Libraesva ESG v4.7: Release Notes

Changes in v4.7.12 (Apr 12, 2021)

Security

  • Undisclosed security fix (thanks to Daniele Barattieri – Ethical Security for the responsible disclosure)

Changes in v4.7.11 (Jul 17)

Bug Fixes

  • Office 365 User Import: fix memory allocation during import
  • User Import: fix import when usernames contain special or non-printable characters

Improvements

  • Added Reboot button after “System Resources” changes

Changes in v4.7.10 (Jul 7)

Security

  • Fix SQL injections in Report page

Bug Fixes

  • Distributed Setup: fixed push of SMTP Policy Quota configurations

Changes in v4.7.9 (May 12)

Security

  • URLSand replacement of URLs in the text part has been heavily optimized (at least 10x faster)
  • Quicksand recognises a new branch of XML macros

Improvements

  • Improved UI for Authentication results protocols in messages details (i.e. SPF, DKIM, DMARC, SMTP-Auth, Trusted networks)
  • Relay test improved to also test Dynamic verification
  • More efficient disaster-recovery procedure when the quarantine disk is full
  • Quarantine replica monitor will promptly notify the admin of anomalies
  • Improved whaling functionality description

Bug Fixes

  • Relay test honors the MX flag in configuration
  • Delivery of quarantine reports correctly handles email addresses with special characters (e.g. multiple @ signs)
  • Anti-spam optimizer supports rules with special/invalid UTF-8 sequences
  • Resolved an issue with rebalancing of the Adaptive Trust Engine which prevented some messages from being released
  • Summary report adds missing SMTP reject types (e.g. DNS Recipients)
  • Regression in report filtering by MCP has been resolved

Changes in v4.7.8 (Apr 21)

Security

  • Fix SQL Injection in Attachment Filters page (thanks to Eng. Basim Alabdullah for the responsible disclosure)
  • Intercept new branch of encrypted Microsoft documents
  • Quicksand integration with antispam is now able to block emails with encrypted documents
  • TLS policies are correctly saved for routes like [mail.srv.test]

Improvements

  • The “block email with blocked attachment” action can now be overridden for a single email relay
  • Submit as Good/Bad report includes JSON+LD data and uses the quarantine digest template
  • Added more logging and benchmark for Quarantine digest report
  • Balance upper limit for MTA processes on small systems

Bug Fixes

  • Fix duplicate license count with O365 when username and primary email address are different
  • API: restore backward compatibility for addLdapSet

Changes in v4.7.7 (Mar 19)

Security

  • Blocks IQY files by default
  • UI: Remove dangerous and superseded action “Delete ALL” from queue management
  • UI: authenticate user before serving image caches

Improvements

  • Notify user about the delayed reload of the license after upload
  • Improve web UI for mailbox usage page
  • Don’t notify minor cluster issues when auto-recovery is successful
  • API: added new filters subject, from and quarantined to message list call
  • Refactored many rsyslog messages, most notably QuickSand and Whaling
  • Remote support: new debug mode allows for deeper inspection of mail engine analysis

Bug Fixes

  • Report: fix saving and restoring when there are multiple filter conditions on the same datasets
  • Prevent PID file cleanup by spurious MailScanner service check
  • URLSand: avoid very long lines after HTML substitution
  • Remove spurious snmpd logging when outgoing queues are empty
  • Don’t overwrite Let’s Encrypt certificate when migrating to a wildcard certificate
  • Add benchmarks for quarantine reports in cron logs
  • Logwatch: add QuickSand, Whaling, TNEF and improve ClamAV and SpamAssassin
  • Licensing: only count the main address as mailbox in O365
  • API: properly initialize message properties for URLSand and Quicksand

Changes in v4.7.6 (Mar 10)

Security

  • Adaptive Trust Engine uses a per-domain history size, to increase security on MSP appliances
  • Bayes engine tracks the originating username in the audit log instead of the generic “system”
  • Uniform Bayes learning capabilities across domain admins
  • Autoban IPs attempting to brute-force O365 JWT authentication

