Trustwave SEG 8.0 Release Notes

(Previously known as MailMarshal SEG)

Last Revision: June 11, 2018

These notes are additional to the SEG User Guide and supersede information supplied in that Guide.

The information in this document is current as of the date of publication. To check for any later information, please see Trustwave Knowledge Base article Q20562.

Table of Contents

New Features
System Requirements
Upgrade Instructions
Uninstalling
Release History

New Features

For more information about additional minor features and bug fixes, see the release history.

Features new in 8.0.1

Features new in 8.0

Features new in 7.5.6

Features new in 7.5.5

Features new in 7.5

Features new in 7.3.6

Features new in 7.3.5

Features new in 7.3

System Requirements

The following system requirements are the minimum levels required for a typical installation of the Trustwave SEG Array Manager and selected database.

Table 1: System Requirements
Category: Requirements
Processor: Core i5 or similar performance
Disk Space: 20GB (NTFS), and additional space to support email archiving
Memory: 4GB (3GB available to SEG plus 1GB for operating system). Allow an additional 2GB if SQL Express is installed locally.
Supported Operating System:
  • Windows Server 2008 R2 (SP1), Server 2012, Server 2012 R2, Server 2016 (Standard or Enterprise versions); Small Business Server 2011
  • Windows 7 (SP1), Windows 8, Windows 8.1, Windows 10 (Installation of server components on these workstation operating systems is not recommended)
    Note: Trustwave SEG Client components (Configurator and Console) can also be installed on Windows Vista SP2.
Network Access:
  • TCP/IP protocol
  • Domain structure
  • External DNS name resolution - DNS MX record to allow Trustwave SEG Server to receive inbound email
Software:
  • Microsoft .NET Framework 3.5 SP1
  • Database server: SQL Server 2016, SQL Server 2014, SQL Server 2012, SQL Server 2008 R2 (SP3)
  • Database server (free versions): SQL 2016 Express, SQL 2014 Express, SQL 2012 Express, SQL 2008 R2 Express (SP3)
    (Service packs listed are the minimum required for compatibility with all supported operating systems)
Port Access:
  • Port 53 - for DNS external email server name resolution
  • Port 80 (HTTP) and Port 443 (HTTPS) - for SpamCensor updates
  • Port 1433 - for connection to SQL Server database and Reports console computers
  • Port 19001 - between Array Manager and Processing Nodes
Note: Additional ports are required by the Nodes for email and updates.

Upgrade Instructions

Please review the SEG User Guide before upgrading.  

Trustwave SEG 8.0 supports a direct upgrade from Trustwave SEG 7.3.0 and later versions. This is a change from 7.5.X and earlier.

If your installed version does not support direct upgrade, you can upgrade in steps.

Database Prerequisites

You can access a supported SQL Express version from the Prerequisites tab of the SEG installation package. The "With SQL Express" version of the package also allows you to install SQL Express during the main SEG installation.

Upgrading a Single Server

To upgrade a single SEG server from any version supporting direct upgrade, install the new version on the existing server. You do not need to uninstall your existing version. The database will be upgraded in place, if necessary.

Upgrading an Array of Servers

After upgrading the Array Manager you can upgrade the processing servers through the Configurator, with no need to log on to the processing servers. For more information, see the Upgrading section in the User Guide.

Upgrading From Older Versions

To upgrade from a version prior to 7.3.0, first upgrade to version 7.3.0. Full details about upgrading to version 7.3.0 from older versions can be found in the documentation for the target version.

Notes on Upgrading

Read the notes for all versions newer than your installed version. This list only includes information about versions newer than 7.3.0. For earlier versions, see the release notes of each version.

Uninstalling

SEG can be installed in a variety of scenarios. For full information on uninstalling SEG from a production environment, see the Trustwave SEG User Guide.

To uninstall a trial installation on a single computer:

  1. Close all instances of the SEG Configurator and SEG Console.
  2. Use Add/Remove Programs from the Windows Control Panel to remove Trustwave SEG.
  3. Use Add/Remove Programs from the Windows Control Panel to remove additional components you may have installed, such as Web components or the Marshal Reporting Console.
  4. If you have installed any components (such as the Configurator, Console, Web components, or Marshal Reporting Console) on other computers, uninstall them.
  5. If you have installed SQL Express specifically to support SEG and no other applications are using it, uninstall SQL Express.

Release History

The following additional items have been changed or updated in the specific build versions of Trustwave SEG (previously MailMarshal) listed.

