Trend Micro, Inc.                                          July 15, 2014
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
InterScan(TM) Web Security Virtual Appliance 6.5
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Contents
=====================================================================
1. About InterScan Web Security Virtual Appliance
2. What's New?
3. Documentation Set
4. System Requirements
5. Installation
6. Post-Installation Configuration
7. Known Issues
8. Release History
9. Contact Information
10. About Trend Micro
11. License Agreement
=====================================================================

1. About InterScan Web Security Virtual Appliance
========================================================================
InterScan Web Security Virtual Appliance (IWSVA) is a highly scalable
and reliable web security solution that includes virus protection for
HTTP and FTP traffic. IWSVA delivers best-in-class HTTP and FTP virus
scanning that leverages the administration, policy, and centralized
management of Trend Micro's Enterprise Protection Strategy.

2. What's New?
========================================================================
IWSVA 6.5 is based on IWSVA 6.0 SP1 and provides the same malware
protection, policy, logging, and reporting capabilities. IWSVA 6.5
contains all applicable previous fixes and patches available since the
release of IWSVA 6.0 SP1.

The following features are new in this release.

2.1 Advanced Persistent Threat (APT) detection
=====================================================================
New Web-borne Advanced Persistent Threat (APT) detection technology
with real-time browser emulation to detect malicious Web content.

2.2 Smart Scan
=====================================================================
Smart Scan provides fast, real-time file reputation lookup capability
in the cloud or groups.
2.3 Role-Based administration support
=====================================================================
Uses Role-based Administration to grant and control access to the IWSVA
Web console. If there are several IWSVA administrators in your
organization, you can use this feature to assign specific Web console
privileges to the administrators and present them with only the tools
and permissions necessary to perform specific tasks.

2.4 LDAP encryption support
=====================================================================
If the LDAP server has encryption enabled, IWSVA supports the LDAPv3
StartTLS extension and LDAP over SSL.

2.5 Proxy Auto-config (PAC) files management
=====================================================================
IWSVA enables you to create, edit, copy, and delete the PAC file. This
means you do not need another Web service to maintain the Proxy
Auto-config (PAC) file.

2.6 Configuration Replication Enhancement
=====================================================================
Schedule Configuration Replication replicates IWSVA policies and
configurations.

2.7 Dynamic URL categorization of non-categorized URLs in local server
=====================================================================
IWSVA uses Dynamic URL Categorization technology to perform real-time
categorization of the Web site, based on the Web site content and HTTP
URL.

2.8 Active Directory (AD) User Principal Name (UPN) authentication
    support
=====================================================================
Adds User Principal Name (UPN) authentication support for AD users.

2.9 SNMP V3 authentication and encryption support for SNMP notifications
=====================================================================
Adds SNMP V3 authentication and encryption support for SNMP
notifications.

2.10 Guest port to provide Internet connectivity to network users who
     are not in the AD/LDAP directory.
=====================================================================
Adds Guest Port support in Forward proxy mode to enable Guest Policy,
to provide Internet access to guest users.

2.11 HTTPS enhancement
=====================================================================
Adds an exception list for HTTPS certificate validation. Also enhances
the URL filtering policy to match HTTPS Web sites even when the HTTPS
feature in IWSVA is disabled.

2.12 Log system enhancement
=====================================================================
Adds log offload support to save logs to other locations for permanent
storage, and retrieve logs for later analysis. Also adds Device Group
Management for Central Log/Reporting configuration. The one-month
limitation for log analysis is also removed in this version.

2.13 Reporting feature enhancement
=====================================================================
Adds Device Group support in Report settings. This version also enables
you to select bar and table charts in the same report. In addition, the
following reports are new in this version:
- Internet Activity Level by Days
- Traffic bandwidth breakdown by days
- Most Violation for HTTP Malware Scan Policy
- Top Users by HTTP Inspection
- Most Violation for URL Filtering Policy
- Most Violation for Application Control Policy
- Most Violation for Access Quota Control Policy
- Most Violation for Applets and ActiveX policy
- Most Violation for HTTP Inspection Policy
- Most Violation for Data Loss Prevention Policy

2.14 New platforms and system integration support
=====================================================================
Adds support for the following platform and system integration servers:
- VMware ESX 5.5 Support
- Novell eDirectory Support
- Windows AD 2012 Support

3. Documentation Set
========================================================================
In addition to this readme.txt, you can access the following IWSVA 6.5
documentation set:

- Administrator's Guide -- Detailed deployment and configuration
  instructions and also in-depth information about IWSVA.