Improvements

  • Adaptive Trust Engine learns known senders from release actions
  • Log all fail2ban actions in remote syslog
  • Faster dashboard loading time for cluster and queue status
  • Improve ESG self-updating script to be more responsive when handling incident response

Bug Fixes

  • Properly configure OEM antivirus after license change
  • Recover Let’s Encrypt certificate renewal under some configurations
  • Use simpler (and slower) LDAP queries for LDAP “OTHER” types, to increase compatibility
  • Prevent configuration errors when all TLS policies are removed

Changes in v4.7.5 (Mar 3)

Security

  • Quicksand intercepts a new category of autostart macro in Microsoft documents

Improvements

  • Use CIDR notation in SMTP Check Override
  • Distributed setup monitors all configuration changes in the web UI
  • Huge speed improvements in the Adaptive Trust Engine web UI (up to 90% faster)
  • LDAP/O365 import jobs only run on master nodes
  • O365 import uses parallel requests to improve import times

Bug Fixes

  • Recover ability to disable the Graymail plugin
  • Avoid slow replication on huge valid-recipients imports
  • Distributed setup monitor properly shows queue out values
  • Distributed setup monitor shows a UI indication on successful propagation
  • Correctly restore rsyslog configuration in distributed setup
  • Disable automatic start of Account Takeover Protection if included in license
  • Prevent duplicate domains in SPF exceptions

Changes in v4.7.4 (Feb 21)

Security

  • Domain admins cannot release potentially spoofed email (i.e. sent from their own domain but from an untrusted source)
  • Manual Bayes learning actions from the UI require admin level
  • Introduce a timeout in Quicksand pre-analysis
  • Hide scheduled reports from read-only administrators

Features

  • New user type: Quarantine Admin
  • New user type: Read-only Multi-domain Admin
  • New user type: Quarantine Multi-domain Admin
  • New user type: Quarantine Domain Admin

Improvements

  • Speedup Quicksand analysis of macros
  • Speedup Quicksand analysis of PDF with many links
  • Submit as Bad/Good cannot be made by read-only administrators
  • Hide unauthorized actions in message detail page
  • Add more detail to quarantine test page
  • Allow quarantine digest for read-only administrators
  • Reduce default number of engine cores to 2 * n-CPU
  • Enable O365 groups synchronization
  • Reduce logging of SNMPd sent via rsyslog
  • Default date range in the search page is a day or a week depending on database size

Bug Fixes

  • Prevent SQL syntax errors in user manager page
  • Limit TLS logging to normal or verbose level
  • Message recall from Exchange 2010 SP3 no longer returns XML validation error
  • Disable VM-resize of Libraesva cloud appliances
  • Don’t show “already released” warning on first release action
  • Validate hostname with numbers in First Install Wizard
  • License count doesn’t fail on duplicate UTF-8 records

Changes in v4.7.3 (Feb 12)

Security

  • Fix ownership check of whitelist and blacklist when SafeLearn is enabled
  • Prevent named anchors in email from triggering URLSand warnings

Improvements

  • Show a friendlier message when login is rejected because of an unauthorized login network
  • Allow setting quarantine enabled in bulk digest option changes
  • List mail in the active queue as outgoing
  • More reliable text import of valid recipients
  • Bayes engine changes are applied in batches and at nice priority
  • Remote support is kept up on reboot, unless stopped by the WebUI
  • Remove dangerous “delete all” option from valid recipient list text import
  • Pause Incoming Mail exception for 127.0.0.1
  • Properly log dictionary rules as such (not as generic MCP)

Bug Fixes

  • Fix delete message in Email Continuity
  • Check-service scripts use a locking mechanism
  • Fix output results on the WebUI and properly log the user
  • EWS: removed check limiting to one TR connector per domain
  • Properly check FQDN hostname in wizard
  • Remote support connection not working in some circumstances
  • Cleanup temporary data after FTP backup
  • API addLdapSet – align mandatory params with WebUI
  • UI: Hint for default External Warning exceptions

