Trustwave SEG 8.0 Release Notes

(Previously known as MailMarshal SEG)

Last Revision: June 11, 2018

These notes are additional to the SEG User Guide and supersede information supplied in that Guide.

The information in this document is current as of the date of publication. To check for any later information, please see Trustwave Knowledge Base article Q20562.

New Features
System Requirements
Upgrade Instructions
Uninstalling
Release History

New Features

For more information about additional minor features and bug fixes, see the release history.

Features New in 8.0.1

SpamProfiler uses a new technology. The format of results is not changed. Required update URLs have changed. For more information about required URLs, see Knowledge Base article Q12992.

Features new in 8.0

Native 64-bit executables: Trustwave SEG is now compiled as a 64-bit application. Malware scanner plug-ins are also provided in 64-bit versions.
Default installation and Registry location:
- New installations default to the location %ProgramFiles%\Trustwave\Secure Email Gateway\
- New installations default to the Registry location HKey_Local_Machine\Software\Trustwave\Secure Email Gateway

Upgrades install the 64-bit software and move the Registry hive to the new location
Web Components are still a 32-bit application, and install by default to %ProgramFiles(x86)%\Trustwave\SEG Web Components\

Support for DMARC: Trustwave SEG now supports checking and reporting of DMARC information.
Enhancements to DKIM: DKIM Keys can be created and more easily managed in the Configurator.
Enhancements to TextCensor: TextCensor now supports regular expressions.
REST interface for configuration: Trustwave SEG now supports configuration update through a REST interface on the Array Manager.
IP Groups: Trustwave SEG now supports IP groups for rule matching.
Digesting for Outbound Messages: Digests of quarantined outgoing messages can now be sent to the internal sender.
Database Software Support: SQL Server 2008 and 2008 Express are no longer supported. SQL Server 2016 and 2016 Express are supported.
Operating System Support: Windows Server 2008 is no longer supported (note that Server 2008 R2 is supported).

Features new in 7.5.6

Bitdefender Anti-Virus Support: Trustwave SEG now supports integration with Bitdefender (Bitdefender for Marshal). Trial licenses support this package. For customer trial or purchase, contact Trustwave.

Features new in 7.5.5

TLS Delivery rule action: Delivery over TLS can be set for a message based on rule criteria (such as recipient domain)

Features new in 7.5

Operating System Support: Installation on Windows Server 2016 and Windows 10 is supported. Use of Windows 10 for server components is not recommended (as for all workstation operating systems).
New malware detection capability: SEG can now evaluate messages using the Yara Analysis Engine. Configuration scripts for this functionality are provided and updated by Trustwave SpiderLabs. Advanced users can create custom scripts.
New suspect URL detection capability: SEG can now evaluate URLs extracted from messages using a cloud based service. This service is available to customers with valid maintenance.
Enhanced unpacking and file type detection: For a list of updates in these areas, see the Unpacker Release Notes and File Type Release Notes linked from Trustwave Knowledge Base article Q20562.
Database Software Support: SQL Server 2005 and 2005 Express are no longer supported.

Features new in 7.3.6

Installation on Windows 10 Permitted: Trustwave SEG servers, Configurator, and Console can now be installed on Windows 10. Web Components installation on Windows 10 is not available in this release. Full validation will be performed in a later release.

Features new in 7.3.5

Support for Perfect Forward Secrecy: Trustwave SEG now supports PFS for TLS connections.
Improved Reputation Service provisioning: Retrieval of credentials for the IP Reputation Service is performed automatically by the Array Manager.
Database Software Support: SQL Server 2014 and 2014 Express are supported.
Enhanced File Type detection and unpacking: Additional file types are recognized, including encrypted and IRM protected Office documents, XFA forms in PDF, and ZixCorp Encrypted Mail. For more details see Trustwave Knowledge Base article Q20251. XPS Embedded fonts (ODTTF) are unpacked from XPS documents.

Features new in 7.3

Support for DKIM: Trustwave SEG now supports validation of messages using DKIM (DomainKeys Identified Mail).
Updated TLS support: TLS protocol versions 1.1 and 1.2 are now available. SSLv2 is disabled by default.
New SpamProfiler options: SpamProfiler uses a new technology. You can choose which sub-categories in the database trigger the condition.
Branding: The product is now known as Trustwave SEG.
Changes in hardware recommendations: The minimum recommended memory is 3GB (2GB available to SEG, 1GB for operating system), plus an additional 1GB if SQL Express is installed locally. This change reflects changes in typical email size and policy complexity.

System Requirements

The following system requirements are the minimum levels required for a typical installation of the Trustwave SEG Array Manager and selected database.

A full discussion of requirements for all supported configurations is available in the Trustwave SEG User Guide. See also Trustwave Knowledge Base article Q11358.

Table 1: System Requirements
Category	Requirements
Processor	Core i5 or similar performance
Disk Space	20GB (NTFS), and additional space to support email archiving
Memory	4GB (3GB available to SEG plus 1GB for operating system). Allow an additional 2GB if SQL Express is installed locally.
Supported Operating System	Windows Server 2008 R2 (SP1), Server 2012, Server 2012 R2, Server 2016 (Standard or Enterprise versions) ; Small Business Server 2011 Windows 7 (SP1), Windows 8, Windows 8.1, Windows 10 (Installation of server components on these workstation operating systems is not recommended) Note: Trustwave SEG Client components (Configurator and Console) can also be installed on Windows Vista SP2.
Network Access	TCP/IP protocol Domain structure External DNS name resolution - DNS MX record to allow Trustwave SEG Server to receive inbound email
Software	Microsoft .NET Framework 3.5 SP1 Database server: SQL Server 2016, SQL Server 2014, SQL Server 2012, SQL Server 2008 R2 (SP3) Database server (free versions): SQL 2016 Express, SQL 2014 Express, SQL 2012 Express, SQL 2008 R2 Express (SP3) (Service packs listed are the minimum required for compatibility with all supported operating systems)
Port Access	Port 53 - for DNS external email server name resolution Port 80 (HTTP) and Port 443 (HTTPS) - for SpamCensor updates Port 1433 - for connection to SQL Server database and Reports console computers Port 19001 - between Array Manager and Processing Nodes Note: Additional ports are required by the Nodes for email and updates.