8.0.7 (June 11, 2018)

MM-6365 The Receiver could stop unexpectedly when processing a malformed DMARC record. Fixed.
MM-6371 The version of Image Analyzer included in the installation has been updated to correct an issue with initialization on Windows 2016 servers.
MM-6373 DMARC message database logging could cause SQL deadlocks under heavy load. Fixed.
MM-6376 DMARC aggregate reports had an incorrect Content Type header. Fixed.
MM-6378 The version of Libtet (PDF unpacking) that is included in the installation has been updated.
MM-6379 The version of OpenSSL used by SEG has been updated.
MM-6382 .XZ compressed files are unpacked.
MM-6393 Adding message users to groups could cause delays on a busy system with large groups. Fixed.
MM-6395 The customized version of 7zip (archive unpacker) included in the installation has been updated to address known vulnerabilities. This update was also released to SEG Automatic Updates for earlier supported versions.
MM-6396 User group pruning performance has been enhanced.
MM-6452 The DKIM key text field on the DKIM window now includes a scrollbar to allow the full key to be viewed, and the ability to copy to the Clipboard.

8.0.6.10796 (March 6, 2018)

MM-4120 Folder names entered in the Configurator could include invalid characters. Fixed.
MM-6209 Domain and route entries could not contain the underscore character. Fixed.
MM-6261 For SEG Service Provider Edition installations, the sender no longer attempts to deliver messages to domains that resolve to loopback entries.
MM-6296 Default values used for message unpacking limits in the controller did not match the engine settings. Fixed.
MM-6298 Certain characters in email addresses caused DMARC validation to fail. Fixed.
MM-6300 The DMARC Report Service could stop when dealing with corrupted or large DMARC reports. Fixed.
MM-6301 Loading of IPv6 addresses in IP groups during array manager startup could fail under certain circumstances. Fixed.
MM-6302 The Array Manager did not always use the "preferred server for notifications" when it was available. Fixed.
MM-6315 The sender DNS cache could incorrectly return permanent DNS failures after two consecutive temporary failures. Fixed.
MM-6317 For SEG Service Provider Edition installations, the "Send a copy of the message to host" action no longer requires TLS when TLS is required for the recipient domain.
MM-6320 For SEG Service Provider Edition installations, retrieval of queue information through REST is more efficient.
MM-6321 The REST API could consume a large amount of CPU resource. Fixed.
MM-6323 In earlier 8.0 releases, message details could not be viewed in consoles if the message had been released for all recipients. Fixed.
MM-6331 The receiver now enforces TLS cipher strength ordering (strongest preferred) by default.
MM-6333 Minor improvements and corrections are made to REST API functionality.

8.0.5.10552 (December 7, 2017)

MM-5981 DKIM keys could not be replicated if the Array Manager and processing server were in unrelated domains. Fixed: It is possible to use a generic credential to connect. For details, contact Trustwave Technical Support.
MM-6166 DMARC reports were sent with a blank MAIL FROM. Fixed: reports are sent "from" the DMARC organizational address for the domain.
MM-6210 Messages could not be viewed in the Console if a custom file type was invoked, in some cases. Fixed.
MM-6211 The REST API now provides the ability to list, add, get, and edit TextCensor scripts.
MM-6235 In earlier 8.0 releases, stripping of attachments within archives did not work as expected. Fixed.
MM-6236 In earlier 8.0 releases, setting folder retention to an explicit value longer than 68 years caused unexpected deletion of all messages in the folder. Fixed.
MM-6238 Additional information about DKIM signing and verification is logged.
MM-6256 In earlier 8.0 releases, opening the Database tab of the server tool caused the tool to stop. Fixed.
MM-6258 In earlier 8.0 releases, TLS certificate expiry notifications were not sent from separate processing nodes. Fixed.

8.0.4.10434 (November 7, 2017)

MM-6134 In a database under heavy load, the user summarization stored procedure could time out. Fixed.
MM-6135 For SEG Service Provider Edition installations, queued messages can now be retrieved by customer ID.
MM-6136 The REST API now provides a check for availability of a remote delivery server.
MM-6152 In earlier 8.0 releases, the REST interface could fail to find a message. Fixed.
MM-6161 Configuration import failed when processing some valid combinations of nested user groups. Fixed.
MM-6163 In earlier 8.0 releases, Web Console installation did not present the option of Forms or NTLM authentication. Fixed.
MM-6164 Web Console installation did not enable Windows authentication on the virtual directory when NTLM authentication was specified. Fixed.