Changes in v4.7.2 (Feb 6)

Security

  • Phishing highlight uses the faster Libraesva CDN
  • Intercept new macro malware variant as suspicious in Quicksand
  • Disable insecure TLSv1 and TLSv1.1 on HTTPS

Improvements

  • Timeout for password reset reduced from 1 day to 1 hour
  • Improved auditing and internal logging for passwordless authentication
  • Add URLSand Whitelabel in Email Continuity

Bug Fixes

  • Workaround LDAP filters limitation on Domino servers to recover user import
  • Passwordless authentication preserves the target page on login
  • External Warning duplicate check
  • Fix “convert to attachment” spam action
  • Properly use quarantine host URL instead of hostname for some release links
  • Preserve user source from Check parameters in User Class setters
  • UI: dashboard memory gauge now is accurate even with fractions of GB
  • UI: minor fix javascript actions in detail pages for IE11
  • API: allow API login when password contains special chars
  • Deprecated user API: restore editing of whitelist and blacklist

Changes in v4.7.1 (Jan 23)

Security

  • Whaling Protection: handle non-standard From headers containing Whale-name in mixed case

Improvements

  • Asynchronous bayesian learn after message release from digest report
  • Better interface for Bounce messages in the Details page
  • Update Logwatch rules

Bug Fixes

  • License Count: properly ignore address of deleted domains
  • User Management: fixed bug in detection of duplicated usernames
  • User Management: column sorting by username restored
  • Whaling Protection: fixed bug in web UI that prevented new Whale creation
  • URLSand: fixed bug which prevented the service from being disabled

Changes in v4.7.0 (Jan 3)

Features

  • Adaptive Trust Engine: analyze sender/recipient trust and relationship
  • User Management: Support Read-Only administrator and domain administrator
  • Impersonation Protection: new “External Warning” banner to identify external first time senders
  • Cofense (PhishMe) Triage integration: submissions of false positives and false negatives will auto-train the engine
  • Outlook Add-In: completely rewritten, available as a native Microsoft Add-In
  • Outlook Add-In: toolbar button to directly submit false negatives to Esvalabs
  • Mobile App: completely rewritten, available for iOS and Android, added Email Continuity
  • Email Continuity: URLSand protection is active for each shown email
  • Email Continuity: allow sending of new email
  • Email Continuity: full scan of email generated on the WebUI
  • URLSand: support for white-labelling of scan pages (license needed)
  • LDAP configuration: main address used for quarantine report and licensing is now freely configurable
  • Email notification: new HTML templates for many automated notifications (license, services status, …)
  • Account Takeover Protection: new “Access Control” policies allow more fine-grained sender/recipient rejection policy
  • New Remote Support: give feedback on connection enabled, and allow for connection on port other than 25
  • Hyper-V: automatic updates of guest tools
  • SNMP: in cluster environment, allow for distinct configuration on each node

Security

  • New authentication and authorization system, with support for fine-grained capabilities and roles
  • Login: CSRF protection on all logins
  • Password Recovery: integrate with passwordless authentication when applicable
  • Password Recovery: use a one-time password for recovery
  • Passwordless Authentication: rewritten to seamlessly integrate in the WebUI
  • Passwordless Authentication: only use HTTPS to increase security
  • Transport Layer Security: Let’s Encrypt auto-renewing certificate can now also be used for SMTPS
  • DNS: primary DNS is no longer editable, to avoid a common misconfiguration which results in severe security issues
  • Antispam Engine: spam check can now be applied to the whole email, honoring MTA limits in all circumstances
  • Quicksand: dangerous emails can now be flagged as infections to prevent accidental release by users
  • Libraesva Update: new distribution system, which supports transactions and CDN deployments
  • Quicksand: maintain distinct categorization for ZIP archives and contained sanitized PDF.
  • WebUI: separate session for HTTP and HTTPS to improve cookie security
  • URLSand: refactored code to support replacements of all text-links in HTML
  • Attachment Filters: blocks many new extensions by default (e.g. crt, perl, python, …)
  • User interface: user capabilities on a message are checked for every action in quarantine and WebUI
  • Recall action now shows whether the user has read the email before it was recalled

