~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Readme for Trend Micro (TM) Vulnerability Protection Agent 2.0
Service Pack 2 Patch 7

Platforms supported:
   - Microsoft(TM) Windows(TM) Server 2016 (64-bit)
   - Windows Server 2012 (64-bit)
   - Windows Server 2012 R2 (64-bit)
   - Windows 10 (32-bit and 64-bit)
   - Windows 8.1 (32-bit and 64-bit)
   - Windows 8 (32-bit and 64-bit)
   - Windows 7 (32-bit and 64-bit)
   - Windows Server 2008 R2 Service Pack 1 (64-bit)
   - Windows Server 2008 (32-bit and 64-bit)
   - Windows Vista(TM) (32-bit and 64-bit)
   - Windows Server 2003 Service Pack 1 (32-bit and 64-bit) patched
     with Windows Server 2003 Scalable Networking Pack
   - Windows Server 2003 Service Pack 2 (32-bit and 64-bit)
   - Windows Server 2003 R2 Service Pack 2 (32-bit and 64-bit)
   - Windows XP (32-bit and 64-bit)

Platforms not supported:
   - Windows Server 2008 and 2012 Core
   - Microsoft Virtual Server 2005 R2 Service Pack 1

Supported platforms for Vulnerability Protection Agent with the relay
feature:
   - Windows 10 (64-bit)
   - Windows 8.1 (64-bit)
   - Windows 8 (64-bit)
   - Windows 7 (64-bit)
   - Windows Server 2016 (64-bit)
   - Windows Server 2012 (64-bit)
   - Windows Server 2012 R2 (64-bit)
   - Windows Server 2008 R2 Service Pack 1 (64-bit)
   - Windows Server 2008 (64-bit)
   - Windows Vista (64-bit)
   - Windows Server 2003 Service Pack 1 (64-bit) patched with
     Windows Server 2003 Scalable Networking Pack
   - Windows Server 2003 Service Pack 2 (64-bit)
   - Windows Server 2003 R2 Service Pack 2 (64-bit)

Date:          July 11, 2019
Release:       2.0 Service Pack 2 Patch 7
Build Version: 2.0.3.8904
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This product is subject to the terms detailed in the license agreement
and copied to the install directory.
For more information about the Trend Micro suite of Vulnerability
Protection products, visit our website at:

http://us.trendmicro.com/us/solutions/enterprise/security-solutions/virtualization/deep-security/

Download the latest version of this readme from the "Software" page
at the Trend Micro Download Center website:

http://downloadcenter.trendmicro.com/

Trend Micro is always seeking to improve its documentation. If you
have questions, comments, or suggestions about this or any Trend Micro
documents, please contact us at docs@trendmicro.com. Your feedback is
always welcome.

Contents
===================================================================
   1. About Vulnerability Protection 2.0 Service Pack 2 Patch 7
      1.1 Overview of This Release
      1.2 Who Should Install This Release
   2. What's New
      2.1 Enhancements
      2.2 Resolved Known Issues
   3. Documentation Set
   4. System Requirements
   5. Known Incompatibilities
   6. Known Issues in Vulnerability Protection Agent 2.0 Service Pack 2
      Patch 7
   7. Release History
   8. Files Included in This Release
   9. Contact Information
   10. About Trend Micro
   11. License Agreement
   12. Third Party Software
===================================================================

1. About Vulnerability Protection 2.0 Service Pack 2 Patch 7
========================================================================

   1.1 Overview of This Release
   =====================================================================
   Vulnerability Protection 2.0 Service Pack 2 Patch 7 contains
   solutions to several issues and new feature enhancements. Refer to
   "What's New" for more information.

   1.2 Who Should Install This Release
   =====================================================================
   You should install this release if you are currently running the
   following versions of Vulnerability Protection or are installing
   Vulnerability Protection for the first time:

   - 2.0 Service Pack 2
   - 2.0 Service Pack 2 Patch 1
   - 2.0 Service Pack 2 Patch 2
   - 2.0 Service Pack 2 Patch 3
   - 2.0 Service Pack 2 Patch 4
   - 2.0 Service Pack 2 Patch 5
   - 2.0 Service Pack 2 Patch 6

2. What's New
========================================================================
This release includes the following enhancements and resolves the
following known issues:

   2.1 Enhancements
   =====================================================================
   The following enhancements are included in this patch:

   Enhancement 1: [DSSEG-2770]
      The Vulnerability Protection Agent installer no longer installs
      all feature modules when the module plug-in files are located in
      the same folder as the installer. The required plug-in files are
      downloaded from a Relay when a policy is applied to a protected
      computer.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Enhancement 2: [DSSEG-773]
      The version of OpenSSL used by the Vulnerability Protection Agent
      and Vulnerability Protection Relay has been updated to
      openssl-1.0.2o.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

   2.2 Resolved Known Issues
   =====================================================================
   Vulnerability Protection Agent 2.0 Service Pack 2 Patch 7 resolves
   the following issues:

   Issue 1: [DSSEG-3337]
      The Network Filter Driver lacked error handling for some cases
      when memory allocation failed. This sometimes resulted in a
      system crash, especially when the system memory was exhausted.

