Trend Micro Incorporated                                  May 15th, 2020
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Trend Micro(TM) InterScan Web Security Virtual Appliance 6.5 -
Service Pack 2 - Patch 4
English - Linux - 64 Bits
Critical Patch - Build 1901
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Contents
================================================================
1. Critical Patch Release Information
   1.1 Resolved Known Issues
   1.2 Enhancements
   1.3 Files Included in This Release
2. Documentation Set
3. System Requirements
4. Installation
   4.1 Installing
   4.2 Uninstalling
5. Post-installation Configuration
6. Known Issues
7. Release History
8. Contact Information
9. About Trend Micro
10. License Agreement
================================================================

1. Critical Patch Release Information
========================================================================

1.1 Resolved Known Issues
====================================================================
This Critical Patch resolves the following issue(s):

(VRTS-4213)
Issue 1: InterScan Web Security Virtual Appliance (IWSVA) is affected
         by an Authenticated Command Injection Vulnerability.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 1: This critical patch resolves the vulnerability.

(VRTS-4256)
Issue 2: IWSVA is affected by an Apache Solr Authentication Bypass
         Vulnerability.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 2: This critical patch resolves the vulnerability.

(VRTS-4260)
Issue 3: IWSVA is affected by an Apache Solr Directory Traversal
         Information Disclosure Vulnerability.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 3: This critical patch resolves the vulnerability.

(VRTS-4261)
Issue 4: IWSVA is affected by a Cross-Site Scripting Vulnerability.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 4: This critical patch resolves the vulnerability.

1.2 Enhancements
====================================================================
There are no enhancements for this Critical Patch release.

1.3 Files Included in This Release
====================================================================

A. Files for Current Issues
------------------------------------------------------------------
Filename   Build No.
-------------------------------------------------------------
IWSSGui.jar   1901
application_control_policy_account.jsp   1899
application_control_section_policy_exceptions.jsp   1899
application_control_section_policy_rule.jsp   1899
iwsvanetfun.sh   1899
httpsdecrypt_section_policy_rule.jsp   1899
urlf_section_policy_rule.jsp   1899
web.xml   1899
libhttpproxy.so   1899
tomcatctl.sh   1899
libuiauutil.so   1899
activation.js   1899
ajax_func.js   1899
csrf_func.js   1899
tm_menu.js   1899
virusscan.js   1899
xss_func.js   1899
dashboard_settings.js   1899
facet.html   1899
dashboard.html   1899
reports.js   1899
access_control_settings.jsp   1899
accessquota_policy_acc_rule.jsp   1899
accessquota_policy_list.jsp   1899
admin_patch_installation.jsp   1899
admin_patch_mgmt_progress.jsp   1899
admin_patch_uninstall.jsp   1899
admin_threshold.jsp   1899
application_control_policy_list.jsp   1899
auditlogset.jsp   1899
bandwidth_control_policy_account.jsp   1899
bandwidth_control_policy_list.jsp   1899
bandwidth_control_section_policy_rule.jsp   1899
central_log.jsp   1899
central_log_group_add.jsp   1899
changePassword.jsp   1899
cluster_management.jsp   1899
compliance_templates.jsp   1899
config_backup_collapsed.jsp   1899
config_backup_polling_progress.jsp   1899
config_backup_progress.jsp   1899
config_backup_result.jsp   1899
config_date_time.jsp   1899
config_network_interface.jsp   1899
custom_defense.jsp   1899
dw_cluster_join.jsp   1899
dw_cluster_setting.jsp   1897
dw_network.jsp   1897
dw_summary.jsp   1897
dw_system_time.jsp   1897
encode.jsp   1897
failed_https_accesses.jsp   1897
http_config_captive_portal.jsp   1897
dlp_policy_list.jsp   1897
favorites_log.jsp   1897
ftp_config_scan.jsp   1897
http_config_contentcache_exception.jsp   1897
http_config_contentcache_ss.jsp   1897
http_config_contentcache_waiting.jsp   1897
http_config_user_idetification.jsp   1897
http_ldap_DCServer_add.jsp   1897
http_ldap_DCServer_edit.jsp   1897
http_ldap_testclient.jsp   1897
https_active_dc.jsp   1897
https_cert_detail.jsp   1897
https_inactive_dc.jsp   1897
httpsdecrypt_cert_exception_list.jsp   1897
httpsdecrypt_client_certificate_handling.jsp   1897
httpsdecrypt_policy_account.jsp   1897
httpsdecrypt_policy_exceptions.jsp   1897
httpsdecrypt_policy_list.jsp   1897
httpsdecrypt_policy_rule.jsp   1897
httpsdecrypt_section_policy_exceptions.jsp   1897
im_p2p_add_policy_account.jsp   1897
im_p2p_add_policy_rule.jsp   1897
inspection_filter_edit.jsp   1897
inspection_policy_list.jsp   1897
left.jsp   1897
login_account_add_modify.jsp   1897
mmc_active_dc.jsp   1897
mmc_inactive_dc.jsp   1897
mmc_cert_detail.jsp   1897
mmc_config_java.jsp   1899
mmc_policy_account.jsp   1897
mmc_policy_activex.jsp   1897
mmc_policy_allowedlist.jsp   1897
mmc_policy_java.jsp   1897
mmc_policy_list.jsp   1897
pac_files.jsp   1897
productlicense.jsp   1897
quota_account.jsp   1897
quota_account_app.jsp   1897
ransomware_dashboard.jsp   1897
realtime_reportset.jsp   1897
register_arm_report.jsp   1897
renew_instruction.jsp   1897
replication_progress.jsp   1897
report_generate_app_category_select.jsp   1897
report_generate_category_select.jsp   1897
report_logsetting.jsp   1897
report_scheduled_profile.jsp   1897
report_scheduled_template.jsp   1897
report_scheduled_template_list.jsp   1897
reports.jsp   1897
risk_level.jsp   1897
role_add_modify.jsp   1897
scan_mode.jsp   1897
scan_policy_account.jsp   1897
scan_policy_action.jsp   1899
scan_policy_bot.jsp   1899
scan_policy_exceptions.jsp   1897
scan_policy_list.jsp   1897
scan_policy_rule.jsp   1897
scan_policy_spyware.jsp   1897
scan_policy_wrs_rule.jsp   1899
scheduled_times_add.jsp   1897
summary.jsp   1897
summary_appcontrol.jsp   1897
summary_hardware_status.jsp   1897
summary_spyware.jsp   1897
summaryurl.jsp   1897
support_capture_packet.jsp   1897
support_verbose_log.jsp   1897
system_dashboard.jsp   1897
top.jsp   1897
upgrade_instruction.jsp   1897
upload_sample_sizing.jsp   1897
urlf_policy_account.jsp   1897
urlf_policy_list.jsp   1897
urlf_policy_rule.jsp   1897
urlf_section_policy_exceptions.jsp   1897
urlf_section_policy_safesearch.jsp   1897
XSSGuard.properties   1897
report_action.js   1897
report_action.jsp   1897
proxy   1901
proxyctl.py   1897
update.jsp   1899
bandwidth_control_settings_option.jsp   1899
httpsdecrypt_ssl_method.jsp   1899
syslog_add.jsp   1899
notifications_smtp.jsp   1899

B. Files for Previous Issues
------------------------------------------------------------------
replication_choice.jsp   1847
replication_config.jsp   1847
libcommonldap.so   1847
IWSSPIDpi.so   1892
dtasagent   1862
IniRecover.sh   1849
inspection_filter_list.jsp   1849
rule_file_va6.5sp2_to_va6.5sp2.xml   1853
migration   1853
rule_file_va6.5sp2_to_va6.5sp2_ccr.xml   1853
rule_customize.xml   1853
tmcm_agent_settings.jsp   1852
libtmprotocols.so.2003353   1854
urlfcMapping.ini   1858
IWSSPIUrlFilter.so   1892
tmpstring.js   1858
i18n_log_dynamic.js   1858
IWSSPIScanVsapi.so   1892
libHTTPSDecryption.so   1892
libssl3.so   1861
libsqlite3.so   1861
libsoftokn3.so   1861
libsmime3.so   1861
libplds4.so   1861
libplc4.so   1861
libnssutil3.so   1861
libnsssysinit.so   1861
libnssdbm3.so   1861
libnssckbi.so   1861
libnss3.so   1861
libnspr4.so   1861
libgtest1.so   1861
libfreeblpriv3.so   1861
libfreebl3.so   1861
urlblocking.jsp   1862
urlf_custom_category.jsp   1867
context.xml   1884
configuration_backup_&_restore.htm   1870
libicap.so   1870
AuthDaemon   1883
configure_module.xml   1889
show_module.xml   1889
types.xml   1889
IWSSPIDlpFilter.so   1892
IWSSPINcie.so   1892
IWSSPISigScan.so   1892
libiwsshelper.so   1892
appd   1892
snmpd   1892
IWSSPIJavascan.so   1892
libReportLogging.so   1892

2. Documentation Set
========================================================================
To download or view electronic versions of the documentation set for
this product, go to http://docs.trendmicro.com

- Online Help: The Online Help contains an overview of features and key
  concepts, and information on configuring and maintaining the product.
  To access the Online Help, go to http://docs.trendmicro.com

- Installation Guide (IG): The Installation Guide contains information
  on requirements and procedures for installing and deploying the
  product.

- Administrator's Guide (AG): The Administrator's Guide contains an
  overview of features and key concepts, and information on configuring
  and maintaining the product.

- Getting Started Guide (GSG): The Getting Started Guide contains
  product overview, installation planning, installation and
  configuration instructions, and basic information intended to get the
  product 'up and running'.

- Support Portal: The Support Portal contains information on
  troubleshooting and resolving known issues.
  To access the Support Portal, go to http://esupport.trendmicro.com

3. System Requirements
========================================================================
1. Trend Micro InterScan Web Security Virtual Appliance 6.5 SP2 -
   Patch 4 Build 1844 - English - Linux - x64

4. Installation
========================================================================
This section explains key steps for installing the Critical Patch.

4.1 Installing
====================================================================
To install:

1. Download the "iwsva_65_sp2_ar64_en_criticalpatch_b1901.tgz"
   Critical Patch file to your local hard disk.
2. Log on to the IWSVA admin console GUI.
3. Go to the "Administration > System Updates" page.
4. Click "Browse".
5. Browse your local hard disk for the
   "iwsva_65_sp2_ar64_en_criticalpatch_b1901.tgz" Critical Patch file
   and click "Open".
6. Click "Upload".
   Your browser uploads the Critical Patch file to IWSVA, which
   validates whether the file is a legitimate Critical Patch.
7. Click "Install" to apply the Critical Patch and update IWSVA to
   build 1901. The HTTP and FTP services in IWSVA restart
   automatically.
8. Clear the browser cache.

NOTE: Applying this Critical Patch interrupts the HTTP and FTP services
      for several minutes. Plan appropriately for this downtime.

4.2 Uninstalling
====================================================================
To roll back to the previous build:

1. Log on to the IWSVA admin console GUI.
2. Go to the "Administration > System Updates" page.
3. Click "Uninstall" next to "hfb1901", and then verify the Critical
   Patch ID and description on the confirmation page that appears.
4. Click "Uninstall" to remove Hotfix 1901 to roll back IWSVA to the
   previous build. The HTTP and FTP services in IWSVA restart
   automatically.

NOTE: Removing this Critical Patch interrupts the HTTP and FTP services
      for several minutes. Plan appropriately for this downtime.

5. Post-installation Configuration
========================================================================
No post-installation steps are required.

NOTE: Trend Micro recommends that you update your scan engine and virus
      pattern files immediately after installing the product.

6. Known Issues
========================================================================
Known issues in this release:

#1 Known issue: [Reported at: IWSVA 6.5.0 GM B1200]
   This happens when IWSVA uses multiple authentication servers, and
   the Active Directory domain is configured before any other type of
   server. To fix this known issue, delete the Active Directory domain
   only, and configure it again.

#2 Known issue: [Reported at: IWSVA 6.5.0 GM B1200]
   This known issue happens because the squid service uses the
   "/etc/squid/squid.conf" configuration file. Therefore, the Scheduled
   Configuration Replication is unable to update this configuration
   file.
   To resolve this known issue, Trend Micro recommends using the manual
   replication method.

#3 Known issue: [Reported at: IWSVA 6.5.0 GM B1200]
   This known issue occurs on the latest R420 version, where the openVA
   kernel does not support the latest CPU. You may ignore this warning
   message to complete the IWSVA installation.

#4 Known issue: [Reported at: IWSVA 6.5.0 GM B1200]
   Some applications use HTTPS. Under this scenario, HTTPS decryption
   for this app URL must be enabled; otherwise, HTTPS-based applications
   cannot be blocked. For example, Yahoo mail uses HTTPS for Internet
   Explorer 10, Firefox 23, and Chrome 30.0. To keep granular
   application control working, an HTTPS decryption policy must be set.

   1. Add a customized category in "HTTP > Configuration > Customized
      Categories". For example, "appcontrol". Add the application's
      connection URLs and URL keywords.
   2. Enable HTTPS decryption and select a category to be decrypted.
      For example, in "HTTPS Decryption > Policies", enable "HTTPS
      Decryption". Select the URL category for "appcontrol" to be
      decrypted.

#5 Known issue: [Reported at: IWSVA 6.5.0 GM B1200]
   If LDAP authentication is enabled in the bridge or WCCP mode, HTTPS
   requests will not trigger an LDAP query. If there are no HTTP
   requests to do an LDAP authentication on before the HTTPS is
   requested to set up the IP-user cache, HTTPS will not be able to do
   the user-based policy match. It will use "IP" or "Unknown" as the
   username.

#6 Known issue: [Reported at: IWSVA 6.5.0 GM B1200]
   Log server mode triggers only log sources sending logs to the log
   server. For related configurations, log filtering settings, anonymous
   logging, and HTTPS tunneling settings will not take effect on the log
   sources as their configurations cannot be automatically synchronized
   between log servers and log sources. If those features are needed, it
   is strongly recommended to use replication configuration and make the
   log server a configuration replication source as well.
   Use the "Manual Replication," and select "Policy & Configuration
   Replication" to sync both policies and configurations from the log
   server to the log sources.

#7 Known issue: [Reported at: IWSVA 6.5.0 GM B1200]
   HTTPS Decryption Limitation

   1. When visiting HTTPS sites by IP address in bridge mode, the HTTPS
      requests will be tunneled. The workaround is to change the
      "client_hello_no_host_tunnel=no" key in the "intscan.ini" file.
   2. For Windows XP+IE8, HTTPS will not do decryption in bridge mode.
      The workaround is to change the "client_hello_no_host_tunnel=no"
      key in the "intscan.ini" file.

#8 Known issue: [Reported at: IWSVA 6.5.0 GM B1200]
   When Directory Settings are configured, IWSVA synchronizes with the
   listed LDAP server every 24 hours. When an LDAP user/group is added
   to the directory server, the change takes effect when the next
   synchronization cycle begins. For faster synchronization with the
   LDAP server, do a Manual Sync with the LDAP server.

   * On the "User Identification" page, click the "Sync with LDAP
     servers" button.

#9 Known issue: [Reported at: IWSVA 6.5.0 GM B1200]
   Firefox users see a certification exception dialog when attempting to
   access HTTPS URLs with an IPv6 address in DNS. Workarounds include:

   * Use the host name of the IPV6 server.
   * Do not use the IP address to access HTTPS-related IPV6 web sites.
   * Use IE or Chrome web browsers to access the site.

#10 Known issue: [Reported at: IWSVA 6.5.0 GM B1200]
   In reverse proxy mode, traffic cannot be forwarded to IPv6 servers
   with a link-local address. End-users cannot access the web server and
   will not be protected by IWSVA. The workaround is to use a global
   IPV6 address for the protected server behind IWSVA.

#11 Known issue: [Reported at: IWSVA 6.5.0 GM B1200]
   If a DNS server has both IPV4 and IPV6 addresses, IWSVA will connect
   to it without any problems.

#12 Known issue: [Reported at: IWSVA 6.5.0 GM B1200]
   Safari has a more stringent certificate-checking mechanism and does
   not accept IWSVA Captive Portal's default certificate.
   Workaround: Do not use Safari to surf the Internet through IWSVA, or
   deactivate cookie mode.

#13 Known issue: [Reported at: IWSVA 6.5.0 GM B1200]
   The "show network interfaces status" command is a function of IWSVA
   CLISH. It helps an administrator check the current interface status.
   If the administrator does not type anything in CLISH within 900
   seconds, CLISH cannot quit the usual way through the console. The
   administrator can use the "killall" and "shownic" commands to quit.

   To stop the current timeout process:

   1. Change to another console by pressing ALT+F2.
   2. Use the following "killall" command to end the timeout process.

      `killall -9 shownic`

#14 Known issue: [Reported at: IWSVA 6.5.0 GM B1200]
   When IWSVA 6.0 is deployed on an IBM X360 or HP 380G5, the system
   event log generated by the BMC agent on these devices cannot be read
   by IWSVA. This will lead to inaccurate hardware status log
   information being exported through the syslog and SNMP.

#15 Known issue: [Reported at: IWSVA 6.5.0 GM B1200]
   This issue occurs when IWSVA 6.0 is connected to a switch at the same
   time another machine is connected to the same switch. That machine's
   MAC IP address will float between its real port and the IWSVA port.
   This only occurs in the Transparent Bridge mode.

   To fix this issue, add the MAC address filter option. To do this,
   access the "/etc/iscan/network.ini" file using the CLISH tool, and
   run one of the following commands:

   * add mac_filter=[mac address which you want to skip]
     or
   * add mac_filter!=[mac address which you want to scan]

   Then, type the command `service network restart` on the console.

#16 Known issue: [Reported at: IWSVA 6.5.0 GM B1200]
   The Application Control feature only blocks new connections to the
   protocols specified in a new policy.
   If you deploy a new policy to block Skype after being logged on to
   Skype, then Skype is not blocked. However, if you log off Skype and
   then log on again, the policy works, and Skype is blocked.

#17 Known issue: [Reported at: IWSVA 6.5.0 GM B1200]
   This is caused by the time quota implementation method. The default
   quota unit is five minutes. Trend Micro recommends that
   administrators set the "Time quota" value to a multiple of five.
   Otherwise, IWSVA ignores the remainder if it is less than five. For
   example, if the value is set to four minutes, IWSVA interprets that
   as zero minutes. If the value is set to nine minutes, IWSVA
   interprets that as five minutes.

   The time quota setting depends on the system time. For example, if it
   is now 10:03 and the time quota = 5, the end user could only have
   access for two minutes. That happens because the time quota is split
   into five-minute increments (10:00-10:05, 10:05-10:10, etc.). Every
   five minutes, a new increment begins.

#18 Known issue: [Reported at: IWSVA 6.5.0 GM B1200]
   When you install IWSVA on a VMware ESX Virtual Machine, occasionally
   you might see the following error message:

   "Memory for crash kernel (0x0 to 0x0) not within permissible range"

   This message is normal and safe to ignore.

#19 Known issue: [Reported at: IWSVA 6.5.0 GM B1200]
   If the machine cannot find a storage controller, the installer will
   check if the storage controller exists. If the storage controller
   does not exist, the installation will fail even if the minimum
   hardware requirements for memory and disk are met. The workaround is
   to skip the hardware check.

   To skip the hardware check:

   1. When the "Minimum hardware requirements were not met" message is
      displayed, click "Next".
   2. When the installation menu page appears, press "Tab" to open a
      command line.
   3. Type "nohwfail" and press "Enter" to continue installing IWSVA.

#20 Known issue: [Reported at: IWSVA 6.5.0 GM B1200]
   The IWSVA FTP daemon modifies the contents of the package in user
   mode.
   Some critical parts of the FTP packets that are usually recognized
   are changed. This change prevents the application signature engine
   from recognizing the data, and it will be marked as "Unclassified."
   The only way to avoid this issue at this time is to disable FTP
   scanning.

#21 Known issue: [Reported at: IWSVA 6.5.0 GM B1200]
   For example, the HTTP connection will be reset by IWSVA if a browser
   keeps posting a large file and ignoring the HTTP 403 block page
   notification from IWSVA.

   In another example, the Google search page does not show any response
   if the query is blocked by the IWSVA query keyword filter. This
   happens when the Google search setting "Use Google Instant
   predictions and results appear while typing" is enabled. This is
   because the Google page uses AJAX to query data with a private
   format, not normal HTML. As a result, it ignores the IWSVA 403 block
   notification page. The block page is displayed correctly after
   "Google Instant" is disabled.

   In these examples, the HTTP Inspection filter is working correctly
   and content is blocked, but the user may not receive feedback
   explaining why the content is blocked because the browser cannot
   display the IWSVA notification.

#22 Known issue: [Reported at: IWSVA 6.5.0 GM B1200]
   If the time zone is UTC+4:30 or UTC+5:45, which is not at the top of
   the hour, the data shown on the dashboard or in log query data and
   the raw log data might not sync with each other, but the logs in the
   database are correct.

#23 Known issue: [Reported at: IWSVA 6.5.0 GM B1200]
   When deployed in the Proxy Chain, the application control daemon
   cannot get the source IP to match the policy. This is a limitation.

#24 Known issue: [Reported at: IWSVA 6.5.1 Service Pack 1 B1080]
   This happens because the web console uses the HTTPS channel by
   default, and the Web browser is unable to download the PAC file.
   This known issue occurs if the client Web browser does not import the
   security certificate from the IWSVA web console, or the security
   certificate "host name" and "common name" do not match.

   To work around this issue, do the following:

   1. Log on to the IWSVA web console, and navigate to the following
      location: "Administration > Network Configuration > Web Console".
   2. Select Non-SSL mode, and click "Save" to save the settings. The
      web console redirects to the new URL
      (http://[iwsva_IP_address]:1812).
   3. Update the download location for the PAC file in the web browser.
      To get the PAC file location, navigate on IWSVA web console to:
      "Administration > IWSVA Configuration > PAC Files Management".

#25 Known issue: [Reported at: IWSVA 6.5.2 Service Pack 2 B1548]
   IWSVA bandwidth control is implemented via Linux's traffic control
   subsystem, while content cache transfers the upstream traffic via the
   logical network interface, lo, which is not controlled by traffic
   control. As such, IWSVA bandwidth control does not control the
   upstream traffic which, instead, directs through lo.

   To work around this issue, disable content cache, and configure
   Apache Traffic Server (ATS) as an upstream proxy for IWSVA.

#26 Known issue: [Reported at: IWSVA 6.5.2 SP2 - Patch 4 B1849]
   In order to resolve an issue, the dynamic certificates rule during
   Certification Replication has been modified. If you are using
   Configuration Replication, when installing hotfix 1837 or a later
   hotfix/patch, please upgrade the CCR Receiver first, then upgrade the
   CCR Source.

   If you have upgraded the CCR Source first, please use the steps below
   to copy the dynamic certificates to the Receivers:

   1. WinSCP into the CCR Source > Download all files from
      /var/iwss/jscan/certificates/dynamic to a directory on the local
      machine
   2. SSH into the CCR Receiver > Stop the IWSVA services:

      # /var/iwss/rcIwss stop

      (Note: this will interrupt the network traffic for a few minutes
      so plan accordingly)
   3. WinSCP into the CCR Receiver > Upload all downloaded files to
      /var/iwss/jscan/certificates/dynamic
   4. SSH into the CCR Receiver > Run the commands:

      chown iscan:iscan /var/iwss/jscan/certificates/dynamic/*
      /var/iwss/rcIwss start

#27 Known issue: [Reported at: IWSVA 6.5.2 SP2 - Patch 4 B1901]
   The IWSVA web console cannot be accessed when administrators take the
   IWSVA HTTP scanning daemon as proxy. This happens because IWSVA has
   introduced a new mechanism to protect itself from unknown attacks
   through the HTTP scanning daemon. To make setting changes or
   configure IWSVA, administrators should refer to the web console
   directly.

   NOTES: If the proxy auto-config (PAC) file has been enabled, the
          relative rules must also be configured.

#28 Known issue: [Reported at: IWSVA 6.5.2 SP2 - Patch 4 B1901]
   When users use a Fully Qualified Domain Name (FQDN) to access the
   IWSVA web console, they are redirected to the IWSVA IP and fail the
   web console certificate check. This issue has been fixed in
   Hotfix 1906.

7. Release History
========================================================================
For more information about updates to this product, go to:
http://www.trendmicro.com/download

Prior Hotfixes
====================================================================
Only this Critical Patch was tested for this release. Prior hotfixes
were tested at the time of their release.

[Hotfix 1847]

(SEG-39546)
Issue 1: The "Enable TMCM SO Sync" button in the "HTTP > Advanced
         Thread Protection > Custom Defense > Custom Defense Setting"
         page is disabled since InterScan Web Security Virtual Appliance
         (IWSVA) 6.5 was upgraded from Patch 2 to Patch 3.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 1: This hotfix enables the "Enable TMCM SO Sync" button on the
            page.

(SEG-39863)
Issue 2: In version 56 and any higher version of Mozilla(R) Firefox(R),
         the "Administration > IWSVA Configuration > Replication
         Configuration" page cannot show a required pop-up page after
         users click on the "Replicate Now" button.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 2: This hotfix resolves the issue.

(SEG-39015)
Issue 3: LDAP round-robin does not work.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 3: This hotfix resolves the issue.

[Hotfix 1849]

(SEG-41483)
Issue 1: Users cannot save the Trend Micro Deep Discovery Analyzer
         setting in InterScan Web Security Virtual Appliance (IWSVA) 6.5
         Service Pack 2 Patch 4.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 1: This hotfix ensures that the Deep Discovery Analyzer setting
            can be saved without issues.

(SEG-41832)
Issue 2: The HTTP inspection filter cannot import files.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 2: This hotfix enables the HTTP inspection filter to import
            files.

Enhancement 1: This hotfix adds a way to enable the Application Control
               exception list.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Procedure 1: To enable the Application Control exception list:

   1. Install this hotfix (see "Installation").
   2. Open the "WEBUI/etc/iscan/intscan.ini" file.
   3. Add the following key in the "app-control" section and set it to
      "yes".

      [app-control]
      enable_app_exceptlist=yes

   4. Save the changes and close the file.
   5. Restart the WEBUI service by running the following command:

      /etc/iscan/S99IScanHttpd restart

[Hotfix 1850]

(SEG-41955)
Issue 1: Corruption of the dtas.ini file may occur periodically. As a
         workaround, the corrupted dtas.ini file needs to be replaced
         manually each time the corruption occurs.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 1: This hotfix resolves the issue.

[Critical Patch 1852]

(VRTS-3029)
Issue 1: An Administrator Credential Disclosure vulnerability affects
         the "Administrator > IWSVA Configuration > Control Manager
         Server Setting" page of the InterScan Web Security Virtual
         Appliance (IWSVA) 6.5 Service Pack 2 EN web console.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 1: This critical patch removes the vulnerability.

[Hotfix 1853]

Enhancement 1: By default, the Cluster Continuous Replication (CCR)
               receiver retrieves the dynamic certificate from the CCR
               source. This hotfix adds a hidden key that allows users
               to enable or disable dynamic certificate synchronization.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Procedure 1: To enable or disable dynamic certificate synchronization:

   1. Install this hotfix on the CCR receiver (see "Installation").
   2. Install the hotfix on the CCR source.
   3. Open the "/usr/iwss/migration/migration.ini" file on the CCR
      source, add the "disable_dynamic_cert_sync" setting under the
      section "common" and set the preferred value.

      * "no", dynamic certificate will sync in CCR
      * "yes", dynamic certificate will not sync in CCR

   4. Save the changes and close the file.
   5. Repeat steps 3 and 4 on the CCR receiver.

[Hotfix 1854]

(SEG-38401)
Issue 1: The Granular Control Policy of the Application Control feature
         in InterScan Web Security Virtual Appliance (IWSVA) cannot
         block the DropBox program.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 1: This hotfix upgrades the IXEngine pattern to fix this issue.

[Hotfix 1855]

(SEG-50220)
Issue 1: URL filtering groups allow access to sites that should be
         blocked.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 1: This hotfix adds "98=Cloud Applications" in the "General"
            group of urlfcMapping.ini to fix this issue.

[Hotfix 1858]

(SEG-49863)
Issue 1: The "Top URL Categories Accessed" widget on the dashboard
         displays a gray page and does not show any information.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 1: This hotfix adds the "96=Miscellaneous" category in related
            files to ensure that the widget displays information
            normally.

(SEG-52436)
Issue 2: In syslog, the "tk_filter_action" value for a blocking action
         is incorrectly set to "0" when it should be "1".
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 2: This hotfix ensures that when the action is "block", the
            "tk_filter_action" will be set to "1" in syslog.

[Hotfix 1859]

(SEG-50649)
Issue 1: InterScan Web Security Virtual Appliance (IWSVA) blocks the
         download of special "Compressed_Huge_File" samples even when
         IWSVA is configured to allow this action.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 1: This hotfix ensures that users can download special
            "Compressed_Huge_File" samples when IWSVA is configured to
            allow the action.

[Hotfix 1861]

(SEG-51426)
Issue 1: The macro-stripping function does not work on XLSM, DOCM, and
         PPTM files.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 1: This hotfix ensures that InterScan Web Security Virtual
            Appliance (IWSVA) can strip macros from XLSM, DOCM, and PPTM
            files by enabling the "CleanZipFlag" setting of the VSAPI
            scan engine.

(SEG-55938)
Issue 2: The iwssd process does not release the allocated memory in
         HTTPS decryption mode.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 2: This hotfix ensures that the iwssd process releases memory
            resources promptly.

(SEG-56738)
Issue 3: Users may not be able to download a file when the antivirus
         scanning module is disabled.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 3: This hotfix ensures that users can download files normally
            when the antivirus scanning module is disabled.

(SEG-56738)
Issue 4: When IWSVA is in bridge high-availability (HA) mode on an ESXi
         environment, it drops network packets that contain a VLan tag.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 4: This hotfix updates the network script to ensure that IWSVA
            can handle VLan-tagged network packets correctly in bridge
            HA mode on ESXi environments.

(SEG-52715)
Issue 5: IWSVA cannot authenticate domains where TLS 1.0 and 1.1 are
         disabled.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 5: This hotfix resolves this issue by enabling IWSVA to support
            TLS 1.2 for domain authentication.

[Hotfix 1862]

(SEG-55954)
Issue 1: The "Last Updated" time stamp for the "Enable generated
         malicious entity feedback" option is not updated automatically
         every five minutes.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 1: This hotfix fixes the issue by rolling back the code merged
            for SEG-41483 and updating the procedure for processing
            multithread read/write files.

(SEG-56487)
Issue 2: InterScan Web Security Virtual Appliance (IWSVA) cannot
         unregister from Trend Micro Control Manager(TM) successfully.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 2: The hotfix fixes the issue by preventing IWSVA from
            encrypting the default password that remains on the IWSVA
            web console.

(SEG-56913)
Issue 3: When a file that contains the "[block]" and "[allow]" URL lists
         is imported to the "Global URL Blocking" list, the URLs in the
         "[block]" section are automatically saved in the block list,
         but exceptions to the block list remain empty even when there
         are URLs in the "[allow]" section of the file.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 3: The hotfix resolves the issue by updating the import logic.

[Hotfix 1867]

(SEG-57232)
Issue 1: InterScan Web Security Virtual Appliance (IWSVA) does not allow
         users to create more than 64 custom categories.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 1: The hotfix resolves the issue by increasing the maximum
            number of custom categories to 256.

(SEG-57474)
Issue 2: The "Untested" and "New Domain" URL categories are hidden on the IWSVA admin console but certain users may need to view the information.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 2: This hotfix enables users to configure the IWSVA admin console to display both URL categories.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Procedure 2: To configure the IWSVA admin console to display the "Untested" and "New Domain" URL categories:

   1. Install this hotfix (see "Installation").
   2. SSH to the IWSVA shell.
   3. Open the "/etc/iscan/IWSSPIUrlFilter.dsc" file.
   4. Locate the "vendor" section.
   5. Add the following key and set it to "yes".

      [vendor]
      show_hidden_categories=yes

   6. Save the changes and close the file.

(SEG-3257)
Issue 3: The IWSVA program may be vulnerable to Cross-Site Scripting (XSS) attacks.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 3: This hotfix removes the vulnerability.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Procedure 3: To enable the XSS protection:

   1. Install this hotfix (see "Installation").
   2. SSH to the IWSVA shell.
   3. Open the "/var/iwss/intscan.ini" file.
   4. Locate the "http" section.
   5. Add the following key and set it to "enable".

      [http]
      xss_protect=enable

   6. Save the changes and close the file.
   7. Restart the web console service.

[Hotfix 1870]

(SEG-55877)
Issue 1: The Online Help for the "Configuration Backup and Restore" feature does not contain any information about the automatic clean-up of backup files.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 1: This hotfix adds the information to the Online Help.

(SEG-60817)
Issue 2: When InterScan Web Security Virtual Appliance (IWSVA) is deployed in ICAP mode, users encounter a "400 Bad Request Error response: Bad Content-Length" while logging onto "https://success.trendmicro.com/sign-in".
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 2: The hotfix resolves the issue.
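
Both Hotfix 1867 procedures above only take effect if the key is added under the named section. The following POSIX shell check is an added example, not part of the Trend Micro readme or product: it reads a key from one section and fails when the key is missing or sits under a different section. The helper names, the "#"/";" comment syntax and the last-assignment-wins rule are assumptions; the sample file is constructed.

```shell
#!/bin/sh
# Added example, not Trend Micro code. Helper names are hypothetical.
# ini_get prints the value of KEY inside [SECTION]; prints nothing if absent.
ini_get() {  # usage: ini_get FILE SECTION KEY
    awk -v want="$2" -v key="$3" '
        /^[ \t]*[#;]/ { next }            # assumed comment syntax
        /^[ \t]*\[/ {                     # section header such as [http]
            sec = $0
            sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
            next
        }
        sec == want {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", k)   # trim blanks and a trailing CR
            gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            if (k == key) val = v         # last assignment wins (assumption)
        }
        END { if (val != "") print val }
    ' "$1"
}

# ini_expect returns 0 only when KEY in [SECTION] equals EXPECTED.
ini_expect() {  # usage: ini_expect FILE SECTION KEY EXPECTED
    got=$(ini_get "$1" "$2" "$3")
    if [ "$got" = "$4" ]; then
        echo "OK    [$2] $3=$got"
    else
        echo "FAIL  [$2] $3='${got:-<unset>}' (expected '$4')"
        return 1
    fi
}

# On the appliance, with the paths and keys given in the readme:
#   ini_expect /var/iwss/intscan.ini http xss_protect enable
#   ini_expect /etc/iscan/IWSSPIUrlFilter.dsc vendor show_hidden_categories yes

# Constructed sample: the key was appended under the wrong section.
demo_ini=$(mktemp)
printf '[http]\nport=8080\n[other]\nxss_protect=enable\n' > "$demo_ini"
ini_expect "$demo_ini" http xss_protect enable || echo "xss_protect is not under [http]"
rm -f "$demo_ini"
```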

(SEG-60852)
Issue 3: The customized approved list of URLs does not work when XSS protection is enabled.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 3: The hotfix ensures that the customized approved URL list works normally.

[Hotfix 1876]

(SEG-63367)
Issue 1: iwssd suddenly crashes when dealing with DNS TTL information, which causes the following:
   - Failure or delay in web access
   - Many iwssd core dumps are created
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 1: The hotfix resolves this issue.

[Hotfix 1879]

(SEG-62291)
Issue 1: The HTTPS decryption feature cannot run on Apple(R) devices running iOS 13 or Mac(TM) OS 10.15 because InterScan Web Security Virtual Appliance (IWSVA) cannot create resigned certificates with a 2048-bit key.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 1: This hotfix resolves this issue and saves the new default certificates (CA) (SHA256/2048bit) in "/var/iwss/https/certstore/new_default_ca".
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Procedure 1: To use the new default CA:

   1. Install this hotfix (see "Installation").
   2. Log in to the Linux console of IWSVA as the root user.
   3. Stop all the IWSVA services by running the following command:

      /etc/iscan/rcIwss stop

   4. Copy the new CA files by running the following commands:

      cd /var/iwss/https/certstore/new_default_ca
      cp default.cer ../https_ca/default.cer
      cp default_key.cer ../https_ca/default_key.cer
      cp .default.passphrase ../https_ca/.default.passphrase

   5. Remove the current resigned certificate cache by running the following commands:

      cd /var/iwss/https/certstore/cache/
      rm -f resigned_cert

   6. Restart all the IWSVA services by running the following command:

      /etc/iscan/rcIwss start

[Hotfix 1883]

(SEG-64962)
Issue 1: When ip-user cache is disabled, the authentication window is displayed even if the customer enters the correct information.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 1: This hotfix resolves this issue.
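
For the new default CA procedure under Hotfix 1879, the following check is an added example, not Trend Micro code, meant to be run after step 5 and before the services are restarted in step 6. It confirms that the three files in "https_ca" are byte-identical to those in "new_default_ca" and that the resigned certificate cache is gone. The function name is hypothetical, the world-readable warning is an added hygiene check rather than a readme requirement, and the openssl output assumes "default.cer" is PEM-encoded.

```shell
#!/bin/sh
# Added example, not Trend Micro code. verify_new_ca is a hypothetical helper.
# Run it after step 5 and before step 6 of the readme procedure.
verify_new_ca() {  # usage: verify_new_ca [CERTSTORE_DIR]
    store=${1:-/var/iwss/https/certstore}
    rc=0

    # Step 4: each deployed file must be byte-identical to the shipped one.
    for f in default.cer default_key.cer .default.passphrase; do
        if ! cmp -s "$store/new_default_ca/$f" "$store/https_ca/$f"; then
            echo "FAIL  https_ca/$f is missing or differs from new_default_ca/$f"
            rc=1
        fi
    done

    # Step 5: the old resigned certificate cache must be gone.
    if [ -e "$store/cache/resigned_cert" ]; then
        echo "FAIL  cache/resigned_cert is still present"
        rc=1
    fi

    # Added hygiene check (not a readme requirement): flag a private key or
    # passphrase file that every local user can read.
    for f in default_key.cer .default.passphrase; do
        if [ -n "$(find "$store/https_ca/$f" -perm -004 2>/dev/null)" ]; then
            echo "WARN  https_ca/$f is world-readable"
        fi
    done

    # Informational: print signature algorithm and key size (the readme states
    # SHA256/2048bit). Assumes PEM; prints nothing if the file does not parse.
    if command -v openssl >/dev/null 2>&1; then
        openssl x509 -in "$store/https_ca/default.cer" -noout -text 2>/dev/null |
            grep -E 'Signature Algorithm:|Public-Key:' || true
    fi

    [ "$rc" -eq 0 ] && echo "OK    new default CA files deployed, cache cleared"
    return "$rc"
}

# Run against a directory given on the command line, for example:
#   sh verify_new_ca.sh /var/iwss/https/certstore
if [ "$#" -gt 0 ]; then verify_new_ca "$1"; fi
```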

(SEG-65283)
Issue 2: The following description in the online help is no longer applicable and needs to be removed from the documentation: "Account that have administrator privilege can log in to the terminal console through SSH."
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 2: This hotfix resolves this issue.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Procedure 2: Clear the browser cache to show the latest help content.

(SEG-57281)
Issue 3: Heap overflow occurred in the Java Virtual Machine (JVM) in IWSVA's Tomcat service.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 3: This hotfix resolves this issue.

(SEG-63090)
Issue 4: The following content in the online help is no longer applicable and needs to be removed from the documentation: HTTPS Accelerator Card Support.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 4: This hotfix resolves this issue.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Procedure 4: Clear the browser cache to show the latest help content.

[Hotfix 1885]

(SEG-64084)
Issue 1: Users may not be able to access certain web pages when InterScan Web Security Virtual Appliance (IWSVA) connects to the Internet through an IPv6 server.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 1: This hotfix ensures that users can access approved web pages through IPv6.

[Hotfix 1887]

(SEG-65844)
Issue 1: Users cannot establish a stable connection to the Xetra website from InterScan Web Security Virtual Appliance (IWSVA).
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 1: This hotfix ensures that users can connect to Xetra through IWSVA.

[Hotfix 1889]

(SEG-70778)
Issue 1: In InterScan Web Security Virtual Appliance (IWSVA), the default maximum RSA key length (rsa_length) for HTTPS decryption is 2048 bits, which may cause network and performance issues on protected computers.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 1: This hotfix sets the default maximum RSA key length to 1024 bits and adds a hidden key to enable IWSVA to support changes to the "rsa_length" value.

NOTE: Changing "rsa_length" to 2048 bits might require more CPU cores when many HTTPS sites are decrypted at the same time because the key length becomes longer. Trend Micro recommends tripling the number of CPU cores under this scenario.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Procedure 1: To configure the "rsa_length" value:

   1. Install this hotfix (see "Installation").
   2. Log on to IWSVA either directly or with Secure Shell (SSH) as administrator.
   3. Run the following commands:

      enable
      configure module https public-key length 2048
      exit

   NOTE: To restore default settings run:

      enable
      configure module https public-key length 1024
      exit

[Hotfix 1892]

(SEG-74522), (SEG-73160)
Issue 1: Memory leak occurred when the daemon reloaded.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 1: This hotfix fixes this memory leak issue.

(SEG-70793)
Issue 2: IWSVA sent many certificate revocation messages when validating the certificate chain.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 2: This hotfix provides a setting to change the certificate check process.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Procedure 2:

   1. SSH to IWSVA.
   2. Run the following command to stop iwssd:

      /etc/iscan/S99ISproxy stop

   3. Edit the [https-scanning] section in /etc/iscan/intscan.ini as follows: change "match_cert_exception_with_alt_names" to yes, and change "trust_active_ca" to yes.
   4. Run the following command to start iwssd:

      /etc/iscan/S99ISproxy start

8. Contact Information
========================================================================
A license to Trend Micro software usually includes the right to product updates, pattern file updates, and basic technical support for one (1) year from the date of purchase only.
After the first year, you must renew Maintenance on an annual basis at Trend Micro's then-current Maintenance fees.

Contact Trend Micro via fax, phone, and email, or visit our website to download evaluation copies of Trend Micro products.

https://www.trendmicro.com/en_us/contact.html

NOTE: This information is subject to change without notice.

9. About Trend Micro
========================================================================
Smart, simple, security that fits. As a global leader in IT security, Trend Micro develops innovative security solutions that make the world safe for businesses and consumers to exchange digital information.

Copyright 2020, Trend Micro Incorporated. All rights reserved. Trend Micro, the t-ball logo, OfficeScan, Trend Micro Security (for Mac), Control Manager, Trend Micro Apex One, and Trend Micro Apex Central are trademarks of Trend Micro Incorporated and are registered in some jurisdictions. All other product or company names may be trademarks or registered trademarks of their owners.

10. License Agreement
========================================================================
View information about your license agreement with Trend Micro at:

https://www.trendmicro.com/en_us/about/legal.html

Third-party licensing agreements can be viewed:

   - By selecting the "About" option in the application user interface
   - By referring to the "Legal" page of the Administrator's Guide