Trend Micro, Inc.
January 15, 2007

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Trend Micro(TM) Network VirusWall(TM) Enforcer 1200
Version 2.0, build 1142
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

------------------------------IMPORTANT-------------------------------
Network VirusWall Enforcer 1200 is compatible with Trend Micro
Control Manager(TM) version 3.5 and version 3.0. If you are using an
earlier version, upgrade Control Manager to ensure communication
between Control Manager and Network VirusWall Enforcer 1200.
----------------------------------------------------------------------

Contents
====================================================================
1.  About Trend Micro Network VirusWall Enforcer 1200
    1.1 Overview of this release
2.  What's New
3.  Documentation Set
4.  Recommended System Requirements
5.  Installation
6.  Post-Installation Configuration
7.  Known Issues
8.  Release History
9.  Contact Information
10. About Trend Micro
11. License Agreements
====================================================================

1. About Trend Micro Network VirusWall Enforcer 1200
========================================================================

Trend Micro Network VirusWall Enforcer controls access to the
corporate network to ensure that all devices, managed or unmanaged,
local or remote, comply with corporate security policies before they
connect. It prevents threats from entering the network by scanning
devices for the most up-to-date security software and critical
Microsoft patches. As an agent-less solution, it has minimal impact
on client devices and requires no end user intervention.
Non-compliant devices are immediately quarantined and sent through
automatic remediation. As soon as a device is cleaned and meets the
security requirements, it is allowed access to the network.

Network VirusWall Enforcer also filters network traffic to detect and
block network worms and BOTs, with zero false positives. The
easy-to-manage appliance isolates infected areas from the rest of the
network so threats cannot spread.

Network VirusWall Enforcer 1200 supports the Trend Micro Enterprise
Protection Strategy and can be managed by Trend Micro Control
Manager(TM) 3.5 and 3.0.

1.1 Overview of this release
=====================================================================

The following are the main features of Network VirusWall Enforcer
1200:

- Purpose-built appliance: The product is designed and implemented on
  a purpose-built appliance hardware platform that serves as the
  secure platform for Network VirusWall Enforcer 1200.

- Fail open: Network VirusWall Enforcer 1200 provides fail open (under
  certain deployments) to deal with network blocking issues.

- Easy installation: Perform a preconfiguration procedure to configure
  device and network settings. When you connect Network VirusWall
  Enforcer 1200 to your network, by simply attaching network cables
  to the ports, the device automatically registers with the Control
  Manager server.

- Web and text based management consoles: Accessed using a Web
  browser or SSH, these consoles allow you to manage Network VirusWall
  Enforcer 1200 remotely and configure device settings. In addition,
  Network VirusWall Enforcer supports a serial console for local
  access.

- Policy Enforcement: Provides multiple policy features that allow you
  to create a maximum of 64 policies. You can select to monitor,
  block, quarantine the endpoint, drop the packet, or redirect to a
  URL if the client violates the policy.

- Manual or scheduled component updates: Network VirusWall Enforcer
  1200 can obtain network virus pattern files, network scan engines,
  the Vulnerability/Damage Cleanup Engine, Vulnerability Patterns,
  the Damage Cleanup Pattern, and program files from the Trend Micro
  ActiveUpdate server or from a specified update source.

- Network segmentation: If an outbreak occurs, Network VirusWall
  Enforcer 1200 isolates the infected part of the network, helping
  prevent the spread of infection.

- Outbreak Prevention Policy support: Network VirusWall Enforcer 1200
  receives Outbreak Prevention commands from the Control Manager
  server. Network VirusWall Enforcer 1200 can block the following:
  - IP addresses: a single destination IP address or a range of
    addresses
  - Protocols: TCP, UDP, and ICMP protocols
  - Ports: a single destination port or a range of ports
  - Instant Message channels: MSN Messenger(TM) and Yahoo!
    Messenger(TM)
  - File transfers: file names or extensions transferred via FTP,
    HTTP, and Windows network file-sharing protocols

- Trend Micro(TM) Damage Cleanup Services(TM) support: Damage Cleanup
  Services (DCS) built into Network VirusWall Enforcer repairs damaged
  systems and eliminates threats that may remain on the network. If
  an outbreak occurs, Network VirusWall Enforcer 1200 can request DCS
  to clean up any infected machines.