   Solution 1: This issue has been resolved in this release.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Issue 2: [DSSEG-3332/VP-669/SEG-41367]
      Due to a side effect from a previous fix, the Network Filter
      Driver would pass packets through a broadband wireless
      interface.

   Solution 2: This issue has been resolved in this release.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Issue 3: [DSSEG-2737/SEG-34502]
      When a TCP connection was established with the same tuples as a
      previously tracked one, the network engine could set the
      connection track to an incorrect status. This sometimes happened
      on a busy server where rapid connections reused a recycled
      connection. The network engine treated it as an "Out of
      connection" error and dropped the packet.

   Solution 3: This issue is fixed in this release.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Issue 4: [DSSEG-2861/SEG-36443/00131713/SEG-36443]
      The Vulnerability Protection Agent was affected by a
      vulnerability related to renegotiation within SSL/TLS protocols.

   Solution 4: This issue is fixed in this release.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Issue 5: [DSSEG-3478/VP-670/SEG-44652]
      Vulnerability Protection Agent could reach high CPU usage when
      handling Windows registry keys.

   Solution 5: This issue is fixed in this release.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Issue 6: [DSSEG-3510/SEG-39711/SF01397109]
      Vulnerability Protection Agent's Intrusion Prevention module
      silently dropped zero payload UDP packets.

   Solution 6: The issue is fixed in this release.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Issue 7: [DSSEG-3582/VP-672/SEG-47257]
      The Tbimdsa driver crashed due to an invalid IPv6 header.

   Solution 7: The issue is fixed in this release.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

3. Documentation Set
========================================================================
To download or view electronic versions of the documentation set for
this product, go to
http://docs.trendmicro.com/en-us/enterprise/vulnerability-protection.aspx

In addition to this Readme file, the documentation set for this
product includes the following:

   - Online Help: The Online Help contains an overview of features and
     key concepts, and information on configuring and maintaining
     Vulnerability Protection Agent.

     To access the Online Help, go to http://docs.trendmicro.com

   - Installation Guide (IG): The Installation Guide contains
     information on requirements and procedures for installing and
     deploying Vulnerability Protection Agent.

   - Administrator's Guide (AG): The Administrator's Guide contains an
     overview of features and key concepts, and information on
     configuring and maintaining Vulnerability Protection Agent.

4. System Requirements
========================================================================
For a complete list of the system requirements, please refer to the
Vulnerability Protection 2.0 Service Pack 2 Patch 7 Installation
Guide.

5. Known Incompatibilities
========================================================================
   - Resonate Load Balancer (5.0.1)
     Vulnerability Protection Agents Affected: All
     Issue: Environments may experience a loss of Resonate
     functionality when both the Resonate load balancing software and
     the Vulnerability Protection Agent are installed.
     Resolution: Restart the Resonate Central Dispatch Controller
     services.

   - Realtek RTL8169/8110 Family Gigabit Ethernet NIC
     Vulnerability Protection Agents Affected: All
     Issue: Issues have been noted when using Version 5.663.1212.2006
     of the Realtek Gigabit Ethernet NIC.
     Resolution: Upgrade the driver to the latest version.

   - Intel(R) PRO/100+ Dual Port Server Adapter
     Vulnerability Protection Agents Affected: All
     Issue: Issues have been noted when using Intel NIC cards with
     driver versions lower than 8.0.17.0.
     Resolution: Upgrade the driver to version 8.0.19 or later.

   - Microsoft Network Load Balancer (MS-NLB)
     Vulnerability Protection Agents Affected: All
     Issue: Issues have been noted when using Microsoft Network Load
     Balancer (MS-NLB).
     Resolution: MS-NLB is incompatible with Vulnerability Protection
     Agent and there is currently no available solution for this
     incompatibility.

   - Wireshark
     Vulnerability Protection Agents Affected: All agents on endpoints
     installed with Windows Vista, 7, 2008 and 2008 R2.
     Issue: When monitoring packets using Wireshark, outgoing packets
     are incorrectly labeled as passing through the NdisFilterRecv
     packet, which is the path for incoming packets.
     Resolution: Use Microsoft Network Monitor instead of Wireshark to
     capture packets.

