content analysis 1 2 4 4_rn

Content Analysis System Version 1.2.4.4 Release Notes

Version: 1.2.4.4Build: 157593Release Date: 5/15/2015Document Revision: 2.0 on 5/18/2015

IntroductionThese release notes apply to the Blue Coat Content Analysis appliance. For release specific information, refer to the following:

p Section A: "Content Analysis 1.2.4.4 Release"

p Section B: "Content Analysis 1.2.4.3 Release"

p Section C: "Content Analysis 1.2.4.2 Release" on page 5

p "Content Analysis 1.2.4.2 Resolved Issues" on page 7

p "Content Analysis 1.2.4.2 Known Issues" on page 7

p Section D: "Content Analysis 1.2.3 Release" on page 9

p "Content Analysis 1.2.3 Resolved Issues" on page 9

p "Content Analysis 1.2.3 Known Issues" on page 9

p Section E: "Content Analysis 1.2.1.3 Release" on page 10

p Section F: "Content Analysis 1.2.1.2 Release" on page 11

p Section G: "CAS 1.1.5.2 Release" on page 13

p Section H: "CAS 1.1.5.1 Release" on page 14

p Section I: "CAS 1.1.4.2 Release" on page 15

p Section J: "CAS 1.1.4.1 Release" on page 16

p Section K: "CAS 1.1.3.1 Release" on page 17

Before you install or configure Content Analysis, refer to the following sections:

p "How does Content Analysis System Work?" on page 2

p "Initial Configuration" on page 8

p "Content Analysis System Licensing" on page 8

p "Support" on page 18

Blue Coat Content Analysis 1.2.4.4 Release Notes

Upgrade NoticeUpgrades to Content Analysis version 1.2 releases are only supported from version 1.1.5.2 or above. If your appliance is running a release earlier than version 1.1.5.2, please upgrade to 1.1.5.2 prior to upgrading to 1.2 releases.

How does Content Analysis System Work?p Anti-virus, malware, and spyware scanning with multiple simultaneous anti-virus

vendors.

p Whitelisting compares requested files hashes against a whitelist of specific files, hosts, and destination addresses.

p When a file is found to not be a virus and is not in the file whitelist, Content Analysis can send the file to an external appliance (Blue Coat’s Malware Analysis Appliance or FireEye appliance) to run the file in a virtualized Windows workstation environment. The actions of the file (registry edits, requests to malicious web sources), are identified and included in a detailed report sent to the Content Analysis administrator.

p Cached Responses can be used to speed up processing for files that have been scanned previously.

p The Blue Coat WebPulse service is an integral part of Content Analysis protection. Users are protected by the BCWF database on the ProxySG appliance, and when viruses and malware are discovered through scanning, those results can be shared with Blue Coat to classify bad URLs for the benefit of all WebPulse users worldwide.

2


Section A: Content Analysis 1.2.4.4 Release

What’s New?No new features have been added to this release.

Content Analysis 1.2.4.4 Resolved IssuesThis release resolves the following issues:

p Upgrade failure on Content Analysis Virtual Appliance due to a timeout while downloading the birth certificate (B#215250).

p Slow browsing due to queued ICAP connections (B# 216223).

p Content Analysis handles 301 HTTP response incorrectly (B# 217381).

p Whitelisting file verification causes scanning latency (B# 217380).

p Unknown reboot on Content Analysis running 1.2.4.1 (B# 216266).

3


Section B: Content Analysis 1.2.4.3 Release

What’s New?No new features have been added to this release.

Content Analysis 1.2.4.3 Resolved IssuesThis release resolves the following issues:

p Sophos updates fail periodically with Content Analysis 1.2.4.1. (B#216003)

p Slow browsing due to queued ICAP connections. (B#216223)

4


Section C: Content Analysis 1.2.4.2 ReleaseWhat’s New?

S200 Hardware SupportContent Analysis has added S200 hardware support to this release.

Dashboard UpdatesContent Analysis has added increased visibility from the management console into threats detected, scanned, and scanning as well as a system summary and last antivirus pattern updates. The home page of the management console includes the Last 5 Threats Discovered.

To drill down on any information in the home page, go to Statistics > Overview, as shown in the following example:

5


Email Day ReportAn Email Day Report option has been added to the Statistics tab. The report is available from Statistics > Overview, Cache Hits, Connections, CPU/Memory Usage, ICAP Objects, Object Bytes, Sandboxing and Whitelisting. Users have the option to schedule the day report:

SNMPv1 and SNMPv3 SupportSNMP v1 and SNMPv3 Support has been added to this release.

