Trend Micro Incorporated                                    August 7th, 2017
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Trend Micro(TM) Deep Discovery Email Inspector 2.6 - GM
English - Linux - 64 Bits
Critical Patch Build 1324
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Contents
==============================================================================
1. Critical Patch Release Information
   1.1 Resolved Known Issues
   1.2 Enhancements
2. Documentation Set
3. System Requirements
4. Installation
   4.1 Installing
   4.2 Uninstalling
5. Post-installation Configuration
6. Known Issues
7. Release History
   7.1 Prior Hotfixes
8. Contact Information
9. About Trend Micro
10. License Agreement
==============================================================================

1. Critical Patch Release Information
==============================================================================

1.1 Resolved Known Issues
============================================================================
This Critical Patch resolves the following issue(s):

Issue 1: The wvWare third-party tool Deep Discovery Email Inspector uses to analyze old versions of Microsoft(TM) Office(TM) files contains a potential vulnerability.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 1: This critical patch removes the wvWare tool and upgrades the Apache POI - the Java API for Microsoft Documents tool to support old versions of Office files.

Issue 2: The "Message Tracing" page of the Deep Discovery Email Inspector is affected by Cross-Site Scripting (XSS) vulnerabilities.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 2: This critical patch resolves the XSS vulnerability.

Issue 3: After updating or rolling back the SAL pattern from the ActiveUpdate (AU) server, Deep Discovery Email Inspector does not reload the new pattern or restart the corresponding process.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 3: This critical patch ensures that Deep Discovery Email Inspector reloads the SAL pattern immediately after the pattern has finished updating or rolling back.

1.2 Enhancements
============================================================================
There are no enhancements for this Critical Patch release.

2. Documentation Set
==============================================================================
To download or view electronic versions of the documentation set for this product, go to http://docs.trendmicro.com

- Online Help: The Online Help contains an overview of features and key concepts, and information on configuring and maintaining the product.
  To access the Online Help, go to http://docs.trendmicro.com

- Installation Guide (IG): The Installation Guide contains information on requirements and procedures for installing and deploying the product.

- Administrator's Guide (AG): The Administrator's Guide contains an overview of features and key concepts, and information on configuring and maintaining the product.

- Getting Started Guide (GSG): The Getting Started Guide contains product overview, installation planning, installation and configuration instructions, and basic information intended to get the product 'up and running'.

- Support Portal: The Support Portal contains information on troubleshooting and resolving known issues.
  To access the Support Portal, go to http://esupport.trendmicro.com

3. System Requirements
==============================================================================
1. Trend Micro Deep Discovery Email Inspector 2.6 GM Build 1298 - English - Linux - x64

4. Installation
==============================================================================
This section explains key steps for installing the Critical Patch.

4.1 Installing
============================================================================
To install:

1. Click "Administration > Product Updates > Hot Fixes / Patches". The "Install Hot Fix / Patch" screen appears.
2. Click "Browse" and select the "ddei_26_lx_en_criticalpatch_b1324.tgz.tar" hotfix file.
3. Click "Install".
4. Verify that the hotfix has been installed successfully.
   a. Click "Administration > Product Updates > Hot Fixes / Patches". In the "History" table, check if the "Build" is "1324" and "Description" is "Hot Fix 1324".
   b. Choose the "About" option under "Help".
   c. Verify that the "Hot fix" number on the "About" page is "1324".
5. Clean the web browser cache.

NOTES:
* The program version for the device will NOT change after applying this hotfix.
* Deep Discovery Email Inspector 2.6 GM restarts automatically after installing this hotfix.

4.2 Uninstalling
============================================================================
To roll back to the previous build:

1. Click "Administration > Product Updates > Hot Fixes / Patches". The "Hot Fixes / Patches" screen appears.
2. Click "Roll Back".
3. Verify that the hotfix has been successfully uninstalled.
   a. After Deep Discovery Email Inspector restarts, verify that the hotfix number has been removed from the "About" screen on the management console.
   b. Click "Administration > Product Updates > Hot Fixes / Patches". The "History" table should be empty.