Upgrade Instructions

Please review the SEG User Guide before upgrading.

Trustwave SEG 8.0 supports a direct upgrade from Trustwave SEG 7.3.0 and later versions. This is a change from 7.5.X and earlier.

If your installed version does not support direct upgrade, you can upgrade in steps.

You should also consider performing a clean installation instead of an upgrade.

Database Prerequisites

SQL 2008 R2 is the minimum SQL Server version supported. See the System Requirements section for the latest list of supported SQL Server versions. If your database is hosted on a SQL 2008 or 2005 server, before upgrading you must move the database to a supported SQL Server. See Trustwave Knowledge Base article Q10410.
SEG supports Windows Authentication as well as SQL Authentication. Mixed Mode is no longer required.

You can access a supported SQL Express version from the Prerequisites tab of the SEG installation package. The "With SQL Express" version of the package also allows you to install SQL Express during the main SEG installation.

Upgrading a Single Server

To upgrade a single SEG server from any version supporting direct upgrade, install the new version on the existing server. You do not need to uninstall your existing version. The database will be upgraded in place, if necessary.

Upgrading an Array of Servers

After upgrading the Array Manager you can upgrade the processing servers through the Configurator, with no need to log on to the processing servers. For more information, see the Upgrading section in the User Guide.

For upgrades to version 8.X from 7.X, you must upgrade processing servers manually. The Configurator option to upgrade processing servers is not available for this upgrade due to the nature of the changes required.

Upgrading From Older Versions

To upgrade from a version prior to 7.3.0, first upgrade to version 7.3.0. Full details about upgrading to version 7.3.0 from older versions can be found in the documentation for the target version.

Notes on Upgrading

Note: The information in this document is current as of the date of publication. To check for any later information, please see Trustwave Knowledge Base article Q20562.

Read the notes for all versions newer than your installed version. This list only includes information about versions newer than 7.3.0. For earlier versions, see the release notes of each version.

8.0.3 RPC version change: SEG 8.0.3 components are not compatible with earlier 8.0 releases. When upgrading to 8.0.3 you must upgrade all components including the Array Manager, processing servers, and user interfaces.
8.0.0 64-bit Installation: Upgrade uninstalls the 32-bit software and installs the 64-bit software in the new default location (or a location you select).
- The Registry settings and configuration files are moved to the new location. All configuration settings are preserved.
- Quarantine folders are not moved. You can move quarantine folders after the upgrade is complete. To change the default quarantine folder location and automatically move messages, after upgrade of processing nodes is complete use the SEG Server Tool on each node. To change custom folder locations, see folder properties in the Configurator.
- Malware/Virus scanners must be manually installed. 64-bit versions of all "for marshal" virus scanners are available.
  - You must manually install the 64-bit scanners on each processing node and complete the engine and signature updates before starting the new SEG engine.
  - If no other 32-bit products are using the scanners (WebMarshal or Trustwave ECM), you can uninstall the 32-bit scanner packages.
  - At this release, the Symantec and SAVI (Sophos) scanners are not supported, as 64-bit interfaces are not currently available. Trustwave intends to support these scanners in a later release. Note that Sophos for Marshal is available and can be used as an alternative to SAVI. To license Sophos for Marshal, contact Trustwave.
- Web Components installation does not support upgrade. You must manually uninstall the previous version and install the new version. When configuring SQM, ensure you select the same authentication mode as was previously selected.
- External Command custom executables in the original install location are not moved. Where the command definition uses the {install} variable, the installer updates configuration as required to continue to reference the original location.
  - Note: In the rare case of an array where the installation location on the nodes is not the same as the location on the Array Manager, this reference update will not work. In that case you must move the custom executable and modify configuration to reference it correctly.
- CountryCensor is NOT supported in SEG 8.X. You must remove any CountryCensor rules before upgrading.
- Any custom credentials used to run SEG services are not applied to the 8.0 services after upgrade from 7.X. You must update the credentials manually.
8.0.0 Upgrade Policy Groups: Upgrade creates policy groups and rules to implement BEC Fraud checking and DMARC functions.
8.0.0 SQL Server support: SQL 2008 and SQL Express 2008 are no longer supported. If your database is hosted on a SQL 2008 server, BEFORE upgrading you must move the database to a supported SQL Server. See Trustwave Knowledge Base article Q10410.
8.0.0 TLS Cipher default: Upgrade changes the default TLS cipher setting to "Medium" if it was set to "Low." The "Low" setting is renamed to "insecure compatibility" and should only be selected if required to communicate with servers that do not meet current best practice recommendations for TLS.
8.0.0 TextCensor upgrade: Version 8.0 implements a new TextCensor with slightly changed functionality. See the User Guide for details of the features and matching behavior. In rare cases the small changes in matching behavior could affect the sensitivity of scripts triggering.
- The upgrade process checks existing scripts for compatibility with the new engine. If any scripts are incompatible, you must update them manually before upgrade can proceed. A standalone tool is available to check compatibility before you start the upgrade process. See the upgrade download page.
8.0.0 Engine thread optimization: On upgrade, if the server thread setting was configured for a "Small" or "Large" site, the Engine thread setting is optimized to number of processors plus 1 for each processing server. If the thread setting was customized, the selected number is not changed. You should consider enabling optimization to enhance performance.
7.5.5 SpamProfiler integration update: The SpamProfiler module has been updated. The first start of the Receiver is expected to take longer than usual as the SpamProfiler cache is re-initialized.
7.5 SQL Server support: SQL 2005 and SQL Express 2005 are no longer supported. If your database is hosted on a SQL 2005 server, BEFORE upgrading you must move the database to a supported SQL Server. See Trustwave Knowledge Base article Q10410.
7.3.5 SSL/TLS support: After upgrade, for installations that used the default settings, TLSv1.0, TLSv1.1 and TLSv1.2 are enabled. SSLv2 and SSLv3 are disabled. When upgrading from versions below 7.3.0, any custom settings are reset. If custom settings were configured, or if you want to change the new settings, see Trustwave Knowledge Base article Q19541.
7.3.5 Bare CR/LF change: On upgrade, if the behavior for "bare" CR or LF characters was set to "ignore", it is changed to "fix." This change helps to detect and block malware or spam messages with invalid formatting. Ignore was the default in earlier versions.

