Security Analytics 7.2.2 Release Notes
Version: 7.2.2.44195 Software Release Date: 17 November 2016 Document Revision: 1.0 on 17 November 2016
Blue Coat Security Analytics is a sophisticated network security device that delivers full network visibility, advanced network forensics, and real‐time content inspection for all network activity. IMPORTANT
If you are upgrading from 7.2.1 to 7.2.2 follow the instructions in "Upgrading from 7.2.1" on page 4.
If you are upgrading from 7.1.x to 7.2.2, the following information will not be automatically preserved: •Saved reports • ThreatBLADE‐related reports, alerts, •CMC VPN and sensor entries actions, and favorites (including ThreatBLADE favorites customized by •Child alerts from Local File Analysis support services); remote notification, •Customized alert thresholds and URL unknown protocol, and endpoint Analysis verdict mappings protocol settings •Unmodified default actions and •Credentials and settings for third‐party favorites reputation providers such as FireEye •Custom favorites and actions created and Lastline via the CMC •Some RBAC settings for user groups •The Default Summary view •Actions associated with discontinued •Data‐enrichment file‐type filter settings providers (Bit9, NormanShark, Lastline •Customized YARA rules and custom Hash, Local File Analysis) hashes in Solera HashDB
To preserve information from 7.1.x and transfer it to version 7.2.2, you must follow the instructions in "Upgrading from 7.1.x" on page 6.
1 of 27 Security Analytics 7.2.2 44195 Release Notes
Release Notes Contents
"New in Security Analytics 7.2.2" on page 2 "7.2.2 Known Issues" on page 14 • "7.2.2 Fixes" on page 3 "7.2.1 Release Notes Summary" on page 15 "Upgrading from 7.2.1" on page 4 • "7.2.1 Fixes" on page 20 • "Upgrading a CMC Environment from 7.2.1" on • "7.2.1 CMC Fixes" on page 22 page 5 "All 7.2.x Known Issues" on page 23 "Upgrading from 7.1.x" on page 6 "Resources" on page 24 • "Upgrading a CMC Environment from 7.1.x" on • "Technical Support" page 11 • "Security Analytics Help Files" "Licensing Security Analytics" on page 12 • "BlueTouch Online"
New in Security Analytics 7.2.2 The following features are new in Security Analytics 7.2.2: Expanded support to manage Security Analytics over IPv6, including but not limited to: •Default gateway •DNS servers •CMC VPNs •Malware Analysis •Remote notifications •Firewall •LDAP authentication •NTP servers EULA accepted when retrieving the license key from the Blue Coat Licensing Portal instead of being accepted by each user ReversingLabs TitaniumScale integration provider •Four new reports to support TitaniumScale SCP File Mover and Local File Mover Option for viewing web UI in Japanese Notifications when /tmp, /ds, and /var reach 80% of capacity Timezone code accounts for Turkey remaining on summer time in fall 2016
2 of 27 7.2.2 Fixes
7.2.2 Fixes The following fixes are in Security Analytics 7.2.2: Deploying a proxy caused the following: •Sensors lost connection with the CMC. •The local Web Reputation Service database would not download. •OCSP requests failed. Extractions could not be downloaded from multiple sensors in a CMC environment. Anomaly‐detection logs filled up the filesystem. Scheduled indicator imports did not clean up files in /tmp. Users could not be successfully deleted. PCAP download to a CIFS server did not work. megacli data was not in the Customer Service Report. Malware Analysis configuration changes were not applied until after restarting malware_analysisd. Inconsistent alert count between CMC and sensors solera-openvpn service was not always set to start on boot. etherip packets were logged excessively. Data enrichment aborted when there were duplicate YARA rules. iptables6 did not start after setup. SCADA reports were not included by default. The application classifier segfaulted because of an RSYNC problem. Rules could be orphaned after a user was deleted. An irrelevant notification appeared after each boot on Fibre Channel‐ connected systems. Regex matches could not be written to the Indexing DB (Custom Analytics preview only) Failures in database migration using scm migrate did not notify the user. OpenVPN would not use customer‐deployed Certificate Authority. The stop button was unresponsive when running a long report. When signature‐based extraction was enabled, the indexer segfaulted because of a flaw in the application classifier. The Preserve Original Filename option for FTP File Mover was not honored. The extractor did not recognize TGZ files as archives. The extractor did not sanitize presented extensions. Anomaly detection was generating over‐large logs.The query handler failed when paths contained percent‐encoded character substrings. URL‐category anomalies had malformed pivot URLs. sunpack-n preview was not available from a CMC. Could not download CSV or PDF reports from a CMC.
3 of 27 Security Analytics 7.2.2 44195 Release Notes
Security Upgrades CVE‐2016‐5195 (“Dirty COW”) was addressed. Vulnerabilities in these Security Advisories were addressed in version 7.2.2: •SA113 (completed: see SA113 for details) • SA131 •SA128 • SA132 •SA129
Note: Go to bto.bluecoat.com/security-advisories to review vulnerabilities and fixes for Security Analytics.
Upgrade Instructions
Browser Support Security Analytics 7.2.2 supports all of the latest browser versions.