CLI command >access_listThe CLI command >access list has been added to this release. The command enables the setup of network access for ICAP and web management.

6


Content Analysis 1.2.4.2 Resolved Issuesp Ghost Vulnerability (CVE-2015-0235) has been fixed in the COE. (B#214093)

p Blocking AV File Types when using Kaspersky is not working as expected. (B#211929)

p Duplicate routes noticed after adding a network route to CAS device. (B#214089)

p Services are not restored after crash. (B#214522)

p Unable to add routes with Netmask of 255.255.255.255 (B#214615)

p Whitelisting (hours) is confused with Whitelisting (days). (B#212583)

p MAA reports error, 'failed with HTTP code 404' when trying to send .zip archives. (B#214286)

p Unable to delete IP address on 2nd interface. (B#203507)

p McAfee messages not going to remote syslog. (B#213634)

p McAfee reports 'File within archive size exceeded' instead of 'MIFS' on some files. (B#214038)

p Front Panel LED is set to green before hardware configuration completes. (B#213482)

p Enable editable email and text alerts in the UI. (B#213447)

p CAS does not block some JavaScript files. (B#210028)

p Expose additional monitoring SNMP MIBs. (B#211579)

p Received ‘Server error: 500 Server error’ improperly instead of decode/decompression error. (B#214281)

p Whitelist results are reported as known bad instead of Whitelisted. (B#214036)

p Sophos is not blocking Java byte code. (B#215003)

Content Analysis 1.2.4.2 Known Issuesp Email Day Report button is not documented. See "Dashboard Updates"

7


Initial Configuration 1. Connect to the appliance through the Serial Console connection at the rear

of the appliance.

2. Launch a terminal application, such as hyperterm. Enter the following connection settings: BPS: 9600Data bits: 8Parity: noneStop bits: 1Flow control: none

3. To start the initial configuration wizard, select Initial Setup. This wizard prompts you to define the following settings:IP Address Subnet MaskDefault GatewayDNS ServerAlternate DNS ServerAdministrator password

4. After you have defined the settings in Step 3, you can reach the CAS management console via a web browser as follows: https://x.x.x.x:8082 (replace x.x.x.x with the CAS appliance IP address defined in the previous step)

5. Enter the administrative credentials to log in to the appliance: username: adminpassword: <defined in step 3>

6. On first access, Content Analysis prompts you to apply a license file. You can obtain your license file by registering your appliance at https://bto.bluecoat.com/licensing.

Web Browser SupportThe following Web browsers are compatible with the CAS management console:p Microsoft Internet Explorer version 9 and later.p Mozilla Firefox version 2 and later, including latest stable release.p Google Chrome, latest stable release.

Content Analysis System LicensingYour Content Analysis license defines the components to which your appliance has access. The available components are: p Content Analysis Base license - this is the appliance license and is included

with each subscription.p Anti Virus vendor licenses from Kaspersky Labs, Sophos and McAfee.p Sandboxing - this provides Content Analysis with the ability to analyze

suspicious files in an external sandbox environmentp Whitelisting - component that uses a hash to identify files and sources that

may appear suspicious but are trusted.

8


Section D: Content Analysis 1.2.3 Release

Content Analysis 1.2.3 Resolved Issuesp Java script was not available as a data type to select in the UI to create

policy. (B#211586)

Note: Note: If the policy for CAS is to block or ignore java script files but the web server sends the files compressed or otherwise encoded, CAS does not recognize those files as java script and does not perform the expected action (to block or ignore java script files).

p Selecting an MAA plugin to use (for sample detonation) was not available in the CAS UI. (B#211585)

p Files within archives were not being passed to MAA sandbox for detonation. (B#211584)

p CAS sends host name rather than FQDN (fully qualified domain name) on SMTP connection. (B#210884)

p (SR 2-1003787288) 10G Fiber NIC card does not support bypass mode. (B#209707)

p (SR 2-929566911) Added the ability to disable SNMP (B#209256)

p (SR 2-989676102) Some MP3 files were being treated as executables. (B#209301)

p CAS was not properly checking content length of headers when scanning. (B#208796)

p In some circumstances when ICAP Preview is enabled, CAS will return 400 bad requests. (B#208498)

p After pattern updates, under some circumstances some files will return an error. (B#206570)

p AVWatchdog aggressively restarts SNMP server. (B#205414)

Content Analysis 1.2.3 Known Issuesp CRC errors on sending .rar file to MAA. (B#211270) MERGED WITH Files

inside a .rar archive not being sent to MAA. (B#211302)

