Trend Micro, Inc. August 1, 2006
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Trend Micro(TM) Network VirusWall(TM) Enforcer 2500
Version 2.0, GM build 1428
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

------------------------------IMPORTANT-------------------------------
Network VirusWall Enforcer 2500 is only compatible with Trend Micro
Control Manager(TM) version 3.5. If you are using an earlier version,
upgrade Control Manager to ensure communication between Control
Manager and Network VirusWall Enforcer 2500.

Contents
====================================================================
1. About Trend Micro Network VirusWall Enforcer 2500
   1.1 Overview of this release
2. What's New
3. Documentation Set
4. Recommended System Requirements
5. Installation
6. Post-Installation Configuration
7. Known Issues
8. Release History
9. Contact Information
10. About Trend Micro
11. License Agreements
====================================================================

1. About Trend Micro Network VirusWall Enforcer 2500
========================================================================
Trend Micro Network VirusWall Enforcer controls access to the corporate
network to ensure that all devices, managed or unmanaged, local or
remote, comply with corporate security policies before they connect. It
prevents threats from entering the network by scanning devices for the
most up-to-date security software and critical Microsoft patches. As an
agentless solution, it has minimal impact on client devices and requires
no end user intervention. Non-compliant devices are immediately
quarantined and sent through automatic remediation. As soon as a device
is cleaned and meets the security requirements, it is allowed access to
the network. Network VirusWall Enforcer also filters network traffic to
detect and block network worms and bots, with zero false positives.
The easy-to-manage appliance isolates infected areas from the rest of
the network so threats cannot spread.

Network VirusWall Enforcer 2500 supports the Trend Micro Enterprise
Protection Strategy and can be managed by Trend Micro Control
Manager(TM) 3.5.

1.1 Overview of this release
=====================================================================
The following are the main features of Network VirusWall Enforcer 2500:

- Purpose-built appliance: The product is designed and implemented on a
  purpose-built hardware platform that serves as the secure platform
  for Network VirusWall Enforcer 2500.

- High availability: Network VirusWall Enforcer 2500 provides fail
  open, port redundancy, and failover solutions to deal with network
  blocking issues.

- Easy installation: Perform a preconfiguration procedure to configure
  device and network settings. When you connect Network VirusWall
  Enforcer 2500 to your network by simply attaching network cables to
  the ports, the device automatically registers with the Control
  Manager server.

- Web and text-based management consoles: Accessed using a Web browser
  or SSH, these consoles allow you to manage Network VirusWall
  Enforcer 2500 remotely and configure device settings. In addition,
  Network VirusWall Enforcer supports a serial console for local
  access.

- Policy enforcement: Multiple policy features allow you to create a
  maximum of 128 policies. You can choose to monitor, block,
  quarantine the endpoint, drop the packet, or redirect to a URL if
  the client violates the policy.

- Manual or scheduled component updates: Network VirusWall Enforcer
  2500 can obtain network virus pattern files, network scan engines,
  File Virus Engines, File Virus Patterns, the Vulnerability/Damage
  Cleanup Engine, Vulnerability Patterns, the Damage Cleanup Pattern,
  and program files from the Trend Micro ActiveUpdate server or from a
  specified update source.

- Network segmentation: If an outbreak occurs, Network VirusWall
  Enforcer 2500 isolates the infected part of the network, helping
  prevent the spread of infection.

- Outbreak Prevention Policy support: Network VirusWall Enforcer 2500
  receives Outbreak Prevention commands from the Control Manager
  server. Network VirusWall Enforcer 2500 can block the following:
  - IP addresses: a single destination IP address or a range of
    addresses
  - Protocols: TCP, UDP, and ICMP
  - Ports: a single destination port or a range of ports
  - Instant Message channels: MSN Messenger(TM) and Yahoo!
    Messenger(TM)
  - File transfers: file names or extensions transferred via FTP,
    HTTP, and Windows network file-sharing protocols

- Trend Micro(TM) Damage Cleanup Services(TM) support: Damage Cleanup
  Services (DCS), built into Network VirusWall Enforcer, repairs
  damaged systems and eliminates threats that may remain on the
  network. If an outbreak occurs, Network VirusWall Enforcer 2500 can
  request DCS to clean up any infected machines.