Uninstalling

SEG can be installed in a variety of scenarios. For full information on uninstalling SEG from a production environment, see the Trustwave SEG User Guide.

To uninstall a trial installation on a single computer:

Close all instances of the SEG Configurator and SEG Console.
Use Add/Remove Programs from the Windows Control Panel to remove Trustwave SEG.
Use Add/Remove Programs from the Windows Control Panel to remove additional components you may have installed, such as Web components or the Marshal Reporting Console.
If you have installed any components (such as the Configurator, Console, Web components, or Marshal Reporting Console) on other computers, uninstall them.
If you have installed SQL Express specifically to support SEG and no other applications are using it, uninstall SQL Express.

Release History

The following additional items have been changed or updated in the specific build versions of Trustwave SEG (previously MailMarshal) listed.

Note: The information in this document is current as of the date of publication. To check for any later information, please see Trustwave Knowledge Base article Q20562.

8.0.7 (June 11, 2018)

MM-6365	The Receiver could stop unexpectedly when processing a malformed DMARC record. Fixed.
MM-6371	The version of Image Analyzer included in the installation has been updated to correct an issue with initialization on Windows 2016 servers.
MM-6373	DMARC message database logging could cause SQL deadlocks under heavy load. Fixed.
MM-6376	DMARC aggregate reports had an incorrect Content Type header. Fixed.
MM-6378	The version of Libtet (PDF unpacking) that is included in the installation has been updated.
MM-6379	The version of OpenSSL used by SEG has been updated.
MM-6382	.XZ compressed files are unpacked.
MM-6393	Adding message users to groups could cause delays on a busy system with large groups. Fixed.
MM-6395	The customized version of 7zip (archive unpacker) included in the installation has been updated to address known vulnerabilities. This update was also released to SEG Automatic Updates for earlier supported versions.
MM-6396	User group pruning performance has been enhanced.
MM-6452	The DKIM key text field on the DKIM window now includes a scrollbar to allow the full key to be viewed, and the ability to copy to the Clipboard.

8.0.6.10796 (March 6, 2018)

MM-4120	Folder names entered in the Configurator could include invalid characters. Fixed.
MM-6209	Domain and route entries could not contain the underscore character. Fixed.
MM-6261	For SEG Service Provider Edition installations, the sender no longer attempts to deliver messages to domains that resolve to loopback entries.
MM-6296	Default values used for message unpacking limits in the controller did not match the engine settings. Fixed.
MM-6298	Certain characters in email addresses caused DMARC validation to fail. Fixed.
MM-6300	The DMARC Report Service could stop when dealing with corrupted or large DMARC reports. Fixed.
MM-6301	Loading of IPv6 addresses in IP groups during array manager startup could fail under certain circumstances. Fixed.
MM-6302	The Array Manager did not always use the "preferred server for notifications" when it was available. Fixed.
MM-6315	The sender DNS cache could incorrectly return permanent DNS failures after two consecutive temporary failures. Fixed.
MM-6317	For SEG Service Provider Edition installations, the "Send a copy of the message to host" action no longer requires TLS when TLS is required for the recipient domain.
MM-6320	For SEG Service Provider Edition installations, retrieval of queue information through REST is more efficient.
MM-6321	The REST API could consume a large amount of CPU resource. Fixed.
MM-6323	In earlier 8.0 releases, message details could not be viewed in consoles if the message had been released for all recipients. Fixed.
MM-6331	The receiver now enforces TLS cipher strength ordering (strongest preferred) by default.
MM-6333	Minor improvements and corrections are made to REST API functionality.

8.0.5.10552 (December 7, 2017)

MM-5981	DKIM keys could not be replicated if the Array Manager and processing server were in unrelated domains. Fixed: It is possible to use a generic credential to connect. For details, contact Trustwave Technical Support.
MM-6166	DMARC reports were sent with a blank MAIL FROM. Fixed: reports are sent "from" the DMARC organizational address for the domain.
MM-6210	Messages could not be viewed in the Console if a custom file type was invoked, in some cases. Fixed.
MM-6211	The REST API now provides the ability to list, add, get, and edit TextCensor scripts.
MM-6235	In earlier 8.0 releases, stripping of attachments within archives did not work as expected. Fixed.
MM-6236	In earlier 8.0 releases, setting folder retention to an explicit value longer than 68 years caused unexpected deletion of all messages in the folder. Fixed.
MM-6238	Additional information about DKIM signing and verification is logged.
MM-6256	In earlier 8.0 releases, opening the Database tab of the server tool caused the tool to stop. Fixed.
MM-6258	In earlier 8.0 releases, TLS certificate expiry notifications were not sent from separate processing nodes. Fixed.

