The following core documentation set is available for Version 8.4.0. In addition, they can be opened from the Management Console by clicking :
Installation and Setup Guide:
Management Console Reference Guide:
Security Policies In-Depth: http://www.finjan.com/objects/manuals/8.4.0/SecurityPoliciesIn-Depth8.4.0.pdf
Version 8.4.0 can be installed either as an Update which upgrades a previous version or as a new installation. Both procedures are detailed below.
1) Update as in previous versions: Customers with 8.3.5 or 8.3.6 can upgrade to 8.4.0 by using the Install Update button or from a local update site (FTP). It is recommended to perform this update when no users are using the system. Update time can vary based on database content size. This update should take approximately 45 minutes for an All-In-One appliance; each Scanning Server update will take approximately 20 minutes of downtime. For more information on installing updates, please refer to the Management Console Reference Guide, page 131.
Recommended Update Procedure
If you are using an appliance with an All in One role, it is recommended to navigate to the Setup Console > Advanced Settings > Appliance Role and ensure that the appliance is set to the right role (either All in One or Policy Server) since earlier updates might have changed this setting. If the role is incorrect (e.g. Policy Server instead of All in One) you should reset it back before applying the new update.
Make a note of which ports you were using in Settings > Devices > Scanning Server > HTTP configuration screen > Restricted Ports in URI. Note that if you used any other ports besides 21, 80 and 443, you will need to remap these after installing this Update.
Configure the firewall to allow HTTPS connections from the Policy Server to the Scanning Servers by opening port 443 for outgoing traffic. (Optional: if this is not configured, HTTP will be used instead.)
On a distributed system with multiple devices, the update procedure will be executed only if all the devices in the device list are connected. This is in order to ensure that the procedure can be completed successfully. You can validate device connectivity and see the last connection time in the devices tree in Management Console > Settings > Devices. It is recommended to verify that all devices are connected to the Policy Server before beginning the update installation.
Install 8.4.0 using the Install Update button in the updates screen (Settings > Updates > Available Updates).
During the update installation, the Scanning Servers and Policy Server will be automatically restarted.
After installing the update, check in the Log View to ensure that the Update succeeded.
After the Update, make sure to look in the Log View and remap any of the non-standard ports that you noted previously in the HTTP configuration screen if necessary (please refer to feature #20958 below).
In order to access the Limited Shell, you should reset the Setup Console password, so that the password for the Limited Shell will be set accordingly. For details on how to reset the Setup Console password, please refer to the Installation and Setup Guide, page 76.
2) New installation for both existing customers and new customers. An Installation CD is available for 8.4.0.
Check in the BIOS that it is set to Boot from CD/Flash Device using USB2.0.
a. Navigate to Advanced BIOS features and press Enter.
b. Using the arrow keys and the Page Up/Page Down keys, select the required device to boot from (e.g., USB-CDROM).
c. To change the USB to 2.0, navigate backwards using the Escape key and select Integrated Peripherals.
d. Select Enabled on the USB2.0 Controller.
IMPORTANT! This release includes changes to the Default Security Policy, including new rules, new conditions, new condition items, and new rule order. Please look at the following sections below: Rule Condition Changes and MCRC Security Policy Changes.
After either the Update or the New Installation procedure, the appliance is running Security Update #52. Please retrieve and install the latest Security Update (Settings > Updates > Available Updates).
This feature allows the Vital Security NG Web Appliance to work in a transparent mode. This feature eases deployment in certain environments. For a detailed explanation of this feature and how to enable it, please refer to the Management Console Reference Guide, page 118.
The enhanced SNMP trap capabilities alert the administrator with just-in-time traps. SNMP traps enable an agent to notify the administrator of significant events by way of an unsolicited SNMP message. As a result, the administrator can react to these events immediately. For a detailed explanation of this feature and how to enable it, please refer to the Management Console Reference Guide, pages 103-104.
A Limited Shell has been added to the Vital Security appliance in addition to the existing Setup Console and Management Console. The shell enables monitoring and viewing system values via a serial or SSH connection. For a detailed explanation of this feature and how to enable it, please refer to the Installation and Setup Guide, Appendix B.
The Access List configuration screen enables increased port configuration abilities, which in turn tightens up the security of the appliance. All unused ports are closed, and you can prevent unauthorized client IPs from connecting to the Vital Security ports that must remain open. This feature is enabled via a new Scanning Server module and a new Policy Server module. Note that the Access List has been removed from the Setup Console. Before changing the device IP or appliance Role, or adding a device, make sure to disable the Access List first (via the Limited Shell). You can re-enable it after making the configuration change. For a detailed explanation of this feature and how to enable it, please refer to the Management Console Reference Guide, pages 125-126.
Spyware Blocking Information
With this enhancement, more information can be provided to both the administrator and the user on the blocked Spyware, such as its name and description. This appears in Page Blocked messages via a new Placeholder entitled Spyware_name, and also in the Components box in the Log View. For 8.4.0, you have to manually add the Spyware_name placeholder to the URA. This feature can be seen in the Block Known Spyware (CLSID) security rule. For more information, please refer to Security Policies In-Depth, pages 30-31.
An LDAP Servers screen has been added to the Users tab. For more information, please refer to the Management Console Reference Guide, pages 65-70.
Vital Security can identify two new types of archive files: TAR and BZ2.
Vital Security can now recognize packer files, i.e., files which have been compressed and merged with a decryption/loading stub which 'unpacks' the program before execution.
Support for Microsoft Office Macros
Support has been added for Microsoft Office documents containing macros via a new rule.
Syslog - Audit Logs Support
Audit logs can now be sent to Syslog. This can be enabled via the Management Console interface.
McAfee new scanning features (#1538)
The McAfee Anti-Virus engine can now be used to enable scanning of macros and to enable heuristics. These options will be enabled by default in this Release. For details on how to enable this feature, please refer to the Management Console Reference Guide, page 42.
Support for Winzip 9 and 10 for archives (#20385)
Vital Security can now support Winzip 9 and 10 archive handling. This does not support self-extracting archives.
Scanning Time Limit added to Kaspersky
As with McAfee and Sophos, you can now enter a time limit for the Kaspersky Anti-Virus engine.
New options added for not activating a Status Page (#19065)
New options have been added to the Settings > Miscellaneous > Status Page screen: Don't Activate on Extensions. The Finjan default extensions added are pdf and swf (Macromedia flash file format).
Support added for special characters when creating Lists (#20676)
When creating lists, you can now add characters such as <>, *, & and ".
Support for <Meta> tags in HTML (#20304)
Meta tags in HTML can now be detected.
DNS Cache changes
The DNS Cache has moved from nscd to pdnsd.
Log Server Interface changes (#20940)
The Log Relay IP field is no longer displayed if it is correctly set to 127.0.0.1. If, however, the IP address was set to a non-local address in the previous Release, it will be displayed on the screen together with a warning to change it to 127.0.0.1. This reduces the risk of defining unsupported log relay topologies.
Vital Security can now scan CHM files
The appliance now supports scanning CHM files.
HTTP Port Configuration Changes (#20958)
The Restricted Ports in URI field has been removed from the Settings > Devices > Scanning Server > HTTP configuration screen. In its place is a new feature entitled Allowed Server Ports in URI. All non-standard ports which were defined in the previous version as allowed must be manually remapped into this field. Standard ports such as 80 (HTTP), 443 (HTTPS) and 21 (Native FTP) will be automatically carried over, unless defined as restricted in previous versions. In addition, a message will appear in the System Log view, explaining which ports still need to be mapped.
Log View: Change Filter button added when filter is used in log view (#19322)
If a filter is defined, then the Filter button at the top left is displayed as Change Filter. Once you delete all the fields in the Filter, the button returns to display as Filter.
New Types for Detection by True Type (#18240, #18386, #18557, #18588, #2101, #18098, #1680, #19080, #19967, #18949, #19835, #21120)
The following table comprises a complete list of all the file types that are in the True Type Rule Condition for this Release.
| True Type file types | | | | |
| --- | --- | --- | --- | --- |
| 7Z Archive | Diet compressed | Lzop compressed data | PKSFX Packer | URL File |
| ACE Archive | Documents | MIME content | PKZIP self-extract | UUEncoded Text |
| AFX compressed file | Excel Macro File | MNG video data | Packed Executables | UNIX Executable files |
| ARC Archive | GZIP Archive | MS Encoded Java Script | Png Image | UNIX compressed data |
| ARJ Archive | Gif Image | MS Encoded VB Script | Postscript File | Unscannable Data |
| ARJ self-extract | HPACK Archive | MS Windows HTML Help Data | Potentially Malicious Packers | Unscannable archives |
| Active Textual Web Content | Icon Image | MSI installation package | RAR Archive | Upload Data |
| ActiveX Control | INF File | Macromedia Freehand 9 Document | RAR self-extract | VB Script |
| Adobe Photoshop Image | Image | Mcrypt encrypted data | Real Audio | VRML File |
| Animated Cursor | Info-ZIP self-extract | Microsoft Access Database | Rich Text Format | Video Image |
| Archive | JAM Archive | Microsoft Office Document | SCR file | Web Form |
| Archived HTML | JNG Video Data | Microsoft Office Document with Embedded Files | Scannable Active Content | Web Page |
| Audio File | Java Class | Microsoft Office Document with Macros | Shockwave Flash | Winamp Plug-in |
| AutoCAD drawing | Java Script | Microsoft Office Scrap Object | Standalone Java Script | Windows Executable File |
| BZ2 Archive | Java serialization data | Microsoft Outlook MSG Document | Standalone VB Script | Windows Metafile |
| Bmp Image | Jpeg Image | Microsoft Word Document | Streaming | Windows help files |
| CAB Archive | LHA Archive | PCX Image Data | TAR Archive | Windows registry files |
| CSS File | LHA self-extract | PDF File | TIFF Image | Winzip Win32 Self-extracting Archive |
| Cap File | LZEXE packer | PGP Signature | Text File | XML File |
| DOS Executable File | Link file | PIF-Windows Program Information | Tgif Image Data | Zip Jar Archive |
| LZEXE compressed DOS exe | Lotus 1-2-3 document | PKLITE compressed DOS Executable | UPX compressed Win32 Executable | Zoo archive data |
New Rule Conditions in the Rule Editor box (#20885,
| Content Processors | Description | Further Information |
| --- | --- | --- |
| Protocol | Defines a list of protocols used by Vital Security NG. | The new Protocol rule condition contains the following protocols: FTP over HTTP; HTTP; HTTP Tunneling (HTTPS); HTTP over SSL; Native FTP. This new condition is not currently used by any of the rules in the Security Policies but is available for inclusion in your customized policy rules. |
| Spoofed Content | Defines potentially malicious content disguised as harmless files. | The new Spoofed Content rule condition is used in the new Detect Spoofed Content rule. |
| New Header Fields Lists | Description |
| --- | --- |
| Firefox 1.0, 1.1, 1.2 and 1.3 | Older versions of Firefox |
| Netscape 7.x | All Netscape versions beginning with 7 |
| Older and Unsafe browsers | Browsers that rely on older and/or unsafe versions |
| SSL | Defines SSL Header Fields. NOTE: This option appears for backwards compatibility only and should be replaced by the Protocol condition: HTTP over SSL. |
| Media Players | Defines Media Player Header Fields. NOTE: This appears for backwards compatibility only and should be replaced by the True Content Type condition: Streaming. |
New rules added to Default Security Policy:
| New Rule Name | Description | Rule Condition |
| --- | --- | --- |
| Block Microsoft Office Documents containing Macros and/or Embedded files | This rule blocks Microsoft Office Documents which contain macros or embedded files, which may contain malicious code. | |
| Block Spoofed Content | This rule was designed to neutralize attacks in which a virus or malicious code spoofs itself as a harmless file in order to elude the anti-virus engine. | |
| Block Potentially Malicious Packed Executables | This rule blocks packed executables which may be used to hide malicious content. | |
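The check behind the Spoofed Content condition and the Block Spoofed Content rule is a comparison between what a file's bytes say it is and what its extension claims. The following Python is an added example, not Finjan's detector: the type names come from the True Type table above, while the signature list, the extension map and the decision rule are assumptions covering only a few binary formats.

```python
"""True-type identification versus the extension a file claims.

Added example, not Finjan's detector. Type names are taken from the True Type
table in these release notes; the signature list and the decision rule are
assumptions and cover only a handful of binary formats.
"""

# (offset, magic bytes, True Type name). TAR keeps its magic inside the header
# rather than at offset 0. CAFEBABE is also used by Mach-O fat binaries, one
# reason a real detector inspects more than the first few bytes.
SIGNATURES = [
    (0, b"MZ", "Windows Executable File"),
    (0, b"PK\x03\x04", "Zip Jar Archive"),
    (0, b"Rar!\x1a\x07", "RAR Archive"),
    (0, b"%PDF-", "PDF File"),
    (0, b"GIF87a", "Gif Image"),
    (0, b"GIF89a", "Gif Image"),
    (0, b"\x89PNG\r\n\x1a\n", "Png Image"),
    (0, b"\xff\xd8\xff", "Jpeg Image"),
    (0, b"BZh", "BZ2 Archive"),
    (0, b"\x1f\x8b", "GZIP Archive"),
    (0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "Microsoft Office Document"),
    (0, b"{\\rtf", "Rich Text Format"),
    (0, b"FWS", "Shockwave Flash"),
    (0, b"CWS", "Shockwave Flash"),
    (0, b"\xca\xfe\xba\xbe", "Java Class"),
    (0, b"ITSF", "MS Windows HTML Help Data"),
    (257, b"ustar", "TAR Archive"),
]

# What an extension claims to be, in the same vocabulary (assumed mapping).
EXTENSION_CLAIMS = {
    "exe": "Windows Executable File", "dll": "Windows Executable File",
    "zip": "Zip Jar Archive", "jar": "Zip Jar Archive",
    "rar": "RAR Archive", "pdf": "PDF File", "gif": "Gif Image",
    "png": "Png Image", "jpg": "Jpeg Image", "jpeg": "Jpeg Image",
    "bz2": "BZ2 Archive", "gz": "GZIP Archive", "tar": "TAR Archive",
    "doc": "Microsoft Office Document", "xls": "Microsoft Office Document",
    "ppt": "Microsoft Office Document", "rtf": "Rich Text Format",
    "swf": "Shockwave Flash", "class": "Java Class",
    "chm": "MS Windows HTML Help Data", "txt": "Text File",
}


def true_type(data):
    """Classify content by its bytes, ignoring the file name entirely."""
    for offset, magic, name in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return name
    return "Unknown"


def claimed_type(filename):
    """What the extension claims; 'Unknown' for no or unrecognised extension."""
    name = filename.rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return EXTENSION_CLAIMS.get(ext, "Unknown")


def is_spoofed(filename, data):
    """Spoofed content: the bytes identify a known type that differs from the
    type the extension claims. Unknown on either side is not spoofing, so a
    plain text file (which has no magic) under .txt is not flagged."""
    detected, claimed = true_type(data), claimed_type(filename)
    return "Unknown" not in (detected, claimed) and detected != claimed


def scan(filename, data):
    """Verdict record for one file, e.g. for a log line or a block page."""
    return {"file": filename, "claimed": claimed_type(filename),
            "detected": true_type(data), "spoofed": is_spoofed(filename, data)}


if __name__ == "__main__":
    # Constructed samples, not real files.
    samples = [("report.pdf", b"MZ\x90\x00" + bytes(60)),   # exe renamed .pdf
               ("report.pdf", b"%PDF-1.4\n%\xe2\xe3\n"),
               ("photo.jpg", b"PK\x03\x04\x14\x00"),          # zip renamed .jpg
               ("backup.tar", bytes(257) + b"ustar\x00"),
               ("notes.txt", b"hello")]
    for name, data in samples:
        print(scan(name, data))
```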
Old rules deleted from Security Policy
| Deleted Rule Name | Explanation |
| --- | --- |
| Block Spoofed Executable Files | This rule has been replaced with the Block Spoofed Content rule. |
| Block Files Spoofed as Archives | This rule has been replaced with the Block Spoofed Content rule. |
New Rule Order
Changes in rule positioning
For detailed explanations on the new Security Rules and the new rule order, please refer to Security Policies In-depth.
Problems working with ICAP (#18731)
This problem occurred previously when a status page was activated through ICAP and the resulting URI with download parameters arrived through the HTTP protocol. This happened when a browser switched from ICAP to HTTP proxy and resent the request. This bug has been fixed.
Log Viewer: Block Transaction ID not appearing in specific cases (#21685)
In certain cases of embedded VB Script blocking, the blocked transaction did not appear in log view and reports. Now, it appears as required.
URL List not blocked if it has "?" at the end when adding to white list (#20056)
The URL List now supports this character at the end of the address.
Overblocking: certain binary types detected incorrectly and blocked (#1735)
Binary types with the following extensions are now detected correctly: bmp, png, flash, ico, exe (all kinds), cab, b7, zip, gzip, rar, tar, ace, LHA.
Internet Explorer (Service Pack 1) crashes when using https and basic
This problem has been fixed.
Management Console: icons disappear when scrolling down folders (#17347)
Within the tabs, the icons now remain fixed when scrolling down.
Log view: blocked zip files not displaying in Log view (#18023)
Log view now displays the transactions correctly.
Redirection from HTTP to HTTPS fails
The problem was fixed by not adding sfgdata to HTTPS on links.
ICAP client weights not enforced (#19090)
The ICAP Server now checks the maximum connections limitation for each client (according to its weight) with about 10% deviation.
URA does not support certain XML characters, which in turn causes problems with logs (#19292)
XML characters are now supported in the User Response Action message, effectively solving this problem.
URA does not support odd number of % signs
This is now supported. However in general, it is recommended that the administrator use the available Placeholders with the %% sign when composing a URA message.
List created by administrator in a language other than English not displayed correctly after being Imported
This type of list is now displayed correctly.
Underblocking: Non-HTML files with UTF-16/32 encoding without BOM are not blocked (#19834)
This problem has been fixed.
Underblocking: Files with COM extensions aren't blocked using FTP native (#19978)
This problem has been fixed.
LDAP Import does not work when adding a Cycling group (#20648)
LDAP now supports Cycling groups (groups included in other groups).
Uploaded malicious content not blocked via
This problem has been fixed.
Unscannable active content not added to the Auto-Generated List (#17639)
Unscannable active content can now be added to the Auto-Generated List.
Possible to bypass URL list rule by adding port number to URI (#17798)
It is no longer possible to access a blacklisted URL list in this manner.
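Three of the fixes above come down to how a request URL is compared with a URL-list entry: an explicit default port in the URI must not defeat the list (#17798), a list entry may end in "?" (#20056), and the server port in the URI is itself subject to an allowed-port check (#20958). The following Python is an added example, not Finjan code; its host, port and path matching rules are assumptions, not the appliance's documented algorithm.

```python
"""URL-list matching with canonicalisation (added example, not Finjan code).

The host/port/path matching rules are assumptions, not the appliance's
documented algorithm.
"""
from urllib.parse import urlsplit

# An explicit ":80" on an http URL must compare equal to no port (#17798).
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}


def canonicalize(url):
    """Return (scheme, host, port, tail) for a request URL or a list entry.

    host is lower-cased minus any trailing dot; port is None when it is the
    scheme default; tail is path plus "?query", keeping a bare trailing "?"
    (which urlsplit drops) so list entries may end in it (#20056).
    Returns None for unparsable input such as a non-numeric port.
    """
    raw = url.strip()
    if "://" not in raw:
        raw = "http://" + raw  # list entries are written without a scheme
    try:
        parts = urlsplit(raw)
        port = parts.port  # raises ValueError on a port such as ":abc"
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return None
    if port == DEFAULT_PORTS.get(scheme):
        port = None
    tail = parts.path or "/"
    if parts.query:
        tail += "?" + parts.query
    elif raw.endswith("?"):
        tail += "?"
    return scheme, host, port, tail


def naive_matches(entry, url):
    """The substring test the port trick defeats: with ":80" between host and
    path, the entry is no longer a substring of the request."""
    return entry.lower() in url.lower()


def entry_matches(entry, url):
    """True when url falls under entry: same host, same effective port (an
    entry without a port matches any port), entry tail a prefix of url tail."""
    e, u = canonicalize(entry), canonicalize(url)
    if e is None or u is None:
        return False
    _, ehost, eport, etail = e
    _, uhost, uport, utail = u
    if ehost != uhost or (eport is not None and eport != uport):
        return False
    return utail.startswith(etail)


def uri_port_allowed(url, allowed=frozenset({21, 80, 443})):
    """Allowed Server Ports in URI style check (assumed semantics): the port the
    request would actually connect to must be in the allowed set (#20958)."""
    c = canonicalize(url)
    if c is None:
        return False
    scheme, _, port, _ = c
    effective = port if port is not None else DEFAULT_PORTS.get(scheme)
    return effective in allowed


def list_verdicts(urls, entries):
    """Map each request URL to whether any list entry matches it."""
    return {url: any(entry_matches(e, url) for e in entries) for url in urls}
```

With a constructed entry "www.blocked.example/", the request "http://www.blocked.example:80/index.html" fails naive_matches but is caught by entry_matches.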
No Block Action shown in Log View after file is blocked (#17960)
The Action now shows correctly as Blocked.
This bug has been fixed.
Content Size scanning for files equal to the value listed as well as greater than (#18716)
Content Size rule now only scans for files greater than the value listed.
Content Size scanning not exact for big
Content Size rule now correctly identifies file size.
Blue Coat connections from Vital Security Appliance (#18873)
Blue Coat now considers the max-connection value per server correctly. For those customers who have added a dummy ICAP client in the Vital Security Web Appliance configuration - please make sure to delete it.
Password protected Multi-volume RAR archives are not detected correctly (#19721)
This bug has been fixed.
NTLM Authentication not working correctly with "Require NTLMv2 session security" client setting
Customers previously using non-default settings for NTLM were experiencing problems. This problem has been successfully fixed.
Block Pages received while using X-Ray Policy (#19279)
While browsing using an X-Ray Policy, block pages are no longer displayed.
Log filter - "not equal to" field not producing correct results (#20352)
This bug has been fixed.
No distinction between PKLITE & SFX-PKZIP (#20397)
The administrator can now distinguish between PKLITE compressed executables (files that can be executed immediately) and SFX PKZIP archives.
Lost connection when downloading a file from the update site (#20576)
Downloading files from the Update site no longer causes problems.
update site are not received by mailing list if there is an invalid address in list (#20670)
This bug has been fixed.
selection from Use chart to Do not use chart causes Error message (#20692)
This bug has been fixed.
Import: Same item included in several conditions in a Policy displays several times under the Policy after import (#20740)
An item is only displayed once for each Policy after an import.
Context Scanning List cannot be successfully imported
This list can now be successfully imported.
blocked if its extension has been renamed (#20775)
Generic Block Page does not contain Transaction ID (#20286)
The generic block page, chosen by leaving the Block Reason as an empty line, now displays the Transaction ID.
No Notification - Block Page received for specific file type even with No Notification selected
The No Notification feature is now working correctly for all file types.
JAR Applets not fully scanned in rare circumstances (#20197)
JAR Applets are now fully scanned.
JAR/ZIP files not being blocked by their extensions in certain circumstances (#20796)
This bug has been fixed.
files not handled by the Scanning engine (#20329)
This referred to zip files not created with Winzip 9 or 10 - and has been successfully fixed.
Connection Status Not Active does not cause Server to display as red (#19728)
Previously, the relevant Server was displayed in red only when its Activity Status was Not Active. Now it is also displayed in red when its Connection Status is Not Active.
Valid characters such as "&" not supported in URLs (#17295)
These characters are now supported.
Internal Bug Fixes: #18248, #19348, #19744, #20005, #20517, #20766, #20772, #1987, #2210, #17206, #17981, #18080, #18648, #18897, #18809, #19345, #20617, #20632, #2755, #18987, #19827,
When using Transparency, authentication should be disabled. Currently, both features cannot work together.
FTP in transparent mode: Cannot modify Page Block messages
When using the browser for ftp access in transparency mode, block messages are generated by the client-side browser and cannot be modified.
ICAP Protocol FTP over HTTP Transaction not logged as such when working with Blue Coat
FTP over HTTP transactions via Bluecoat appear as ICAP/HTTP in the Logs instead of ICAP/FTP over HTTP.
LDAP - Working with Kerberos Authentication in different Time Zones
In order to work correctly with Kerberos, you must reset the time zone first.
Coaching does not work for secure sites
The coaching action for Security Rules does not work over https.
Rollback: Must click Refresh after applying Settings to check they are correct (#21688)
In the Rollback screen, after you have configured your settings and clicked Apply, press Refresh to check that the settings are correct. An error message will appear if they are incorrect.
Problem when trying to download a large file from windowsupdate using ICAP (#19539)
This is an ICAP Client issue. The suggested workaround is to add the windowsupdate site to the ICAP client's bypass sites list.
Using NetCache as an ICAP client results in problems with Windows Update (#19713)
This is a known bug in NetApp Support (Bug ID 147838).
To fix this problem:
Access NetCache's command line interface
Type the following command: config.icapv1.incl_cont_len = on
Block page not sent when attaching files in gmail (#20004)
When an end-user attempts to attach files containing suspected viruses in gmail, the action is blocked but a block page is not sent to the user. However, the transaction is marked as logged in the Log View.
currently of WebDav (#18857)
WebDav and HTTP 0.9 protocol are currently unsupported.
Need to add information when configuring Kerberos
When navigating to Users > LDAP Servers, click on Add. The Add Directory appears. In this dialog box, if you choose the Kerberos authentication option, via the Setup Console you must make sure to add the following to the /etc/hosts file on the Policy Server: <machine FQDN> and <domain name>.
License after duplicating policy renders AV rules inactive
Any Anti-Virus rules on a User-defined Policy will be rendered inactive following a change in Evaluation Licensing. If you change your evaluation licensing, make sure to review all the rules in any Security Policies you created previously.
Reports: Some extremely long Reports Cause Temporary
When running some Reports, the administrator's computer might consume 100% of the CPU resources. Please note that this situation is short-lasting and the Reports will run normally after a few minutes.
Activity possibly fails after selecting "Apply Network Setting"
When navigating to Setup Console > Advanced Settings > Network Settings > Apply Network Setting, in certain rare cases the network connectivity to the appliance might fail. Please note, manually restarting the appliance restores both connectivity and the modified settings.
If, in a policy, both X-Ray and non X-Ray rules were activated, only the last triggered rule will be reported.
No Distinction between Java Script and VB Script Behaviors
NTLM Negotiation is slow when the Scanning Server is between the Client and the ISA Server
When the Scanning Server is situated between the client and an upstream proxy server and NTLM authentication has been configured for the upstream proxy server, the NTLM negotiation process is slow, causing a degradation in Web-surfing performance.
Scanning Server Does Not Respond to Basic and NTLM Proxy
When a chain of Web proxies has been established between the Scanning Server and an upstream proxy and proxy authentication is configured, the client receives a request for basic authentication from the Scanning Server, instead of the Scanning Server handling the response itself.
Server Must be Restarted for Changes to be Applied
Changes made to the default gateway will take effect only once the load balancer has been restarted.
User Receives Blank Page during Forbidden Download Attempt When the Status Page is Disabled
When disabling the status page and trying to download forbidden active content, the user sees a blank page instead of a page explaining that the download has been blocked.
Large Numbers of Log Entries may Cause Delays when
Issues regarding the Log Viewer delay have been resolved. However, there may still be delays when using filters that produce a large number of entries.
Delays When Using the Scanner
Accessing the Management Console via the Scanning Server may result in system delays. To avoid this, the browser should be configured in the proxy settings to bypass the proxy when trying to access the appliance IP.
Automatic refresh of Devices and Updates screens in Settings tab does not work on rare occasions
The use of F5 (the Browser Refresh button) is necessary to refresh the Devices and Updates screens when automatic refresh does not occur.
Time Periods when defining Monthly/Weekly Reports
Settings > System > Logging > Report Database Granularity: Changing between the granularity will create an overlap in dates between databases.
ISR VSNG.SYSRN1 5-November-06 EN
© Copyright 1996-2006. Finjan Software Inc. and its affiliates and subsidiaries. All rights reserved.
All text and figures included in this publication are the exclusive property of Finjan and are for your personal and non-commercial use. You may not modify, copy, distribute, transmit, display, perform, reproduce, publish, license, create derivative works from, transfer, use or sell any part of its content in any way without the express permission in writing from Finjan. Information in this document is subject to change without notice and does not present a commitment or representation on the part of Finjan. The Finjan technology and/or products and/or software described and/or referenced to in this material are protected by registered and/or pending patents including U.S. Patents No. 6092194, 6154844, 6167520, 6480962, 6209103, 6298446, 6353892, 6804780, 6922693, 6944822, 6993662, 6965968 and 7058822 and may be protected by other U.S. Patents, foreign patents, or pending applications.
Finjan, Finjan logo, Vital Security, Vulnerability Anti.dote and Window-of-Vulnerability are trademarks or registered trademarks of Finjan Software Inc., and/or its subsidiaries. Sophos is a registered trademark of Sophos plc. McAfee is a registered trademark of McAfee Inc. Kaspersky is a registered trademark of Kaspersky Lab. SurfControl is a registered trademark of SurfControl plc. Microsoft and Microsoft Office are registered trademarks of Microsoft Corporation. All other trademarks are the trademarks of their respective owners.