8.0.3.10302 (September 20, 2017)

MM-5999 On upgrade from 7.X, some Registry values that store time values were not correctly updated to REG_QWORD. Fixed.
MM-6005 Message stamping has been made more efficient.
MM-6030 The Configurator now shows the date created, date modified, and user names for each rule and policy group.
MM-6031 In earlier 8.0 releases, exceptions in the Yara module could cause the SEG Engine to stop. Fixed.
MM-6045 In earlier 8.0 releases, policy group schedules were not honored. Fixed.
MM-6090 The DMARC dashboard menu for domain selection did not honor the period selected. Fixed.
MM-6118 On upgrade from 7.X, the custom file type list (filetype.cfg) was not copied to all required locations. Fixed.
MM-6120 Changing the retention period on the DMARC Reports folder caused some other properties of the folder to be unset. Fixed.
MM-6121 DMARC Dashboard views in the Console can now be filtered by DMARC alignment status.
MM-6122 The version of Libtet (PDF unpacking) that is included in the installation has been updated.

8.0.2.10224 (August 11, 2017)

MM-3812 The SEG variables {ServerAddressSender} and {ServerAddressRecipient} were not correctly used when sending notification messages from templates. Fixed.
MM-5882 Receiver performance could be affected during a configuration reload. Fixed.
MM-5980 In earlier 8.0 releases, requests to upgrade nodes from the Configurator did not succeed. Fixed.
MM-5907 In earlier 8.0 releases the Hash module of Yara was not supported. Fixed. In addition, the version of the Yara Analysis Engine is updated to 1.0.4.
MM-5977 The Console RSS functionality has been improved.
MM-5979 Upgrade is blocked if CountryCensor rules or files are present.
MM-5993 Upgrading to earlier 8.0 releases could fail due to a lock on previous SpamProfiler executable files. Fixed.
MM-5995 On upgrade from 7.X, some Registry values that store time values were not correctly updated to REG_QWORD. Fixed.
MM-5996 Upgrade from 7.X did not check for a supported operating system version (Server 2008 R2 or above) before beginning to copy Registry keys. Fixed.
MM-5997 The version of Libtet (PDF unpacking) that is included in the installation has been updated.
MM-5998 On upgrade from 7.X, if the upgrade failed the manager listening port was set to 0. Fixed: the port is reverted to the previous value.
MM-6002 When a DMARC disposition was set on a message and the message was not quarantined, it was not delivered. Fixed.
MM-6004 Message stamping at the top of an HTML message did not always correctly identify the beginning of the HTML body. Fixed.
MM-6006 SpamProfiler scores and analysis are always logged to the Receiver log.
MM-6007 The TLD Difference evaluation for domain similarity matched on other local domain names. Fixed.
MM-6008 Items with a SpamProfiler score between 96 and 99 inclusive are tagged as "Spam-Suspect".
MM-6009 Console Audit logs now record opening the message detail.
MM-6010 Header matching now decodes headers (such as UTF-8 encoded headers) if required, and checks both raw and decoded text.
MM-6013 The Edit Distance evaluation for domain similarity could match on other exact local domain names. Fixed.
MM-6023 Cleanup of long paths in the unpacking directory has been improved.
MM-6024 The customized version of 7zip (archive unpacker) included with SEG has been updated.

8.0.1.10124 (July 10, 2017)

MM-5902 The customized version of 7zip (archive unpacker) included with SEG has been updated with long filename support.
MM-5904 Receiver socket buffer size is now set dynamically by default to enhance performance.
MM-5906 SPF Fail records can be viewed in the DMARC dashboard.
MM-5909 Calls to message repacking commands are now fully quoted.
MM-5914 In release 8.0.0, category scripts might not be run for all attachments. Fixed.
MM-5915 SpamCensor scanning of parent message and all attached messages has been improved.
MM-5917 On upgrade from versions below 8.X, the destination folder could not be chosen in some cases. Fixed. Also, some 32-bit DLLs are deleted on upgrade as not required.
MM-5918 XML files that were not category scripts could cause upgrade from versions below 8.X to stop. Fixed.
MM-5919 SpamProfiler technology has been updated. For upgrades from versions below 7.5.8, the update URLs have changed. For more information about required URLs, see Knowledge Base article Q12992.
MM-5920 The version of Libtet (PDF unpacking) that is included in the installation has been updated.
MM-5961 On upgrade the SpamProfiler service is updated to the new technology as required.

