security.aspx

- Knowledge Base -- A searchable database of known product issues,
  including specific problem-solving and troubleshooting topics.
  http://esupport.trendmicro.com/enterprise/default.aspx

4. System Requirements
========================================================================
4.1 Administrator Web Browser Requirements
======================================================================
No changes from the IWSVA 6.0 GM web browser requirements.

Administrator Web Browser Requirements
--------------------------------------
- Microsoft Internet Explorer 8, 9, 10
- Mozilla Firefox 15, 16+
- Google Chrome 22, 23+

4.2 Others
======================================================================
No changes from the IWSVA 6.0 GM system requirements.

For a complete description of the minimum IWSVA server requirements,
and for installing an evaluation version, see the Installation Guide.
The minimum requirements provide enough resources to evaluate the
product under light traffic loads. The recommended requirements provide
general production sizing guidance. For more detailed sizing
information for production environments, refer to the IWSVA Sizing
Guide at:
http://trendedge.trendmicro.com/pr/tm/te/web-security.aspx
and search for "sizing guide."

Minimum Requirements
--------------------
- Single 2.0 GHz Intel(TM) Core2Duo(TM) 64-bit processor supporting
  Intel VT(TM) or equivalent
- 4 GB RAM
- 20 GB disk space (IWSVA automatically partitions the detected disk
  space as required)
- A monitor with 1024x768 resolution and 256 colors or higher

Recommended Requirements
------------------------
- 300 GB disk space or more for log-intensive environments.
  IWSVA automatically partitions the detected disk space as per
  recommended Linux practices.

Server Platform Compatibility
-----------------------------
- Virtual Appliances
  Supports VMware ESX and ESXi v4.0, v4.1, v5.0, v5.1
  Supports Hyper-V 2.0, 3.0
- Software Appliances
  For the latest Certified by Trend Micro platforms:
  http://www.trendmicro.com/go/certified

Directory Servers for End-User Authentication
---------------------------------------------
- Microsoft Active Directory(TM) 2003 and 2008
- Linux OpenLDAP Directory 2.2.16 or 2.3.39
- Sun(TM) Java System Directory Server 5.2 (formerly Sun(TM) ONE
  Directory Server)

5. Installation
========================================================================
This section discusses how to install IWSVA 6.0 SP1.

Important Notes:
- This version of IWSVA 6.0 SP1 does not support rollback.
- Make sure that the IWSVA 6.0 "/var" partition has more than 3 GB of
  free space before upgrading to SP1.
- If you want to migrate logs from IWSVA 5.6 or IWARM 1.6, finish the
  log migration on IWSVA 6.0 before this upgrade.

5.1 Upgrade from IWSVA 6.0 to IWSVA 6.0 SP1
=====================================================================
If you need to install IWSVA 6.0, refer to the IWSVA 6.0 Installation
Guide for installation instructions.

The on-box (or in-place) upgrade from IWSVA 6.0 to IWSVA 6.0 SP1
provides an easy way for IWSVA administrators to upgrade from the IWSVA
Web console. After upgrading, the configuration and data generated by
IWSVA 6.0, such as text and database logs, are kept in IWSVA 6.0 SP1.
Report files, however, are removed.

Because the upgrade cannot be rolled back, back up your configuration
and policy files for safe keeping and for restoration in case an
unrecoverable error occurs during the upgrade.

To back up the existing IWSVA 6.0 settings:

1. Access the IWSVA 6.0 Web console.
2. Select Administration > Config Backup/Restore.
3. Click Export. The screen displays a progress bar.
   When the export process finishes, a results page displays the
   status. If the configuration export is successful, IWSVA opens a
   dialog box prompting you to save the configuration file to a local
   disk.
4. Save the file to a local drive on your computer.

To perform an upgrade from IWSVA 6.0 to IWSVA 6.0 SP1:

1. Log in as an administrator to the IWSVA 6.0 Web console.
2. Verify that IWSVA is not configured in one of the following cluster
   working modes. Dissolve the cluster and make IWSVA work in
   standalone mode before continuing the upgrade.
   2.1) Configuration Replication Server/Source
   2.2) Central Log Report Server/Source
   2.3) HA mode
3. Prepare to upload certificates after the upgrade completes. If you
   uploaded private or third-party certificates to IWSVA, make sure
   you have them ready after the upgrade; you will need to re-import
   them into IWSVA 6.0 SP1. To review and back up your settings,
   follow the links below for each certificate type.
   - HTTPS decryption CA, configured at HTTP > HTTPS Decryption >
     Settings
   - Applet re-signing certificate, at HTTP > Applets and ActiveX >
     Settings
   Treat the HTTPS decryption CA's private key as highly sensitive
   while it is outside the appliance: every client that trusts that CA
   will accept any server certificate signed with it.
4. Verify that you are running IWSVA 6.0. The version number is shown
   on the Administration > System Update page. If you have configured
   an LDAP server, make sure the IWSVA system time is synced with the
   LDAP server.
5. Download the IWSVA 6.0 SP1 package from the download page on the
   Trend Micro website to the host that will perform the update. The
   download site is located at:
   http://downloadcenter.trendmicro.com/index.php?prodid=86
6. Go to "Administration > System Updates," and click "Choose File" to
   locate the upgrade package. Click "Upload" to transfer the IWSVA 6.0
   SP1 upgrade package. As the upgrade package is large, the upload may
   take several minutes.
   Notes:
   - The patch mechanism checks the patch package and copies the
     upgrade/rollback scripts to /var/upgrade_tool.
   - You might encounter the following error message:
     "There is not enough free disk space. The minimum requirement is
     2GB."
     If so, delete any TMP files or CDT files in IWSVA to make more
     space available.
7. Click "Install" to install the IWSVA 6.0 SP1 upgrade package. When
   the upgrade finishes, IWSVA automatically restarts to enable the new
   features. The reboot process takes several minutes to complete.
8. After IWSVA restarts, refresh the Web console to log on to IWSVA 6.0
   SP1.
9. If needed, access the upgrade log at:
   /var/upgrade_tool/upgrade.log

6. Post-Installation Configuration
========================================================================
After upgrading to IWSVA 6.0 SP1 from IWSVA 6.0, some additional
procedures might be required.

Note: Clear your browser's cache before opening the IWSVA 6.0 SP1 Admin
UI to avoid UI compatibility issues.

1) To restore your certificate information, follow the links below for
   each certificate type.
   - HTTPS decryption CA, configured at HTTP > HTTPS Decryption >
     Settings
   - Applet re-signing certificate, at HTTP > Applets and ActiveX >
     Settings
2) Update the patterns to the latest version:
   Update > Manual Update > Update All
3) If you are deploying IWSVA in HA mode, refer to the section called
   "Transparent Bridge Mode - High Availability Deployment Mode" in the
   IWSVA 6.0 Administration Guide.

7. Known Issues
========================================================================
7.1 The following known issues have been fixed in this release.

7.1.1 In transparent mode (bridge mode or WCCP mode), IWSVA uses the
destination IP to perform the handshake with the HTTPS site.
====================================================================
If one site hosts multiple virtual servers at a single network address
(for example, google.com and google.de), the HTTPS connection is
blocked by Firefox and Chrome. This is because Firefox and Chrome
compare the site's domain name with the HTTPS certificate's common
name. If the domain name differs from the certificate returned by the
HTTPS site, the connection is regarded as unsafe and is blocked.
There is no known workaround.

7.1.2 If an HTTPS site requires client certificates, the tunnel
feature does not work in bridge mode.
======================================================================
Most web sites that require client certificates are financial sites or
handle key confidential information; decrypting these types of sites
is not recommended. If such websites are not decrypted, end users will
not encounter this problem. The workaround is to select "Do not
decrypt" for these kinds of websites.

7.1.3 IWSVA 6.0 does not support configuring LDAP servers with an
IPv6 address.
======================================================================
When configuring an LDAP server with an IPv6 address, IWSVA displays a
long error message and the configuration cannot be saved. The
workaround is to use the IPv4 address of the LDAP server.

7.2 Here are additional known issues in this release:

7.2.1 In-box upgrade limitations
=====================================================================
1) IWSVA 6.0 SP1 does not support rollback.
2) The IWSVA 6.0 hotfix/patch installation history is removed when
   upgrading to SP1. SP1 includes all hotfixes released through
   12/31/2013.
3) Reports created before installing IWSVA 6.0 SP1 are deleted during
   the upgrade. Back up reports before upgrading.
4) Pattern files might be replaced by the ones included in the IWSVA
   6.0 SP1 package. Do a manual update after upgrading to SP1 to keep
   the pattern/engine files up to date.

7.2.2 Granular Application Control might not block HTTPS-based
applications
=====================================================================
Some applications use HTTPS. In this case, HTTPS decryption must be
enabled for the application's URLs; otherwise HTTPS-based applications
cannot be blocked. For example, Yahoo Mail uses HTTPS with IE 10,
Firefox 23, and Chrome 30.0. To keep Granular Application Control
working, an HTTPS decryption policy must be set:
1) Add a customized category in HTTP > Configuration > Customized
   Categories, for example "appcontrol." Add the application's
   connection URLs and URL keywords to it.
2) Enable HTTPS decryption and select the category to be decrypted:
   under HTTPS Decryption > Policies, enable "HTTPS Decryption" and
   select the "appcontrol" URL category for decryption.

7.2.3 In bridge or WCCP mode, HTTPS requests do not trigger LDAP
authentication
=====================================================================
If LDAP authentication is enabled in bridge or WCCP mode, HTTPS
requests do not trigger an LDAP query. If no HTTP request has
performed LDAP authentication and populated the IP-user cache before
the HTTPS request arrives, the HTTPS request cannot be matched against
user-based policies; it uses "IP" or "Unknown" as the user name.

7.2.4 Log server mode does not synchronize related configurations
=====================================================================
Log server mode only causes the log sources to send logs to the log
server. Related configuration such as log filtering settings,
anonymous logging, and HTTPS tunneling settings does not take effect
on the log sources, because these configurations cannot be
synchronized automatically between the log server and the log sources.
If those features are needed, it is strongly recommended to use
configuration replication and make the log server a configuration
replication source as well. Use "Manual Replication" and select
"Policy & Configuration Replication" to sync both policies and
configurations from the log server to the log sources.

7.2.5 HTTPS Decryption Limitations
=====================================================================
1) When visiting HTTPS sites by IP address in bridge mode, the HTTPS
   requests are tunneled. The workaround is to set the
   "client_hello_no_host_tunnel=no" key in the "intscan.ini" file.
2) With Windows XP and IE8, HTTPS is not decrypted in bridge mode.
   The workaround is to set the "client_hello_no_host_tunnel=no" key
   in the "intscan.ini" file.
   In both cases the TLS ClientHello carries no server name (SNI),
   which is the condition this key controls: by default such
   connections are tunneled, and setting the key to "no" makes IWSVA
   decrypt them instead.

7.3 Here are known issues in IWSVA 6.0.

7.3.1 Policies do not immediately take effect when LDAP users/groups
are added.
=====================================================================
When Directory Settings are configured, IWSVA synchronizes with the
listed LDAP server every 24 hours. When an LDAP user/group is added to
the directory server, the change takes effect when the next
synchronization cycle begins. For faster synchronization with the LDAP
server, do a manual sync:
- On the User Identification page, click the "Sync with LDAP servers"
  button.

7.3.2 Firefox does not process HTTPS IPv6 addresses smoothly.
====================================================================
Firefox users see a certificate exception dialog when attempting to
access HTTPS URLs with an IPv6 address in DNS. Workarounds include:
- Use the host name of the IPv6 server.
- Do not use the IP address to access HTTPS-related IPv6 web sites.
- Use IE or Chrome to access the site.

7.3.3 Reverse proxies cannot be installed in front of IPv6 servers
without global IPv6 addresses.
====================================================================
In reverse proxy mode, traffic cannot be forwarded to IPv6 servers
with a link-local address. End users cannot access the web server, and
it is not protected by IWSVA. The workaround is to use a global IPv6
address for the protected server behind IWSVA.

7.3.4 IWSVA cannot connect to a DNS server that has only an IPv6
address.
====================================================================
If a DNS server has both IPv4 and IPv6 addresses, IWSVA connects to it
without any problems.

7.3.5 When cookie mode is enabled on IWSVA, the Safari web browser
might not display some web sites correctly.
====================================================================
Safari has a more stringent certificate-checking mechanism and does not
accept the IWSVA Captive Portal's default certificate. Workaround: do
not use Safari to surf the Internet through IWSVA, or deactivate cookie
mode.

7.3.6 The Command Line Interface Shell (CLISH) has a time-out issue.
====================================================================
The "show network interfaces status" command is a function of the IWSVA
CLISH that helps an administrator check the current interface status.
If the administrator does not type anything in CLISH within 900
seconds, CLISH cannot be quit the usual way through the console. The
administrator can use "killall" to end the "shownic" process and quit.

To stop the current timed-out process:
a. Change to another console by pressing ALT+F2.
b. Use the following "killall" command to end the timed-out process:
   killall -9 shownic

7.3.7 The System Event Log (SEL) hardware information cannot be read
by IWSVA 6.0.
====================================================================
When IWSVA 6.0 is deployed on an IBM X360 or HP 380G5, the system event
log generated by the BMC agent on these devices cannot be read by
IWSVA. This leads to inaccurate hardware status information being
exported through syslog and SNMP.

7.3.8 MAC addresses float from one port to another when the switch is
connected to multiple machines.
=====================================================================
This issue occurs when IWSVA 6.0 is connected to a switch at the same
time as another machine. That machine's MAC address floats between its
real port and the IWSVA port. This only occurs in Transparent Bridge
mode. To fix this issue, add the MAC address filter option.
To do this, access the /etc/iscan/network.ini file using the CLISH
tool, and run one of the following commands:
- add mac_filter=[MAC address you want to skip]
  or
- add mac_filter!=[MAC address you want to scan]
Then type the command "service network restart" on the console.

7.3.9 Application Control may not block an already established
connection.
=====================================================================
The Application Control feature only blocks new connections to the
protocols specified in a new policy. If you deploy a new policy to
block Skype after a user is already logged on to Skype, Skype is not
blocked. However, if the user logs off Skype and logs on again, the
policy works and Skype is blocked.

7.3.10 The time quota value requires settings in multiples of 5.
=====================================================================
This is caused by the time quota implementation. The default quota
unit is five minutes. Trend Micro recommends that administrators set
the "Time quota" value to a multiple of five. Otherwise, IWSVA ignores
the remainder if it is less than five. For example, a value of four
minutes is interpreted as zero minutes, and a value of nine minutes is
interpreted as five minutes.

The time quota setting also depends on the system clock. For example,
if it is now 10:03 and the time quota is 5, the end user only has
access for two minutes. This happens because the time quota is split
into five-minute increments aligned to the clock (10:00-10:05,
10:05-10:10, and so on), and a new increment begins every five minutes.

7.3.11 An error message may be returned when you install IWSVA on a
VMware ESX virtual machine.
======================================================================
When you install IWSVA on a VMware ESX virtual machine, you might
occasionally see the following error message:
"Memory for crash kernel (0x0 to 0x0) not within permissible range"
This message is normal and safe to ignore.
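The following is an added example and not IWSVA product code. It models the five-minute time quota behaviour described in 7.3.10 (rounding the configured quota down to whole five-minute units and aligning increments to the clock) so that an administrator can predict what a configured quota actually grants, including the two edge cases the readme mentions: a quota below five minutes and a user who starts part-way through an increment. The function names and the HH:MM interface are ours; the behaviour follows the readme text.

```python
"""
Added example, not IWSVA product code: models the five-minute time
quota behaviour that 7.3.10 describes, so an administrator can predict
what a configured quota actually grants. The rounding and the
clock-aligned slicing follow the readme text; the function names and
the HH:MM interface are ours.
"""

SLICE_MINUTES = 5  # quota unit stated in 7.3.10


def effective_quota(quota_minutes: int) -> int:
    """Round a configured quota down to whole 5-minute units.

    4 -> 0, 5 -> 5, 9 -> 5, 10 -> 10: a remainder below five is ignored.
    """
    if quota_minutes < 0:
        raise ValueError("quota must be non-negative")
    return (quota_minutes // SLICE_MINUTES) * SLICE_MINUTES


def _parse_hhmm(hhmm: str) -> int:
    """'10:03' -> 603 minutes since midnight."""
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)


def _fmt(total_minutes: int) -> str:
    """Minutes since midnight -> 'HH:MM', wrapping past midnight."""
    total_minutes %= 24 * 60
    return f"{total_minutes // 60:02d}:{total_minutes % 60:02d}"


def access_windows(start_hhmm: str, quota_minutes: int):
    """Return (windows, usable_minutes) for a user who starts at start_hhmm.

    Windows are the clock-aligned 5-minute increments the quota covers,
    as (start, end) strings. The first window begins at the boundary at
    or before the start time, so minutes already elapsed in it are lost:
    starting at 10:03 with quota 5 yields one window, 10:00-10:05, of
    which only two minutes remain.
    """
    usable = effective_quota(quota_minutes)
    slices = usable // SLICE_MINUTES
    start = _parse_hhmm(start_hhmm)
    aligned = start - start % SLICE_MINUTES
    windows = [
        (_fmt(aligned + i * SLICE_MINUTES), _fmt(aligned + (i + 1) * SLICE_MINUTES))
        for i in range(slices)
    ]
    remaining = usable - (start - aligned) if slices else 0
    return windows, remaining


if __name__ == "__main__":
    for start, quota in (("10:03", 5), ("10:03", 9), ("10:03", 4), ("10:00", 10)):
        print(start, quota, access_windows(start, quota))
```

The practical consequence for policy design is that a quota of N minutes guarantees only N minus up to four minutes of actual access, and never more than the rounded-down value; choose multiples of five and, where an exact allowance matters, size the quota one increment larger than the intended minimum.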
7.3.12 A missing storage controller causes the system to show the
"minimum hardware requirements were not met" message.
======================================================================
The installer checks whether a storage controller exists. If the
storage controller is not found, the installation fails even if the
minimum hardware requirements for memory and disk are met. The
workaround is to skip the hardware check.

To skip the hardware check:
1. When the "Minimum hardware requirements were not met" message is
   displayed, click "Next."
2. When the installation menu page appears, press "Tab" to open a
   command line.
3. Type "nohwfail" and press "Enter" to continue installing IWSVA.

7.3.13 File Transfer Protocol (FTP) data is identified as
"Unclassified" in the application category details when FTP scanning
is enabled.
======================================================================
The IWSVA FTP daemon modifies the packet contents in user mode. Some
critical parts of the FTP packets that are usually recognized are
changed. This change prevents the application signature engine from
recognizing the data, so it is marked as "Unclassified." The only way
to avoid this issue at this time is to disable FTP scanning.

7.3.14 Some browsers or applications might not display the IWSVA
blocking notification page if they do not handle the HTTP 403
Forbidden response well or ignore it.
======================================================================
For example, IWSVA resets the HTTP connection if a browser keeps
posting a large file and ignores the HTTP 403 block page notification
from IWSVA. In another example, the Google search page shows no
response when the query is blocked by the IWSVA query keyword filter.
This happens when the Google search setting "Use Google Instant
predictions and results appear while typing" is enabled.
This is because the Google page uses AJAX to query data in a private
format rather than normal HTML, so it ignores the IWSVA 403 block
notification page. The block page is displayed correctly after "Google
Instant" is disabled. In these examples the HTTP Inspection filter is
working correctly and the content is blocked, but the user may not
receive feedback explaining why, because the browser cannot display
the IWSVA notification.

7.3.15 If the time zone offset is not a whole number of hours from
UTC, the dashboard and log query information do not sync.
======================================================================
If the time zone is UTC+4:30 or UTC+5:45, that is, not on the hour,
the data shown on the dashboard or in log queries and the raw log data
might not match each other, but the logs in the database are correct.

7.3.16 Application Control cannot match the user policy in a proxy
chain.
======================================================================
When deployed in a proxy chain, the application control daemon cannot
obtain the source IP to match the policy. This is a limitation.

8. Release History
========================================================================
IWSVA 6.0      June 28, 2013
IWSVA 5.6      June 30, 2012
IWSVA 5.5      August 5, 2011
IWSVA 5.1 SP1  January 26, 2011
IWSVA 5.1      August 11, 2010
IWSVA 5.0      August 15, 2009
IWSVA 3.1      July 9, 2008

9. Contact Information
========================================================================
A license to the Trend Micro software usually includes the right to
product updates, pattern file updates, and basic technical support for
one (1) year from the date of purchase only. After the first year,
Maintenance must be renewed on an annual basis at Trend Micro's
then-current Maintenance fees.

You can contact Trend Micro via fax, phone, and email, or visit us at:
http://www.trendmicro.com

Evaluation copies of Trend Micro products can be downloaded from our
Web site.
Global Mailing Address/Telephone Numbers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
For global contact information in the Asia/Pacific region, Australia
and New Zealand, Europe, Latin America, and Canada, refer to:
http://www.trendmicro.com/en/about/overview.htm

The Trend Micro "About Us" screen displays. Click the appropriate link
in the "Contact Us" section of the screen.

Note: This information is subject to change without notice.

10. About Trend Micro
========================================================================
Trend Micro Incorporated, a global leader in Internet content security
and threat management, aims to create a world safe for the exchange of
digital information for businesses and consumers. A pioneer in
server-based antivirus with over 20 years of experience, we deliver
top-ranked security that fits our customers' needs, stops new threats
faster, and protects data in physical, virtualized and cloud
environments. Powered by the Trend Micro Smart Protection Network(TM)
infrastructure, our industry-leading cloud-computing security
technology and products stop threats where they emerge, on the
Internet, and are supported by 1,000+ threat intelligence experts
around the globe. For additional information, visit www.trendmicro.com.

Copyright 2014, Trend Micro Incorporated. All rights reserved.
Trend Micro, the t-ball logo, and InterScan(TM) Web Security Virtual
Appliance are trademarks of Trend Micro Incorporated and are registered
in some jurisdictions. All other marks are the trademarks or registered
trademarks of their respective companies.

11. License Agreement
========================================================================
Information about your license agreement with Trend Micro can be
viewed at:
http://us.trendmicro.com/us/about/company/user_license_agreements/

Third-party licensing agreements can be viewed:
- By accessing "/usr/share/doc"
- By selecting the "About" option in the application user interface
- By referring to the "Legal" page of the Getting Started Guide or
  Administrator's Guide