Trend Micro Incorporated                                March 17th, 2020
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Trend Micro(TM) Deep Discovery Email Inspector 3.1 - GM
English - Linux - 64 Bits
Critical Patch - Build 1227
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTICE: Trend Micro developed this hotfix as a workaround or solution
to a problem reported by customers. As such, this hotfix has received
limited testing and has not been certified as an official product
update. Consequently, THIS HOTFIX IS PROVIDED "AS IS". TREND MICRO
MAKES NO WARRANTY OR PROMISE ABOUT THE OPERATION OR PERFORMANCE OF THIS
HOTFIX NOR DOES TREND MICRO WARRANT THIS HOTFIX AS ERROR FREE. TO THE
FULLEST EXTENT PERMITTED BY LAW, TREND MICRO DISCLAIMS ALL IMPLIED AND
STATUTORY WARRANTIES, INCLUDING BUT NOT LIMITED TO THE IMPLIED
WARRANTIES OF MERCHANTABILITY, NONINFRINGEMENT AND FITNESS FOR A
PARTICULAR PURPOSE.

Contents
================================================================
1. Hotfix Release Information
   1.1 Resolved Known Issues
   1.2 Enhancements
   1.3 Files Included in This Release
2. Documentation Set
3. System Requirements
4. Installation
   4.1 Installing
   4.2 Uninstalling
5. Post-installation Configuration
6. Known Issues
7. Release History
8. Contact Information
9. About Trend Micro
10. License Agreement
================================================================

1. Hotfix Release Information
========================================================================

1.1 Resolved Known Issues
====================================================================
This hotfix resolves the following issue(s):

Issue 1: Deep Discovery Email Inspector may not work normally after
the Advanced Threat Scan Engine (ATSE) is updated.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 1: This critical patch ensures that Deep Discovery Email
Inspector works normally with new ATSE versions.

NOTE: Trend Micro recommends applying this critical patch as soon as
possible to prevent issues with the Deep Discovery Email Inspector
manager service and CMAgent after future ATSE updates.

Issue 2: When administrators use the StartTLS command to establish an
LDAP connection, the first bind runs before the StartTLS command.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 2: This critical patch ensures that all operations run after
the StartTLS command.

1.2 Enhancements
====================================================================
There are no enhancements for this hotfix release.

1.3 Files Included in This Release
====================================================================
There are no files included in this hotfix release.

2. Documentation Set
========================================================================
To download or view electronic versions of the documentation set for
this product, go to http://docs.trendmicro.com

- Online Help: The Online Help contains an overview of features and key
  concepts, and information on configuring and maintaining the product.
  To access the Online Help, go to http://docs.trendmicro.com
- Installation Guide (IG): The Installation Guide contains information
  on requirements and procedures for installing and deploying the
  product.
- Administrator's Guide (AG): The Administrator's Guide contains an
  overview of features and key concepts, and information on configuring
  and maintaining the product.
- Getting Started Guide (GSG): The Getting Started Guide contains
  product overview, installation planning, installation and
  configuration instructions, and basic information intended to get the
  product 'up and running'.
- Support Portal: The Support Portal contains information on
  troubleshooting and resolving known issues.
- To access the Support Portal, go to http://esupport.trendmicro.com

3. System Requirements
========================================================================
1. Trend Micro Deep Discovery Email Inspector 3.1 GM Build 1194 -
   English - Linux - x64

4. Installation
========================================================================
This section explains key steps for installing the hotfix.

4.1 Installing
====================================================================
To install:

1. Click "Administration > Product Updates > Hot Fixes / Patches".
   The "Install Hot Fix / Patch" screen appears.
2. Click "Browse" and select the
   "ddei_31_lx_en_criticalpatch_b1227.7z.tar" critical patch file.
3. Click "Install".
4. Verify that the critical patch has been installed successfully.
   a. Click "Administration > Product Updates > Hot Fixes / Patches".
      In the "History" table, check if the "Build" is "1227" and
      "Description" is "Hot Fix 1227".
   b. Choose the "About" option under "Help".
   c. Verify that the "Hot fix" number on the "About" page is "1227".
5. Clean the web browser cache.

NOTES:
* The program version for the device will NOT change after applying
  this critical patch.
* Deep Discovery Email Inspector 3.1 GM restarts automatically after
  installing this critical patch.

4.2 Uninstalling
====================================================================
No special uninstallation instructions are provided.

5. Post-installation Configuration
========================================================================
No post-installation steps are required.

NOTE: Trend Micro recommends that you update your scan engine and virus
pattern files immediately after installing the product.

6. Known Issues
========================================================================
Known issues in this release:

#1 Known issue: [Reported at: DDEI 2.5.1 Service Pack 1 B1118]

**Problem:** When only the "Connect to Smart Protection for Web
Reputation Services" option is enabled on the "Administration >
Scanning / Analysis > Other Settings > Smart Protection" screen, Deep
Discovery Email Inspector does not perform connection tests for the
following:
* Web Inspection Service
* Certified Safe Software Service
* Community File Reputation

**Solution:** On the "Administration > Scanning / Analysis > Other
Settings > Smart Protection" screen, either clear the "Connect to Smart
Protection for Web Reputation Services" checkbox or select both
"Connect to Smart Protection for Web Reputation Services" and "Connect
to global services using Smart Protection Server".

#2 Known issue: [Reported at: DDEI 2.5.1 Service Pack 1 B1118]

**Problem:** If Web Reputation Service and Community File Reputation
are unreachable using IPv4 addresses in a dual-stack network, the
Administration > System Maintenance > Network Services Diagnostics
screen still displays the final resolved IPv4 addresses for these
services.

#3 Known issue: [Reported at: DDEI 2.5.1 Service Pack 1 B1118]

**Problem:** When performing sandbox analysis using a Windows 10 image
that requires higher system resources, the performance of Deep
Discovery Email Inspector may be affected.

**Solution:** Trend Micro recommends evaluating the system load
capacity on Deep Discovery Email Inspector before using a Windows 10
sandbox environment for analysis.

#4 Known issue: [Reported at: DDEI 2.5.0 GM B1300]

**Problem:** Deep Discovery Email Inspector cannot receive incoming
email messages from other IPv6 subnets if the "Hosts in the same
address class" option is enabled on the "Administration > Mail
Settings > Limits and Exceptions" screen.

#5 Known issue: [Reported at: DDEI 2.5.0 GM B1300]

**Problem:** After daylight savings time changes to standard time on
Deep Discovery Email Inspector, a duplicate time value appears on
widgets.

#6 Known issue: [Reported at: DDEI 2.5.0 GM B1300]

**Problem:** While operating in SPAN/TAP mode, Deep Discovery Email
Inspector cannot capture VLAN traffic that is encapsulated by Cisco
Inter-Switch Link (ISL) protocol.

#7 Known issue: [Reported at: DDEI 2.5.0 GM B1300]

**Problem:** Deep Discovery Email Inspector is unable to import Virtual
Analyzer images from an FTP server in active mode. Deep Discovery Email
Inspector security does not allow this type of connection.

**Solution:** Trend Micro recommends using FTP servers in passive mode,
or importing the Virtual Analyzer images through another method.

#8 Known issue: [Reported at: DDEI 2.5.0 GM B1300]

**Problem:** Deep Discovery Email Inspector cannot read the subject of
email messages in non-standard formats.

**Solution:** Trend Micro recommends only routing standard-formatted
email messages. Most mail user agents cannot read email messages in
non-standard formats.

#9 Known issue: [Reported at: DDEI 2.5.0 GM B1300]

**Problem:** The time format in the following places does not change
when "Date and time format" on the "System Settings > Time" page is
changed:
1. "Last updated" time of each widget in "Dashboard > Add Widgets"
2. "Last update" time in the widget preview screenshot
3. Time in the email screenshot in "Detection" details

**Solution:**
1. The "Last updated" time of each widget is subject to a limitation of
   the widget framework used in Deep Discovery Email Inspector, which
   cannot show the time in the corresponding format.
2. The "Last update" time in the widget preview screenshot cannot be
   changed because the preview screenshot is a picture.
3. The time shown in the email screenshot is created by the third-party
   email client. Its format depends on the locale, not on the
   user-defined time format.

#10 Known issue: [Reported at: DDEI 2.5.0 GM B1300]

**Problem:** If an email contains more than 60 URLs, some risky URLs in
it may not be rewritten as links that redirect to a blocking or warning
page, even if the same URLs have been rewritten.

**Solution:** By default, Deep Discovery Email Inspector extracts at
most 60 URLs from an email for scanning. Scanned URLs that are found to
be risky are rewritten as links that redirect to a blocking or warning
page. If the number of URLs in the email exceeds 60, some of the URLs
are not rewritten because Deep Discovery Email Inspector did not
extract them.

#11 Known issue: [Reported at: DDEI 2.5.0 GM B1300]

**Problem:** In Deep Discovery Email Inspector 2.5, submission filters
were changed to allow the user to select the specific file type groups
to be analyzed. After upgrading from Deep Discovery Email Inspector
2.1, the specific file type group (which includes file types selected
in Version 2.1) will be automatically selected to be analyzed.
Afterward, the other file types that belong to the specific file type
group will also be selected for analysis.

**Solution:** Re-configure "Submission Filters" in the "Administration >
Scanning / Analysis > Virtual Analyzer > Settings" page to select the
necessary file type groups.

#12 Known issue: [Reported at: DDEI 2.5.0 GM B1300]

**Problem:** Deep Discovery Email Inspector cannot scan
password-protected Office PowerPoint 2003 files.

**Solution:** The encryption of Office PowerPoint 2003 files is
different from later versions, and this format cannot be decrypted.

#13 Known issue: [Reported at: DDEI 2.5.0 GM B1300]

**Problem:** If the user enables "Connect to Smart Protection Server
for Web Reputation Services" in the "Administration > Scanning /
Analysis > Other Settings > Smart Protection" page, the internal
Virtual Analyzer will not run the URL block reason query, Census query
or the Certified Safe Software Service query.
Additionally, it will not provide Smart Feedback.

**Solution:** This is the configuration of the internal Virtual
Analyzer. The user can either disable "Connect to Smart Protection for
Web Reputation Services" in the "Administration > Scanning / Analysis >
Other Settings > Smart Protection" page or enable both "Connect to
Smart Protection Server for Web Reputation Services" and "Connect to
global services using Smart Protection Server" in the "Administration >
Scanning / Analysis > Other Settings > Smart Protection" page.

#14 Known issue: [Reported at: DDEI 2.5.0 GM B1300]

**Problem:** When integrated with Deep Discovery Analyzer, the final
risk level of a malicious URL in Deep Discovery Email Inspector is
different from the risk level in Deep Discovery Analyzer.

**Solution:** Deep Discovery Analyzer can support several different
products with varying risk levels, so for Deep Discovery Email
Inspector, the risk level for malicious URLs returned by Virtual
Analyzer (whether the internal Virtual Analyzer or Deep Discovery
Analyzer) will be downgraded one level.

#15 Known issue: [Reported at: DDEI 2.5.0 GM B1300]

**Problem:** After upgrading from Deep Discovery Email Inspector 2.1 to
2.5, the web console cannot be redirected to the login page
automatically. Additionally, the certificate of Deep Discovery Email
Inspector will be changed, therefore the user needs to confirm and
accept the new certificate.

**Solution:** Re-open the Deep Discovery Email Inspector web console
and log in again.

#16 Known issue: [Reported at: DDEI 2.5.0 GM B1300]

**Problem:** For the same email attachment which has a different file
name, after being analyzed by Deep Discovery Analyzer, the analysis
reports for the two attachments will have the same file name.

**Solution:** Under its current specification, Deep Discovery Analyzer
returns the cached analysis result for the same files or URLs to Deep
Discovery Email Inspector.

#17 Known issue: [Reported at: DDEI 2.5.0 GM B1300]

**Problem:** Under Microsoft Edge and IE10, there will be two delete
icons at the end of the "Search" box in the "Dashboard > Add Widgets"
page.

**Solution:** Microsoft IE10 and Edge will create a delete icon for the
"Search" box by default. However, Widget Framework has already created
another delete icon.

#18 Known issue: [Reported at: DDEI 2.5.0 GM B1300]

**Problem:** Under the current specifications of Deep Discovery Email
Inspector, Single-Sign-On from Control Manager is not supported under
the HTTP protocol.

**Solution:** Log into the Control Manager web console using HTTPS
protocol.

#19 Known issue: [Reported at: DDEI 2.6.0 GM B1298]

When Deep Discovery Email Inspector connects to a proxy server that
supports multiple HTTP authentication methods, some services (except
ActiveUpdate and product license registration) may not function
properly. On the Network Services Diagnostics screen, the service
status becomes Unsuccessful.

#20 Known issue: [Reported at: DDEI 2.6.0 GM B1298]

When a message contains more than one suspicious file attachment with
the same SHA1 value, the Detections screen displays only one entry for
the multiple file attachments.

#21 Known issue: [Reported at: DDEI 2.6.0 GM B1298]

If the default gateway is configured on a network interface other than
eth0 using CLISH, the web console does not display the current default
gateway and DNS settings.

7. Release History
========================================================================
For more information about updates to this product, go to:
http://www.trendmicro.com/download

Prior Hotfixes
====================================================================
Only this hotfix was tested for this release. Prior hotfixes were
tested at the time of their release.

[Hotfix 1205]

Issue 1: The "Detected Messages" page uses the wrong time zone when
users drill down to the page from the "Suspicious Objects" page.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 1: This hotfix fixes this issue.

Issue 2: There is a typographical error in the "Sender
Filtering/Authentication" widget.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 2: This hotfix corrects the error.

Issue 3: The "Last Delivery Status" column for deferred email messages
does not appear in the "Logs > Message Queue" page.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 3: This hotfix resolves this issue.

Issue 4: The "Approved Senders" function does not work when users
configure only the "Approved Senders" item under the "Administration >
Scanning/Analysis > Business Email Compromise protection" setting and
leave other items blank.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 4: This hotfix resolves this issue.

Enhancement 1: This hotfix enables users to add up to 32 trusted
servers in the SNMP page. The list previously supported up to five
trusted servers only.

Enhancement 2: This hotfix updates the Usandbox module (Usandbox
5.2.1166 with SandCastle 6.0.2833).

[Hotfix 1207]

Issue 1: The Smart Feedback function stops unexpectedly while handling
unknown file types.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 1: This hotfix enables the Smart Feedback function to work
normally when it encounters unknown file types.

Issue 2: When users shut down Deep Discovery Email Inspector, the shut
down page displays the following message:

"Configuring Deep Discovery Email Inspector
Deep Discovery Email Inspector is configuring and will restart. You
will be automatically redirected to the management console after a few
minutes. If you are not redirected, please reopen the management
console."
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 2: This hotfix corrects the message to:

"Shutting Down Deep Discovery Email Inspector
Deep Discovery Email Inspector is powering off. All active tasks will
be stopped."

Enhancement 1: This hotfix enables Deep Discovery Email Inspector 3.1
to recognize CPIO file types as archived files.

[Hotfix 1210]

Issue 1: The "user name" field in the "Microsoft Active Directory" page
of the Deep Discovery Email Inspector web console does not support the
dash character (-).
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 1: This hotfix enables the "user name" field in the "Microsoft
Active Directory" page to support the dash character.

[Hotfix 1214]

Enhancement 1: This hotfix adds the "Include full URLs in URL SO
scanning" feature. When this feature is disabled, Deep Discovery Email
Inspector scans only the URL prefix (the part before the question mark)
during URL suspicious object (SO) scans. This feature is disabled by
default.

[Hotfix 1215]

Issue 1: When a Virtual Analyzer report contains a URL that is longer
than 2138 characters, the corresponding email is incorrectly tagged as
"Virtual Analyzer timeout".
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 1: This hotfix resolves this issue by trimming URLs that are
longer than 2138 characters in Virtual Analyzer reports.

Enhancement 1: This hotfix improves the internal module configuration
to prevent email messages from getting stuck in Virtual Analyzer.

Enhancement 2: This hotfix updates the Usandbox module to version
5.2.1194 with SandCastle 6.0.2846.

[Hotfix 1217]

Issue 1: A content filtering rule that has been created to skip certain
image file type attachments still blocks and quarantines email messages
that contain these attachments.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 1: This hotfix solves the issue so that content filtering
rules work normally.

[Hotfix 1221]

Issue 1: When users enable the Port Binding function, Deep Discovery
Email Inspector appliances will not be able to sync Threat Intelligence
with Deep Discovery Director.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 1: This hotfix ensures that Deep Discovery Email Inspector
appliances can sync Threat Intelligence with Deep Discovery Director
when the Port Binding function is enabled.

Issue 2: If Deep Discovery Email Inspector has been migrated to version
3.1 from version 2.1 or 2.5 and users change its IP address to another
network segment, the default gateway setting disappears.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 2: This hotfix ensures that users can change the Deep
Discovery Email Inspector IP address without issues.

Enhancement 1: This hotfix enhances the Predictive Machine Learning
module to reduce false positive cases.

[Hotfix 1224]

Issue 1: An incorrect definition for the WAV file type triggers the
content filtering rule to block TIF/TIFF files instead.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 1: This hotfix resolves this issue so the content filtering
rule blocks the correct files.

[Hotfix 1226]

Enhancement 1: This hotfix improves the rollback ability of the
sandcastle client engine.

Enhancement 2: This hotfix updates the Usandbox module to version
5.2.1206 with SandCastle version 6.0.3430.

8. Contact Information
========================================================================
A license to Trend Micro software usually includes the right to product
updates, pattern file updates, and basic technical support for one (1)
year from the date of purchase only. After the first year, you must
renew Maintenance on an annual basis at Trend Micro's then-current
Maintenance fees.

Contact Trend Micro via fax, phone, and email, or visit our website to
download evaluation copies of Trend Micro products.

https://www.trendmicro.com/en_us/contact.html

NOTE: This information is subject to change without notice.

9. About Trend Micro
========================================================================
Smart, simple, security that fits.
As a global leader in IT security, Trend Micro develops innovative
security solutions that make the world safe for businesses and
consumers to exchange digital information.

Copyright 2020, Trend Micro Incorporated. All rights reserved. Trend
Micro, the t-ball logo, OfficeScan, Trend Micro Security (for Mac),
Control Manager, Trend Micro Apex One, and Trend Micro Apex Central are
trademarks of Trend Micro Incorporated and are registered in some
jurisdictions. All other product or company names may be trademarks or
registered trademarks of their owners.

10. License Agreement
========================================================================
View information about your license agreement with Trend Micro at:
https://www.trendmicro.com/en_us/about/legal.html

Third-party licensing agreements can be viewed:
- By selecting the "About" option in the application user interface
- By referring to the "Legal" page of the Administrator's Guide
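
Added example, not part of the Trend Micro readme or product code: Issue 2 in section 1.1 describes an LDAP bind that runs before the StartTLS command, which puts that bind outside the TLS session. The Python check below reads the client-to-server bytes of an LDAP connection and reports any BindRequest seen ahead of StartTLS; the function names, DN, password and sample traffic are constructed for illustration.

```python
"""Flag LDAP BindRequests sent before StartTLS in a client-to-server byte stream."""

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # StartTLS extended operation (RFC 4511)
TAG_BIND = 0x60       # BindRequest, [APPLICATION 0]
TAG_EXTENDED = 0x77   # ExtendedRequest, [APPLICATION 23]


def read_tlv(buf, pos):
    """Decode one BER element at pos and return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length >= 0x80:                     # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:pos + length], pos + length


def client_operations(stream):
    """Return [(message_id, op)] for the cleartext LDAP requests at the start of stream."""
    ops, pos = [], 0
    while pos < len(stream) and stream[pos] == 0x30:   # LDAPMessage SEQUENCE; TLS starts 0x16
        try:
            _, msg, pos = read_tlv(stream, pos)
            _, msg_id, op_pos = read_tlv(msg, 0)
            op_tag, op_body, _ = read_tlv(msg, op_pos)
            op = "bind" if op_tag == TAG_BIND else "other"
            if op_tag == TAG_EXTENDED:
                name_tag, name, _ = read_tlv(op_body, 0)   # requestName, [0]
                if name_tag == 0x80 and name == STARTTLS_OID:
                    op = "starttls"
        except (ValueError, IndexError):
            break                          # malformed or partial capture: stop parsing
        ops.append((int.from_bytes(msg_id, "big"), op))
    return ops


def binds_before_starttls(stream):
    """Message IDs of binds that precede StartTLS (or occur with no StartTLS at all)."""
    early = []
    for msg_id, op in client_operations(stream):
        if op == "starttls":
            break
        if op == "bind":
            early.append(msg_id)
    return early


def tlv(tag, value):  # short-form BER encoder; the samples are all under 128 bytes
    return bytes([tag, len(value)]) + value


# Constructed sample traffic (not captured from any product).
BIND = tlv(TAG_BIND, tlv(0x02, b"\x03") + tlv(0x04, b"cn=svc,dc=example,dc=test")
           + tlv(0x80, b"constructed-secret"))
STARTTLS = tlv(TAG_EXTENDED, tlv(0x80, STARTTLS_OID))
TLS_RECORDS = b"\x16\x03\x03\x00\x02hi"    # stand-in for the TLS handshake that follows
BIND_FIRST = (tlv(0x30, tlv(0x02, b"\x01") + BIND)
              + tlv(0x30, tlv(0x02, b"\x02") + STARTTLS) + TLS_RECORDS)
STARTTLS_FIRST = tlv(0x30, tlv(0x02, b"\x01") + STARTTLS) + TLS_RECORDS
```

A non-empty result from `binds_before_starttls` on a capture of the appliance's LDAP traffic means a bind left the client before the channel was upgraded.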