8.0.0.9997 (June 20, 2017)

MM-1678 SEG variables can be used in Engine Header Rewrite rules.
MM-3142 A domain route can be explicitly marked as "down". Messages that would be delivered through this route will be held without retry or timeout until the route is marked as "up".
MM-3323 Server Properties, General page now shows correct server and time zone information for currently supported Windows versions.
MM-3391 The Engine service better handles stopping and restarting under load (for example with virus scanner reloading).
MM-3841 The Receiver connection count could display an incorrect very high number. Fixed.
MM-3905 Regular Expression checking of attachments in Category Scripts now searches over line breaks in the content by default.
MM-4293 Invalid date formatting in templates was not correctly handled. This issue could cause services to stop. Fixed: variables with invalid date formatting are not substituted.
MM-4386 Blended Threat rewriting incorrectly affected schema names in TNEF attachments. Fixed.
MM-4590 Installers and executables include manifests, as per Microsoft certification requirements.
MM-4836 The Sender service could stop unexpectedly in rare cases related to deadlettering of multiple messages. Fixed.
MM-4890 Server Thread settings can be configured for each processing server. Engine default settings are optimized by default, based on the number of processors on the individual server. On upgrade, customized settings are not changed.
MM-5128 URL rewriting for Blended Threat analysis uses an HTTPS link to the scanner if the original link is an HTTPS link.
MM-5214 Logging of TLS certificates to disk did not save the entire chain. Fixed.
MM-5248 When a message exceeds the maximum size for SpamProfiler evaluation, the truncated message is now evaluated.
MM-5253 CRL Distribution Points could not be extracted from certificates with a single v3 extension distribution point entry. Fixed.
MM-5273 DKIM library initialization is more efficient.
MM-5406 URL rewriting for Blended Threat analysis did not correctly handle links with @ characters in the path or query string. Fixed.
MM-5408 SPF evaluation supports IPv6.
MM-5409 URL rewriting for Blended Threat analysis passed an incorrectly escaped version of the URL to the scanner. Fixed.
MM-5420 All functions that require a list of Top Level Domains now use a copy of the Mozilla TLD file, which will be updated as required. The listing is used by Blended Threat rewriting, DMARC, and SpamSURBL functions.
MM-5446 SpamCensor Types evaluation could fail to trigger as expected because scoring was not summed correctly. Fixed.
MM-5447 When a message had invalid header format (no line breaks), the Receiver dropped the connection with no message. Fixed: the connection is terminated with an SMTP 554 response.
MM-5453 On upgrade, TextCensor scripts are checked for compatibility with the new version of the TextCensor engine.
MM-5474 Memory used for CRL list retrieval in the Receiver/OpenSSL was not fully released. Fixed.
MM-5478 The version of Libtet (PDF unpacking) that is included in the installation has been updated to 5.0.0.13.
MM-5516 For SEG Service Provider Edition installations, if a connection was denied due to relaying restrictions, some other criteria were still checked to no purpose. Fixed.
MM-5517 TLS certificate manager in the Controller service has more efficient threading.
MM-5523 The Receiver service could stop due to problems in OpenSSL routines. Addressed with improvements in OpenSSL.
MM-5542 SpamCensor now scans a parent message and all attached messages.
MM-5565 On installation, logging when setting the MaxUserPort value is improved.
MM-5569 Digesting could fail when the SQL server default collation was Case Sensitive, due to inconsistent capitalization in a stored procedure. Fixed.
MM-5596 Management of DKIM keys and selectors has been enhanced. DKIM keys can be created directly in the Configurator.
MM-5623 The Controller could stop when importing a signed certificate with a blank password. Fixed.
MM-5624 The Yara functionality could not be completely updated through automatic updates. Fixed.
MM-5626 The version of the Yara Analysis Engine is updated to 1.0.3 (Yara codebase 3.5.0).
MM-5627 An incorrectly formatted or corrupt certificate or private key file could cause the Receiver or Sender service to stop. Fixed.
MM-5629 The Sender only loads a client certificate if it is requested by the remote server.
MM-5633 Loading of certificates in the Sender is improved.
MM-5642 The Receiver service could stop in specific cases due to an issue in TLS negotiation. Fixed.
MM-5643 Web Components installation on Windows Server 2016 did not check prerequisites. Fixed.
MM-5652 TextCensor could add blank lines to the Engine log. Fixed.
MM-5661 The version of OpenSSL used by SEG has been updated.
MM-5670 The default setting for minimum TLS cipher strength is set to "Medium" for new installations, and also on upgrade if the setting was "Low".
MM-5672 If a message processed through SEG does not include a Message-Id header, SEG adds this header to allow better tracking of any issues with onward delivery.
MM-5675 Loading and initialization of virus scanners has been made more efficient.
MM-5685 Default SSL cipher strings have been updated to disable "Diffie Hellman Authentication" ciphers, for compatibility with Exchange 2003 defaults.
MM-5696 Automatic updates now provide the ability to set parameters for file unpacking components.
MM-5717 When scanning a message with attached child messages, SpamCensor stops scanning at the first message that triggers and returns information about that message.
MM-5728 Email between local domain addresses that is checked by SpamProfiler is now validated with the Outbound SpamProfiler configuration.
MM-5777 GeoLite2 is used to provide geographical information for DMARC reports. GeoLite2 database updates are provided as part of the Automatic Updates to the Array Manager.
MM-5782 Business Email Compromise fraud detection is enhanced with the ability to enter and match local executive user names and addresses, and to check for domain similarity.
MM-5786 Category Script evaluation can now check SEG Envelope properties. For more details see the Advanced Anti-Spam document available from the SEG Documentation page (requires customer login).
MM-5793 Re-packing of a message could be unnecessarily triggered by the Blended Threat functionality if all URLs found were exempt from re-writing. Fixed.
MM-5807 The SpamProfiler executables have been updated.
MM-5808 Changes in TLS configuration are now applied to messages in the Sender retry queue.
MM-5812 Email addresses with certain invalid domain formats could cause the Sender to stop. Fixed: the affected messages are deadlettered.
MM-5813 A REST API call is available to delete messages from all queues based on search criteria.
MM-5826 Notification messages created by rule action are now identified by message name in the service logs.
MM-5829 If a CAB file contained a single file, the extracted file was incorrectly named. Fixed.
MM-5835 Category Script evaluation can now be used to check values in the headers of a message. For more details see the Advanced Anti-Spam document available from the SEG Documentation page (requires customer login).
MM-5836 Checking of free disk space has been made more efficient to avoid possible issues with slow disk access.
MM-5844 Category Script evaluation can now check for domain similarity (to enhance fraud detection). For more details see the Advanced Anti-Spam document available from the SEG Documentation page (requires customer login).

