Trustwave ECM Release Notes

Version: 7.2, Last Revision: February 24, 2017

These notes are additional to the Trustwave ECM User Guide and supersede information supplied in that Guide.

The information in this document is current as of the date of publication. To check for any later information, please see Trustwave Knowledge Base article Q20726.

New Features
System Requirements
Upgrade Instructions
Uninstalling
Release History

New Features

For more information about additional minor features and bug fixes, see the release history.

Features New in 7.2.0

Support for additional environments:
- Exchange Server 2016
- SQL Server 2016 and SQL Express 2016, SQL Server 2014 and SQL Express 2014
Support for Bitdefender for Marshal anti-virus
Branding has been updated.

Features new in 7.1.5

Support for additional environments:
- Exchange Server 2013
- Windows Server 2012 and 2012 R2
- SQL Server 2012 and SQL Express 2012

Features New in 7.1

Processing speed/capacity enhancement: Due to the change in message flow, message throughput is greatly enhanced.
Message flow changes:
- A new method is used to return processed messages to Microsoft Exchange.
- With Exchange 2010, if the Engine is not running, messages awaiting processing are queued in Exchange rather than in the submission queue.
Rules structure: Email Policy is divided into Content Analysis Policy and Dead Letter Policy. Filtering order and behavior is not changed.
Dead Letter Rules: A new type of rule allows messages that cannot be processed to be passed through based on user matching and the text of the Dead Letter reason code.
PDF unpacking improvements: Images, attachments, and annotations are now unpacked from PDF documents. Supported images types are JPG, JPG 2000, TIF, and RAW. The PDF unpacker can be updated automatically through the MailMarshal Automatic Updates (SpamCensor updater). This improvement addresses numerous other issues with PDF unpacking. See change history for details.
Message Logs Change: Text log information for messages is now stored in each message (MML) file.
Additional improvements: Numerous message unpacking and stability updates have been included (as found in MailMarshal SMTP 6.9). See items prefixed MM in the release history.

Features New in 7.0

Array Architecture: MailMarshal Exchange now uses the same array architecture as MailMarshal SMTP 6.X.
MailMarshal SMTP features: MailMarshal Exchange has been updated with many rule elements and features found in MailMarshal SMTP 6.X.
No spam filtering functions: MailMarshal Exchange does not provide SpamCensor or other anti-spam functionality. The "known threats zero day" category is available and automatically updated.
New Reporting application: Reporting on MailMarshal Exchange activity is through Marshal Reporting Console (version 2.5 or above).

System Requirements

Software

Trustwave ECM is supported in the following environments:

Email processing nodes:
- 64 bit OS only
- Windows Server 2016, Windows Server 2012, Windows Server 2012 R2, Windows Server 2008 SP2, Windows Server 2008 R2, Windows Server 2003 SP2, SBS 2008 SP2
- Exchange Server 2016; Exchange Server 2013; Exchange Server 2010 SP1 or above
- Active Directory
- Hub Transport Role
- 8.3 file name creation must be enabled
Array Manager:
- Windows Server 2016, Windows Server 2012, Windows Server 2012 R2, Windows Server 2008 SP2, Windows Server 2008 R2, Windows Server 2003 SP2, SBS 2008 SP2
- 64 bit OS preferred (required for single-server installation or for use of SQL Server 2016)
Console and Configurator:
- Windows Server 2016, Windows Server 2012, Windows Server 2012 R2, Windows Server 2008 SP2, Windows Server 2008 R2, Windows Server 2003 SP2, SBS 2008 SP2
- Windows XP Professional SP3 (32 bits only)
- Windows Vista SP2, Windows 7 RTM or SP1
- Windows 8 and Windows 8.1
- 64 bit OS preferred
Web Components:
- Windows Server 2016, Windows Server 2012, Windows Server 2012 R2, Windows Server 2008 SP2, Windows Server 2008 R2, Windows Server 2003 SP2, SBS 2008 SP2
- 64 bit OS preferred
- .NET Framework 4
SQL Server (including SQL Express):
- SQL Server 2016
- SQL Server 2014
- SQL Server 2012
- SQL Server 2008 SP1, SQL Server 2008 R2
  - Note: Installation on Server 2012 and 2012 R2 requires SQL 2008 SP3 or SQL 2008 R2 SP2
- SQL Server 2005 SP3

Trustwave ECM is a 32 bit application.

