<<USE COURIER REGULAR 10 FONT IF YOU WOULD LIKE TO PRINT THIS DOCUMENT>>

  Trend Micro Incorporated                             November 16, 2020

  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Trend Micro(TM) ScanMail(TM) for Microsoft(TM) Exchange(TM) 14
                           Patch 4 Build 3080
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTICE: This Readme file was current as of the date above. However,
            all customers are advised to check Trend Micro's website for
            documentation updates.

            GM release documentation:
            http://docs.trendmicro.com

            Patch/Service Pack release documentation:
            http://www.trendmicro.com/download


    TIP:    Register online with Trend Micro within 30 days of
            installation to continue downloading new pattern files and
            product updates from the Trend Micro website. Register
            during installation or online at:

            https://clp.trendmicro.com/FullRegistration?T=TM


     Contents
     ==========================================================

     1.  About ScanMail (for Microsoft Exchange)

         1.1 Overview of This Release

         1.2 Who Should Install This Release

     2.  What's New

         2.1 Enhancements

         2.2 Resolved Known Issues

     3.  Documentation Set

     4.  System Requirements

     5.  Installation

         5.1 Installing

         5.2 Uninstalling

     6.  Post-Installation Configuration

     7.  Known Issues

     8.  Release History

     9.  Files Included in This Release

     10. Contact Information

     11. About Trend Micro

     12. License Agreement

     ==========================================================


  1. About ScanMail (for Microsoft Exchange)
  ======================================================================
     ScanMail protects Exchange Server 2019, Exchange Server 2016, and
     Exchange Server 2013. Use the ScanMail installation program to
     quickly install ScanMail to one or more, local or remote, Exchange
     servers. Once installed, ScanMail can protect your servers in real
     time against viruses/malware, Trojans, worms, and spyware/grayware.
     ScanMail sustains business and network integrity by screening out
     spam messages and messages containing undesirable or unwanted
     content. ScanMail monitors and protects sensitive information that
     is traveling across your network.


     1.1 Overview of This Release
     ===================================================================
     ScanMail (for Microsoft Exchange) 14 Patch 4 consolidates all
     solutions to issues resolved after the release of ScanMail for
     Microsoft Exchange 14 build.


     1.2 Who Should Install This Release
     ===================================================================
     You should install this Patch if you are currently running
     ScanMail (for Microsoft Exchange) 14 build.


  2. What's New
  ======================================================================
     NOTE: Please install the Patch before completing any procedures in
           this section (see "Installation").


     This patch addresses the following issues and includes the
     following enhancements:

     2.1 Enhancements
     ===================================================================
     The following enhancements are included in this release:

     Enhancement 1: [SEG-79499] [Hotfix 3033]
                    cmdlets - This patch provides the following two 
                    options to remove the "Organization Management" 
                    requirement. Each option has different privilege 
                    requirements.
                                        
                    Option 1: Add the "EWSLocalCall" hidden key, set the 
                    value to "0", then use Remote Runspace to run 
                    Exchange cmdlets. 
                                         
                    Option 2: If the "EWSLocalCall" hidden key does not
                    exist or is set to "1", ScanMail uses the Local
                    Runspace to run Exchange cmdlets.
                    
                    NOTE: Enable this enhancement only when ScanMail
                    services are run using a Windows account and the
                    user does not want to grant Organization Management
                    rights to the Windows account. It is not necessary
                    to enable this enhancement if the ScanMail service
                    runs as Local System since "Organization Management"
                    is not a requirement for Local System.
                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Procedure 1:   To set the option and the corresponding privileges
                    for the Service Account in both options:
                    
                    1. Install this patch (see "Installation").

                    2. Open the Registry Editor.

                    3. Add the following key and set the preferred
                       value:
                    * Key: HKLM\SOFTWARE\TrendMicro\ScanMail for
                      Exchange\CurrentVersion
                    * Value: EWSLocalCall
                    * Type: REG_DWORD
                    * Data value:
                      - "1" = ScanMail runs cmdlets in a Local Runspace
                        (default value)
                      - "0" = ScanMail runs cmdlets in a Remote Runspace
                    
                                        
                    4. Select and perform the preferred option below.
                    * To use the Remote Runspace to run Exchange
                      cmdlets, grant the ScanMail account the following
                      privileges:
                      - Domain User
                      - Local Administrators
                      - Exchange ApplicationImpersonation role
                      - View-only Organization Management group
                      - Read All Properties and List content permissions

                    * To grant Read All Properties and List content
                      permissions, run the following command in the
                      Exchange Management Shell:

                    Get-OrganizationConfig | Add-ADPermission -User
                    <ServiceAccount> -AccessRights
                    "ListChildren, ReadProperty"

                    * To use the Search & Destroy feature to run
                      Exchange cmdlets, grant the ScanMail account the
                      Organization Client Access role in addition to
                      the five privileges listed in the first option
                      above. For other privileges required to run
                      Search & Destroy, refer to the ScanMail
                      "Administrator's Guide".

                    * To use the Local Runspace to run Exchange
                      cmdlets, grant the ScanMail service account the
                      ms-Exch-Store-Admin right in addition to the six
                      rights specified in the previous options. To do
                      this, run the following command in the Exchange
                      Management Shell:

                    Get-MailboxDatabase | Add-ADPermission -User
                    <ServiceAccount> -ExtendedRights ms-Exch-Store-Admin
                                        
                    5. Restart ScanMail services.
                   
     Enhancement 2: Quarantine Logs – This patch adds some columns to
                    the quarantine logs that are sent to CAS.

     Enhancement 3: [SEG-82956] [Hotfix 3049]
                    Event Log Notifications – This patch enables
                    ScanMail to send Windows event log notifications
                    when it fails to scan multiple email messages.


    Enhancement 4:  [SEG-86591] [Hotfix 3052]
                    Quarantine Maintenance - This patch provides an 
                    option for users to configure ScanMail to run 
                    "Quarantine Maintenance" based on the creation time 
                    of quarantined files.
                                        
                    NOTE: This enhancement works only when "All
                    quarantined files" is specified under the "Files to
                    Delete" field in both the "Manual" and "Automatic"
                    Quarantine Maintenance settings.
                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Procedure 4:    To configure this feature:

                    1. Install this patch (see "Installation").
                                        
                    2. Open the Registry Editor.
                                        
                    3. Locate the following key and set the preferred
                       value:

                    Path: HKLM\SOFTWARE\TrendMicro\ScanMail for
                    Exchange\CurrentVersion
                    Key: EnableQMBasedOnFileTime
                    Type: REG_DWORD
                    Data value:
                    "1" = ScanMail runs "Quarantine Maintenance" based
                    on creation time of quarantined files (default
                    behavior after this Hotfix is installed)
                    "0" = disables the feature
                                        
                    4. Restart the ScanMail service.

    Enhancement 5:  [SEG-91957]
                    Macro Files - This patch enables users to configure
                    whether ScanMail takes action on Macro files based 
                    on the email direction.

   
    Enhancement 6:  [SEG-92586]
                    Engine Updates - This patch provides a way for users
                    to configure which types of engines ScanMail should
                    not download from Trend Micro Apex Central(TM).
                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Procedure 6:    To configure this feature:

                    1. Install this patch (see "Installation").
                                        
                    2. Open the Registry Editor.

                    3. Locate the following keys and set the preferred 
                       values: 

                    * Path: HKLM\SOFTWARE\TrendMicro\ScanMail for
                      Exchange\CurrentVersion
                    * Key: EngineTypesNotUpdateFromCM
                    * Type: REG_SZ
                    * Data values: "1" = VSAPI engine
                                   "2" = TMASE engine
                                   "3" = TMUFE engine
                                   "4" = ATSE engine
                                   "5" = TRXHANDLER engine

                    NOTE: For multiple values, separate each value using
                    a semicolon ";". If "UnsupportMessageTypesSendToCM"
                    does not exist, it will be set to "3;5".
                    If "UnsupportMessageTypesSendToCM" is empty, all
                    engines for ScanMail can be downloaded from the Apex
                    Central server.

                    4. Restart the ScanMail service.


     2.2 Resolved Known Issues
     ===================================================================
     This release resolves the following issues:

     Issue 1:     [SEG-75155][Hotfix 3034]
                  The Data Loss Prevention(TM) (DLP) File Attribute may 
                  not work correctly when "EmMaxDecompressLayerCount=0".
                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Solution 1:  This patch upgrades eManager to version 7.6.0.1288 
                  to ensure that the DLP File Attribute works normally 
                  when "EmMaxDecompressLayerCount=0".

     Issue 2:     [SEG-78381][Hotfix 3037]
                  An issue related to the "util_Cache.h" file triggers
                  an "Access Violation" error which causes ScanMail to
                  stop unexpectedly when it calls the "SetData"
                  function.
                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Solution 2:  This patch resolves this issue.

     Issue 3:     [SEG-75109][Hotfix 3038]
                  When configuration replication runs while Virtual
                  Analyzer is running on the target machine, ScanMail
                  unregisters from and then registers again to Trend
                  Micro Deep Discovery Analyzer using a new product key.
                  If there are documents and jobs in the DTAS handling
                  queue that use the previous product key, Deep
                  Discovery Analyzer returns an error code 419 for
                  "Product is not Registered" and the files are not
                  analyzed.
                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Solution 3:  This patch resolves the errors so that files in the
                  "VA" working queue are processed successfully under
                  the scenario described above.

     Issue 4:     [SEG-78714][Hotfix 3039]
                  The CMAgent sends "[Command] A duplicate command was
                  ignored" logs without a "SUCCESS" status to 
                  Apex Central. This causes Apex Central to detect a 
                  large number of failed update deployments even when 
                  the commands are still running.
                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Solution 4:  This patch resolves the issue by ensuring that CMAgent 
                  promptly tags "[Command] A duplicate command was 
                  ignored" command tracking entries as "Successful"
                  commands.

     Issue 5:     [SEG-78381][Hotfix 3040]
                  When the ScanMail service restarts after ScanMail log
                  generation is enabled, tmase logs are also enabled
                  automatically and can only be disabled by disabling
                  ScanMail log generation and restarting the ScanMail
                  service.
                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Solution 5:  This patch resolves the issue described above.
 
     Issue 6:     [SEG-81269][Hotfix 3042]
                  BIN files in Microsoft(TM) Excel(TM) 2007 files and
                  later-version Excel files trigger ScanMail to block
                  these Excel files when the "Do not block embedded
                  files inside Microsoft Office 2007 or later files"
                  option is enabled.
                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Solution 6:  This patch solves the issue so ScanMail skips Excel
                  files normally when the "Do not block embedded files
                  inside Microsoft Office 2007 or later files" option is
                  enabled. 
  
     Issue 7:     [SEG-81831][Hotfix 3048]
                  Multiple entries appear for the same product entity on
                  the "Product License Log Query" page of the Trend
                  Micro Control Manager(TM). All additional entries
                  display "N/A" in certain fields.
                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Solution 7:  This patch updates the Control Manager Agent in
                  ScanMail to prevent duplicate ScanMail entries on the
                  Control Manager console.
  
     Issue 8:     [SEG-77257][Hotfix 3047]
                  In hybrid Exchange environments, running Search and
                  Destroy on all on-premise mailboxes triggers the
                  search server to return a "The user does not have an
                  Exchange mailbox." message.
                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Solution 8:  This patch resolves the issue by adding the cmdlet
                  "Get-Mailbox" to pipe the mailboxes.
                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Procedure 8: To configure this Hotfix:
                  
                  1. Install this patch (see "Installation").
                  
                  2. Open the Registry Editor.
                  
                  3. Locate the following key and set the preferred
                     value:

                  * Path: HKLM\SOFTWARE\TrendMicro\ScanMail for
                    Exchange\CurrentVersion

                  * Key: PipeForSearchAllMailbox

                  * Type: REG_DWORD

                  * Data value:
                    "1" = ScanMail uses the new cmdlet to search all
                    on-premise mailboxes (default behavior after this
                    Hotfix is installed)

                    "0" = ScanMail does not use the new cmdlet to
                    search all on-premise mailboxes
                  
                  4. Restart the ScanMail service.

     Issue 9:     [VRTS-4870][Hotfix N/A]
                  A directory traversal vulnerability occurs when
                  PortalProtect downloads engine files or pattern files
                  from the local ActiveUpdate (AU) server.
                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Solution 9:  This patch updates the ActiveUpdate modules to resolve 
                  this issue.
  
     Issue 10:    The terms "white list" and "black list" may appear in
                  some ScanMail configuration filenames and HTML pages. 
                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Solution 10: This patch replaces these terms on affected filenames
                  and HTML pages.

     Issue 11:    [SEG-82956][Hotfix 3049]
                  An issue prevents ScanMail from restoring scan
                  mediator if scan mediator launches unexpectedly. This
                  affects filter scanning.
                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Solution 11: This patch resolves the issue by ensuring that 
                  ScanMail can restore scan mediator under the scenario
                  described above. 

     Issue 12:    [SEG-82797][Hotfix 3050]
                  Some ScanMail for Exchange binary files related to the 
                  eManager module use 3rd-party digital signatures 
                  instead of the Trend Micro digital signature to run
                  the Vulnerability Scanner.                                
                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Solution 12: This patch replaces the digital signatures of these 
                  binary files with the Trend Micro digital signature.


     Issue 13:    [SEG-82945][Hotfix 3051]
                  When the "Detect new spam sources" option is enabled,
                  ScanMail does not send certain URLs to Trend Micro
                  Deep Discovery Analyzer for analysis.                                
                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Solution 13: This patch helps ensure that ScanMail sends the
                  correct URLs to Deep Discovery Analyzer for analysis
                  when the "Detect new spam sources" option is enabled.

    Issue 14:     [SEG-84214][Hotfix 3053]
                  An issue prevents Virus Scans from performing certain
                  scanning operations to detect threats when Predictive
                  Machine Learning Scan is enabled.
                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Solution 14:  This patch resolves this issue.


    Issue 15:     [SEG-81621][Hotfix 3054]
                  The Writing Style Training program cannot run
                  successfully on protected computers. This happens when
                  ScanMail cannot retrieve the correct Internal URL
                  property for the Exchange Web Services (EWS) virtual
                  directory or when the EWS virtual directory stops
                  working.
                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Solution 15:  This patch enables users to specify the Internal URL
                  property of the EWS virtual directory.
                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Procedure 15: To configure this option:

                  1. Install this patch (see "Installation").

                  2. Open the Registry Editor.

                  3. Locate the following key and set its value to
                     the Internal URL property:

                  * Key: HKLM\SOFTWARE\TrendMicro\ScanMail for
                    Exchange\CurrentVersion
                  * Value: EWSInternalUrl (REG_SZ)
                  * Data: Internal URL value of EWS Virtual Directory.


    Issue 16:     [SEG-91846]
                  When a message needs to be sent to the Deep Discovery 
                  Analyzer Server for analysis, ScanMail quarantines
                  this message temporarily and then resends it for 
                  further action.
                  When the message is resent, the Exchange Server 
                  assigns a new "Message-ID" to it which triggers 
                  ScanMail to treat the resent message as a new email 
                  and prompts it to scan the message again. 
                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Solution 16:  This patch provides an option to configure ScanMail
                  to skip the Message-ID checking for quarantined email
                  messages, so that ScanMail does not scan them
                  repeatedly.
                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Procedure 16: To configure this option:

                  1. Install this patch (see "Installation").

                  2. Open the Registry Editor.

                  3. Add or locate the following key and set the 
                     preferred value:

                  * Path: HKLM\SOFTWARE\TrendMicro\ScanMail for
                    Exchange\CurrentVersion
                  * Key: SkipResendMessageIdCheck
                  * Type: REG_DWORD
                  * Data value:
                    "1" = ScanMail skips Message-ID checking for
                    quarantined email messages
                    "0" = ScanMail checks the Message-ID of quarantined
                    email messages (default)

                  4. Restart the ScanMail service.
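
     The registry values documented in Procedures 1, 4, 6, 8 and 16
     above can be audited together. The following PowerShell script is
     an added example, not Trend Micro code: it reports the effective
     setting of each value (using the documented default when a DWORD
     value is absent) and lists the logon account of the ScanMail
     services, which the NOTE under Enhancement 1 ties to EWSLocalCall.
     The function names and the sample data are assumptions made for
     this example.

```powershell
# Added example, not Trend Micro code. Function names are hypothetical.
$RegPath = 'HKLM:\SOFTWARE\TrendMicro\ScanMail for Exchange\CurrentVersion'

# DWORD switches with the defaults and data-value meanings that this
# readme gives in Procedures 1, 4, 8 and 16.
$Switches = [ordered]@{
    EWSLocalCall = @{ Default = '1'; Meaning = @{
        '1' = 'Exchange cmdlets run in a Local Runspace'
        '0' = 'Exchange cmdlets run in a Remote Runspace' } }
    EnableQMBasedOnFileTime = @{ Default = '1'; Meaning = @{
        '1' = 'Quarantine Maintenance uses file creation time'
        '0' = 'feature disabled' } }
    PipeForSearchAllMailbox = @{ Default = '1'; Meaning = @{
        '1' = 'new cmdlet used to search all on-premise mailboxes'
        '0' = 'new cmdlet not used' } }
    SkipResendMessageIdCheck = @{ Default = '0'; Meaning = @{
        '1' = 'Message-ID check skipped for quarantined messages'
        '0' = 'Message-ID of quarantined messages is checked' } }
}

# Engine type IDs from Procedure 6 (EngineTypesNotUpdateFromCM, REG_SZ).
$EngineTypes = @{ '1' = 'VSAPI'; '2' = 'TMASE'; '3' = 'TMUFE'
                  '4' = 'ATSE';  '5' = 'TRXHANDLER' }

function Resolve-ScanMailSetting {
    param([hashtable]$Values)   # value name -> raw registry data

    foreach ($name in $Switches.Keys) {
        $present = $Values.ContainsKey($name)
        $data = if ($present) { [string]$Values[$name] }
                else { $Switches[$name].Default }
        $meaning = $Switches[$name].Meaning[$data]
        [pscustomobject]@{
            Name    = $name
            Source  = if ($present) { 'registry' } else { 'default' }
            Data    = $data
            Meaning = if ($meaning) { $meaning }
                      else { 'UNDOCUMENTED DATA VALUE' }
        }
    }

    # Semicolon-separated exclusion list; reported only when it is set.
    $listName = 'EngineTypesNotUpdateFromCM'
    if ($Values.ContainsKey($listName)) {
        $ids = @(([string]$Values[$listName]) -split ';' |
                 ForEach-Object { $_.Trim() } | Where-Object { $_ })
        $names = foreach ($id in $ids) {
            if ($EngineTypes.ContainsKey($id)) { $EngineTypes[$id] }
            else { "unknown($id)" }
        }
        [pscustomobject]@{
            Name    = $listName
            Source  = 'registry'
            Data    = $ids -join ';'
            Meaning = if ($names) { "excluded: $($names -join ', ')" }
                      else { 'empty: no engine type excluded' }
        }
    }
}

function Get-ScanMailRegistryValue {
    # Collect only the value names this example knows about.
    $found = @{}
    $item  = Get-ItemProperty -Path $RegPath -ErrorAction SilentlyContinue
    if ($item) {
        foreach ($name in @($Switches.Keys) + 'EngineTypesNotUpdateFromCM') {
            $prop = $item.PSObject.Properties[$name]
            if ($prop) { $found[$name] = $prop.Value }
        }
    }
    return $found
}

function Get-ScanMailServiceAccount {
    # StartName is the logon account. Per the NOTE under Enhancement 1,
    # EWSLocalCall matters only when this is a Windows account rather
    # than Local System.
    Get-CimInstance -ClassName Win32_Service `
        -Filter "DisplayName LIKE 'ScanMail%'" |
        Select-Object DisplayName, StartName
}

if (Test-Path -Path $RegPath) {
    $values = Get-ScanMailRegistryValue
    Get-ScanMailServiceAccount | Format-Table -AutoSize
} else {
    # Constructed sample data so the script also runs off-server.
    # SkipResendMessageIdCheck = 2 is deliberately out of range.
    $values = @{
        EWSLocalCall               = 0
        EngineTypesNotUpdateFromCM = '3;5'
        SkipResendMessageIdCheck   = 2
    }
}
Resolve-ScanMailSetting -Values $values | Format-Table -AutoSize
```

     Any row marked "UNDOCUMENTED DATA VALUE" holds data that this
     readme does not define for that value.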


    Issue 17:     [SEG-88857]
                  When configuration replication runs while ScanMail
                  is connected to the Deep Discovery Analyzer server
                  using its GUID, ScanMail creates a new GUID which
                  cannot be used to connect to the Deep Discovery 
                  Analyzer server but is stored in the database. When 
                  the ScanMail service restarts, it will use the new
                  GUID to send samples to Deep Discovery Analyzer
                  which will return an error code 419 for "Product 
                  is not Registered". If this happens, the files are 
                  not analyzed.
                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Solution 17:  This patch resolves the error by ensuring that 
                  ScanMail does not create a new GUID during 
                  configuration replication.


    Issue 18:     [SEG-91722]
                  The ScanMail Master Service stops unexpectedly when 
                  the specified "User ID" or "Password" in the "Proxy 
                  Settings" page exceeds the length limitation.
                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Solution 18:  This patch adds alert messages and enables ScanMail
                  to display an alert when "User ID" or "Password" has 
                  exceeded the length limitation.



  3. Documentation Set
  ======================================================================
     To download or view electronic versions of the documentation set
     for this product, go to http://docs.trendmicro.com

     In addition to this Readme file, the documentation set for this
     product includes the following:

     - Online Help: The Online Help contains an overview of features
       and key concepts, and information on configuring and
       maintaining ScanMail (for Microsoft Exchange).

       To access the Online Help, go to http://docs.trendmicro.com

     - Installation Guide (IG): The Installation Guide contains
       information on requirements and procedures for installing and
       deploying ScanMail (for Microsoft Exchange).

     - Administrator's Guide (AG): The Administrator's Guide contains
       an overview of features and key concepts, and information on
       configuring and maintaining ScanMail (for Microsoft Exchange).

     - Support Portal: The Support Portal contains information on
       troubleshooting and resolving known issues.

       To access the Support Portal, go to
       http://esupport.trendmicro.com


  4. System Requirements
  ======================================================================
     There are no changes to the system requirements in the ScanMail
     (for Microsoft Exchange) 14 readme file.


  5. Installation
  ======================================================================
     This section explains key steps for installing.

     - This Patch supports remote and multi-server deployment.

     - This Patch automatically restarts the following services on both
       Normal and Cluster Servers:

       - ScanMail (for Microsoft Exchange) Master Service
       - ScanMail (for Microsoft Exchange) Remote Configuration Server
       - ScanMail (for Microsoft Exchange) System Watcher
       - ScanMail EUQ Monitor
       - Microsoft Exchange Transport
       - MOM service
       - HealthService service

     - To install or uninstall this Patch, you must have at least
       local administrator and domain user privileges.


     5.1 Installing
     ===================================================================
     To install:

     1. Log on using an account with local administrator and domain user
        privileges.

     2. Run "smex_140_win_en_patch4_b3080.exe" and select "Install".

        The framework automatically installs the Patch to the
        appropriate directory, replaces the outdated files, and updates
        the database.

        The "Successfully completed" count increases upon the completion
        of the installation.

     3. Clear the browser cache and re-launch the browser.


     5.2 Uninstalling
     ===================================================================
     To roll back to the previous build, run 
     "smex_140_win_en_patch4_b3080.exe" and select "uninstall".

     The framework automatically rolls back to the previous build and
     a confirmation message indicating a successful uninstallation is
     displayed on the setup screen.


  6. Post-Installation Configuration
  ======================================================================
     No post-installation steps are required.

     NOTE: Trend Micro recommends that you update your scan engine and
           virus pattern files immediately after installing the product.


  7. Known Issues
  ======================================================================
     There are no known issues in this release.


  8. Release History
  ======================================================================
     For more information about updates to this product, go to:

     http://www.trendmicro.com/download

     ScanMail 12.0 for Microsoft Exchange                 March 2016
     ScanMail 12.0 for Microsoft Exchange Service Pack 1  November 2016
     ScanMail 12.5 for Microsoft Exchange                 November 2017
     ScanMail 12.5 for Microsoft Exchange Service Pack 1  August 2018
     ScanMail 14.0 for Microsoft Exchange                 June 2019
     ScanMail 14.0 for Microsoft Exchange Patch 1         September 2019
     ScanMail 14.0 for Microsoft Exchange Patch 2         December 2019
     ScanMail 14.0 for Microsoft Exchange Patch 3         April 2020


     8.1 Patch 1
     ===================================================================

     8.1.1 Enhancements
     ===================================================================
     The following enhancements are included in Patch 1:

     Enhancement 1: [SEG-52055]
                    Attachment Blocking Filter and Virtual Analyzer -
                    Users can now configure ScanMail to detect PDF files
                    with embedded scripts through the attachment 
                    blocking filter settings and in Virtual Analyzer.

     Enhancement 2: Approved List – A global approved list feature has 
                    been added to enable ScanMail to bypass all scanning 
                    for specific senders and recipients.

     Enhancement 3: [SEG-42090]
                    Security Risk Filter - Users can now create an 
                    approved list of file extension name(s) such as 
                    "jretk" for the Security Risk filter.

     Enhancement 4: TrendX - ScanMail now supports Signature extraction 
                    in TrendX.

     Enhancement 5: ScanMail Configuration – Some common hidden keys 
                    have been added to the web console to allow users
                    to configure the related feature from the ScanMail
                    web console.

     Enhancement 6: Data Loss Prevention Template - The DLP template 
                    has been updated to version 3.1.1036.

     Enhancement 7: [SEG-45978] [SEG-52236] [Hotfix 2041]
                    Content Violation Logs – ScanMail can now send
                    unscannable message parts logs to Trend Micro 
                    Control Manager(TM). These logs will appear under 
                    Content Violations logs.

     NOTE:          For the solution to work, you need to apply
                    "tmcm_70_patch1_win_en_hfb3097.zip" onto Control
                    Manager 7 first. The hotfix can be downloaded from
                    the following link:

       https://fix-int.trendmicro.com/product/10/release/429/hotfix/9828

     Enhancement 8: [SEG-47536] [Hotfix 2046]
                    Log Queries - ScanMail uses the Envelope Sender of
                    an email message as the Mail Sender in some features
                    and stores this information in the database. This
                    means that the Envelope Sender appears as the sender
                    information in Log Query results. Users can now
                    configure ScanMail to use and store the address from
                    the "From" header for the sender information.
                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Procedure 8:   To configure this feature:

                    1. Install this patch (see "Installation").

                    2. Open the Registry Editor.

                    3. Locate the following key and set the preferred
                       value:
                       - Path: HKLM\SOFTWARE\TrendMicro\ScanMail for
                         Exchange\CurrentVersion
                       - Key: UseHeaderSenderInLog
                       - Type: REG_DWORD
                       - Data value:
                         - "0" = ScanMail uses and stores the envelope
                                 sender of an email message as the mail
                                 sender (default).
                         - "1" = ScanMail uses and stores the
                                 information in the "From" header as the
                                 mail sender.
  
                    4. Restart the ScanMail service.

     Enhancement 9: [SEG-54685] [JP Hotfix 2641]
                    Email Scans - ScanMail cannot scan deleted email
                    messages in the Recoverable Folder in Exchange 2013
                    and Exchange 2016. This patch provides an option
                    to configure ScanMail to scan deleted email messages
                    in the Recoverable Folder.
                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Procedure 9:   To configure this feature:

                    1. Install this patch (see "Installation").

                    2. Open the Registry Editor.

                    3. Locate the following key and set the preferred
                       value:
                       - Path: HKLM\SOFTWARE\TrendMicro\ScanMail for
                               Exchange\CurrentVersion
                       - Key: SkipScanDeletedRecoverableFolder
                       - Type: REG_DWORD
                       - Data value:
                         - "1" = ScanMail does not scan deleted email
                                 messages in the Recoverable Folder
                                 (default).
                         - "0" = ScanMail scans deleted email messages
                                 in the recoverable folder.

                    4. Restart the ScanMail service.


     8.1.2 Resolved Known Issues
     ===================================================================
     Patch 1 resolves the following issues:

     Issue 1:     [SEG-50638] [Hotfix 1311]
                  The System Watcher service closes immediately after
                  starting or restarting.
                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Solution 1:  The System Watcher service now runs normally.

     Issue 2:     [SEG-51208] [Hotfix 1310]
                  Users encounter the following issues while running a
                  Quarantine Query on a remote server(s):
                  - After users delete a message from the quarantine
                    folder using the "Delete" button, the confirmation
                    pop-up and progress bar appear, but the message
                    remains in the query results and in the quarantine
                    folder.
                  - If a query returns multiple pages of results,
                    clicking the next page arrow resets the page view.
                  - When users click the "Search", "Delete" or
                    "Resend" button, the "Selected Server(s)" and
                    "Available Server(s)" lists are displayed empty.
                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Solution 2:  These known issues have been resolved.

     Issue 3:     [SEG-47942] [Hotfix 2037]
                  When users send time-of-click (TOC) log queries to
                  remote servers and filter results by URL, the query
                  results still display all TOC logs, while queries sent
                  to local servers filter the results normally. This
                  happens because the URL filter is not carried to the
                  remote server, so remote servers respond with all TOC
                  logs.
                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Solution 3:  The URL parameter has been added in the remote query
                  function to resolve this issue.

     Issue 4:     [SEG-47788]
                  Exchange email messages cannot be detected as internal
                  messages, so system email messages are sent to
                  Trend Micro Deep Discovery Analyzer for analysis.
                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Solution 4:  ScanMail no longer sends system-generated email 
                  messages to Deep Discovery Analyzer.

     Issue 5:     [SEG-43197]
                  Manual Scan takes a long time to complete when the
                  "Scan messages that have not been scanned" option is
                  enabled.
                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Solution 5:  This patch ensures that manual scans run normally with
                  the option.

     Issue 6:     [SEG-48122] [Hotfix 2040]
                  ScanMail may encounter a mail loop issue when the
                  "Submit email messages to Virtual Analyzer" option is
                  enabled simultaneously with the URL rewrite feature.
                  This happens when ScanMail cannot verify if the URL
                  has already been rewritten or not, and keeps
                  attempting to rewrite the URL.
                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Solution 6:  This issue has been resolved.

     Issue 7:     [SEG-42320] [Hotfix 1823]
                  An issue prevents ScanMail for Microsoft Exchange from
                  running certain database operations that contain
                  datetime information on some Windows platforms.
                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Solution 7:  This issue has been resolved by changing the datetime
                  format in the affected database operations.

     Issue 8:     [SEG-48497] [Hotfix 2045]
                  Users cannot delete items from a mailbox using the
                  Search & Destroy function because certificate
                  validation by EWS Managed API is not successful.
                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Solution 8:  Certificate validation by EWS Managed API completes 
                  successfully.

     Issue 9:     [SEG-53244] [Hotfix 2045]
                  The TrendMicro Site Safety Center URL
                  "http://reclassify.wrs.trendmicro.com" in the "Web
                  Reputation Filter" page of the ScanMail web console
                  cannot be accessed.
                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Solution 9:  The TrendMicro Site Safety Center URL on the page has 
                  been updated to:

                  "https://global.sitesafety.trendmicro.com".

     Issue 10:    [SEG-52663]
                  The "Take action on unrated URLs" option in the Web
                  Reputation settings is disabled automatically when
                  the "Enable URL Analysis" option is enabled.
                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Solution 10: The "Take action on unrated URLs" option in the Web 
                  Reputation settings can now be enabled successfully 
                  when the "Submit email messages to Virtual Analyzer" 
                  or "Enable URL Analysis" is disabled.

     Issue 11:    [SEG-53238] [Hotfix 1321]
                  The ScanMail 14 Online Help page redirects to
                  ScanMail 12.5 pages.
                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Solution 11: The Online Help page now redirects to the correct 
                  pages.

     NOTE:        Clear your browser cache and log in to ScanMail again
                  after applying this patch.

     Issue 12:    [SEG-51440] [Hotfix 2044]
                  A URL extracted from an email message that has the
                  text/plain content type but is in RTF format may not
                  contain the
                  "\line" RTF flag and may be rewritten. When this
                  happens, the email message will not display correctly.
                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Solution 12: ScanMail can now correctly identify that a plain text 
                  email message that starts with an RTF flag is in RTF 
                  format. This allows ScanMail to skip rewriting URLs in 
                  this kind of email message.

     Issue 13:    [SEG-51783]
                  The DLP policy exception does not work if other
                  non-exception addresses are listed.
                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Solution 13: The issue has been resolved by adding a boundary match 
                  and a condition to decide whether to retrieve the 
                  recipient information from an email message.

     Issue 14:    [SEG-57951]
                  The following issues have been discovered in ScanMail:

                  1. The following System Event settings cannot be
                     replicated through the "Server Management" page of
                     the web console or through Control Manager.

                     - Predictive Machine Learning service was
                     - Writing Style service was

                  2. The "Apply All" button on the Notification Settings
                     section of the Administration web console does not
                     work on the following alert settings:

                     - System Event Predictive Machine Learning service
                       was
                     - Writing Style service was
                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Solution 14: Both System Event settings can now be replicated 
                  through the "Server Management" page and the 
                  Control Manager web console. This patch also ensures 
                  that the "Apply All" button works on both alert 
                  settings.


     8.2 Patch 2
     ===================================================================

     8.2.1 Enhancements
     ===================================================================
     The following enhancements are included in Patch 2:

     Enhancement 1: [SEG-60644][SEG-63413]
                    Unscannable Message Logs - Administrators can now 
                    configure the type of unscannable message log 
                    ScanMail sends to Control Manager.
                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Procedure 1:   To configure this feature:

                    1. Install this patch (see "Installation").

                    2. Open Registry Editor.

                       a. Locate the following key and set the preferred
                          values as follows:

                          - Path: HKLM\SOFTWARE\TrendMicro\ScanMail for
                                  Exchange\CurrentVersion
                          - Key: SkipSendUnscannableMessageLogToCM
                          - Type: REG_DWORD
                          - Data value:
                            - "0" = ScanMail sends unscannable message
                                    parts logs to Control Manager
                                    (default).
                            - "1" = ScanMail does not send unscannable
                                    message parts logs to Control
                                    Manager.

                          NOTE: If SkipSendUnscannableMessageLogToCM is
                                set to 1, skip step b.

                       b. If SkipSendUnscannableMessageLogToCM is not
                          configured or set to 0, locate the following
                          key and set the preferred value:

                          - Path: HKLM\SOFTWARE\TrendMicro\ScanMail for
                                  Exchange\CurrentVersion
                          - Key: UnsupportMessageTypesSendToCM
                          - Type: REG_SZ
                          - Data value:
                            - "1;2;3;4" = (default) ScanMail sends all
                                          types of unscannable message
                                          logs to Trend Micro Control
                                          Manager.

                          NOTE: Separate unscannable message log types
                                with a semicolon (;).
                                - 1 represents "Encrypted email
                                    messages".
                                - 2 represents "Encrypted and password
                                    protected files".
                                - 3 represents "Files outside of scan
                                    restriction criteria".
                                - 4 represents "Unsupported or corrupted
                                    files".

                    3. Restart the ScanMail service.

     Enhancement 2: Policy Violation Logs - ScanMail can now integrate 
                    with Trend Micro Cloud App Security to provide 
                    visibility of policy violation logs from one or more 
                    ScanMail servers on Cloud App Security.


     8.2.2 Resolved Known Issues
     ===================================================================
     Patch 2 resolves the following issues:

     Issue 1:     [SEG-58468][Hotfix 1335]
                  Hebrew file names do not display correctly in the Deep
                  Discovery Analyzer web console.

                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Solution 1:  When attachment file names are encoded in base64, wide
                  characters are transformed to UTF-8 before encoding.
                  However, during base64 decoding, the function that
                  transforms multibyte characters to wide characters is
                  called instead of the one that transforms UTF-8
                  characters to wide characters. As a result, Hebrew
                  file names cannot be displayed correctly in the Deep
                  Discovery Analyzer web console.

                  The correct function is now called to transform UTF-8
                  to wide characters while decoding attachment file
                  names in base64, so Hebrew file names display
                  correctly.

     Issue 2:     [SEG-62061][Hotfix 1337]
                  TrendX scan results on the ScanMail for Exchange
                  console may not contain information on viruses
                  detected in OLE layers because the scan results are
                  released before the final scan results are recorded.
                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Solution 2:  TrendX scan results are now released only after the 
                  final scan results are recorded, so that the viruses 
                  detected in OLE layers appear as detected using TrendX 
                  in scan results.

     Issue 3:     [SEG-59825]
                  When resending an email with the original quarantined
                  email as an attachment, the quarantined email triggers
                  an Advanced Spam Prevention rule, and as a result, the
                  attachment becomes a document file.
                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Solution 3:  This issue has been resolved.

     Issue 4:     [SEG-63222]
                  The numbers of Deep Discovery Analyzer submissions are 
                  sometimes mismatched between the ScanMail web console 
                  and the Deep Discovery Analyzer web console.
                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Solution 4:  This issue was caused by inappropriate handling of
                  0-size attachments. This has been resolved.

     Issue 5:     [VRTS-3703]
                  A code injection vulnerability in OpenSSL/libcurl
                  allows a non-privileged user or program to put code
                  and a config file in a known non-privileged path and
                  make cURL automatically run the code (as an OpenSSL
                  "engine") on invocation. If that cURL is invoked by a
                  privileged user, it can do anything that it is
                  designed to perform.
                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Solution 5:  The Trend Micro common modules have been updated to 
                  fix this known issue.

     Issue 6:     [SEG-59268]
                  Trend Micro Apex Central identifies and searches for 
                  connected ScanMail servers using hostname only, and 
                  not by FQDN or IP address. However, this method is
                  not ideal for large environments that contain several
                  domains where some suffixes are not in the
                  dns-suffix-search-list.
                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Solution 6:  Apex Central can now identify connected ScanMail 
                  servers using FQDN.

     8.3 Patch 3
     ===================================================================

     8.3.1 Enhancements
     ===================================================================
     The following enhancements are included in Patch 3:

     Enhancement 1: Integration with Cloud App Security - ScanMail now
                    integrates with Trend Micro Cloud App Security to 
                    provide visibility and resend capability of 
                    quarantined logs from one or more ScanMail servers 
                    on Cloud App Security.
                   
     Enhancement 2: Data Loss Prevention Identifiers – ScanMail now
                    supports file attribute detection in Data Loss 
                    Prevention.
                   
     Enhancement 3: Quarantine – Users can now configure whether 
                    quarantined messages need Web Reputation rescanning 
                    before being sent.
                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Procedure 3:   To configure this feature:

                    1. Install this patch (see "Installation").

                    2. Open the Registry Editor.

                    3. Locate the following key and set the preferred
                       value:
                       - Path: HKLM\SOFTWARE\TrendMicro\ScanMail for
                               Exchange\CurrentVersion
                       - Key: EnableResendWithWRSUI
                       - Type: REG_DWORD
                       - Data value:
                         - "1" = ScanMail shows the option to support
                                 Web Reputation protection when
                                 resending a quarantined message.
                         - "0" = ScanMail does not show the option to
                                 support Web Reputation protection when
                                 resending a quarantined message
                                 (default).
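
     The registry options from Patch 1 Procedures 8 and 9, Patch 2
     Procedure 1 and Patch 3 Procedure 3 can be read back in one place.
     The PowerShell script below is an added example, not part of the
     Trend Micro product or this readme's own procedures; the function
     names and the constructed sample values are assumptions, while the
     key path, value names, defaults and type numbers are the ones
     documented in those procedures.

```powershell
# Added example (not Trend Micro code). Read-only: reports the effective value
# of the registry options documented in this readme, applying the documented
# default when a value is absent.
$KeyPath = 'HKLM:\SOFTWARE\TrendMicro\ScanMail for Exchange\CurrentVersion'

# Defaults exactly as stated in the readme procedures.
$Defaults = [ordered]@{
    UseHeaderSenderInLog              = 0
    SkipScanDeletedRecoverableFolder  = 1
    SkipSendUnscannableMessageLogToCM = 0
    UnsupportMessageTypesSendToCM     = '1;2;3;4'
    EnableResendWithWRSUI             = 0
}

# Type numbers from the NOTE in Patch 2, Procedure 1.
$UnscannableTypes = @{
    '1' = 'Encrypted email messages'
    '2' = 'Encrypted and password protected files'
    '3' = 'Files outside of scan restriction criteria'
    '4' = 'Unsupported or corrupted files'
}

function Get-ScanMailRegistryValues {
    # Returns $null when the key does not exist (ScanMail not installed here).
    if (-not (Test-Path -LiteralPath $KeyPath)) { return $null }
    $item  = Get-ItemProperty -LiteralPath $KeyPath
    $found = @{}
    foreach ($name in $Defaults.Keys) {
        if ($null -ne $item.PSObject.Properties[$name]) { $found[$name] = $item.$name }
    }
    return $found
}

function Resolve-ScanMailSettings {
    param([hashtable]$Values = @{})

    # A configured value wins; otherwise fall back to the documented default.
    $eff = @{}
    foreach ($name in $Defaults.Keys) {
        $eff[$name] = if ($Values.ContainsKey($name)) { $Values[$name] } else { $Defaults[$name] }
    }

    # Step b of Patch 2 Procedure 1 applies only when the skip value is not 1.
    $sent = @(); $unknown = @()
    if ([int]$eff['SkipSendUnscannableMessageLogToCM'] -ne 1) {
        foreach ($token in ([string]$eff['UnsupportMessageTypesSendToCM'] -split ';')) {
            $t = $token.Trim()
            if ($t -eq '') { continue }
            if ($UnscannableTypes.ContainsKey($t)) { $sent += $UnscannableTypes[$t] }
            else { $unknown += $t }   # token the readme does not define
        }
    }
    $notSent = @($UnscannableTypes.Values | Where-Object { $sent -notcontains $_ } | Sort-Object)

    # Only the values 0 and 1 are documented; anything else is reported as
    # the non-enabled state here (assumption of this example).
    [pscustomobject]@{
        SenderStoredInLogs     = if ([int]$eff['UseHeaderSenderInLog'] -eq 1) { '"From" header' } else { 'Envelope sender' }
        RecoverableFolderScan  = if ([int]$eff['SkipScanDeletedRecoverableFolder'] -eq 0) { 'Scanned' } else { 'Not scanned' }
        ResendWebReputationUI  = if ([int]$eff['EnableResendWithWRSUI'] -eq 1) { 'Shown' } else { 'Not shown' }
        UnscannableLogsSent    = $sent
        UnscannableLogsNotSent = $notSent
        UnrecognizedTypeTokens = $unknown
    }
}

$values = Get-ScanMailRegistryValues
if ($null -eq $values) {
    # Constructed sample for machines without ScanMail: type 3 is omitted and
    # an undefined token "9" is present, to show how both are reported.
    $values = @{ SkipScanDeletedRecoverableFolder = 0; UnsupportMessageTypesSendToCM = '1;2;4;9' }
}
Resolve-ScanMailSettings -Values $values | Format-List
```

     With the constructed sample, the report lists "Files outside of
     scan restriction criteria" under UnscannableLogsNotSent and "9"
     under UnrecognizedTypeTokens.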
                    

     8.3.2 Resolved Known Issues
     ===================================================================
     Patch 3 resolves the following issues:

     Issue 1:     [SEG-56061][Hotfix 3008]
                  When "SpecialUser/Groups" is configured in ScanMail 
                  filters, a memory leak may occur in ScanMail.
                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Solution 1:  The cache has been updated to prevent the memory usage 
                  issue.

     Issue 2:     [SEG-63660][Hotfix 3009]
                  In certain environments, one SQL instance may contain
                  a large number of ScanMail databases. This causes 
                  performance issues while ScanMail checks the database 
                  connection and runs SQL queries 
                  ["SELECT COUNT(TABLE_NAME) as num FROM 
                  INFORMATION_SCHEMA.TABLES"] from the system view.
                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Solution 2:  ScanMail can now run the queries from the database 
                  itself (instead of running the queries from the system 
                  view) to help prevent the performance issues.

     Issue 3:     [SEG-70457][Hotfix 3010]
                  Quarantine Maintenance is prevented from deleting some
                  files that were quarantined by the "Quarantine message
                  part" action from the quarantine folder.
                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Solution 3:  Quarantine Maintenance can now successfully delete 
                  files that were quarantined by the "Quarantine message 
                  part" action from the quarantine folder.

     Issue 4:     [SEG-67814][Hotfix 3011]
                  Under certain conditions, ScanMail may not be able to 
                  register successfully to Apex Central through port 
                  443.
                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Solution 4:  ScanMail can now apply the test connection settings in 
                  the ini file of Control Manager when testing the 
                  connection to Apex Central. 

     Issue 5:     [SEG-67397][Hotfix: NA]
                  When detecting New Spam resources is enabled, URL 
                  Time-of-Click protection does not rewrite URLs except 
                  newly born URLs and unrated URLs.
                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Solution 5:  The URLs can now be rewritten properly.

     Issue 6:     [SEG-69405][Hotfix: NA]
                  After ScanMail quarantines a message, the log may not 
                  be inserted into the database. Therefore, users cannot
                  find the log from quarantined logs.
                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Solution 6:  The log is inserted into the database successfully. 

     Issue 7:     [SEG-64877][Hotfix 3019]
                  An issue related to the parsing function of the
                  dtSearch module prevents ScanMail for Microsoft
                  Exchange from detecting keywords.
                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Solution 7:  The dtSearch module has been updated to the latest
                  version to resolve the issue.

     Issue 8:     [SEG-67801/SEG-63413][Hotfix: NA]
                  Hotfix 14.0.0.1340 provides a way for users to 
                  configure the types of unscannable message parts logs
                  that ScanMail sends to the Apex Central server. 
                  Users requested that this feature be implemented in
                  the UI of the ScanMail web console.
                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Solution 8:  Hidden keys have been added to the ScanMail web 
                  console under "Administration > Apex Central Settings
                  > Unscannable Message Parts Logs". On this UI, users 
                  can select the types of unscannable message parts logs
                  sent to Apex Central.

     Issue 9:     [SEG-72957][Hotfix 3014]
                  Microsoft packaged a password-protected document as a 
                  .doc file. When users check the box to allow password 
                  protected Office documents and block .doc files, 
                  password protected Office documents will be blocked.
                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Solution 9:  When ScanMail detects .doc files, it will first skip 
                  password-protected documents. ScanMail will then block 
                  password-protected documents only if the users check 
                  the box to allow password protected Office documents.


  9. Files Included in This Release
  ======================================================================
     This is a full package release. For a detailed file list, refer to
     the ScanMail (for Microsoft Exchange) 14 installation package.


  10. Contact Information
  ======================================================================
     A license to Trend Micro software usually includes the right to
     product updates, pattern file updates, and basic technical support
     for one (1) year from the date of purchase only. After the first
     year, you must renew Maintenance on an annual basis at
     Trend Micro's then-current Maintenance fees.

     Contact Trend Micro via fax, phone, and email, or visit our website
     to download evaluation copies of Trend Micro products.

     http://www.trendmicro.com/us/about-us/contact/index.html

     NOTE: This information is subject to change without notice.


  11. About Trend Micro
  ======================================================================
     Smart, simple, security that fits

     As a global leader in IT security, Trend Micro develops innovative
     security solutions that make the world safe for businesses and
     consumers to exchange digital information.

     Copyright 2020, Trend Micro Incorporated. All rights reserved.

     Trend Micro, ScanMail, Control Manager, Data Loss Prevention,
     OfficeScan, eManager, Apex Central, and the t-ball logo are 
     trademarks of Trend Micro Incorporated and are registered in some 
     jurisdictions. All other marks are the trademarks or registered 
     trademarks of their respective companies.


  12. License Agreement
  ======================================================================
     View information about your license agreement with Trend Micro at:

     http://www.trendmicro.com/us/about-us/legal-policies/license-agreements

     Third-party licensing agreements can be viewed:

     - By selecting the "About" option in the application user interface

     - By referring to the "Legal" page of the Administrator's Guide
