WebMarshal 7.4 Release Notes

Last Revision: February 03, 2021

These notes are additional to the WebMarshal User Guide and supersede information supplied in that Guide.

The information in this document is current as of the date of publication. To check for any later information, please see Trustwave Knowledge Base article Q21117.

Table of Contents

New Features
System Requirements
Upgrade Instructions
Release History

New Features

For more information about additional minor features and bug fixes, see the release history.

Features New in 7.4.5

Brotli compression support
WebMarshal supports decompression and compression of web requests using the Brotli compression format.
Header Matching
WebMarshal provides a rule condition to match or compare HTTP headers.

Features New in 7.4.1

Google Web Risk support
WebMarshal implements use of the Google Web Risk API as a scan engine.

Features and Changes in 7.4

Syslog Support
WebMarshal can deliver traffic logging to a Syslog server from processing nodes. See Trustwave Knowledge Base article Q21116.
Google Safe Browsing support disabled
The plug-in for Google Safe Browsing support is disabled due to a change in Google Terms of Service. For more information, see Trustwave Knowledge Base article Q21118. Trustwave plans to provide access to Google threat data through the Web Risk API in a future release.

Features New in 7.3.1

Improved Performance and Scalability
 Default settings are updated to take advantage of the performance gains available with 64 bit systems. Enhanced threading also improves performance.

Features New in 7.3

Supports TLS 1.3
WebMarshal client and server connections and rules support TLS 1.3.

Features New in 7.2

Header Rewrite
WebMarshal allows you to add or update one or more request headers with a Standard Rule action.
WebSockets Content Inspection
WebMarshal allows you to inspect content in a WebSockets connection.

Features New in 7.1

Google Safe Browsing support
WebMarshal implements Safe Browsing as a scan engine (similar to TRACEnet).
WebSockets support
WebMarshal supports proxying  of the WebSockets protocol with Connection Rules. Inspection of WebSockets content is not available in this version.
Additional Categories in Trustwave Web Filter Database
The WFDB now includes additional categories "Downloads", "Violence", and "Translation Services".
Additional Wildcards in FileFilter
FileFilter now accepts the * wildcard at the beginning and/or end of the domain part, in addition to the previous stemming behavior.
SSL Improvements
WebMarshal supports Elliptic Curve key exchange and enforces the strongest available cipher for SSL connections from clients.

Features New in 7.0

Native 64-Bit Architecture
All services are now compiled as 64-bit applications. Malware scanner plug-ins are also provided in 64-bit versions.
Full IPv6 Support
IPv6 addresses can be used in all product settings and filtering.
Enhancements to file typing and unpacking
The file type and unpacking functions have been extended. The functionality can be updated automatically.
Enhancements to TextCensor
TextCensor now supports regular expressions.
Enhancements to URL Categories
URLs in categories and FileFilter can now match on querystring text

Features New in 6.12

Large Address Aware
The Engine, Controller, and Array Manager are now able to access up to 4GB of memory on a 64 bit system. Performance enhancement is expected (assuming adequate memory is available).
Supports Bitdefender for Marshal
The Bitdefender for Marshal malware scanner is included in the product installer and supported by the automatically generated trial key.
URL Category Entries for Individual Files
WebMarshal URL Categories and FileFilter entries can now include a specific file name as well as a folder path.
Supports checking of certificate revocation
WebMarshal HTTPS rules can now validate the revocation status of the certificate presented by a web server. For more information, see Trustwave Knowledge Base article Q20605.
Supports use of SQL Server 2014 and SQL Express 2014 for database logging
WebMarshal has been validated with these database engines.

Features New in 6.11

Supports TLS 1.1 and TLS 1.2
When HTTPS Content Inspection is enabled, these versions of TLS are used to negotiate connections by default, and can be selected in rule conditions.
SSLv2 and SSLv3 outbound connections blocked by default
When HTTPS Content Inspection is enabled, connections that use these versions of SSL protocol are blocked by default regardless of rule conditions. To configure the list of SSL and TLS protocols that will be negotiated and allowed, see Trustwave Knowledge Base article Q20067.
Optional unpacking limits
A new setting allows you to bypass unpacking for files larger than a specified size in specified URL categories.

Earlier Feature Enhancements

To review earlier feature enhancement history, see the release notes for earlier WebMarshal versions, available through the Trustwave Knowledge Base.

System Requirements

Hardware required is dependent on the number of concurrent web users and the rules in use. Use of Filtering Lists improves performance. Heavy use of TextCensor decreases performance. Be prepared to adjust specification as required.

Typically a computer with the following specifications is adequate as a processing server for 250-500 concurrent users.

WebMarshal Array Manager, processing servers, and Console require the following software:

Note: Install Windows using the English language version.