   - Trend Micro Intrusion Defense Firewall
     Vulnerability Protection Agents Affected: All
     Issue: Issues have been noted when Trend Micro Intrusion Defense
     Firewall client is already installed.
     Resolution: Intrusion Defense Firewall is incompatible with
     Vulnerability Protection Agent. Consider migrating IDF agents to
     Vulnerability Protection Manager. Request details from your
     support provider about the Trend Micro Intrusion Defense Firewall
     Migration Tool.

6. Known Issues in Vulnerability Protection Agent 2.0 Service Pack 2
   Patch 7
========================================================================
   - Vulnerability Protection does not support Code Integrity checking
     on agent endpoints running Windows 10 (32-bit or 64-bit
     platforms). Enabling Code Integrity checking on endpoints running
     Windows 10 with Vulnerability Protection Agent installed will
     cause BSOD.

   - The Vulnerability Protection Agent service may stop unexpectedly
     after users upgrade to Windows 10.
     As a workaround, Trend Micro recommends setting the default
     timeout value for the service manager to 60 seconds.

     Important: Follow these steps carefully. Incorrectly editing the
     registry may severely damage your system. Before making changes,
     back up the registry.

     a. Click "Start", and then click "Run".
     b. In the "Open" box, type "regedit".
     c. Locate and then click the following tree:
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
     d. Locate or add the "ServicesPipeTimeout" value. To add this
        entry:
        i.  Click "Edit" > "New" > "DWORD Value".
        ii. Type "ServicesPipeTimeout", and then press "Enter".
     e. Right-click "ServicesPipeTimeout", and then click "Modify".
     f. Click "Decimal", type "60000", and then click "OK". This value
        represents the time in milliseconds before the service times
        out.
     g. Restart the endpoint.

   - The Relay feature uses TCP port 4122. When enabling the relay
     feature, make sure that all firewalls in use allow TCP port 4122.
     [22749]

   - The Relay feature is not supported on Windows XP. [17729]

   - Windows Add/Remove Programs or Programs and Features does not
     show the exact version of the Vulnerability Protection Agent.
     Vulnerability Protection Agent uses the version format "..".
     However, Windows only displays the version number using the
     format "..". [21990]

   - When upgrading to Vulnerability Protection Agent 2.0 Service Pack
     2 on Windows 2012, the following error message may appear:

     "Service "Trend Micro Vulnerability Protection Agent" (ds_agent)
     could not be installed. Verify that you have sufficient
     privileges to install system services."

     This may be fixed by running Windows Update troubleshooter. For
     more information, see http://support.microsoft.com/kb/910336.
     [23728]

   - Some security components of a Vulnerability Protection Agent with
     the Relay feature enabled may be removed unexpectedly after an
     update. As a workaround, deploy the security update again.
     [24004]

   - In some cases, a laptop computer has the "Microsoft Virtual Wi-Fi
     Miniport Adapter" option enabled. Such devices, used for creating
     Wi-Fi hotspots (ad hoc networks) through the wireless adapter,
     would enable both the real device for the true wireless
     connection and the "Microsoft Virtual Wi-Fi Miniport Adapter" for
     the ad hoc connections, with the same MAC address. This triggers
     Vulnerability Protection Agent on such laptop computers to
     request an interface update on every heartbeat. [17502]

   - The following system event log appears when you install
     Vulnerability Protection Agent on Windows Vista, Windows 2008, or
     Windows 7:

     "The Trend Micro Vulnerability Protection Agent service is marked
     as an interactive service. However, the system is configured not
     allow interactive services. This service may not function
     properly."

     This is a normal warning on Windows Vista or later. On these
     platforms, Windows does not allow services to interact with the
     user's desktop, so the operating system displays the warning when
     Vulnerability Protection Agent tries to use interactive services.
     This desktop interaction feature is used by the Vulnerability
     Protection Agent to provide the restart notice on pre-Vista
     versions of Windows. The warning message can be safely ignored.

   - On Windows Vista and later, you may sometimes encounter problems
     while upgrading the Vulnerability Protection Agent. The problem
     is related to the timing of the VC RTL assemblies being published
     to WinSxS, but it only seems to cause trouble on Vista or later
     and only if the version of the RTL has not changed. The problem
     is caused by some corrupted Windows components. As a workaround,
     you can either run the Windows System File Checker (sfc.exe) to
     repair the operating system, or install the Microsoft Visual C++
     Redistributable Package from the following URL before restarting
     the upgrade procedure.

     http://www.microsoft.com/download/en/details.aspx?id=26347

     After installing the package from Microsoft, you should restart
     the computer or the upgrade may still be unsuccessful. To recover
     from this, you can install the package, re-run the installer, and
     restart the computer. [Vulnerability Protection 8.0-01044]

   - Intrusion Prevention (DPI) is not supported over SSL connections
     when using IPv6.

