Trend Micro, Inc.                                     November 2, 2015
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
InterScan Web Security Virtual Appliance 6.5 SP2
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Contents
=====================================================================
1. About InterScan Web Security Virtual Appliance
2. What's New
3. Documentation Set
4. System Requirements
5. Installation
6. Post-Installation Configuration
7. Known Issues
8. Release History
9. Contact Information
10. About Trend Micro
11. License Agreement
=====================================================================

1. About InterScan Web Security Virtual Appliance
========================================================================
InterScan Web Security Virtual Appliance (IWSVA) is a highly scalable
and reliable web security solution that includes virus protection for
HTTP and FTP traffic. IWSVA delivers best-in-class HTTP and FTP virus
scanning features that leverage the administration, policy, and
centralized management of Trend Micro's Enterprise Protection Strategy.

2. What's New
========================================================================
IWSVA 6.5 SP2 is based on IWSVA 6.5 SP1 and provides the same malware
protection, policy, logging, and reporting capabilities.

IWSVA 6.5 SP2 contains all applicable previous fixes and patches
available since the release of IWSVA 6.5 SP1.

The following features are new in this release:

2.1 Bandwidth control
=====================================================================
Allows administrators to configure policies that control
communications, reduce unwanted traffic, and appropriately allocate
bandwidth to critical traffic or services.

2.2 Content cache enhancement
=====================================================================
Enhanced performance and enabled RAM caching options for the existing
content cache feature.
2.3 TLS/SSL HTTPS encryption support enhancement
=====================================================================
Enhanced existing IWSVA support of Transport Layer Security (TLS) and
Secure Sockets Layer (SSL). The web console now allows administrators
to select their preferred SSL protocols, including TLS 1.1 and
TLS 1.2.

2.4 ICAP over SSL
=====================================================================
Allows IWSVA to use TLS/SSL encrypted ICAP (ICAPS) between IWSVA and
ICAP clients.

To enable ICAPS, do the following from the web console:

1) Upload your server certificate and specify a listening port.
2) Enable ICAPS on the ICAP screen of the Deployment Wizard.

2.5 New "Ransomware" URL filtering category supported
=====================================================================
Allows administrators to more clearly identify "ransomware" malware
types in "Internet Security" for URL filtering.

3. Documentation Set
========================================================================
In addition to this readme.txt, you can access the following
IWSVA 6.5 SP2 documentation set:

- Installation Guide (IG) -- Provides product overview, deployment
  plan, installation steps and basic information intended to help you
  deploy the product smoothly.

- Administrator's Guide (AG) -- Provides post-installation
  instructions on how to configure the settings to help you get your
  product "up and running". Also includes instructions on performing
  other administrative tasks for the day-to-day use and maintenance
  of your product.

Additionally, consider the following sources of information:

- Electronic versions of the printed manuals are available at:
  http://docs.trendmicro.com

- Online Help -- Context-sensitive Help screens that provide guidance
  to performing a task.

- Knowledge Base -- A searchable database of known product issues,
  including specific problem-solving and troubleshooting topics.
  http://esupport.trendmicro.com

4. System Requirements
========================================================================

4.1 Administrator Web Console Requirements
=====================================================================
- Microsoft Internet Explorer 9 or 10
- Mozilla Firefox 39 or later
- Google Chrome 44 or later

4.2 Others
=====================================================================
No changes from the previous version's system requirements.

For a complete description of the minimum IWSVA server requirements,
and to install an evaluation version, see the Installation Guide.

The minimum requirements provide enough resources to evaluate the
product under light traffic loads. The recommended requirements
specified provide general production sizing guidance.

4.2.1 Minimum Hardware
----------------------
- Single 2.0 GHz Intel Core2 Duo 64-bit processor supporting Intel VT
  or equivalent
- 4 GB RAM
- 50 GB disk space (IWSVA automatically partitions the detected disk
  space as required)

NOTE: For testing purposes, it is recommended to leave the 50 GB disk
      allocation at its default. For production environments,
      provide at least 300 GB for logging and reporting.

4.2.2 Recommended Hardware
--------------------------
- Single 3.3 GHz Intel Quad Core processor supporting Intel
  Hyper-Thread Technology or equivalent
- 8 GB RAM
- 300 GB disk space or more for log intensive environments

IWSVA automatically partitions the detected disk space as per
recommended Linux practices.