8.0.4.10434 (November 7, 2017)

MM-6134	In a database under heavy load, the user summarization stored procedure could time out. Fixed.
MM-6135	For SEG Service Provider Edition installations, queued messages can now be retrieved by customer ID.
MM-6136	The REST API now provides a check for availability of a remote delivery server.
MM-6152	In earlier 8.0 releases, the REST interface could fail to find a message. Fixed.
MM-6161	Configuration import failed when processing some valid combinations of nested user groups. Fixed.
MM-6163	In earlier 8.0 releases, Web Console installation did not present the option of Forms or NTLM authentication. Fixed.
MM-6164	Web Console installation did not enable Windows authentication on the virtual directory when NTLM authentication was specified. Fixed.

8.0.3.10302 (September 20, 2017)

MM-5999	On upgrade from 7.X, some Registry values that store time values were not correctly updated to REG_QWORD. Fixed.
MM-6005	Message stamping has been made more efficient.
MM-6030	The Configurator now shows the date created, date modified, and user names for each rule and policy group.
MM-6031	In earlier 8.0 releases, exceptions in the Yara module could cause the SEG Engine to stop. Fixed.
MM-6045	In earlier 8.0 releases, policy group schedules were not honored. Fixed.
MM-6090	The DMARC dashboard menu for domain selection did not honor the period selected. Fixed.
MM-6118	On upgrade from 7.X, the custom file type list (filetype.cfg) was not copied to all required locations. Fixed.
MM-6120	Changing the retention period on the DMARC Reports folder caused some other properties of the folder to be unset. Fixed.
MM-6121	DMARC Dashboard views in the Console can now be filtered by DMARC alignment status.
MM-6122	The version of Libtet (PDF unpacking) that is included in the installation has been updated.

8.0.2.10224 (August 11, 2017)

MM-3812	The SEG variables `{ServerAddressSender}` and `{ServerAddressRecipient}` were not correctly used when sending notification messages from templates. Fixed.
MM-5882	Receiver performance could be affected during a configuration reload. Fixed.
MM-5980	In earlier 8.0 releases, requests to upgrade nodes from the Configurator did not succeed. Fixed.
MM-5907	In earlier 8.0 releases the Hash module of Yara was not supported. Fixed. In addition, the version of the Yara Analysis Engine is updated to 1.0.4.
MM-5977	The Console RSS functionality has been improved.
MM-5979	Upgrade is blocked if CountryCensor rules or files are present.
MM-5993	Upgrading to earlier 8.0 releases could fail due to a lock on previous SpamProfiler executable files. Fixed.
MM-5995	On upgrade from 7.X, some Registry values that store time values were not correctly updated to REG_QWORD. Fixed.
MM-5996	Upgrade from 7.X did not check for a supported operating system version (Server 2008 R2 or above) before beginning to copy Registry keys. Fixed.
MM-5997	The version of Libtet (PDF unpacking) that is included in the installation has been updated.
MM-5998	On upgrade from 7.X, if the upgrade failed the manager listening port was set to 0. Fixed: the port is reverted to the previous value.
MM-6002	When a DMARC disposition was set on a message and the message was not quarantined, it was not delivered. Fixed.
MM-6004	Message stamping at the top of a HTML message did not always correctly identify the beginning of the HTML body. Fixed.
MM-6006	SpamProfiler scores and analysis are always logged to the Receiver log.
MM-6007	The TLD Difference evaluation for domain similarity matched on other local domain names. Fixed.
MM-6008	Items with a SpamProfiler score between 96 and 99 inclusive are tagged as "Spam-Suspect".
MM-6009	Console Audit logs now record opening the message detail.
MM-6010	Header matching now decodes headers (such as UTF-8 encoded headers) if required, and checks both raw and decoded text.
MM-6013	The Edit Distance evaluation for domain similarity could match on other exact local domain names. Fixed.
MM-6023	Cleanup of long paths in the unpacking directory has been improved.
MM-6024	The customized version of 7zip (archive unpacker) included with SEG has been updated.

8.0.1.10124 (July 10, 2017)

MM-5902	The customized version of 7zip (archive unpacker) included with SEG has been updated with long filename support.
MM-5904	Receiver socket buffer size is now set dynamically by default to enhance performance.
MM-5906	SPF Fail records can be viewed in the DMARC dashboard.
MM-5909	Calls to message repacking commands are now fully quoted.
MM-5914	In release 8.0.0, category scripts might not be run for all attachments. Fixed.
MM-5915	SpamCensor scanning of parent message and all attached messages has been improved.
MM-5917	On upgrade from versions below 8.X, the destination folder could not be chosen in some cases. Fixed. Also, some 32-bit DLLs are deleted on upgrade as not required.
MM-5918	XML files that were not category scripts could cause upgrade from versions below 8.X to stop. Fixed.
MM-5919	SpamProfiler technology has been updated. For upgrades from version below 7.5.8, the update URLs have changed. For more information about required URLs, see Knowledge Base article Q12992.
MM-5920	The version of Libtet (PDF unpacking) that is included in the installation has been updated.
MM-5961	On upgrade the SpamProfiler service is updated to the new technology as required.