   - On Windows XP, you may encounter the following message if you
     attempt to uninstall the Vulnerability Protection Agent through
     the "Add/Remove programs" page while the agent's "Self
     Protection" function is enabled:

     "Fatal Error During Installation."

     This message comes from Windows indicating that the uninstall did
     not proceed because self-protection is enabled. It is not a
     Vulnerability Protection error.

   - If network connectivity is lost for an extended period of time
     during a Vulnerability Protection Agent upgrade, you may need to
     restart the host machine.

   - It is possible that NDIS drivers will stop responding during
     Vulnerability Protection Agent installation or uninstallation if
     they do not properly free packets when requested to unbind.
     Vulnerability Protection Agent with NDIS 5.1 or NDIS 6.0 driver
     can free all packets correctly before upgrading or uninstalling.
     However, when installing or uninstalling NDIS drivers, Microsoft
     requires that all NDIS drivers be unbound and then rebound. This
     means that if other third-party NDIS drivers do not properly free
     packets, it is still possible for the Vulnerability Protection
     Agent install, upgrade, or uninstall process to stop responding.
     This is beyond Trend Micro's control and it happens rarely. If
     this does occur, you can restart the computer and try to install,
     uninstall, or upgrade Vulnerability Protection Agent again.

   - When the network engine is working in TAP mode and the in-guest
     Agent is offline, the Vulnerability Protection Virtual Appliance
     status will display "Stand By".
     However, the Vulnerability Protection Virtual Appliance is
     actually online and IP/FW event logs are still generated as rules
     are triggered. [10948]

   - On Windows 10 platforms, if users have installed and uninstalled
     an older Agent version (2.0 Service Pack 1 Patch 1 or 2.0 Service
     Pack 2) with the Network Filter driver, and then install a newer
     Agent version and enable the Firewall/IPS module, the Trend Micro
     LightWeight Filter Driver will not bind to the interface. This
     will prevent the Firewall/IPS function from working properly. To
     work around this issue, manually enable the Trend Micro
     LightWeight Filter Driver from the interface properties page or
     reinstall the Agent.

7. Release History
========================================================================
For more information about updates to this product, go to:
http://www.trendmicro.com/download

Previous releases include the following:

   - Vulnerability Protection Agent 2.0 Service Pack 2 Patch 6
     (Build 2.0.3.8587), October 9, 2019
   - Vulnerability Protection Agent 2.0 Service Pack 2 Patch 5
     (Build 2.0.3.8288), March 22, 2018
   - Vulnerability Protection Agent 2.0 Service Pack 2 Patch 4
     (Build 2.0.3.8065), September 8, 2017
   - Vulnerability Protection Agent 2.0 Service Pack 2 Patch 3
     (Build 2.0.3.7690), February 24, 2017
   - Vulnerability Protection Agent 2.0 Service Pack 2 Patch 2
     (Build 2.0.3.7256), September 09, 2016
   - Vulnerability Protection Agent 2.0 Service Pack 2 Patch 1
     (Build 2.0.3.6400), May 06, 2016
   - Vulnerability Protection Agent 2.0 Service Pack 2
     (Build 2.0.3.1308), September 1, 2015
   - Vulnerability Protection Agent 2.0 Service Pack 1
     (Build 2.0.2.2409), December 30, 2014
   - Vulnerability Protection Agent 2.0
     (Build 2.0.0.3057), April 29, 2014

   7.1 Vulnerability Protection Agent 2.0.0.3057
   =====================================================================

   7.1.1 Enhancements
   =====================================================================
   - Helps achieve timely protection against known and
     zero-day attacks
   - Uses vulnerability rules to shield a known vulnerability from an
     unlimited number of exploits

   7.2 Vulnerability Protection Agent 2.0.2.2409
   =====================================================================

   7.2.1 Enhancements
   =====================================================================
   Vulnerability Protection 2.0 SP1 contains a number of bug fixes as
   well as new feature enhancements. For a complete list of the major
   changes in Vulnerability Protection 2.0 SP1, please see the "What's
   New in Vulnerability Protection 2.0 SP1" section of the online help
   or the Administrator's Guide, available for download from the Trend
   Micro Download Center.