4.2.3 Server Platform Compatibility
-----------------------------------
- Virtual Appliances
  Supports VMware ESX and ESXi v4.0, v4.1, v5.0, v5.1, v5.5
  Supports Hyper-V 2.0, 3.0

  NOTE: If you use a virtual platform for IWSVA, reserve adequate
        resources for IWSVA. Otherwise, needed resources may be used
        by other instances on the same physical machine, and IWSVA
        may not function as designed.
- Software Appliances
  For the latest Certified by Trend Micro platforms:
  http://www.trendmicro.com/go/certified

4.2.4 Directory Servers for End-User Authentication
---------------------------------------------------
To configure policies based on Lightweight Directory Access Protocol
(LDAP) users and groups, the product integrates with the following
LDAP directory services:

- Microsoft Active Directory (AD) 2003, 2008, and 2012
- Linux OpenLDAP Directory 2.2.16 or 2.3.39
- Sun Java System Directory Server 5.2 (formerly Sun ONE Directory
  Server)
- Novell eDirectory 8.8

5. Installation
========================================================================

5.1 Fresh Install
=====================================================================
See Chapter 2 of the Installation Guide for installation instructions.

5.2 Upgrade from IWSVA 6.5 SP1
=====================================================================
The patch upgrade from IWSVA 6.5 SP1 to IWSVA 6.5 SP2 provides a
method for administrators to upgrade by using the web console.

After upgrading, the related configuration and data generated by
IWSVA 6.5 SP1, such as report templates, text logs, and logs held in
databases, are retained by IWSVA 6.5 SP2. However, you should back up
your configuration and policy files for safekeeping and for
restoration later in case an unrecoverable error occurs during the
upgrade.

To upgrade from the previous version of IWSVA to the current version,
perform the steps in 5.2.1 and 5.2.2.

5.2.1 To back up existing IWSVA 6.5 SP1 settings, do the following:
---------------------------------------------------------------------
1. Log on to the web console.

2. Go to Administration > Config Backup/Restore.

3. Click "Export". The screen displays a progress bar. After the
   export process finishes, a page displays the results.

4. If the configuration export was successful, the web console opens
   a notification that allows you to save the configuration file to a
   local disk.
   Save the file to a local drive on your computer.

5.2.2 To upgrade an earlier version of IWSVA to IWSVA 6.5 SP2, do the
      following:
---------------------------------------------------------------------
1. Log on to the web console as administrator.

   NOTE: Trend Micro recommends that you use Chrome (version 44 or
         later) to perform upgrade tasks. Internal tests suggest that
         Chrome does these tasks more quickly than other browsers.

2. Dissolve any clusters and set IWSVA to work in Standalone Mode
   before upgrading. Specifically, verify that IWSVA is not set to
   work in any of the following cluster modes:

   - Configuration Replication Server/Source
   - Central Log Report Server/Source
   - High Availability (HA) mode

3. Verify that you are running IWSVA 6.5 SP1. For example, go to
   Administration > System Update to view the version number.

4. Download the IWSVA 6.5 Service Pack 2 upgrade package from the
   download page on the Trend Micro website to the host that will be
   performing the update.

5. Go to Administration > System Updates, and then click "Browse".

6. Locate the upgrade package and then click "Open".

7. Click "Upload" to transfer and then click "Install" to install the
   upgrade package. After the upgrade finishes, IWSVA automatically
   restarts. Typically, the restart takes several minutes to
   complete.

   NOTE:
   - The patch mechanism checks the patch package and copies the
     upgrade script to /var/upgrade_tool.
   - You might encounter the following error message:
     "There is not enough free disk space. The minimum requirement is
     2GB."
     If you encounter this message, delete any TMP files or CDT files
     in IWSVA to make more space available.

8. After IWSVA restarts, refresh the web console page to log on.

9. If LDAP is configured, manually sync LDAP with the local database.
   Otherwise, end users may not pass LDAP authentication. For
   example, go to Administration > IWSVA Configuration > User
   Identification > Advanced and then click "Sync with LDAP servers".