CAS HAS LIMITED RAR SUPPORT: Libachive© has limited support for reading RAR archives. Currently, Libarchive can read RARv3 format archives which have been either created un-compressed, or compressed using any of the compression methods supported by the RARv3 format. Libarchive can also read self-extracting RAR archives.

p Files are passed to the MAA sandbox (maximum allowed: 5 archive layers) for detonation. (B#211584)

9


Section E: Content Analysis 1.2.1.3 Release

Content Analysis 1.2.1.3 Resolved Issuesp This release resolves the security vulnerability CVE-2014-6271. For more

information on this vulnerability, please see Blue Coat security advisory SA82 at https://kb.bluecoat.com/index?page=content&id=SA82.

p When the file size exceeded 10MB it was sent to disk, which was closed when the hash was computed. This fix reopens the file before sending the response. (B#208423)

p When the Content Analysis receives updated AV patterns or configuration elements changed, the ISTag was not updated. (#B209492)

10

https://kb.bluecoat.com/index?page=content&id=SA82




Section F: Content Analysis 1.2.1.2 Release

What’s New?p Sandboxing service configuration improved to allow for multiple Blue Coat

Malware Analysis appliances, load balanced based on system health and emulation and IntelliVM queues.

p Support for multiple MAA IntelliVM file execution profiles, as well as SandBox VM emulation on each configured MAA.

p Antivirus, Sandbox and Whitelisting caches can now be cleared from the management console.

Content Analysis 1.2.1.2 Resolved IssuesThe following issues are resolved in Content Analysis 1.2:

p Blue Coat Support Service Request (SR) numbers higher than 2-xxxxxxxxx are now supported (B#200992).

p Sophos fails to block a file when it is larger than the defined Maximum Inividual File Size (MIFS) (B#201706).

p McAfee incorrectly identifies Maximum Individual File Size as File Within Archive

Size Exceeded (B#201707).

p Anti-virus setting for Allow generated a File Blocked message but served the file (B#201361).

p McAfee update fails with the error, “Incremental resolver failed” (B#201197).

p Syslog latency hangs the anti-virus service (B#201223).

p LCD should display appliance IP address and appliance name (B#201563).

p Sandboxing returns an error, “MAA::Pool::GetNext() called, no valid hosts found” (B#201608).

p Sandboxing fails with “:SendGetRequest:failed with HTTP code 401” (B#201610).

p Unable to change DNS addresses in the Management Console (B#201035).

p Error in catalina.out, “Could not parse date::Unparseable date:” (B#201067).

p Logs filling with “Error:Semaphoe::Wait:Timed Out” error messages (B#201384).

p Email alerts should prefix the location of known bad file with “hxxp://rather than “http://” as documented, for safety (B#201565).

p Pattern download status not displayed (B#202023).

11


Content Analysis 1.2 Known IssuesThe following issues are known in Content Analysis 1.2:

p When processing a request modification ICAP scan, Content Analysis does not block file types set in the Global Options file type list (B#193352).Workaround: Define blocked file types for ICAP requests in Kaspersky or

Sophos anti-virus settings directly.

p When processing a request modification ICAP scan, Content Analysis blocks all files if unknown is set in Kaspersky anti-virus settings (B#191055).Workaround: Do not set the Unknown file type to block.

p The error, Failure occurred when requesting a log rotation is produced when system logs are rotated. The log rotation does take place, but the error suggests that it did not (B#202088). No workaround required.

p Downgrading from Content Analysis 1.2 to 1.1.5.2 with LDAPS configured causes an exception when trying to authenticate as an LDAP user (B#201922). Workaround: In this scenario, administrators should log in with a local user account.

p Issues are caused by exporting and importing a configuration file when extended characters are present at the end of the Content Analysis system hostname (B#196562).Workaround: Refrain from using extended characters when defining system hostnames.

p The screen does not automatically refresh the page after the administrator clicks the Reset All Historical Statistics button (B#196688)Workaround: Manually refresh the screen to see a refreshed view of the statistics report.

p Setting a blank LDAP Role Attribute will cause an exception and can lead to unpredictable results (B#198357).Workaround: Do not set a blank LDAP Role Attribute.

p Whitelisting and Sandboxing threats are not detected in files that are uploaded via forms encoded in MIME (B#202393).Workaround: None.