   7.3 Vulnerability Protection Agent 2.0.3.1308
   =====================================================================

   7.3.1 Enhancements
   =====================================================================
   Smarter, lightweight Agent
   - Lightweight installer
   - Selective deployment of Protection Modules to Agents based on
     Security Policy requirements results in a smaller Agent footprint
   - Support for Windows Action Center

   Improvements related to Software Update
   - Addition of Vulnerability Protection Relay for Modules deployment

   7.3.2 Resolved Known Issues
   =====================================================================
   Vulnerability Protection 2.0 Service Pack 2 (SP2) contains a number
   of bug fixes. For a complete list of the major changes in
   Vulnerability Protection 2.0 SP2, see "Major New Features in VP 2.0
   SP2" of the Vulnerability Protection 2.0 SP2 Support Training for
   Internal BETA, available for download from Internalftp2.

   7.4 Vulnerability Protection Agent 2.0.3.6400
   =====================================================================

   7.4.1 Enhancements
   =====================================================================
   Enhancement 1:
      Vulnerability Protection Agent has been enhanced to log "Agent
      Self-Protection Enabled" or "Agent Self-Protection Disabled"
      events under System Events when the Agent Self-Protection
      settings are modified in the Vulnerability Protection Manager
      console (in the Computer > Settings > Agent Self-Protection
      section), or using the dsa_control command-line utility.

   7.4.2 Resolved Known Issues
   =====================================================================
   Issue 1: [TT329913]
      In rare cases, when users configure the network engine driver
      and the system memory is low, the driver may encounter a NULL
      memory because the memory descriptor list (MDL) is not allocated
      correctly. This triggers BSOD.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 1: This patch enables the driver to handle the NULL memory
      issue properly to prevent BSOD.

   Issue 2: [DSSEG-53]
      The Vulnerability Protection Agent would crash due to accessing
      an invalid memory address on Agent event writing. The issue
      would occur if the Vulnerability Protection Agent needs to
      reboot Windows to update the VPA drivers.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 2: This issue has been fixed.

   Issue 3: [DSSEG-85]
      The NIC teaming features used in Windows 2012 R2 lead to
      duplicate or triplicate packets. If the Windows NIC teaming sets
      the NIC to promiscuous mode and the related port in the switch
      is set to trunk mode, the NICs would receive duplicate packets.
      A blue screen error occurs due to a race condition in the
      Vulnerability Protection Filter Driver when these duplicate or
      triplicate packets are handled in separate threads, and one of
      the threads is touching functions that had not been initialized
      by the other thread.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 3: This condition has been fixed.

   Issue 4: [DSSEG-176]
      During the installation or service restart of the Vulnerability
      Protection Agent, the Windows Firewall (ICS: Internet Connection
      Sharing) may cause a network disconnection issue.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 4: This issue is fixed in this patch.

   Issue 5: [TT332353/DSSEG-76]
      When a configuration is updated, the Vulnerability Protection
      Agent sends a heartbeat containing the current information to
      the Vulnerability Protection Manager. There was an issue where
      the local interface information did not match the security
      configuration information, even when the Vulnerability
      Protection Manager updated the configuration repeatedly. As a
      result, "Events Retrieved" and "Policy Sent" events were
      recorded under the System Events tab for every heartbeat.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 5: This issue has been fixed in this patch.

   Issue 6: [741]
      In certain circumstances, when a remote session logged off, the
      Vulnerability Protection Agent service would be stopped because
      it received a shutdown event.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 6: This issue is fixed in this release.

   Issue 7: [520/743]
      When the number of TCP connections in a network exceeds the
      maximum number, a race condition occurs and triggers the
      Vulnerability Protection Agent computer to restart unexpectedly.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 7: This release helps to prevent the race condition so the
      Vulnerability Protection Agent can run normally under this
      scenario.

   7.5 Vulnerability Protection Agent 2.0.3.7256
   =====================================================================

   7.5.1 Enhancements
   =====================================================================
   There are no enhancements for this release.

   7.5.2 Resolved Known Issues
   =====================================================================
   Issue 1: [TT341349/DSSEG-318]
      A blue screen of death (BSOD) with a Microsoft Windows error
      message may appear when the Vulnerability Protection Filter
      Driver (tbimdsa) receives IP fragments that are not in the
      correct format.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 1: This patch enables Vulnerability Protection Agent to
      handle these IP fragments to resolve the issue.