- Virtual Local Area Network (VLAN) support: Create and edit VLAN tags
  that conform to the existing VLAN rules on your network.

- Simple Network Management Protocol (SNMP) v2 support: Configure SNMP
  notification settings to have Network VirusWall Enforcer 2500 send
  traps to a network management station. Also configure SNMP agent
  settings, which add security to SNMP communications.

2. What's New
========================================================================
- Remote access console support: This version provides a Web console
  that allows you to configure settings from a Web browser, and SSH
  access for a remote text-mode console.

- Multiple policy enforcement: Administrators can create different
  policies for endpoint clients.
  - Active Directory service support for client authentication
  - Multiple policy creation based on different targets:
    - CIDR
    - Network port
    - VLAN

- Support for three bypass cards:
  - Silicom Dual Port Fiber (SX) Gigabit Ethernet PCI-X Bypass Server
    Adapter
  - Silicom Dual Port Fiber (LX) Gigabit Ethernet PCI-X Bypass Server
    Adapter
  - Silicom Dual Port Copper Gigabit Ethernet PCI-X Bypass Server
    Adapter

- Service: A policy can consist of one or more services. Each service
  can have different actions for endpoint violations.

  Endpoint security
  - Antivirus detection: Detects more than 99 antivirus products
  - Pattern detection: Detects the endpoint pattern version and
    whether that version is the latest one
  - System threat scan: Quickly scans the endpoint system folder
  - Vulnerability scan: Identifies vulnerable endpoints on the
    network. Network VirusWall Enforcer 2500 can find out which
    endpoints are vulnerable to attacks or virus infections and block
    or pass traffic from these endpoints.
  - Registry scan: Specify registry keys or values to detect on
    endpoint computers and specify an action to perform if a required
    registry key is missing or a prohibited one is present.

  Network threat detection
  - Network virus detection

  Network management service
  - Protocol management: Allows you to monitor, reject, or drop
    TCP/UDP/ICMP packets.
  - IM management: Allows you to create a policy to manage instant
    messaging (IM). Configure settings to allow clients to chat using
    IM while blocking file transfer activity.
  - File transfer management: Allows you to quarantine a file transfer
    in a CIFS network and helps you block specific file names that you
    do not want transferred in your CIFS network.

  Agent
  - One-time agent (valid until reboot) using ActiveX, for
    non-administrated clients
  - Persistent agent via ActiveX, for administrated endpoints

  Policy features
  - Comprehensive report function support for the effectiveness of
    policy enforcement: Administrators can install Control Manager
    version 3.5 to query Network VirusWall Enforcer 2500 policy
    violation reports such as:
    - Violation by service
    - Violation by policy
  - Flexible assessment method (agentless):
    - Remote login for administrated endpoints (administrator rights
      required)
    - Endpoint status assessment via ActiveX download for
      non-administrated endpoints

3. Documentation Set
========================================================================
In addition to this readme file, the documentation set for this product
includes the following:

- Quick Start Guide -- quick overview of product information.
- Getting Started Guide -- product overview, installation planning,
  installation and preconfiguration instructions, and basic
  information intended to get you "up and running."
- Administrator's Guide -- product architecture details,
  configuration, troubleshooting, and FAQs.
- Upgrade Guide -- takes you through the upgrade procedure.
- Online help -- context-sensitive help screens that provide guidance
  for performing a task.
- Knowledge Base -- a searchable database of known product issues,
  including specific problem-solving and troubleshooting topics.
  http://kb.trendmicro.com/solutions/

4. Minimum System Requirements
========================================================================
Network VirusWall Enforcer requires the following:

- Ethernet cables (standard CAT-5 cables with RJ-45 connectors)
  Use multiple cables to connect to the segments of the network that
  Network VirusWall Enforcer 2500 will protect.
- A terminal communications program (for example, HyperTerminal) to
  connect to the console port through a serial cable
  This program is required if you want to perform Network VirusWall
  Enforcer 2500 preconfiguration through the preconfiguration console.