- Virtual Local Area Network (VLAN) support: Create and edit VLAN
  tags that conform to the existing VLAN rules on your network.

- Simple Network Management Protocol (SNMP) v2 support: Configure
  Simple Network Management Protocol notification settings to have
  Network VirusWall Enforcer 1200 send traps to a network management
  station. Also configure SNMP agent settings, which add security to
  SNMP communications.

2. What's New
========================================================================

- Remote access console support: This version provides a Web console
  that allows you to configure settings from a Web browser, and SSH
  console access for the remote text mode console.

- Multiple policy enforcement: Administrators can create different
  policies for endpoint clients.
  - Active Directory service support for client authentication
  - Multiple policy creation based on different targets
    - CIDR
    - Network Port
    - VLAN
  - Service: A policy can consist of one or more services. Each
    service can have different actions for endpoint violations.

Endpoint security

- Antivirus detection: Detects more than 99 antivirus products
- Pattern detection: Detects the endpoint pattern version and whether
  the version is the latest one.
- System thread scan: Quickly scans the endpoint system folder
- Vulnerability scan: Identifies vulnerable endpoints on the network.
  Network VirusWall Enforcer 1200 can find out which endpoints are
  vulnerable to attacks or virus infections and block or pass traffic
  from these endpoints.
- Registry scan: Specify registry keys or values to detect on endpoint
  computers and specify an action to perform if the required or
  prohibited registry key is missing or present.

Network Threat detection

- Network Virus detection

Network management service

- Protocol management: Allows you to monitor, reject, or drop
  TCP/UDP/ICMP packets.
- Instant messaging detection: Allows you to create a policy to manage
  instant messaging (IM). Configure settings to allow clients to chat
  using IM, while blocking file transfer activity.
- File transfer detection: Allows you to quarantine a file transfer in
  a CIFS network and helps you block specific file names that you do
  not want transferred in your CIFS network.

Agent

- One-time agent (temp agent): This agent type only occurs when the
  Authentication function is enabled with agentless mode (you can also
  use Remote log on).
- Agentless: A one-time install/terminate (valid until the system is
  assessed) through ActiveX/Remote login.
- Persistent agent: An agent that remains on the endpoint computer
  through ActiveX/Remote login.

Policy Features

- Comprehensive report function support for the effectiveness of
  policy enforcement: Administrators can install Control Manager
  version 3.5 or 3.0 to query Network VirusWall Enforcer 1200 policy
  violation reports such as:
  - Violation by service
  - Violation by policy
- Flexible Assessment method:
  - Agentless
  - Remote login for administered endpoints (Administrator rights
    required to deploy and execute PEAgent)
  - Endpoint status assessment through ActiveX download for
    non-administered endpoints (Administrator rights required to
    execute the ActiveX file)
- Non-Internet Explorer support: A PEAgent Installer is provided to
  install PEAgent on endpoints with Web browsers other than Internet
  Explorer (Firefox, Mozilla).

Daylight Savings Time Support

- Network VirusWall Enforcer 1200 supports automatic Daylight Savings
  Time changes. Users have to select their time zone, and Network
  VirusWall Enforcer 1200 automatically makes the time changes for
  Daylight Savings Time.

3. Documentation Set
========================================================================

In addition to this readme file, the documentation set for this
product includes the following:

- Getting Started Guide -- product overview, installation planning,
  installation and preconfiguration instructions, and basic
  information intended to get you "up and running."
- Administrator's Guide -- product architecture details,
  configuration, troubleshooting, and FAQs.
- Upgrade Guide -- takes you through the upgrade procedure.
- Quick Start Guide -- basic information intended to get you "up and
  running" as quickly as possible.
- Online help -- context-sensitive help screens that provide guidance
  for performing a task.