8.0.0.9997 (June 20, 2017)

MM-1678	SEG variables can be used in Engine Header Rewrite rules.
MM-3142	A domain route can be explicitly marked as "down". Messages that would be delivered through this route will be held without retry or timeout until the route is marked as "up".
MM-3323	Server Properties, General page now shows correct server and time zone information for currently supported Windows versions.
MM-3391	The Engine service better handles stopping and restarting under load (for example with virus scanner reloading).
MM-3841	The Receiver connection count could display an incorrect very high number. Fixed.
MM-3905	Regular Expression checking of attachments in Category Scripts now searches over line breaks in the content by default.
MM-4293	Invalid date formatting in templates was not correctly handled. This issue could cause services to stop. Fixed: variables with invalid date formatting are not substituted.
MM-4386	Blended Threat rewriting incorrectly affected schema names in TNEF attachments. Fixed.
MM-4590	Installers and executables include manifests, as per Microsoft certification requirements.
MM-4836	The Sender service could stop unexpectedly in rare cases related to deadlettering of multiple messages. Fixed.
MM-4890	Server Thread settings can be configured for each processing server. Engine default settings are optimized by default, based on the number of processors on the individual server. On upgrade, customized settings are not changed.
MM-5128	URL rewriting for Blended Threat analysis uses a HTTPS link to the scanner if the original link is a HTTPS link.
MM-5214	Logging of TLS certificates to disk did not save the entire chain. Fixed.
MM-5248	When a message exceeds the maximum size for SpamProfiler evaluation, the truncated message is now evaluated.
MM-5253	CRL Distribution Points could not be extracted from certificates with a single v3 extension distribution point entry. Fixed.
MM-5273	DKIM library initialization is more efficient.
MM-5406	URL rewriting for Blended Threat analysis did not correctly handle links with @ characters in the path or query string. Fixed.
MM-5408	SPF evaluation supports IPv6.
MM-5409	URL rewriting for Blended Threat analysis passed an incorrectly escaped version of the URL to the scanner. Fixed.
MM-5420	All functions that require a list of Top Level Domains now use a copy of the Mozilla TLD file, which will be updated as required. The listing is used by Blended Threat rewriting, DMARC, and SpamSURBL functions.
MM-5446	SpamCensor Types evaluation could fail to trigger as expected because scoring was not summed correctly. Fixed.
MM-5447	When a message had invalid header format (no line breaks), the Receiver dropped the connection with no message. Fixed: the connection is terminated with a SMTP 554 response.
MM-5453	On upgrade, TextCensor scripts are checked for compatibility with the new version of the TextCensor engine.
MM-5474	Memory used for CRL list retrieval in the Receiver/OpenSSL was not fully released. Fixed.
MM-5478	The version of Libtet (PDF unpacking) that is included in the installation has been updated to 5.0.0.13
MM-5516	For SEG Service Provider Edition installations, if a connection was denied due to relaying restrictions, some other criteria were still checked to no purpose. Fixed.
MM-5517	TLS certificate manager in the Controller service has more efficient threading.
MM-5523	The Receiver service could stop due to problems in OpenSSL routines. Addressed with improvements in OpenSSL.
MM-5542	SpamCensor now scans a parent message and all attached messages.
MM-5565	On installation, logging when setting the MaxUserPort value is improved.
MM-5569	Digesting could fail when the SQL server default collation was Case Sensitive, due to inconsistent capitalization in a stored procedure. Fixed.
MM-5596	Management of DKIM keys and selectors has been enhanced. DKIM keys can be created directly in the Configurator.
MM-5623	The Controller could stop when importing a signed certificate with a blank password. Fixed.
MM-5624	The Yara functionality could not be completely updated through automatic updates. Fixed.
MM-5626	The version of the Yara Analysis Engine is updated to 1.0.3 (Yara codebase 3.5.0).
MM-5627	An incorrectly formatted or corrupt certificate or private key file could cause the Receiver or Sender service to stop. Fixed.
MM-5629	The Sender only loads a client certificate if it is requested by the remote server.
MM-5633	Loading of certificates in the Sender is improved.
MM-5642	The Receiver service could stop in specific cases due to an issue in TLS negotiation. Fixed.
MM-5643	Web Components installation on Windows Server 2016 did not check prerequisites. Fixed.
MM-5652	TextCensor could add blank lines to the Engine log. Fixed.
MM-5661	The version of OpenSSL used by SEG has been updated.
MM-5670	The default setting for minimum TLS cipher strength is set to "Medium" for new installations, and also on upgrade if the setting was "Low".
MM-5672	If a message processed through SEG does not include a Message-Id header, SEG adds this header to allow better tracking of any issues with onward delivery.
MM-5675	Loading and initialization of virus scanners has been made more efficient.
MM-5685	Default SSL cipher strings have been updated to disable "Diffie Hellman Authentication" ciphers, for compatibility with Exchange 2003 defaults.
MM-5696	Automatic updates now provide the ability to set parameters for file unpacking components.
MM-5717	When scanning a message with attached child messages, SpamCensor stops scanning at the first message that triggers and returns information about that message.
MM-5728	Email between local domain addresses that is checked by SpamProfiler is now validated with the Outbound SpamProfiler configuration.
MM-5777	GeoLite2 is used to provide geographical information for DMARC reports. GeoLite2 database updates are provided as part of the Automatic Updates to the Array Manager.
MM-5782	Business Email Compromise fraud detection is enhanced with the ability to enter and match local executive user names and addresses, and to check for domain similarity.
MM-5786	Category Script evaluation can now check SEG Envelope properties. For more details see the Advanced Anti-Spam document available from the SEG Documentation page (requires customer login).
MM-5793	Re-packing of a message could be unnecessarily triggered by the Blended Threat functionality if all URLs found were exempt from re-writing. Fixed.
MM-5807	The SpamProfiler executables have been updated.
MM-5808	Changes in TLS configuration are now applied to messages in the Sender retry queue.
MM-5812	Email addresses with certain invalid domain formats could cause the Sender to stop. Fixed: the affected messages are deadlettered.
MM-5813	A REST API call is available to delete messages from all queues based on search criteria.
MM-5826	Notification messages created by rule action are now identified by message name in the service logs.
MM-5829	If a CAB file contained a single file, the extracted file was incorrectly named. Fixed.
MM-5835	Category Script evaluation can now be used to check values in the headers of a message. For more details see the Advanced Anti-Spam document available from the SEG Documentation page (requires customer login).
MM-5836	Checking of free disk space has been made more efficient to avoid possible issues with slow disk access.
MM-5844	Category Script evaluation can now check for domain similarity (to enhance fraud detection). For more details see the Advanced Anti-Spam document available from the SEG Documentation page (requires customer login).