Hardware

Hardware required is dependent on Microsoft Exchange Server. Follow Microsoft recommendations. Be aware that Trustwave ECM processing has a noticeable impact on email throughput.

You may require additional hard disk space depending on your archiving and quarantine retention policies. For default policies on a typical 1000 user server, Trustwave recommends you allow an additional 50 GB of free disk space for text logs, quarantine and archiving folders.

Installation recommendations

To help ensure smooth functioning of Trustwave ECM, Trustwave recommends the following:

Install Trustwave ECM on all Hub Transport servers to ensure that all messages are scanned.
For performance reasons, select a DLL integrated virus scanner. Do not use a command line scanner.
For performance reasons, do not install other roles on the servers (particularly, do not install the Unified Messaging role)
Although it is possible to add some Microsoft Edge Transport components to a Hub Transport server, Trustwave recommends you do not add these components.
Do not change the user for the Exchange Transport Service.
Do not manually adjust settings in the Exchange agents.config file, the transport agent priorities, or the default settings for the Replay directory.

Usage Notes

To view the Trustwave ECM performance counters in Windows Server 2008 (64 bits), you must run the MMC in 32 bit mode. Use the following command line to start Performance Monitor:
MMC /32 perfmon.msc

Upgrade Instructions

Upgrading from version 7.X

Direct upgrade is supported from ECM (MailMarshal Exchange) 7.0 and above.

Upgrading a Single Server:
To upgrade a single Trustwave ECM server from version 7.X, install the new version over your existing version. You do not need to uninstall your existing version. The database will be upgraded in place, if necessary. Your Product Key remains the same.
Upgrading an Array of Servers:
After upgrading the Array Manager you can upgrade the processing servers through the Configurator, with no need to log on to the processing servers. For more information, see the Upgrading section in the User Guide.

Notes on Upgrading

7.2 Exchange version support: Exchange 2007 is no longer supported.
7.1 Deadletter Folder Retention: Upgrade resets the retention period for deadletter folders to 7 days. Any changes that you previously made using the method described in Knowledge Base article Q10260 will be lost. After upgrading, use the Configurator to set the desired values.
7.1 Policy changes: On upgrade, existing Standard rules are moved to the Content Analysis Policy container. Filtering order and behavior is not changed.
7.1 File Type Identification: Version 7.1 identifies the following as executable files:
- Plain text files with extension .CMD or .BAT
- Binary unknown files with extension .COM or .EXE
- Previous versions identified these files as "text" or "binary unknown". You may wish to review and adjust your rules.
7.1 Message Logs: If you have selected the "copy message log file" feature for quarantined or archived messages, you should consider unselecting this option. Log information is stored in the message files and is always available in the Console.
7.1 .NET version requirement: The Web Components now require .NET 4.0.
7.1 database upgrade: To resolve an issue with reporting of IP addresses, the upgrade rewrites some existing data. This process can take significant time to complete for large databases. The upgrade installer provides an estimate of the time required.

Migrating from version 5.X

Direct upgrade from MailMarshal Exchange (ECM) 5.X is not supported. Trustwave ECM version 7.X uses a different architecture to version 5.X.

To assist with migration, Trustwave ECM 7.X can be installed on the same server as MailMarshal Exchange 5.3 or Trustwave SEG (MailMarshal SMTP).
When upgrading from version 5.X, you must obtain a new product key. You can request a key from the Configurator after installing the product.
The Trustwave ECM 7.X and 5.3 Agents CANNOT both be used to process messages on the same server.
If the Trustwave ECM 7.X Agent is enabled on an Exchange Server where MailMarshal Exchange 5.3 is running, the version 5.3 Agent will be uninstalled. You must not enable the 5.3 and 7.X Agents at the same time, because significant problems with email processing would result.
You can release messages quarantined by version 5.3, using the 5.3 Console.
Best practice for the upgrade is to stop the Microsoft Exchange Transport service and allow queues to clear before enabling the Trustwave ECM 7.X Agent.
In some cases, when you uninstall version 5.3 after installing version 7.X, you must restart the system.
If you wish to return to version 5.3, uninstall the 7.X Agent before you install the 5.3 Agent.