7.5.7.9061 (October 4, 2016)

MM-5521 For SEG Service Provider Edition installations, the SMTP relay denied response did not include any details of the source IP or recipient. Fixed.
MM-5524 Additional functions required for BTM rewriting have been moved to the file retrieved through automatic updates, to better support automatic updating.
MM-5541 For SEG Service Provider Edition installations, IP Relay source matching could function incorrectly where ranges entered by multiple customers and the Service Provider overlapped. Fixed.
MM-5548 For SEG Service Provider Edition installations, Marshal IP Reputation Service unlicensed notifications could be sent in error. Fixed.
MM-5568 The SEG Engine now reports "starting" for a longer period to reduce misleading "failed to start" reports from other services on slow systems.
MM-5599 BTM rewriting was unnecessarily rewriting links in signed messages, resulting in deadletters. Fixed.
MM-5609 The Engine could fail to restart because anti-virus DLLs did not exit completely before reporting as stopped to the Service Control Manager. Fixed.
MM-5610 For SEG Service Provider Edition installations, SpamProfiler now ignores certain checks for messages between SPE customers.
MM-5620 The OpenSSL library that SEG uses has been updated to version 1.0.2h.
MM-5622 The customized version of 7zip (archive unpacker) included with SEG has been updated to support newer decompression methods (version 16.02).
MM-5630 User group membership could be incorrectly updated (members could be missing) if an error occurred while refreshing a sub-group. Fixed.
MM-5640 For SEG Service Provider Edition installations, in certain cases IP based relay restrictions were not applied. Fixed.