Compatibility Issues Security Analytics management traffic (on eth0) cannot be subjected to SSL intercept. If your Security Analytics appliance is deployed behind SSL‐intercept devices such as Blue Coat SSL Visibility Appliance, Blue Coat ProxySG, or a next‐ generation firewall, you must configure those devices to exclude traffic from the Security Analytics management interface.
Upgrading from 7.2.1 IMPORTANT: Are you upgrading from 7.1.x to 7.2.2?
Yes—Follow the instructions in "Upgrading from 7.1.x" on No—Continue to the next page 6 to avoid losing data. question.
Are you upgrading a CMC environment?
Yes—Follow the instructions in "Upgrading a CMC No—Upgrade as usual. Environment from 7.2.1", below, to avoid losing CMC/ sensor connectivity
4 of 27 Upgrade Instructions
Upgrading a CMC Environment from 7.2.1 In a CMC environment, sensors and CMCs that are running different versions of 7.2.x cannot communicate with each other because of further upgrades to the cipher suite.
Recommended Upgrade Method Follow these steps to have the fewest disconnection issues while upgrading CMCs and their sensors from 7.2.1 to 7.2.2. 1. Upload the 7.2.2 upgrade to the CMC’s upgrade repository. 2. Push‐upgrade all of the sensors to 7.2.2. 3. After the sensors have finished upgrading, the CMC cannot connect to them. Upgrade the CMC to 7.2.2 to restore connectivity.
Staggered Upgrade Method Follow these steps if you cannot upgrade your entire CMC environment to 7.2.2 at once. By installing this script, CMCs and sensors that are running different versions of 7.2.x will maintain connectivity. 1. Log in to BlueTouch Online (BTO) and search the Knowledge Base for article 000032526 (include the leading zeros). Open the article. 2. Under Attachment click Download File. 3. Follow the instructions under Resolution to install the script on every CMC and sensor in your environment. 4. After the script has finished installing, you can upgrade the CMCs and their sensors according to your organization’s schedule; the CMCs and sensors will maintain connectivity across 7.2.x versions.
5 of 27 Security Analytics 7.2.2 44195 Release Notes
Upgrading from 7.1.x Are you upgrading a CMC environment from 7.1.x to 7.2.2?
Yes—Follow the instructions in "Upgrading a CMC No—Continue the procedure. Environment from 7.1.x" on page 11.
Before the Upgrade Verify that you have saved, exported, or noted the information in this section:
Information to Manually Record To preserve this information you must view it on the web UI and either take a screenshot or notate the information:
On Settings > Data Enrichment Individual settings for the FileThreat BLADE and WebThreat BLADE.
•Make a note of any remote notification, template, endpoint provider, and unknown protocols settings. Third‐Party On‐Demand Reputation Providers credentials and settings. •For providers that require authentication credentials (FireEye, FTP File Mover, Lastline, VirusTotal), note the account names and make sure you can locate the passphrases for the accounts. .Bit9 and NormanShark providers are discontinued in 7.2.1. •For FTP File Mover, note whether the Attachments Only option has been selected. Data Enrichment File Types selections. WebPulse Custom Update Location settings and credentials.
On Settings > Users and Groups RBAC permissions for the user groups, especially admin.
6 of 27 Upgrade Instructions
Information to Export from the Web UI The following data and settings can be downloaded from or altered in the web UI to preserve them on upgrade.
On Analyze > Summary The old Default View on the Summary page will be deleted, regardless of whether you have designated it as your default view.
•To preserve the current Default View, create a new view as a duplicate of Default View and give it a new name; user‐defined views will not be overwritten. Report data that is associated with the ThreatBLADES and Local File Analysis will be deleted. Download the reports that you want to save as CSV or PDF.
On Analyze > Saved Results For saved reports to keep, click View Report and then save the report as a CSV or PDF. (Saved extractions will be preserved on upgrade.)
On Analyze > Favorites Use the export function to preserve default favorites that you have not modified. Alternatively, you can change the name of a default favorite to preserve it.
Information to Copy from System Files This customized information must be copied from system files: YARA Rules—In /usr/lib64/python3.3/site-packages/derp/providers/third_party/yara_rules/ rules.yar ThreatBLADE Favorites—For assistance, consult the sales engineer who customized them. Alert Threshold—In /etc/solera/config/derp.conf as "derpd":{"threshold":x,} URL Category Verdict Mapping—In /etc/solera/config/threat_mapping.txt
Information That Cannot Be Saved The following information cannot be viewed on or exported from the Security Analytics appliance. You may be able to obtain some of this information elsewhere in your organization if you need to restore it to version 7.2.1: Custom hash blacklists Alerts generated by the ThreatBLADES Alerts generated by unmodified default actions Child alerts generated by Local File Analysis
7 of 27 Security Analytics 7.2.2 44195 Release Notes
After the Upgrade At this point, you may want to consult the Help Files to get more information on some of the changes mentioned in this section. Go to "Security Analytics Help Files" on page 24 for Help Files locations. In Security Analytics 7.2.1 some of the terminology has changed: •Favorites —> Indicators •Actions —> Rules •WebPulse —> Web Reputation Service • ThreatBLADES —> Blue Coat Intelligence Services. More than having a new name, the data‐enrichment process has been significantly retooled.