4. Minimum System Requirements
========================================================================

Network VirusWall Enforcer requires the following:

- Ethernet cables (standard CAT-5 cables with RJ-45 connectors)
  Use multiple cables to connect to segments of the network that
  Network VirusWall Enforcer 1200 will protect.

- A terminal communications program (for example, HyperTerminal) to
  connect to the console port through a serial cable
  This program is required if you want to perform Network VirusWall
  Enforcer 1200 preconfiguration through the preconfiguration
  console.

  TIP: Always refer to the Getting Started Guide when performing
  preconfiguration.

- Requirements for endpoint computers where the "Endpoint installation
  method" is "ActiveX"
  Operating system: Windows 98, ME, 2000, XP, 2003
  Web browser: Internet Explorer 5 or above with the "Download signed
  ActiveX controls" security setting enabled

- Requirements for endpoint computers where the "Endpoint installation
  method" is "Remote login, ActiveX"
  Required operating system: Windows 2000, XP, 2003 for Remote login

5. Installation
========================================================================

Network VirusWall Enforcer 1200 can easily connect to your existing
network. Please refer to the Network VirusWall Enforcer 1200 Getting
Started Guide for detailed instructions.

6. Post-Installation Configuration
========================================================================

There are no post-installation requirements for Network VirusWall
Enforcer 1200 2.0. Trend Micro Control Manager is not required to
manage Network VirusWall Enforcer 1200.

7. Known Issues
========================================================================

The following are the known issues for this release:

Services - Endpoint Security
=====================================================================

7.1. Redirect URL
-----------------
- HTTPS traffic cannot be redirected using the redirect URL feature.

7.2. Exception URL List
-----------------------
HTTPS cannot be added to the exception URL List.

7.3. Double Byte Characters (DBCS) URL not supported
----------------------------------------------------
Network VirusWall Enforcer does not support Double Byte Character
(DBCS) URLs for the Redirect URL or URL Exception features.

7.4. Antivirus Detection in boot status
---------------------------------------
When the endpoint is in boot status and sends packets to Network
VirusWall Enforcer 1200, the device assumes the endpoint does not
have any antivirus product installed.

7.5. Enforcement Exception List
--------------------------------------
If users input a URL link on the Enforcement page, the URL link should
be input into the Exception list manually. For example: (a.b.c.d must
be manually input into the exception list).

7.6. Antivirus product detection issues
---------------------------------------
- If the endpoint has more than one antivirus product installed, only
  the first product is detected.
- Using Agent mode, antivirus product detection only supports
  detection of the English version of antivirus products installed on
  Windows 9x platforms.
- Trend Micro CSM can be detected, but the result will show "Trend
  Micro OfficeScan".
- The antivirus product detection function may not work if a very
  large number of concurrent endpoints connect at the same time. If
  you use network protocols to detect antivirus products on
  endpoints, and more than 128 endpoints connect through the device
  at the same time, there may be a few endpoints that will not be able
  to connect. Browsers on these endpoints should be closed and then
  reopened.

7.7. PEAgent Installation
--------------------------------------
Installing the PEAgent component requires Windows Installer engine
2.0, which is included in the Windows XP platform. However, for the
previous versions (Win98/ME, Win2000), you will need to download or
update the Windows Installer engine.

7.8. PEAgent Service Authority
---------------------------------------
Installing and starting the PEAgent service requires Administrator
authority. If a user installs the PEAgent with administrator authority
and then logs in with user authority, the PEAgent service cannot be
started.

7.9. PEAgent 1200 installation over PEAgent 2500
----------------------------------------
If a client computer that has the Network VirusWall Enforcer 1200
PEAgent then has the Network VirusWall Enforcer 2500 PEAgent installed
over it, another Network VirusWall Enforcer 1200 PEAgent cannot be
installed over the Network VirusWall Enforcer 2500 PEAgent.

Services - Network Threat Detection
=====================================================================

7.10. Damage Cleanup Services (DCS) deployment through Remote login
      (not ActiveX)
------------------------------------------------------------------
DCS can only be deployed through Remote login (not ActiveX) if the
"Network Virus Detection" service action is set to "Drop" (drop
packet).