10. Confirm or appropriately configure all new features and settings.

NOTE: If needed, you can access the upgrade log information at the
      following path: /var/upgrade_tool/upgrade.log

6. Post-Installation Configuration
========================================================================
The following post-installation steps are required:

6.1 Configuration after Fresh Installation
------------------------------------------
- Start the post-installation configuration process from the
  beginning. See "Post-installation Notes" in the IWSVA Installation
  Guide.

- To migrate configuration settings from a previous IWSVA version,
  re-import a backup configuration file. See "Migrating to InterScan
  Web Security Virtual Appliance" in the current version's
  Installation Guide.

7. Known Issues
========================================================================
The following is a known issue from IWSVA 6.5 SP2:

7.1 Bandwidth control does not work when enabling content cache
=====================================================================
IWSVA bandwidth control is implemented via Linux's traffic control
subsystem, while content cache transfers the upstream traffic via the
logical network interface, lo, which is not controlled by traffic
control. As such, IWSVA bandwidth control does not control the
upstream traffic, which is instead directed through lo.

To work around this issue, disable content cache, and configure
Apache Traffic Server (ATS) as an upstream proxy for IWSVA.

The following is a known issue from IWSVA 6.5:

7.2 Multiple-domain authentication does not work in a specific
    scenario
=====================================================================
This issue occurs when two domains are configured, the first LDAP
server is AD, the second LDAP server is not AD, Standard
Authentication is enabled, and NTLM is not disabled. When a user
authenticates with an account in the second domain, the client uses
NTLM to authenticate, so the authentication always fails.
Using AD as the second domain avoids this issue.

The following are known issues from IWSVA 6.0 SP1:

7.3 Granular Application Control might not block HTTPS-based
    applications
=====================================================================
Some applications use HTTPS. In this scenario, HTTPS decryption must
be enabled for the application's URLs; otherwise, HTTPS-based
applications cannot be blocked. For example, Yahoo mail uses HTTPS
for IE10, Firefox 23, and Chrome 30.0.

To keep granular application control working, an HTTPS decryption
policy must be set.

1) Add a customized category in HTTP > Configuration > Customized
   Categories. For example, "appcontrol." Add the application's
   connection URLs and URL keywords.

2) Enable HTTPS decryption and select a category to be decrypted.
   For example, go to HTTPS Decryption > Policies, enable "HTTPS
   Decryption," and select the URL category for "appcontrol" to be
   decrypted.

7.4 In WCCP mode, HTTPS requests will not trigger an LDAP
    authentication
=====================================================================
If LDAP authentication is enabled in the bridge or WCCP mode, HTTPS
requests will not trigger an LDAP query. If no HTTP request has
triggered LDAP authentication and set up the IP-user cache before
the HTTPS request is made, the HTTPS request cannot be matched
against user-based policies. It will use "IP" or "Unknown" as the
username.

7.5 Log server mode does not synchronize related configurations
=====================================================================
Log server mode only causes log sources to send logs to the log
server. Related configurations (log filtering settings, anonymous
logging, and HTTPS tunneling settings) will not take effect on the
log sources, because these configurations cannot be automatically
synchronized between log servers and log sources.

If those features are needed, it is strongly recommended to use
replication configuration and make the log server a configuration
replication source as well.
Use "Manual Replication" and select "Policy & Configuration
Replication" to sync both policies and configurations from the log
server to the log sources.

7.6 HTTPS Decryption Limitation
=====================================================================
1) When visiting HTTPS sites by IP address in bridge mode, the HTTPS
   requests will be tunneled. The workaround is to change the
   "client_hello_no_host_tunnel=no" key in the "intscan.ini" file.

2) For Windows XP+IE8, HTTPS will not do decryption in bridge mode.
   The workaround is to change the "client_hello_no_host_tunnel=no"
   key in the "intscan.ini" file.

The following are known issues from IWSVA 6.0:

7.7 Policies do not immediately take effect when LDAP users/groups
    are added.
=====================================================================
When Directory Settings are configured, IWSVA synchronizes with the
listed LDAP server every 24 hours. When an LDAP user/group is added
to the directory server, the change takes effect when the next
synchronization cycle begins.

For faster synchronization with the LDAP server, do a Manual Sync
with the LDAP server.