  Electronic versions of the printed manuals are available at:
  http://downloadcenter.trendmicro.com/index.php?prodid=86

- Online Help -- Context-sensitive Help screens that provide guidance
  to performing a task.

- TrendEdge is a program for Trend Micro employees, partners, and other
  interested parties that provides information on unsupported,
  innovative techniques, tools, and best practices for Trend Micro
  products. The TrendEdge database contains numerous documents covering
  a wide range of topics.
  http://trendedge.trendmicro.com/pr/tm/te/web-security.aspx

- Knowledge Base -- A searchable database of known product issues,
  including specific problem-solving and troubleshooting topics.
  http://esupport.trendmicro.com/enterprise/default.aspx

4. System Requirements
========================================================================

4.1 Administrator Web Browser Requirements
======================================================================
No changes from the IWSVA 6.5 GM's web browser requirements.

Administrator Web Browser Requirements
--------------------------------------
- Microsoft Internet Explorer 9, 10, 11
- Mozilla Firefox 30+
- Google Chrome 35+

4.2 Others:
======================================================================
No changes from the IWSVA 6.5 GM's system requirements.

For a complete description of the minimum IWSVA server requirements,
and to install an evaluation version, see the Installation Guide. The
minimum requirements provide enough resources to evaluate the product
under light traffic loads. The recommended requirements specified
provide general production sizing guidance.
For more detailed sizing information for production environments, refer
to the IWSVA Sizing Guide at:
http://trendedge.trendmicro.com/pr/tm/te/web-security.aspx
and search for "sizing guide."

Minimum Requirements
---------------------
- Single 2.0 GHz Intel(TM) Core2Duo(TM) 64-bit processor supporting
  Intel VT(TM) or equivalent
- 4 GB RAM
- 50 GB disk space (IWSVA automatically partitions the detected disk
  space as required)
- A monitor with 1024x768 resolution and 256 colors or higher

Note: For testing purposes, it is adequate to leave the 50 GB disk
      allocation at its default. For production environments, provide
      at least 300 GB for logging and reporting.

Recommended Requirements
------------------------
- 300 GB disk space or more for log intensive environments. IWSVA
  automatically partitions the detected disk space as per recommended
  Linux practices

Server Platform Compatibility
-----------------------------
- Virtual Appliances
    Support VMware ESX and ESXi v4.0, v4.1, V5.0, V5.1, V5.5
    Support Hyper-V 2.0, 3.0

  Note: If you use a virtualization platform to install IWSVA, you must
        reserve CPU and memory resources. Otherwise, IWSVA will not run
        normally.

- Software Appliances
    For the latest Certified by Trend Micro platforms:
    http://www.trendmicro.com/go/certified

Directory Servers for End-User Authentication
---------------------------------------------
- Microsoft Active Directory(TM) 2003, 2008, 2012
- Linux OpenLDAP Directory 2.2.16 or 2.3.39
- Sun(TM) Java System Directory Server 5.2 (formerly Sun(TM) ONE
  Directory Server)
- Novell eDirectory 2.0.0.v20130628 with simple authentication

5. Installation
========================================================================

5.1 Fresh Install
=====================================================================
See Chapter 3 of the Installation Guide for installation instructions.
Note: Because IWSVA 6.5 introduces report template and log schema
      changes, Trend Micro strongly recommends a fresh installation of
      IWSVA 6.5, instead of upgrading 6.0 SP1 to 6.5.

5.2 Upgrade from IWSVA 6.0 SP1
=====================================================================
The on-box (or in-place) upgrade from IWSVA 6.0 SP1 to IWSVA 6.5
provides a method for IWSVA administrators to upgrade from the IWSVA
Web console. After upgrading, the related configuration will be kept in
IWSVA 6.5. You should back up your configuration files and policy files
for safekeeping and for restoration later in case an unrecoverable
error occurs during the upgrade.

