Trend Micro Incorporated                               October 9th, 2024
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Trend Micro(TM) InterScan Web Security Virtual Appliance 6.5 -
   Service Pack 4

   English - Linux - 64 Bits
   Service Pack 4 build 5124
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTICE: Before proceeding, please see the readme for complete patch or
service pack details.

This document contains late-breaking product information that is not
found in the online or printed documentation. Topics include a
description of new features, installation tips, known issues, and
release history.

The latest version of the readme file is available in electronic form
at:

   http://www.trendmicro.com/download/

TIP: Register online with Trend Micro within 30 days of installation to
continue downloading new pattern files and product updates from the
Trend Micro website. Register during installation or online at:

   https://clp.trendmicro.com/FullRegistration?T=TM

Contents
================================================================
1. About InterScan Web Security Virtual Appliance
   1.1 Overview of This Release
   1.2 Who Should Install This Release
2. What's New
   2.1 Enhancements
   2.2 Resolved Known Issues
3. Documentation Set
4. System Requirements
5. Installation
   5.1 Fresh Install
   5.2 Inbox Upgrade from IWSVA 6.5 Service Pack 3
6. Post-installation Configuration
7. Known Issues
8. Release History
9. Files Included in This Release
10. Contact Information
11. About Trend Micro
12. License Agreement
================================================================

1. About InterScan Web Security Virtual Appliance
========================================================================
InterScan Web Security Virtual Appliance (IWSVA) is an on-premise
secure web gateway that gives you superior protection against dynamic
online threats, while providing you with real-time visibility and
control of employee internet usage.
InterScan Web Security is also available in the cloud as a service.

1.1 Overview of This Release
====================================================================
IWSVA 6.5 Service Pack 4 is based on IWSVA 6.5 Service Pack 3 and
provides the same malware protection, policy, logging, and reporting
capabilities. IWSVA 6.5 Service Pack 4 contains all applicable previous
fixes and patches released after IWSVA 6.5 Service Pack 3.

1.2 Who Should Install This Release
====================================================================
You should install this service pack if you are running any build of
IWSVA released after version 6.5 Service Pack 3.

2. What's New
========================================================================

2.1 Enhancements
====================================================================
The following enhancements are included in this service pack:

Enhancement 1: Operating System - This service pack switches the
               operating system from CentOS to standard Rocky Linux to
               ensure consistent support and maintain
               hardware/hypervisor compatibility with Rocky Linux.

Enhancement 2: This service pack adds support for installation on
               hardware with UEFI Secure Boot enabled. However, if you
               need to switch to bridge mode, hardware "Secure Boot"
               must be disabled first.

               Note: A service pack installed through the inline
               upgrade supports legacy BIOS mode only.

2.2 Changes
====================================================================
The following changes are included in this service pack:

Change 1: If you have a network interface card (NIC) with LAN bypass
          features, please note that LAN bypass features in bridge mode
          are not supported in this service pack.

2.3 Resolved Known Issues
====================================================================
There are no known issues in this release.

3. Documentation Set
========================================================================
To download or view electronic versions of the documentation set for
this product, go to http://docs.trendmicro.com

- Online Help: The Online Help contains an overview of features and key
  concepts, and information on configuring and maintaining the product.
  - To access the Online Help, go to http://docs.trendmicro.com

- Support Portal: The Support Portal contains information on
  troubleshooting and resolving known issues.
  - To access the Support Portal, go to http://success.trendmicro.com

4. System Requirements
========================================================================

4.1 Administrator Web Console Requirements
====================================================================
- Google Chrome 100 or later
- Mozilla Firefox 100 or later
- Microsoft Edge on Windows 10 or later

4.2 Others
====================================================================

4.2.1 Minimum Hardware
----------------------
- Single 2.0 GHz Intel Core2 Duo 64-bit processor supporting Intel VT
  or equivalent
- 4 GB RAM
- 50 GB disk space (IWSVA automatically partitions the detected disk
  space as required)

4.2.2 Server Platform Compatibility
-----------------------------------
- Virtual Appliances
  Supports VMware ESX and ESXi v7.0, v8.0
  Supports Hyper-V on Windows Server 2019 and Windows Server 2022

  NOTE: If you use a virtual platform for IWSVA, reserve adequate
  resources for IWSVA. Otherwise, needed resources may be used by other
  instances on the same physical machine, and IWSVA may not function as
  designed.

- Software Appliances
  IWSVA 6.5 SP4 uses Rocky Linux 9 as its base platform; compatibility
  follows that of Rocky Linux 9.

5. Installation
========================================================================
This section explains the key steps for installing this service pack.

NOTE: Due to OS changes in IWSVA 6.5 Service Pack 4, Trend Micro
recommends:

   1. Perform a fresh installation of IWSVA 6.5 Service Pack 4
   2. Import your backed-up IWSVA 6.5 Service Pack 3 configuration

This approach is preferred over an in-box upgrade from Service Pack 3.

NOTE: If performing a fresh install on a VMware ESX server, Trend Micro
recommends configuring the following settings:

   - For Guest OS family, select "Linux"
   - For Guest OS version, select "Other 5.x Linux (64-bit)"

NOTE: IWSVA 6.5 Service Pack 4 can only be installed on the first disk.
If there are multiple physical disks, Trend Micro recommends combining
them into a single logical unit for the IWSVA 6.5 Service Pack 4
installation.

5.1 Fresh Install
====================================================================
To freshly install this release:

1. Start the system using the IWSVA Installation DVD created from the
   IWSVA ISO image. A page appears displaying the IWSVA Installation
   Menu with the following options:
   - Install IWSVA
   - Exit

2. Select "Install IWSVA". The license acceptance page appears.

3. Click "Accept" to continue. You will be prompted to choose the disks
   to use for the installation.

4. Select the drive(s) used for installation and click "Next". The
   "Hardware Profile" page displays.

   NOTE: IWSVA 6.5 Service Pack 4 will always be installed on the first
   disk. Please check the "Storage" information on the "Hardware
   Profile" page carefully to ensure that the installation process
   targets the correct disk.

5. Select "Continue". A warning page appears to notify you that the
   disks will be repartitioned and all data will be lost.

6. Select "Continue". The installation progress page appears. The
   system restarts automatically after the installation completes and
   the IWSVA CLI Shell page displays.

7. Log in with the default system account "admin", and password
   "adminIWSS85".

8. Type in "enable" and the password "adminIWSS85" to enter privileged
   mode.

9. Run the following command.

      configure network basic

10. Follow the guide to set the following system configuration
    settings:
    - Host name
    - IPv4 address
    - Subnet mask
    - IPv4 gateway
    - Preferred IPv4 DNS
    - Alternate IPv4 DNS (optional; can be skipped)

11. Type in "Y" to confirm the changes and restart. The system restarts
    to complete the fresh installation.

5.2 Inbox Upgrade from IWSVA 6.5 Service Pack 3
====================================================================
Administrators can run the upgrade from IWSVA 6.5 Service Pack 3 to
Service Pack 4 through the web console. After the upgrade completes,
the related configuration and data generated by IWSVA 6.5 Service Pack
3, such as report templates, text logs, and logs held in databases, is
retained by IWSVA 6.5 Service Pack 4.

You should still back up your configuration and policy files for
safe-keeping and for restoration later in case an unrecoverable error
occurs during the upgrade.

To perform an upgrade from the previous version of IWSVA to the current
version, do the steps in 5.2.1 and 5.2.2.

5.2.1 To back up existing IWSVA 6.5 Service Pack 3 settings:
--------------------------------------------------------------------
1. Log on to the web console.

2. Go to "Administration > Config Backup/Restore".

3. Click "Export". The screen displays a progress bar. After the export
   process finishes, a page displays the results. If the configuration
   export was successful, the web console opens a notification that
   allows you to save the configuration file to a local disk.

4. Save the file to a local drive on your computer.

5.2.2 To upgrade an earlier version of IWSVA to IWSVA 6.5 Service Pack 4:
--------------------------------------------------------------------
NOTICE: When upgrading from IWSVA 6.5 SP3 to IWSVA 6.5 SP4, the NIC
(Network Interface Card) ordering may change due to differences in the
underlying system.

1. To handle NIC ordering changes during the upgrade, follow these
   steps:
   - SSH to the IWSVA backend OS and make a note of the current NIC
     names and their corresponding MAC addresses on IWSVA 6.5 SP3.
   - It is highly recommended to remove all data port NIC connections
     before you upgrade; only the management port connection is needed
     for the upgrade operation.

2. Log on to the web console as administrator.

   NOTE: Trend Micro recommends that you use Google Chrome to perform
   upgrade tasks. Internal tests suggest that Chrome does these tasks
   more quickly than other browsers.

3. Dissolve any clusters and set IWSVA to work in Standalone Mode
   before upgrading. Specifically, verify that IWSVA is not set to work
   in any of the following cluster modes:
   - Configuration Replication
   - Central Log/Reporting
   - High Availability (HA) mode

4. Go to "Administration > System Update" to verify the IWSVA 6.5
   Service Pack 3 build.

5. If running a lower build, apply the latest patch/hotfix to IWSVA 6.5
   Service Pack 3, Build 3353 or higher for the English version.

6. Download the IWSVA 6.5 Service Pack 4 upgrade package from the
   download page on the Trend Micro website to the host that will be
   performing the update.

7. Go to "Administration > System Updates", click "Choose File", locate
   the upgrade package, and click "Open".

8. Click "Upload" to transfer the upgrade package to the server.

   NOTES:
   - The Inbox upgrade package is huge and requires a certificate
     check, which may take 10 to 15 minutes after you click the
     "upload" button. During this time, the web console does not
     respond. Wait until the check has completed and the web console
     responds again. Do not attempt to interrupt the check.
   - It is recommended to check the backend file
     "/var/iwss/patch/log/patch.log", which logs the file upload
     progress details. Wait until the log says "Verification OK." and
     "install sp4 inbox".

9. After the package uploads successfully, the admin UI displays the
   "Install" option. Click "Install" to start the installation. The
   installation may need another 10 to 20 minutes. Ignore the admin UI
   time prompt and check the backend upgrade log instead.

   NOTES:
   - The patch mechanism checks the service pack package and copies the
     upgrade script to "/var/upgrade_tool".
   - If you encounter the following message, delete any TMP files or
     CDT files in IWSVA to free up more space.
     "There is not enough free disk space. The minimum requirement is
     3GB."
   - It is recommended to check "/var/upgrade_tool/upgrade.log" while
     upgrading until the log says "You have successfully upgrade to
     IWSVA 6.5 SP4. The system will now reboot!"

10. After the upgrade finishes, IWSVA automatically reboots. Typically,
    the restart takes several minutes to complete. After IWSVA
    restarts, refresh the web console page to log on.

    NOTE: The web console may not be accessible after the reboot
    because the NIC ordering has changed. Check the new NIC names
    against their MAC addresses, then reconnect IWSVA's network
    interfaces to the correct switch and subnet based on the new NIC
    ordering.

11. If LDAP is configured, manually sync LDAP with the local database.
    Otherwise, the end user may not pass LDAP authentication. To do
    this, go to "Administration > IWSVA Configuration > User
    Identification > Advanced" and then click "Sync with LDAP servers".

12. Confirm or appropriately configure all new features and settings.

6. Post-installation Configuration
========================================================================
The Deployment Wizard launches when you first log into the web console.
Use the Deployment Wizard to complete your installation.

7. Known Issues
========================================================================
Known issues in this release:

The following are new known issues from IWSVA 6.5 SP4:

#1 After upgrading to SP4 on VMware, it may prompt "The configured
   guest OS for this virtual machine does not match the guest that is
   currently running(Other 5.x Linux(64-bit)). You should specify the
   correct guest OS to allow for guest-specific optimizations".

   The workaround is to follow the VMware Actions and change the "Guest
   OS Version" to "Other 5.x Linux (64-bit)".

#2 In IWSVA Service Pack 4, if you add a new network interface card
   (NIC) to the system, the naming of the network interfaces sometimes
   changes after the OS reboots. For example, eth0 changes to eth3.
   This can lead to confusion and misconfiguration of network settings.

   The workaround is to reconnect IWSVA's network interfaces to the
   correct switch and subnet based on the new NIC ordering.

The following are known issues from IWSVA 6.5 SP3:

#1 Known issue: [Reported at: IWSVA 6.5.0 GM B1200]
   This happens when IWSVA uses multiple authentication servers, and
   the Active Directory domain is configured before any other type of
   server.

   To fix this known issue, delete the Active Directory domain only,
   and configure it again.

#2 Known issue: [Reported at: IWSVA 6.5.0 GM B1200]
   Some applications use HTTPS. Under this scenario, HTTPS decryption
   for this app URL must be enabled, otherwise, HTTPS-based
   applications cannot be blocked. For example, Yahoo mail uses HTTPS
   for Internet Explorer 10, Firefox 23, and Chrome 30.0. To keep
   granular application control working, an HTTPS decryption policy
   must be set.

   1. Add a customized category in "HTTP > Configuration > Customized
      Categories". For example, "appcontrol". Add the application's
      connection URLs and URL keywords.
   2. Enable HTTPS decryption and select a category to be decrypted.
      For example, in "HTTPS Decryption > Policies", enable "HTTPS
      Decryption".
      Select the URL category for "appcontrol" to be decrypted.

#3 Known issue: [Reported at: IWSVA 6.5.0 GM B1200]
   If LDAP authentication is enabled in the bridge or WCCP mode, HTTPS
   requests will not trigger an LDAP query. If no HTTP request has
   performed an LDAP authentication and set up the IP-user cache before
   the HTTPS request is made, HTTPS will not be able to do the
   user-based policy match. It will use "IP" or "Unknown" as the
   username.

#4 Known issue: [Reported at: IWSVA 6.5.0 GM B1200]
   Log server mode triggers only log sources sending logs to the log
   server. Related configurations, such as log filtering settings,
   anonymous logging, and HTTPS tunnelling settings, will not take
   effect on the log sources because their configurations cannot be
   automatically synchronized between log servers and log sources.

   If those features are needed, it is strongly recommended to use
   replication configuration and make the log server a configuration
   replication source as well. Use the "Manual Replication," and select
   "Policy & Configuration Replication" to sync both policies and
   configurations from the log server to the log sources.

#5 Known issue: [Reported at: IWSVA 6.5.0 GM B1200]
   HTTPS Decryption Limitation

   1. When visiting HTTPS sites by IP address in bridge mode, the HTTPS
      requests will be tunnelled. The workaround is to change the
      "client_hello_no_host_tunnel=no" key in the "intscan.ini" file.
   2. For Windows XP+IE8, HTTPS will not do decryption in bridge mode.
      The workaround is to change the "client_hello_no_host_tunnel=no"
      key in the "intscan.ini" file.

#6 Known issue: [Reported at: IWSVA 6.5.0 GM B1200]
   When Directory Settings are configured, IWSVA synchronizes with the
   listed LDAP server every 24 hours. When an LDAP user/group is added
   to the directory server, the change takes effect when the next
   synchronization cycle begins. For faster synchronization with the
   LDAP server, do a Manual Sync with the LDAP server.
   * On the "User Identification" page, click the "Sync with LDAP
     servers" button.

#7 Known issue: [Reported at: IWSVA 6.5.0 GM B1200]
   Firefox users see a certification exception dialog when attempting
   to access HTTPS URLs with an IPv6 address in DNS. Workarounds
   include:
   * Use the host name of the IPv6 server.
   * Do not use the IP address to access HTTPS-related IPv6 web sites.
   * Use IE or Chrome web browsers to access the site.

#8 Known issue: [Reported at: IWSVA 6.5.0 GM B1200]
   In reverse proxy mode, traffic cannot be forwarded to IPv6 servers
   with a link-local address. End-users cannot access the web server
   and will not be protected by IWSVA.

   The workaround is to use a global IPv6 address for the protected
   server behind IWSVA.

#9 Known issue: [Reported at: IWSVA 6.5.0 GM B1200]
   Safari has a more stringent certificate-checking mechanism and does
   not accept IWSVA Captive Portal's default certificate.

   Workaround: Do not use Safari to surf the Internet through IWSVA, or
   deactivate cookie mode.

#10 Known issue: [Reported at: IWSVA 6.5.0 GM B1200]
    The "show network interfaces status" command is a function of IWSVA
    CLISH. It helps an administrator check the current interface
    status. If the administrator does not type anything in CLISH within
    900 seconds, CLISH cannot quit the usual way through the console.
    The administrator can use the "killall" and "shownic" commands to
    quit.

    To stop the current timeout process:
    1. Change to another console by pressing ALT+F2.
    2. Use the following "killall" command to end the timeout process.
       `killall -9 shownic`

#11 Known issue: [Reported at: IWSVA 6.5.0 GM B1200]
    The Application Control feature only blocks new connections to the
    protocols specified in a new policy. If you deploy a new policy to
    block Skype after being logged on to Skype, then Skype is not
    blocked. However, if you log off Skype and then log on again, the
    policy works, and Skype is blocked.
#12 Known issue: [Reported at: IWSVA 6.5.0 GM B1200]
    This is caused by the time quota implementation method. The default
    quota unit is five minutes. Trend Micro recommends that
    administrators set the "Time quota" value to a multiple of five.
    Otherwise, IWSVA ignores the remainder if it is less than five. For
    example, if the value is set to four minutes, IWSVA interprets that
    as zero minutes. If the value is set to nine minutes, IWSVA
    interprets that as five minutes.

    The time quota setting depends on the system time. For example, if
    it is now 10:03 and the time quota = 5, the end user could only
    have access for two minutes. That happens because the time quota is
    split into five-minute increments (10:00-10:05, 10:05-10:10, etc.).
    Every five minutes, a new increment begins.

#13 Known issue: [Reported at: IWSVA 6.5.0 GM B1200]
    If the machine cannot find a storage controller, the installer will
    check if the storage controller exists. If the storage controller
    does not exist, the installation will fail even if the minimum
    hardware requirements for memory and disk are met.

    The workaround is to skip the hardware check. To skip the hardware
    check:
    1. When the "Minimum hardware requirements were not met" message is
       displayed, click "Next".
    2. When the installation menu page appears, press "Tab" to open a
       command line.
    3. Type "nohwfail" and press "Enter" to continue installing IWSVA.

#14 Known issue: [Reported at: IWSVA 6.5.0 GM B1200]
    For example, the HTTP connection will be reset by IWSVA if a
    browser keeps posting a large file and ignoring the HTTP 403 block
    page notification from IWSVA.

    In another example, the Google search page does not show any
    response if the query is blocked by the IWSVA query keyword filter.
    This happens when the Google search setting "Use Google Instant
    predictions and results appear while typing" is enabled. This is
    because the Google page uses AJAX to query data with a private
    format, not normal HTML. As a result, it ignores the IWSVA 403
    block notification page. The block page is displayed correctly
    after "Google Instant" is disabled.

    In these examples, the HTTP Inspection filter is working correctly
    and content is blocked, but the user may not receive feedback
    explaining why the content is blocked because the browser cannot
    display the IWSVA notification.

#15 Known issue: [Reported at: IWSVA 6.5.0 GM B1200]
    If the time zone is UTC+4:30 or UTC+5:45, which is not at the top
    of the hour, the data presented on the dashboard or in log queries
    and the raw log data might not be in sync with each other, but the
    log in the database is correct.

#16 Known issue: [Reported at: IWSVA 6.5.2 Service Pack 2 B1548]
    IWSVA bandwidth control is implemented via Linux's traffic control
    subsystem, while content cache transfers the upstream traffic via
    the logical network interface, lo, which is not controlled by
    traffic control. As such, IWSVA bandwidth control does not control
    the upstream traffic, which is instead directed through lo.

    To work around this issue, disable content cache, and configure
    Apache Traffic Server (ATS) as an upstream proxy for IWSVA.

8. Release History
========================================================================
For more information about updates to this product, go to:

   http://www.trendmicro.com/download

9. Files Included in This Release
========================================================================
Not applicable.

10. Contact Information
========================================================================
A license to Trend Micro software usually includes the right to product
updates, pattern file updates, and basic technical support for one (1)
year from the date of purchase only. After the first year, you must
renew Maintenance on an annual basis at Trend Micro's then-current
Maintenance fees.

Contact Trend Micro via fax, phone, and email, or visit our website to
download evaluation copies of Trend Micro products.
   https://www.trendmicro.com/en_us/contact.html

NOTE: This information is subject to change without notice.

11. About Trend Micro
========================================================================
Smart, simple, security that fits. As a global leader in IT security,
Trend Micro develops innovative security solutions that make the world
safe for businesses and consumers to exchange digital information.

Copyright 2024, Trend Micro Incorporated. All rights reserved.
Trend Micro, the t-ball logo, OfficeScan, Trend Micro Security (for
Mac), Control Manager, Trend Micro Apex One, and Trend Micro Apex
Central are trademarks of Trend Micro Incorporated and are registered
in some jurisdictions. All other product or company names may be
trademarks or registered trademarks of their owners.

12. License Agreement
========================================================================
View information about your license agreement with Trend Micro at:

   https://www.trendmicro.com/en_us/about/legal.html

Third-party licensing agreements can be viewed:
- By selecting the "About" option in the application user interface
- By referring to the "Legal" page of the "Administrator's Guide"
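
Added example for section 5.2.2, step 1 and step 10, and for the NIC renaming described under the SP4 known issues: a script that records each NIC name with its MAC address before the upgrade and reports which names moved afterwards. It is not part of the Trend Micro readme or product; the function names and the files before.txt and after.txt are hypothetical, and it assumes the backend OS lists interfaces under /sys/class/net.

```shell
#!/bin/sh
# Added example, not Trend Micro code. Function and file names are
# hypothetical. Assumption: the backend OS lists interfaces under
# /sys/class/net, as stock CentOS and Rocky Linux do.

# nic_snapshot [NET_DIR]: print "mac name" for each physical NIC, sorted
# by MAC. Virtual interfaces (lo, bridges, bonds) have no "device" entry
# and are skipped, so a bridge that borrows a member's MAC is not counted.
nic_snapshot() {
    net_dir="${1:-/sys/class/net}"
    for dev in "$net_dir"/*; do
        [ -e "$dev/device" ] || continue
        [ -r "$dev/address" ] || continue
        mac=$(tr 'A-F' 'a-f' < "$dev/address")
        printf '%s %s\n' "$mac" "${dev##*/}"
    done | sort
}

# nic_compare BEFORE AFTER: report every MAC whose interface name moved,
# disappeared or is new. Returns 0 when the mapping is unchanged, else 1.
nic_compare() {
    report=$(awk '
        FILENAME == ARGV[1] { before[$1] = $2; next }
        { after[$1] = $2 }
        END {
            for (mac in before) {
                if (!(mac in after)) {
                    printf "missing %s %s\n", mac, before[mac]
                } else if (after[mac] != before[mac]) {
                    printf "renamed %s %s -> %s\n", mac, before[mac], after[mac]
                }
            }
            for (mac in after) {
                if (!(mac in before)) printf "added %s %s\n", mac, after[mac]
            }
        }' "$1" "$2" | sort)
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# nic_demo: run both steps on two constructed sysfs-like trees. All MACs
# and names below are sample values, not taken from a real appliance.
nic_demo() {
    tmp=$(mktemp -d) || return 2
    mk_nic() {  # mk_nic TREE NAME MAC
        mkdir -p "$tmp/$1/$2/device"
        printf '%s\n' "$3" > "$tmp/$1/$2/address"
    }
    mk_nic sp3 eth0 00:50:56:AA:00:01
    mk_nic sp3 eth1 00:50:56:aa:00:02
    mk_nic sp4 eth0 00:50:56:aa:00:02    # same two cards, names swapped
    mk_nic sp4 eth1 00:50:56:aa:00:01
    mk_nic sp4 eth2 00:50:56:aa:00:03    # card added later
    mkdir -p "$tmp/sp4/br0"              # virtual bridge, must be ignored
    printf '00:50:56:aa:00:01\n' > "$tmp/sp4/br0/address"
    nic_snapshot "$tmp/sp3" > "$tmp/before.txt"
    nic_snapshot "$tmp/sp4" > "$tmp/after.txt"
    nic_compare "$tmp/before.txt" "$tmp/after.txt" && rc=0 || rc=$?
    rm -rf "$tmp"
    return "$rc"
}

# Usage: sh nic_map.sh snapshot > before.txt   (on SP3, before upgrading)
#        sh nic_map.sh snapshot > after.txt    (on SP4, after the reboot)
#        sh nic_map.sh compare before.txt after.txt
case "${1:-}" in
    snapshot) nic_snapshot ;;
    compare)  nic_compare "$2" "$3" ;;
    demo)     nic_demo ;;
esac
```

Keep before.txt off the appliance (for example with the exported configuration backup), since a fresh install repartitions the disk.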