- On the User Identification page, click the "Sync with LDAP servers"
  button.

7.8 Firefox does not process HTTPS IPv6 addresses smoothly.
=====================================================================
Firefox users see a certificate exception dialog when attempting to
access HTTPS URLs with an IPv6 address in DNS.

Workarounds include:

- Use the host name of the IPv6 server.
- Do not use the IP address to access HTTPS-related IPv6 web sites.
- Use IE or Chrome web browsers to access the site.

7.9 Reverse proxy does not support protecting IPv6 web servers using
    link-local IPv6 addresses.
=====================================================================
In reverse proxy mode, traffic cannot be forwarded to IPv6 servers
with a link-local address. End users cannot access the web server and
will not be protected by IWSVA.
The workaround is to use a global IPv6 address for the protected
server behind IWSVA.

7.10 IWSVA cannot connect to a DNS server if that server only has an
     IPv6 address.
=====================================================================
If a DNS server has both IPv4 and IPv6 addresses, IWSVA will connect
to it without any problems.

7.11 When cookie mode is enabled on IWSVA, the Safari web browser
     might not display some web sites correctly.
=====================================================================
Safari has a more stringent certificate-checking mechanism and does
not accept IWSVA Captive Portal's default certificate.

Workaround: Do not use Safari to surf the Internet through IWSVA, or
deactivate cookie mode.

7.12 Command Line Interface Shell (CLISH) has a time-out issue.
=====================================================================
The "show network interfaces status" command is a function of IWSVA
CLISH. It helps an administrator check the current interface status.
If the administrator does not type anything in CLISH within 900
seconds, CLISH cannot quit the usual way through the console. The
administrator can use the "killall" and "shownic" commands to quit.

To stop the current timeout process:

a. Change to another console by pressing ALT+F2.
b. Use the following "killall" command to end the timeout process.

   killall -9 shownic

7.13 The System Event log (SEL) hardware information cannot be read
     by IWSVA 6.0.
=====================================================================
When IWSVA 6.0 is deployed on an IBM X360 or HP 380G5, the system
event log generated by the BMC agent on these devices cannot be read
by IWSVA. This will lead to inaccurate hardware status log
information being exported through the syslog and SNMP.

7.14 MAC Addresses will float from one port to another port when the
     switch is connected to multiple machines.
=====================================================================
This issue occurs when IWSVA 6.0 is connected to a switch at the same
time another machine is connected to the same switch. That machine's
MAC address will float between its real port and the IWSVA port.
This only occurs in the Transparent Bridge mode.

To fix this issue, add the MAC address filter option. To do this,
access the /etc/iscan/network.ini file using the CLISH tool, and run
one of the following commands:

- add mac_filter=[mac address which you want to skip]
  or
- add mac_filter!=[mac address which you want to scan]

Then, type the command "service network restart" on the console.

7.15 Application Control may not block an already established
     connection.
=====================================================================
The Application Control feature only blocks new connections to the
protocols specified in a new policy. If you deploy a new policy to
block Skype after being logged on to Skype, then Skype is not
blocked. However, if you log off Skype and then log on again, the
policy works, and Skype is blocked.

7.16 The time quota value requires settings to be in multiples of 5.
=====================================================================
This is caused by the time quota implementation method. The default
quota unit is five minutes. Trend Micro recommends that
administrators set the "Time quota" value to a multiple of five.
Otherwise, IWSVA ignores the remainder if it is less than five.

For example, if the value is set to four minutes, IWSVA interprets
that as zero minutes. If the value is set to nine minutes, IWSVA
interprets that as five minutes.

The time quota setting depends on the system time. For example, if it
is now 10:03 and the time quota = 5, the end user could only have
access for two minutes. That happens because the time quota is split
into five-minute increments (10:00-10:05, 10:05-10:10, etc.). Every
five minutes, a new increment begins.
7.17 An error message may be returned when you install IWSVA on a
     VMware ESX Virtual Machine.
=====================================================================
When you install IWSVA on a VMware ESX Virtual Machine, occasionally
you might see the following error message:

"Memory for crash kernel (0x0 to 0x0) not within permissible range"

This message is normal and safe to ignore.