Improvements

  • DKIM: allow to export public keys
  • Maillog viewer: allow downloading of previously rotated logs
  • SMTP Policy Quota: renamed to Account Takeover Protection for consistency
  • Impersonation Protection: incorporate “Whaling” protection and “Phishing Highlight”
  • HTTPS: automatically enable “force SSL” option after Let’s Encrypt certificate generation
  • Reports: allow filtering by Trusted source
  • Dashboard: new gauges show all system resources and usage
  • Dictionary: find triggered words in message details
  • Spam Report: find domains which trigger malware or graymail rules
  • HTTPS: show relevant certificate details
  • SMTP TLS: show all relevant certificate details
  • UI: modernize button styling
  • Dangerous Content Release Override removed (superseded by user capabilities)
  • Passwords: require that passwords are at least 8 characters
  • Advanced settings: full-whitelist can now be configured as “antivirus only”
  • Improved database performance and reliability of: whitelist, blacklists, user manager, geolocation, user tokens, quarantine delivered, first time senders.
  • License: use incremental counting to speed up nightly jobs
  • SPF: updated daemon to latest version and added diagnostic page spf.libraesva.com
  • New internal monitor for HTTPS service availability and recovery
  • Mail Encryption: sensitivity header detection is off by default
  • Message Details: added many rules descriptions
  • Message Details: highlight email received from trusted sources (network or SMTP-Auth)
  • Message Details: show whaling rule at top in spam reports
  • Message Details: add link to search attachments hash on VirusTotal
  • Message Details: improve mail details header
  • Message Details: shows signatures validation and notable headers
  • New quarantine disk monitor with better prevention of disk exhaustion
  • Whitelabel: remove Libraesva prefix from user pages
  • Whitelist/Blacklist: automatic initialization of “Check Only From Envelope” based on user context and permissions
  • Authentication test: clear output from authentication logs
  • Web UI: added templates for HTTP exceptions
  • API: searchMessage supports more types
  • API: add userId and/or email to ReleaseMsg

Bug fixes

  • Whitelist/blacklist: cleanup empty data from DB which may interfere with analysis
  • Attachment warnings: implemented workarounds for Apple Mail visualization bugs
  • Attachment Filters: allow longer filename extensions
  • Distributed Setup: fix DKIM keys permissions on replication
  • Domain import: initialize URLSand/QuickSand configuration
  • Score Normalization: fix counting of normalization history
  • Message Details: better highlight for GRBL and URI_DOMAIN rules
  • UI: refer to “Infection” instead of “Virus” where appropriate
  • Quarantine: permission monitor scans quarantine multiple times per hour
  • MTA advanced: myhostname validation makes sure that simple domain names are not used
  • Valid Recipient List: better cleanup and validation of email addresses
  • LogWatch: mail from and mail to are aligned with system preferences
  • Custom spam rules: prevent creating rules with invalid names
  • SMTP Auth: remove warnings about duplicate records
  • Rsyslog: increase rate limiting to prevent packet drops
  • SMTP Reject: properly log dynamic verification failures as recipient unknown
  • SMTP Reject: properly log some new SPF failures
  • Cluster monitor: when resetting make sure to flush all isolated hosts
  • Firewall Checks: add more return codes analysis to improve reliability
  • User import: honor white labelling in email template
  • SystemHealth: properly check for ClamAV signatures updates
  • URLSand: skip domains .local and .intranet
  • LocalRBL: removed debug logs
  • Branding: aligned the product name to Libraesva ESG
  • API: stabilization of getmaillog and getspamlog