Upgrade Instructions

Upgrade from 7.X is a standard in-place upgrade. Upgrade/migration from 6.X uninstalls the 32-bit software and installs the 64-bit software.

To upgrade from a WebMarshal 6.11 or later release, run the product installer on each server where WebMarshal components are installed (including the Array Manager, and any additional processing node servers and Console installations). 

To upgrade from versions prior to 6.11, you must first upgrade to at least 6.11.0.

See the upgrade notes below for version-specific information. For upgrade notes relating to versions prior to 6.11, please see earlier Release Note documents available through the Trustwave Knowledge Base.

Upgrade Notes

For upgrade notes relating to versions prior to 6.11, please see earlier Release Note documents available on the Trustwave website.


WebMarshal can be installed in a variety of scenarios. For full information on uninstalling WebMarshal from a production environment, see the WebMarshal User Guide.

To uninstall a trial installation on a single computer:

  1. Close the WebMarshal applications including the Console and Reports on all workstations.
  2. On the WebMarshal server(s), use the Windows Add/Remove Programs control panel to remove WebMarshal.
  3. If you selected a location outside the WebMarshal install folder for files created by WebMarshal (such as Proxy Cache or Configuration Backup), the uninstallation will not remove the files. Delete these files manually if required.
  4. On any other workstations where WebMarshal components were installed, use the Windows Add/Remove Programs control panel to remove them. These components can include WebMarshal console software and older versions of WebMarshal Reports.
  5. You can drop the WebMarshal database from the SQL server by using the SQL Express administration tools.

Release History

The following additional items have been changed or updated in the specific build versions of WebMarshal listed.

7.4.5 (February 03, 2021

WM-5344 The Remote Console (ClickOnce) did not work on client systems with UAC enabled. Fixed.
WM-5510 In release 7.2.0 and above, IP authentication did not work under HTTPS for entries manually created by computer name. Fixed.
WM-5542 Blocked Upload requests were not logged. Fixed.
WM-5676 Brotli compression is supported.
WM-5677 Header Matching and comparison are supported as rule conditions.
WM-5683 Configuration was committed each time the WebMarshal Console was opened. Fixed.
WM-5685 WebMarshal did not correctly validate a HTTPS certificate chain when the original root certificate was expired but another valid chain existed. Fixed.
WM-5686 The policy tester did not work for uploads. Fixed.
WM-5703 A possible memory leak related to certificate handling was identified. Fixed.
WM-5704 When no trusted certificate chain was available, the WebMarshal block page was not served. Fixed.
WM-5705 Ajax requests with very large content in response headers failed. This issue is addressed with an increase in default permitted header size and ability to set allowed header size over all components.
WM-5715 Validation of certificate chains is improved using additional OpenSSL functionality.

7.4.1 (February 4, 2020)

WM-5602 The version of Libtet (PDF unpacking) included in the install is updated.
WM-5635 The Google Safe Browsing Scan Engine plug-in is removed. The Google Web Risk Scan-Engine plug-in is added.

7.4.0 (November 19, 2019)

WM-5499 In earlier 7.X releases, console connections required the permission "Modify Policy". Fixed: the minimum permissions required are "Console Connect" and "View Policy"
WM-5522 In earlier 7.X releases, adding many URLs to a category concurrently could cause the Controller service to stop. Fixed.
WM-5538 Where no virus scanners were present, the Engine could fail to start due to an uninitialized value. Fixed.

7.3.2 (July 4, 2019)

WM-5511 In release 7.3.1 when upgraded from a previous version, the Engine could encounter failures in the Scan Engine plugins. Fixed.
WM-5518  Traffic Logging now includes the IP address of the remote server or chained proxy (in WELF format, "dst="; in W3C format, "r-ip").
WM-5519  On a very busy processing system, random file generation for temporary files could fail. Fixed: more attempts and a longer file name format are used.

7.3.1 (May 14, 2019)

WM-5500 Filtering performance and scalability is significantly improved with an update to the Controller and new default settings.

7.3.0 (January 29, 2019)

WM-5477 WebMarshal supports TLS 1.3.