  TIP: Always refer to the Getting Started Guide when performing
  preconfiguration.

- Requirements for endpoint computers where the "Endpoint installation
  method" is "ActiveX":
  Operating system: Windows 98, ME, 2000, XP, 2003
  Web browser: Internet Explorer 5 or above with the "Download signed
  ActiveX controls" security setting enabled

- Requirements for endpoint computers where the "Endpoint installation
  method" is "Remote login, ActiveX":
  Required operating system: Windows 2000, XP, 2003 for Remote login

5. Installation
========================================================================
Network VirusWall Enforcer 2500 can easily connect to your existing
network. Refer to the Network VirusWall Enforcer 2500 Getting Started
Guide for detailed instructions.

6. Post-Installation Configuration
========================================================================
There are no post-installation requirements for Network VirusWall
Enforcer 2500 2.0. Trend Micro Control Manager is not required to
manage Network VirusWall Enforcer 2500.

7. Known Issues
========================================================================
The following are the known issues for this release:

Services - Endpoint Security
=====================================================================

7.1. Redirect URL
-----------------
- HTTPS traffic cannot be redirected to the redirect URL.
- If you use capital letters such as "WWW.YAHOO.COM" instead of
  "www.yahoo.com", the redirect URL will not work as expected and the
  Web page will always be blocked. Always ensure that "Caps Lock" is
  not enabled.

7.2. Exception URL List
-----------------------
HTTPS cannot be added to the exception URL list.

7.3. Double-Byte Character (DBCS) URLs not supported
----------------------------------------------------
Network VirusWall Enforcer does not support double-byte character
(DBCS) URLs in the Redirect URL or URL Exception settings.

7.4. Antivirus detection in boot status
---------------------------------------
When the endpoint is in boot status and sends packets to Network
VirusWall Enforcer 2500, the device assumes the endpoint does not have
any antivirus product installed.

7.5. Real-time scan not installed if resources are unavailable
--------------------------------------------------------------
Real-time scan does not install if the CPU usage reaches 100%.
Real-time scan cannot start the service in this environment.

7.6. No antivirus product detected
----------------------------------
During a pattern update on an endpoint with Real-time scan installed,
an error message displays. If you are transferring information, a
TCP_Error displays.

7.8. Antivirus product detection issues
---------------------------------------
- If the endpoint has more than one antivirus product installed, only
  the first product is detected.
- Antivirus product detection only supports detection of English
  version antivirus products installed on Windows 9x platforms.
- The antivirus product detection function may not work if a very
  large number of concurrent endpoints connect at the same time. If
  you use network protocols to detect antivirus products on endpoints,
  and more than 128 endpoints connect through the device at the same
  time, a few endpoints may not be able to connect. Browsers on these
  endpoints should be closed and then reopened.

Services - Network Threat Detection
=====================================================================

7.9. Damage Cleanup Services (DCS) deployment through Remote login
     (not ActiveX)
------------------------------------------------------------------
DCS can only be deployed through Remote login (not ActiveX) if the
"Network Virus Detection" service action is set to "Drop" (drop
packet).

Services - Network Management Service
=====================================================================

7.10. FTP and HTTP blocked files may be transferred
---------------------------------------------------
Blocked FTP and HTTP files may be transferred after 10 minutes.

7.11. Not all file transfers can be blocked
-------------------------------------------
If a connection already exists prior to enabling the policy, file
transfers over that connection cannot be blocked.

7.12. IM activities limitation
------------------------------
Network VirusWall Enforcer cannot block Instant Messaging activities
that are tunneled through SOCKS4 or SOCKS5.

7.13. HTTP files not blocked
----------------------------
When a user uploads an HTTP file and the file name is listed on the
quarantine page, Network VirusWall Enforcer will not block the file.

7.14. Stateful function for FTP not supported
---------------------------------------------
The stateful function for FTP is not supported in an environment
where:
- The first policy accepts packets for FTP transfer from A to B
- The second policy requires user authentication
This means that A can establish a connection with B, but B cannot
establish a data connection with A. The connection from B to A matches
a different policy than the connection from A to B.