Follow these instructions to re‐import or re‐enter the information that you recorded.
Information to Manually Input This information must be manually input to the web UI. Remote Notifications and Endpoint Providers are now associated with rules instead of ThreatBLADES. Go to Analyze > Rules and edit the File Reputation Service or Web Reputation Service rules to re‐enter the information. To restore the Unknown Protocols setting, add application_id=unknown to an indicator. Consult the Help Files for more information on how the function of the unknown protocol setting changed in 7.2.1.
Read More: In the Help Files under Data Enrichment > Extractions > Artifact Extraction > Signature-Based Extraction.
Re‐enter the Third‐Party On‐Demand Reputation Provider settings and credentials on Settings > Data Enrichment. •The default port for Cuckoo has changed to 8090.
Read More: In the Help Files under Data Enrichment > Enrichment Providers > Integration Providers.
•The Attachments Only setting for the FTP File Mover has been replaced with the per‐provider data enrichment filters: clear the Email Bodies file type to send only email attachments.
Read More: In the Help Files under Data Enrichment > Data Enrichment Filters and Data Enrichment > Enrichment Providers > Integration Providers > Configure Integration Providers.
The new data‐enrichment file‐type filters comprise one default filter set (that you can apply to any file/file hash provider) and per‐provider filters that you can customize. On Settings > Data Enrichment, manually input the file‐type filter settings as desired.
Read More: In the Help Files under Data Enrichment > Data Enrichment Filters.
8 of 27 Upgrade Instructions
Delete and then re‐add any Malware Analysis entries. The Web Reputation Service Custom Update Location and credentials is on Settings > Data Enrichment, as before. On Settings > Users and Groups, validate the RBAC settings for all groups.
Information to Upload to the Web UI The new default landing page is the Alerts Management Dashboard instead of the default Summary page. Select Analyze > Summary to verify that the old Default View has been preserved under its new name. • ThreatBLADE‐related report widgets and their data have been removed. •The Local File Analysis report widget from 7.1.x was deleted along with its data, but it has been replaced by a new report widget with the same name. If you used the Export function on Analyze > Favorites to save your favorites, go to Analyze > Indicators to import them again. On Analyze > Rules, reactivate any rules that may have been deactivated. •Actions (rules) that you created or customized should have been transferred to the new Rules list intact, with the following exceptions: .Data‐enrichment actions that specified providers that do not exist in 7.2.2 (Bit9, NormanShark, Lastline Hash) are deactivated and can be manually deleted. .Custom actions with Local File Analysis as the provider are converted into rules with ClamAV selected as the provider. .The Local File Analysis and Local File Analysis ‐ Live Exploits actions are deleted and replaced by their 7.2.2 counterparts.
Information to Copy to System Files This customized information can be copied to the new system files: YARA Rules—To /usr/share/solera/yara_rules/rules.yar Alert Threshold—To /etc/tonic.d/alerting.conf URL Category Verdict Mapping—To /etc/solera/config/threat_mapping.txt
Inputting Custom Hashes The new Custom Hash List provider is populated by using the lhr_flat_to_qdb utility. Instructions are in the Help Files.
Read More: In the Help Files under Data Enrichment > Enrichment Providers > Custom Hash List.
9 of 27 Security Analytics 7.2.2 44195 Release Notes
Settings to Verify Check these settings to make sure they still suit your needs. If your Security Analytics appliance connects to the Internet through a proxy, configure the proxy for the new Blue Coat Intelligence Services: • Web Reputation Service—sp.cwfservice.net:443 • File Reputation Service—Port 8443 at the following URLs: .*.es.bluecoat.com:8443 .185.2.196.204 .8.28.16.233 .199.116.169.204 .103.246.38.204
Note: The URL for the File Reputation Service will usually be frs.es.bluecoat.com; Blue Coat recommends that you create a firewall rule for all of the listed IP addresses. Future Engineering Services resources will also be provided from the *.es.bluecoat.com domain.
Read More: In the Help Files under Appliance Security > Ports and Protocols.
If you already had at least one ThreatBLADES subscription, you are automatically entitled to both Blue Coat Intelligence Services. •The new Blue Coat Intelligence Services are not enabled by default. You must activate them first on the Data Enrichment Settings page and then go to Analyze > Rules to enable the corresponding rule. •Enabling the File Reputation Service rule at the same time as the Malware Analysis rule (with FRS pre‐filtering) will trigger duplicate alerts. The Help Files contain recommendations for avoiding duplicates.
Read More: In the Help Files under Data Enrichment > Alerts > Blue Coat Malware Analysis Alerts.
Favorites that you have created or customized should have been transferred to the new Indicators list except for ThreatBLADE‐related attributes such as standard_blade_verdict and web_blade_malware_verdict; obsolete filter attributes may need to be manually deleted from transferred favorites.
10 of 27 Upgrade Instructions
Upgrading a CMC Environment from 7.1.x Because Security Analytics 7.2.x has upgraded the API calls and the Central Manager’s VPN ciphers and keys, CMC networks that were created in previous versions are incompatible with version 7.2.2.