NOTE: Deep Discovery Email Inspector will restart automatically after hotfix uninstallation.

5. Post-installation Configuration
==============================================================================
No post-installation steps are required.

NOTE: Trend Micro recommends that you update your scan engine and virus pattern files immediately after installing the product.

6. Known Issues
==============================================================================
Known issues in this release:

#1 Known Issue: [Reported at: DDEI 2.5.1 Service Pack 1 B1118]
**Problem:** When only the "Connect to Smart Protection for Web Reputation Services" option is enabled on the Administration > Scanning / Analysis > Other Settings > Smart Protection screen, Deep Discovery Email Inspector does not perform connection tests for the following:
* Web Inspection Service
* Certified Safe Software Service
* Community File Reputation
**Solution:** On the Administration > Scanning / Analysis > Other Settings > Smart Protection screen, either clear the "Connect to Smart Protection for Web Reputation Services" checkbox or select both "Connect to Smart Protection for Web Reputation Services" and "Connect to global services using Smart Protection Server".

#2 Known Issue: [Reported at: DDEI 2.5.1 Service Pack 1 B1118]
**Problem:** If Web Reputation Service and Community File Reputation are unreachable using IPv4 addresses in a dual-stack network, the Administration > System Maintenance > Network Services Diagnostics screen still displays the final resolved IPv4 addresses for these services.

#3 Known Issue: [Reported at: DDEI 2.5.1 Service Pack 1 B1118]
**Problem:** When performing sandbox analysis using a Windows 10 image that requires higher system resources, the performance of Deep Discovery Email Inspector may be affected.
**Solution:** Trend Micro recommends evaluating the system load capacity on Deep Discovery Email Inspector before using a Windows 10 sandbox environment for analysis.

#4 Known Issue: [Reported at: DDEI 2.5.0 GM B1300]
**Problem:** Deep Discovery Email Inspector cannot receive incoming email messages from other IPv6 subnets if the "Hosts in the same address class" option is enabled on the Administration > Mail Settings > Limits and Exceptions screen.

#5 Known Issue: [Reported at: DDEI 2.5.0 GM B1300]
**Problem:** After daylight savings time changes to standard time on Deep Discovery Email Inspector, a duplicate time value appears on widgets.

#6 Known Issue: [Reported at: DDEI 2.5.0 GM B1300]
**Problem:** While operating in SPAN/TAP mode, Deep Discovery Email Inspector cannot capture VLAN traffic that is encapsulated by Cisco Inter-Switch Link (ISL) protocol.

#7 Known Issue: [Reported at: DDEI 2.5.0 GM B1300]
**Problem:** Deep Discovery Email Inspector is unable to import Virtual Analyzer images from an FTP server in active mode. Deep Discovery Email Inspector security does not allow this type of connection.
**Solution:** Trend Micro recommends using FTP servers in passive mode, or importing the Virtual Analyzer images through another method.

#8 Known Issue: [Reported at: DDEI 2.5.0 GM B1300]
**Problem:** Deep Discovery Email Inspector cannot read the subject of email messages in non-standard formats.
**Solution:** Trend Micro recommends only routing standard-formatted email messages. Most mail user agents cannot read email messages in non-standard formats.

#9 Known Issue: [Reported at: DDEI 2.5.0 GM B1300]
**Problem:** The time format in the following places does not change when "Date and time format" on the System Settings > Time page is changed.
1. "Last updated" time of each widget in "Dashboard > Add Widgets"
2. "Last update" time in widget preview screenshot
3. Time in email screenshot in "Detection" details.
**Solution:**
1. For the "Last updated" time of each widget, this is a limitation of the widget framework used in Deep Discovery Email Inspector to show time in a corresponding format.
2. For the "Last update" time in the widget preview screenshot, it cannot be changed because the preview screenshot is a picture.
3. For the time shown in the email screenshot, it is created by the third-party email client. The time format depends on the locale, not the user-defined time format.