Services - Network Management Service
=====================================================================

7.11. FTP and HTTP blocked files may be transferred
---------------------------------------------------
Blocked FTP and HTTP files may be transferred after 10 minutes.

7.12. Not all file transfers can be blocked
-------------------------------------------
If a connection already exists prior to enabling the policy, file
transfers cannot be blocked.

7.13. IM activities limitation
------------------------------
Network VirusWall Enforcer cannot block Instant Messaging activities
with Socks4 and Socks5.

7.14. IM Detection limitations
----------------------------------------
Instant Messaging detection does not support AIM Pro.

7.15. HTTP files not blocked
----------------------------
When a user uploads an HTTP file and the file name is listed on the
quarantine page, Network VirusWall Enforcer will not block the file.

7.16. Stateful function for FTP not supported
---------------------------------------------
The stateful function for FTP is not supported in an environment
where:
- The first policy accepts packets for FTP transfer from A to B
- The second policy requires User Authentication

This means that A can establish a connection with B, but B cannot
establish a data connection with A. The connection from B to A will
match a different policy than the connection from A to B.

7.17. FTP files not blocked
---------------------------
In the "Step5: Specify Network Application Policy" tab of the Edit
Policy screen, FTP files are not blocked when double-byte characters
(such as Chinese, Japanese or Korean characters) are typed in the
"File to access" text box.

Management Consoles
=====================================================================

7.18. Resizing the SSH application window
-----------------------------------------
When entering the Preconfiguration Console through an SSH connection,
resizing the SSH window will cause the screen to jump back to the
Preconfiguration login screen.

7.19. Log on issue
------------------
After three unsuccessful attempts to log on to the Preconfiguration
console, the screen becomes blank and times out for about 30 seconds
before becoming accessible again.

7.20. Configuring the IP address using the LCM
----------------------------------------------
When you configure the IP address using the LCM, a prompt will
display for registering the device to Control Manager. This is
because the user might also modify the Control Manager IP address.
However, registering Network VirusWall Enforcer to Control Manager is
optional.

7.21. Windows XP SP2 issue
--------------------------
Pop-up messages do not work properly on Windows XP with SP2 installed
because the Messenger Service is disabled and the Firewall is enabled
by default.

7.22. Summary Page Issues
-------------------------
If there are a large number of endpoints in the Network VirusWall
Enforcer endpoint database, the Web browser will display an internal
error.

7.23. Issues with the Policies page on the Web console
------------------------------------------------------
In the "Policy Enforcement > Policies" page, you need to click the
"Copy" button only once to create a new policy based on an existing
policy. If you do not see the new policy at once and you click the
button again, another policy will be added.

Network-Related Issues
=====================================================================

7.24. Network VirusWall Enforcer Preconfiguration
-------------------------------------------------
Garbage characters are displayed on the Preconfiguration console when
exporting the configuration file.

7.25. Network VirusWall Enforcer Hardware Integration
-----------------------------------------------------
The interface speed auto-negotiation function is incompatible with
some network switches (such as D-Link and SMC Gigabit switches). As a
workaround, use the Preconfiguration console > "Configure Interface
Speed and Duplex Mode Setting" to specify the interface speed for
incompatible switches.

7.26. Network disconnection
---------------------------
A 10-second network disconnection occurs when resetting Network
VirusWall Enforcer.

7.27. No differentiation between protected and non-protected network
--------------------------------------------------------------------
In this version, there is no differentiation between a protected and
non-protected network.

7.28. Refreshing the ARP table when disabling a port
----------------------------------------------------
When you disable a port, clearing the ARP table is necessary to ping
the device. Use "arp -d" to clear the ARP table and you should be able
to ping the device.

7.29. Refreshing the ARP table when specifying the Management port
------------------------------------------------------------------
If you specify the Management port, refreshing the ARP table is
necessary to ping the device. Use the "arp -d" command to refresh the
ARP table.

7.30. Network VirusWall Enforcer policy enforcement
---------------------------------------------------
Enforcement may not be performed properly when there is an HTTP proxy
server installed between the device and your network. If you enable
HTTP messages to display on quarantined and blocked endpoints, the
blocking pages may not display.

