Trend Micro Incorporated                                December 14th, 2022

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Trend Micro(TM) Deep Discovery Director 5.3 - GM
English - Linux - 64 Bits
Patch2 - Build 1261
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTICE: This Readme file was current as of the date above. However, all
customers are advised to check Trend Micro's website for documentation
updates.

GM release documentation:
http://docs.trendmicro.com

Patch/SP release documentation:
http://www.trendmicro.com/download

TIP: Register online with Trend Micro within 30 days of installation to
continue downloading new pattern files and product updates from the
Trend Micro website. Register during installation or online at:
https://clp.trendmicro.com/FullRegistration?T=TM

Contents
================================================================
1. Patch Release Information
   1.1. Resolved Known Issues
   1.2. Enhancements
   1.3. Files Included in This Release
2. Documentation Set
3. System Requirements
4. Installation
   4.1. Installing
   4.2. Uninstalling
5. Post-installation Configuration
6. Known Issues
7. Release History
8. Contact Information
9. About Trend Micro
10. License Agreement
================================================================

1. Patch Release Information
========================================================================

   1.1. Resolved Known Issues
   ====================================================================

   This Patch resolves the following issue(s):

   Issue 1: When combining some Active Directory account information,
   the combined data may exceed length limitations, causing Deep
   Discovery Director to fail to store the account data. Deep Discovery
   Director is unable to locate the Active Directory account and
   rejects login attempts by the account.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 1: The patch updates the data processing schema to prevent
   account data from exceeding the length limitation.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Procedure 1: After applying the fix, log on to the Deep Discovery
   Director web console with a local administrator account. Go to
   Administration > Integrated Products/Services > LDAP and click the
   Sync All button to update user data with the new data schema.

   1.2. Enhancements
   ====================================================================

   The following enhancements are included in this Patch:

   Enhancement 1: The patch adds the Recurring Plans feature, allowing
   users to run configuration replication plans regularly to sync Deep
   Discovery Email Inspector configurations.

   1.3. Files Included in This Release
   ====================================================================

   There are no files included in this Patch release.

2. Documentation Set
========================================================================

To download or view electronic versions of the documentation set for
this product, go to http://docs.trendmicro.com

- Online Help: The Online Help contains an overview of features and key
  concepts, and information on configuring and maintaining the product.
  To access the Online Help, go to http://docs.trendmicro.com

- Installation Guide (IG): The Installation Guide contains information
  on requirements and procedures for installing and deploying the
  product.

- Administrator's Guide (AG): The Administrator's Guide contains an
  overview of features and key concepts, and information on configuring
  and maintaining the product.

- Getting Started Guide (GSG): The Getting Started Guide contains
  product overview, installation planning, installation and
  configuration instructions, and basic information intended to get the
  product 'up and running'.
- Support Portal: The Support Portal contains information on
  troubleshooting and resolving known issues. To access the Support
  Portal, go to http://success.trendmicro.com

3. System Requirements
========================================================================

1. Deep Discovery Director 5.3 GM Build 1130 - English - Linux - x64
2. Deep Discovery Director 5.3 GM Critical Patch Build 1228 - English -
   Linux - x64

4. Installation
========================================================================

This section explains key steps for installing the Patch.

   4.1. Installing
   ====================================================================

   To install:

   1. Open the Deep Discovery Director management console.
   2. Go to "Administration > Updates" and click the "Hotfixes/Patches"
      tab.
   3. Click "Select File..." and then select the Patch file from the
      folder where you downloaded the files.
   4. Click "Upload" to upload the Patch file.
   5. Click "Install", and then click "OK" when a confirmation message
      appears.
   6. Clear the browser cache.

   4.2. Uninstalling
   ====================================================================

   To roll back to the previous build:

   1. Open the Deep Discovery Director management console.
   2. Go to "Administration > Updates" and click the "Hotfixes/Patches"
      tab.
   3. Click the "Roll Back" button, and then click "OK" when a
      confirmation message appears.

5. Post-installation Configuration
========================================================================

No post-installation steps are required.

6. Known Issues
========================================================================

Known issues in this release:

#1 Known issue: [Reported at: DDD 5.0.0 GM - Patch 1 B2069]
Deep Discovery Director is unable to function correctly if the system
is installed with multiple network adapters and if VMXNET is configured
as the first adapter. Trend Micro recommends using a single network
driver for all network interfaces.
#2 Known issue: [Reported at: DDD 5.0.0 GM - Patch 1 B2069]
Deep Discovery Director does not support the VMXNET 2 (Enhanced)
network adapter.

#3 Known issue: [Reported at: DDD 5.0.0 GM - Patch 1 B2069]
Active Directory accounts without a User Principal Name (UPN) cannot be
used to access the management console.

#4 Known issue: [Reported at: DDD 5.0.0 GM - Patch 1 B2069]
Deep Discovery Director only supports certificates with the following
attributes:
  * The file format is PEM.
  * The certificate and the private key are in the same file.
  * The private key uses the RSA algorithm and is not
    password-encrypted.
  * The certificate digest uses SHA-256 or higher.
  * A certificate chain is not used.

#5 Known issue: [Reported at: DDD 5.0.0 GM - Patch 1 B2069]
Deep Discovery Director is unable to connect to a global NTP server when
proxy settings are configured. Use a local NTP server instead.

#6 Known issue: [Reported at: DDD 5.0.0 GM - Patch 1 B2069]
The status of plans that were "pending" or "in progress" at the time of
a backup, but that have been completed successfully while restoring the
backup, may display as "unsuccessful" after the backup is restored and
Deep Discovery Director receives plan status updates from appliances.

#7 Known issue: [Reported at: DDD 5.0.0 GM - Patch 1 B2069]
Microsoft Internet Explorer is unable to connect to Deep Discovery
Director because SHA512 is disabled in Windows. Apply the Microsoft
Windows update to enable the signature and hash algorithm combination
for RSA\SHA512 for the Transport Layer Security (TLS) 1.2 protocol. For
details, see https://support.microsoft.com/en-us/kb/2973337.

#8 Known issue: [Reported at: DDD 5.0.0 GM - Patch 1 B2069]
The number of results shown on the "Affected Hosts" screen after
searching for a specific host name, and the number of results shown on
the "Affected Hosts - Host Details" screen after drilling down may
differ because drill downs always use the IP address.
Host names are not unique, and multiple host names may be associated
with one IP address.

#9 Known issue: [Reported at: DDD 5.0.0 GM - Patch 1 B2069]
Virtual Analyzer image files cannot be uploaded to Deep Discovery
Director through shared network folders that are on endpoints that are
located in a different subnet than Deep Discovery Director. Ensure that
Virtual Analyzer image files are in valid shared network folders, or
use SFTP to upload them.

#10 Known issue: [Reported at: DDD 5.0.0 GM - Patch 1 B2069]
Virtual Analyzer image files cannot be uploaded to Deep Discovery
Director through shared network folders that are on endpoints that use
IPv6 addresses. Ensure that Virtual Analyzer image files are in valid
shared network folders, or use SFTP to upload them.

#11 Known issue: [Reported at: DDD 5.0.0 GM - Patch 1 B2069]
Firefox users may see an internal error screen if an error occurs when
attempting to view the Virtual Analyzer report of a detection. Use
another web browser to navigate the management console.

#12 Known issue: [Reported at: DDD 5.0.0 GM - Patch 1 B2069]
When a system service has to be restarted to recover from an error,
Deep Discovery Director may not be able to recover detection logs that
were corrupted.

#13 Known issue: [Reported at: DDD 5.0.0 GM - Patch 1 B2069]
Folders and appliances cannot be moved in the Directory unless the
user's account role has the "Administrator" permission and the root
"Managed" folder selected.

#14 Known issue: [Reported at: DDD 5.0.0 GM - Patch 1 B2069]
Tooltips that appear near the bottom of the screen may blink
uncontrollably.

#15 Known issue: [Reported at: DDD 5.0.0 GM - Patch 1 B2069]
The file archivers built into Windows and macOS are unable to extract
files with very long file names from archive files generated by Deep
Discovery Director. Use third-party archiving software to extract those
files.
#16 Known issue: [Reported at: DDD 5.0.0 GM - Patch 1 B2069]
Archive Utility built into macOS is unable to extract files from
archive files generated by Deep Discovery Director. Use third-party
archiving software on macOS to extract those files.

#17 Known issue: [Reported at: DDD 5.0.0 GM - Patch 1 B2069]
Internet Explorer is unable to download archive files generated by Deep
Discovery Director. Use another web browser to download those files.

#18 Known issue: [Reported at: DDD 5.0.0 GM - Patch 1 B2069]
Deep Discovery Director is unable to restore configuration settings and
database from backup files that take longer than 5 minutes to upload.

#19 Known issue: [Reported at: DDD 5.0.0 GM - Patch 1 B2069]
Network and email security alerts may contain URLs in the body and the
attached CSV file. Deep Discovery Director processes all URLs and
replaces any "." with "[.]". This is done to prevent accidentally
opening malicious URLs and flagging by antivirus programs on a user's
computer.

#20 Known issue: [Reported at: DDD 5.0.0 GM - Patch 1 B2069]
When you enter two (00) or three (000) digit numbers as keywords to
query MTA logs, the results may include entries where the timestamps
match the keywords.

#21 Known issue: [Reported at: DDD 5.0.0 GM - Patch 1 B2069]
Deep Discovery Director is unable to install a firmware upgrade if free
repository disk space is insufficient. Add extra available disk space
to Deep Discovery Director before installing firmware upgrades.

#22 Known issue: [Reported at: DDD 5.0.0 GM - Patch 1 B2069]
The "File and Network Activity" section of the Deep Discovery Director
generated Virtual Analyzer Report for email message detections will
look different from the Deep Discovery Email Inspector native Virtual
Analyzer Report when the email messages have no-risk attachments. Deep
Discovery Email Inspector does not include the information of no-risk
items in the logs it sends to Deep Discovery Director.
#23 Known issue: [Reported at: DDD 5.0.0 GM - Patch 1 B2069]
Opening the PDF version of Virtual Analyzer Reports in a Chrome web
browser may cause the hyperlinks in the 'Analysis Overview' section to
be not clickable. Use the bookmarks to navigate, or open the PDF file
in a PDF reader or another web browser.

#24 Known issue: [Reported at: DDD 5.0.0 GM - Patch 1 B2069]
Deep Discovery Director only sends trap messages for the status of the
eth0 (management) port, even if multiple network interface cards are
installed and port binding is configured.

#25 Known issue: [Reported at: DDD 5.0.0 GM - Patch 1 B2069]
When the Deep Discovery Director management console becomes
unavailable because the system is powering off, restarting, undergoing
maintenance, or other similar reasons, users that were logged on to the
EUQ console will not be redirected to temporary status screens. A
notification message informing them of the system status will be
displayed instead.

#26 Known issue: [Reported at: DDD 5.0.0 GM - Patch 1 B2069]
Deep Discovery appliances are unable to send their logs to Deep
Discovery Director if Deep Discovery Director and its host machine's
system time are different. Configure Deep Discovery Director and its
host machine to have matching system times and restart Deep Discovery
Director to resolve the issue.

#27 Known issue: [Reported at: DDD 5.0.0 GM - Patch 1 B2069]
FTP active mode causes the client and server IP addresses to be
reversed in the correlation data results. This issue results in Deep
Discovery Director - Network Analytics as a Service identifying the
wrong IP address as the Interested IP.

#28 Known issue: [Reported at: DDD 5.0.0 GM - Patch 1 B2069]
In Deep Discovery Director, you can configure a Synchronized Suspicious
Object (VASO) to never expire. However, maximum data retention for Deep
Discovery Director - Network Analytics as a Service is 180 days. The
report of a VASO that never expires will be deleted after 180 days.
Deep Discovery Director displays a report not found error when a user
tries to open a report of a VASO that never expires and the VASO has
existed for longer than the retention date.

#29 Known issue: [Reported at: DDD 5.0.0 GM - Patch 1 B2069]
Configuration changes will not be reflected on an existing correlation
snapshot. When users want to view correlation events, they click on the
"Correlated Data" icon in Deep Discovery Director to trigger the
generation of the correlation data. In Deep Discovery Director -
Network Analytics as a Service 5.0, a design change was made to save
time for users waiting for the dynamic generation of the correlation
data. In the design change, the correlation snapshot is generated prior
to the user trigger. However, the side effect is that newly added
configurations (such as adding the Trusted Internal Network List or
Domain Exceptions list) won't be reflected in an already existing
correlation snapshot.

#30 Known issue: [Reported at: DDD 5.0.0 GM - Patch 1 B2069]
Deep Discovery Director allows you to add objects that you consider
harmless to the Exceptions list. Deep Discovery Director - Network
Analytics as a Service 5.0 does not consider the Exceptions list when
correlating data.

#31 Known issue: [Reported at: DDD 5.0.0 GM - Patch 1 B2069]
Deep Discovery Director - Network Analytics as a Service is unable to
display the Endpoint Analysis Report status of IPv6 endpoints. Apex
Central currently does not support querying IPv6 endpoints for Endpoint
Analysis Reports.

#32 Known issue: [Reported at: DDD 5.0.0 GM - Patch 1 B2069]
When a document is embedded inside a Word document, there are two SHA-1
hash values associated with the file - the SHA-1 hash value of the
embedded document and the SHA-1 hash value of the parent document. When
Deep Discovery Inspector (ATSE Engine) scans a file with an embedded
document, Deep Discovery Inspector only returns the SHA-1 hash value of
the parent document.
In the Correlation Data screen, the SHA-1 hash value for the embedded
document is displayed as zeros. Additionally, the embedded document
will not be part of correlations.

#33 Known issue: [Reported at: DDD 5.1.0 GM B1198]
Deep Discovery Director 5.1 no longer supports SOCKS4/SOCKS5 protocol
for proxy. The proxy setting will be disabled if SOCKS4 or SOCKS5 was
selected before upgrading to Deep Discovery Director 5.1. Manually
enable the proxy setting after upgrading.

#34 Known issue: [Reported at: DDD 5.1.0 GM B1198]
The number of results shown on the "Email Messages" screen after
searching for a specific subject, and the number of results shown in
the "Top Email Subjects" section of the Email Security report differ
because Deep Discovery Director's search is not case sensitive.

#35 Known issue: [Reported at: DDD 5.1.0 GM B1198]
When viewing Virtual Analyzer Reports, clicking on a link in the
"Notable Threat Characteristics" column of the "MITRE ATT&CK(TM)
Framework Tactics and Techniques" section does not take you to the
"Notable Threat Characteristics" section if the section is collapsed.
Expand the section before clicking on a link in the "Notable Threat
Characteristics" column.

#36 Known issue: [Reported at: DDD 5.1.0 GM B1198]
Deep Discovery Director cannot connect to the Trend Micro Email
Encryption Server when a proxy server that uses Digest or NTLM is
configured to connect to the Internet. Disable proxy settings or
specify a non-Digest/NTLM proxy server to connect to the Internet.

#37 Known issue: [Reported at: DDD 5.1.0 GM B1198]
When viewing PDF files generated by Deep Discovery Director that
contain tables, the header row of a table may be separated from the
data rows if the table appears at the bottom of a page.

#38 Known issue: [Reported at: DDD 5.1.1 Service Pack 1 B1040]
Deep Discovery Director can export user-defined suspicious objects to a
comma-, semicolon-, space-, or tab-separated CSV file for offline
viewing.
Import, however, is only supported from a comma-separated CSV file. Use
a spreadsheet program such as Microsoft Excel to convert
non-comma-separated CSV files before importing.

#39 Known issue: [Reported at: DDD 5.1.1 Service Pack 1 B1040]
The number of events displayed on the Triggered Alerts screen may
differ from the number of records displayed on the Network Detections
or Email Messages screens when drilling down from the Triggered Alerts
screen because the related detection logs were not yet synced to Deep
Discovery Director when the alert was triggered.

#40 Known issue: [Reported at: DDD 5.3.0 GM B1249]
After installing the Deep Discovery Director 5.3 Patch 1 package, Deep
Discovery Director performs an initial data sync with any previously
configured Microsoft Active Directory server. Active Directory accounts
may become temporarily unavailable during the initial data sync
procedure, with only local accounts able to log in.

7. Release History
========================================================================

For more information about updates to this product, go to:
http://www.trendmicro.com/download

   Prior Hotfixes
   ====================================================================

   Only this Patch was tested for this release. Prior hotfixes were
   tested at the time of their release.

   [Hotfix 1258]
   Enhancement 1: The hotfix updates OpenSSL to version 3.0.

   [Hotfix 1254]
   Issue 1: Deep Discovery Director is possibly affected by
   vulnerability CVE-2022-40674.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 1: Patched the CVE-2022-40674 vulnerability by updating the
   affected library.

   [Hotfix 1253]
   Issue 1: Unable to log on to the Deep Discovery Director web console
   using Single Sign-On (SSO).
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 1: Fixed SAML integration for the configured IDP server.

   Issue 2: LDAP server unable to authenticate with certificate.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 2: Fixed the authentication process for LDAP servers with
   certificate.

   Issue 3: Potential CWE-1236 issue when exporting system log CSV
   files.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 3: Enhanced the neutralization/normalization process when
   exporting system log CSV files.

   Issue 4: Insufficient HSTS expiration time may allow for possible
   vulnerable connections while accessing the console.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 4: Extended the HSTS expiration time.

   Issue 5: The system might not produce an error message or a correct
   audit log entry for an unsuccessful LDAP server sync.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 5: Enhanced error handling for unsuccessful LDAP server
   sync.

   [Patch 1249]
   Enhancement 1: Deep Discovery Director now supports integrating and
   connecting with multiple Microsoft Active Directory and OpenLDAP
   servers. The new feature also allows specifying a custom attribute
   and filter settings for LDAP servers.

   [Hotfix 1237]
   Issue 1: Deep Discovery Director is unable to encode Active
   Directory (AD) group names which contain Unicode characters. Users
   belonging to the group may be unable to sign in.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 1: This hotfix adds encoding support for AD group names to
   prevent sign-in issues.

   [Hotfix 1236]
   Issue 1: The EUQ digest treats a user's primary email address and
   alias email address as different users. This results in generating
   separate EUQ digests for the primary and alias email addresses of a
   user. This can cause a user to receive multiple EUQ digests, creating
   noise and making the information unclear.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 1: This hotfix enables Deep Discovery Director to combine
   information for the user's primary and alias email addresses into a
   single EUQ digest which is sent only to the user's primary email
   address.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Procedure 1: N/A

   [Hotfix 1235]
   Issue 1: The system uses a case-sensitive method for comparing email
   addresses mapped to multiple End User Quarantine accounts. This may
   prevent information, such as approved senders lists, from being
   displayed on accounts mapped to the same email address if the email
   address was entered with different letter cases (i.e.,
   abc123@xyz.com vs ABC123@XYZ.COM).
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 1: This hotfix changes the comparison method to no longer
   be case-sensitive to prevent this issue.

   [Hotfix 1234]
   Issue 1: When the detection logs include an IP address that cannot
   retrieve a corresponding country name from the geo database, DDD
   will fail to generate a PDF report.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 1: This hotfix enhances error handling to prevent an error
   in this situation.

   Issue 2: On the directory page, the sync time columns cannot display
   the correct sync time.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 2: This hotfix fixes the issue to display the correct sync
   time.

   Enhancement 1: This hotfix increases the number of trusted manager
   server addresses in SNMP to 32.

   [Hotfix 1232]
   Issue 1: Deep Discovery Director executes the OpenDXL distribute
   frequency outside the configured frequency when the system has
   configured another Auxiliary Product/Services distribute setting.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 1: This Hotfix resolves the OpenDXL distribute frequency
   issue even when the system previously configured another Auxiliary
   Product/Services distribute setting.

8. Contact Information
========================================================================

A license to Trend Micro software usually includes the right to product
updates, pattern file updates, and basic technical support for one (1)
year from the date of purchase only.
After the first year, you must renew Maintenance on an annual basis at
Trend Micro's then-current Maintenance fees.

Contact Trend Micro via fax, phone, and email, or visit our website to
download evaluation copies of Trend Micro products.

https://www.trendmicro.com/en_us/contact.html

NOTE: This information is subject to change without notice.

9. About Trend Micro
========================================================================

Smart, simple, security that fits.

As a global leader in IT security, Trend Micro develops innovative
security solutions that make the world safe for businesses and
consumers to exchange digital information.

Copyright 2022, Trend Micro Incorporated. All rights reserved.

Trend Micro, the t-ball logo, OfficeScan, Trend Micro Security (for
Mac), Control Manager, Trend Micro Apex One, and Trend Micro Apex
Central are trademarks of Trend Micro Incorporated and are registered
in some jurisdictions. All other product or company names may be
trademarks or registered trademarks of their owners.

10. License Agreement
========================================================================

View information about your license agreement with Trend Micro at:
https://www.trendmicro.com/en_us/about/legal.html

Third-party licensing agreements can be viewed:
- By selecting the "About" option in the application user interface
- By referring to the "Legal" page of the Administrator's Guide
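Known issue #4 in section 6 lists five attributes a certificate file must have before Deep Discovery Director accepts it. The following pre-upload checker is an added example, not Trend Micro code: it uses only the Python standard library, reads just the DER fields it needs (the signature AlgorithmIdentifier of the certificate and the key algorithm of a PKCS#8 key), and reports every requirement the file misses. `constructed_sample()` builds constructed test data with the right DER shape (empty certificate and key bodies, not usable for TLS) so the checker can be exercised offline; the OID table and the error strings are this example's own choices.

```python
import base64
import re

# Added example (not Trend Micro code): check a PEM file against the five
# requirements from known issue #4 (PEM, cert + key in one file, unencrypted
# RSA key, SHA-256 or stronger signature digest, no chain).

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.S)
RSA_ENCRYPTION_OID = "1.2.840.113549.1.1.1"

# Certificate signature algorithm OIDs mapped to their digest size in bits.
SIG_ALG_DIGEST_BITS = {
    "1.2.840.113549.1.1.5": 160,   # sha1WithRSAEncryption (too weak)
    "1.2.840.113549.1.1.11": 256,  # sha256WithRSAEncryption
    "1.2.840.113549.1.1.12": 384,  # sha384WithRSAEncryption
    "1.2.840.113549.1.1.13": 512,  # sha512WithRSAEncryption
    "1.2.840.10045.4.1": 160,      # ecdsa-with-SHA1 (too weak)
    "1.2.840.10045.4.3.2": 256,    # ecdsa-with-SHA256
    "1.2.840.10045.4.3.3": 384,    # ecdsa-with-SHA384
    "1.2.840.10045.4.3.4": 512,    # ecdsa-with-SHA512
}


def _read_tlv(buf, pos):
    """Read one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _decode_oid(raw):
    """Decode DER OBJECT IDENTIFIER content bytes to dotted-decimal form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def _oid_after(der, skip_fields):
    """Enter the outer SEQUENCE, skip `skip_fields` elements, then return the OID
    that opens the next SEQUENCE (an AlgorithmIdentifier)."""
    tag, pos, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    for _ in range(skip_fields):
        _, _, pos = _read_tlv(der, pos)
    _, alg_start, _ = _read_tlv(der, pos)
    oid_tag, start, end = _read_tlv(der, alg_start)
    if oid_tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(der[start:end])


def certificate_signature_oid(der):
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    return _oid_after(der, 1)


def pkcs8_key_algorithm_oid(der):
    # PrivateKeyInfo ::= SEQUENCE { version, privateKeyAlgorithm, privateKey }
    return _oid_after(der, 1)


def _der(body):
    return base64.b64decode("".join(body.split()))


def check_pem_bundle(text):
    """Return a list of problems; an empty list means all five requirements are met."""
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        return ["file is not PEM: no -----BEGIN ...----- block found"]
    certs = [body for kind, body in blocks if kind == "CERTIFICATE"]
    keys = [(kind, body) for kind, body in blocks if kind.endswith("PRIVATE KEY")]
    problems = []
    if len(certs) != 1:
        problems.append(f"expected exactly one certificate, found {len(certs)} (chains are not supported)")
    if len(keys) != 1:
        problems.append(f"expected exactly one private key in the same file, found {len(keys)}")
    else:
        kind, body = keys[0]
        if kind == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
            problems.append("private key is password-encrypted")
        elif kind == "PRIVATE KEY" and pkcs8_key_algorithm_oid(_der(body)) != RSA_ENCRYPTION_OID:
            problems.append("private key is not an RSA key")
        elif kind not in ("PRIVATE KEY", "RSA PRIVATE KEY"):
            problems.append(f"private key type '{kind}' is not RSA")
    if certs:
        try:
            oid = certificate_signature_oid(_der(certs[0]))
        except (ValueError, IndexError) as exc:
            return problems + [f"could not parse certificate: {exc}"]
        bits = SIG_ALG_DIGEST_BITS.get(oid)
        if bits is None:
            problems.append(f"unrecognised certificate signature algorithm OID {oid}")
        elif bits < 256:
            problems.append(f"certificate digest is weaker than SHA-256 (OID {oid})")
    return problems


def _seq(content):
    return b"\x30" + bytes([len(content)]) + content


def constructed_sample(sig_oid_hex="2a864886f70d01010b", key_oid_hex="2a864886f70d010101", chain=False):
    """Constructed test data: minimal DER with the shape of a certificate and a
    PKCS#8 key (empty bodies, not usable for TLS) wrapped in PEM."""
    def alg_id(oid_hex):
        oid = bytes.fromhex(oid_hex)
        return _seq(b"\x06" + bytes([len(oid)]) + oid + b"\x05\x00")
    cert = _seq(_seq(b"") + alg_id(sig_oid_hex) + b"\x03\x01\x00")
    key = _seq(b"\x02\x01\x00" + alg_id(key_oid_hex) + b"\x04\x00")
    def pem(kind, der):
        return f"-----BEGIN {kind}-----\n{base64.b64encode(der).decode()}\n-----END {kind}-----\n"
    bundle = pem("CERTIFICATE", cert) + pem("PRIVATE KEY", key)
    return bundle + pem("CERTIFICATE", cert) if chain else bundle


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else constructed_sample()
    print("\n".join(check_pem_bundle(text)) or "OK: file meets the known issue #4 requirements")
```

Run it as `python check_cert.py server.pem` (file name assumed) on the file you intend to upload; with no argument it checks the constructed sample. A traditional `-----BEGIN RSA PRIVATE KEY-----` block is accepted without decoding, since its type is already in the header; a PKCS#8 `-----BEGIN PRIVATE KEY-----` block is decoded to confirm the `rsaEncryption` OID, because that wrapper can hold other key types.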