Trend Micro Incorporated                                  April 24, 2017
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      Trend Micro(TM) InterScan(TM) Web Security Virtual Appliance 6.5
                   Service Pack 2 Patch 2 - Build 1765
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTICE: This Readme file was current as of the date above. However, all
        customers are advised to check Trend Micro's website for
        documentation updates.

        GM release documentation:
        http://docs.trendmicro.com

        Patch/Service Pack release documentation:
        http://www.trendmicro.com/download

TIP: Register online with Trend Micro within 30 days of installation to
     continue downloading new pattern files and product updates from the
     Trend Micro website. Register during installation or online at:
     https://clp.trendmicro.com/FullRegistration?T=TM

Contents
==========================================================
   1. About InterScan Web Security Virtual Appliance
      1.1 Overview of this Release
      1.2 Who Should Install this Release
   2. What's New?
      2.1 Enhancements
      2.2 Resolved Known Issues
   3. Documentation Set
   4. System Requirements
   5. Installation
      5.1 Installing
      5.2 Uninstalling
   6. Post-installation Configuration
   7. Known Issues
   8. Release History
   9. Files Included in this Release
   10. Contact Information
   11. About Trend Micro
   12. License Agreement
==========================================================

1. About InterScan Web Security Virtual Appliance
======================================================================
   InterScan Web Security Virtual Appliance (IWSVA) is a highly scalable
   and reliable web security solution that includes virus protection for
   HTTP and FTP traffic. IWSVA delivers best-in-class HTTP and FTP virus
   scanning that leverages the administration, policy, and centralized
   management of Trend Micro's Enterprise Protection Strategy.
1.1 Overview of this Release
===================================================================
   IWSVA 6.5 Service Pack 2 Patch 2 is cumulative and contains all
   product changes released after IWSVA 6.5 Service Pack 2 GM Build.

1.2 Who Should Install this Release?
===================================================================
   Install this patch if you are currently running any IWSVA 6.5
   Service Pack 2 build.

2. What's New?
======================================================================
   Note: Please install this patch before completing any of the
         procedures indicated in this section (see "Installation").

2.1 Enhancements
===================================================================
   The following enhancements are included in this patch:

   Enhancement 1: This patch includes Hotfix 1762, which adds IPv6
                  support in WCCP mode.

   Procedure 1: To enable this enhancement:

      a. Navigate to the following directory:

         cd /usr/iwss/wccp

      b. Run the following command:

         bash wccp_ipv6.sh apply

   Enhancement 2: This patch includes Hotfix 1762, which adds the new
                  TMUFE category "Dynamic DNS".

   Enhancement 3: This patch adds a client HTTPS certificate option.

   Enhancement 4: This patch adds support for DDAN protocol 1.3.

   Enhancement 5: This patch adds support for SOCKS5 white list and ACL.

   Enhancement 6: This patch provides the following FTP enhancements:
                  - Wording in the FTP access log now uses "FQDN"
                    instead of "IP address"
                  - Enables the saving of FTP connection information
                    even if no file transfer occurred

   Enhancement 7: This patch replaces Oracle JDK with Open JDK.

2.2 Resolved Known Issues
===================================================================
   Note: Patch 2 includes solutions to issues resolved in all fixes
         released from November 11, 2015 to April 19, 2017.

   Patch 2 resolves the following issues:

   Issue 1: A vulnerability in the IWSVA 6.5 Service Pack 2 program may
            allow certain irregularly formatted viruses in HTTP
            responses to bypass it.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 1: [Hotfix 1709] (TT-333456)
               This hotfix removes the vulnerability to enable IWSVA to
               catch these viruses in HTTP responses.

   Issue 2: Users can click on the "Enable FTP scanning" checkbox in the
            "FTP Scan Rules" tabs when ICAP is enabled in reverse proxy
            mode.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 2: [Hotfix 1709] (TT-345130, TT-342955)
               This hotfix enables IWSVA to automatically disable the
               checkbox in the FTP Scan Rules tabs when ICAP is enabled
               in reverse proxy mode.

   Issue 3: The user name information does not appear in the virus logs
            from IWSVA when viewed from the Trend Micro Control
            Manager(TM) console.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 3: [Hotfix 1709] (TT-342826)
               This hotfix resolves an issue to ensure that the user name
               information can be displayed properly in the IWSVA virus
               logs on the Control Manager console.

   Issue 4: When users search for specific application control policies,
            IWSVA cannot retrieve and display all the applicable
            policies if the appd process has stopped running.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 4: [Hotfix 1709] (TT-345284)
               This hotfix enables IWSVA to retrieve and display all
               applicable application control policies even when the
               appd process has stopped.

   Issue 5: IWSVA does not run the AutoSetupAlchemySettings script
            automatically after the system's memory set-up changes, for
            example, when memory is added.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 5: [Hotfix 1709] (TT-346623)
               This hotfix enables IWSVA to run the
               AutoSetupAlchemySettings script automatically after the
               system's memory changes.

   Issue 6: IWSVA does not display the report type when the time zone is
            set to "America/Cordoba".
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 6: [Hotfix 1709] (TT-347847)
               This hotfix ensures that IWSVA displays the correct report
               type.

   Issue 7: In versions 8 and 10 of the Microsoft(TM) Internet
            Explorer(TM) web browser, users encounter a JSP error while
            migrating the configuration file.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 7: [Hotfix 1709] (TT-348090)
               This hotfix ensures that IWSVA can migrate the
               configuration file normally on Internet Explorer.

   Issue 8: When the IWSVA daemon restarts, it generates a new client
            UUID and registers again to Trend Micro Deep Discovery
            Analyzer as a new IWSVA. However, the original client UUID
            remains in the Deep Discovery Analyzer database.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 8: [Hotfix 1709] (TT-349120)
               This hotfix ensures that each IWSVA only takes one UUID.

   Issue 9: The IWSVA log server stops receiving logs after a log upload
            process stops unexpectedly.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 9: [Hotfix 1709] (TT-342579)
               This hotfix ensures that the IWSVA log server can still
               receive logs after a log upload process stops
               unexpectedly.

   Issue 10: When HTTPS decryption is enabled, IWSVA cannot load an HTTPS
             webpage if the HTTP header does not contain a
             "Content-length" or "Transfer-Encoding" header field.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 10: [Hotfix 1710] (TT-349268)
                This hotfix ensures that users can access HTTPS websites
                successfully while HTTPS decryption is enabled.

   Issue 11: Microsoft(TM) Internet Explorer(TM) stops responding when
             users import the list of blocked URLs to IWSVA and the list
             has more than 7000 entries.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 11: [Hotfix 1712] (TT-348926)
                This hotfix updates the parsing algorithm to improve the
                parsing speed so that Internet Explorer can handle large
                blocked URL lists.
   Issue 12: [Hotfix 1714] (TT-351297)
             When a client uploads files to a server through an
             application server and IWSVA scans the files through ICAP,
             IWSVA does not allow the acknowledgment traffic (0-byte
             file) to pass and sends an error code 100 instead. This
             happens because IWSVA checks the "Encapsulated:" ICAP
             header only, which does not have a "null-body".
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 12: This hotfix enables IWSVA to check both the
                "Encapsulated:" ICAP header and the "Content-length"
                HTTP header so that if the "Content-length" is "0", it
                will also treat it as a "null-body". This ensures that
                IWSVA allows the acknowledgment traffic (0-byte file) to
                pass.

   Issue 13: [Hotfix 1715] (TT-351297)
             IWSVA stops unexpectedly when it calls the strncpy function
             and the length of the char pointer is "0".
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 13: This hotfix resolves the issue by enabling IWSVA to check
                the length of the char pointer before calling the
                strncpy function.

   Issue 14: [Hotfix 1716] (TT-352892)
             IWSVA cannot save changes to the priority setting of a URL
             filtering policy if the current policy priority is lower
             than 2498.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 14: This hotfix ensures that IWSVA can save changes to the
                priority setting of a URL filtering policy.

   Issue 15: [Hotfix 1717] (TT-352982)
             The URL filtering feature of IWSVA 6.5 Service Pack 2 may
             block the wrong domains.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 15: This hotfix ensures that IWSVA can correctly match URLs
                with the filtering policy so that it blocks the correct
                domains.

   Enhancement: [Hotfix 1721]
                This hotfix integrates the Trend Micro Deep Discovery
                Inspector and Trend Micro Control Manager(TM) SO
                acquirement interface into the IWSVA web console.
                This enables IWSVA to retrieve the SO list from both
                products, to block SOs on the list including IPs, URLs,
                domains, and files, and to perform Advanced Threat
                Protection scanning.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Procedure: To enable the feature:

      a. Open the "intscan.ini" file in the "/etc/iscan" folder.
      b. Locate or add the "so_integration_enabled" key and set its
         value to "1".

         Note: To disable the feature, set "so_integration_enabled=0".

      c. Save the changes and close the file.
      d. Refresh the "HTTP > Advanced Threat Protection > Custom Defense
         > Custom Defense Settings" page.

   Issue 16: [Hotfix 1726] (TT-350383)
             After updating to IWSVA Service Pack 2 Build 1707, users
             may not be able to browse HTTPS websites properly.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 16: This hotfix resolves the issue by ensuring that IWSVA
                can correctly handle the TCP FIN, so that when the
                connection is closed by the web server, the
                corresponding HTTP header will keep it alive.

   Issue 17: [Hotfix 1726] (TT-351297)
             When a client uploads files to a server through an
             application server and IWSVA scans the files through ICAP,
             IWSVA does not allow the acknowledgment traffic (0-byte
             file) to pass and sends an error code 100 instead. This
             happens because IWSVA checks the "Encapsulated:" ICAP
             header only, which does not have a "null-body".
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 17: This hotfix enables IWSVA to check both the
                "Encapsulated:" ICAP header and the "Content-length"
                HTTP header so that if the "Content-length" is "0", it
                will also treat it as a "null-body". This ensures that
                IWSVA allows the acknowledgment traffic (0-byte file) to
                pass.

   Issue 18: [Hotfix 1726] (TT-352011)
             Websites do not load properly when HTTPS decryption is
             enabled.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 18: This hotfix resolves the issue by enabling IWSVA to
                properly handle zero length data from a webserver.
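   Issues 12 and 17 above both turn on how an ICAP server classifies the
   encapsulated HTTP message: the ICAP "Encapsulated:" header may mark an
   absent body with "null-body", but a 0-byte upload forwarded by an
   application server can instead arrive as a "req-body" section holding
   only the terminating chunk, with "Content-Length: 0" in the encapsulated
   HTTP header. The Python below is an added example, not code from this
   readme or from the IWSVA product; it shows the null-body-only check beside
   the corrected check that also accepts a zero Content-Length, run on
   constructed REQMOD messages. The ICAP service URL, host names and paths in
   the sample messages are made up.

```python
"""Classify the encapsulated HTTP body of an ICAP REQMOD message.

Added example (not product code). The "Encapsulated:" header (RFC 3507)
gives byte offsets such as "req-hdr=0, req-body=120" or "req-hdr=0,
null-body=120", relative to the start of the encapsulated payload.
"""
from typing import Dict, List, Optional, Tuple

CRLF = b"\r\n"


def split_icap(message: bytes) -> Tuple[List[bytes], bytes]:
    """Split an ICAP message into its header lines and the encapsulated payload."""
    head, sep, payload = message.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("ICAP header block is not terminated by CRLFCRLF")
    return head.split(CRLF), payload


def parse_headers(lines: List[bytes]) -> Dict[str, str]:
    """Map lower-cased header names to values; lines[0] is the request line."""
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if colon:
            headers[name.strip().lower().decode("ascii")] = value.strip().decode("ascii")
    return headers


def parse_encapsulated(value: str) -> Dict[str, int]:
    """'req-hdr=0, null-body=120' -> {'req-hdr': 0, 'null-body': 120}."""
    offsets: Dict[str, int] = {}
    for entry in value.split(","):
        key, eq, offset = entry.strip().partition("=")
        if not eq or not offset.strip().isdigit():
            raise ValueError(f"malformed Encapsulated entry: {entry!r}")
        offsets[key.strip().lower()] = int(offset)
    return offsets


def legacy_is_null_body(message: bytes) -> bool:
    """The pre-fix check: only the ICAP 'null-body' marker counts as empty."""
    icap_lines, _ = split_icap(message)
    offsets = parse_encapsulated(parse_headers(icap_lines).get("encapsulated", ""))
    return "null-body" in offsets


def body_kind(message: bytes) -> str:
    """Return 'null-body', 'empty' (encapsulated Content-Length: 0) or 'body'."""
    icap_lines, payload = split_icap(message)
    offsets = parse_encapsulated(parse_headers(icap_lines).get("encapsulated", ""))
    if "null-body" in offsets:
        return "null-body"
    hdr_key = next((k for k in ("req-hdr", "res-hdr") if k in offsets), None)
    body_key = next((k for k in ("req-body", "res-body") if k in offsets), None)
    if hdr_key is None or body_key is None:
        raise ValueError("Encapsulated header names no HTTP header/body sections")
    http_head = payload[offsets[hdr_key]:offsets[body_key]]
    http_headers = parse_headers(http_head.rstrip(CRLF).split(CRLF))
    return "empty" if http_headers.get("content-length") == "0" else "body"


def should_pass_unscanned(message: bytes) -> bool:
    """Corrected decision: a null-body or a zero-length body carries nothing to scan."""
    return body_kind(message) in ("null-body", "empty")


def build_reqmod(http_head: bytes, chunked_body: Optional[bytes]) -> bytes:
    """Construct a REQMOD request (sample data, made up for this example)."""
    if chunked_body is None:
        encapsulated, payload = f"req-hdr=0, null-body={len(http_head)}", http_head
    else:
        encapsulated, payload = f"req-hdr=0, req-body={len(http_head)}", http_head + chunked_body
    icap_head = (b"REQMOD icap://iwsva.example.test/reqmod ICAP/1.0\r\n"
                 b"Host: iwsva.example.test\r\n"
                 b"Encapsulated: " + encapsulated.encode("ascii") + b"\r\n\r\n")
    return icap_head + payload


ACK_HEAD = (b"POST /upload/ack HTTP/1.1\r\nHost: app.example.test\r\n"
            b"Content-Length: 0\r\n\r\n")
FILE_HEAD = (b"POST /upload HTTP/1.1\r\nHost: app.example.test\r\n"
             b"Content-Length: 5\r\n\r\n")

# 0-byte acknowledgment sent as a body section holding only the last chunk
ACK_AS_EMPTY_BODY = build_reqmod(ACK_HEAD, b"0\r\n\r\n")
# the same acknowledgment signalled with the ICAP null-body marker
ACK_AS_NULL_BODY = build_reqmod(ACK_HEAD, None)
# a real 5-byte upload that must be scanned
REAL_UPLOAD = build_reqmod(FILE_HEAD, b"5\r\nhello\r\n0\r\n\r\n")

if __name__ == "__main__":
    for name, msg in (("ack/empty-body", ACK_AS_EMPTY_BODY),
                      ("ack/null-body", ACK_AS_NULL_BODY), ("upload", REAL_UPLOAD)):
        print(f"{name:15} legacy_null={legacy_is_null_body(msg)!s:5} "
              f"kind={body_kind(msg):9} pass={should_pass_unscanned(msg)}")
```

   Only the first message separates the two checks: the legacy test sees a
   "req-body" section and rejects it, while the corrected test reads the
   encapsulated HTTP header and lets the acknowledgment through without
   changing the verdict for a real upload.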
   Issue 19: [Hotfix 1726] (TT-352635)
             The isftpd process triggers a 100% CPU usage issue.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 19: This hotfix adds the isftpd process to the approved list
                in IWSVA to prevent the high CPU usage issue.

   Issue 20: [Hotfix 1728] (TT-352510)
             An issue may prevent source IWSVA devices from sending
             chunked data to registered child IWSVA devices.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 20: This hotfix resolves the issue by allowing the source
                IWSVA device to choose between chunked mode or
                content-length mode response to child IWSVA devices.

   Issue 21: [Hotfix 1729] (TT-355847)
             Dropbox cannot sync in bridge mode after users add
             "dropbox.com" to the global trusted list.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 21: This hotfix resolves the issue by enabling IWSVA to run
                through the list of global trusted domains before it
                attempts to connect to websites.

   Issue 22: [Hotfix 1730] (TT-357017)
             The LDAP server diagnostic tool returns a "failed" result
             even when the LDAP server has connected normally.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 22: This hotfix ensures that the diagnostic tool returns the
                correct LDAP server connection results.

   Issue 23: [Hotfix 1730] (TT-355574)
             HTTPS request authentication may fail when IWSVA is
             deployed in bridge mode between a client and the upstream
             proxy and the upstream proxy uses Kerberos authentication.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 23: This hotfix ensures that HTTPS request authentication
                can run successfully under the scenario described above.

   Issue 24: [Hotfix 1731] (TT-351773)
             End users cannot see the shared remote desktop using
             Skype(TM) in WCCP mode. This issue occurs because the
             OpenSSL module sends an alert message when it comes across
             Skype HTTPS traffic.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 24: This hotfix handles this issue to channel Skype HTTPS
                traffic.

   Issue 25: [Hotfix 1731] (TT-355725)
             Non-administrator users are able to go beyond their access
             permissions and apply administrator operations.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 25: This hotfix validates the user's permissions before
                applying administrator operations in the web service
                process.

   Issue 26: [Hotfix 1732] (TT-357304)
             In some situations, the IWSVA FTP daemon may cause high CPU
             usage.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 26: This hotfix resolves the high CPU issue for the FTP
                daemon.

   Issue 27: [Hotfix 1733] (TT-355470)
             If the IWSVA user information sync fails from the trust
             domain of the Global Catalog, even if the user
             authenticates successfully through Global Catalog, the
             connection still fails.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 27: This hotfix resolves this issue by letting the connection
                pass when the user authentication is successful, even if
                the user information sync failed from the Global Catalog.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Procedure: To enable the function:

      a. Open the "intscan.ini" file under the "/etc/iscan/" folder.
      b. Under the "http" section, set the value of the
         "pass_auth_not_in_ldapcache" key to "yes".
      c. Under the "LDAP-Setting" section, set the value of the
         "Prefer-sAMA" key to "yes".
      d. Save the changes and close the file.
      e. Log on to IWSVA with SSH, and restart the HTTP proxy with the
         following command:

         /etc/iscan/S99ISproxy stop;/etc/iscan/S99ISproxy start

   Issue 28: [Hotfix 1735] (TT-352640)
             IWSVA cannot tunnel the failed extract file.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 28: This hotfix ensures that IWSVA can tunnel the failed
                extract file by enabling a hidden key.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Procedure 28: To enable this function:

      a. Open the "intscan.ini" file in the "/etc/iscan/" folder.
      b. Under the "Scan-configuration" section, locate or add the
         "failed_extract" key and set its value to "pass".
      c. Locate the "skipSpecificVirus" key and add "Failed_Extract_File"
         to it.
      d. Save the changes and close the file.
      e. Log on to IWSVA with SSH, and restart the HTTP proxy with the
         following command:

         /etc/iscan/S99ISproxy stop;/etc/iscan/S99ISproxy start

   Issue 29: [Hotfix 1735] (TT-357285)
             The "*.co/*" pattern should not match the "*.com:443" value
             when IWSVA performs URL matching.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 29: This hotfix ensures that IWSVA can perform URL matching
                normally.

   Issue 30: [Hotfix 1735] (TT-350271)
             IWSVA cannot send the correct event time to Control Manager
             when the system time zone observes daylight savings.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 30: This hotfix ensures that IWSVA sends the correct event
                time to Control Manager when the system time zone
                observes daylight savings.

   Issue 31: [Hotfix 1735] (TT-357018)
             Sometimes, it takes a long time to browse through websites
             on computers protected by IWSVA.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 31: This hotfix resolves the issue.

   Issue 32: [Hotfix 1736] (TT-357135)
             HTTPS pages will not load when the UA string is Microsoft
             Internet Explorer 11.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 32: This hotfix handles the SSL alert message, which the
                HTTPS server sends to IWSVA, to resolve the decryption
                issue.

   Issue 33: [Critical Patch 1737] (TT-333456)
             A vulnerability in the IWSVA 6.5 Service Pack 2 program may
             allow certain irregularly formatted viruses in HTTP
             responses to bypass it.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 33: This hotfix removes the vulnerability to enable IWSVA to
                catch these viruses in HTTP responses.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Procedure: To enable the solution:

      a. Open the "intscan.ini" file in the "/etc/iscan/" folder.
      b. Locate or add the "scan_trunk_deep" key and set its value to
         "yes".

         NOTE: The default value is "no", which disables the solution.

      c. Save the changes and close the file.
      d. Restart the HTTP daemon with the command:

         /etc/iscan/S99ISproxy stop;/etc/iscan/S99ISproxy start

   Issue 34: [Hotfix 1738] (TT-358779)
             IWSVA still cannot generate the RSA 4096 key certificate
             for HTTPS decryption.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 34: This hotfix ensures that IWSVA can generate the RSA 4096
                key certificate for HTTPS decryption by enabling a
                hidden key.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Procedure: To enable the solution:

      a. Open the "intscan.ini" file in the "/etc/iscan/" folder.
      b. Under the "https-scanning" section, add the "rsa_length" key
         and set the value to "4096".
      c. Save the changes and close the file.
      d. Log on to IWSVA with SSH, and restart the HTTP proxy and FTP
         with the following commands:

         /etc/iscan/S99ISproxy stop;/etc/iscan/S99ISproxy start
         /etc/iscan/S99ISftp stop;/etc/iscan/S99ISftp start

   Issue 35: [Hotfix 1739] (TT-358217, 358168, 358215, 358213, 358214,
             358216, 358218, 358219, 358208, 358209, 358210, 358211,
             358212, 358304, 358412)
             The IWSVA web service process does not validate user
             permissions and input parameters, leading to Remote Code
             Execution vulnerabilities.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 35: This hotfix validates the user permissions and input
                parameters before applying the user's requested
                operations in the web service process.
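   The procedures for the SO integration enhancement and for Issues 27, 28,
   33 and 34 above all perform the same edit: locate or add one key under a
   named section of "/etc/iscan/intscan.ini", save, and restart the proxy.
   The Python below is an added example, not part of this readme or of the
   IWSVA product. It implements that "locate or add" step on the file text
   line by line, so comments and keys it does not touch are preserved and a
   repeated run changes nothing, and exercises it on a constructed
   intscan.ini fragment. Only the section and key names come from the
   procedures above; the fragment's other contents, the ".bak" backup name
   and the apply_to_file helper are assumptions, and the restart command is
   left to the operator as the readme instructs.

```python
"""Idempotent 'locate or add' for a key in an INI-style file (added example).

Operates on the file text line by line so comments, ordering and untouched
keys stay exactly as they were. Section and key lookups are case-insensitive;
the existing spelling of a replaced key is kept.
"""
import re
import shutil
from typing import List, Optional, Tuple

SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
# a key line: not a comment (; or #), key name runs up to the first '='
KEY_RE = re.compile(r"^\s*(?P<key>[^=;#\s][^=]*?)\s*=(?P<value>.*)$")


def section_bounds(lines: List[str], section: str) -> Optional[Tuple[int, int]]:
    """Return (first, end) line indices of the section body, end exclusive."""
    first = None
    for i, line in enumerate(lines):
        match = SECTION_RE.match(line)
        if not match:
            continue
        if first is not None:          # reached the next section header
            return first, i
        if match.group("name").strip().lower() == section.lower():
            first = i + 1
    return (first, len(lines)) if first is not None else None


def get_ini_key(text: str, section: str, key: str) -> Optional[str]:
    """Value of key in section, or None when either is absent."""
    lines = text.splitlines()
    bounds = section_bounds(lines, section)
    if bounds is None:
        return None
    for line in lines[bounds[0]:bounds[1]]:
        match = KEY_RE.match(line)
        if match and match.group("key").lower() == key.lower():
            return match.group("value").strip()
    return None


def set_ini_key(text: str, section: str, key: str, value: str) -> str:
    """Replace key in section, append it if missing, create the section if missing."""
    lines = text.splitlines()
    bounds = section_bounds(lines, section)
    if bounds is None:
        if lines and lines[-1].strip():
            lines.append("")
        lines += [f"[{section}]", f"{key}={value}"]
        return "\n".join(lines) + "\n"
    first, end = bounds
    for i in range(first, end):
        match = KEY_RE.match(lines[i])
        if match and match.group("key").lower() == key.lower():
            lines[i] = f"{match.group('key')}={value}"
            return "\n".join(lines) + "\n"
    insert_at = end
    while insert_at > first and not lines[insert_at - 1].strip():
        insert_at -= 1                 # keep the blank lines between sections
    lines.insert(insert_at, f"{key}={value}")
    return "\n".join(lines) + "\n"


def apply_to_file(path: str, section: str, key: str, value: str) -> bool:
    """Edit the file in place after saving a .bak copy; True when the text changed."""
    with open(path, encoding="utf-8") as fh:
        before = fh.read()
    after = set_ini_key(before, section, key, value)
    if after == before:
        return False
    shutil.copyfile(path, path + ".bak")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(after)
    return True


# Constructed fragment; a real intscan.ini holds many more sections and keys.
SAMPLE_INI = """[main]
version=6.5

[http]
pass_auth_not_in_ldapcache=no

[Scan-configuration]
skipSpecificVirus=
"""

if __name__ == "__main__":
    text = set_ini_key(SAMPLE_INI, "Scan-configuration", "scan_trunk_deep", "yes")
    text = set_ini_key(text, "http", "pass_auth_not_in_ldapcache", "yes")
    text = set_ini_key(text, "https-scanning", "rsa_length", "4096")
    print(text)
    # Next, per the readme: /etc/iscan/S99ISproxy stop;/etc/iscan/S99ISproxy start
```

   Running it against the live file would be
   apply_to_file("/etc/iscan/intscan.ini", "https-scanning", "rsa_length",
   "4096"), followed by the proxy restart from the procedure; the return
   value tells the operator whether a restart is actually needed.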
   Issue 36: [Hotfix 1740] (TT-357473)
             IWSVA does not properly handle an abnormal incoming request,
             which causes a memory exception and crashes the system.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 36: This hotfix checks the parameter of the incoming request
                to avoid memory usage exceptions.

   Issue 37: [Hotfix 1741] (TT-355124)
             Formatting errors in a user's HTTPS decryption exception
             list trigger a Java exception, which makes the IWSVA web
             console inaccessible.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 37: This hotfix enables IWSVA to handle these format errors
                to ensure that access to the IWSVA web console is not
                interrupted.

   Issue 38: [Critical Patch 1742] (TT-358220, 358221, 358413, 358412,
             358746, VRTS-16, VRTS-91)
             The IWSVA web service process does not validate user
             permissions and input parameters, leading to Remote Code
             Execution vulnerabilities.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 38: This hotfix enables IWSVA to validate the user
                permissions and input parameters.

   Issue 39: [Critical Patch 1746] (TT-358909, VRTS-219, VRTS-222,
             VRTS-224, VRTS-226, VRTS-227)
             The IWSVA web service process does not validate user
             permissions and input parameters, leading to Remote Code
             Execution vulnerabilities.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 39: This critical patch validates the user permissions and
                input parameters before applying the user's requested
                operations in the web service process.

   Issue 40: [Critical Patch 1746] (TT-353999)
             The svc monitor is forced to kill the IWSVA http daemon
             after configuration replication.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 40: This critical patch ensures that the IWSVA http daemon
                works normally after configuration replication.

   Issue 41: [Hotfix 1751]
             The FTP process is affected by a file descriptor (FD) leak
             issue.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 41: This hotfix resolves the FD leak issue.

   Issue 42: [Hotfix 1751]
             The iwssd process is affected by an FD leak issue.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 42: This hotfix resolves the FD leak issue.

   Issue 43: [Hotfix 1751] (SEG-2700)
             Users encounter an "HTTP status 500" error on the policy
             editing page.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 43: This hotfix ensures that users can access and edit
                policies normally through the policy editing page.

   Issue 44: [Hotfix 1751] (SEG-2016, SEG-2635)
             IWSVA does not tunnel HTTPS traffic with "*.domain.com".
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 44: This hotfix updates the URL matching policy rule to
                resolve the issue.

   Issue 45: [Hotfix 1751] (TT-359323)
             A URL category name was changed in TMUFE, but was not
             updated on the IWSVA side.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 45: This hotfix updates the URL category name on the IWSVA
                side to match the information in TMUFE.

   Issue 46: [Hotfix 1751] (SEG2645)
             When IWSVA performs LDAP authentication on administrator
             accounts, the user account password appears in the IWSVA
             local log file.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 46: This hotfix ensures that user passwords are not recorded
                in the IWSVA local log file.

   Issue 47: [Hotfix 1751] (SEG1389)
             In rare instances, the IWSVA web service may record an
             unusually large bandwidth data usage in logs.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 47: This hotfix ensures that the correct information appears
                in logs.

   Issue 48: [Hotfix 1751] (SEG-2641)
             After installing Critical Patch 1742, users encounter
             exception errors while attempting to view some
             administration pages.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 48: This hotfix ensures that users can view the
                administration pages properly.
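   Issues 29 and 44 above are both URL-pattern matching defects, and they
   share one root: a wildcard pattern has to be tested on host-label, port
   and path boundaries rather than as a bare substring, otherwise ".co"
   quietly covers ".com" and an HTTPS exception for "*.domain.com" may be
   applied to the wrong hosts or not at all. The Python below is an added
   example, not Trend Micro code, and does not claim to reproduce the
   product's actual matching algorithm; it contrasts a naive substring check
   with a boundary-aware matcher on the page's own cases ("*.co/*" against an
   example.com:443 URL, and "*.domain.com" as an HTTPS tunnelling exception).
   The pattern grammar, the rule that "*.domain.com" does not cover the bare
   domain.com, and the URLs used are assumptions of the example.

```python
"""Boundary-aware URL pattern matching (added example, not product code).

Pattern grammar assumed here: host[:port][/path]. The host may start with
"*." (any subdomain, matched on a label boundary) and the path may end with
"/*" (that directory and anything below it, matched on a "/" boundary).
"""
from typing import Iterable, NamedTuple, Optional
from urllib.parse import urlsplit


class Pattern(NamedTuple):
    host: str            # lower-case, without the leading "*."
    wildcard_host: bool
    port: Optional[int]  # None = any port
    path: str            # "" = any path; wildcard paths keep their trailing "/"
    wildcard_path: bool


def parse_pattern(text: str) -> Pattern:
    host_port, slash, rest = text.strip().lower().partition("/")
    path, wildcard_path = "", False
    if slash:
        path = "/" + rest
        if path.endswith("/*"):
            wildcard_path = True
            path = path[:-1]                    # "/downloads/*" -> "/downloads/"
    host, _, port_text = host_port.partition(":")
    port = int(port_text) if port_text else None
    wildcard_host = host.startswith("*.")
    if wildcard_host:
        host = host[2:]
    if not host:
        raise ValueError(f"pattern has no host: {text!r}")
    return Pattern(host, wildcard_host, port, path, wildcard_path)


def matches(pattern: Pattern, url: str) -> bool:
    """Boundary-aware comparison of one URL against one parsed pattern."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    port = parts.port or (443 if parts.scheme == "https" else 80)
    path = parts.path or "/"
    if pattern.wildcard_host:
        host_ok = host.endswith("." + pattern.host)   # "example.com" never ends with ".co"
    else:
        host_ok = host == pattern.host
    port_ok = pattern.port is None or pattern.port == port
    if not pattern.path:
        path_ok = True
    elif pattern.wildcard_path:
        path_ok = path == pattern.path.rstrip("/") or path.startswith(pattern.path)
    else:
        path_ok = path == pattern.path
    return host_ok and port_ok and path_ok


def naive_matches(pattern_text: str, url: str) -> bool:
    """Substring check after dropping the wildcards: the shortcut that lets
    "*.co/*" hit "example.com:443", because ".co" is a substring of ".com"."""
    host_pat, _, path_pat = pattern_text.strip().lower().partition("/")
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    host_port = f"{(parts.hostname or '').lower()}:{port}"
    return (host_pat.replace("*", "") in host_port
            and path_pat.replace("*", "") in (parts.path or "/"))


def tunnel_decision(exception_list: Iterable[str], url: str) -> bool:
    """True when the URL is covered by one of the decryption-exception patterns."""
    return any(matches(parse_pattern(p), url) for p in exception_list)


if __name__ == "__main__":
    for pat, url in (("*.co/*", "https://www.example.com/"),
                     ("*.co/*", "https://shop.example.co/cart"),
                     ("*.domain.com", "https://www.domain.com/")):
        print(f"{pat:14} {url:32} naive={naive_matches(pat, url)!s:5} "
              f"boundary={matches(parse_pattern(pat), url)}")
```

   The first case is the one from Issue 29: the naive check accepts it, the
   boundary-aware matcher rejects it, and both agree on the genuine ".co"
   host. Port handling defaults to the scheme's port so that a pattern with an
   explicit ":443" still matches a plain "https://" URL.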
   Issue 49: [Hotfix 1753] (TT-349268)
             During configuration replication, the "keep_ssl_version"
             setting in the "intscan.ini" file is not synchronized
             between the source and the receiver IWSVA.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 49: This hotfix ensures that the receiver IWSVA inherits the
                "keep_ssl_version" setting of the source IWSVA after
                configuration replication.

   Issue 50: [Hotfix 1755] (SEG-2722)
             The Central Log cannot be configured through the web
             console.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 50: This hotfix resolves the user privilege validation error
                to ensure that users can configure the Central Log from
                the web console.

   Issue 52: [Hotfix 1755] (SEG-2952)
             HA proxy cannot be configured through the web console.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 52: This hotfix resolves the user privilege validation error
                to ensure that users can configure the HA proxy from the
                web console.

   Issue 53: [Hotfix 1755] (VRTS-326, 328)
             The Static Router is affected by a remote code execution
             vulnerability through the web console.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 53: This hotfix removes the vulnerability by adding a
                function that validates parameters.

   Issue 54: [Hotfix 1756] (SEG-2567)
             An issue may trigger the iwssd daemon to stop unexpectedly
             when IWSVA is deployed in ICAP mode.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 54: This hotfix ensures that IWSVA uses the correct header
                file so that the iwssd daemon works normally in ICAP
                mode.

   Issue 55: [Hotfix 1757] (TT-359900)
             An issue prevents the Application Control "Block play
             media" feature in IWSVA from blocking videos in YouTube.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 55: This hotfix ensures that the "Block play media" feature
                can effectively block YouTube videos.
   Issue 56: [Hotfix 1758] (TT-357941)
             Application Control cannot block the latest version of the
             Teamviewer program.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 56: This hotfix updates the ixEngine lib to enable
                Application Control to block Teamviewer 12.

   Issue 57: [Hotfix 1758] (SEG-2700)
             The policy editing module encounters an HTTP status 500 -
             ArrayIndexOutOfBoundException error.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 57: This hotfix adds the corresponding data range restriction
                to prevent the error.

   Issue 58: [Hotfix 1759] (SEG-4076)
             An issue may prevent users from mounting an external log
             device using the "mount" command on the IWSVA web console.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 58: This hotfix resolves this issue so users can mount an
                external log device without issues.

   Issue 59: [Hotfix 1761] (SEG-2567)
             A null pointer issue can trigger IWSVA to stop unexpectedly
             when it receives an ICAP message that does not have any
             content.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 59: This hotfix resolves the issue by preventing IWSVA from
                attempting to access a null pointer when it receives an
                ICAP message that does not have any content.

   Issue 60: [Hotfix 1762] (TT-359683)
             Users may not be able to access HTTPS websites that use a
             special cipher suite.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 60: This hotfix enables IWSVA to support the cipher suite.

   Issue 61: [Hotfix 1763] (TT-4745)
             The backend web service for the web console cannot retrieve
             the correct time zone setting. As a result, the wrong time
             information appears in the exported log files.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 61: This hotfix resolves this issue to ensure that the web
                console can retrieve the time zone setting successfully
                so the correct time information appears in the exported
                log files.
   Issue 62: [Hotfix 1764] (TT-4826)
             Self-defined users are redirected to the wrong web page,
             because of an issue that prevents the backend web service
             for the web console from querying the privileges of
             self-defined roles.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 62: This hotfix resolves this issue to ensure that the web
                console can query self-defined role privileges so that
                users are redirected to the correct web page.

   Issue 63: (CVE-2016-5195)
             IWSVA is affected by CVE-2016-5195, which may allow an
             unprivileged local user to increase their privileges on the
             system.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 63: This hotfix ensures that IWSVA is not affected by this
                vulnerability.

3. Documentation Set
======================================================================
   To download or view electronic versions of the documentation set for
   this product, go to http://docs.trendmicro.com

   In addition to this Readme file, the documentation set for this
   product includes the following:

   - Online Help: The Online Help contains an overview of features and
     key concepts, and information on configuring and maintaining IWSVA.
     To access the Online Help, go to http://docs.trendmicro.com

   - Installation Guide (IG): The Installation Guide contains
     information on requirements and procedures for installing and
     deploying IWSVA.

   - Administrator's Guide (AG): The Administrator's Guide contains an
     overview of features and key concepts, and information on
     configuring and maintaining IWSVA.

   - Support Portal: The Support Portal contains information on
     troubleshooting and resolving known issues. To access the Support
     Portal, go to http://esupport.trendmicro.com

4. System Requirements
======================================================================
   Install this Patch on computers running any build released after
   IWSVA 6.5 Service Pack 2 Build 1548.

5. Installation
======================================================================
   This section explains key steps for installing.

5.1 Installing
===================================================================
   To install:

   1. Download the "iwsva_65_sp2_ar64_en_patch2.tgz" patch file onto
      your local hard disk.
   2. Log on to the IWSVA admin console GUI.
   3. Go to the "Administration > System Updates" page.
   4. Click "Browse".
   5. Browse your local hard disk for the patch file and click "Open".
   6. Click "Upload". Your browser uploads the patch file to IWSVA and
      IWSVA validates whether the file is a legitimate patch.
   7. Click "Install".

   Note: Applying this patch will interrupt the HTTP and FTP services
         for several minutes. Plan appropriately for this downtime.

5.2 Uninstalling
===================================================================
   To roll back to the previous build:

   1. Log on to the IWSVA admin console GUI.
   2. Go to the "Administration > System Updates" page.
   3. Click "Uninstall" next to "patch2". A confirmation page appears.
   4. Verify the patch ID and description on the confirmation page.
   5. Click "Uninstall".

   Note: Removing this patch will interrupt the HTTP and FTP services
         for several minutes. Plan appropriately for this downtime.

6. Post-installation Configuration
======================================================================
   No post-installation steps are required.

   Note: Trend Micro recommends that you update your scan engine and
         virus pattern files immediately after installing the product.

7. Known Issues
======================================================================
   There are no known issues for this patch release.

8. Release History
======================================================================
   IWSVA 6.5 Service Pack 2 GM Build, November 9, 2015
   IWSVA 6.5 Service Pack 2 Patch 1 - Build 1707, July 11, 2016

8.1 Patch 1
===================================================================

8.1.1 Enhancements
===================================================================
   There are no enhancements in IWSVA 6.5 EN SP2 Patch 1.

8.1.2 Resolved Known Issues
===================================================================
   IWSVA 6.5 SP2 Patch 1 resolves the following issues:

   Issue 1: Configuration replication may fail after users add a large
            amount of replication source information on the replication
            source machine.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 1: [Hotfix 1606] (TT-330566)
               This patch ensures that configuration replication works
               normally under the scenario described above.

   Issue 2: When IWSVA is deployed in bridge mode between a client and
            the proxy server, IWSVA may not be able to correctly
            categorize HTTPS websites.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 2: [Hotfix 1606] (TT-325466)
               This patch ensures that IWSVA can correctly categorize
               HTTPS websites when deployed in bridge mode between a
               client and the proxy server.

   Issue 3: Multicast data packets cannot pass through when IWSVA 6.5 is
            in bridge mode.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 3: [Hotfix 1606] (TT-329888)
               This patch disables the "multicast_snooping" feature to
               enable multicast data packets to pass through in bridge
               mode.

   Issue 4: Importing IWSVA 6.0 Service Pack 1 onto IWSVA 6.5 Service
            Pack 2 breaks the local SPS configuration.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 4: [Hotfix 1606] (TT-334243)
               This patch ensures that the local SPS configuration file
               remains undamaged after importing the IWSVA 6.0 Service
               Pack 1 package onto IWSVA 6.5 Service Pack 2.
   Issue 5:     IWSVA for Linux 6.5 Service Pack 2 does not support SMTP
                authentication.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 5:  [Hotfix 1606] This patch enables IWSVA to support SMTP
   (TT-328947)  authentication.

   Issue 6:     IWSVA for Linux 6.5 Service Pack 2 stops unexpectedly
                while uploading log data when the log exception feature
                is enabled.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 6:  [Hotfix 1606] This patch ensures that IWSVA can upload
   (TT-329327)  log data correctly while the log exception feature is
                enabled.

   Issue 7:     In WCCP mode, the WCCPD daemon still communicates with
                the Cisco(TM) router after the HTTP/FTP scanning service
                stops. This results in HTTP/FTP traffic interruptions.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 7:  [Hotfix 1606] This patch adds a mechanism for monitoring
   (TT-328981)  the status of the FTP/HTTP scanning service and the
                WCCPD daemon. This mechanism helps prevent HTTP/FTP
                traffic interruptions by stopping the WCCPD daemon from
                communicating with the Cisco router when the HTTP/FTP
                scanning service stops.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Procedure 7: To enable this feature:
   a. Install this patch (see "Installation").
   b. Run the following script:
      # nohup /usr/iwss/wccpd_monitor.py &

   Note: The corresponding log will appear in the
         "/etc/iscan/log/wccpd_monitor.log" file.

   Issue 8:     The DNS cache of IWSVA uses a fixed TTL setting of 12
                hours and is not configurable. As a result, users may
                not be able to access certain websites whose IP
                addresses change frequently.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 8:  [Hotfix 1606] This patch enables the DNS cache of IWSVA
   (TT-332549)  to synchronize the TTL from the DNS server instead of
                using a fixed TTL.

   Issue 9:     When users configure the local SPS through the web
                console, there are no instructions about the correct
                format for the SPS URL.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 9:  [Hotfix 1606] This patch adds this information to the
   (TT-334245)  local SPS instructions.

   Issue 10:    IWSVA is affected by a certain vulnerability related to
                the autorun section in HTTP requests.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 10: [Hotfix 1606] This patch enables IWSVA to filter the
                malicious autorun section in HTTP requests to resolve
                the vulnerability.

   Issue 11:    IWSVA 6.5 may generate several scheduled reports with
                the same timestamps.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 11: [Hotfix 1606] This patch ensures that IWSVA 6.5 does not
   (TT-330785)  generate duplicate scheduled reports.

   Issue 12:    The TMUSE engine stops unexpectedly when users enable
                the Dynamic URL Categorization feature.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 12: [Hotfix 1606] This patch resolves this issue by updating
   (TT-333247)  the TMUSE engine.

   Issue 13:    Sometimes, users cannot successfully import the
                configuration file of IWSVA 6.5 Service Pack 1 into
                version 6.5 Service Pack 2, and the HTTP daemon may not
                be able to start.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 13: [Critical Patch 1608] This patch ensures that users can
   (TT-336035)  successfully import the configuration file from IWSVA
                6.5 Service Pack 1 into version 6.5 Service Pack 2.

   Issue 14:    Sometimes, authentication fails when users add multiple
                domains in IWSVA 6.5 Service Pack 2.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 14: This patch ensures that authentication succeeds in
                multiple-domain environments.

   Issue 15:    After upgrading to IWSVA 6.5 SP2, users cannot access
                some HTTPS sites through IWSVA with HTTPS decryption
                enabled.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 15: This patch ensures that users can access HTTPS sites
                successfully even when HTTPS decryption is enabled.
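   As an added illustration of Issue 8 above (example code, not part of
   the patch), the following Python models a DNS cache under both
   policies, the fixed 12-hour lifetime and the TTL carried by the DNS
   answer, for a constructed record whose address changes; the upstream
   resolver, the record and the clock are all stubbed here.

```python
"""Added example (not IWSVA code): why a DNS cache should honour the TTL in the
DNS answer rather than a fixed 12-hour lifetime (Issue 8). Everything below,
the upstream resolver, the record and the clock, is constructed for the example."""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

FIXED_TTL = 12 * 3600  # the non-configurable 12-hour lifetime Issue 8 describes


@dataclass
class Answer:
    ip: str
    ttl: int  # lifetime in seconds, as carried by the DNS answer


@dataclass
class DnsCache:
    resolver: Callable[[str], Answer]     # upstream lookup, stubbed in the demo
    honour_server_ttl: bool               # True = behaviour after the fix
    clock: Callable[[], float] = time.monotonic
    lookups: int = 0                      # upstream queries actually made
    _entries: Dict[str, Tuple[str, float]] = field(default_factory=dict)

    def resolve(self, name: str) -> str:
        """Return the cached address while it is fresh, else ask upstream."""
        now = self.clock()
        hit = self._entries.get(name)
        if hit is not None and hit[1] > now:
            return hit[0]
        self.lookups += 1
        answer = self.resolver(name)
        # Before the fix every record lived 12 hours regardless of the answer;
        # after it the server's TTL decides. A TTL of 0 is not cached at all.
        ttl = answer.ttl if self.honour_server_ttl else FIXED_TTL
        if ttl > 0:
            self._entries[name] = (answer.ip, now + ttl)
        return answer.ip


def simulate_ip_change(honour_server_ttl: bool) -> List[str]:
    """Addresses handed out at t=0, t=+10 min and t=+13 h for a constructed
    record with a 300 s TTL whose address changes five minutes in."""
    records = {"www.example.test": Answer("198.51.100.10", 300)}  # constructed
    now = [0.0]
    cache = DnsCache(lambda n: records[n], honour_server_ttl,
                     clock=lambda: now[0])
    seen = [cache.resolve("www.example.test")]
    now[0] = 600.0                                              # 10 minutes later
    records["www.example.test"] = Answer("198.51.100.20", 300)  # the site moved
    seen.append(cache.resolve("www.example.test"))              # stale if fixed TTL
    now[0] = 13 * 3600.0                                        # 13 hours later
    seen.append(cache.resolve("www.example.test"))
    return seen


if __name__ == "__main__":
    print("fixed 12 h TTL :", simulate_ip_change(False))
    print("server TTL     :", simulate_ip_change(True))
```

   With the fixed lifetime the cache keeps serving the old address for the
   whole 12 hours, which is the unreachable-website symptom Issue 8 reports.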
   Issue 16:    IWSVA 6.5 Service Pack 2 may stop unexpectedly and
                generate dump files while parsing special types of
                cookies.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 16:    [Critical Patch 1608] This patch enables IWSVA 6.5
   [SEGTT-336907]  Service Pack 2 to handle special types of cookies.

   Issue 17:    In IWSVA 6.5, administrators cannot retrieve reports for
                the last several days because the corresponding data
                have not been uploaded to the common log server.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 17: [Critical Patch 1608] This patch resolves the issue by
   (TT-336728)  enabling IWSVA 6.5 to regulate the size of the upload
                queue, which helps ensure that the log agent on clients
                can parse data more efficiently.

   Issue 18:    When migrating the configuration from the latest build
                of IWSVA 6.5 Service Pack 1, no HTTPS websites can be
                accessed.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 18: [Critical Patch 1608] This patch updates the
   (TT-337176)  configuration of SSL methods to fix this issue.

   Issue 19:    A race condition between the appd daemon and the kernel
                prevents clients from connecting to the Internet in
                proxy mode.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 19: [Hotfix 1609] This patch enables users to allow only
   (TT-332780)  the HTTP scanning daemon to handle application control.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Procedure 19: To allow only the HTTP scanning daemon to handle
                 application traffic:
   a. Install this patch (see "Installation").
   b. Open the "intscan.ini" file in the "/etc/iscan/" folder.
   c. Locate or add the "enable_appd_daemon" key in the "app-control"
      section and set its value to "no".

      [app-control]
      enable_appd_daemon=no

   d. Save the changes and close the file.
   e. Restart the appd daemon by running the following command:
      /usr/iwss/S99ISappd restart

   Issue 20:    Under certain conditions, when users add a period "."
                to an organizational unit (OU) in the "Base
                distinguished name" Active Directory (AD) setting and
                save the configuration, a "DC=" string is inserted
                instead.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 20: [Hotfix 1612] This patch ensures that the correct
   (TT-337279)  setting is saved in the
                "http_config_user_idetification.jsp" file.

   Issue 21:    An issue related to how IWSVA receives HTTP data causes
                high CPU usage.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 21: [Hotfix 1612] This patch resolves the issue.
   (TT-337061)

   Issue 22:    When IWSVA generates reports based on an LDAP group
                whose name starts with the "&" token, the reports do
                not display any information.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 22: [Hotfix 1612] This patch ensures that these reports
   (TT-338606)  display complete and accurate information.

   Issue 23:    Users receive blank pattern update notifications from
                IWSVA.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 23: [Hotfix 1613] This patch ensures that pattern update
   (TT-339400)  notifications from IWSVA contain complete and accurate
                information.

   Issue 24:    Email notifications from IWSVA 6.5 Service Pack 2 are
                not displayed correctly because IWSVA cannot recognize
                and parse the "\n" characters.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 24: [Hotfix 1616] This patch ensures that IWSVA can
   (TT-341216)  correctly recognize and handle "\n" as a line break.

   Issue 25:    A line in the Diagnostic Tool script file causes the
                FTP download test to fail.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 25: [Hotfix 1616] This patch resolves the issue to ensure
   (TT-335781)  that the Diagnostic Tool can perform the FTP download
                test correctly.

   Issue 26:    Users may not be able to access certain HTTPS websites
                through IWSVA when the HTTPS decryption feature is
                enabled.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 26: [Hotfix 1617] This patch ensures that users can access
   (TT-338216)  HTTPS websites normally when HTTPS decryption is
                enabled.

   Issue 27:    When users download a file to the computer and the
                "Scan before delivery" option is enabled, the download
                process stops unexpectedly and the file is not saved.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 27: [Hotfix 1617] This patch updates the way IWSVA 6.5
   (TT-339799)  Service Pack 2 determines whether a download has
                completed when the "Scan before delivery" option is
                enabled. This helps ensure that users can download
                files normally under this scenario.

   Issue 28:    An issue related to how the REST APIs of the following
                functions receive parameters from users may leave the
                computer vulnerable to remote code execution attacks.
                - testConfiguration function
                - wmi_domain_controllers function
                - domains
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 28: [Hotfix 1618] This patch safeguards against remote code
   (TT-338692,  execution attacks by enabling IWSVA to enclose input
   TT-338693,   parameters in double quotation marks and to skip
   TT-338695)   special characters inside these parameters.

   Issue 29:    An issue prevents ixEngine from identifying the upload
                protocol of Google Drive and DropBox, which prevents
                IWSVA from blocking these programs using Application
                Control.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 29: [Hotfix 1618] This patch adds new protocols to ixEngine
   (TT-343197)  to enable it to block these specific programs.

   Issue 30:    The "X-Infection-Found:" header in ICAP responses is
                followed by two space characters.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 30: [Hotfix 1619] This patch removes the extra space
   (TT-343676)  character so that the "X-Infection-Found:" header in
                ICAP responses is followed by a single space character.
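   An added example (not IWSVA code) of the mitigation Solution 28
   above describes: a user-supplied REST parameter is enclosed in
   double quotation marks with the characters that remain special
   inside them escaped, and a parameter with a known strict format
   (a domain controller host name) is allow-list validated first. The
   command name "dc_lookup" and the parameter names are placeholders
   for this example; the last helper runs the quoted value through
   /bin/sh to confirm it arrives as one intact argument.

```python
"""Added example (not IWSVA code) of the quoting-and-escaping mitigation that
Solution 28 describes for REST parameters that end up on a command line.
'dc_lookup' and the option names below are placeholders, not IWSVA tools."""
import re
import subprocess

# Inside POSIX double quotes only these four characters keep a special meaning:
# backslash, double quote, dollar sign and backtick. Everything else is literal.
_DQ_SPECIAL = re.compile(r'([\\"$`])')

# Allow-list for parameters that must be a host name (e.g. a domain controller):
# letters, digits, dots and hyphens only, up to the DNS limit of 253 characters.
_HOSTNAME = re.compile(r'^[A-Za-z0-9][A-Za-z0-9.\-]{0,252}$')


def quote_double(value: str) -> str:
    """Wrap value in double quotes, escaping \\ " $ and ` with a backslash.

    Line breaks and NUL are refused rather than quoted: a newline inside a
    parameter can end a command in contexts that do not honour quoting."""
    if "\n" in value or "\r" in value or "\0" in value:
        raise ValueError("control characters are not allowed in a parameter")
    return '"' + _DQ_SPECIAL.sub(r'\\\1', value) + '"'


def validate_hostname(value: str) -> str:
    """Reject anything that is not a plain host name; returns it unchanged."""
    if not _HOSTNAME.match(value):
        raise ValueError(f"rejected host name parameter: {value!r}")
    return value


def build_lookup_command(domain_controller: str, ldap_filter: str) -> str:
    """Assemble a command line from REST parameters the safe way: validate
    where a strict format exists, and quote every value regardless."""
    dc = validate_hostname(domain_controller)
    return (f"dc_lookup --server {quote_double(dc)} "
            f"--filter {quote_double(ldap_filter)}")


def shell_sees(value: str) -> str:
    """Pass quote_double(value) through /bin/sh and return the single argument
    the shell actually delivered, so the quoting can be checked end to end."""
    command = "printf '%s' " + quote_double(value)
    done = subprocess.run(["sh", "-c", command], capture_output=True,
                          text=True, check=True)
    return done.stdout


if __name__ == "__main__":
    print(build_lookup_command("dc1.example.test", "(cn=a b)"))
    sample = 'a;b $(echo hi) `date` "q" \\ | y'   # constructed awkward input
    print("shell received exactly the input:", shell_sees(sample) == sample)
```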
   Issue 31:    Users cannot access HTTPS websites on non-standard ports
                through IWSVA when both the upstream proxy and the
                content cache are enabled.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 31: [Hotfix 1621] This patch ensures that users can access
   (TT-341162)  HTTPS websites on non-standard ports through IWSVA when
                both the upstream proxy and the content cache are
                enabled.

   Issue 32:    Ransomware detections are not displayed on the web
                console.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 32: [Hotfix 1622] This patch ensures that the total number
   (TT-346050)  of ransomware detections is displayed on the Dashboard
                of the web console.

   Issue 33:    The link for syncing Mozilla(TM) certificate authorities
                (CA) is out of date, which prevents IWSVA from syncing
                certificates.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 33: This patch updates the link to make sure that IWSVA can
                sync the Mozilla CA list successfully.

   Issue 34:    The "Enable FTP scanning" button is not greyed out
                automatically in ICAP and reverse proxy modes, although
                this feature is not supported in these modes.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 34: This patch enables IWSVA to grey out the "Enable FTP
   (TT-345130)  scanning" button on the FTP pages in ICAP and reverse
                proxy modes.

   Issue 35:    IWSVA uses an HTTP channel by default for ActiveUpdate
                (AU).
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 35: This patch changes the default AU upgrade channel to an
                HTTPS channel.

   Issue 36:    The website option of the Global approved and blocked
                lists requires an enhancement.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 36: This patch enables users to configure IWSVA to add two
   (TT-342336)  entries, covering both the domain and its subdomains,
                to the Global approved and blocked lists when the
                website option is enabled.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Procedure 36: To enable this feature:
   a.
      Install this patch (see "Installation").
   b. Open the "intscan.ini" file in "/etc/iscan/" and add the
      following key in the "URL-blocking" section.

      [URL-blocking]
      convertDomain=yes

   c. Save the changes and close the file.
   d. Restart Tomcat(TM) by running the following command:
      /etc/iscan/S99IScanHttpd restart
   e. Clear the web browser cache.

   Issue 37:    IWSVA does not record access logs when the network
                connection is interrupted unexpectedly.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 37: This patch enables users to configure IWSVA to record
                an access log entry each time it detects that the
                network connection was interrupted unexpectedly.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Procedure 37: To enable IWSVA to record an access log entry each
                 time it detects that the network connection was
                 interrupted unexpectedly:
   a. Install this patch (see "Installation").
   b. Open the "IWSSPIProtocolHttpProxy.pni" file in "/etc/iscan/" and
      add the following key in the "http" section.

      [http]
      enable_interrupted_log=yes

   c. Save the changes and close the file.
   d. Restart Tomcat by running the following command:
      /etc/iscan/S99IScanHttpd restart
   e. Clear the web browser cache.

   Issue 38:    The web browser uses the CONNECT method to notify IWSVA
                that it will send an HTTPS request for a specific
                website. Usually the CONNECT method carries only the
                host name; in special environments, however, it
                carries several extra headers such as
                "X-FORWARDED-FOR" and some custom-built headers. A
                user requested a way to make IWSVA record logs for
                these requests that can be differentiated according
                to the headers used in the CONNECT method.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 38: This patch provides a "customized text-based log"
                feature that can include selected HTTP headers of the
                CONNECT method in the log files.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Procedure 38: To enable this feature:
   a. Install this patch (see "Installation").
   b.
      Disable HTTPS decryption in the IWSVA web console.
   c. Enable the text log and specify the header names that should
      appear in the log format setting. For example:

      log_format=%a|%u|%H|%{ca_forwarded_for}h|%{x_forwarded_for}h|
      %{recv_request_begin}t|%{host}h|%r|%s|%{downstream_payload}p|
      %{handle_time}l|%n|%w|%m|%{name}f|%{size}f

      Note: This setting enables IWSVA to log the header value of
            requests that carry the "x_forwarded_for" or
            "ca_forwarded_for" header. The header name is case
            insensitive and "_" is treated as "-".

   d. Open the "log_format.ini" file in "/etc/iscan/" and set
      "enable_text_based_log=yes" under the "text_log" section.
   e. Save the changes and close the file.
   f. Reload the daemon by running the following command:
      $ /etc/iscan/S99ISproxy reload
   g. Check the log files in IWSVA. By default the log files are
      located at "/var/textlog/customized_access*".

   Issue 39:    The IWSVA SOCKS proxy server does not support
                authentication and XML firewalling.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 39: This patch switches the SOCKS proxy from "ssh" to
                "antinat" to enable it to support authentication and
                XML firewalling.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Procedure 39: To enable this feature:
   a. Install this patch (see "Installation").
   b. Enable the SOCKS proxy by adding the following lines in
      "/etc/iscan/network.ini":

      socks5_proxy_enabled=yes
      socks5_proxy_port=1080

   c. Specify the other settings.
      - To enable authentication for requests, for example:
           socks5_auth_enable=yes
      - To specify the username and password for authentication,
        separating each user with ";", for example:
           socks5_auth_users=testuser/testpassword;testuser2/testpassword2
      - To specify the destination ports to block, separating each
        port with ";", for example:
           socks5_reject_dstport=443;8443
      - To specify the default action of the SOCKS proxy, for example:
           default_allow_action=yes
        Notes:
        - "yes" means the default action is "allow"; use it together
          with the "socks5_reject_srcip" setting.
        - "no" means the default action is "reject"; use it together
          with the "socks5_allow_srcip" setting.
      - To specify the source IP ranges to block, for example:
           socks5_reject_srcip=172.16.0.0/12;127.0.0.1/32
      - To specify the source IP ranges to allow, for example:
           socks5_allow_srcip=172.16.0.0/12;127.0.0.1/32
   d. Save the changes and close the file.
   e. Restart the SOCKS proxy service by running the following
      command:
      $ /etc/iscan/S99ISsocks5 restart

   Issue 40:    IWSVA does not list all websites that require client
                certificates.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 40: This patch provides a way to configure IWSVA to list
                all websites that require client certificates and
                allows users to configure whether it should tunnel or
                block these websites.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Procedure 40: To enable this feature:
   a. Install this patch (see "Installation").
   b. Open the "intscan.ini" file in "/etc/iscan/" and add the
      following key in the "https-scanning" section.

      [https-scanning]
      clientcert_handling_enhance=yes

   c. Save the changes and close the file.
   d. Restart Tomcat by running the following command:
      /etc/iscan/S99IScanHttpd restart
   e. Clear the web browser cache.

   Issue 41:    IWSVA does not support high availability (HA) in
                forward proxy mode.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 41: This patch provides a way for users to enable IWSVA to
                support active/active HA mode and active/standby HA
                mode in forward proxy mode.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Procedure 41: To enable IWSVA to support active/active HA mode and
                 active/standby HA mode in forward proxy mode:
   a. Install this patch (see "Installation").
   b. Open the "intscan.ini" file in "/etc/iscan/" and add the
      following lines.

      [HaProxy]
      enable=1

   c. Save the changes and close the file.
   d. Restart Tomcat by running the following command:
      /etc/iscan/S99IScanHttpd restart
   e. Clear the web browser cache.

   Issue 42:    IWSVA does not support a customized ip-user cache TTL
                for specific usernames.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 42: This patch enables users to customize the ip-user cache
                TTL for specific usernames.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Procedure 42: To customize the ip-user cache TTL for specific
                 usernames:
   a. Install this patch (see "Installation").
   b. Set the number of users that will be configured with a custom
      ip-user cache TTL by adding the following lines in
      "/usr/iwss/commonldap/LdapCache.ini":

      [CustomTTL]
      UserNum=x

      Note: The maximum value of "UserNum" is 64.

   c. Add one "User_N" section per user, where the suffix N starts at
      "0" and increases by one, each holding the username and its TTL.
      For example:

      [User_0]
      username=domain1\username1
      TTL=90

      [User_1]
      username=domain2\username2
      TTL=30

      Note: Use the full "domain\username" format to set the username.

   d. Save the changes and close the file.
   e. Restart IWSVA by running the following commands:
      $ /etc/iscan/S99ISAuthDaemon stop
      $ /etc/iscan/S99ISproxy stop
      $ rm /usr/iwss/commonldap/.authentication_cache.dat
      $ /etc/iscan/S99ISAuthDaemon start
      $ /etc/iscan/S99ISproxy start

   Issue 43:    Some environments use several LDAP servers and need a
                customized notification page for users from each
                domain.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 43: This patch enables users to customize the notification
                page for each domain.

   Issue 44:    IWSVA does not support Full Kerberos Authentication.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 44: This patch provides a way to enable IWSVA to support
                Full Kerberos Authentication.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Procedure 44: To enable IWSVA to support Full Kerberos
                 Authentication:
   a. Install this patch (see "Installation").
   b. Open the "intscan.ini" file in "/etc/iscan/" and add the
      following key in the "user-identification" section.

      [user-identification]
      enable_full_kerberos_feature=yes

   c. Save the changes and close the file.
   d. Restart Tomcat by running the following command:
      /etc/iscan/S99IScanHttpd restart
   e. Clear the web browser cache.

   Issue 45:    Users cannot disable autoswitch for SPS.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 45: This patch allows users to disable SPS autoswitch.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Procedure 45: To disable SPS autoswitch:
   a. Install this patch (see "Installation").
   b. Open the "intscan.ini" file in "/etc/iscan/" and add the
      following key in the "Scan-configuration" section.

      [Scan-configuration]
      enable_auto_switch=0

   c. Save the changes and close the file.
   d. Reload the daemon by running the following command:
      /etc/iscan/S99ISproxy reload

   Issue 46:    When the "scan before delivery" option is enabled,
                users are warned of space characters in the "tmpfs"
                file in "/var/iwss/tmp/".
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 46: This patch updates the mechanism of the "scan before
   (TT-339805)  delivery" option to resolve this issue.

9. Files Included in this Release
======================================================================
   Filename                                                 Build No.
   ===================================================================
   libdaemon.so                                             1765
   svcmonitor                                               1765
   isdelvd                                                  1765
   libproductbase.so                                        1765
   ftp_config_action.jsp                                    1765
   ftp_config_dlp.jsp                                       1765
   ftp_config_exception.jsp                                 1765
   ftp_config_spyware.jsp                                   1765
   libProductLibrary.so                                     1765
   IWSSPIDpi.so                                             1765
   appd                                                     1765
   AutoSetupAlchemySettings                                 1765
   northamerica                                             1765
   config_backup_popup.jsp                                  1765
   client.py                                                1765
   urlblocking.jsp                                          1765
   server.xml                                               1765
   IWSSPIUrlFilter.so                                       1765
   dtasagent                                                1765
   urlf_policy_list.jsp                                     1765
   custom_defense.jsp                                       1765
   support.jsp                                              1765
   support_capture_packet.jsp                               1765
   support_diagnostic_tool.jsp                              1765
   support_verbose_log.jsp                                  1765
   upload_sample_sizing.jsp                                 1765
   risk_level.jsp                                           1765
   IWSSPIScanVsapi.so                                       1765
   query_blacklist.py                                       1765
   query_ddi_blacklist.py                                   1765
   S99ISdtasd                                               1765
   test_connection.py                                       1765
   get_sandbox_feedback_blacklists.xml                      1765
   IWSSGui.jar                                              1765
   libhttpproxy.so                                          1765
   LDAPTest                                                 1765
   left.jsp                                                 1765
   ha_proxy_active_active.jsp                               1765
   upload_sample_sizing.jsp                                 1765
   uihelper                                                 1765
   beuihelper                                               1765
   cmd_check.json                                           1765
   dw_cluster_setting.jsp                                   1765
   dw_cluster_join.jsp                                      1765
   top.jsp                                                  1765
   system_dashboard.jsp                                     1765
   switchRole.jsp                                           1765
   summary_hardware_status.jsp                              1765
   staticRoutes.jsp                                         1765
   staticRouteEdit.jsp                                      1765
   SSHConfig.jsp                                            1765
   shutdown_progress.jsp                                    1765
   restart_sw_progress.jsp                                  1765
   replication_config.jsp                                   1765
   reboot_progress.jsp                                      1765
   modify_cluster_management.jsp                            1765
   mgmt_ipConfig.jsp                                        1765
   mail_config_spam.jsp                                     1765
   mail_config_scan.jsp                                     1765
   mail_config_proxy.jsp                                    1765
   http_config_captive_portal.jsp                           1765
   ha_proxy_active_standby.jsp                              1765
   data_ipConfig.jsp                                        1765
   config_date_time.jsp                                     1765
   cluster_management_change_weight.jsp                     1765
   cluster_management.jsp                                   1765
   bandwidth_control_get_status.jsp                         1765
   admin_patch_mgmt2.jsp                                    1765
   admin_patch_mgmt.jsp                                     1765
   timezone.jsp                                             1765
   ftp_clientip.jsp                                         1765
   access_control_settings.jsp                              1765
   migration.sh                                             1765
   migration.ini                                            1765
   libHTTPSDecryption.so                                    1765
   custom_category_url_add.jsp                              1765
   urlfcMapping.ini                                         1765
   rb_java_urlf.txt                                         1765
   tmpstring.js                                             1765
   libuiauutil.so
                                                            1765
   statser2.py                                              1765
   rule_file_va6.5sp2_to_va6.5sp2.xml                       1765
   cmd_check.json                                           1765
   libicap.so                                               1765
   libtmctl.so.2.5.1029                                     1765
   libtmdata.so.2.5.1029                                    1765
   libtmengine.so.2.5.1029                                  1765
   libtmfilter.so.2.5.1029                                  1765
   libtmsecurity.so.2.5.1029                                1765
   libtmspn.so.2.5.1029                                     1765
   libftp.so                                                1765
   libiwsshelper.so                                         1765
   iptables-1.4.16.3.tgz                                    1765
   kernel-lt-3.10.104-1.el6.elrepo.x86_64.rpm               1765
   wccp_ipv6.sh                                             1765
   urlfcMapping.ini                                         1765
   i18n_log_dynamic.js                                      1765
   libhttpproxy.so                                          1765
   libuiauutil.so                                           1765
   httpsdecrypt_client_certificate_handling.jsp             1765
   https_clientcertificate_decrypt.jsp                      1765
   HttpsClientCertDecryp.ini                                1765
   cmd_check.json                                           1765
   report_logsetting.jsp                                    1765
   report_logsetting.js                                     1765
   IWSSPIDlpFilter.so                                       1765
   lang.js                                                  1765
   kernel-2.6.32-504.OpenVA.3.5.1375.el6.x86_64.rpm
   kernel-devel-2.6.32-504.OpenVA.3.5.1375.el6.x86_64.rpm
   kernel-firmware-2.6.32-504.OpenVA.3.5.1375.el6.x86_64.rpm
   kernel-headers-2.6.32-504.OpenVA.3.5.1375.el6.x86_64.rpm
   lanbypass-comps-3.5.1375-0.el6.x86_64.rpm
   openva-extra-drivers-3.5-1375.el6.x86_64.rpm
   OpenVA-kmodules-3.5.1375-0.el6.x86_64.rpm
   ssl-acc-adapter-3.5.1375-6.x86_64.rpm
   IWSSPIJavascan.so                                        1765
   IWSSPINcie.so                                            1765
   IWSSPISigScan.so                                         1765
   allwidgets.json                                          1765
   log_agent.ini                                            1765
   iwss_log_converter.py                                    1765
   logFilteringByHits.py                                    1765
   common_id.py                                             1765
   syncclientcert.sh                                        1765
   HttpsClientCertTunnelDomains.ini                         1765
   https_clientcertificate_tunneling.jsp                    1765
   libHTTPSDecryption.so                                    1765
   lg_remove_old_clientcert.sql
   ui_GetDiffCountsLogClientCertificateOnedayuser.sql
   ui_GetDiffLogClientCertificate.sql
   ui_GetCountsLogClientCertificatedomain.sql
   ui_GetDiffCountsLogClientCertificateSevendaydomain.sql
   ui_GetDiffLogClientCertificateuserdomain.sql
   ui_GetCountsLogClientCertificateOnedaydomain.sql
   ui_GetDiffCountsLogClientCertificateSevenday.sql
   ui_GetDiffLogClientCertificateuser.sql
   ui_GetCountsLogClientCertificateOneday.sql
   ui_GetDiffCountsLogClientCertificateSevendayuserdomain.sql
   ui_GetLogClientCertificatedomain.sql
   ui_GetCountsLogClientCertificateOnedayuserdomain.sql
   ui_GetDiffCountsLogClientCertificateSevendayuser.sql
   ui_GetLogClientCertificateOnedaydomain.sql
   ui_GetCountsLogClientCertificateOnedayuser.sql
   ui_GetDiffCountsLogClientCertificate.sql
   ui_GetLogClientCertificateOneday.sql
   ui_GetCountsLogClientCertificateSevendaydomain.sql
   ui_GetDiffCountsLogClientCertificateuserdomain.sql
   ui_GetLogClientCertificateOnedayuserdomain.sql
   ui_GetCountsLogClientCertificateSevenday.sql
   ui_GetDiffCountsLogClientCertificateuser.sql
   ui_GetLogClientCertificateOnedayuser.sql
   ui_GetCountsLogClientCertificateSevendayuserdomain.sql
   ui_GetDiffLogClientCertificatedomain.sql
   ui_GetLogClientCertificateSevendaydomain.sql
   ui_GetCountsLogClientCertificateSevendayuser.sql
   ui_GetDiffLogClientCertificateOnedaydomain.sql
   ui_GetLogClientCertificateSevenday.sql
   ui_GetCountsLogClientCertificate.sql
   ui_GetDiffLogClientCertificateOneday.sql
   ui_GetLogClientCertificateSevendayuserdomain.sql
   ui_GetCountsLogClientCertificateuserdomain.sql
   ui_GetDiffLogClientCertificateOnedayuserdomain.sql
   ui_GetLogClientCertificateSevendayuser.sql
   ui_GetCountsLogClientCertificateuser.sql
   ui_GetDiffLogClientCertificateOnedayuser.sql
   ui_GetLogClientCertificate.sql
   ui_GetDiffCountsLogClientCertificatedomain.sql
   ui_GetDiffLogClientCertificateSevendaydomain.sql
   ui_GetLogClientCertificateuserdomain.sql
   ui_GetDiffCountsLogClientCertificateOnedaydomain.sql
   ui_GetDiffLogClientCertificateSevenday.sql
   ui_GetLogClientCertificateuser.sql
   ui_GetDiffCountsLogClientCertificateOneday.sql
   ui_GetDiffLogClientCertificateSevendayuserdomain.sql
   ui_GetDiffCountsLogClientCertificateOnedayuserdomain.sql
   ui_GetDiffLogClientCertificateSevendayuser.sql
   i18n_warnmsg.js                                          1765
   web.xml                                                  1765
   iwsvafw.sh                                               1765
   ui_AddHaProxyDevice.sql                                  1765
   ui_AddHaProxyEvent.sql                                   1765
   ui_DeleteHaProxyAllDevice.sql                            1765
   ui_DeleteHaProxyDevice.sql                               1765
   ui_DeleteHaProxyEvent.sql                                1765
   ui_GetHaProxyDevice.sql                                  1765
   ui_GetHaProxyDeviceCount.sql                             1765
   ui_GetHaProxyDeviceList.sql                              1765
   ui_GetHaProxyEventList.sql                               1765
   libcommoncache.so                                        1765
   jscan.jar
                                                            1765
   libIWSSAuthClient.so                                     1765
   create_krb5.sh                                           1765
   AuthDaemon                                               1765
   LdapSyncTool                                             1765
   libcommonldap.so                                         1765
   test_configure                                           1765
   http_config_user_idetification.jsp                       1765
   ldapUtil.js                                              1765
   iwsvaAdmin.properties                                    1765
   ransomware_dashboard.jsp                                 1765
   iwsvaHttp.properties                                     1765
   dashboard.html                                           1765
   ca_converter.py                                          1765
   urlblocking.jsp                                          1765
   trustedurl.jsp                                           1765
   commonurllist.js                                         1765
   DiagnosticTool.sh                                        1765
   ConfigCMP.py                                             1765
   diagnostic_tool.ini                                      1765
   httpsdecrypt_ssl_method.jsp                              1765
   LDAP_query_handler.py                                    1765
   email_sender.py                                          1765
   FtpDownload.sh                                           1765
   libtmprotocols.so.2003317                                1765
   cache_helper.sh                                          1765
   rcIwss                                                   1765
   IWSVA_6.5-SP1_Linux.tar                                  1765
   wccpd_monitor.py                                         1765
   report_task.py                                           1765
   report_template.py                                       1765
   notifications_smtp.jsp                                   1765
   email_sender_logging.ini                                 1765
   libtmuseng.so.1.0.1013                                   1765
   db_table_convert_6.5sp1_to_6.5sp2.py                     1765
   agent_config.py                                          1765
   rule_file_va6.5sp1_to_va6.5sp2.xml                       1765
   iwss-process                                             1765
   S99ISproxy                                               1765
   CollectProductInfo.sh                                    1765
   CDT_Config.ini                                           1765
   ftp_config_action.jsp                                    1765
   ftp_config_dlp.jsp                                       1765
   ftp_config_exception.jsp                                 1765
   ftp_config_spyware.jsp                                   1765
   report_action.jsp                                        1765
   report_action.js                                         1765
   report_engine.py                                         1765
   report_config.py                                         1765
   report_config.ini                                        1765
   dashboard_settings.js                                    1765
   S99ISappd                                                1765
   ADAutoDetect                                             1765
   tmskynet.crt                                             1765
   libProductLibrary.so                                     1765
   AutoSetupAlchemySettings                                 1765
   northamerica                                             1765
   config_backup_popup.jsp                                  1765
   dtasagent                                                1765
   lg_remove_old_ha_event.sql                               1765
   DbOldDataCleanup                                         1765
   select_users_groups.js                                   1765
   urlf_policy_list.jsp                                     1765
   custom_defense.jsp                                       1765
   support.jsp                                              1765
   support_capture_packet.jsp                               1765
   support_diagnostic_tool.jsp                              1765
   support_verbose_log.jsp                                  1765
   upload_sample_sizing.jsp                                 1765
   risk_level.jsp                                           1765
   query_blacklist.py                                       1765
   query_ddi_blacklist.py                                   1765
   S99ISdtasd                                               1765
   test_connection.py                                       1765
   get_sandbox_feedback_blacklists.xml                      1765
   nginx                                                    1765
   LDAPTest                                                 1765
   uihelper                                                 1765
   beuihelper                                               1765
   cmd_check.json                                           1765
   dw_cluster_setting.jsp                                   1765
   dw_cluster_join.jsp                                      1765
   top.jsp                                                  1765
   system_dashboard.jsp                                     1765
   switchRole.jsp                                           1765
   summary_hardware_status.jsp                              1765
   staticRoutes.jsp                                         1765
   staticRouteEdit.jsp                                      1765
   SSHConfig.jsp                                            1765
   shutdown_progress.jsp                                    1765
   restart_sw_progress.jsp                                  1765
   replication_config.jsp                                   1765
   reboot_progress.jsp                                      1765
   modify_cluster_management.jsp                            1765
   mgmt_ipConfig.jsp                                        1765
   mail_config_spam.jsp                                     1765
   mail_config_scan.jsp                                     1765
   mail_config_proxy.jsp                                    1765
   http_config_captive_portal.jsp                           1765
   data_ipConfig.jsp                                        1765
   config_date_time.jsp                                     1765
   cluster_management_change_weight.jsp                     1765
   cluster_management.jsp                                   1765
   bandwidth_control_get_status.jsp                         1765
   admin_patch_mgmt2.jsp                                    1765
   admin_patch_mgmt.jsp                                     1765
   timezone.jsp                                             1765
   ftp_clientip.jsp                                         1765
   access_control_settings.jsp                              1765
   migration.sh                                             1765
   migration.sh                                             1765
   migration.ini                                            1765
   custom_category_url_add.jsp                              1765
   rb_java_urlf.txt                                         1765
   statser2.py                                              1765
   libtmctl.so.2.5.1029                                     1765
   libtmdata.so.2.5.1029                                    1765
   libtmengine.so.2.5.1029                                  1765
   libtmfilter.so.2.5.1029                                  1765
   libtmsecurity.so.2.5.1029                                1765
   libtmspn.so.2.5.1029                                     1765
   bifconnect                                               1765
   urlfcMapping.ini                                         1765
   iptables-1.4.16.3.tgz                                    1765
   kernel-lt-3.10.104-1.el6.elrepo.x86_64.rpm               1765
   wccp_ipv6.sh                                             1765
   i18n_log_dynamic.js                                      1765
   https_clientcertificate_decrypt.jsp                      1765
   HttpsClientCertDecryp.ini                                1765
   socks_load_crond.sh                                      1765

10. Contact Information
======================================================================
   A license to Trend Micro software usually includes the right to
   product updates, pattern file updates, and basic technical support
   for one (1) year from the date of purchase only. After the first
   year, you must renew Maintenance on an annual basis at Trend Micro's
   then-current Maintenance fees.

   Contact Trend Micro via fax, phone, or email, or visit our website
   to download evaluation copies of Trend Micro products.

   http://www.trendmicro.com/us/about-us/contact/index.html

   NOTE: This information is subject to change without notice.

11.
About Trend Micro
======================================================================
   Smart, simple, security that fits

   As a global leader in IT security, Trend Micro develops innovative
   security solutions that make the world safe for businesses and
   consumers to exchange digital information.

   Copyright 2017, Trend Micro Incorporated. All rights reserved.

   Trend Micro, InterScan, and the t-ball logo are trademarks of
   Trend Micro Incorporated and are registered in some jurisdictions.
   All other marks are the trademarks or registered trademarks of
   their respective companies.

12. License Agreement
======================================================================
   View information about your license agreement with Trend Micro at:
   http://www.trendmicro.com/us/about-us/legal-policies/license-agreements

   Third-party licensing agreements can be viewed:
   - By selecting the "About" option in the application user interface
   - By referring to the "Legal" page of the Administrator's Guide