Important: 7.2.x CMCs cannot manage 7.1.x or 6.6.x sensors, and 7.2.x sensors cannot be managed by 7.1.x or 6.6.x CMCs, even though it may appear as though the CMC and sensors are still connected.
Before the Upgrade 1. On the CMC: •Go to the Manage Sensors page and make a note of all the sensor IDs, names, and authorizations.
Note: Instead of taking notes manually, you can select the entire screen, copy it, and then paste it to Microsoft Word (to preserve the table structure) or to another text editor.
•On the Settings tab, note the Protocol, Subnet, Netmask, and Port.
Important: When you reset the CMC VPN, all of the favorites and actions that were created via the CMC will be deleted, because the user that is associated with those items is the cmc_proxyX user, which is always deleted when the CMC VPN is reset.
2. To save favorites (but not actions), go to Analyze > Favorites on the CMC, select any favorites that you would like to save, and export them. On the sensors: •Consult "Upgrading from 7.1.x" on page 6 to preserve information that will be overwritten or deleted upon upgrade.
Upgrading the CMC and Sensors 1. Download version 7.2.2 to the CMC’s upgrade repository. 2. Push‐upgrade all of the sensors to 7.2.2 first, and then upgrade the CMC. •If you do not want to upgrade all of your sensors at once, you can go to Settings > Upgrade on the sensor and download the upgrade file from the CMC. Until you click Initiate Upgrade, the sensor will remain on its current version. After the CMC has been upgraded to version 7.2.2, however, you cannot download the upgrade file to the sensor in this manner.
11 of 27 Security Analytics 7.2.2 44195 Release Notes
After the Upgrade After the CMC finishes upgrading: 1. On the CMC select Settings > Central Management > Settings and click Reset Settings. 2. When the VPN has finished deleting, you can input the same Subnet, Netmask, and Port as before or you can specify new ones. •The VPN subnet is now set up with 2048‐bit keys. For this reason, creating the new VPN and connecting sensors may take longer than usual over high‐latency connections. 3. On the Manage Sensors page, create all of the sensor entries and download the new authorization key files. If desired, you can add labels to the sensors, or you can add the labels at a later time. See "New on the 7.2.1 Central Manager Console (CMC)" on page 18 for more information. 4. On each sensor delete the old CMC entry on the Central Management Settings page and then create the new CMC entry.
Read More: In the Help Files under Central Manager > CMC Initial Settings and Central Manager > Connect Your First Sensor to the CMC.
5. If you exported favorites from the CMC, you must re‐import them on each individual sensor. (If you re‐import them to the CMC, they will not be visible on the CMC.) •If you ran the scm script or the manual command before the upgrade, the favorites (indicators) and actions (rules) should still reside on each sensor. The CMC will automatically aggregate all identical indicators and rules
Licensing Security Analytics Security Analytics license keys are now available on the Blue Coat Licensing Portal. Follow these instructions to retrieve a key and license a new Security Analytics appliance or CMC. 1. Go to BlueTouch Online (BTO): bto.bluecoat.com 2. Click the Licensing tab. 3. Click License Your Blue Coat Products. 4. Enter your user ID and password, as provided in the eFulfillment email that Blue Coat sent to you. 5. Retrieve your license key. 6. Log in to the web UI with these credentials: admin|Solera 7. On the Initial Configuration page, input the requested information and click Save.
12 of 27 Licensing Security Analytics
8. The License Details dialog is displayed. Does your Security Analytics appliance have access to the Internet (license.soleranetworks.com port 443)?
Yes—Follow the instructions in "Appliance No—Follow the instructions in "Appliance with Internet Access", below. without Internet Access" on page 13.
Appliance with Internet Access Follow these steps if your appliance has access to the Internet. 1. Under Retrieve License, input the License Key and click Send Request. 2. As applicable, select the desired license type. 3. The appliance sends the license key and the license seed file to the license server, which generates the appropriate license file (license.tgz) and returns it to the appliance, which automatically reboots. 4. Once the system has rebooted, select Settings > About > License Details to verify that the items are correct. 5. Click Download to create an archive copy of the license file (solera-license.dat). Store this file in a safe location that is not on the appliance.
Appliance without Internet Access Follow these steps if your appliance does not have access to the Internet. 1. Click Download DS Seed to download the seed file (dsseed.tgz) to your workstation. 2. On a workstation that has Internet access, go to license.soleranetworks.com. You can also access this site from the BTO Licensing tab by clicking License Server for Security Analytics. 3. Type your license key, upload dsseed.tgz, and click Update. 4. As applicable, select the desired license type and click Update. 5. Save the license file (license.tgz) to your workstation. 6. Return to the License Details dialog. 7. Click Browse and select license.tgz. 8. The license is uploaded and the appliance automatically reboots. 9. Once the system has rebooted, select Settings > About > License Details to verify that the items are correct. 10. Click Download to create an archive copy of the license file (solera-license.dat). Store this file in a safe location that is not on the appliance.
