~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Readme for Trend Micro(TM) Vulnerability Protection Manager
2.0 Service Pack 2 Patch 7 Critical Patch 1

Platforms supported:
- Microsoft(TM) Windows(TM) Server 2016 (64-bit)
- Windows Server 2012 R2 (64-bit)
- Windows Server 2012 (64-bit)
- Windows Server 2008 with SP2 (64-bit)
- Windows Server 2008 R2 with SP1 (64-bit)

Platforms not supported:
- Windows Server 2012 Core
- Windows Server 2008 Core
- Windows Vista(TM)

Date: September 5, 2019
Release: 2.0 Service Pack 2 Patch 7 Critical Patch 1
Build Version: 2.0.8451
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Contents
==============================================================
1. About Vulnerability Protection 2.0 Service Pack 2 Patch 7
   Critical Patch 1
   1.1 Overview of This Release
   1.2 Who Should Install This Release
   1.3 Upgrade Notice
2. What's New
   2.1 Enhancements
   2.2 Resolved Known Issues
3. Documentation Set
4. System Requirements
5. Known Incompatibilities
6. Known Issues in Vulnerability Protection Manager 2.0 Service Pack 2
   Patch 7 Critical Patch 1
7. Release History
8. Files Included in This Release
9. Contact Information
10. About Trend Micro
11. License Agreement
12. Third Party Software
==============================================================

1. About Vulnerability Protection 2.0 Service Pack 2 Patch 7
   Critical Patch 1
========================================================================

1.1 Overview of This Release
=====================================================================
Vulnerability Protection 2.0 Service Pack 2 Patch 7 Critical Patch 1
installs a security update. Refer to "What's New" for more
information.
1.2 Who Should Install This Release
=====================================================================
You should install this release if you are currently running any of
the following versions of Vulnerability Protection or are installing
Vulnerability Protection for the first time:
- 2.0 Service Pack 2
- 2.0 Service Pack 2 Patch 1
- 2.0 Service Pack 2 Patch 1 Critical Patch 1
- 2.0 Service Pack 2 Patch 2
- 2.0 Service Pack 2 Patch 3
- 2.0 Service Pack 2 Patch 3 Critical Patch 1
- 2.0 Service Pack 2 Patch 4
- 2.0 Service Pack 2 Patch 5
- 2.0 Service Pack 2 Patch 6
- 2.0 Service Pack 2 Patch 7

1.3 Upgrade Notice
=====================================================================
To upgrade to Vulnerability Protection Manager 2.0 Service Pack 2
Patch 7 Critical Patch 1, you must be running one of the following
versions of Vulnerability Protection Manager:
- 2.0 Service Pack 1
- 2.0 Service Pack 2
- 2.0 Service Pack 2 Patch 1
- 2.0 Service Pack 2 Patch 1 Critical Patch 1
- 2.0 Service Pack 2 Patch 2
- 2.0 Service Pack 2 Patch 3
- 2.0 Service Pack 2 Patch 3 Critical Patch 1
- 2.0 Service Pack 2 Patch 4
- 2.0 Service Pack 2 Patch 5
- 2.0 Service Pack 2 Patch 6
- 2.0 Service Pack 2 Patch 7

2. What's New
========================================================================
NOTE: Install this release before completing any procedures in this
section.

2.1 Enhancements
=====================================================================
There are no enhancements for this release.

2.2 Resolved Known Issues
=====================================================================
This release resolves the following issue:

Issue: [VRTS-3663, VP-676]
The Vulnerability Protection Manager is affected by the vulnerability
tracked as CVE-2019-9488.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution: This critical patch resolves the vulnerability.

3. Documentation Set
========================================================================
To download or view electronic versions of the documentation set for
this product, go to:
http://docs.trendmicro.com/en-us/enterprise/vulnerability-protection.aspx

In addition to this Readme file, the documentation set for this
product includes the following:

- Online Help: The Online Help contains an overview of features and
  key concepts, and information on configuring and maintaining
  Vulnerability Protection Manager. To access the Online Help, go to
  http://docs.trendmicro.com

- Installation Guide (IG): The Installation Guide contains
  information on requirements and procedures for installing and
  deploying Vulnerability Protection Manager.

- Administrator's Guide (AG): The Administrator's Guide contains an
  overview of features and key concepts, and information on
  configuring and maintaining Vulnerability Protection Manager.

4. System Requirements
========================================================================
For a complete list of the system requirements, refer to the
Vulnerability Protection 2.0 Service Pack 2 Patch 7 Installation
Guide.

5. Known Incompatibilities
========================================================================
Vulnerability Protection Manager does not support Windows Vista. You
will encounter issues running Vulnerability Protection Manager on
this platform.

6. Known Issues in Vulnerability Protection Manager 2.0 Service Pack 2
   Patch 7 Critical Patch 1
========================================================================
The following are the known issues:

- Location awareness is not supported in IPv6 environments. [12776]

- Vulnerability Protection Manager does not support installation
  paths that contain special characters (non-alphabetic and
  non-numeric characters). The same restriction also applies to the
  database name and/or database account used by Vulnerability
  Protection Manager. [16708]

- When a user runs an agent-initiated recommendation scan using the
  "dsa_control -m RecommendationScan:true" command, no system event
  related to the recommendation scan is recorded.

- If the Manager node(s) and the database are installed on machines
  with synchronized clocks but configured for different time zones,
  an error indicating that the clocks are not synchronized is
  triggered incorrectly. [17100]

- During an upgrade, the Vulnerability Protection Manager service may
  not be installed properly on some platforms if the "Services"
  screen is open. As a workaround, make sure the "Services" screen is
  closed before installation or upgrade.

- During an upgrade, if you receive a message stating that the
  Vulnerability Protection Manager cannot start the service,
  restarting the host usually fixes the problem. In rare cases, you
  may have to run the installer again in Upgrade/Repair mode after
  restarting.

- If Windows Firewall is enabled on the Trend Micro Vulnerability
  Protection Manager host, it may interfere with port scans and cause
  false port scan results. Windows Firewall may use ports 21, 389,
  1002, and 1720 as a proxy, so these ports always appear open
  regardless of any filter placed on the computer.

- Transport Layer Security (TLS) versions 1.1 and 1.2 are not
  supported by the SSL Inspection feature of Intrusion Prevention.
  [18091]

- The Relay feature uses TCP port 4122. When enabling the Relay
  feature, make sure that all firewalls in the path allow TCP port
  4122. [22749]

- The Relay feature is not supported on Windows XP. [17729]

- Windows Add/Remove Programs or Programs and Features does not show
  the exact version of the Vulnerability Protection Agent.
  Vulnerability Protection Agent uses the version format "..", whereas
  Windows only displays the version number using the format "..".
  [21990]

- When upgrading to Vulnerability Protection Agent 2.0 Service Pack 2
  on Windows 2012, the following error message may appear:

  "Service "Trend Micro Vulnerability Protection Agent" (ds_agent)
  could not be installed. Verify that you have sufficient privileges
  to install system services."

  This may be fixed by running the Windows Update troubleshooter. For
  more information, see http://support.microsoft.com/kb/910336.
  [23728]

- Some security components of a Vulnerability Protection Agent with
  the Relay feature enabled may be removed unexpectedly after an
  update. As a workaround, deploy the security update again. [24004]

- In some cases, a laptop computer has the "Microsoft Virtual Wi-Fi
  Miniport Adapter" option enabled. Such devices, used for creating
  Wi-Fi hotspots (ad hoc networks) through the wireless adapter,
  enable both the real device for the true wireless connection and
  the "Microsoft Virtual Wi-Fi Miniport Adapter" for the ad hoc
  connections, using the same MAC address. This causes Vulnerability
  Protection Agent on such laptops to request an interface update on
  every heartbeat. [17502]

- The following system event log appears when you install
  Vulnerability Protection Agent on Windows Vista, Windows 2008, or
  Windows 7:

  "The Trend Micro Vulnerability Protection Agent service is marked
  as an interactive service. However, the system is configured to not
  allow interactive services. This service may not function
  properly."

  This is a normal warning on Windows Vista or later. On these
  platforms, Windows does not allow services to interact with the
  user's desktop, so the operating system displays the warning when
  Vulnerability Protection Agent tries to use interactive services.
  Vulnerability Protection Agent uses desktop interaction only to
  display the restart notice on pre-Vista versions of Windows. The
  warning can be safely ignored.
- On Windows Vista and later, you may sometimes encounter problems
  while upgrading the Vulnerability Protection Agent. The problem is
  related to the timing of the VC RTL assemblies being published to
  WinSxS; it only seems to cause trouble on Vista or later, and only
  if the version of the RTL has not changed. The problem is caused by
  corrupted Windows components. As a workaround, you can either run
  the Windows System File Checker (sfc.exe) to repair the operating
  system, or install the Microsoft Visual C++ Redistributable Package
  from the following URL before restarting the upgrade procedure:

  http://www.microsoft.com/download/en/details.aspx?id=26347

  After installing the package from Microsoft, restart the computer,
  or the upgrade may still be unsuccessful. To recover from this, you
  can install the package, re-run the installer, and restart the
  computer. [Vulnerability Protection 8.0-01044]

- Intrusion Prevention (DPI) is not supported over SSL connections
  when using IPv6.

- On Windows XP, you may encounter the following message if you
  attempt to uninstall the Vulnerability Protection Agent through the
  "Add/Remove Programs" page while the agent's "Self-Protection"
  function is enabled:

  "Fatal Error During Installation."

  This message comes from Windows and indicates that the uninstall
  did not proceed because self-protection is enabled. It is not a
  Vulnerability Protection error.

- If network connectivity is lost for an extended period of time
  during a Vulnerability Protection Agent upgrade, you may need to
  restart the host machine.

- NDIS drivers may stop responding during Vulnerability Protection
  Agent installation or uninstallation if they do not properly free
  packets when requested to unbind. The Vulnerability Protection
  Agent NDIS 5.1 and NDIS 6.0 drivers free all packets correctly
  before upgrading or uninstalling.
  However, when installing or uninstalling NDIS drivers, Microsoft
  requires that all NDIS drivers be unbound and then rebound. This
  means that if other third-party NDIS drivers do not properly free
  packets, it is still possible for the Vulnerability Protection
  Agent install, upgrade, or uninstall process to stop responding.
  This is beyond Trend Micro's control and happens rarely. If it does
  occur, restart the computer and try to install, uninstall, or
  upgrade Vulnerability Protection Agent again.

- Vulnerability Protection Agent might not install properly on
  endpoints that did not restart after installing Windows updates. To
  resolve this issue, restart the system and repeat the agent
  installation process.

7. Release History
========================================================================
For more information about updates to this product, go to:
http://www.trendmicro.com/download

Previous releases include the following:
- Vulnerability Protection Manager 2.0 Service Pack 2 Patch 7
  (Build 2.0.8450), July 11, 2019
- Vulnerability Protection Manager 2.0 Service Pack 2 Patch 6
  (Build 2.0.8434), October 9, 2018
- Vulnerability Protection Manager 2.0 Service Pack 2 Patch 5
  (Build 2.0.8424), March 22, 2018
- Vulnerability Protection Manager 2.0 Service Pack 2 Patch 4
  (Build 2.0.8367), September 8, 2017
- Vulnerability Protection Manager 2.0 Service Pack 2 Patch 3
  Critical Patch 1 (Build 2.0.8346), June 30, 2017
- Vulnerability Protection Manager 2.0 Service Pack 2 Patch 3
  (Build 2.0.8324), February 24, 2017
- Vulnerability Protection Manager 2.0 Service Pack 2 Patch 2
  (Build 2.0.8306), September 12, 2016
- Vulnerability Protection Manager 2.0 Service Pack 2 Patch 1
  Critical Patch 1 (Build 2.0.8215), June 24, 2016
- Vulnerability Protection Manager 2.0 Service Pack 2 Patch 1
  (Build 2.0.8206), May 6, 2016
- Vulnerability Protection Manager 2.0 Service Pack 2
  (Build 2.0.8171), September 1, 2015
- Vulnerability Protection Manager 2.0 Service Pack 1
  (Build 2.0.4618), December 30, 2014
- Vulnerability Protection Manager 2.0 (Build 2.0.1590),
  April 29, 2014

7.1 Vulnerability Protection Manager 2.0.1590
=====================================================================

7.1.1 Enhancements
=====================================================================
Vulnerability Protection Manager 2.0.1590 adds the following
enhancements:
- Support for IPv6 Firewall
- A new user interface for the Vulnerability Protection management
  console, with improved workflow for Policy management
- Support for embedded SQL Express, with an option for customers to
  select a remote database

7.2 Vulnerability Protection Manager 2.0.4618
=====================================================================

7.2.1 Enhancements
=====================================================================
Vulnerability Protection Manager 2.0.4618 adds the following
enhancements:

Smarter, Lightweight Agent
- Lightweight installer
- Selective deployment of Protection Modules to Agents based on
  Security Policy requirements, resulting in a smaller Agent
  footprint

Trend Micro Control Manager(TM) Enhancements
- More dashboard widgets with drill-down capability
- Full events
  - Intrusion Prevention
  - User information
  - License deployment

Improvements to Software Update
- Addition of the Vulnerability Protection Relay for Modules
  deployment

Improvements to Management
- Multi-node support to allow easy management of a large number of
  endpoints

Improvements to Recommendation Scan Performance
- Recommendation Scan now runs up to four times faster than in the
  previous release

7.2.2 Resolved Known Issues
=====================================================================
Vulnerability Protection Manager 2.0.4618 resolves the following
issue:

In the Manager console, endpoints running Windows 2012 R2 and
Windows 8.1 are incorrectly labelled. The Manager console displays
the platforms as Windows 2012 and Windows 8, respectively.
7.3 Vulnerability Protection Manager 2.0.8171
=====================================================================

7.3.1 Enhancements
=====================================================================
Vulnerability Protection 2.0 Service Pack 2 provides the following
improvements:
- A new Cancel option during a Recommendation Scan
- Addition of Reconnaissance Scans in the Firewall module
- Enhancements when viewing Windows Active Directory (AD) sub-domains
  using a role granted with a domain after synchronization
- Trend Micro OfficeScan(TM) Agent tree synchronization
- The Recommendation Scan default CPU usage is now set to Medium
- Support for Windows Action Center
- Microsoft SQL Server(TM) Express 2012 Service Pack 2 is the built-in
  SQL package

Important: If you plan to install Vulnerability Protection Manager
with the built-in SQL package, only the following operating systems
are supported:
- Windows Server 2012 R2 (64-bit)
- Windows Server 2012 (64-bit)
- Windows Server(TM) 2008 R2 with Service Pack 1 (64-bit)

This constraint follows from Microsoft's platform requirements for
SQL Server Express 2012 Service Pack 2. For a complete list of the
system requirements, refer to the Vulnerability Protection 2.0
Service Pack 2 Installation Guide.

7.4 Vulnerability Protection Manager 2.0.8206
=====================================================================

7.4.1 Enhancements
=====================================================================
Vulnerability Protection Manager 2.0.8206 adds the following
enhancements:

Enhancement 1: This patch allows users to configure Vulnerability
Protection Manager to identify and synchronize OfficeScan endpoints
using IP addresses and to display each endpoint's hostname next to
the IP address.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Procedure 1: To configure this setting:
a. Install this patch (see "Installation").
b. Go to the "Computers" page of the Vulnerability Protection
   console.
c. Add a synchronization for OfficeScan endpoints. Refer to the
   Vulnerability Protection Administrator's Guide.
d. On the "Computers" page, right-click the OfficeScan server and
   click "Properties > Settings".
e. Enable the "Use IP address to identify synchronized endpoints."
   check box and save the changes.

NOTE: This setting takes effect after the next scheduled
synchronization with the OfficeScan server, which runs every 10
minutes by default. To synchronize with OfficeScan endpoints by IP
address immediately, click "Synchronize Now" on the OfficeScan server
properties page.

Enhancement 2: [TT331848] Vulnerability Protection Agent has been
enhanced to log "Agent Self-Protection Enabled" or "Agent
Self-Protection Disabled" events under System Events when the Agent
Self-Protection settings are modified in the Vulnerability Protection
Manager console (in the "Computer > Settings > Agent Self-Protection"
section) or using the dsa_control command-line utility.

7.4.2 Resolved Known Issues
=====================================================================
Vulnerability Protection Manager 2.0.8206 resolves the following
issues:

Issue 1: [TT331006] If the heartbeat communication is set as
agent-initiated and users upgrade the Vulnerability Protection Agent
from version 2.0 GM build to version 2.0 Service Pack 2, the Agent is
updated successfully but the security feature is not updated. This
happens because the security feature updates cannot be downloaded
properly.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 1: This patch ensures that the security feature updates are
downloaded and applied successfully after the upgrade.

Issue 2: [TT331006] After users install Vulnerability Protection
Manager 2.0 Service Pack 2 and set the "CPU Usage During
Recommendation Scans" setting on the "Administration > System
Settings > Advanced" page to "Medium (75%)", the setting
automatically switches to 50% after the Vulnerability Protection
Manager restarts.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 2: This patch ensures that the "CPU Usage During
Recommendation Scans" setting does not change unexpectedly after the
Vulnerability Protection Manager restarts.

Issue 3: [TT334724] When Vulnerability Protection Manager
synchronizes an OfficeScan endpoint tree and the domain name of the
OfficeScan endpoint tree contains double-byte characters (Japanese or
Chinese), Vulnerability Protection Manager may not be able to display
the domain name properly.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 3: This patch ensures that Vulnerability Protection Manager
can display the domain name of synchronized OfficeScan endpoint trees
properly.

Issue 4: [TT340545] If users assign the default policy "Windows
Mobile Laptop" to agents, the network connection of some agents may
be blocked and these agents will not be able to connect to
Vulnerability Protection Manager, because the "Interface Isolation"
setting is enabled by default for this policy.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 4: This patch disables the "Interface Isolation" setting for
the "Windows Mobile Laptop" policy by default.

Issue 5: [TT343004, TT343188] The OfficeScan server may fail to send
endpoint information to VPM. When endpoint synchronization is turned
on and the administrator enables the setting to automatically delete
OfficeScan endpoints and groups, all OfficeScan endpoints and groups
are removed from the VPM web console.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 5: This patch ensures that OfficeScan endpoint and group
information is not removed, and generates a synchronization failure
event log if the OfficeScan server is unable to send endpoint
information to VPM.

Issue 6: If an Event-Based Task is configured for "Agent-Initiated
Activation" with "Assign Policy", the policy is not assigned when the
event is triggered and the system becomes unresponsive.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 6: This patch release resolves this issue.

7.5 Vulnerability Protection Manager 2.0.8215
=====================================================================

7.5.1 Enhancements
=====================================================================
Vulnerability Protection Manager 2.0.8215 adds the following
enhancement:

Enhancement: This critical patch adds two new widgets for tracking
ransomware caught by Vulnerability Protection. The Ransomware Status
widget gives the total number of ransomware events caught by
Vulnerability Protection within a selected timeframe. The Ransomware
Status (Computers) widget shows the number of computers where
ransomware events have been detected within the selected timeframe.
These two new widgets can be added to your Vulnerability Protection
Dashboard by clicking the "Add/Remove Widgets" button and scrolling
to "Ransomware".

7.5.2 Resolved Known Issues
=====================================================================
Vulnerability Protection Manager 2.0.8215 resolves the following
issue:

Issue: [TT345836/DSSEG-265] When a network outage or interruption
occurs while a scheduled AD synchronization task is running, the
synchronization completes but some enlisted computers disappear from
the Vulnerability Protection Manager console.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution: This critical patch ensures that all registered computers
appear in the Vulnerability Protection Manager console after the AD
synchronization completes.
7.6 Vulnerability Protection Manager 2.0.8306
=====================================================================

7.6.1 Enhancements
=====================================================================
Vulnerability Protection Manager 2.0.8306 adds the following
enhancements:

Enhancement 1: AD User Account Information - This patch allows users
to search for and select specific AD user accounts to import using
the "Synchronize with directory" function. This patch also enables
users to assign different user roles to different AD user groups. If
an AD user belongs to multiple groups, users can also configure the
priority of each user group so that Vulnerability Protection Manager
maps the AD user to the role of the highest-priority group.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Procedure 1: To use the "Synchronize with directory" function with
this enhancement:
a. Install this patch.
b. Go to the "Administration > User Management > Users or Contacts"
   page of the Vulnerability Protection Manager console.
c. Click "Synchronize with Directory". The Synchronize with Directory
   wizard appears.
d. Select the appropriate access options and provide logon
   credentials, then click "Next".
e. On the "Select Groups to Synchronize" page, use the search bar to
   look for particular user groups in your directory, select the
   groups to synchronize with Vulnerability Protection Manager, then
   click "Next".
f. On the "Select Options for New Users/Contacts" page, select
   "Assign Vulnerability Protection Role to Users/Contacts based on
   their Directory Group membership", choose a default role, then
   click "Next".
g. Configure the appropriate settings for each user group:
   i.   Assign a role to each user group.
   ii.  Sync users or contacts for each user group.
   iii. Configure the priority of each user group.
   After synchronization, the wizard generates a report indicating
   the number of objects imported.
h. Click "Finish".
Enhancement 2: Reports - This patch adds the "IPS Rule Recommendation
Report". Based on recommendation scan results, this report shows how
many computers have been recommended a specific IPS rule and how many
of those computers have not yet been assigned the rule. The report
also provides a list of the recommended IPS rules for each computer.

Enhancement 3: Vulnerability Protection Agent Hostname -
Vulnerability Protection Manager displays each agent's hostname in
the management console and updates the hostname shown in the
computer's "Name" column based on the hostname that Vulnerability
Protection Manager resolved from the DNS server. This patch lets
users choose one of the following two ways to update the hostname
information:
- "Use hostname obtained from DNS server": Updates the hostname
  displayed in the computer's "Name" column based on the hostname
  that Vulnerability Protection Manager resolved from the DNS server.
- "Use hostname specified by the Agent": Updates the hostname
  displayed in the computer's "Name" column based on the hostname
  that the agent specified.

7.6.2 Resolved Known Issues
=====================================================================
Vulnerability Protection Manager 2.0.8306 resolves the following
issues:

Issue 1: If AD computers or Trend Micro OfficeScan(TM) computers have
been added and activated under the regular computer group, and users
then synchronize and import these computers into the AD connector
group or OSCE connector group using the "Add Directory" or "Add
OfficeScan Endpoints" functions and later activate the computers
under the AD connector group or OSCE connector group, users encounter
an "Activation Failed (Duplicate Computer)" message. This happens
because each of these computers already has an activated duplicate
entry under the regular computer group.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 1: This patch resolves the issue so that when users activate
an AD computer under the AD connector group or an OfficeScan computer
under the OfficeScan connector group, Vulnerability Protection
Manager can still activate the computer even when it finds a
duplicate entry under the regular computer group. In this case,
Vulnerability Protection Manager automatically removes the duplicate
entry from the regular computer group.

Issue 2: When users use the Vulnerability Protection deployment tool
to install the Vulnerability Protection Agent on an OfficeScan
computer with a fully qualified domain name (FQDN) hostname that has
been synced to Vulnerability Protection Manager, the FQDN hostname
appears activated under the regular computer group but not under the
OfficeScan connector group.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 2: This patch resolves the issue so that these agents appear
under the OfficeScan connector group only and do not generate
duplicate entries under the regular computer group.

NOTE: This solution requires users to upgrade the Vulnerability
Protection deployment tool to the version shipped with Vulnerability
Protection 2.0 Service Pack 2 Patch 2.

7.7 Vulnerability Protection Manager 2.0.8324
=====================================================================

7.7.1 Enhancements
=====================================================================
There are no enhancements for this release.

7.7.2 Resolved Known Issues
=====================================================================
Vulnerability Protection Manager 2.0.8324 resolves the following
issues:

Issue 1: [TT348366/DSSEG-527] When using Vulnerability Protection
Manager with Oracle Database 12c version 12.1.0.2.0 or higher, a
maintenance job would not complete successfully.
In the Vulnerability Protection Manager console, under
"Administration > System Information > System Details >
Optimizations > Maintenance Job Schedule", the "Last run" time would
display as "Never".
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 1: This patch upgrades the JDBC driver to version 12.1.0.2,
which improves database performance and resolves this issue.

Issue 2: [TT357087/DSSEG-597] As a vulnerability fix, the following
new log reasons have been added to the Vulnerability Protection Agent
code:

  log_reason_invalid_timestamp = 153,
  log_reason_syn_with_data = 154,
  log_reason_tcp_split_handshake = 155,
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 2: Vulnerability Protection Manager has been enhanced to log
these events properly.

Issue 3: [TT351655,TT356143/DSSEG-658] Vulnerability Protection
Manager (VPM) generates multiple "Contact by Unrecognized Client"
system event logs as a result of OfficeScan synchronization with VPM.
In some environments, OfficeScan synchronization removes the wrong
agents if the "Delete endpoints and groups when they are removed from
the OfficeScan server" setting is enabled. Because the Vulnerability
Protection Agent (VPA) is still installed on the removed agents
(which are managed by VPM), VPM generates a "Contact by Unrecognized
Client" system event log whenever these agents send heartbeat
messages to VPM.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 3: This patch corrects the logic used when OfficeScan
synchronization matches agents, so that the "Delete endpoints and
groups when they are removed from the OfficeScan server" option works
properly.

7.8 Vulnerability Protection Manager 2.0.8346
=====================================================================

7.8.1 Enhancements
=====================================================================
There are no enhancements for this release.
      7.8.2 Resolved Known Issues
      ===================================================================

      Vulnerability Protection Manager 2.0.8346 resolves the following
      issue:

      Issue: [DSSEG-1097]
        The Vulnerability Protection Manager was affected by one or more
        of the CVEs reported in the Oracle Critical Patch Update issued
        April 18, 2017 and by a vulnerability related to CVE-2014-3490.
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        Solution: This hotfix upgrades the Java Runtime Environment
        (JRE) used in the Vulnerability Protection Manager to the
        version released for the above-mentioned Critical Patch Update
        (Java 8 u131). This hotfix also resolves the vulnerability
        related to CVE-2014-3490.

   7.9 Vulnerability Protection Manager 2.0.8367
   =====================================================================

      7.9.1 Enhancements
      ===================================================================

      Vulnerability Protection Manager 2.0.8367 adds the following
      enhancements:

      Enhancement 1:
        This patch enhances the recommendation scan performance.
        Recommendation scans now run significantly faster than in the
        previous release.

      Enhancement 2: [DSSEG-873/SEG-3838]
        By default, Vulnerability Protection agents send Ping requests
        to a domain controller (DC) every 10 seconds for the Contexts
        function. This patch allows users to configure agents not to
        send Ping requests to domain controllers if the Contexts
        function is not used.
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        Procedure 2: To set the agents not to send Ping requests to
        domain controllers:
        a. Install this patch.
        b. Go to the "Administration > System Settings > Contexts" page
           on the Vulnerability Protection Manager console.
        c. Select "Never" for the "Test Interval" setting and click
           "Save".
        d. Perform the "Send Policy" action for the Vulnerability
           Protection agents.

        NOTE: This enhancement also requires users to upgrade
        Vulnerability Protection agents to version 2.0 SP2 Patch 4
        Build 2.0.3.8065 or later for the changes to take effect.

      Enhancement 3: [FB30197]
        By default, the Vulnerability Protection Manager console uses
        the TLSv1, TLSv1.1, and TLSv1.2 protocols to communicate through
        port 4119. This patch enhances the Vulnerability Protection
        Manager's capability to allow configuration of the supported
        protocols by adding the protocol parameters to the
        configuration.properties file.

        ***IMPORTANT***
        By default, Vulnerability Protection Agents use TLSv1 to
        communicate with Vulnerability Protection Manager, and you
        cannot change the communication protocol. If you change the
        settings in the following procedure, you must include TLSv1
        along with the other protocols to keep agent-manager
        communication enabled. Refer to step c) for an example.
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        Procedure 3: To change this setting:
        a. Stop the Vulnerability Protection Manager service.
        b. Open the configuration.properties file under
           C:\ProgramFiles\TrendMicro\Vulnerability Protection Manager
        c. Add the following entry at the end of the file and save the
           file:
             protocols=TLSv1,TLSv1.2
           NOTE: You can define more than one protocol by separating
           them with commas, for example:
             protocols=TLSv1,TLSv1.1,TLSv1.2
        d. Start the Vulnerability Protection Manager service.
        e. Use the OpenSSL s_client command to verify the protocol on
           the Vulnerability Protection Manager web console on port
           4119 as follows:
             OpenSSL> s_client -connect Vulnerability_Protection_Manager_IP_Address:4119
           Under the SSL-Session section, verify that Protocol is
           TLSv1.2 or the one you defined in the
           configuration.properties file.

      Enhancement 4:
        This patch changes the SQL database lock behavior to prevent
        database deadlocks.
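        As an added example (not Trend Micro's code), the following
        Python script checks the "protocols" entry from Procedure 3 the
        way an administrator would before restarting the service: it
        parses configuration.properties, flags a list that omits TLSv1
        (which the IMPORTANT note says agents require) or contains a
        name that is not one of the three the release notes list, and
        can then connect to port 4119 to report the negotiated
        protocol, as the openssl s_client step does. The host name and
        the sample file contents are constructed placeholders.

```python
import socket
import ssl

# Protocol names the release notes list for the manager console (JSSE names).
KNOWN_PROTOCOLS = ("TLSv1", "TLSv1.1", "TLSv1.2")
AGENT_PROTOCOL = "TLSv1"  # agents are fixed to TLSv1 and cannot be changed


def parse_protocols(properties_text):
    """Return the 'protocols' list from configuration.properties text,
    or None if the entry is absent (manager keeps its default set)."""
    value = None
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):   # .properties comments
            continue
        key, sep, val = line.partition("=")
        if sep and key.strip() == "protocols":
            # Entries are comma-separated; a later duplicate key wins.
            value = [p.strip() for p in val.split(",") if p.strip()]
    return value


def check_protocols(protocols):
    """List problems with a parsed protocol list: names outside the
    documented set, and the omission of TLSv1, which the release notes
    say breaks agent-manager communication."""
    if protocols is None:
        return []                       # default configuration, nothing to check
    problems = ["unknown protocol name: " + p
                for p in protocols if p not in KNOWN_PROTOCOLS]
    if AGENT_PROTOCOL not in protocols:
        problems.append(AGENT_PROTOCOL + " missing: agents cannot connect")
    return problems


def negotiated_protocol(host, port=4119, timeout=5):
    """Connect like 'openssl s_client -connect host:4119' and return the
    protocol the manager negotiated (e.g. 'TLSv1.2') or the error text."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # only the protocol is of interest here
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version()
    except (OSError, ssl.SSLError) as exc:
        return "handshake failed: %s" % exc


if __name__ == "__main__":
    # Constructed sample of the entry Procedure 3 adds to the file.
    sample = "# manager settings\nprotocols=TLSv1.2\n"
    print(check_protocols(parse_protocols(sample)))   # TLSv1 missing
    # print(negotiated_protocol("vpm.example.internal"))  # live check, hypothetical host
```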
      7.9.2 Resolved Known Issues
      ===================================================================

      Vulnerability Protection Manager 2.0.8367 resolves the following
      issue:

      Issue: [VP-552/SEG-4840]
        If the "Enable regular synchronization with the OfficeScan
        server" setting is disabled, the scheduled task for OfficeScan
        synchronization is not executed and does not synchronize with
        the OfficeScan server.
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        Solution: This patch separates the OfficeScan synchronization
        scheduled task from the "Enable regular synchronization with
        the OfficeScan server" setting, so that the scheduled task for
        OfficeScan synchronization is still executed even if the
        "Enable regular synchronization with the OfficeScan server"
        setting is disabled.

   7.10 Vulnerability Protection Manager 2.0.8424
   =====================================================================

      7.10.1 Enhancements
      ===================================================================

      Vulnerability Protection Manager 2.0.8424 adds the following
      enhancement:

      Enhancement: [VP-616]
        This patch enables the OfficeScan endpoint tree synchronization
        process in OfficeScan XG Service Pack 1.

      7.10.2 Resolved Known Issues
      ===================================================================

      Vulnerability Protection Manager 2.0.8424 resolves the following
      issues:

      Issue 1: [DSSEG-911/SEG-4359]
        In previous releases, the default value for the "Automatically
        delete System Events older than:" setting in "Administration >
        System Settings > Storage" is "Never". If this default setting
        is not changed, the Vulnerability Protection Manager
        SystemEvents table can grow too large because old event logs
        are never deleted.
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        Solution 1: Starting with this release, the default setting for
        "Automatically delete System Events older than" is "53 Weeks".

        NOTE: This fix only takes effect in a fresh install of
        Vulnerability Protection Manager.
      Issue 2: [DSSEG-1358]
        In previous releases, the default connection pool configuration
        setting may cause Vulnerability Protection Manager to open and
        close database connections frequently, leading to unnecessary
        security alerts.
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        Solution 2: The default configuration has been changed to reduce
        the number of database connections being recreated.

      Issue 3: [DSSEG-1466]
        When the Vulnerability Protection Manager database name contains
        non-alphabetic characters, the
        "database.SqlServer.useReadCommittedSnapshot=true" setting does
        not work properly.
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        Solution 3: This issue is fixed in this release.

      Issue 4: [DSSEG-1690/SEG-18498]
        The "User Password Expires Soon" alert may not display even when
        the password expiry setting is enabled and one or more users
        have passwords that are about to expire in seven days.
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        Solution 4: This issue is fixed in this release.

      Issue 5: [DSSEG-1752/SEG-17876]
        The "Intrusion Prevention Rule Compilation Failed" event appears
        when the Vulnerability Protection Agent is unable to compile
        intrusion prevention rules. In previous releases, the warning
        message was not dismissed automatically when the agent
        successfully compiled the rules in a subsequent attempt.
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        Solution 5: This issue is fixed in this release so that the
        warning message is dismissed automatically.

      Issue 6: [DSSEG-1540/SEG-15172]
        In Event-Based Tasks, adding an asterisk "*" character to the
        beginning of a regular expression to match ALL parent folders
        does not work properly.
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        Solution 6: This issue is fixed in this release.

      Issue 7: [VP-636/SEG-14974]
        Duplicate computers sometimes appeared under the same AD. The
        duplicate entries cannot be deleted after an AD synchronization.
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        Solution 7: This issue is fixed in this release.

      Issue 8: [VP-644/SEG-10032]
        Vulnerability Protection Manager may experience high memory
        usage when performing recommendation scans on endpoints with an
        excessive number of software applications installed.
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        Solution 8: This issue is fixed in this release.

   7.11 Vulnerability Protection Manager 2.0.8434
   =====================================================================

      7.11.1 Enhancements
      ===================================================================

      Vulnerability Protection Manager 2.0 Service Pack 2 Patch 6 adds
      the following enhancements:

      Enhancement 1: [DSSEG-1839/SEG-19575]
        A new password rule has been added for Vulnerability Protection
        Manager users. This rule checks that passwords do not match a
        username or a username spelled backwards (not case sensitive).

      Enhancement 2: [DSSEG-2195/SEG-23903/746940]
        The versions of Java JRE used in Vulnerability Protection
        Manager have been upgraded to Java 8 u172.

      7.11.2 Resolved Known Issues
      ===================================================================

      Vulnerability Protection Manager 2.0 Service Pack 2 Patch 6
      resolves the following issues:

      Issue 1: [SEG-25636/VP-655]
        If an Intrusion Prevention (IPS) event without the Application
        Type information occurs, Vulnerability Protection Manager (VPM)
        stops sending IPS event logs to the Control Manager server.
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        Solution 1: This issue is fixed in this release.

      Issue 2: [DSSEG-2560/VP-660]
        If a firewall rule is created to block Address Resolution
        Protocol (ARP) traffic, an "Agent offline" message is generated
        in Vulnerability Protection Manager. This issue occurs when the
        required traffic (DNS or DHCP) is blocked even though ARP
        traffic is passed through the network engine.
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        Solution 2: This release resolves this issue by adding "Force
        Allow" firewall rules for ARP. Additionally, you can control
        whether to "force allow" DNS, DHCP, and ICMP packet fragments
        using the new "Force Allow DHCP DNS" and "Force Allow ICMP type3
        code4" settings. To find these settings, open the Policy editor
        or the Computer editor in Vulnerability Protection Manager and
        click "Settings > Advanced". You may also consider disabling
        DNS, DHCP, and ICMP if security concerns outweigh "Agent
        offline" messages.

      Issue 3: [DSSEG-1820/SEG-20095]
        When the regular expression used for an event-based task
        contains a negation (for example, do not activate a computer
        whose name begins with a particular string), the system
        displays unexpected match results.
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        Solution 3: This issue is fixed in this release.

      Issue 4: [VP-662/SEG-34426]
        The numbers displayed in the Reconnaissance section of an Attack
        Report are incorrect.
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        Solution 4: This issue is fixed in this release.

      Issue 5: [VP-656/SEG-28457]
        When agent self-protection is enabled in a policy and the policy
        is duplicated, the duplicate copy of the policy does not include
        the correct self-protection password.
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        Solution 5: This issue is fixed in this release. A duplicate
        policy includes the agent self-protection password if the
        password is specified in the original policy.

   7.12 Vulnerability Protection Manager 2.0.8450
   =====================================================================

      7.12.1 Enhancements
      ===================================================================

      Vulnerability Protection Manager 2.0 Service Pack 2 Patch 7 adds
      the following enhancements:

      Enhancement 1: [DSSEG-2785]
        The version of Apache Tomcat used in Vulnerability Protection
        Manager has been upgraded to 8.5.34.
      Enhancement 2: [DSSEG-3202/VP-667]
        Oracle JRE 8u181 has been replaced with Azul Zulu OpenJDK 8u192.

      7.12.2 Resolved Known Issues
      ===================================================================

      Vulnerability Protection Manager 2.0 Service Pack 2 Patch 7
      resolves the following issues:

      Issue 1: [DSSEG-2814]
        Beginning with JDK version 8u181, the JVM enforces endpoint
        identification for LDAPS connections by default. The JVM
        verifies the server address of an AD connector against the
        server certificate Common Name (or subjectAltName, if it
        exists). As a result, if the existing AD connector uses a server
        address that does not match the certificate CN (or
        subjectAltName), the connector cannot synchronize successfully.
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        Solution 1: This issue has been fixed in this release. When
        performing a fresh install, endpoint identification is enabled.
        When performing an upgrade, if Vulnerability Protection Manager
        has an existing Active Directory connector (for either a
        computer or a user) that connects using LDAPS, endpoint
        identification is disabled. If no AD connector is found,
        endpoint identification is enabled by default.

      Issue 2: [VP-663]
        Installing Vulnerability Protection Manager with embedded
        Microsoft SQL Server Express on Windows Server 2016 platforms
        may be unsuccessful. The installation process did not include a
        specific check condition for Windows Server 2016.
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        Solution 2: This issue has been fixed in this release. In
        addition, the embedded SQL Express version has been replaced
        with SQL Server 2012 SP4 Express.

      Issue 3: [VP-675/SEG-53377]
        If a new user signs into the Vulnerability Protection Manager
        web console, the Dashboard may be unable to load properly.
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        Solution 3: This issue has been fixed in this release.
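        To see why an AD connector can stop synchronizing after the JDK
        change described in Issue 1 of section 7.12.2, here is an added
        Python example (not part of the product) that applies the same
        endpoint identification rule to a connector's server address and
        a certificate given in the dict layout returned by
        ssl.SSLSocket.getpeercert(). The certificate values and the
        10.0.0.5 address are constructed. It approximates the JDK check
        (DNS SANs first, CN only as a fallback, IP literals against IP
        Address SANs) and also handles wildcard names, which the release
        note does not mention.

```python
import ipaddress


def _dns_name_match(pattern, hostname):
    """Match one certificate DNS name against a host name, case-insensitively.
    A leftmost '*' label matches exactly one label, never several."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def endpoint_identification_passes(server_address, peercert):
    """Return (ok, reason) for the endpoint identification check of Issue 1.

    peercert uses the dict layout of ssl.SSLSocket.getpeercert():
    'subjectAltName' is a tuple of (type, value) pairs, 'subject' a tuple
    of RDNs. An IP-literal address must appear as an 'IP Address' SAN; a
    host name is checked against 'DNS' SANs, and the subject CN is used
    only when the certificate carries no DNS SAN at all."""
    san = peercert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(server_address)
    except ValueError:
        ip = None                      # not an IP literal, treat as host name
    if ip is not None:
        for kind, value in san:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True, "matched IP Address SAN %s" % value
        return False, "%s is not listed as an IP Address SAN" % server_address
    dns_names = [v for k, v in san if k == "DNS"]
    if dns_names:
        for name in dns_names:
            if _dns_name_match(name, server_address):
                return True, "matched DNS SAN %s" % name
        return False, "%s matches none of the DNS SANs %s" % (server_address, dns_names)
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                if _dns_name_match(value, server_address):
                    return True, "matched CN %s (no DNS SAN present)" % value
                return False, "CN %s does not match %s" % (value, server_address)
    return False, "certificate carries neither a DNS SAN nor a CN"


if __name__ == "__main__":
    # Constructed domain controller certificate: one DNS SAN, no IP SAN.
    dc_cert = {"subject": ((("commonName", "dc01.corp.example.local"),),),
               "subjectAltName": (("DNS", "dc01.corp.example.local"),)}
    # A connector configured by IP address is the failure mode from Issue 1.
    for address in ("dc01.corp.example.local", "10.0.0.5", "dc01"):
        print(address, endpoint_identification_passes(address, dc_cert))
```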
8. Files Included in This Release
========================================================================

   This release is a complete installation. Use the following file to
   install this release:

   - 64-bit all-in-one with agent and SQL Express:
     VP-Windows-2.0.8451.x64-sqlexp.exe

9. Contact Information
========================================================================

   A license to Trend Micro software usually includes the right to
   product updates, pattern file updates, and basic technical support
   for one (1) year from the date of purchase only. After the first
   year, you must renew Maintenance on an annual basis at Trend Micro's
   then-current Maintenance fees.

   Contact Trend Micro via fax, phone, or email, or visit our website
   to download evaluation copies of Trend Micro products.

   http://www.trendmicro.com/us/about-us/contact/index.html

   NOTE: This information is subject to change without notice.

10. About Trend Micro
========================================================================

   Smart, simple, security that fits

   As a global leader in IT security, Trend Micro develops innovative
   security solutions that make the world safe for businesses and
   consumers to exchange digital information.

   Copyright 2019, Trend Micro Incorporated. All rights reserved.
   Trend Micro, OfficeScan, Control Manager, and the t-ball logo are
   trademarks of Trend Micro Incorporated and are registered in some
   jurisdictions. All other marks are the trademarks or registered
   trademarks of their respective companies.

11. License Agreement
========================================================================

   View information about your license agreement with Trend Micro at:
   http://www.trendmicro.com/us/about-us/legal-policies/license-agreements/

   Third-party licensing agreements can be viewed:
   - By selecting the "About" option in the application user interface
   - By referring to the "Legal" page of the Administrator's Guide

12. Third-Party Software
========================================================================

   Vulnerability Protection employs the use of 3rd party binary
   distributions. The binary distributions are subject to the licenses
   available in the following directory:

   [Install Directory]\licenses

   Where 3rd party licenses require open access to their source code,
   Trend Micro will provide the necessary materials upon written
   request.

========================================================================
(C) 2019 Trend Micro Incorporated. All rights reserved.