Because the report template and the log schema have changed, the IWSVA
6.0 SP1 log/report related features are impacted after the upgrade:
1) Users cannot create reports on old data.
2) After the upgrade, queries on old logs will be very slow.

Important Note:
- This version of IWSVA 6.5 does not support rollback.
- Please make sure that the IWSVA 6.0 SP1 "/var" has more than 3GB free
  space before upgrading to SP1.

To back up the existing IWSVA 6.0 SP1 settings:
1. Access the IWSVA 6.0 SP1 Web console.
2. Select Administration > Config Backup/Restore
3. Click Export. The screen displays a progress bar. When the export
   process finishes, the results page displays the status. If the
   configuration export is successful, IWSVA opens a dialog box to
   prompt you to save the configuration file to a local disk.
4. Save the file to a local drive on your computer.

To perform an upgrade from IWSVA 6.0 SP1 to IWSVA 6.5:
1. Log in as an administrator to the IWSVA 6.0 SP1 Web console.
2. Verify that IWSVA is not configured in one of the following cluster
   working modes. Dissolve the cluster and make IWSVA work in
   standalone mode before continuing the upgrade.
   2.1) Configuration Replication Server/Source
   2.2) Central Log Report Server/Source
   2.3) HA mode
3. Prepare to upload certificates after the upgrade completes.
   If you uploaded private or 3rd party certificates to IWSVA, make
   sure you have these ready after the upgrade. You will need to
   re-import them into the IWSVA 6.0 SP1. To review and back up your
   settings, follow the links below for each certificate type.
   - HTTPS decryption CA configured at
     HTTP > HTTPS Decryption > Settings
   - Applet re-signing certificate at
     HTTP > Applets and ActiveX > Settings
4. Verify that you are running IWSVA 6.0 SP1. The version number is
   shown on the Administration > System Update page. If you have
   configured an LDAP server, make sure the IWSVA system time is synced
   with the LDAP server.
5. Download the IWSVA 6.5 in-box-upgrade package from the download page
   on the Trend Micro website to the host that will be performing the
   update.
6. Go to "Administration > System Updates," and click "Choose File" to
   locate the upgrade package. Click "Upload" to transfer the IWSVA 6.5
   upgrade package.
   Note:
   - The patch mechanism checks the patch package and copies the
     upgrade/rollback scripts to /var/upgrade_tool.
   - You might encounter the following error message:
     "There is not enough free disk space. The minimum requirement is
     2GB."
     If so, delete any TMP files or CDT files in IWSVA to make more
     space available.
7. Click "Install" to install the IWSVA 6.5 upgrade package. When the
   upgrade finishes, IWSVA automatically restarts to enable the new
   features. The reboot process takes several minutes to complete.
8. After IWSVA restarts, refresh the Web console to log on to IWSVA 6.5.
9. If LDAP is configured, manually sync LDAP with the local database.
   Go to "Administration > IWSVA Configuration > User Identification >
   Advanced", and click "Sync with LDAP servers". Otherwise, end users
   may not pass LDAP authentication.
10. If needed, access the upgrade log information at:
    /var/upgrade_tool/upgrade.log

6. Post-Installation Configuration
========================================================================
The following post-installation steps are required:

6.1 Configuration after Fresh Installation
------------------------------------------
6.1.1 Start the post-installation configuration process from the
      beginning. See "Post-installation Notes" in the IWSVA 6.5
      Installation Guide.
6.1.2 To migrate configuration settings from a previous IWSVA version,
      re-import a backup configuration file. See topic "Migrating to
      InterScan Web Security Virtual Appliance" in the IWSVA 6.5
      Installation Guide.

7. Known Issues
========================================================================

7.1 Here are additional known issues in this release

7.1.1 IWSVA is unable to authenticate user even though the
      authentication servers are configured correctly.
======================================================================
This happens when IWSVA uses multiple authentication servers, and the
Active Directory domain is configured before any other type of server.
To fix this known issue, delete the Active Directory domain only, and
configure it again.