7.15. FTP files not blocked
---------------------------
In the "Services" tab of the Edit Policy screen, FTP files are not
blocked when double-byte characters (such as Chinese, Japanese or
Korean characters) are typed in the "File to access" text box.

Management Consoles
=====================================================================

7.16. Resizing the SSH application window
-----------------------------------------
When you resize the SSH application window, the Preconfiguration Login
screen displays.

7.17. Log on issue
------------------
After three unsuccessful attempts to log on to the Preconfiguration
console, a black dialog box displays on the Preconfiguration log on
screen, and Syslog and the network do not respond to requests for
about 30 seconds. This means that the user must wait for 15 seconds
before logging on again.

7.18. Configuring the IP address using the LCM
----------------------------------------------
When you configure the IP address using the LCM, a prompt displays for
registering the device to Control Manager. However, Network VirusWall
Enforcer does not need to register to Control Manager.

7.19. Windows XP SP2 issue
--------------------------
Pop-up messages do not work properly on Windows XP with SP2 installed
because the Messenger Service is disabled and the Firewall is enabled
by default.

7.20. IP address issue
----------------------
Users cannot log in to the Web console or SSH console if the
Management IP address is the same as the Bridge IP address.

7.21. Summary page issues
-------------------------
If there are a large number of endpoints in the Network VirusWall
Enforcer endpoint database, the Web browser displays an internal
error.

7.22. Issues with the Policies page on the Web console
------------------------------------------------------
In the "Policy Enforcement > Policies" page, click the "Copy" button
only once to create a new policy based on an existing policy. If you
do not see the new policy at once and you click the button again,
another policy will be added.

Network-Related Issues
=====================================================================

7.23. Network VirusWall Enforcer Preconfiguration
-------------------------------------------------
Garbage characters are displayed on the Preconfiguration console when
exporting the configuration file.

7.24. Network VirusWall Enforcer interface grouping
---------------------------------------------------
If you have created a port redundant deployment, enable the Spanning
Tree Protocol to allow the device to connect to network switches.
Ensure that the Spanning Tree Protocol is enabled in the network
switches.

7.25. Reset to factory default to change the type of deployment
---------------------------------------------------------------
After registering the device to Control Manager using a failover
deployment, the two devices cannot register to Control Manager in a
non-failover deployment.

7.26. Network VirusWall Enforcer hardware integration
-----------------------------------------------------
The interface speed auto-negotiation function is incompatible with
some network switches (such as D-Link and SMC Gigabit switches). As a
workaround, use the Preconfiguration console > "Configure Interface
Speed and Duplex Mode Setting" to specify the interface speed for
incompatible switches.

7.27. Network disconnection
---------------------------
A 10-second network disconnection occurs when resetting Network
VirusWall Enforcer.

7.28. Dropping of ICMP fragment packets
---------------------------------------
ICMP fragment packets may not always pass through Network VirusWall
Enforcer. The device may drop these ICMP packets.

7.30. No differentiation between protected and non-protected network
--------------------------------------------------------------------
In this version, there is no differentiation between a protected and a
non-protected network.

7.31. Refreshing the ARP table when disabling a port
----------------------------------------------------
When you disable a port, clearing the ARP table is necessary to ping
the device. Use "arp -d" to clear the ARP table and you should be able
to ping the device.

7.32. Refreshing the ARP table when inserting a fiber card
----------------------------------------------------------
Refreshing the ARP table is necessary to ping the device after
installing a fiber card. After using the "arp -d" command to refresh
the ARP table, you should be able to ping the device using the same
copper port connection from before installing the fiber card.

7.33. Refreshing the ARP table when specifying the Management port
------------------------------------------------------------------
If you specify the Management port, refreshing the ARP table is
necessary to ping the device. Use the "arp -d" command to refresh the
ARP table.

7.34. Network VirusWall Enforcer policy enforcement
---------------------------------------------------
Enforcement may not be performed properly when there is an HTTP proxy
server installed between the device and your network. If you enable
HTTP messages to display on quarantined and blocked endpoints, the
blocking pages may not display.