#10 Known Issue: [Reported at: DDEI 2.5.0 GM B1300]
**Problem:** If there are more than 60 URLs in an email, some risky URLs in the email may not be rewritten to a link that redirects to a blocking or warning page, even if the same URLs have been rewritten.
**Solution:** By default, Deep Discovery Email Inspector extracts at most 60 URLs from an email for scanning. If any of the scanned URLs have a risk, they are rewritten to a link that redirects to a blocking or warning page. If the number of URLs in the email exceeds 60, some of the URLs are not rewritten because they were not extracted by Deep Discovery Email Inspector.

#11 Known Issue: [Reported at: DDEI 2.5.0 GM B1300]
**Problem:** In Deep Discovery Email Inspector 2.5, submission filters were changed to allow the user to select the specific file type groups to be analyzed. After upgrading from Deep Discovery Email Inspector 2.1, the specific file type group (which includes file types selected in Version 2.1) will be automatically selected to be analyzed. Afterward, the other file types that belong to the specific file type group will also be selected for analysis.
**Solution:** Re-configure "Submission Filters" in the "Administration > Scanning / Analysis > Virtual Analyzer > Settings" page to select the necessary file type groups.

#12 Known Issue: [Reported at: DDEI 2.5.0 GM B1300]
**Problem:** Deep Discovery Email Inspector cannot scan password-protected Office PowerPoint 2003 files.
**Solution:** The encryption of Office PowerPoint 2003 files is different from later versions, and this format cannot be decrypted.

#13 Known Issue: [Reported at: DDEI 2.5.0 GM B1300]
**Problem:** If the user enables "Connect to Smart Protection Server for Web Reputation Services" in the "Administration > Scanning / Analysis > Other Settings > Smart Protection" page, the internal Virtual Analyzer will not run the URL block reason query, Census query or the Certified Safe Software Service query. Additionally, it will not provide Smart Feedback.
**Solution:** This is the configuration of the internal Virtual Analyzer. The user can either disable "Connect to Smart Protection for Web Reputation Services" in the "Administration > Scanning / Analysis > Other Settings > Smart Protection" page or enable both "Connect to Smart Protection Server for Web Reputation Services" and "Connect to global services using Smart Protection Server" in the "Administration > Scanning / Analysis > Other Settings > Smart Protection" page.

#14 Known Issue: [Reported at: DDEI 2.5.0 GM B1300]
**Problem:** When integrated with Deep Discovery Analyzer, the final risk level of a malicious URL in Deep Discovery Email Inspector is different from the risk level in Deep Discovery Analyzer.
**Solution:** Deep Discovery Analyzer can support several different products with varying risk levels, so for Deep Discovery Email Inspector, the risk level for malicious URLs returned by Virtual Analyzer (whether the internal Virtual Analyzer or Deep Discovery Analyzer) will be downgraded one level.

#15 Known Issue: [Reported at: DDEI 2.5.0 GM B1300]
**Problem:** After upgrading from Deep Discovery Email Inspector 2.1 to 2.5, the web console cannot be redirected to the login page automatically. Additionally, the certificate of Deep Discovery Email Inspector will be changed, so the user needs to confirm and accept the new certificate.
**Solution:** Re-open the Deep Discovery Email Inspector web console and log in again.

#16 Known Issue: [Reported at: DDEI 2.5.0 GM B1300]
**Problem:** When the same email attachment is submitted under different file names, the analysis reports for the two attachments will have the same file name after being analyzed by Deep Discovery Analyzer.
**Solution:** Under its current specification, Deep Discovery Analyzer returns the cached analysis result for the same files or URLs to Deep Discovery Email Inspector.

#17 Known Issue: [Reported at: DDEI 2.5.0 GM B1300]
**Problem:** Under Microsoft Edge and IE10, there will be two delete icons at the end of the "Search" box in the "Dashboard > Add Widgets" page.
**Solution:** Microsoft IE10 and Edge create a delete icon for the "Search" box by default. However, the Widget Framework has already created another delete icon.

#18 Known Issue: [Reported at: DDEI 2.5.0 GM B1300]
**Problem:** Under the current specifications of Deep Discovery Email Inspector, Single-Sign-On from Control Manager is not supported under the HTTP protocol.
**Solution:** Log into the Control Manager web console using HTTPS protocol.