7.1.2 The /etc/squid/squid.conf configuration file on source and
      receiver has different content after scheduled configuration
      replication.
======================================================================
This known issue happens because the squid service uses the
/etc/squid/squid.conf configuration file. Therefore, the Scheduled
Configuration Replication is unable to update this configuration file.
To resolve this known issue, Trend Micro recommends using the manual
replication method.

7.1.3 Installing IWSVA on R420 displays a warning message "UNSUPPORTED
      HARDWARE DEVICE".
======================================================================
This known issue occurs on the latest R420 version, where the openVA
kernel does not support the latest CPU. You may ignore this warning
message to complete the IWSVA installation.
7.2 Here are additional known issues in 6.0 sp1

7.2.2 Granular Application Control might not block HTTPS-based
      applications
=====================================================================
Some applications use HTTPS. Under this scenario, HTTPS decryption for
this app URL must be enabled; otherwise, HTTPS-based applications
cannot be blocked. For example, Yahoo mail uses HTTPS for IE10, Firefox
23, and Chrome 30.0. To keep granular application control working, an
HTTPS decryption policy must be set.
1) Add a customized category in HTTP > Configuration > Customized
   Categories. For example, "appcontrol." Add the application's
   connection URLs and URL keywords.
2) Enable HTTPS decryption and select a category to be decrypted. For
   example: in HTTPs Decryption > Policies, enable "HTTPs Decryption."
   Select the URL category for "appcontrol" to be decrypted.

7.2.3 In bridge or WCCP mode, HTTPS requests will not trigger an LDAP
      authentication
=====================================================================
If LDAP authentication is enabled in the bridge or WCCP mode, HTTPS
requests will not trigger an LDAP query. If no HTTP request triggers
LDAP authentication and sets up the IP-user cache before the HTTPS
request is made, the HTTPS request cannot be matched to a user-based
policy. It will use "IP" or "Unknown" as the username.

7.2.4 Log server mode does not synchronize related configurations
=====================================================================
Log server mode triggers only log sources sending logs to the log
server. For related configurations, log filtering settings, anonymous
logging, and HTTPS tunneling settings will not take effect on the log
sources as their configurations cannot be automatically synchronized
between log servers and log sources. If those features are needed, it
is strongly recommended to use replication configuration and make the
log server a configuration replication source as well.
Use the "Manual Replication," and select "Policy & Configuration
Replication" to sync both policies and configurations from the log
server to the log sources.

7.2.5 HTTPS Decryption Limitation
=====================================================================
1) When visiting HTTPS sites by IP address in bridge mode, the HTTPS
   requests will be tunneled. The workaround is to change the
   "client_hello_no_host_tunnel=no" key in the "intscan.ini" file.
2) For Windows XP+IE8, HTTPS will not do decryption in bridge mode. The
   workaround is to change the "client_hello_no_host_tunnel=no" key in
   the "intscan.ini" file.

7.3 Here are known issues in IWSVA 6.0.

7.3.1 Policies do not immediately take effect when LDAP users/groups
      are added.
=====================================================================
When Directory Settings are configured, IWSVA synchronizes with the
listed LDAP server every 24 hours. When an LDAP user/group is added to
the directory server, the change takes effect when the next
synchronization cycle begins. For faster synchronization with the LDAP
server, do a Manual Sync with the LDAP server.
- On the User Identification page, click the "Sync with LDAP servers"
  button.

7.3.2 Firefox does not process HTTPS IPv6 addresses smoothly.
====================================================================
Firefox users see a certification exception dialog when attempting to
access HTTPS URLs with an IPv6 address in DNS. Workarounds include:
- Use the host name of the IPv6 server.
- Do not use the IP address to access HTTPS-related IPv6 web sites.
- Use IE or Chrome web browsers to access the site.

7.3.3 Reverse proxies cannot be installed in front of IPv6 servers
      without global IPv6 addresses.
====================================================================
In reverse proxy mode, traffic cannot be forwarded to IPv6 servers with
a link-local address. End-users cannot access the web server and will
not be protected by IWSVA.
The workaround is to use a global IPv6 address for the protected server
behind IWSVA.