7.35. Looping in PEAgent deployment
-----------------------------------
The following conditions may cause looping in the deployment of
PEAgent:
- Endpoints and Network VirusWall Enforcer are not on the same
  segment.
- Traffic from endpoint machines is configured to pass through a
  router after passing through Network VirusWall Enforcer.

7.36. Asymmetric route issue
----------------------------
In an HSRP environment where the asymmetric route feature is enabled
and VLAN is used as the policy trigger setting, any policy that uses
VLAN may not be triggered.

Update
=====================================================================

7.37. Other drivers required
----------------------------
The default Windows 2000 drivers for the 3Com 3c905c and Broadcom
440x series adapters will not complete firmware updates.

LDAP Authentication
=====================================================================

7.38. User authentication screen not displaying
-----------------------------------------------
Windows 98 users will not see the user authentication screen, which
uses an HTTPS connection, if Microsoft Internet Explorer 6 Service
Pack 1 is not used.

7.39. Different requirements for authentication
-----------------------------------------------
If simple authentication for Microsoft Active Directory Server is
enabled, type Domain\account or account@domain for the account.
However, if Kerberos authentication is enabled for Microsoft Active
Directory Server, the domain information should not be included.

7.40. Specifying the LDAP server's hostname if using OpenLDAP
-------------------------------------------------------------
Using an IP address instead of a hostname for the LDAP server and KDC
server is acceptable. However, if the LDAP server is OpenLDAP,
specifying the hostname is required.

Deploying the PEAgent using Remote Login
=====================================================================

7.41. Windows versions not supported for deploying the PEAgent
--------------------------------------------------------------
The Remote Login deployment is not available for Windows XP Home
Edition, Windows ME, Windows 98, and earlier versions.

7.42. Endpoint setting restriction
----------------------------------
The Remote Login deployment is not available if the endpoint user
enables "Simple file sharing".

7.43. Network segment restriction
---------------------------------
If the endpoint is in a NAT network segment different from Network
VirusWall Enforcer, Remote Login deployment may not be successful.

7.44. Privileges required for Remote Login accounts
---------------------------------------------------
Remote Login accounts should have the privileges to start services,
create folders, and copy files.

7.45. Access Control issue
--------------------------
If you save a blank access control item from the Web or
Preconfiguration console, you will not be able to configure access
control from the terminal or remote terminal consoles. To resolve this
issue, perform the following tasks:
1. Select Access Control from the Administration menu in the Web
   console.
2. Click the delete icon (garbage can) next to the blank access
   control item to remove it.
3. Add another new access control item with a new IP address and a
   comment.
4. Click Save.
5. Log on to the Preconfiguration console after the automatic log
   off.
You can now configure the access control list from the
Preconfiguration console.

7.46. UID LED issue
-------------------
After you turn on the UID LED from the Web console and restart the
device, you are unable to turn off the UID LED from the Web console or
by pressing the LED button on the device. To resolve this issue,
change the Network VirusWall Enforcer 2500 IP address, register to
Control Manager, or configure a High Availability setting to update
the status.

ActiveX Deployment
=====================================================================

7.47. Internet Explorer version supported
-----------------------------------------
Internet Explorer 5.0 or above is required.

7.48. "Download signed ActiveX controls" required
-------------------------------------------------
In your Internet Explorer security settings, ensure that "Download
signed ActiveX controls" is enabled, or choose to install the ActiveX
control from the prompt. In addition, ensure that the account you use
has administrator privileges and can download ActiveX controls.

7.49. Policy Enforcement Agent (PEAgent) not running on certain
      operating systems
---------------------------------------------------------------
- Policy Enforcement Agent cannot download on endpoints using Windows
  2003 Server R2 if the Internet Explorer security setting is set to
  "High". The message "Error while running on current page" displays
  while the Policy Enforcement Agent is downloading.
- Policy Enforcement Agent does not run on Windows NT 4 or Vista
  (64-bit) environments.