   Issue 2: [DSSEG-328]
      You can configure Vulnerability Protection Agents to forward
      events from specific protection module logs to a syslog server
      (in the computer editor, under Settings > SIEM). Under some
      circumstances, when the syslog server log forwarding process was
      set up, it failed to forward syslog entries and the Firewall and
      Intrusion Prevention modules stopped working correctly.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 2: This issue has been fixed.

   Issue 3: [TT-346126/DSSEG-332]
      Intrusion Prevention Rule compilation sometimes failed because
      the time-out value for its compilation was set to one minute.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 3: The compilation time-out is extended to three minutes
      and the event message will show the error without any other note
      messages.

   Issue 4: [DSSEG-338]
      When there are many application types assigned to monitor the
      same port, there is a chance that some of those connections
      won't be monitored due to an internal defect.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 4: This issue has been fixed.

   Issue 5: [DSSEG-235]
      On Windows machines, if a Vulnerability Protection Relay was
      being installed and downloaded the Security Updates, instead of
      downloading the incremental updates, it downloaded full updates.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 5: This issue has been fixed.

   Issue 6: [DSSEG-293]
      There is a known issue when remotely upgrading (from the
      Vulnerability Protection Manager console) Vulnerability
      Protection Agents on Windows Vista and Windows 2008 platforms,
      due to Microsoft's CRT (C Run-time Library) being removed and
      then failing to be reinstalled.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 6: MS VC++ SP1 Redistributable libraries have been added
      to the Vulnerability Protection Agent package, which resolves
      this known issue.

   Issue 7: [DSSEG-246]
      Vulnerability Protection Agent required an upgrade to the
      OpenSSL protocol toolkit.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 7: This release upgraded the Vulnerability Protection
      Agent with OpenSSL version 1.0.2h.

   7.6 Vulnerability Protection Agent 2.0.3.7690
   =====================================================================

   7.6.1 Enhancements
   =====================================================================
   Enhancement 1:
      This Patch enables the Vulnerability Protection Agent to support
      the Windows Server 2016 platform.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Enhancement 2: [DSSEG-530]
      The Vulnerability Protection Agent communication port (4118)
      previously allowed connections using a Triple-DES based cipher
      suite. The Triple-DES based cipher suite was removed from the
      list of acceptable cipher suites and new SHA-256 based cipher
      suites were added.

   7.6.2 Resolved Known Issues
   =====================================================================
   Issue 1: [TT353472/DSSEG-496]
      The Vulnerability Protection Agent registers its firewall status
      to the WAC every 10 minutes. As a result, the WAC may indicate
      that the Vulnerability Protection firewall is off within the
      first 10 minutes after the computer starts even when the
      firewall has started successfully.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 1: This patch sets the WAC registration interval to one
      minute so the WAC can display the correct Vulnerability
      Protection firewall status promptly.

   Issue 2: [TT354541,TT354315/DSSEG-499]
      When system memory is low after saving the configuration, the
      network engine driver may encounter a NULL memory issue that
      results in a blue screen error.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 2: This patch adds system checks to prevent a blue screen
      error when a memory descriptor list (MDL) is not allocated
      correctly by the operating system.

   Issue 3: [DSSEG-485]
      The Vulnerability Protection Relay Web Server port (4122)
      allowed SSL connections using Anonymous and Triple DES cipher
      suites.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 3: These cipher suites have been removed from the set of
      cipher suites allowed to connect to this server.

   Issue 4: [DSSEG-556]
      When the Intrusion Prevention rule "1000128 - HTTP Protocol
      Decoding" is enabled and "Specify raw characters that are not
      allowed in the URI:" is used, when the Vulnerability Protection
      Agent detects an illegal character, the Vulnerability Protection
      Manager will show the illegal character in an Intrusion
      Prevention event. However, the Vulnerability Protection Agent
      sometimes did not report the correct location of the illegal
      character, so it was not displayed correctly in the
      Vulnerability Protection Manager.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 4: This issue is fixed in this patch.

   Issue 5: [DSSEG-258/TT339655/TT340875]
      RFC7627 defines a new hash method to compute the master secret
      for SSL connection; however, Vulnerability Protection didn't
      implement this and the SSL cipher text could not be successfully
      decrypted.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 5: The implementation has been modified to identify
      whether an SSL connection is based on RFC7627 and to compute the
      new hash for cipher-text decryption.

   Issue 6: [DSSEG-538]
      DSRU16-032 introduced a new rule to monitor HTTP traffic. When
      the rule is applied and multiple rules monitor HTTP traffic, one
      particular rule order could mistakenly trigger the 'duplicate
      content len' event.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 6: This issue is fixed in this patch.