Uninstalling

Trustwave ECM can be installed in a variety of scenarios. For full information on uninstalling Trustwave ECM from a production environment, see the User Guide.

To uninstall a trial installation on a single computer:

Stop and disable the Trustwave ECM Agent for all Exchange servers.
Close all instances of the Trustwave ECM Configurator and Trustwave ECM Console. Stop the websites of Web Components.
Use Add/Remove Programs from the Windows Control Panel to remove Trustwave ECM.
Use Add/Remove Programs from the Windows Control Panel to remove additional components you may have installed, such as Web Components.
If you have installed any components (such as the Configurator, Console, or Web Components) on other computers, uninstall them.
If you have installed SQL Express specifically to support Trustwave ECM and no other applications are using it, uninstall SQL Express.

Release History

The following additional items have been changed or updated in the specific build versions of Trustwave ECM listed. To check for any later information, please see Trustwave Knowledge Base article Q20726.

7.2.0 (February 24, 2017)

MEX-912	Office 2003 documents containing embedded OLE object containers were deadlettered. Fixed.
MEX-952	When installing in a custom location or changing folder locations in the Server Tool, permissions were not correctly set on the folders. Fixed.
MEX-975	The Exchange Agent has been updated to use the Exchange 2010 version of the SDK. This change resolves an informational/best practice event that was logged by Exchange in earlier versions.
MEX-977	In some cases content extracted from Office documents was incorrectly identified as EMF instead of WMF, resulting in a dead lettered message. Fixed.
MEX-978	Handling of SQL database partitioning has been improved.
MEX-980	Product branding has been updated to Trustwave ECM throughout. Install and Registry locations are not changed. The default virtual directory name for the Web Admin Console has been updated (for new installations only).
MEX-981	The installer checks for the Trustwave root certificate and attempts to install it if necessary.
MEX-982	Earlier versions of the product could not access the automatic update server due to use of updated SSL signing on the server. Fixed.
MEX-984	Certain binary RTF message bodies could cause the Engine to stop. Fixed.
MEX-985	The versions of web access and TLS/SSL libraries used have been updated.
MEX-986	In some cases where an attachment was an Office 2003 document containing an embedded Office 2007/2010 document, the message was deadlettered due to an unpacking problem. Fixed.
MEX-987	The Agent now installs with Set-TransportService as per Microsoft best practice.
MEX-996	The version of SQL Express included with the installer is updated to SQL 2016.
MEX-999	Installation with Exchange 2007 is no longer supported.
MEX-1001	MSXML4 is no longer used or installed.
MEX-1002	The Engine service better handles stopping and restarting under load (for example with virus scanner reloading).
MEX-1008	Signing of executable files now uses a SHA256 certificate.

7.1.7.7380 (January 12, 2015)

MEX-920	A message addressed to multiple distribution groups could be delivered to a recipient twice when released from quarantine. Fixed.
MEX-958	The URL for the Trustwave RSS feeds in the Console was incorrect. Fixed.
MEX-963	If the Controller service could not retrieve the location of the Exchange Replay directory, it could stop unexpectedly. Fixed.
MEX-965	The End User Licensing Agreement included in the product has been updated to the latest version.

7.1.6.6835 (May 8, 2014)

MEX-955

The product installer would not run on Server 2012 R2 and Windows 8.1 due to incorrect detection of the OS version. Fixed.

7.1.5.4301 (December 17, 2013)