7.2.0 (December 18, 2018)

WM-5207 The WebMarshal HTTPS certificate was not saved when HTTPS inspection was not enabled. Fixed.
WM-5348 On upgrade WebMarshal replaces the TextCensor DLL with the copy from the install package.
WM-5357 Checking of OCSP stapled validity replies did not check the expiry time. Fixed.
WM-5360 Traffic Logging now includes the Bytes Sent (in WELF format, "Sent="; in W3C format, "cs-bytes").
WM-5365 File paths longer than 255 characters were not correctly decoded in some cases. Fixed.
WM-5375 In release 7.1.0, the Engine could fail to start after upgrade if the default URL category "[Exclude from HTTPS inspection]" did not exist. Fixed.
WM-5379 Logging of missing policy elements in the configuration file is improved.
WM-5401 The version of TextCensor that is included in the installation has been updated for improved reliability and performance. Features are not changed.
WM-5417 The version of Libtet (PDF unpacking) that is included in the installation has been updated.
WM-5418 Some third party modules did not correctly handle files when the file name ended with a space or fullstop. Fixed.
WM-5455 Matching of SAN entries in certificates was case sensitive, causing validation failure in rare cases. Fixed.
WM-5458 The warning message "Token position data not available" has been removed from TextCensor test results and log entries. This event does not affect TextCensor results.
WM-5473 In earlier 7.X releases, installation of the Visual C++ 2015 runtime returned an error if Visual C++ 2017 was already installed. Fixed: Visual C++ 2017 is recognized as a valid runtime version.

7.1.0 (June 20, 2018)

WM-3758 In the Server Tool, stopping or restarting the Proxy service affected all services. Fixed.
WM-4978 SSL certificate checking could incorrectly cache session state when sites shared an IP address and port using SNI. Fixed.
WM-5007 Caching failed to create folders for top level domains shorter than three characters. Fixed.
WM-5105 SSL negotiation was not retried where SSL could not be negotiated due to timeouts. Fixed.
WM-5195 The Proxy service could stop responding if Proxy Cache log files could not be created. Fixed.
WM-5215 Trustwave domains are added to the default Business Related URL category on new installations.
WM-5234 Computer accounts can be imported from Active Directory. For details of the setting to enable this functionality, see Trustwave Knowledgebase article Q20103.
WM-5248 Requesting URLCensor categorization of URLs over 256 characters in length returned an error. Fixed.
WM-5302 Proxy thread cleanup logic has been improved.
WM-5304 Obsolete server certificate keys have been removed from the installation.
WM-5316 A new default rule is created to exclude URLs in the "[Exclude from HTTPS inspection]" category from HTTPS inspection.
WM-5338 WebMarshal can use the MSOLEDBSQL database driver to allow connection to SQL servers that require TLSv1.2 connections. For more information, see Trustwave Knowledge Base article Q21019.
WM-5339 The version of Libtet (PDF unpacking) that is included in the installation has been updated.
WM-5340 The version of the TextCensor processor that is included in the installation has been updated to improve performance. Script functionality is not changed.
WM-5341 In earlier 7.X versions, the Array Manager stopped unexpectedly when refreshing groups from the NT Connector. Fixed.
WM-5345 The customized version of 7zip (archive unpacker) included with WebMarshal has been updated to address known vulnerabilities.
WM-5346 WebMarshal automatic updates now include the 7-zip archive unpacker.
WM-5349 WebMarshal now supports Elliptic Curve key exchange for SSL connections from clients.
WM-5351 WebMarshal now enforces the strongest available cipher for SSL connections from clients.
WM-5352 In earlier 7.X releases, it was not possible to connect to the database using a machine name or "localhost". Fixed.
WM-5355 In earlier 7.X releases, certain OCSP responses caused the Proxy to stop unexpectedly. Fixed.

Note: To review change history for earlier versions, please see the Release Notes for the specific version of WebMarshal. All Release Notes are available through the Trustwave Knowledge Base.

Legal Notice

Copyright © 2021 Trustwave Holdings, Inc.

All rights reserved. This document is protected by copyright and any distribution, reproduction, copying, or decompilation is strictly prohibited without the prior written consent of Trustwave. No part of this document may be reproduced in any form or by any means without the prior written authorization of Trustwave. While every precaution has been taken in the preparation of this document, Trustwave assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

While the authors have used their best efforts in preparing this document, they make no representation or warranties with respect to the accuracy or completeness of the contents of this document and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the author nor Trustwave shall be liable for any loss of profit or any commercial damages, including but not limited to direct, indirect, special, incidental, consequential, or other damages.


Trustwave and the Trustwave logo are trademarks of Trustwave. Such trademarks shall not be used, copied, or disseminated in any manner without the prior written permission of Trustwave.

About Trustwave®

Trustwave helps businesses fight cybercrime, protect data and reduce security risk. With cloud and managed security services, integrated technologies and a team of security experts, ethical hackers and researchers, Trustwave enables businesses to transform the way they manage their information security and compliance programs. More than three million businesses are enrolled in the Trustwave TrustKeeper® cloud platform, through which Trustwave delivers automated, efficient and cost-effective threat, vulnerability and compliance management. Trustwave is headquartered in Chicago, with customers in 96 countries. For more information about Trustwave, visit https://www.trustwave.com.