   Issue 7: [DSSEG-579/TT354605]
      The Vulnerability Protection NDIS driver (tbimdsa.sys) would
      drop Wireshark loopback packets, resulting in broken network
      connections and invalid flags in the Firewall events.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 7: This issue is fixed in this patch.

   Issue 8: [DSSEG-471]
      Under certain circumstances, the Vulnerability Protection
      Relay-enabled Agent would fail to download any package if it
      encountered one failure. In this case, the Agent error log
      showed "easy handle already used in multi handle".
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 8: This is now fixed. The Relay-enabled Agent will
      continue to download other packages even if one fails.

   Issue 9: [DSSEG-468]
      The IPS engine could sometimes cause a system error displayed on
      a blue screen when there was a certain rule combination and
      traffic pattern.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 9: This issue has been fixed.

   Issue 10: [DSSEG-454]
      An OpenSSL minor version upgrade was required to patch
      low-impact vulnerabilities such as CVE-2016-6305, CVE-2016-2182
      and CVE-2016-6304.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 10: OpenSSL 1.0.2h is upgraded to 1.0.2j.

   Issue 11: [DSSEG-492]
      When Vulnerability Protection Manager is installed using an IPv6
      address and the co-located relay option is selected on the
      Windows platform, the module/feature installation fails because
      the libcurl.dll library doesn't support IPv6.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 11: This issue is fixed in this patch.

   7.7 Vulnerability Protection Agent 2.0.3.8065
   =====================================================================

   7.7.1 Enhancements
   =====================================================================
   Enhancement 1: [DSSEG-873/SEG-3838]
      By default, Vulnerability Protection agents send Ping requests
      to a domain controller (DC) every 10 seconds for the Contexts
      function. This patch allows users to set agents not to send Ping
      requests to domain controllers if the Contexts function is not
      used.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Note: This enhancement requires users to upgrade Vulnerability
      Protection Manager to version 2.0 SP2 Patch 4 Build 2.0.8367 or
      later to set agents not to send Ping requests to domain
      controllers.

   Enhancement 2: [DSSEG-577/SEG-527/351879]
      The Vulnerability Protection Agent did not securely generate the
      SSL Master Secret when the "Client key exchange" and
      "Certificate verify" handshake records were both in one packet.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 2: This issue is fixed in this patch.

   Enhancement 3: [DSSEG-928]
      When a user had privileges to add specific keys to the Windows
      registry, the user was able to inject code to control the
      Vulnerability Protection Agent.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 3: This release enhances agent self-protection to prevent
specific keys from being injected.

7.7.2 Resolved Known Issues
=====================================================================

Issue 1: [DSSEG-1030/SEG-5945]
When a packet with an incorrect header is received, the system
generates an event and calculates the length of the packet payload
based on the incorrect header. This may cause an access violation if
the payload length is beyond the accessible data range.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 1: This patch ensures that the system uses the actual payload
length of a packet instead of a length calculated from an incorrect
packet header.

Issue 2: [DSSEG-741/SEG-744/SEG-562/SEG-8184]
On a Large Send Offload (LSO) network, multiple "Invalid IP Datagram
Length" firewall events may occur due to incorrect IP datagram length
calculation by the firewall driver in the LSO environment.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 2: This issue is fixed in this patch.

Issue 3: [DSSEG-1167/SEG-8504]
A race condition when the ds_agent kernel module was handling TCP
connections caused an error displayed on a blue screen.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 3: The issue is fixed in this patch.

Issue 4: [DSSEG-921/SEG-4381/SF00259026]
After Vulnerability Protection Agent had been running on a web server
for a long time, it would interrupt HTTPS traffic.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 4: This issue is fixed in this patch.

Issue 5: [DSSEG-762/SEG-1716]
The Vulnerability Protection Agent created temporary files in the temp
directory but these files were not removed after use, which resulted
in inodes filling up.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 5: This issue is fixed in this patch.

Issue 6: [DSSEG-756/SEG-370]
The Vulnerability Protection firewall/intrusion prevention driver
sometimes did not bind to a specific Network Interface Controller
(NIC). When the Vulnerability Protection Agent took it as
StandbyAdapter, it would cause a Vulnerability Protection Agent
exception during initialization and fail to generate the
firewall/intrusion prevention driver configuration file.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 6: The issue is fixed in this patch.

Issue 7: [DSSEG-386]
The ds_agent process sometimes terminated unexpectedly during the
installation of new plugins.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 7: The ds_agent shutdown sequence was adjusted to prevent
this failure.