7.5.7.9061 (October 4, 2016)

MM-5521	For SEG Service Provider Edition installations, the SMTP relay denied response did not include any details of the source IP or recipient. Fixed.
MM-5524	Additional functions required for BTM rewriting have been moved to the file retrieved through automatic updates, to better support automatic updating.
MM-5541	For SEG Service Provider Edition installations, IP Relay source matching could function incorrectly where ranges entered by multiple customers and the Service Provider overlapped. Fixed.
MM-5548	For SEG Service Provider Edition installations, Marshal IP Reputation Service unlicensed notifications could be sent in error. Fixed.
MM-5568	The SEG Engine now reports "starting" for a longer period to reduce misleading "failed to start" reports from other services on slow systems.
MM-5599	BTM rewriting was unnecessarily rewriting links in signed messages, resulting in deadletters. Fixed.
MM-5609	The Engine could fail to restart because anti-virus DLLs did not exit completely before reporting as stopped to the Service Control Manager. Fixed.
MM-5610	For SEG Service Provider Edition installations, SpamProfiler now ignores certain checks for messages between SPE customers.
MM-5620	The OpenSSL library that SEG uses has been updated to version 1.0.2h.
MM-5622	The customized version of 7zip (archive unpacker) included with SEG has been updated to support newer decompression methods (version 16.02).
MM-5630	User group membership could be incorrectly updated (members could be missing) if an error occurred while refreshing a sub-group. Fixed.
MM-5640	For SEG Service Provider Edition installations, in certain cases IP based relay restrictions were not applied. Fixed.

7.5.6.8438 (May 31, 2016)

MM-5271	Proxy port entry for internet access allowed only four digits. Fixed: five digits are allowed.
MM-5274	CRL distribution points were not extracted from certificates with v3 extensions. Fixed.
MM-5277	Suspect URL detection did not correctly normalize some URLs before querying the service. Fixed.
MM-5278	TextCensor memory usage has been improved.
MM-5390	In release 7.5.5, top-level message attachments were not scanned by TextCensor. Fixed.
MM-5391	The list of event sources shown in the Console Event Viewer has been updated with the current malware scanners.
MM-5392	Certain malformed RTF message bodies caused the engine to stop. Fixed.
MM-5399	Text log files are better formatted for 5 digit thread IDs.
MM-5400	The customized version of 7zip (archive unpacker) included with SEG has been updated to address recently reported vulnerabilities in 7zip.
MM-5404	The SEG product version is no longer present in the SMTP greeting string by default.
MM-5405	TextCensor evaluation is no longer single-threaded.

7.5.5.8150 (March 3, 2016)

MM-5195	In recent releases, the message viewer did not provide information about message components for delivered messages. Fixed: this information is retrieved from the database if a full message file is not present on disk.
MM-5196	If a message was marked temporarily undeliverable during a configuration reload, it would not be retried until the Sender was restarted. Fixed.
MM-5198	Whitespace at the start or end of plain text message stamps is no longer trimmed when edited and saved. Blank lines can be added for formatting.
MM-5208	TextCensor now does not check sub-components when the parent has already been scanned or excepted from scanning.
MM-5209	Attempts to retrieve CRLs from a location that could not be reached caused the Controller to stop. Fixed.
MM-5210	In previous 7.5 releases, Libcurl did not correctly process gzip encoded web responses. Fixed. In addition, the version of libcurl included with the product is updated to 7.46.0.
MM-5211	The header Reply-To field is now available as a template variable {Header-Reply-To}. The message return path is used if Reply-To is not set.
MM-5212	The OpenSSL library that SEG uses has been updated to version 1.0.1q.
MM-5218	Signing of executable files now uses a SHA256 certificate.
MM-5220	YAE scripts now support the Hash function of Yara.
MM-5238	The SpamProfiler integration SDK has been upgraded.
MM-5240	For SEG Service Provider Edition installations, RBL license notification emails are not sent if the installation is not licensed.
MM-5242	Uninstallation of the SQM site did not de-register the interface DLL. Fixed.
MM-5247	Logging of quarantine release actions to the service text logs has been improved.
MM-5251	For new installations, the Malware - AMAX folder is included in the virus reporting group.

7.5.1.8064 (December 8, 2015)

MM-5200

In release 7.5.0, reporting a message as spam or not spam caused the Controller service to stop. Fixed.