MEX-914	Locations of the Incoming, ProcessedOK, DeadLetter, and Sending directories set in the Server Tool were not honored by the Agent. Fixed. Note: If you move the Queues folder (parent of the Incoming, ProcessedOK, and Sending directories), you must grant full control over the new folder to the Network Service account used by the Exchange Agent.
MEX-915	In earlier versions installation with Marshal Reporting Console could fail due to a problem with prerequisite checks. Fixed.
MEX-918	Message files could not be opened in the Console for processing node IDs greater than 9, due to a file naming error. Fixed for newly created files. Incorrectly named existing files must be renamed manually.
MEX-921	On nodes with ID greater than 9, MML files were incorrectly named. Fixed for newly created files.
MEX-923	Notification message sending could fail if the Replay folder was not in the default location. Fixed: the Controller service now periodically verifies the location of this folder.
MEX-925	The Unpacker has been updated to the version supplied with SEG 7.1.
MEX-926	The PDF unpacker DLL provided has been updated to 4.1.0.8 (this version was already provided through automatic updates).
MEX-927	The File Type DLL has been updated to the version supplied with SEG 7.1.
MEX-928	Messages with recipient address user parts over 64 characters in length could not be released from the Console. Fixed.
MEX-941	The installer did not correctly detect clean installations of Exchange 2010. Fixed.
MEX-942	Email sent by Exchange 2013 Health Check Monitors is not processed by default. For details and settings, see Knowledge Base article Q16478.
MEX-943	The check for excessive numbers of header lines is not performed due to Exchange 2013 behaviors that can result in large numbers of header lines.
MEX-944	The version of SQL Express included in installers has been updated to 2008 R2 SP2.
MEX-946	The Replay directory path could not be determined correctly if more than one Exchange server was present in the AD environment. Fixed.
MEX-950	New installations of Web Components bind the website to port 82 (because Exchange 2013 uses port 81). Upgrading does not change the existing binding.
MEX-951	Messages affected by the issue described in MEX-883 are now processed normally by default.

7.1.1.4301 (March 14, 2012)

MEX-902	The check for email files orphaned by a system halt was checking an incorrect folder. Fixed.
MEX-903	The PDF unpacker DLL provided has been updated from 4.0 (in version 7.1.0) to 4.1.
MEX-904	In version 7.1.0, PDF attachments with Unicode characters in the filename were not unpacked and scanned. Fixed.
MEX-908	In version 7.1.0, a message with duplicate email addresses (addressed to the same recipient more than once) would not be delivered in some cases. Fixed.

7.1.0.4102 (Limited availability February 7, 2012)