12


Section G: CAS 1.1.5.2 Release

CAS 1.1.5.2 Resolved IssuesThe following issues are resolved in CAS 1.1.4.2:

p In previous versions, CAS was vulnerable to OpenSSL 1.0.1. TLS/DTLS heartbeats are vulnerable to buffer over-read that discloses information kept in process memory. For specific information regarding Security Advisory 79, see:


For all Blue Coat Security Advisories, refer to:https://kb.bluecoat.com/index?page=content&channel=SECURITY_ALERTS

13


https://kb.bluecoat.com/index?page=content&channel=SECURITY_ALERTS


Section H: CAS 1.1.5.1 Release

What’s New?p CAS 1.1.5.1 is being released as a virtual appliance for general availability.

p Support for up to 4 NICS on the S400 Platform.


p ICTM wasn’t immediately dropping slow connections (B#199784).

p Whitelisting performance optimization (B#199388).

p MAA traffic is no longer routed through the explicit proxy (B#199375).

CAS 1.1.5.1 Known IssuesThe following issues are known in CAS 1.1.5.1:

p If you are changing explicit proxy settings, you must restart the ICAP service, in order for whitelisting traffic to use the new settings (B#199781).

p Premature failed update alerts are sent on pattern download failures even though the server recovers automatically (B#199019).

14


Section I: CAS 1.1.4.2 Release


p In previous versions, CAS was vulnerable to a command injection attack from the CLI (B#199318). For specific information about Security Advisory 78, see:


For all Blue Coat Security Advisories, refer to:https://kb.bluecoat.com/index?page=content&channel=SECURITY_ALERTS

15


https://kb.bluecoat.com/index?page=content&channel=SECURITY_ALERTS


Section J: CAS 1.1.4.1 Release

CAS 1.1.4.1Content Analysis System (CAS) 1.1.4.1 is the initial general availability release.

CAS 1.1.4.1 Known IssuesIssue: The Management Console permits saving an invalid network route (B#198738).

Workaround: Provide a network address for a route, not a host address.

Issue: DNS cache is not cleared automatically when you change the DNS server addresses (B#198569).

Workaround: Reboot the appliance after changing DNS settings.

Issue: Upon initial boot or after restoring the appliance to a factory default state, the Onboard Diagnostics tab may display no data (B#198178).

Workaround: Reboot the appliance.

Issue: The Quick Start Guide Addendum Step #1 indicates that there is a default password.

Workaround: This is no longer valid: you can set the default password. For more information, see previous section within these Release Notes.

16


Section K: CAS 1.1.3.1 Release

CAS 1.1.3.1Content Analysis System (CAS) 1.1.3.1 an initial limited availability release.

CAS 1.1.3.1 Known IssuesIssue: When diagnostic data is uploaded to a Blue Coat Service Request, the appliance may report errors.Workaround: The error messages can be ignored.Issue: When a secondary interface on the CAS appliance is configured, removing the IP address and subnet mask has no effect (B#197138).Workaround: If a second interface is not required for your CAS deployment, leave this option blank. If no cable is connected to the secondary interface, this value can be ignored. If you have configured the second interface and need to clear the value, restore the appliance to a default state and only configure the primary interface.Issue: The Test option on Sandboxing doesn't work until you save changes (B#196510).Workaround: Save any changes to the sandboxing configuration before testing.Issue: Reset All Historical Statistics button does not immediately reset all graphs. The graphs clear at the next 30 second update interval (B#196688).Workaround: After clicking Reset All Historical Statistics on the CAS home page, wait as much as 30 seconds for the graphs under Statistics to clear.Issue: When modifying TLS and Cipher ICAP settings, the ICAP service restarts. ICAP scanning is then unavailable for the next 30 seconds or so. Future releases of CAS will include a warning after committing a change to these values (B#196736).Workaround: Wait 30 seconds after making a change to TLS and Cipher settings before scanning ICAP traffic. Note, ICAP scanning logs report failures for this interval.Issue: Administrators can add duplicate local users with conflicting roles. After refreshing the CAS management console, the duplicate user entry replaces the initial user entry (B#195635).Workaround: Avoid creating multiple accounts with the same user name.Issue: When processing a request modification ICAP scan, the CAS appliance blocks all files if unknown is set to block (B#191055).Workaround: Deployments that use the CAS appliance to scan requests should avoid setting the unknown file type to block.Issue: When processing a request modification ICAP scan, the CAS appliance does not block files set in the Global Options file type list (B#193352).Workaround: Define blocked files for ICAP requests in Kaspersky or Sophos settings directly.Issue: The CAS management console does not report the SNMP version being used for SNMP messaging (B#195459).Workaround: The CAS appliance uses SNMP version 3 for traps.