Issue 8: [DSSEG-717]
Vulnerability Protection Agent should allow you to enable the Windows
Firewall by creating a ds_agent.ini file that contains:

    dsp.fwdpi.disableNativeFirewall=false

This setting did not work.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 8: This issue is fixed in this patch.

Issue 9: [DSSEG-222]
In certain situations, if an Intrusion Prevention event was already
sent to the Vulnerability Protection Manager, then restarting the
Vulnerability Protection Agent service would send the event to the
Vulnerability Protection Manager again, causing duplicate events to
appear in the Vulnerability Protection Manager console on the
Intrusion Prevention Events page.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 9: This issue is fixed in this patch.

7.8 Vulnerability Protection Agent 2.0.3.8288
=====================================================================

7.8.1 Enhancements
=====================================================================

There are no enhancements for this release.

7.8.2 Resolved Known Issues
=====================================================================

Issue 1: [DSSEG-1250/SEG-10957]
A stop error may occur on Windows servers in an IPv6 environment with
VLAN tagging.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 1: This issue is fixed in this patch.

Issue 2: [DSSEG-1694/SEG-10127]
When event logs are aggregated, the MAC address for an aggregated
event may be incorrect.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 2: This issue is fixed in this patch.

Issue 3: [DSSEG-1369/SEG-11821]
The Vulnerability Protection Agent may not be able to complete an SSL
handshake when the agent connects to Vulnerability Protection Manager
using a proxy.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 3: This issue is fixed in this patch.

Issue 4: [DSSEG-1348]
When the Vulnerability Protection Agent lightweight filter driver
(tbimdsa.sys) is installed in a Windows environment where NIC teaming
is set to LACP mode, the "Microsoft Network Adapter Multiplexor
Driver" device is changed to the "Network cable unplugged" state.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 4: This issue is fixed in this patch.

Issue 5: [DSSEG-1507]
A brief network disconnection occurs when installing the Trend Micro
Lightweight Filter Driver.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 5: On Windows 2012 R2 or later, network connection is still
available even when a filter is hooked or unhooked during
installation. To perform a product upgrade, a system reboot is
required to enable FilterRunType transition for the Filter Driver.

7.9 Vulnerability Protection Agent 2.0.3.8587
=====================================================================

7.9.1 Enhancements
=====================================================================

There are no enhancements in this patch.

7.9.2 Resolved Known Issues
=====================================================================

Vulnerability Protection Agent 2.0 Service Pack 2 Patch 6 resolves the
following issues:

Issue 1: [SEG-32775/DSSEG-2587/VP-659]
When the firewall feature is enabled, Vulnerability Protection Agent
is not registered to Windows Security Center in Windows 10 version
1803 (April 2018 Update). This results in incorrect firewall status in
Windows Security Center and Windows Defender Security Center.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 1: This issue is fixed in this patch.

8. Files Included in This Release
========================================================================

This release is a complete installation. Use one of the following
files to install this release:

- 64-bit: VPAgent-Windows-2.0.3-8904.x86_64.zip
- 32-bit: VPAgent-Windows-2.0.3-8904.i386.zip

9. Contact Information
========================================================================

A license to Trend Micro software usually includes the right to
product updates, pattern file updates, and basic technical support for
one (1) year from the date of purchase only. After the first year, you
must renew Maintenance on an annual basis at Trend Micro's
then-current Maintenance fees.

Contact Trend Micro via fax, phone, and email, or visit our website to
download evaluation copies of Trend Micro products.

http://www.trendmicro.com/us/about-us/contact/index.html

NOTE: This information is subject to change without notice.

10. About Trend Micro
========================================================================

Smart, simple, security that fits

As a global leader in IT security, Trend Micro develops innovative
security solutions that make the world safe for businesses and
consumers to exchange digital information.

Copyright 2019, Trend Micro Incorporated. All rights reserved.
Trend Micro and the t-ball logo are trademarks of Trend Micro
Incorporated and are registered in some jurisdictions. All other marks
are the trademarks or registered trademarks of their respective
companies.

11. License Agreement
========================================================================

View information about your license agreement with Trend Micro at:

http://www.trendmicro.com/us/about-us/legal-policies/license-agreements/

Third-party licensing agreements can be viewed:

- By selecting the "About" option in the application user interface
- By referring to the "Legal" page of the Administrator's Guide

12. Third-Party Software
========================================================================

Vulnerability Protection employs the use of 3rd party binary
distributions. The binary distributions are subject to the licenses
available in the following directory:

[Install Directory]\licenses

Where 3rd party licenses require open access to their source code,
Trend Micro will provide the necessary materials upon written request.

========================================================================
(C) 2019 Trend Micro Inc. All rights reserved.