Trend Micro Incorporated                                 August 28, 2017
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Readme for Trend Micro (TM) Deep Security Manager 9.5 Service Pack 1
Patch 3 Update 6
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTICE: This Readme file was current as of the date above. However,
all customers are advised to check Trend Micro's website for
documentation updates.

GM release documentation:
http://docs.trendmicro.com

Patch/SP release documentation:
http://www.trendmicro.com/download

TIP: Register online with Trend Micro within 30 days of installation to
continue downloading new pattern files and product updates from the
Trend Micro website. Register during installation or online at:
https://clp.trendmicro.com/FullRegistration?T=TM

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Platforms: Windows Server 2012 (64-bit),
           Windows Server 2012 R2 (64-bit),
           Windows Server 2008 (64-bit),
           Windows Server 2008 R2 (64-bit),
           Windows Server 2003 R2 SP2 (64-bit),
           Red Hat Enterprise Linux 5 (64-bit),
           Red Hat Enterprise Linux 6 (64-bit)

Not Supported: Red Hat Enterprise Linux (RHEL) Xen Hypervisor
               Windows Server 2012 Core
               Windows Server 2008 Core

Deep Security Manager is no longer supported on 32-bit versions of the
Windows platform.

Date: August 28, 2017
Release: 9.5 Service Pack 1 Patch 3 Update 6
Build Version: 9.5.7230

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This product is subject to the terms detailed in the license agreement
and copied to the install directory.

For more information about the Trend Micro suite of Deep Security
products, visit our website at:
http://www.trendmicro.com/us/enterprise/cloud-solutions/deep-security/index.html

Download the latest version of this readme from the Deep Security page
at the Trend Micro Download Center website:
http://downloadcenter.trendmicro.com/

Trend Micro is always seeking to improve its documentation.
If you have questions, comments, or suggestions about this or any Trend
Micro documents, please contact us at docs@trendmicro.com. Your feedback
is always welcome.

Contents
===================================================================
   1. About Deep Security 9.5 Service Pack 1 Patch 3 Update 6
      1.1 Overview of This Release
      1.2 Who Should Install This Release
      1.3 Upgrade Notice
   2. What's New
      2.1 Enhancements
      2.2 Resolved Known Issues
   3. Documentation Set
   4. System Requirements
   5. Installation
   6. Known Incompatibilities
   7. Known Issues
   8. Release History
   9. Files Included in This Release
  10. Contact Information
  11. About Trend Micro
  12. License Agreement
  13. Third-Party Software
===================================================================

1. About Deep Security 9.5 Service Pack 1 Patch 3 Update 6
========================================================================

   1.1 Overview of This Release
   =====================================================================
   Deep Security Manager 9.5 Service Pack 1 Patch 3 Update 6 contains
   feature enhancements as well as bug fixes.

   For a list of the major changes in Deep Security 9.5, please see the
   "What's New" section of the Installation Guides, which are available
   for download from the Trend Micro Download Center.

   1.2 Who Should Install This Release
   =====================================================================
   You should install this release if you are currently running Deep
   Security 8.0, 9.0, 9.5, or 9.5 SP1. All new Deep Security users
   should install Deep Security 9.5 SP1 Patch 3 Update 6.

   1.3 Upgrade Notice
   =====================================================================
   - If you choose to upgrade your Deep Security Manager to version 9.5
     Service Pack 1 Patch 3 Update 6 while running older versions of
     Deep Security Agents under protection, you will be warned during
     the upgrade installation that this version will no longer be able
     to communicate with those Agents.
     Deep Security Manager 9.5 Service Pack 1 Patch 3 Update 6 ONLY
     supports the latest 8.0 and 9.x versions of Deep Security Agent,
     and Deep Security Virtual Appliance. Please refer to the "Known
     Incompatibilities" section of this readme file for details.

   - Deep Security 9.5 Service Pack 1 Patch 3 Update 6 does not support
     ESXi version 4.1. To deploy Deep Security 9.5 Service Pack 1
     Patch 3 Update 6, your VMware infrastructure (vCenter, vShield
     Manager, vShield Endpoint, and vShield Endpoint drivers) must be
     upgraded to version 5.x. Also be sure to read the VMware
     documentation for upgrading your VMware environment including the
     KB article on VMware's web site:

     http://kb.vmware.com/kb/2032756
     http://kb.vmware.com/kb/2052329

     Upgrade the Deep Security Filter Driver to SP1 Patch 3 version
     build 9.5.3-4507 prior to upgrading the Deep Security Virtual
     Appliance to 9.5 SP1 Patch 3 on a non-NSX environment. Engine
     offline errors will occur after upgrading Deep Security Virtual
     Appliance without upgrading the Filter Driver.

2. What's New
========================================================================

   2.1 Enhancements
   =====================================================================
   The following enhancement is included in this release:

   Enhancement 1: [DSSEG-1121]
                  When changing a user password, the password was
                  available as plain text in the body of the response.

   Solution 1:    This issue is fixed in this release.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

   2.2 Resolved Known Issues
   =====================================================================
   This release resolves the following issue:

   Issue 1:       [DSSEG-638]
                  When a scheduled malware scan was running, the URL of
                  a Deep Security Virtual Appliance displayed in the
                  Malware Scan Status widget was incorrect.

   Solution 1:    This issue is fixed in this release.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

3. Documentation Set
========================================================================
To download or view electronic versions of the documentation set for
this product, go to http://docs.trendmicro.com

In addition to this Readme file, the documentation set for this product
includes the following:

   - Online Help: The Online Help contains an overview of features and
     key concepts, and information on configuring and maintaining Deep
     Security 9.5.

     To access the Online Help, go to http://docs.trendmicro.com

   - Installation Guide (IG): The Installation Guide contains
     information on requirements and procedures for installing and
     deploying Deep Security 9.5.

     The following Installation Guides are available in Trend Micro
     Download Center:

     Deep_Security_95_SP1_Install_Guide_basic_EN.pdf
     Deep_Security_95_SP1_Install_Guide_vcloud_EN.pdf
     Deep_Security_95_SP1_Install_Guide_nsx_EN.pdf
     Deep_Security_95_SP1_Install_Guide_vmsafe_EN.pdf
     Deep_Security_95_SP1_Install_Guide_azure_EN.pdf

   - Administrator's Guide (AG): The Administrator's Guide contains an
     overview of features and key concepts, and information on
     configuring and maintaining Deep Security 9.5. It also contains
     post-installation instructions on how to configure the settings to
     help you get Deep Security "up and running". All of the content of
     the Administrator's Guide can be found in the Deep Security
     Manager's online help.

   - Support Portal: The Support Portal contains information on
     troubleshooting and resolving known issues.

     To access the Support Portal, go to http://esupport.trendmicro.com

   - TrendEdge is a program for Trend Micro employees, partners, and
     other interested parties that provides information on unsupported,
     innovative techniques, tools, and best practices for Trend Micro
     products. The TrendEdge database contains numerous documents
     covering a wide range of topics.

     http://trendedge.trendmicro.com

4. System Requirements
========================================================================
For a complete list of the System requirements, please refer to the
Deep Security 9.5 Installation Guide.

5. Installation
========================================================================
Refer to the "Deep Security Manager 9.5 Installation Guide", available
for download from the Trend Micro Download Center.

6. Known Incompatibilities
========================================================================
   - Deep Security Manager 9.5 Service Pack 1 Patch 3 Update 6 does not
     support version 7.5 and earlier versions of Deep Security Virtual
     Appliance and Deep Security Agent.

7. Known Issues
========================================================================
   - The CPU Usage (Agent only) setting under Manual and Scheduled Scan
     Configuration in the Deep Security Manager console is not working
     on SUSE 10 SP3 and SP4. [20717]

   - Coordinated approach in NSX is not supported in this build.
     Appliance (agentless) protection appears active and online even
     when Deep Security Agent is installed and online.

   - Agentless protection is not supported in ESX 5.1 with NSX.
     ESX 5.5, VCenter 5.5 and NSX Manager 6.0.5 are the minimum
     requirements for agentless protection. [22062]

   - Excluding a folder in Anti-Malware agentless protection would also
     exclude folders that start with the same folder name. For example,
     excluding c:\temp also excludes c:\temp1 and c:\temp2 from
     Anti-Malware scanning. [22037]

   - Anti-Malware, Web Reputation, Integrity Monitoring, and Log
     Inspection should not be enabled on the policy that is assigned to
     the Deep Security Virtual Appliance itself. These features are not
     supported when applied to the Deep Security Virtual Appliance and
     may produce error events. [21250]

   - It can take up to 30 minutes before the appliance is ready for
     deployment through NSX Manager after importing the Deep Security
     Virtual Appliance package to the DSM.
     Deploying the appliance before the package is in place at \temp
     would result in failure. [23150]

   - When preparing ESXi 5.5 for Deep Security Virtual Appliance (DSVA)
     9.5 deployment, you get the following error during Filter Driver
     installation: "The installation transaction failed". Refer to
     http://esupport.trendmicro.com/solution/en-US/1102068.aspx for
     complete details on the recommended action.

   - The Deep Security Manager will display the platform of CentOS
     machines as Red Hat. This is because the agent package used in
     CentOS and Red Hat are the same and labeled as Red Hat agent
     package. [21674/25156]

   - Location awareness will not work on pure IPv6 environment. [12776]

   - Infected file will still appear in Quarantined Files list even if
     the Anti-Malware Event says Quarantine Failed. [21620]

   - In the computer updates page, DSM will show Smart Scan Agent
     Pattern, Spyware Active Monitoring Pattern and Virus pattern in
     Deep Security Agent for Linux regardless of the scan mode. [21829]

   - Software update using IPv6 is currently not supported by Trend
     Micro download center. [25937]

   - Deep Security Agent running on SUSE in Azure cloud will not be
     managed under Azure cloud account in the Deep Security Manager.
     The agent will appear under normal computers list. [26499]

   - When the real-time Integrity Monitoring feature of Deep Security
     Agent is being used on Windows, the events "Get Events Failed" and
     "Agent/Appliance Error" may appear with the following description:
     "SQLITE_BUSY[5]: database is locked." When this event occurs,
     restart the Deep Security Agent service.

   - After Deep Security Agent upgrade, the event "Abnormal Restart
     Detected" may appear. The upgrade is not affected by this event
     and may be safely ignored. Do Clear Warnings and Errors and
     perform a Check Status to reflect the actual status of the agent.
     [26619]

   - The Out of Sync relays hyperlink displays the correct count but
     clicking the link will display both out of date computers and
     relays. [23418/21042]

   - In NSX 6.1.2 and earlier, if more than one NSX Security Groups are
     defined and applied to the NSX Security Policy that contains Deep
     Security Services, any un-applying of the policy will not be
     reflected in Deep Security Manager with respect to NSX Security
     Group membership. [25304]

   - In NSX 6.1.1 and earlier, if you remove the Deep Security Services
     from an NSX Security Policy, it will not be reflected in Deep
     Security Manager with respect to NSX Security Group membership.
     [25303]

   - Deep Security Manager does not support installation paths that
     contain special characters (non-alphabet and non-numeric
     characters). The same restriction also applies to the database
     name and/or database account used by Deep Security Manager.
     [16708]

   - When a user runs Agent-initiated recommendation scan using the
     "dsa_control -m RecommendationScan:true" command, no system event
     related to recommendation scan is recorded.

   - In rare situations, Deep Security Manager may not correctly
     identify the status of the EPsec Driver installed on an ESXi. When
     you activate an Appliance, if Deep Security Manager does not
     identify the correct status of vShield Endpoint, it will not
     register with the vShield Manager. If Deep Security Manager gives
     you this warning, perform a full "Synchronize" with your vCenter
     and it will update the current installation status of all drivers
     on all ESXi(s) in the environment. [17636]

   - In Multi-Tenant installations, the Primary tenant Deep Security
     Manager may cause "Reconnaissance Detected: Network or Port Scan"
     alerts on Tenants' Deep Security Managers. To avoid these alerts,
     Tenants can manually add the Primary Tenant's Deep Security
     Manager IP address to the "Ignore Reconnaissance" IP list.
     (Policies > Common Objects > Lists > IP Lists). [17175]

   - In rare cases, adding a vCloud or AWS Cloud Account in Deep
     Security Manager can result in the creation of two identical Cloud
     Accounts.
     If this occurs, either one of the two accounts can be safely
     removed. [17280/17051]

   - In a cloud provider environment if the "Enable regular
     synchronization with Cloud Provider" option is disabled, changing
     the Deep Security Agent hostname will disrupt the communication
     between Deep Security Manager and Deep Security Agent. Trend Micro
     strongly recommends keeping the "Enable regular synchronization
     with Cloud Provider" option ON. [15608]

   - If the Manager node(s) and the Database are installed on machines
     with synchronized clocks but configured for different time-zones,
     an error indicating that the clocks are not synchronized will be
     triggered incorrectly. [17100]

   - On Windows 2008 and Server 2012 systems, after installing the Deep
     Security Manager with a co-located Relay, the Deep Security
     Notifier icon does not automatically appear in the Windows
     notification area. However, the Deep Security Notifier will still
     function. Users need to re-launch the Deep Security Notifier from
     the "Start" menu or restart the system. [17533]

   - When using Deep Security in iCRC mode, a DNS server must be
     available. If a DNS server is unavailable the Anti-Malware feature
     of the Deep Security Virtual Appliance may not function correctly.
     [Deep Security 8.0-01169]

   - Deep Security Manager does not support License updates or
     connecting to the Trend Micro Certified Safe Software Service
     using a SOCKS5 proxy. To use these two features, use an HTTP
     proxy. [Deep Security 8.0-1024]

   - In certain cases, when attempting to use the dsm_s stop command on
     Linux to stop the Deep Security Manager service, you may get the
     following message: "Timeout. Daemon did not shutdown yet." Dsm_s
     is based on install4j whose timeout value is 15 seconds, which
     cannot be changed. The Deep Security Manager may require longer
     than this to shut down. To ensure the service has been shut down
     run the "ps -ef | grep DSMService" command before using the dsm_s
     stop command. [Deep Security 8.0-00095]

   - Air-gapped Relays will still try to contact an Update Server to
     check for Updates. To avoid update failure alerts, set the Relay
     to use itself as an update source:

     1. In the Relay's "Details" window, go to "System > System
        Settings > Updates".
     2. In the "Relays" area, select "Other Update Source:" and add
        "https://localhost:4122".
     3. Click "Save".

     [Deep Security 8.0-01124]

   - If an ESXi with an installed vShield Endpoint driver is removed
     from its vCenter, Deep Security Manager cannot detect the
     installed driver if the ESXi is later re-added to the vCenter.
     This will cause any newly Deep Security Virtual
     Appliance-protected virtual machines to not have Anti-Malware
     enabled. The workaround is to uninstall and reinstall the driver
     through the VSM. [Deep Security 8.0-01036]

   - Intrusion Prevention is not supported over SSL connections when
     using IPv6.

   - The Anti-Malware scan inclusion/exclusion directory settings are
     sensitive to forward slash "/" and backslash "\". For use with
     Windows operating systems the inclusion/exclusion paths must use
     the backslash "\". [7.5 SP1-00231]

   - When creating custom Integrity Monitoring Rules using the
     "RegistryKeySet" tag, the attribute values must be in uppercase
     letters. For example, . Using lowercase may result in an
     "Integrity Monitoring Rule Compile Issue" error. [7.5 SP1-00171]

   - Malware scans of network shared folders are only supported using
     real-time scan. Manual scans or scheduled scans will not work.
     [7.5-00012]

   - If a CD or a mounted ISO file contains malware and the
     Anti-Malware configuration is set to "Delete" upon detection, Deep
     Security Manager will still report that the malware was "deleted"
     even if it was unable to do so. [7.5-00010]

   - Deep Security Manager cannot display an incorrect filename event
     in the Anti-Malware Event if the malware was found in the "Recycle
     Bin". [7.5-00023]

   - During an upgrade, the Deep Security Manager service may not be
     able to install properly on some platforms if the "Services"
     screen is open. To work around this, make sure the "Services"
     screen is closed prior to installation or upgrade of Deep Security
     Manager.

   - If you receive a "java.lang.OutOfMemoryError" error during the
     installation of Deep Security Manager, please refer to the
     "Installation Guide" for instructions on how to configure the
     maximum memory usage for the installer.

   - During an upgrade, if you receive a message stating that the Deep
     Security Manager cannot start the service, restarting Deep
     Security Manager usually fixes the problem. In rare cases, you may
     have to run the installer again in Upgrade/Repair mode after
     restarting.

   - If Windows Firewall is enabled on Deep Security Manager, it may
     interfere with port scans causing false port scan results. Windows
     Firewall may proxy ports 21, 389, 1002, and 1720 resulting in
     these ports always appearing open regardless of any filter placed
     on the computer.

   - By default Exchange 2000 and later servers will dynamically assign
     a non-privileged port (1024-65535) for communications between the
     client and the server for the System Attendant, Information Store,
     and Name Service Provider Interface (NSPI) services. If you will
     be using the Microsoft Exchange Server profile with an Exchange
     2000 or later server then you should configure these services to
     use static ports as described in the article "Exchange 2000 and
     Exchange 2003 static port mappings"
     (http://support.microsoft.com/?kbid=270836). Once static ports
     have been configured you should extend the appropriate Exchange
     Server port list to include the ports that have been assigned to
     these services. You may also want to set the "No RFR Service"
     registry setting to "1" to prevent the Exchange server from
     referring clients to the domain controller for address book
     information.
     See the article "How Outlook 2000 Accesses Active Directory"
     (http://support.microsoft.com/?kbid=302914) for more information.
     Alternatively, it is possible to configure Exchange RPC to run
     over HTTPS if you are using Outlook 2003 on Windows XP Service
     Pack 1 or later with Exchange Server 2003. In this case only port
     443 needs to be added to the Exchange port list.

   - The "Recommendation" Alert may remain raised on some computers
     even after all recommended Intrusion Prevention, Integrity and Log
     Inspection Rules appear to have been applied. This can occur
     because even though an "Application Type" may be recommended for a
     computer, the "Application Type" will not be displayed in the
     "Show Recommended" view if no Intrusion Prevention Rules
     associated with Application Type are currently recommended. To
     resolve the situation, use the "Show All" view of the Intrusion
     Prevention Rules screen and assign all recommended "Application
     Types" (even if no associated Rules are currently recommended).
     Alternatively, you can just dismiss the alert after verifying that
     you have assigned all recommended rules to the computer. [8345]

   - When an Appliance-protected VM is migrated from one
     Appliance-protected ESXi to another, and if that virtual machine
     currently has warnings or errors associated with it (for example
     "Reconnaissance Detected"), those errors may incorrectly get
     cleared during the migration. [10602]

   - Log Inspection Events have a size limitation of 6000 characters.

8. Release History
========================================================================
See the following website for more information about updates to this
product: http://www.trendmicro.com/download

   - Deep Security Manager 9.5, Build 9.5.2456, August 18, 2014
   - Deep Security Manager 9.5, Build 9.5.2459, October 30, 2014
   - Deep Security Manager 9.5, Critical Patch Build 9.5.2461,
     Nov 18, 2014
   - Deep Security Manager 9.5 Patch 1, Build 9.5.4112,
     December 5, 2014
   - Deep Security Manager 9.5 SP1 Patch 2, Build 9.5.6511,
     September 23, 2015
   - Deep Security Manager 9.5 SP1 Patch 3, Build 9.5.7008,
     November 6, 2015
   - Deep Security Manager 9.5 SP1 Patch 3 Critical Patch 1,
     Build 9.5.7200, June 07, 2016
   - Deep Security Manager 9.5 SP1 Patch 3 Update 3, Build 9.5.7222,
     March 10, 2017
   - Deep Security Manager 9.5 SP1 Patch 3 Update 4, Build 9.5.7226,
     April 07, 2017
   - Deep Security Manager 9.5 SP1 Patch 3 Update 5, Build 9.5.7228,
     June 07, 2017
   - Deep Security Manager 9.5 SP1 Patch 3 Update 6, Build 9.5.7230,
     August 28, 2017

   8.1 Deep Security Manager 9.5.2456
   =====================================================================

   8.1.1 Enhancements
   =====================================================================
   Deep Security Manager 9.5.2456 adds the following enhancements:

   vSphere 5.5 Support
   - Security for Software-Defined Data Center NSX
   - Support for mixed-model deployments (NSX and non-NSX)

   Smarter, Lightweight Agent
   - Lightweight installer
   - Selective deployment of Protection Modules to Agents based on
     Security Policy requirements results in smaller Agent footprint
   - Automatic support for new Linux Kernels

   Trend Micro Control Manager Enhancements
   - More dashboard widgets with drill-down capability
   - Full events - Anti-Malware and Web Reputation
   - Command and Control Communication Prevention

   Linux Support
   - New Distributions: Oracle Unbreakable
   - On-demand Anti-Malware scanning for all distributions
   - Real-Time Anti-Malware for Red Hat and SuSE

   Improvements to Security and Software Update Management
   - Improved visibility into Update status
   - Improved accessibility to Software Updates

   8.1.2 Resolved Known Issues
   =====================================================================
   - This release includes all resolved issues that were resolved in
     Deep Security 9.0 SP1 Patch 3 except those explicitly listed in
     the section "Known Issues in Deep Security Manager 9.5" below.

   8.2 Deep Security Manager 9.5.2459 (Critical Patch)
   =====================================================================

   8.2.1 Enhancements
   =====================================================================
   This critical patch includes the following enhancement:

   Enhancement 1: Amazon Web Services (AWS) added the Frankfurt Region
                  which is not currently supported in Deep Security
                  Manager 9.5. This critical patch enables Deep
                  Security Manager 9.5 to support the AWS Frankfurt
                  Region.

   8.2.2 Resolved Known Issues
   =====================================================================
   This critical patch resolves the following issue:

   Issue 1:       An issue with the SSLv3 protocol triggers a certain
                  vulnerability in Deep Security Manager 9.5.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 1:    This critical patch enables Deep Security Manager 9.5
                  web servers to accept only TLSv1.0 connections and
                  prevents these from accepting SSLv3 connections to
                  resolve the vulnerability.

   8.3 Deep Security Manager 9.5.2461 (Critical Patch)
   =====================================================================

   8.3.1 Enhancements
   =====================================================================
   This Critical Patch does not add any enhancement.

   8.3.2 Resolved Known Issues
   =====================================================================
   This critical patch resolves the following issues:

   Issue 1:       An issue related to an SSLv2 hello protocol attribute
                  prevented Deep Security Manager from deploying the
                  Filter Driver on ESXi 5.0 or 5.1.
   Solution 1:    This critical patch resolves the issue related to the
                  SSLv2 hello protocol attribute so that Deep Security
                  Manager can successfully deploy the Filter Driver on
                  ESXi 5.0 or 5.1.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Issue 2:       When Deep Security Manager responded to URL requests,
                  the response contained the Deep Security Manager web
                  server type and version information.

   Solution 2:    This critical patch removes the server type and
                  version information from the "server.xml" parameter
                  that Deep Security Manager uses to respond to URL
                  requests so that this information does not appear in
                  the URL request responses.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Issue 3:       An issue with the SSLv3 protocol triggered a certain
                  vulnerability in Deep Security Manager 9.5.

   Solution 3:    To resolve the vulnerability, this critical patch
                  enables Deep Security Manager 9.5 web servers to
                  accept only TLSv1.0 connections and prevents them
                  from accepting SSLv3 connections.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Issue 4:       Amazon Web Services (AWS) added the Frankfurt Region,
                  which was not supported in Deep Security Manager 9.5.

   Solution 4:    This critical patch enables Deep Security Manager 9.5
                  to support the AWS Frankfurt Region.

   8.4 Deep Security Manager 9.5.4112
   =====================================================================

   8.4.1 Enhancements
   =====================================================================
   Deep Security Manager 9.5 Patch 1 does not add any enhancement.

   8.4.2 Resolved Known Issues
   =====================================================================
   Deep Security Manager 9.5 Patch 1 resolves the following issues:

   Issue 1:       [25132/25109/TT308912]
                  Recommendation Scan with either Agent-initiated mode
                  or Manager-initiated mode on a Windows Azure endpoint
                  fails, since Windows Azure disconnects the connection
                  between DSM and DSA when the connection is idle for
                  over 4 minutes.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 1:    Enable the Keep-Alive socket option to prevent being
                  disconnected by Windows Azure when the connection is
                  idle. With this fix, the connection between DSM and
                  DSA is able to get TCP/IP Keep-Alive packet by
                  Windows with the following settings:

                  Key: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
                  Name: KeepAliveTime
                  Type: REG_DWORD
                  Default Value: 0x6DDD00
                                 (7,200,000 milliseconds = 2 hours)

                  Key: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
                  Name: KeepAliveInterval
                  Type: REG_DWORD
                  Default Value: 0x3E8
                                 (1,000 milliseconds = 1 second)

   Issue 2:       [25167/24845/TT307842]
                  An issue with the SSLv3 protocol triggers a certain
                  vulnerability in Deep Security Manager 9.0 Service
                  Pack 1.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 2:    This critical patch enables Deep Security Manager 9.5
                  web servers to accept only TLSv1.0 connections and
                  prevents these from accepting SSLv3 connections to
                  prevent the vulnerability.

   Issue 3:       [25168/25110/TT307416]
                  Some Log Inspection events have mistranslations in
                  the Japanese version.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 3:    The translation has been fixed.

   Issue 4:       [25340/25333/TT309982]
                  DSM fails to prepare ESXi 5.0/5.1 because of the
                  SSLv2 Hello protocol attribute.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 4:    This hot fix resolves the above issue. The Filter
                  Driver can now be deployed successfully on ESXi
                  5.0/5.1.

   Issue 5:       [25341/24139/TT302914]
                  For a valid URL request to Deep Security Manager, the
                  response includes DSM web server type and version
                  information.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 5:    Changing the server.xml parameter to remove server
                  type and version information.

   Issue 6:       [20448/19960/TT279384]
                  Some widgets on the Dashboard always show items in
                  English even if the user's display language is
                  Japanese. Due to this behavior, the user can't see
                  any events in "Events & Reports" by clicking the
                  items on the widgets.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 6:    Widgets and Reports show items based on the user's
                  language setting.

   Issue 7:       [22745/21578/TT290832/TT247366]
                  When DSM is installed on RHEL 5 and RHEL 6 with a JP
                  locale, the diagnostic package collected may not be
                  able to show Japanese characters in the PDF file.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 7:    This release fixes a bug in the diagnostic package
                  PDF file.

   8.5 Deep Security Manager 9.5.5600
   =====================================================================

   8.5.1 Enhancements
   =====================================================================
   Deep Security Manager 9.5 Service Pack 1 adds the following
   enhancements:

   Extended support for Microsoft Azure
   - Deep Security can now connect to Microsoft Azure accounts using
     shared certificates. For more information, see the Deep Security
     9.5 SP1 Installation Guide (Cloud).

   Extended support for VMware NSX Security Policies
   - Event-Based Tasks are now available that allow users to monitor
     the VMware NSX Security Policy assigned to a VM and perform Deep
     Security Tasks (such as the activation or deactivation of Deep
     Security protection) based on changes to the NSX Security Policy.
     For more information, see "Deploying Agentless Protection in an
     NSX Environment" in the Deep Security 9.5 SP1 Installation Guide
     (NSX).

   Extended support for NSX tagging
   - Deep Security can now apply NSX tags based on Intrusion Prevention
     Events, as well as Anti-Malware Events. For more information, see
     "Deploying Agentless Protection in an NSX Environment" in the Deep
     Security 9.5 SP1 Installation Guide (NSX).

   Extended Proxy Support for Relays
   - Relay Groups can now be configured to use unique proxy servers to
     retrieve Security Updates from Trend Micro. The option is
     available in the Relay Group's properties window.
   Support for log only HTTP Protocol Decoder errors
   - Certain errors determined by the HTTP Protocol decoder can now be
     manually set to be log only. The errors are:

       Double Decoding Exploit
       Illegal Character in URI
       Invalid Hex Encoding
       Invalid Use of Character
       Invalid UTF8 Encoding

   IPS Events are now viewable in Trend Micro Control Manager
   - Deep Security Intrusion Prevention Events can now be monitored in
     Trend Micro Control Manager.

   Proxy settings for communication with Cloud Instances
   - Deep Security Manager can now be configured to use a separate
     proxy server to communicate with protected Cloud Account
     instances. The proxy settings are available in the Deep Security
     Manager on the Administration > System Settings > Proxies tab.

   Recommendation Scan Performance Improvements
   - Improvements to the recommendation scan analysis algorithms have
     resulted in a fivefold improvement in the average amount of time
     required to carry out a Recommendation Scan on a computer.

   Display X-Forwarded-For header in Intrusion Prevention Events
   - Deep Security can now display X-Forwarded-For headers in Intrusion
     Prevention events when available in the packet data. This
     information can be useful when the Deep Security Agent is behind a
     load balancer or proxy. When X-Forwarded-For header data is
     available, it is displayed in the Event's Properties window.

   8.5.2 Resolved Known Issues
   =====================================================================
   This release resolves the following issues:

   Issue 1:       Recommendation Scan with either Agent-initiated mode
                  or Manager-initiated mode on Windows Azure endpoint
                  failed, since Windows Azure disconnected connections
                  between the Deep Security Manager and Deep Security
                  Agent when the connection was idle more than 4
                  minutes.

   Solution 1:    Enable the Keep-Alive socket option to prevent being
                  disconnected by Windows Azure when a connection is
                  idle.
With this fix, the connection between Deep Security Manager and Deep Security Agent is able to get TCP/IP Keep-Alive packet by Windows with the following settings: Key: HKLM\SYSTEM\CurrentControlSet\Services\Tcp \Parameters Name: KeepAliveTime Type: REG_DWORD Default Value: 0x6DDD00 (7,200,000 milliseconds = 2 hours) Key: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip \Parameters Name: KeepAliveInterval Type: REG_DWORD Default Value: 0x3E8 (1,000 milliseconds = 1 second) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Issue 2: An issue with the SSLv3 protocol triggered a certain vulnerability in Deep Security Manager 9.0 Service Pack 1. Solution 2: This critical patch enables Deep Security Manager 9.5 web servers to accept only TLSv1.0 connections and prevents these from accepting SSLv3 connections to prevent the vulnerability. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Issue 3: Some Log Inspection events had mistranslations in the Japanese version. Solution 3: The translation has been fixed. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Issue 4: Deep Security Manager failed to prepare ESXi 5.0/5.1 because of SSLv2 Hello protocol attribute. Solution 4: This hot fix resolves the issue. The Filter Driver can now be deployed successfully on ESXi 5.0/5.1. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Issue 5: For a valid URL request to Deep Security Manager, the response includes Deep Security Manager web server type and version information. Solution 5: Changed the server.xml parameter to remove server type and version information. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Issue 6: Some widgets on the Dashboard always show items in English, even if user's display language is Japanese. Due to this behavior, the user can't see any events in "Events & Reports" by clicking the items on the widgets. Solution 6: Widgets and Reports show items based on user's language setting. 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 7: When Deep Security Manager is installed on RHEL 5 and RHEL 6
with a JP locale, the diagnostic package collected may not be able to
show Japanese characters in the PDF file.
Solution 7: This release fixes the bug in the diagnostic package PDF
file.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 8: When you add more than one NIC to an existing guest virtual
machine (VM), vCenter will update the IP address list in a last-in
first-out (LIFO) pattern. When Deep Security Manager queries vCenter,
vCenter will provide the most recently added IP address for each guest
VM. If the IP address and the corresponding NIC are not accessible
from Deep Security Manager or vCenter at that time, the corresponding
guest VM status will be "offline".
Solution 8: This release allows users to specify a preferred IP
address for each guest VM through the
"settings.configuration.preferredGuestVMIpAddress" parameter. Deep
Security Manager will always use this preferred IP address to connect
to a guest VM with multiple IP addresses and NICs. This helps ensure
that Deep Security Manager can always connect to Deep Security Agent
even when the NIC changes, as long as the specified IP address is
correct.

8.6 Deep Security Manager 9.5.6008
=====================================================================

8.6.1 Enhancements
=====================================================================
Deep Security Manager 9.5 SP1 Patch 1 adds the following enhancements:

Enhancement 1: [29456] Deep Security Manager has been enhanced for
aggregating Deep Security events from multiple Manager Nodes using
External ID based on CEF Format. This adds External IDs to Syslog
Messages that are being extracted from the Deep Security Manager
database hosts table. They can be set when Agent-initiated activation
happens or when any Agent-initiated heartbeat occurs.
Enhancement 2: [26956] This Patch adds support for the AWS GovCloud
(US) Region in Deep Security Manager. It appears under "Computers >
New > Add Cloud Account" for Amazon Cloud Provider.
Enhancement 3: [27164] This Patch adds support for the AWS China North
(Beijing) Region in Deep Security Manager. It appears under
"Computers > New > Add Cloud Account" for Amazon Cloud Provider.
Enhancement 4: [28256] This release includes a fix for the CWE-331
Insufficient Entropy issue.

8.6.2 Resolved Known Issues
=====================================================================
This release resolves the following issues:

Issue 1: [26558] In the Computer Details "Recommendations" area, the
Unresolved Recommendations count included unrecommendable rules. If
you created a custom rule and assigned it after running a
recommendation scan, Deep Security Manager would always display
"Unassign XX currently assigned rule(s)".
Solution 1: Deep Security Manager now counts only recommendable rules
and generates a correct description.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 2: [20735] Deep Security Manager's debug-level logging is
enabled.
Solution 2: The Deep Security Manager's debug level logging is now
enabled without restarting the Deep Security Manager service.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 3: [26532] Certain indexes were causing issues.
Solution 3: The following indexes have been deprecated:
  hosts_statecode
  hosts_outstandingagentcommands
  hosts_requiresstatuscheck
  hosts_activateagent
  hosts_requiresupgrade
  hosts_deactivateagent
  hosts_requireslogfetch
  hosts_reqdetectengexec
  hosts_requiresscan
  hosts_lastmodified
  hosts_locked
  hosts_requiresupdate
  hosts_antimalwaremanualscanstate
  hosts_antimalwarescheduledscanstate
  hosts_integrityscanstate
  hosts_rebuildbaselinestate
  managerjobs_type
  managerjobs_priority
  packetlogdatas_hostid_dataindex
NOTE: If you perform a Deep Security Manager upgrade, these indexes
will be removed. If you perform a fresh install, the indexes will not
be added.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 4: [26863/TT312935] Attempting to add a vCloud user account
using the REST API would fail with a "400 Bad Request" error.
Solution 4: This issue has been fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 5: [26924/TT312992] Deep Security Manager accepted some invalid
directory/file paths under the exclusion lists for various policy
configurations.
Solution 5: Improved the validations in the Deep Security Manager to
prevent invalid file/directory paths.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 6: [27011/TT318318] In some circumstances (for example if the
Deep Security Manager service was temporarily offline), using vMotion
to move a protected VM from one protected ESXi to another could result
in a situation where the Virtual Appliance on the original ESXi would
still report the VM as being present but that Anti-Malware and network
engines were offline.
Solution 6: This issue has been fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 7: [27012/TT314483] On the Overrides tab for a computer, the
value for "System > Computer Settings Overridden" was incorrectly
incremented when overriding some of the "Advanced" settings for
various security modules.
Solution 7: With this Patch, the override information provided on the
Overrides tab is accurate. Module-specific overrides are counted in
the "Settings" totals for individual modules, rather than in "Computer
Settings Overridden".
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 8: [27714/TT317700] When trying to add Microsoft Azure Cloud
Connector, an error message "Unable to add cloud connector" was
sometimes observed.
Solution 8: The connector parameters have been modified to avoid
seeing these error messages.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 9: [28247/TT320382] In a multi-tenant environment, when the user
clicked "Database Upgrade" on a deleted tenant whose status was
"Pending deletion", the status of the deleted tenant would become
"Active". The expected functionality is that the tenant stays in a
"Pending deletion" state for seven days, after which the Deep Security
Manager deletes it.
Solution 9: This issue has been fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 10: [28286] An "Unable to save" error appeared in the Deep
Security Manager console when trying to create a new Scan Cache
Configuration; however, the configuration was created successfully.
Solution 10: This issue has been fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 11: [28300/TT316718] Deep Security Manager could not communicate
with Microsoft SQL Server if traffic encryption was enabled.
Solution 11: This fix resolves the issue.

Notes for installation:
=======================
1. For a clean Deep Security Manager installation on Linux:
   - Make sure MS SQL Server traffic encryption is disabled.
   - Follow instructions in the Installation Guide to install the Deep
     Security Manager normally.
   - Stop the Deep Security Manager service:
       # service dsm_s stop
   - Edit /opt/dsm/webclient/webapps/ROOT/WEB-INF/dsm.properties to
     add the following line:
     ---------------------------------------------------
     database.SqlServer.ssl=require
     ---------------------------------------------------
   - Under /opt/dsm, create a dsm_s.vmoptions file that contains the
     following line:
     ---------------------------------------------------
     -Djsse.enableCBCProtection=false
     ---------------------------------------------------
   - Enable Microsoft SQL Server traffic encryption and restart the
     SQL service.
   - Start the Deep Security Manager service:
       # service dsm_s start

2. For a clean Deep Security Manager installation on Windows:
   - Make sure MS SQL Server traffic encryption is disabled.
   - Follow instructions in the Installation Guide to install the Deep
     Security Manager normally.
   - Stop the Deep Security Manager from the Service Manager.
   - Edit \Program Files\Trend Micro\Deep Security Manager\webclient\
     webapps\ROOT\WEB-INF\dsm.properties to add the following line:
     ---------------------------------------------------
     database.SqlServer.ssl=require
     ---------------------------------------------------
   - Under \Program Files\Trend Micro\Deep Security Manager, create a
     Deep Security Manager.vmoptions file that contains the following
     line:
     ---------------------------------------------------
     -Djsse.enableCBCProtection=false
     ---------------------------------------------------
   - Enable Microsoft SQL Server traffic encryption and restart the
     SQL service.
   - Start the Deep Security Manager service from the Service Manager.

3. For a Deep Security Manager Upgrade on Linux:
   - Make sure Microsoft SQL Server traffic encryption is disabled and
     that the Deep Security Manager can connect successfully to the
     database.
   - Follow instructions in the Installation Guide to upgrade the Deep
     Security Manager normally.
   - Stop the Deep Security Manager service:
       # service dsm_s stop
   - Edit /opt/dsm/webclient/webapps/ROOT/WEB-INF/dsm.properties to
     add the following line:
     ---------------------------------------------------
     database.SqlServer.ssl=require
     ---------------------------------------------------
   - Under /opt/dsm, create a dsm_s.vmoptions file that contains the
     following line:
     ---------------------------------------------------
     -Djsse.enableCBCProtection=false
     ---------------------------------------------------
   - Enable Microsoft SQL Server traffic encryption and restart the
     SQL service.
   - Start the Deep Security Manager service:
       # service dsm_s start

4. For a Deep Security Manager Upgrade on Windows:
   - Make sure MS SQL Server traffic encryption is disabled and that
     the Deep Security Manager can connect successfully to the
     database.
   - Follow instructions in the Installation Guide to upgrade the Deep
     Security Manager normally.
   - Stop the Deep Security Manager from the Service Manager.
   - Edit \Program Files\Trend Micro\Deep Security Manager\webclient\
     webapps\ROOT\WEB-INF\dsm.properties to add the following line:
     ---------------------------------------------------
     database.SqlServer.ssl=require
     ---------------------------------------------------
   - Under \Program Files\Trend Micro\Deep Security Manager, create a
     Deep Security Manager.vmoptions file that contains the following
     line:
     ---------------------------------------------------
     -Djsse.enableCBCProtection=false
     ---------------------------------------------------
   - Enable Microsoft SQL Server traffic encryption and restart the
     SQL service.
   - Start the Deep Security Manager service from the Service Manager.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 12: [28304] When a customer set "Perform ongoing Scans for
Recommendations" to YES in a parent policy, the inherited value for
YES was not inherited properly. As a result, the recommendation scan
did not start.
Solution 12: With this release, if any parent policy has "Perform
ongoing Scans for Recommendations" set to YES, Deep Security Manager
will run ongoing Recommendation scans properly.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 13: [28373] New Firewall events could not be inserted into the
packetlogs table if the Primary Key (PacketLogID) maximum was reached.
Solution 13: This issue has been fixed in this release.
IMPORTANT NOTE: During the installation, depending on its size, the
upgrade process for Microsoft SQL Server-based installations can take
an extremely long time.
It is STRONGLY RECOMMENDED that administrators make a backup of their
entire Deep Security Manager database before attempting an upgrade.
Administrators are also highly encouraged to consult technical support
first for further assistance.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 14: [28373/TT323137] In Agent-initiated Mode, Deep Security was
unable to set the certificate for SSL inspection. The Next button was
disabled.
Solution 14: This issue has been fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 15: [28841/TT322254] When a policy was edited to unassign an
Application Type setting and then the policy was imported into another
Deep Security Manager, the override was not always imported correctly.
Solution 15: This issue has been fixed in this release. The override
setting is imported correctly.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 16: [28871/TT323596] Custom reports from older versions of Deep
Security Manager were sometimes unable to run under Deep Security
Manager 9.x.
Solution 16: New fields have been added to make sure that all custom
reports run successfully in the current release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 17: [28881/TT322685] System Events Reports produced by Deep
Security Manager 9.5 do not use the same icons and colors as the
reports produced by Deep Security Manager 9.0.
Solution 17: The code has been fixed to produce the same results as
Deep Security Manager 9.0.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 18: [29070/TT322852] The Japanese version of the Deep Security
Manager console contained a typo in an error message.
Solution 18: This issue has been fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 19: [29073/TT323886] Event-based tasks were not working when a
condition was set with a combination of "Computer Moved" and "Folder
Name".
Solution 19: This issue has been fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 20: [29192/TT323877] Active Directory users with apostrophes in
their email addresses could not be added due to an older RFC for email
validation.
Solution 20: This issue has been fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 21: [29263/TT324533] Deep Security Manager did not configure the
TN permission on the DPI Port Lists setting, which caused the TN user
to not be able to view or modify the Port Lists, even when the T0 user
gave them permission to do so.
Solution 21: This issue has been fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 22: [29264] When importing the Agent package into the Deep
Security Manager, it complained that it was not signed.
Solution 22: The signature check defect has been fixed, so that it can
correctly verify the build.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 23: [27789/TT311094] The Deep Security Manager's Web GUI port
was capable of allowing SSL/TLS compression, which is no longer
required.
Solution 23: TLS Layer compression has been disabled in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 24: [27933/TT318130] Event-based tasks (EBTs) based on folder
names with negation-type expressions such as ^((?!Linux).)*$ did not
appear to work. For example, the task would still run against
computers contained within the folder being excluded.
Solution 24: This issue has been fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 25: [27968/TT319410] Starting with 9.5 SP1, the "Inherited"
check box did not disable the advanced network engine settings. When
the user clicked "Settings" > "Network Engine" for a particular host,
all network engine values were editable even when the "Inherited"
check box was selected.
Solution 25: With this fix, all network engine values are disabled
when the "Inherited" check box is selected.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 26: [27993] Active Directory Synchronization with Deep Security
Manager under very large load sometimes caused the SQL Server Database
to hang.
Solution 26: Removed the excess broadcast calls during syncHosts,
which fixed this issue.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 27: [28072] Intrusion Prevention rules that must be configured
before use kept showing a warning icon even after they were
configured.
Solution 27: This issue has been fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 28: [28292] Event 1668 "Scan for Integrity Resumed" displayed
the incorrect description "Scan for Integrity Requested".
Solution 28: The description in the event definition was modified to
display "Scan for Integrity Resumed".
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 29: [28845/TT320011] In a vCloud environment, users could not
download quarantined files from a vCloud-managed computer using any
tenant account.
Solution 29: This release enables users to download quarantined files
from a vCloud-managed computer using any tenant account.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 30: [29194/TT321755] Any directory list created using wild card
characters could not be saved and used for Scan Settings for
Anti-Malware configuration. However, a bug was identified under
Real-Time and Scheduled Scan configuration, where re-editing the wild
card settings and removing those wild cards from Directory Lists twice
could actually save the wild card under this list, which caused
confusion.
Solution 30: This issue has been fixed in this release. Wild cards
cannot be used under scan settings for a directory list.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 31: [29581] The Deep Security Manager reset the virtual
appliance ID to the old DSVA after vMotion happened to clean up rogue
Agents. This caused a mismatch of ESXi and DSVA information for the
virtual machine.
Solution 31: This issue has been fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 32: [24545] Deep Security Manager showed incomplete data for an
Intrusion Prevention event if the packet was a jumbo packet.
Solution 32: This is particularly true when the back-end database is
Oracle. The column type of the previous DSM DPI event table does not
have the capacity to store more than 2000 bytes of data. The fix
introduces a new column type that can store up to 4KB of packet data.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 33: [28182] vCenter Synchronization with Deep Security Manager
sometimes failed due to Account Permission.
Solution 33: This has been fixed in the current release.

8.7 Deep Security Manager 9.5.6511
=====================================================================

8.7.1 Enhancements
=====================================================================
Deep Security Manager 9.5 SP1 Patch 2 adds the following enhancements:

Enhancement 1: [TT327545/TT325349/29665] By default, the Deep Security
Manager console uses the TLSv1, TLSv1.1, and TLSv1.2 protocols to
communicate with port 4119. This release lets you configure the
supported protocols by adding the protocols parameter to the
configuration.properties file, including limiting this communication
to any single protocol. Follow the procedure below to use this
capability.

Procedure to change settings:
a) Stop the Deep Security Manager Service.
b) Open the configuration.properties file under
   C:\Program Files\Trend Micro\Deep Security Manager.
c) Add the following entry at the end of file and save the file:
     protocols=TLSv1.2
   Note: You can define more than one protocol by separating them with
   commas, for example:
     protocols=TLSv1,TLSv1.1,TLSv1.2
d) Start the Deep Security Manager Service.
e) Use the OpenSSL s_client command to verify the protocol on the Deep
   Security Manager's Web Console port 4119 as follows:
     OpenSSL> s_client -connect Deep_Security_Manager_IP_Address:4119
   Under the SSL-Session section, verify that Protocol is TLSv1.2 or
   the one you defined in the configuration.properties file.

Please Note: This change of protocol type for the Deep Security
Manager's web console port 4119 affects operations like accessing the
web GUI from a browser, preparing an ESXi server for Filter Driver,
deploying Agents using deployment scripts, and deploying the Deep
Security Virtual Appliance in an NSX environment. Administrators who
modify the configuration.properties file must make sure that the
operating system used to deploy Agents with deployment scripts
supports the protocol defined in the configuration.properties file;
otherwise, the deployment will fail. The same applies to the ESXi
versions used when preparing ESXi in a non-NSX environment and when
deploying DSVA in an NSX environment.

8.7.2 Resolved Known Issues
=====================================================================
This release resolves the following issues:

Issue 1: [TT326589/29698] The Deep Security Manager handled the
connection type for some policies incorrectly. In some cases,
unnecessary rules were recommended.
Solution 1: The Deep Security Manager code logic has been corrected to
fix this issue.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 2: [TT328621/TT32903/29902] With Deep Security Manager 9.5 SP1,
it was no longer possible to place Environment Variables inside an
exception list, for example, ${windir}.
If set to backslash, this error also appeared: "The list of
directories contains an invalid entry. All directory paths must end
with a slash. ('\' for Windows, '/' for Linux.)".
Solution 2: A change to the logic that validates Environment Variables
caused the breakage. The new logic has been enhanced to cover this
case as well as other cases that were supported previously.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 3: [TT328231/29967] Agent reactivation did not work when only
Agent-initiated communication was allowed.
Solution 3: This code defect has been fixed.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 4: [29969] When users performed a fresh install of Deep Security
Manager 9.5 with a co-located Relay, the version 9.6 Relay-enabled
Agent was installed. In addition, the software update screen showed
version 9.6 of the Deep Security Agent. This was also true for Deep
Security Virtual Appliance Deployment.
Solution 4: With this patch, the installer will download only the Deep
Security 9.5 SP1 Patch 1 (latest) Agent as the Deep Security Relay,
and the Software update list shows only Deep Security version 9.5.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 5: [29787] The Deep Security Manager 9.5 SP1 Patch 1 included a
database schema change. While upgrading to Patch 1, customers
encountered an upgrade timeout situation and restarted the Deep
Security Manager service while the schema upgrade was happening. This
was being triggered because the Deep Security Manager console waited
for only 10 minutes for the Deep Security Manager service to start. As
a result, the database schema upgrade became corrupted or migration
stopped.
Solution 5: In this Patch, the upgrade process is divided into steps:
a) First, use the steps in this Knowledge Base Article to upgrade the
   database schema:
   http://esupport.trendmicro.com/solution/en-US/1112218.aspx
b) Once the database schema change/migration is completed, run the
   installer as usual to upgrade Deep Security Manager to Patch 3.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 6: [TT330295/30128] The Deep Security Manager did not check the
parse item count, so when a File List item consisted of only comment
'#' symbols, it caused an ArrayIndexOutOfBoundsException.
Solution 6: This issue has been fixed in this release.

8.8 Deep Security Manager 9.5.7008
========================================================================

8.8.1 Enhancements
=====================================================================
Deep Security Manager 9.5 Service Pack 1 Patch 3 adds the following
enhancement.

Enhancement 1: [30083/30269] The Deep Security Network Engine has been
enhanced to choose Anti-Evasion Settings for the Intrusion Prevention
System. These settings are available under the Computer > Settings >
Network Engine tab. For more details, please refer to online help.

8.8.2 Resolved Known Issues
=====================================================================
This release resolves the following issues:

Issue 1: [TT321245/30296] When offline vMotion happened, a "Send
Policy Failed" error occurred before Deep Security Manager activated
the VMs.
Solution 1: The problem with Deep Security Manager has been fixed in
this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 2: [TT327952/30297] A thread in the iCRC common module behaved
abnormally and could trigger a high CPU usage issue.
Solution 2: This Patch resolves the issue by disabling the abnormal
thread in the iCRC common module.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 3: [TT327732/30307] A Deep Security Virtual Appliance
recommendation scan request would time out when a customer had another
anti-malware product running on the VM that affected the file scan
performance. The timeout value was hard-coded and could not be
configured to extend its value.
Solution 3: This release has been enhanced with a new setting to
configure the timeout value.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 4: [TT332807/30303] Constraints violation errors were
continuously reported in the Deep Security Manager (9.5) log files
after migrating from Deep Security Manager version 8.x to 9.5. The
upgrade process failed to migrate existing hosts related data to new
table(s). One of the fields in the Deep Security Manager database
table, AntimalwareHosts, was not null-able, causing these errors to
appear repeatedly in the Deep Security Manager logs.
Solution 4: This issue has been fixed in this release.

8.9 Deep Security Manager 9.5.7200
========================================================================

8.9.1 Enhancements
=====================================================================
Deep Security Manager 9.5 Service Pack 1 Patch 3 Critical Patch 1 adds
the following enhancement:

Enhancement 1: [DSSEG-275] Deep Security Manager 9.5 Service Pack 1
Patch 3 Critical Patch 1 adds two new widgets for tracking ransomware
events caught by Deep Security. The Ransomware Status widget gives the
total number of events caught by Deep Security within the selected
timeframe. The Ransomware Event History indicates the number of events
caught by module (Anti-malware, Web Reputation, Intrusion Prevention,
and Integrity Monitoring). The two new widgets can be added to your
Deep Security Dashboard by clicking the Add/Remove Widgets button and
scrolling to Ransomware.
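
The check in step e) of the procedure in section 8.7.1, extended to all
three protocol versions, as an added example that is not part of the
Trend Micro readme: it reads the protocols entry from
configuration.properties and compares it with what port 4119 actually
negotiates. The Java-properties parsing rules, the sample file contents
and the function names are assumptions made for this example.

```python
import socket
import ssl
import sys

# Protocol names as written in the readme's protocols= entry.
KNOWN = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}
# Readme: without an entry the console uses all three.
DEFAULT_PROTOCOLS = ["TLSv1", "TLSv1.1", "TLSv1.2"]

# Constructed sample file body; "example.setting" is a placeholder key.
SAMPLE_PROPERTIES = """\
# constructed sample, not a real Deep Security Manager file
example.setting=1
protocols=TLSv1,TLSv1.1,TLSv1.2
protocols = TLSv1.2
"""


def configured_protocols(text):
    """Return the protocol names set by the protocols= entry.

    Assumption: Java-properties semantics, so comment lines start with
    '#' or '!' and a later duplicate key overrides an earlier one.
    """
    value = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, val = line.partition("=")
        if sep and key.strip() == "protocols":
            value = val
    if value is None:
        return list(DEFAULT_PROTOCOLS)
    return [p.strip() for p in value.split(",") if p.strip()]


def probe(host, port, name, timeout=5.0):
    """Handshake pinned to one version: True, False, or None if untestable."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        # Only protocol support is measured, so the certificate is not
        # validated here; never reuse this context to send data.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        # Recent OpenSSL builds refuse TLSv1/TLSv1.1 at the default
        # security level; lower it for this probe only.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        ctx.minimum_version = KNOWN[name]
        ctx.maximum_version = KNOWN[name]
    except (ValueError, ssl.SSLError):
        return None  # the local TLS library cannot speak this version
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() == name
    except (ssl.SSLError, OSError):
        return False


def audit(configured, observed):
    """Compare the configured list with probe results {name: True/False/None}."""
    findings = [(p, "unknown protocol name") for p in configured if p not in KNOWN]
    for name in KNOWN:
        want, got = name in configured, observed.get(name)
        if got is None:
            findings.append((name, "not testable from this host"))
        elif want and not got:
            findings.append((name, "configured but refused"))
        elif got and not want:
            findings.append((name, "accepted but not configured"))
    return findings


if __name__ == "__main__":
    # Usage: python check_protocols.py <configuration.properties> <host>
    with open(sys.argv[1], encoding="utf-8") as fh:
        wanted = configured_protocols(fh.read())
    seen = {name: probe(sys.argv[2], 4119, name) for name in KNOWN}
    for name, problem in audit(wanted, seen):
        print(f"{name}: {problem}")
```

An empty result means the console port offers exactly the configured
protocols; "accepted but not configured" usually means the service was
not restarted after the file was edited.
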

8.9.2 Resolved Known Issues
=====================================================================
This release resolves the following issue:

Issue 1: [DSSEG-273] Deep Security Manager synchronization with the
NSX Manager sometimes failed if the NSX Service Profile did not have a
Service Instance associated with it. This sometimes happened when
another 3rd-party security solution was also deployed in the
environment.
Solution 1: This issue has been fixed.

8.10 Deep Security Manager 9.5.7222
========================================================================

8.10.1 Enhancements
=====================================================================
There are no enhancements in this release.

8.10.2 Resolved Known Issues
=====================================================================
This release resolves the following issues:

Issue 1: [DSSEG-519] The total number of "Unresolved Recommendations"
shown on the General tab was incorrect.
Solution 1: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 2: [DSSEG-289/DSSEG-282] Upgrading the Deep Security Manager
from older versions of 9.0 Service Pack 1 running with Oracle
Databases sometimes failed due to constraint handling (non-existing
constraints) over some specific database tables.
Solution 2: The Schema Manager has been upgraded in this release to
avoid any Deep Security Manager upgrade failures.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 3: [DSSEG-234] When Deep Security Manager forwarded syslog
messages to an ArcSight Server, CEF format network-related data did
not match the ArcSight Server's data type or validation.
Solution 3: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

8.11 Deep Security Manager 9.5.7226
========================================================================

8.11.1 Enhancements
=====================================================================
The following enhancement is included in this release:

Enhancement 1: [DSSEG-823/SEG-3242] A misconfigured rule in a policy
could cause a rule compilation failure. The Deep Security Manager did
not indicate this error state.
Solution 1: This release adds an error event and a new alert to
indicate this error state.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

8.11.2 Resolved Known Issues
=====================================================================
This release resolves the following issue:

Issue 1: [DSSEG-794] Deep Security Manager used a Long type when
composing an SQL query on an integer-type data field, which resulted
in a class cast exception.
Solution 1: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

8.12 Deep Security Manager 9.5.7228
========================================================================

8.12.1 Enhancements
=====================================================================
There are no enhancements in this release.

8.12.2 Resolved Known Issues
=====================================================================
This release resolves the following issues:

Issue 1: [DSSEG-1033] Deep Security Manager was affected by one or
more of the CVEs reported in the Oracle Critical Patch Update issued
April 18, 2017.
Solution 1: The Java JRE used in Deep Security Manager has been
upgraded to the version released for the above-mentioned Critical
Patch Update (Java 8 u131).
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 2: [DSSEG-1019/SEG-4929] If the database connection was not stable when the Deep Security Manager service started, the manager could fail to get a setting from the database and think it hadn't done the setting migration yet. If that happened, the manager would mistakenly perform the setting migration again and cause some settings to be restored to their default values.

Solution 2: After applying this hot fix, if Deep Security Manager cannot get the setting from the database due to an unexpected error, it will not perform the setting migration at that time.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

9. Files Included in This Release
========================================================================
This release is a complete installation. Use one of the following files:

Manager-Windows-9.5.7230.x64.exe (64-bit)
Manager-Linux-9.5.7230.x64.sh (64-bit)

10. Contact Information
========================================================================
A license to Trend Micro software usually includes the right to product updates, pattern file updates, and basic technical support for one (1) year from the date of purchase only. After the first year, you must renew Maintenance on an annual basis at Trend Micro's then-current Maintenance fees.

Contact Trend Micro via fax, phone, and email, or visit our website to download evaluation copies of Trend Micro products.

http://www.trendmicro.com/us/about-us/contact/index.html

NOTE: This information is subject to change without notice.

11. About Trend Micro
========================================================================
Smart, simple, security that fits

As a global leader in IT security, Trend Micro develops innovative security solutions that make the world safe for businesses and consumers to exchange digital information.

Copyright 2017, Trend Micro Incorporated. All rights reserved.
Trend Micro, Deep Security, "deep security solutions", and the t-ball logo are trademarks of Trend Micro Incorporated and are registered in some jurisdictions. All other marks are the trademarks or registered trademarks of their respective companies.

12. License Agreement
========================================================================
View information about your license agreement with Trend Micro at:

www.trendmicro.com/us/about-us/legal-policies/license-agreements

Third-party licensing agreements can be viewed:

- By selecting the "About" option in the application user interface
- By referring to the "Legal" page of the Administrator's Guide

13. Third-Party Software
========================================================================
Deep Security employs the use of 3rd party binary distributions. The binary distributions are subject to the licenses available in the following directory:

[Install Directory]/licenses

Where 3rd party licenses require open access to their source code, Trend Micro will provide the necessary materials upon written request.

========================================================================
(C) 2017 Trend Micro Inc. All rights reserved. Published in Canada.