7.5.0.8055 (November 24, 2015)

MM-4251	SEG now corrects headers that violate the RFC limit of 998 characters, "folding" the header onto multiple lines by default.
MM-4726	File name checking could fail for very long MIME encoded file names. Fixed.
MM-4727	Improved decoding of MIME Encoded-Word content has been implemented for message subject display (digests and console), Header Rewrite, and filename rules.
MM-4832	Multi-line content-disposition headers were not extracted correctly, so attachments with long file names might be incorrectly filtered. Fixed.
MM-4883	Libcurl is updated to use Visual Studio 2013.
MM-4909	Additional file types have been added to support anti-spam scanning. These types are not currently selectable in rules.
MM-4961	The default name of the product database for new installations is now TrustwaveSEG. Upgrading does not alter the database name.
MM-4999	A setting is available to control acceptance of multiple HELO commands within a session. For details of this advanced option, contact Trustwave Support.
MM-5038	For SEG Service Provider Edition installations, the From address for spam and not spam reports can be set as required.
MM-5049	Long-running Receiver threads could incorrectly log a low data transfer rate. Fixed.
MM-5054	URL rewriting for BTM incorrectly treated text with two consecutive dots as a URL if the text after the dots was a valid TLD. Fixed.
MM-5065	When a user selects SpamProfiler options with potential for higher false positives in the Configurator, an extra confirmation message is presented.
MM-5069	Default message template text and From addresses (for new installations) have been branded for Trustwave.
MM-5077	Some URLs containing escaped characters were not rewritten for Blended Threats inspection. Fixed.
MM-5085	Image Analyzer has been updated to version 6. This version offers 30%-60% fewer false positives for the same level of detection, depending on the sensitivity setting.
MM-5115	The OpenSSL library that SEG uses has been updated to version 1.0.1p.
MM-5124	A small memory cleanup issue in the Array Manager has been corrected.
MM-5135	The default Scams TextCensor Script is updated for new installations.
MM-5164	A new YAE based rule to detect malformed PDF documents is included on new installations and in the Upgrade Rules policy group for upgrades.
MM-5173	The version of libcurl included with the product is updated to 7.44.0.

7.3.6.7949 (September 10, 2015)

MM-5141	The Engine and Array Manager are now able to access up to 4GB of memory on a 64 bit system. Larger rulesets can be loaded without issues and performance enhancement is expected.
MM-5143	The version of Libtet (PDF unpacking) that is included in the installation has been updated to 4.4.0.8
MM-5144	URL rewriting for BTM incorrectly treated some inline CSS declarations as URLs. Fixed.
MM-5145	Deletion of unpacked files with certain filenames could fail. Addressed by re-trying the deletion with no string parsing of the file name.

7.3.5.7612 (April 21, 2015)

MM-3499	Configuration import could fail due to incorrect case-sensitive comparison of user group members. Fixed.
MM-3509	Active Directory authentication for SQM failed for users with a text name containing [ ] characters. Fixed.
MM-4709	TLS can now be configured with specific lists of cipher suites, overriding the generic selections. For details of this advanced option, contact Trustwave Support.
MM-4823	A problem with group synchronization in the Controller could cause the Receiver to stop processing messages. Fixed.
MM-4837	Clean installations no longer install MSXML4.
MM-4857	The Receiver now supports ECDHE key exchange for PFS (TLS "Perfect Forward Secrecy").
MM-4862	Some utility files such as TextCensor2 DLLs might not be correctly updated on upgrade. Fixed: upgrade checks file version numbers instead of creation dates.
MM-4863	Links enclosed in round brackets and rewritten by the Blended Threats function incorrectly included the trailing round bracket in the rewritten link. Fixed.
MM-4864	For SEG Service Provider Edition installations, relay source checking was not limited to specific customer domains. Fixed.
MM-4866	Cleanup of OpenSSL sessions has been improved.
MM-4867	Service executable paths were not quoted. Fixed.
MM-4869	Notification messages created by the Engine are now DKIM signed if required.
MM-4872	TLS now disables SSLv3 by default as per recent security best practice.
MM-4873	TLS cipher lists now exclude Anonymous, MD5, RC4, and IDEA ciphers as per recent security best practice.
MM-4874	Text logging includes better thread information.
MM-4876	The FileType DLL is now replaceable through the automatic update process.
MM-4880	The OpenSSL DLLs are now replaceable through the automatic update process.
MM-4892	UUEncoded streams in the message body could be altered by the Blended Threats function. Fixed.
MM-4911	DKIM signing failed in some cases for email with headers longer than 2048 bytes. Fixed.
MM-4930	The version of Libtet (PDF unpacking) that is included in the installation has been updated to 4.4.0.1.
MM-4932	By default "bare" CR or LF characters in messages are changed to CRLF.
MM-4933	For SEG Service Provider Edition installations, some earlier versions allowed an incorrect entry of a hostname as the "forward to IP." Fixed: On upgrade the configuration is corrected to use these entries as hostnames.
MM-4935	Additional indexing is performed on the Message table in the database to enhance performance.
MM-4944	For SEG Service Provider Edition installations, SpamProfiler could apply the wrong direction for scanning. Fixed.
MM-4945	The Controller log now records DNS query responses that took over 1 second.
MM-4948	DKIM signing and verification incorrectly ignored whitespace at the top of the message body in text-only messages. Fixed.
MM-4951	Slow DNS responses could cause the Receiver to stop accepting messages. Addressed with changes to the process that updates lists of anti-relay and blocked hosts.
MM-4952	The version of libcurl included with the product is updated to 7.41.0.
MM-4960	SpamProfiler "valid bulk" classifications were not triggered due to unexpected format in data returned by SpamProfiler. Fixed.
MM-4965	URLCensor could perform unnecessary checks for incorrect URLs. Fixed.
MM-4968	SpamProfiler uses the same criteria for "inbound" and "outbound" messages that are used for other processing.
MM-4969	Full information about TLS negotiation is saved in the local message envelope.
MM-4979	Logging of DoS, DHA, relay, and other Receiver block events to the Event Log can be suppressed. For more information, see Trustwave Knowledge Base articles Q20228.
MM-4988	SpamProfiler responses were slow if IPv6 was enabled on the server. Fixed. The processing nodes MUST have a loopback adapter listening on the default IPv4 loopback address 127.0.0.1.
MM-4990	SpamProfiler responses were slow due to settings applied to the HTTP connection with the local SpamProfiler process. Fixed.
MM-5001	For SEG Service Provider Edition installations, Customer ID was not correctly determined for some Out Of Office messages. Fixed.
MM-5002	Blended Threats rewriting of subject lines added a space to the line. Fixed.
MM-5028	The OpenSSL library that SEG uses has been updated to version 1.0.1m.