7.5.6.8438 (May 31, 2016)

MM-5271 Proxy port entry for internet access allowed only four digits. Fixed: five digits are allowed.
MM-5274 CRL distribution points were not extracted from certificates with v3 extensions. Fixed.
MM-5277 Suspect URL detection did not correctly normalize some URLs before querying the service. Fixed.
MM-5278 TextCensor memory usage has been improved.
MM-5390 In release 7.5.5, top-level message attachments were not scanned by TextCensor. Fixed.
MM-5391 The list of event sources shown in the Console Event Viewer has been updated with the current malware scanners.
MM-5392 Certain malformed RTF message bodies caused the engine to stop. Fixed.
MM-5399 Text log files are better formatted for 5 digit thread IDs.
MM-5400 The customized version of 7zip (archive unpacker) included with SEG has been updated to address recently reported vulnerabilities in 7zip.
MM-5404 The SEG product version is no longer present in the SMTP greeting string by default.
MM-5405 TextCensor evaluation is no longer single-threaded.

7.5.5.8150 (March 3, 2016)

MM-5195 In recent releases, the message viewer did not provide information about message components for delivered messages. Fixed: this information is retrieved from the database if a full message file is not present on disk.
MM-5196 If a message was marked temporarily undeliverable during a configuration reload, it would not be retried until the Sender was restarted. Fixed.
MM-5198 Whitespace at the start or end of plain text message stamps is no longer trimmed when edited and saved. Blank lines can be added for formatting.
MM-5208 TextCensor now does not check sub-components when the parent has already been scanned or excepted from scanning.
MM-5209 Attempts to retrieve CRLs from a location that could not be reached caused the Controller to stop. Fixed.
MM-5210 In previous 7.5 releases, Libcurl did not correctly process gzip encoded web responses. Fixed. In addition, the version of libcurl included with the product is updated to 7.46.0.
MM-5211 The header Reply-To field is now available as a template variable {Header-Reply-To}. The message return path is used if Reply-To is not set.
MM-5212 The OpenSSL library that SEG uses has been updated to version 1.0.1q.
MM-5218 Signing of executable files now uses a SHA256 certificate.
MM-5220 YAE scripts now support the Hash function of Yara.
MM-5238 The SpamProfiler integration SDK has been upgraded.
MM-5240 For SEG Service Provider Edition installations, RBL license notification emails are not sent if the installation is not licensed.
MM-5242 Uninstallation of the SQM site did not de-register the interface DLL. Fixed.
MM-5247 Logging of quarantine release actions to the service text logs has been improved.
MM-5251 For new installations, the Malware - AMAX folder is included in the virus reporting group.

7.5.1.8064 (December 8, 2015)

MM-5200 In release 7.5.0, reporting a message as spam or not spam caused the Controller service to stop. Fixed.

7.5.0.8055 (November 24, 2015)

MM-4251 SEG now corrects headers that violate the RFC limit of 998 characters, "folding" the header onto multiple lines by default.
MM-4726 File name checking could fail for very long MIME encoded file names. Fixed.
MM-4727 Improved decoding of MIME Encoded-Word content has been implemented for message subject display (digests and console), Header Rewrite, and filename rules.
MM-4832 Multi-line content-disposition headers were not extracted correctly, so attachments with long file names might be incorrectly filtered. Fixed.
MM-4883 Libcurl is updated to use Visual Studio 2013.
MM-4909 Additional file types have been added to support anti-spam scanning. These types are not currently selectable in rules.
MM-4961 The default name of the product database for new installations is now TrustwaveSEG. Upgrading does not alter the database name.
MM-4999 A setting is available to control acceptance of multiple HELO commands within a session. For details of this advanced option, contact Trustwave Support.
MM-5038 For SEG Service Provider Edition installations, the From address for spam and not spam reports can be set as required.
MM-5049 Long-running Receiver threads could incorrectly log a low data transfer rate. Fixed.
MM-5054 URL rewriting for BTM incorrectly treated text with two consecutive dots as a URL if the text after the dots was a valid TLD. Fixed.
MM-5065 When a user selects SpamProfiler options with potential for higher false positives in the Configurator, an extra confirmation message is presented.
MM-5069 Default message template text and From addresses (for new installations) have been branded for Trustwave.
MM-5077 Some URLs containing escaped characters were not rewritten for Blended Threats inspection. Fixed.
MM-5085 Image Analyzer has been updated to version 6. This version offers 30%-60% fewer false positives for the same level of detection, depending on the sensitivity setting.
MM-5115 The OpenSSL library that SEG uses has been updated to version 1.0.1p.
MM-5124 A small memory cleanup issue in the Array Manager has been corrected.
MM-5135 The default Scams TextCensor Script is updated for new installations.
MM-5164 A new YAE based rule to detect malformed PDF documents is included on new installations and in the Upgrade Rules policy group for upgrades.
MM-5173 The version of libcurl included with the product is updated to 7.44.0.