7.18 A missing storage controller causes the system to show the
     "minimum hardware requirements were not met" message.
=====================================================================
The installer checks whether a storage controller exists. If the
machine cannot find a storage controller, the installation will fail
even if the minimum hardware requirements for memory and disk are
met.

The workaround is to skip the hardware check. To skip the hardware
check:

1. When the "Minimum hardware requirements were not met" message is
   displayed, click "Next."
2. When the installation menu page appears, press "Tab" to open a
   command line.
3. Type "nohwfail" and press "Enter" to continue installing IWSVA.

7.19 File Transfer Protocol (FTP) data will be identified as
     "Unclassified" in the application category details when FTP
     scanning is enabled.
=====================================================================
The IWSVA FTP daemon modifies the contents of the packets in user
mode. Some critical parts of the FTP packets that are usually
recognized are changed. This change prevents the application
signature engine from recognizing the data, and it will be marked as
"Unclassified."

The only way to avoid this issue at this time is to disable FTP
scanning.

7.20 Some browsers or applications might not display the IWSVA
     blocking notification page if those browsers do not handle the
     HTTP 403 forbidden error well or if they ignore the error.
=====================================================================
For example, the HTTP connection will be reset by IWSVA if a browser
keeps posting a large file and ignoring the HTTP 403 block page
notification from IWSVA.

In another example, the Google search page does not show any response
if the query is blocked by the IWSVA query keyword filter. This
happens when the Google search setting "Use Google Instant
predictions and results appear while typing" is enabled. This is
because the Google page uses AJAX to query data with a private
format, not normal HTML. As a result, it ignores the IWSVA 403 block
notification page. The block page is displayed correctly after
"Google Instant" is disabled.

In these examples, the HTTP Inspection filter is working correctly
and content is blocked, but the user may not receive feedback
explaining why the content is blocked because the browser cannot
display the IWSVA notification.

7.21 If the time zone is not UTC+/-n hours, the dashboard and log
     query information will not sync.
=====================================================================
If the time zone offset does not fall on the top of the hour, such as
UTC+4:30 or UTC+5:45, the data presented on the dashboard or in log
queries might not sync with the raw log data, but the logs in the
database are correct.

8. Contact Information
========================================================================
A license to the Trend Micro software usually includes the right to
product updates, pattern file updates, and basic technical support
for one (1) year from the date of purchase only. After the first
year, Maintenance must be renewed on an annual basis at Trend Micro's
then-current Maintenance fees.

You can contact Trend Micro via fax, phone, and email, or visit us
at:

http://www.trendmicro.com

Evaluation copies of Trend Micro products can be downloaded from our
Web site.
Global Mailing Address/Telephone Numbers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
For global contact information in the Asia/Pacific region, Australia
and New Zealand, Europe, Latin America, and Canada, refer to:

http://www.trendmicro.com/en/about/overview.htm

The Trend Micro "About Us" screen displays. Click the appropriate
link in the "Contact Us" section of the screen.

Note: This information is subject to change without notice.

9. About Trend Micro
========================================================================
Trend Micro Incorporated, a global leader in Internet content
security and threat management, aims to create a world safe for the
exchange of digital information for businesses and consumers. A
pioneer in server-based antivirus with over 20 years experience, we
deliver top-ranked security that fits our customers’ needs, stops new
threats faster, and protects data in physical, virtualized and cloud
environments. Powered by the Trend Micro Smart Protection Network(TM)
infrastructure, our industry-leading cloud-computing security
technology and products stop threats where they emerge, on the
Internet, and are supported by 1,000+ threat intelligence experts
around the globe. For additional information, visit
www.trendmicro.com.

Copyright 2015, Trend Micro Incorporated. All rights reserved.
Trend Micro, the t-ball logo, and InterScan are trademarks of Trend
Micro Incorporated and are registered in some jurisdictions. All
other marks are the trademarks or registered trademarks of their
respective companies.

10. License Agreement
========================================================================
Information about your license agreement with Trend Micro can be
viewed at:

http://us.trendmicro.com/us/about/company/user_license_agreements/

Third-party licensing agreements can be viewed:

- By selecting the "About" option in the application user interface
- By referring to the "Legal" page of the Getting Started Guide or
  Administrator's Guide