13 of 27 Security Analytics 7.2.2 44195 Release Notes
7.2.2 Known Issues On Virtual Machines with small /ds partitions, a disk‐space notification may appear. To clear the notification, delete the ISO file from /ds/upgrade. Upgrades from 7.1.x to 7.2.x require that Malware Analysis entries be deleted and re‐added. Freshclam updates fail when using Google’s IPv6 DNS address. It is not currently possible for a CMC to push‐upgrade its sensors over an IPv6 VPN. To upgrade sensors over an IPv6 VPN, follow these steps to create the upgrade server on the sensors and do a pull‐upgrade from the sensors: 1. Add the upgrade file to the Upgrade Repository on the CMC. 2. On each sensor to upgrade, add the following upgrade server on Settings > Upgrade: .Host—Global IPv6 address for eth0 on the CMC .Path—/upgrades/ .File Name—Manifest.xml .Username—admin (or equivalent) .Password—
7.2.2 Discontinuation These features are no longer available in Security Analytics 7.2.2: Reports and primary‐filter attributes in the packets namespace (except packet_length). The hash (#) character is no longer supported for indicators. Anomaly detector for high distinct count of initiator port over responder IP These Web Services APIs will be discontinued in the next major release of Security Analytics:
WSAPI APIv6 Replacement
/ws/pcap?method=deepsee GET: /pcap/download/deepsee
/ws/pcap?method=merge_path GET: /pcap/download/merge_path GET: /pcap/download/merge
/ws/pcap?method=raw GET: /pcap/download/raw
14 of 27 7.2.1 Release Notes Summary
7.2.1 Release Notes Summary Following is a summary of the 7.2.1 release notes. Get the complete version on BTO: bto.bluecoat.com/documentation/security-analytics-release-notes
New in Security Analytics 7.2.1 Alerts Management Dashboard—New default landing page Anomaly Detection—Provides visibility into abnormalities in your traffic patterns.
Note: Anomaly detection requires an appliance or VM with at least 64GB RAM to function properly. Less memory will result in degraded performance and missed anomalies. To disable anomaly detection, consult the Help Files under Data Capture > Data Availability > Data Enrichment Profiles.
Data Enrichment—The Security Analytics data‐enrichment subsystem has undergone a comprehensive rewrite so that you can deploy the enrichment providers more independently, in terms of both configuration and prioritization. The new system also provides improved data‐enrichment performance and scalability. • Real‐Time Enrichment Providers—All of the real‐time enrichment providers can be selected individually for any rule .File Reputation Service .Web Reputation Service .ICAP—Send ICAP service objects to Blue Coat Content Analysis. .Malware Analysis—No longer dependent on ThreatBLADES for real‐ time enrichment, Malware Analysis can operate in conjunction with— or independently of—the File Reputation Service. .Calculate and Store Hashes—Calculate MD5, SHA1, and SHA256 hashes for files that match the rule and write them to the indexing database. Fuzzy hashes can be enabled as well. .ClamAV®—File scanning for known viruses. .Custom Hash List—Replacing Solera HashDB, this provider contains only the MD5, SHA1, or SHA256 blacklist hashes that you upload. .jsunpack‐n—On‐board analysis of JavaScript, PDF, HTML, and SWF files. .YARA—These rules help detect live exploits before they are known to Blue Coat GIN. • File‐Type Filters—Changes to the data‐enrichment file‐type filter include: .Filters—Binaries, Code, JAR Archives, Debian® Packages .File Types—BZIP, GZIP, CPP, BIN, MP3, RTF .MIME Types—text/x-msdos-batch (EXE), application/x-httpd-php3 (PHP), application/cgi (CGI), and binary/octet-stream, multipart/byteranges (BIN)
15 of 27 Security Analytics 7.2.2 44195 Release Notes
Real‐Time Extraction—The new data enrichment rules (“actions” in 7.1.x) offer each real‐time enrichment provider as a separate entity in the Send to list. •Indicators—The robust new set of indicators in version 7.2.1 includes: .Live‐Feed Indicators—Leveraging public resources such as abuse.ch and rules.emergingthreats.net, these indicators can be updated at a regular interval to instantly apply filters for the latest threats as they emerge. Optionally, you can create your own live‐feed indicators. .Ransomware Tracker—By http_server, ipv4_address, or http_uri .Presented MIME Type—mime_type from packet headers .Detected File Type—file_type from the magic number .File Transfer Activity—To detect SMB, FTP, TFTP, and FTP Data traffic .Non‐Alphabetic Server Name—For http_server=[IPv4 address] • Rules—Instead of activating ThreatBLADE rules on the Data Enrichment Settings page, the rules for the Blue Coat Intelligence Services, Malware Analysis, and Local File Analysis are listed on the Rules page. By default, the following rules are active immediately after you upgrade to version 7.2.1: .Heartbleed Attack Attempt Alert .Non‐Standard SSH Alert .Shellshock Webserver Exploit Attempt Alert .Local File Analysis ‐ Live Exploits (YARA rules) • On‐Demand Reputation Providers—The on‐demand reputation providers give you instant visibility into individual report and artifact attributes. Improvements to existing third‐party on‐demand reputation providers include: .Support for FireEye AX‐series .Team Cymru Malware Hash Registry replaces SANS ISC Hash .Option to preserve the original filename for FTP File Mover .User‐configurable Lastline location Data Enrichment Profiles—For more control over how Security Analytics uses system resources, you can select one of three Data Enrichment Profiles: • Full Data Enrichment with Anomaly Detection—All services are active, including the new anomaly detection system. • Full Data Enrichment (no Anomaly Detection)—All services are active but the anomaly detector is idle. • Packets Only—Indexing and anomaly‐detection services are disabled; all system resources are dedicated to writing packets to the capture drive at the highest possible rate. Dynamic Filters—Use a dynamic filter rule to detect streaming media, encrypted, or other unwanted flows. Reports—The new Report Status pages display reports that are running or that have completed.