#19 Known Issue: [Reported at: DDEI 2.6.0 GM B1298]
When Deep Discovery Email Inspector connects to a proxy server that supports multiple HTTP authentication methods, some services (except ActiveUpdate and product license registration) may not function properly. On the Network Services Diagnostics screen, the service status becomes Unsuccessful.

#20 Known Issue: [Reported at: DDEI 2.6.0 GM B1298]
When a message contains more than one suspicious file attachment with the same SHA1 value, the Detections screen displays only one entry for the multiple file attachments.

#21 Known Issue: [Reported at: DDEI 2.6.0 GM B1298]
If the default gateway is configured on a network interface other than eth0 using CLISH, the web console does not display the current default gateway and DNS settings.

7. Release History
==============================================================================
For more information about updates to this product, go to: http://www.trendmicro.com/download

7.1 Prior Hotfixes
============================================================================
Only this hotfix was tested for this release. Prior hotfixes were tested at the time of their release.

[Hotfix 1321]

Enhancement 1: This hotfix adds a hidden page in the Deep Discovery Email Inspector 2.6 web console where users can generate Certificate Signing Requests (CSR).

Enhancement 2: This hotfix enables Deep Discovery Email Inspector to automatically send URLs under category 97 (Low Confidence or Low Prevalence URL) to Virtual Analyzer for further analysis.

Enhancement 3: This hotfix upgrades the Usandbox module to fix several issues, including hashcat coredump events and OSError exceptions.

[Hotfix 1315]

Issue 1: In the "Administration > System Settings" page, when the "Server address" field and "User name" field contain the special character "-", these settings may not take effect.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 1: This hotfix enables these fields to support the "-" character.

Issue 2: South Korean characters in email messages cannot be displayed properly in screenshots on the "Detection Details" page.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 2: This hotfix ensures that South Korean characters are captured and displayed normally in screenshots on the "Detection Details" page.

Issue 3: Under certain conditions, users cannot add accounts after restoring configuration files on Deep Discovery Email Inspector.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 3: This hotfix updates the backup/restore function to ensure that users can add accounts successfully after restoring configuration files.

Enhancement: This hotfix adds a switch in the Deep Discovery Email Inspector RDQA page to enable users to configure whether Deep Discovery Email Inspector RDQA should append its hostname to email addresses when it receives email messages with header addresses that do not contain an "@".

[Hotfix 1313]

Issue 1: In some situations, Deep Discovery Email Inspector (DDEI) incorrectly deletes or crashes sandbox instances by deleting the sandbox group. This issue occurs when customers use more than one sandbox group.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 1: This hotfix updates the usandbox to prevent this issue.

Issue 2: The "Message Tracing" module fails to parse the Postfix log when the log includes unfamiliar strings.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 2: This hotfix updates the parsing logic in the "Message Tracing" module to resolve this issue.

Issue 3: Administrators cannot set a zero (0) value for the "Timeout Setting" on the hidden page > "Password Analyzer Setting".
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 3: This hotfix resolves this issue by allowing zero (0) as a value in this configuration.

[Hotfix 1311]

Issue: Deep Discovery Email Inspector (DDEI) may not import some images after users apply Hotfix 1305 and succeeding builds.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution: This hotfix resolves this issue by upgrading some internal modules in DDEI.

[Hotfix 1309]

Issue: Deep Discovery Email Inspector may truncate quoted and href-tagged URLs that appear on multiple lines and are extracted from the Content-Type text/html part of an email message. These truncated URLs may increase the occurrence of false negatives. For example, the following URL in the href tag occupies two lines (using hxxp for demonstration):

    Content-Type: text/html; charset="utf-8"
    Content-Transfer-Encoding: 7bit
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution: This hotfix optimizes the URL scanning mechanism to prevent URL truncation under the scenario described above.

[Hotfix 1307]

Issue: When the password analyzer module compares given passwords against the password bank file, the passwords are converted to lowercase unexpectedly. When this happens, the module will not be able to match and delete passwords from the password bank files.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution: This hotfix helps prevent the password conversion to enable the password analyzer module to compare passwords without issues.