MEX-831	Return of messages from the Engine to the Agent (and to Microsoft Exchange) now uses a new, faster process.
MEX-848	Some information has been removed from the standard (not debug) view of service text logs, to enhance readability.
MEX-850	Category Scripts that searched the message body using Regular Expressions (RegExpBody) did not check TNEF bodies. Fixed.
MEX-863	Messages with attached Office 2003 documents that contained embedded Office 2007/2010 documents were deadlettered. Fixed.
MEX-864	When services failed unexpectedly, some service logging information was not correctly cleaned up on restart. Fixed.
MEX-883	In rare cases a message was wrongly reported as corrupt when sent between Exchange hub servers in the same domain with different Exchange versions and separate MailMarshal Exchange arrays. Fixed: Contact M86 Support for a setting to allow these messages.
MEX-892	Messages with attached Office 2003 documents that contained embedded Office 2007/2010 documents were deadlettered. Fixed.
MM-108	Many images are now extracted from PDF documents.
MM-1567	PDF unpacking now handles Unicode.
MM-2236	Some PDF files caused recursion in the Engine and could not be unpacked. Fixed.
MM-2363	The version of the archive unpacker included with MailMarshal has been updated. This version handles additional compression formats.
MM-2834	PDF files with limitations on printing and other functions were incorrectly identified as Encrypted PDF. Fixed.
MM-2837	The image analysis library is updated.
MM-2859	Binary files are now better recognized as type COM or EXE.
MM-2977	PDF Xref detection is improved.
MM-3332	Engine logs for each message are now stored in the message file. The Console message viewer displays the available information in a separate tab.
MM-3367	Certain Office 2007 documents were not recognized due to internal structure. Fixed.
MM-3387	SQL code for database creation and upgrade is now within a transaction to allow easier rollback if problems are encountered.
MM-3410	DBlog files now correctly handle larger content.
MM-3419	Office 2007 files generated through the OpenXML SDK were not correctly unpacked. Fixed.
MM-3422	PDF unpacking has been improved, notably for Unicode and some encodings of images.
MM-3427	The MailMarshal database now supports index partitioning if installed on SQL Server Enterprise Edition (for new databases only).
MM-3456	User Defined and custom document properties are now unpacked and scanned in Word 2003 and Word 2007 documents.
MM-3472	The Server Tool now checks the validity of the configured database on startup (this allows the database to be re-created when the SQL server has been rebuilt).
MM-3494	Word documents encrypted with IRM in Word 2007 (2003 compatibility mode) were deadlettered. Fixed: these documents are correctly recognized.
MM-3513	Messages quarantined with a default release action of "skip remaining rules" were not reprocessed as requested upon release. Fixed.
MM-3514	Console Dashboard data was never purged from the database. Fixed.
MM-3538	The certificate used to sign executable files has been updated.
MM-3539	The message parking feature logged redundant messages when a message was unparked. Fixed.
MM-3550	Logging of low disk space warnings has been enhanced for readability.
MM-3551	The Array Manager could stop unexpectedly if a new database was created and configuration was not synchronized. Fixed.
MM-3598	PDF unpacking has been enhanced. Images, attachments, and annotations are unpacked.
MM-3604	Deadlettered messages can be passed through to users by rule action.
MM-3612	The integration with Norman Endpoint Protection is updated.
MM-3613	Retention and permissions for Deadletter folders are now set through the Configurator.
MM-3628	EMF files are now correctly unpacked and the contents are scanned. See also MM-3725.
MM-3649	Additional logging has been added in the Engine service for Dead Letter rule processing.
MM-3684	Error messages logged to the Event Log could cause issues due to recursive substitution of variables. Fixed.
MM-3696	PDF unpacking has been improved. Incorrect character strings are no longer present.
MM-3697	PDF unpacking now supports "linearized" PDF.
MM-3699	Selecting the default message digest template for new digests loaded additional incorrect characters. Fixed.
MM-3705	The Console and Configurator now use the terms "Content Analysis Policy" or "Content Analysis Log".
MM-3712	A more descriptive logging message is written by the Array Manager on shutdown when the SQL database is unavailable.
MM-3725	Files unpacked from EMF files (MM-3628) are only saved and scanned if they are of a recognized type. Type BIN (unknown) files are not saved.
MM-3770	Upgrade now provides more user friendly information about status during database upgrade.
MM-3771	Upgrade now provides more user friendly information about status while calculating time required for database upgrade.

7.0.2.2288 (July 14, 2011)

MEX-810	Upgrade required a restart to replace the Transport Agent. Fixed - no restart will be required.
MEX-817	Installation could fail because it did not correctly check that the local Exchange Server was configured with the Hub Transport role. Fixed.
MEX-819	Out of Office messages and other messages with a blank Sender field could result in a .BAD file in the Replay directory. Fixed.
MEX-827	Exchange Server did not generate delivery reports because MailMarshal Exchange did not copy recipient DSN data to the message envelope. Fixed.

7.0.1 (March 21, 2011)

Initial release of new architecture.

Legal Notice

All rights reserved. This document is protected by copyright and any distribution, reproduction, copying, or decompilation is strictly prohibited without the prior written consent of Trustwave. No part of this document may be reproduced in any form or by any means without the prior written authorization of Trustwave. While every precaution has been taken in the preparation of this document, Trustwave assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

While the authors have used their best efforts in preparing this document, they make no representation or warranties with respect to the accuracy or completeness of the contents of this document and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the author nor Trustwave shall be liable for any loss of profit or any commercial damages, including but not limited to direct, indirect, special, incidental, consequential, or other damages.

Trademarks

Trustwave and the Trustwave logo are trademarks of Trustwave. Such trademarks shall not be used, copied, or disseminated in any manner without the prior written permission of Trustwave.

About Trustwave®

Trustwave helps businesses fight cybercrime, protect data and reduce security risk. With cloud and managed security services, integrated technologies and a team of security experts, ethical hackers and researchers, Trustwave enables businesses to transform the way they manage their information security and compliance programs. More than three million businesses are enrolled in the Trustwave TrustKeeper® cloud platform, through which Trustwave delivers automated, efficient and cost-effective threat, vulnerability and compliance management. Trustwave is headquartered in Chicago, with customers in 96 countries. For more information about Trustwave, visit https://www.trustwave.com.