16 of 27 7.2.1 Release Notes Summary
• New Reports .Local File Analysis (local_file_analysis_verdict) .File Signature Verdict (file_signature_verdict) .Malware Analysis (malware_analysis_verdict) .URL Categories (url_categories) .URL Risk Verdict (url_risk_verdict) .DNS Answer Count (dns_ancount) .DNS Answer Name (dns_name) .DNS Autogenerated Name (autogenerated_domain) .DNS Autogenerated Domain Score (autogenerated_domain_score) .DNS IPv4 Name (dns_host_ipv4_addr) .DNS IPv6 Name (dns_host_ipv6_addr) .DNS Time‐to‐Live (dns_ttl) .Flow Duration (flow_duration) .Flow ID (flow_id) .Detected File Type (renamed) (file_type) .Presented MIME Type (renamed) (mime_type) .File Extension (file_extension) .SHA256 Hash (sha256_hash) .HTTP Content Length (http_content_len) .HTTP Location (redirect target) (http_location) .DLP3 Reports (dlp3_[X]; 29 total) .MODBUS Reports (modbus_[X]; 39 total) • Additional Metadata—Since version 7.1.6: .50 new report attributes: 437 total .298 new recognized applications: 2574 total • Encapsulation Reporting—The Tunnel Initiator and Tunnel Responder reports can display IP addresses for GRE encapsulation as well as IPv4‐in‐ IPv6 and IPv6‐in‐IPv4 tunnels. • Filters—Improvements to the primary, advanced, and PCAP download filters include: .Case‐sensitive searching is available for the keyword_utf8 attribute in the Extractions advanced filter. .Percent‐match supported in the primary filter for fuzzy_hash. .PCAP download filters can be saved for later use.
17 of 27 Security Analytics 7.2.2 44195 Release Notes
Extractor—Enhancements to the extraction process include: •Enable or disable hash calculation for MD5, SHA1, and SHA256 in the web UI • File‐transfer extraction for IRC, YMSG, Jabber, and Paltalk •Extractor handling special characters in the presented MIME type •Artifact entry showing exact byte size instead of rounding to a two‐place decimal for artifacts smaller than 999,999 bytes •Protocol carving and signature‐based extraction using Foremost signature scan • Artifact Preview—In the new artifact preview window, all preview types are available by default. Command‐Line Utilities—New command‐line utilities include: •User‐defined port‐to‐application mapping •SCM Migrator, to export and then import users and groups, rules, indicators, firewall settings, remote‐notification settings, system time, DNS, and geolocation subnet information. Web UI and More •Pagers have GOTO page number, Next, and Previous controls. •Default system installation pages have man pages. • Release Notes can be accessed from the Upgrade dialog (BlueTouch Online authentication required). •Up to 30 Geolocation internal subnets are supported. • Follow TCP Stream feature was added to the Packet Analyzer. •Packet Analyzer is integrated with the Encoder/Decoder tool. BIOS settings support the serial console on Dell hardware. Slot size was increased from 64MB to 256MB to increase jumbo frames performance. No Proxy field allows specified domains and subnets to bypass the proxy. New on the 7.2.1 Central Manager Console (CMC) •Support for 215 sensors per CMC •User‐defined sensor labels to organize sensors for viewing, upgrades, and configuration •Up to 400% improvement in report performance, especially under demanding conditions • Update button for deselecting sensors •Keys for the CMC VPN increased to 2048 bits •Mount points synchronized among multiple sensors • Report Status pages available for the CMC
18 of 27 7.2.1 Release Notes Summary
Security Upgrades—Vulnerabilities in these Security Advisories were addressed in version 7.2.1: •SA83 •SA117 •SA98 •SA120* •SA103 •SA121* •SA108 •SA123* •SA111 •SA126* •SA113 (partial: see SA113 for details) •SA128 * Omitted from the first version of the 7.2.1 release notes Note: Go to bto.bluecoat.com/security-advisories to review vulnerabilities and fixes for Security Analytics.