Enhancement 1: This hotfix enables the curl cookie engine with hyperlink for the URL filter.

Enhancement 2: This hotfix disables some weak ciphers for TLS-based services to prevent some possible vulnerabilities.

Enhancement 3: This hotfix updates the password analyzer module to improve the way it handles email messages.

[Hotfix 1305]

Issue 1: Virtual Analyzer reports generated for certain special samples may contain inaccurate information.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 1: This hotfix optimizes the report generation logic to ensure that Virtual Analyzer reports always contain complete and accurate information.

Issue 2: Deep Discovery Email Inspector still attempts to insert an end stamp to email messages that do not contain an email body.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 2: This hotfix prevents Deep Discovery Email Inspector from inserting an end stamp to email messages that do not have an email body.

Issue 3: Deep Discovery Email Inspector may not be able to scan PDF files that are encrypted with "document opening require password" or "require password for other actions" protection because it cannot distinguish these two types from each other.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 3: This hotfix enables Deep Discovery Email Inspector to distinguish between a PDF file that has been encrypted with "document opening require password" protection and one with "require password for other actions" protection.

Issue 4: Deep Discovery Email Inspector uses PBAgent to integrate with Deep Discovery Director. The current PBAgent version remains in downloading status if the current time is past the execution time.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 4: This hotfix updates PBAgent to solve this issue.

Issue 5: The "Policy > Exception > URL Keywords" page stops unexpectedly when users attempt to delete all the items from the list.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 5: This hotfix updates the frontend JavaScript to ensure that users can edit the URL keywords list without issues.

Enhancement 1: This hotfix increases the limit on the number of records that Deep Discovery Email Inspector can send out in each message from 256 to 512 records.

Enhancement 2: This hotfix upgrades the Usandbox module to fix several issues and enable it to support Microsoft(TM) Windows(TM) 10 Build 1607 (RedStone 1).

Enhancement 3: This hotfix adds an rdqa page where users can remove seldom-used logs from the debug log CDT package.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Procedure 3: To remove seldom-used debug logs from the debug log CDT package:

a. Install this hotfix (see "Installation").
b. Open a web browser window, access "https://DDEIIPADDRESS/hidden/rdqa.php", and log in using a valid account and password.
   NOTE: Replace "DDEIIPADDRESS" with the IP address of the computer where Deep Discovery Email Inspector is installed.
c. Go to the "Debug Log Setting" page.
d. Select the checkbox for the "Only collect application logs" option.
e. Click "Save".

NOTE: This feature is disabled by default.

[Hotfix 1300]

Issue: HTML reports do not display any information when users view the detections detail page in Internet Explorer.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution: This hotfix resolves a browser compatibility issue to ensure that HTML reports display complete and accurate information in Internet Explorer.

8. Contact Information
==============================================================================
A license to Trend Micro software usually includes the right to product updates, pattern file updates, and basic technical support for one (1) year from the date of purchase only. After the first year, you must renew Maintenance on an annual basis at Trend Micro's then-current Maintenance fees.

Contact Trend Micro via fax, phone, and email, or visit our website to download evaluation copies of Trend Micro products.

http://www.trendmicro.com/us/about-us/contact/index.html

NOTE: This information is subject to change without notice.

9. About Trend Micro
==============================================================================
Smart, simple, security that fits

As a global leader in IT security, Trend Micro develops innovative security solutions that make the world safe for businesses and consumers to exchange digital information.

Copyright 2017, Trend Micro Incorporated. All rights reserved. Trend Micro, Control Manager, and the t-ball logo are trademarks of Trend Micro Incorporated and are registered in some jurisdictions. All other marks are the trademarks or registered trademarks of their respective companies.

10. License Agreement
==============================================================================
View information about your license agreement with Trend Micro at: http://www.trendmicro.com/us/about-us/legal-policies/license-agreements/

Third-party licensing agreements can be viewed:
- By selecting the "About" option in the application user interface
- By referring to the "Legal" page of the Administrator's Guide