7.3.6.7949 (September 10, 2015)

MM-5141 The Engine and Array Manager are now able to access up to 4GB of memory on a 64 bit system. Larger rulesets can be loaded without issues and performance enhancement is expected.
MM-5143 The version of Libtet (PDF unpacking) that is included in the installation has been updated to 4.4.0.8.
MM-5144 URL rewriting for BTM incorrectly treated some inline CSS declarations as URLs. Fixed.
MM-5145 Deletion of unpacked files with certain filenames could fail. Addressed by re-trying the deletion with no string parsing of the file name.

7.3.5.7612 (April 21, 2015)

MM-3499 Configuration import could fail due to incorrect case-sensitive comparison of user group members. Fixed.
MM-3509 Active Directory authentication for SQM failed for users with a text name containing [ ] characters. Fixed.
MM-4709 TLS can now be configured with specific lists of cipher suites, overriding the generic selections. For details of this advanced option, contact Trustwave Support.
MM-4823 A problem with group synchronization in the Controller could cause the Receiver to stop processing messages. Fixed.
MM-4837 Clean installations no longer install MSXML4.
MM-4857 The Receiver now supports ECDHE key exchange for PFS (TLS "Perfect Forward Secrecy").
MM-4862 Some utility files such as TextCensor2 DLLs might not be correctly updated on upgrade. Fixed: upgrade checks file version numbers instead of creation dates.
MM-4863 Links enclosed in round brackets and rewritten by the Blended Threats function incorrectly included the trailing round bracket in the rewritten link. Fixed.
MM-4864 For SEG Service Provider Edition installations, relay source checking was not limited to specific customer domains. Fixed.
MM-4866 Cleanup of OpenSSL sessions has been improved.
MM-4867 Service executable paths were not quoted. Fixed.
MM-4869 Notification messages created by the Engine are now DKIM signed if required.
MM-4872 TLS now disables SSLv3 by default as per recent security best practice.
MM-4873 TLS cipher lists now exclude Anonymous, MD5, RC4, and IDEA ciphers as per recent security best practice.
MM-4874 Text logging includes better thread information.
MM-4876 The FileType DLL is now replaceable through the automatic update process.
MM-4880 The OpenSSL DLLs are now replaceable through the automatic update process.
MM-4892 UUEncoded streams in the message body could be altered by the Blended Threats function. Fixed.
MM-4911 DKIM signing failed in some cases for email with headers longer than 2048 bytes. Fixed.
MM-4930 The version of Libtet (PDF unpacking) that is included in the installation has been updated to 4.4.0.1.
MM-4932 By default "bare" CR or LF characters in messages are changed to CRLF.
MM-4933 For SEG Service Provider Edition installations, some earlier versions allowed an incorrect entry of a hostname as the "forward to IP." Fixed: On upgrade the configuration is corrected to use these entries as hostnames.
MM-4935 Additional indexing is performed on the Message table in the database to enhance performance.
MM-4944 For SEG Service Provider Edition installations, SpamProfiler could apply the wrong direction for scanning. Fixed.
MM-4945 The Controller log now records DNS query responses that took over 1 second.
MM-4948 DKIM signing and verification incorrectly ignored whitespace at the top of the message body in text-only messages. Fixed.
MM-4951 Slow DNS responses could cause the Receiver to stop accepting messages. Addressed with changes to the process that updates lists of anti-relay and blocked hosts.
MM-4952 The version of libcurl included with the product is updated to 7.41.0.
MM-4960 SpamProfiler "valid bulk" classifications were not triggered due to unexpected format in data returned by SpamProfiler. Fixed.
MM-4965 URLCensor could perform unnecessary checks for incorrect URLs. Fixed.
MM-4968 SpamProfiler uses the same criteria for "inbound" and "outbound" messages that are used for other processing.
MM-4969 Full information about TLS negotiation is saved in the local message envelope.
MM-4979 Logging of DoS, DHA, relay, and other Receiver block events to the Event Log can be suppressed. For more information, see Trustwave Knowledge Base article Q20228.
MM-4988 SpamProfiler responses were slow if IPv6 was enabled on the server. Fixed. The processing nodes MUST have a loopback adapter listening on the default IPv4 loopback address 127.0.0.1.
MM-4990 SpamProfiler responses were slow due to settings applied to the HTTP connection with the local SpamProfiler process. Fixed.
MM-5001 For SEG Service Provider Edition installations, Customer ID was not correctly determined for some Out Of Office messages. Fixed.
MM-5002 Blended Threats rewriting of subject lines added a space to the line. Fixed.
MM-5028 The OpenSSL library that SEG uses has been updated to version 1.0.1m.