7.3.4 IWSVA cannot connect to a DNS server if that server only has an
      IPv6 address.
====================================================================
If a DNS server has both IPv4 and IPv6 addresses, IWSVA will connect to
it without any problems.

7.3.5 When cookie mode is enabled on IWSVA, the Safari web browser
      might not display some web sites correctly.
====================================================================
Safari has a more stringent certificate-checking mechanism and does not
accept IWSVA Captive Portal's default certificate.

Workaround: Do not use Safari to surf the Internet through IWSVA, or
deactivate cookie mode.

7.3.6 Command Line Interface Shell (CLISH) has a time-out issue.
====================================================================
The "show network interfaces status" command is a function of IWSVA
CLISH. It helps an administrator check the current interface status. If
the administrator does not type anything in CLISH within 900 seconds,
CLISH cannot quit the usual way through the console. The administrator
can use the "killall" and "shownic" commands to quit.

To stop the current timeout process:
a. Change to another console by pressing ALT+F2.
b. Use the following "killall" command to end the timeout process.

   killall -9 shownic

7.3.7 The System Event log (SEL) hardware information cannot be read by
      IWSVA 6.0.
====================================================================
When IWSVA 6.0 is deployed on an IBM X360 or HP 380G5, the system event
log generated by the BMC agent on these devices cannot be read by
IWSVA. This will lead to inaccurate hardware status log information
being exported through the syslog and SNMP.

7.3.8 MAC Addresses will float from one port to another port when the
      switch is connected to multiple machines.
=====================================================================
This issue occurs when IWSVA 6.0 is connected to a switch at the same
time another machine is connected to the same switch. That machine's
MAC address will float between its real port and the IWSVA port. This
only occurs in the Transparent Bridge mode.

To fix this issue, add the MAC address filter option. To do this,
access the /etc/iscan/network.ini file using the CLISH tool, and run
one of the following commands:

   - add mac_filter=[mac address which you want to skip]
   or
   - add mac_filter!=[mac address which you want to scan]

Then, type the command "service network restart" on the console.

7.3.9 Application Control may not block an already established
      connection.
=====================================================================
The Application Control feature only blocks new connections to the
protocols specified in a new policy. If you deploy a new policy to
block Skype after being logged on to Skype, then Skype is not blocked.
However, if you log off Skype and then log on again, the policy works,
and Skype is blocked.

7.3.10 The time quota value requires settings to be in multiples of 5.
=====================================================================
This is caused by the time quota implementation method. The default
quota unit is five minutes. Trend Micro recommends that administrators
set the "Time quota" value to a multiple of five. Otherwise, IWSVA
ignores the remainder if it is less than five. For example, if the
value is set to four minutes, IWSVA interprets that as zero minutes. If
the value is set to nine minutes, IWSVA interprets that as five
minutes.

The time quota setting depends on the system time. For example, if it
is now 10:03 and the time quota = 5, the end user could only have
access for two minutes. That happens because the time quota is split
into five-minute increments (10:00-10:05, 10:05-10:10, etc.). Every
five minutes, a new increment begins.
7.3.11 An error message may be returned when you install IWSVA on a
       VMware ESX Virtual Machine.
======================================================================
When you install IWSVA on a VMware ESX Virtual Machine, occasionally
you might see the following error message:

   "Memory for crash kernel (0x0 to 0x0) not within permissible range"

This message is normal and safe to ignore.

7.3.12 A missing storage controller causes the system to show the
       "minimum hardware requirements were not met" message.
======================================================================
If the machine cannot find a storage controller, the installer will
check if the storage controller exists. If the storage controller does
not exist, the installation will fail even if the minimum hardware
requirements for memory and disk are met. The workaround is to skip the
hardware check.

To skip the hardware check:
1. When the "Minimum hardware requirements were not met" message is
   displayed, click "Next."
2. When the installation menu page appears, press "Tab" to open a
   command line.
3. Type "nohwfail" and press "Enter" to continue installing IWSVA.

7.3.13 File Transfer Protocol (FTP) data will be identified as
       "Unclassified" in the application category details when FTP
       scanning is enabled.
======================================================================
The IWSVA FTP daemon modifies the contents of the package in user mode.
Some critical parts of the FTP packets that are usually recognized are
changed. This change prevents the application signature engine from
recognizing the data, and it will be marked as "Unclassified." The only
way to avoid this issue at this time is to disable FTP scanning.