•RSA key strength for various subsystems increased to 2048 bits or more •OCSP certificate‐chain validation for Blue Coat cloud‐based enrichment providers • SSL key and certificate files retaining custom names •TLS compatibility with LDAP •Inputs sanitized to prevent XSS vulnerability •Group Name Attribute was hard‐coded as cn for OpenLDAP and name for Active Directory; now user‐configurable. •Firewall interface in the web UI better represents iptables substructure. •APIv6 keys not visible on the web UI by default: created by user action in web UI and displayed only once • Role‐Based Access Control—Capture permissions are broken out into: .Stop and start capture .Stop and start playback .Initiate reindexing .View capture rate and system statistics • Import PCAP is now broken out as: .Import PCAP from browser .PCAPs without access restrictions (with BPF filters) .Analyze PCAPs .Download PCAPs • Analyze pages are broken out into: .View Summary page .Generate reports .Download and preview artifacts .View artifact metadata .View Geolocation page .Create, edit, and delete rules and alerts .Create, edit, and delete edit indicators
19 of 27 Security Analytics 7.2.2 44195 Release Notes
•Restricted‐shell access to the CLI: .Base Permissions—Read‐only commands .Tier 1 Permissions—Networking and file‐system management .Tier 2 Permissions—File system and admin utilities, process and drive management
7.2.1 Fixes The following fixes are in version 7.2.2. Also see "7.2.1 CMC Fixes" on page 22.
Indexing and DPI IRC was misclassified as FTP. File modification events were not extracted as metadata for SMB2 client/ server traffic. VLAN IDs were not indexed correctly in the context of VLAN trunking. Thunderbird client IMAP emails were not being classified. Long‐lived flows were not reindexed properly. Some HTTP traffic was classified as unknown. Synflood traffic was classified as unknown. The characters in some URIs and filenames were improperly rendered. HTTP POST data was missed by indexing and extraction.
Reports and Filters The WSAPI method=deepsee did not convert a single time value into the specified time range. Downloading a CSV report for 14TB of metadata took longer than an hour. All intermediate records are processed instead of only the last 500 slots. API error message for querying report data was improved. Multiple ORs in a /pfs/flows path did not return data. A session resolution <100%, combined with a processed slot with fewer than 10 records, caused an infinite loop in the report handler. The advanced filter protocol=ftp_data could not be created from an artifact’s web UI entry.
Data Enrichment and Extraction Some WHOIS results were missing from the web UI Reputation Report. FTP File Mover in active mode was exporting 0‐byte files. Manual extractions (web UI‐initiated) sometimes crashed during the cleanup phase of a canceled manual extraction. APK files were misclassified and not sent to the Malware Analysis MobileVM. Incorrect value types were submitted to some reputation providers. Extracted files were being corrupted by FTP File Mover.
20 of 27 7.2.1 Release Notes Summary
Pivoting from a Malware Analysis task to the Security Analytics Summary view sometimes produced no data. ClamAV was upgraded to 98.7 to improve malware recognition. Freshclam update service did not honor system proxy settings. Redundant extractions were sometimes sent to Malware Analysis. Filenames with special characters were not sent to Malware Analysis. Email preview did not render the HTML aspects of an email message.
Authentication, Permissions, and Remote Access dsadduser could not create an account in the admin group. Custom LDAP certificates were not preserved during upgrade from 6.6.x to 6.6.x+1. Invalid email settings could prevent login for all users. RBAC was not applied to PCAP Download and Packet Analyzer.
Logging and Remote Notification PostgreSQL log files contained too many errors. Reindexer job sent excessive email alerts. Could not remove
Web UI The wrong error message was displayed when the appliance could not download the upgrade file from the Internet. Web page preview did not render base64‐encoded images. Log showed wrong PCAP download size. Widget records could not be sorted by attribute name. IP address source/destination appeared as initiator/responder in artifact display. PCAP download estimator showed inaccurate size. Help link did not work in IPv6 environment. Default port for SNMP inform traps was incorrect. Capture Summary Graph did not use units specified in preferences. Alerts counter did not refresh after clearing alerts.
21 of 27 Security Analytics 7.2.2 44195 Release Notes
Initial configuration screen did not indicate errors clearly. Non‐interface data was not cleaned up for Capture Summary Graph. Initial configuration page did not notify that Save was required.
System and Miscellany Slot‐corruption handling was improved. Indexer surpassed more slots when there was one fast and one slow interface. SQL errors were produced when cleaning up abandoned reports. Temporary files were not deleted after running a Geolocation report. Data cleanup from large manual extractions was improved. dszap appeared to hang because verbose messages were not displayed. Old CSR files were not cleaned up.
7.2.1 CMC Fixes Remote groups could not be deleted. Internal Server Error occurred on login when a sensor was not available. Sharding and cleanup were not working on the capture summaries table. scotus start did not complete. Capture summary and sensor‐selector pages were blank after a sensor was disconnected. Central Manager did not delete PCAP and ZIP files after download. Scheduled reports on the CMC would never finish.
7.2.1 Discontinuation These features are no longer available as of version 7.2.1: •NormanShark and Bit9 as third‐party integration providers •Manual reputation requests to the Global Intelligence Network without a Blue Coat Intelligence Services subscription •Default support for TLS v1.0. (It can be manually enabled during the upgrade transition; contact Blue Coat Support for details.) •Support for Security Analytics APIv5 These Web Services APIs will be discontinued in the next major release of Security Analytics, most likely version 7.3.1: • /ws/pcap?method=deepsee—Replaced by GET: /pcap/download/deepsee in APIv6 • /ws/pcap?method=merge_path—Replaced by GET: /pcap/download/merge_path and GET: /pcap/download/merge in APIv6 • /ws/pcap?method=raw—Replaced by GET: /pcap/download/raw in APIv6s
22 of 27 All 7.2.x Known Issues
All 7.2.x Known Issues This table tracks all 7.2.x known issues.