7.3.0.7277 (October 10, 2014)

MM-3597 The last lines of the Receiver log were not captured into the message envelope as expected. Fixed.
MM-4514 Email notifications are sent to the SEG Administrator from the local server when maintenance is about to expire or has expired.
MM-4591 The file extension .cpl has been added to the default Suspect Attachments rules.
MM-4628 File components that do not trigger a rule condition now do not add a line in text logs by default.
MM-4629 Visual C++ 2013 redistributables are now included in the installation.
MM-4674 The "monitor only" installation option and policy group have been removed.
MM-4706 DNS results were truncated if they exceeded the UDP packet size (notably when a large number of PTR records existed). Fixed by enabling EDNS0 in the DNS resolver.
MM-4710 Unpacking of XML based Excel documents now gets text from additional tags.
MM-4711 Unpacking of XML based Office Documents uses a simpler and more efficient parser.
MM-4723 Extracted binary unknown files could cause the engine to stop in TextCensor2 analysis due to improper formatting of extracted filenames. Fixed.
MM-4725 Moving or inserting User Groups by drag and drop now prompts for confirmation by default.
MM-4727 Better support for decoding Quoted Printable strings is provided.
MM-4729 For SEG Service Provider Edition installations, group information is loaded more efficiently.
MM-4731 Deleting User Groups now prompts for confirmation by default (in addition to the check for groups used in policy).
MM-4748 The OpenSSL library that SEG uses has been updated to version 1.0.1i.
MM-4753 Calls to TextCensor2 did not correctly handle the case where the requested file could not be opened. Fixed.
MM-4760 The default theme of SQM has been updated to a Trustwave branded theme.
MM-4764 The Array Manager could encounter a database deadlock when manipulating folder records. Fixed.
MM-4766 If a message file was manually deleted from the queue, the sender service could become unresponsive. Fixed.
MM-4767 When releasing a message through a digest link, a text note about adding the sender to safe senders was displayed in error. Fixed.
MM-4773 Default values for suspicious compression and max header lines have been updated to reflect current email sizes. Additional unpacking space could be required. See Trustwave Knowledge Base articles Q10868 and Q11369.
MM-4774 Links with query parameters could be invalidated when processed by a Blended Threats rewriting rule. Fixed.
MM-4781 Utility DLL files used by TextCensor have been reverted to the version installed with SEG 7.2.2.
MM-4786 The product End User License Agreement has been updated.
MM-4789 The storage location for automatic configuration backups can be set. See Trustwave Knowledge Base article Q19556.
MM-4795 SMTP Authentication failed with some remote systems due to incorrectly encoded strings. Fixed.
MM-4797 TLS Certificate verification in Connection rules did not work when SMTP Authentication was enabled. Fixed.
MM-4799 When adding a new node to an array, the node controller service could fail on startup, due to a problem with IP whitelist retrieval. Fixed.
MM-4821 A record of the creation and last modification of rules and policies (by user and time) is now stored in the Registry.
MM-4834 Messages with malformed headers containing bare linefeeds could cause the Receiver to fail in some cases. Fixed.

To review Release History prior to version 7.3.0, please see the Release Notes for the specific versions.

Legal Notice

Copyright © 2018 Trustwave Holdings, Inc.

All rights reserved. This document is protected by copyright and any distribution, reproduction, copying, or decompilation is strictly prohibited without the prior written consent of Trustwave. No part of this document may be reproduced in any form or by any means without the prior written authorization of Trustwave. While every precaution has been taken in the preparation of this document, Trustwave assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

While the authors have used their best efforts in preparing this document, they make no representation or warranties with respect to the accuracy or completeness of the contents of this document and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the author nor Trustwave shall be liable for any loss of profit or any commercial damages, including but not limited to direct, indirect, special, incidental, consequential, or other damages.

Trademarks

Trustwave and the Trustwave logo are trademarks of Trustwave. Such trademarks shall not be used, copied, or disseminated in any manner without the prior written permission of Trustwave.