7.31. Looping in PEAgent Deployment
-----------------------------------
The following conditions may cause looping in the deployment of
PEAgent:
- Endpoints and Network VirusWall Enforcer are not on the same
  segment.
- Traffic from endpoint machines is configured to pass through a
  router after passing through Network VirusWall Enforcer.

7.32. Failopen Spanning-Tree convergence takes a long time
---------------------------------------------------
The failopen function is severely affected by the Spanning-Tree
Protocol.

7.33. Speed/Duplex inconsistency issue
-----------------------------------
Switches are not aware a link is down when the speed/duplex settings
of the switch are not consistent with the settings of Network
VirusWall Enforcer 1200.

LDAP Authentication
=====================================================================

7.34. User authentication screen not displaying
-----------------------------------------------
Windows 98 users will not see the user authentication screen, which
uses an HTTPS connection, if Microsoft Internet Explorer 6 Service
Pack 1 is not used.

7.35. Different requirements for authentication
-----------------------------------------------
If simple authentication for Microsoft Active Directory Server is
enabled, type Domain\account or account@domain for the account.
However, if Kerberos authentication is enabled for Microsoft Active
Directory Server, the domain information should not be included.

7.36. Specifying the LDAP server's hostname if using OpenLDAP
-------------------------------------------------------------
Using an IP address instead of a hostname for the LDAP server and KDC
server is supported. You must have a DNS server that resolves the
OpenLDAP server's hostname and IP address in order to use the IP
address under the OpenLDAP settings.

Deploying the PEAgent using Remote Login
=====================================================================

7.37. Windows versions not supported for deploying the PEAgent
--------------------------------------------------------------
The Remote Login deployment is not available for Windows XP Home
Edition, Windows ME, Windows 98, and earlier versions.

7.38. Endpoint setting restriction
--------------------------------
The Remote Login deployment is not available if the endpoint user
checks "Simple file sharing".

7.39. Network segment restriction
---------------------------------
If the endpoint is in a NAT network segment different from Network
VirusWall Enforcer, Remote Login deployment may not be successful.

7.40. Privileges required for Remote Login accounts
---------------------------------------------------
The accounts stored in NVWE for remote deployment purposes should
have at least administrator privileges.

ActiveX Deployment
=====================================================================

7.41. Internet Explorer version supported
-----------------------------------------
Internet Explorer 5.0 and above is required.

7.42. "Download signed ActiveX controls" required
-------------------------------------------------
In your Internet Explorer Security settings, ensure that "Download
signed ActiveX controls" is enabled, or select to install the ActiveX
control from the prompt. In addition, ensure that the account you use
has administrator privileges and can download ActiveX controls.

7.43. Policy Enforcement Agent (PEAgent) not running on certain
      operating systems
---------------------------------------------------------------
- Policy Enforcement Agent cannot download on endpoints using Windows
  2003 Server R2 if the Internet Explorer security setting is set to
  "High". The message "Error while running on current page" displays
  while the Policy Enforcement Agent is downloading.
- Policy Enforcement Agent does not run on Windows NT 4 or Vista
  (64-bit) environments.

Detection of Web page
=====================================================================

7.44. Unable to stop background services
----------------------------------------
When PEAgent cannot stop background services like Vulnerability
Assessment, the Web page that shows the detection notice will hang. A
user needs to reboot the computer to enforce the service stop and
resolve the issue.

7.45. PEAgent Download and Web page conflict
----------------------------------------
Web pages freeze when a user presses F5 or refreshes during the
PEAgent download process.

7.46. Too many registry scan items creates a client loop in detection
      stage
-----------------------------------------
If more than 30 items are specified as registry scan items for the
same client, the Network VirusWall Enforcer database program may crash
when receiving the client's report. This keeps the client in the
detection stage indefinitely.

Logs
=====================================================================

7.47. System Logs
-----------------
Different times are displayed on the Syslog application display for
logs sent by the Kernel and logs sent by the User application.