7.50. Policy Enforcement Agent (PEAgent) menu
---------------------------------------------
If Network VirusWall Enforcer 2500 updates the pattern file before
deploying the endpoint pattern, the menu in the Policy Enforcement
Agent (PEAgent) on the endpoint does not display the correct RTS
pattern version.

Detection Web page
=====================================================================

7.51. Unable to stop background services
----------------------------------------
When PEAgent cannot stop background services like Real-time scan and
Vulnerability Assessment, the Web page that shows the detection notice
hangs. The user needs to reboot the computer to force the services to
stop and resolve the issue.

Logs
=====================================================================

7.52. System logs
-----------------
Different times are displayed in the Syslog application for logs sent
by the kernel and logs sent by the user application.

Trend Micro Control Manager (TMCM) integration
=====================================================================

7.53. Trend Micro Control Manager integration
---------------------------------------------
There is no setting to configure the time interval for sending logs
from Network VirusWall Enforcer 2500 to Control Manager 3.5.

7.54. Trend Micro Control Manager (TMCM) registration incompatibility
---------------------------------------------------------------------
Network VirusWall Enforcer may not be able to register to the Control
Manager server if there are multiple Network Interface Cards (NICs) or
IP addresses on the Control Manager server.

7.55. Default port number used
------------------------------
The default port number for Network VirusWall Enforcer to communicate
with TMCM is port 443. There is no setting in the Web console to
configure the port number. Therefore, on the machine where the TMCM
server is installed, enable port 443 in the IIS settings window to
allow Network VirusWall Enforcer 2500 to register to TMCM
successfully.

7.56. Patch file installation
-----------------------------
A patch file is included on the Network VirusWall Enforcer Solutions
CD to fix the pattern release history component. The patch file name
is "CM35B1280_en.exe". After successfully installing TMCM 3.5, execute
the patch file in the same directory where the TMCM 3.5 installation
file is located. You can find the patch file in
[CD drive]:\Programs\TMCM3\patch

Others
=====================================================================

7.57. Port 5 LED may remain on
------------------------------
When link-state failover is enabled, the Port 5 LED may still be on
and provide incorrect state information to switches. To avoid this
issue, use other ports.

7.58. Reboot may take a few minutes
-----------------------------------
When there are more than 30 policies, it may take a few minutes to
reboot the device.

8. Release History
========================================================================
Visit the following Web site for more information about this product:
http://www.trendmicro.com/download

9. Contact Information
========================================================================
A license to the Trend Micro software usually includes the right to
product updates, pattern file updates, and basic technical support for
one (1) year from the date of purchase only. After the first year,
Maintenance must be renewed on an annual basis at Trend Micro's
then-current Maintenance fees.

You can contact Trend Micro via fax, phone, and email, or visit us at:
http://www.trendmicro.com

Evaluation copies of Trend Micro products can be downloaded from our
Web site.

Global Mailing Address/Telephone numbers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
For global contact information in the Asia/Pacific region, Australia
and New Zealand, Europe, Latin America, and Canada, refer to:
http://www.trendmicro.com/en/about/overview.htm

The Trend Micro "About Us" screen displays. Click the appropriate link
in the "Contact Us" section of the screen.

Note: This information is subject to change without notice.

10. About Trend Micro
========================================================================
Trend Micro, Inc. provides virus protection, anti-spam, and
content-filtering security products and services. Trend Micro allows
companies worldwide to stop viruses and other malicious code from a
central point before they can reach the desktop.

Copyright 2006, Trend Micro Incorporated. All rights reserved.

Trend Micro, the t-ball logo, Network VirusWall, Control Manager,
Damage Cleanup Services, and Trend Micro Vulnerability Assessment are
trademarks of Trend Micro Incorporated and are registered in some
jurisdictions. All other product or company names may be trademarks or
registered trademarks of their owners.

11. License Agreements
========================================================================
Information about your license agreement with Trend Micro can be
viewed at:
www.trendmicro.com/en/purchase/license/

Third-party licensing agreements can be viewed:
- By referring to the "License.txt" file on the Product CD
- In the license agreement on the Trend Micro Web site