Issue: Audit logs shows enable/disable, serve/block as 0 and 1 when setting file behavior (B#190807).

17


Workaround: When examining CAS appliance logs, note that 0 represents enabled or serve and 1 represents disabled or block.

Issue: Deleting packet capture does not prompt you to confirm the action or refresh the page (B#195591).

Workaround: Use caution when using Troubleshooting > PCAP, as the delete button provides no warning.

Issue: After committing a change to the appliance configuration, a message appears at the bottom of the CAS UI to advise that the change was successful. This message does not clear from AV Scanning Behavior (B#195266).

Workaround: Log out of the CAS management console or use a hard browser refresh, (CTRL+F5) for the success message to clear.

Issue: Using HTTPS for image or license downloads from an internal HTTPS server requires that the server have a trusted certificate installed. Self-signed certificates are not supported.

Workaround: If your HTTPS server does not have a trusted certificate, use an internal HTTP server for local image and license downloads.

SupportFor general information about Blue Coat: [email protected].

Direct support questions regarding this release to Blue Coat Support. For more information, visit: http://www.bluecoat.com/support/contactsupport

Blue Coat Knowledge BaseBlue Coat has a Knowledge Base, which contains information about this product that might not be available in the documentation or Release Notes. The Knowledge Base contains information in the following categories:p Solutionsp FAQsp Alerts—including security alertsp Technical field informationBlue Coat recommends that you regularly search the Knowledge Base for late-breaking information that might not be included in the documentation or release notes.

To view articles in the Knowledge Base:

1. Enter the following URL in your browser’s address or location field:

https://kb.bluecoat.com

2. Do any of the following:• To get an answer to a specific question, enter the question in the Ask a

question field, and click Ask.• To view a specific set of articles, click a selection in the horizontal

navigation bar (Solutions, FAQs, and so on).All of the sections enable you to browse by product, operating system, type of deployment, or topic.

3. Follow the prompts on your screen to locate the desired information.

18

http://www.bluecoat.com/support/contactsupport

https://kb.bluecoat.com


© Blue Coat Systems, Inc. All rights reserved. BLUE COAT, PROXYSG, PACKETSHAPER, CACHEFLOW, INTELLIGENCECENTER, CACHEOS, CACHEPULSE, CROSSBEAM, K9, DRTR, MACH5, PACKETWISE, POLICYCENTER, PROXYAV, PROXYCLIENT, SGOS, CAS, MAA, WEBPULSE, SOLERA NETWORKS, DEEPSEE, DS APPLIANCE, SEE EVERYTHING. KNOW EVERYTHING., SECURITY EMPOWERS BUSINESS, BLUETOUCH, the Blue Coat shield, K9, and Solera Networks logos and other Blue Coat logos are registered trademarks or trademarks of Blue Coat Systems, Inc. or its affiliates in the U.S. and certain other countries. This list may not be complete, and the absence of a trademark from this list does not mean it is not a trademark of Blue Coat or that Blue Coat has stopped using the trademark. All other trademarks mentioned in this document owned by third parties are the property of their respective owners. This document is for informational purposes only.

BLUE COAT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. BLUE COAT PRODUCTS, TECHNICAL SERVICES, AND ANY OTHER TECHNICAL DATA REFERENCED IN THIS DOCUMENT ARE SUBJECT TO U.S. EXPORT CONTROL AND SANCTIONS LAWS, REGULATIONS AND REQUIREMENTS, AND MAY BE SUBJECT TO EXPORT OR IMPORT REGULATIONS IN OTHER COUNTRIES. YOU AGREE TO COMPLY STRICTLY WITH THESE LAWS, REGULATIONS AND REQUIREMENTS, AND ACKNOWLEDGE THAT YOU HAVE THE RESPONSIBILITY TO OBTAIN ANY LICENSES, PERMITS OR OTHER APPROVALS THAT MAY BE REQUIRED IN ORDER TO EXPORT, RE-EXPORT, TRANSFER IN COUNTRY OR IMPORT AFTER DELIVERY TO YOU.

Americas: Rest of the World:Blue Coat Systems, Inc. Blue Coat Systems International SARL420 N. Mary Ave. 3a Route des ArsenauxSunnyvale, CA 94085 1700 Fribourg, Switzerland

19


20

content analysis 1 2 4 4_rn

Documents

content analysis version

content analysis administrator

content analysis protection

content analysis system

p support

p section g

p section h

p section j