7.3.0.7277 (October 10, 2014)

MM-3597	The last lines of the Receiver log were not captured into the message envelope as expected. Fixed.
MM-4514	Email notifications are sent to the SEG Administrator from the local server when maintenance is about to expire or has expired.
MM-4591	The file extension .cpl has been added to the default Suspect Attachments rules.
MM-4628	File components that do not trigger a rule condition now do not add a line in text logs by default.
MM-4629	Visual C++ 2013 redistributables are now included in the installation.
MM-4674	The "monitor only" installation option and policy group have been removed.
MM-4706	DNS results were truncated if they exceeded the UDP packet size (notably when a large number of PTR records existed). Fixed by enabling EDNS0 in the DNS resolver.
MM-4710	Unpacking of XML based Excel documents now gets text from additional tags.
MM-4711	Unpacking of XML based Office Documents uses a simpler and more efficient parser.
MM-4723	Extracted binary unknown files could cause the engine to stop in TextCensor2 analysis due to improper formatting of extracted filenames. Fixed.
MM-4725	Moving or inserting User Groups by drag and drop now prompts for confirmation by default.
MM-4727	Better support for decoding Quoted Printable strings is provided.
MM-4729	For SEG Service Provider Edition installations, group information is loaded more efficiently.
MM-4731	Deleting User Groups now prompts for confirmation by default (in addition to the check for groups used in policy).
MM-4748	The OpenSSL library that SEG uses has been updated to version 1.0.1i.
MM-4753	Calls to TextCensor2 did not correctly handle the case where the requested file could not be opened. Fixed.
MM-4760	The default theme of SQM has been updated to a Trustwave branded theme.
MM-4764	The Array Manager could encounter a database deadlock when manipulating folder records. Fixed.
MM-4766	If a message file was manually deleted from the queue, the sender service could become unresponsive. Fixed.
MM-4767	When releasing a message through a digest link, a text note about adding the sender to safe senders was displayed in error. Fixed.
MM-4773	Default values for suspicious compression and max header lines have been updated to reflect current email sizes. Additional unpacking space could be required. See Trustwave Knowledge Base articles Q10868 and Q11369.
MM-4774	Links with query parameters could be invalidated when processed by a Blended Threats rewriting rule. Fixed.
MM-4781	Utility DLL files used by TextCensor have been reverted to the version installed with SEG 7.2.2.
MM-4786	The product End User License Agreement has been updated.
MM-4789	The storage location for automatic configuration backups can be set. See Trustwave Knowledge Base article Q19556.
MM-4795	SMTP Authentication failed with some remote systems due to incorrectly encoded strings. Fixed.
MM-4797	TLS Certificate verification in Connection rules did not work when SMTP Authentication was enabled. Fixed.
MM-4799	When adding a new node to an array, the node controller service could fail on startup, due to a problem with IP whitelist retrieval. Fixed.
MM-4821	A record of the creation and last modification of rules and policies (by user and time) is now stored in the Registry.
MM-4834	Messages with malformed headers containing bare linefeeds could cause the Receiver to fail in some cases. Fixed.

To review Release History prior to version 7.3.0, please see the Release Notes for the specific versions.

Legal Notice

All rights reserved. This document is protected by copyright and any distribution, reproduction, copying, or decompilation is strictly prohibited without the prior written consent of Trustwave. No part of this document may be reproduced in any form or by any means without the prior written authorization of Trustwave. While every precaution has been taken in the preparation of this document, Trustwave assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

While the authors have used their best efforts in preparing this document, they make no representation or warranties with respect to the accuracy or completeness of the contents of this document and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the author nor Trustwave shall be liable for any loss of profit or any commercial damages, including but not limited to direct, indirect, special, incidental, consequential, or other damages.

Trademarks

Trustwave and the Trustwave logo are trademarks of Trustwave. Such trademarks shall not be used, copied, or disseminated in any manner without the prior written permission of Trustwave.

About Trustwave®

Trustwave helps businesses fight cybercrime, protect data and reduce security risk. With cloud and managed security services, integrated technologies and a team of security experts, ethical hackers and researchers, Trustwave enables businesses to transform the way they manage their information security and compliance programs. More than three million businesses are enrolled in the Trustwave TrustKeeper® cloud platform, through which Trustwave delivers automated, efficient and cost-effective threat, vulnerability and compliance management. Trustwave is headquartered in Chicago, with customers in 96 countries. For more information about Trustwave, visit https://www.trustwave.com.