7.3.14 Some browsers or applications might not display the IWSVA
       blocking notification page if those browsers do not handle the
       HTTP 403 forbidden error well or if they ignore the error.
======================================================================
For example, the HTTP connection will be reset by IWSVA if a browser
keeps posting a large file and ignoring the HTTP 403 block page
notification from IWSVA.

In another example, the Google search page does not show any response
if the query is blocked by the IWSVA query keyword filter. This happens
when the Google search setting "Use Google Instant predictions and
results appear while typing" is enabled. This is because the Google
page uses AJAX to query data with a private format, not normal HTML. As
a result, it ignores the IWSVA 403 block notification page. The block
page is displayed correctly after "Google Instant" is disabled.

In these examples, the HTTP Inspection filter is working correctly and
content is blocked, but the user may not receive feedback explaining
why the content is blocked because the browser cannot display the IWSVA
notification.

7.3.15 If the time zone is not UTC+n hours, the dashboard and log query
       information will not sync.
======================================================================
If the time zone offset is not a whole number of hours (for example,
UTC+4:30 or UTC+5:45), the data shown on the dashboard or in log
queries might not sync with the raw log data, but the logs in the
database are correct.

7.3.16 APP Control cannot match the user policy in the Proxy Chain.
======================================================================
When deployed in the Proxy Chain, the application control daemon cannot
get the source IP to match the policy. This is a limitation.

8. Release History
========================================================================
IWSVA 6.0 SP1    January 17, 2014
IWSVA 6.0        June 28, 2013
IWSVA 5.6        June 30, 2012
IWSVA 5.5        August 5, 2011
IWSVA 5.1 SP1    January 26, 2011
IWSVA 5.1        August 11, 2010
IWSVA 5.0        August 15, 2009
IWSVA 3.1        July 9, 2008

9. Contact Information
========================================================================
A license to the Trend Micro software usually includes the right to
product updates, pattern file updates, and basic technical support for
one (1) year from the date of purchase only. After the first year,
Maintenance must be renewed on an annual basis at Trend Micro's
then-current Maintenance fees.

You can contact Trend Micro via fax, phone, and email, or visit us at:
http://www.trendmicro.com

Evaluation copies of Trend Micro products can be downloaded from our
Web site.

Global Mailing Address/Telephone Numbers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
For global contact information in the Asia/Pacific region, Australia
and New Zealand, Europe, Latin America, and Canada, refer to:
http://www.trendmicro.com/en/about/overview.htm

The Trend Micro "About Us" screen displays. Click the appropriate link
in the "Contact Us" section of the screen.

Note: This information is subject to change without notice.

10. About Trend Micro
========================================================================
Trend Micro Incorporated, a global leader in Internet content security
and threat management, aims to create a world safe for the exchange of
digital information for businesses and consumers. A pioneer in
server-based antivirus with over 20 years' experience, we deliver
top-ranked security that fits our customers' needs, stops new threats
faster, and protects data in physical, virtualized and cloud
environments. Powered by the Trend Micro Smart Protection Network(TM)
infrastructure, our industry-leading cloud-computing security
technology and products stop threats where they emerge, on the
Internet, and are supported by 1,000+ threat intelligence experts
around the globe. For additional information, visit www.trendmicro.com.

Copyright 2014, Trend Micro Incorporated. All rights reserved.
Trend Micro, the t-ball logo, InterScan(TM) Web Security Virtual
Appliance are trademarks of Trend Micro Incorporated and are registered
in some jurisdictions. All other marks are the trademarks or registered
trademarks of their respective companies.

11. License Agreement
========================================================================
Information about your license agreement with Trend Micro can be viewed
at:
http://us.trendmicro.com/us/about/company/user_license_agreements/

Third-party licensing agreements can be viewed:
- By accessing "/usr/share/doc"
- By selecting the "About" option in the application user interface
- By referring to the "Legal" page of the Getting Started Guide or
  Administrator's Guide