Trend Micro Control Manager (TMCM) integration
=====================================================================

7.48. Trend Micro Control Manager Integration
---------------------------------------------
There is no setting to configure the time interval for sending system
logs from Network VirusWall Enforcer 1200 to Control Manager.

7.49. Trend Micro Control Manager (TMCM) Registration Incompatibility
---------------------------------------------------------------------
Network VirusWall Enforcer may not be able to register to the Control
Manager server if there are multiple Network Interface Cards (NICs)
or IP addresses on the Control Manager server.

7.50. Default port number used
------------------------------
The default port number for Network VirusWall Enforcer to communicate
with TMCM is port 443. There is no setting in the Web console to
configure the port number. Therefore, on the machine where the TMCM
server is installed, a user needs to enable port 443 in the IIS
settings window to allow Network VirusWall Enforcer 1200 to register
to TMCM successfully.

7.51. Patch file installation
-----------------------------
For NVWE 1200 compatibility, please use hot fix "CM35Patch1_en_.exe"
for TMCM 3.5, and SP6 + hot fix "CM30B5025_en.exe" for TMCM 3.0.
You can find the patch files in:
  [CD drive]:\Programs\TMCM_Patch\3.0\
  [CD drive]:\Programs\TMCM_Patch\3.5\

7.52. Deploying components to devices using schedule update
-----------------------------------------------------------
If scheduled update is selected on the TMCM server and the Network
VirusWall Enforcer 1200 device has the same schedule settings, an
update conflict occurs. The result is that TMCM or the device will
experience an update failure and log it accordingly.

7.53. OPP status cannot update to newly registered MCP agents
-------------------------------------------------------------
If a Network VirusWall Enforcer 1200 device registers to TMCM after
TMCM has deployed OPP, the newly registered device will not receive
the OPP deployment command and OPP will not start.

Product Update
=====================================================================

7.54. Schedule update
---------------------
Scheduled update will not trigger when the update time is configured
at the exact time when daylight savings time starts.

7.55. Schedule update components fail to be inserted into cron table
--------------------------------------------------------------------
If a user observes that a Network VirusWall Enforcer 1200 device did
not start a scheduled update, please deselect all components under
schedule update and click Save. Then select the components you want
to update and save again.

Others
=====================================================================

7.56. Reboot may take a few minutes
-----------------------------------
When there are more than 30 policies, it may take a few minutes to
reboot the device.

8. Release History
========================================================================

Visit the following Web site for more information about this product:

  http://www.trendmicro.com/download

9. Contact Information
========================================================================

A license to the Trend Micro software usually includes the right to
product updates, pattern file updates, and basic technical support
for one (1) year from the date of purchase only. After the first
year, Maintenance must be renewed on an annual basis at Trend Micro's
then-current Maintenance fees.

You can contact Trend Micro via fax, phone, and email, or visit us
at:

  http://www.trendmicro.com

Evaluation copies of Trend Micro products can be downloaded from our
Web site.

Global Mailing Address/Telephone numbers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

For global contact information in the Asia/Pacific region, Australia
and New Zealand, Europe, Latin America, and Canada, refer to:

  http://www.trendmicro.com/en/about/overview.htm

The Trend Micro "About Us" screen displays. Click the appropriate
link in the "Contact Us" section of the screen.

Note: This information is subject to change without notice.

10. About Trend Micro
========================================================================

Trend Micro, Inc. provides virus protection, anti-spam, and
content-filtering security products and services. Trend Micro allows
companies worldwide to stop viruses and other malicious code from a
central point before they can reach the desktop.

Copyright 2007, Trend Micro Incorporated. All rights reserved.

Trend Micro, the t-ball logo, Network VirusWall, Control Manager,
Damage Cleanup Services, and Trend Micro Vulnerability Assessment are
trademarks of Trend Micro Incorporated and are registered in some
jurisdictions. All other product or company names may be trademarks
or registered trademarks of their owners.

11. License Agreements
========================================================================

Information about your license agreement with Trend Micro can be
viewed at:

  www.trendmicro.com/en/purchase/license/

Third-party licensing agreements can be viewed:
- By referring to the "License.txt" file on the Product CD
- The license agreement on the Trend Micro