Found Issue Fixed
7.2.1 IPv6 addresses are not supported for default gateway, Malware Analysis 7.2.2 appliances, the CMC VPN, and NTP.
7.2.1 Adding remote notification to an already‐enabled rule requires that you disable then re‐enable the rule for the change to take effect.
7.2.1 Rules with autogenerated_domain_score as the indicator do not produce results.
7.2.1 Importing PCAPs from multiple watch folders with the same check interval fails.
7.2.1 The update interval for the Web Reputation Service database is not honored.
7.2.1 When a manually typed timespan in the web UI is missing a colon, the start date is reset to 12/31/1969.
7.2.1 SCADA reports should be available with the base license. 7.2.2
7.2.1 Disabling one CMC entry on a sensor disables all of the CMC entries. 7.2.2
7.2.2 Cannot push‐upgrade over IPv6 CMC VPN
23 of 27 Security Analytics 7.2.2 44195 Release Notes
Resources Consult these resources as needed.
Technical Support To contact Blue Coat Support you have these options: Log on to BlueTouch Online (BTO) (bto.bluecoat.com) and open a case at the Cases link. Contact Support & Services at bluecoat.com/support-services.
Security Analytics Help Files You can find the Help Files for Security Analytics in the following places: In the web UI select Settings > Help. • Click English under Online Help Files. Go to BTO (bto.bluecoat.com) and click the Documentation tab. •From the Product list select Security Analytics. • Click View for the Security Analytics WebGuide 7.2.2. To subscribe to update notifications consult "Product Documentation" on page 26.
BlueTouch Online BTO is Blue Coat’s online repository for: Downloads—Software upgrades, release notes Documentation—All product documentation, including the latest version of this document Cases—Open and manage support cases Forums—Ask questions and share information with other Blue Coat users as well as Blue Coat support staff Knowledge Base—Product‐specific solutions and technical issues Security Advisories—Latest vulnerabilities that affect Blue Coat products Training—Webcasts, fee‐based instructor‐led courses, virtual classrooms, and complimentary videos Recommended Releases—Recommendations for long‐term support by software or hardware version. RSS Feeds—Notifications of knowledge‐base releases
To access BlueTouch Online: Log in to bto.bluecoat.com.
Note: To request login credentials for BTO, go to bluecoat.com/forms/contact.
24 of 27 Resources
Subscribe to Content Blue Coat recommends that you subscribe to RSS feeds, user documentation, or security advisories to receive notifications when documents are added or updated.
Specific Security Advisories Follow these steps to subscribe to specific advisories:
1. On the BlueTouch Online main page click Security Advisories. 2. Optional—Select a product name in the Select Products list and click Apply. 3. Optional—Click a column heading to sort the list of advisories. 4. Select an advisory that is in Interim status, which means that further updates are expected. 5. Click Subscribe.
All Security Advisories Follow these steps to subscribe to all security advisories: 1. On the BlueTouch Online main page click the RSS Feed icon.
2. Under Content Feeds, click Security Advisories. 3. Copy the RSS feed URL from your browser and add it to your preferred RSS reader.
Knowledge Base Articles Follow these steps to subscribe to knowledge‐base feeds: 1. On the BlueTouch Online main page click the RSS Feed icon.
25 of 27 Security Analytics 7.2.2 44195 Release Notes
2. Under Knowledge Base Feeds, click one or more of the following: • Content Types—Select from among the four article types: .Solution .Cloud Announcement .Product Information .Technical Alert • Products—Select from among Blue Coat products • Software—Select from among Blue Coat software • Topics—Select from among general topics 3. Copy the RSS feed URL from your browser and add it to your preferred RSS reader.
Product Documentation 1. On the BlueTouch Online main page click the Documentation tab. 2. Select the appropriate product from the Product drop‐down list.
3. Place your cursor over the document you would like to subscribe to and click Subscribe.
26 of 27 Resources
Copyright © 2016 Symantec Corp. All rights reserved. Symantec, the Symantec Logo, the Checkmark Logo, Blue Coat, and the Blue Coat logo are trademarks or registered trademarks of Symantec Corp. or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice. THE DOCUMENTATION IS PROVIDED ʺAS ISʺ AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON‐INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE. SYMANTEC CORPORATION PRODUCTS, TECHNICAL SERVICES, AND ANY OTHER TECHNICAL DATA REFERENCED IN THIS DOCUMENT ARE SUBJECT TO U.S. EXPORT CONTROL AND SANCTIONS LAWS, REGULATIONS AND REQUIREMENTS, AND MAY BE SUBJECT TO EXPORT OR IMPORT REGULATIONS IN OTHER COUNTRIES. YOU AGREE TO COMPLY STRICTLY WITH THESE LAWS, REGULATIONS AND REQUIREMENTS, AND ACKNOWLEDGE THAT YOU HAVE THE RESPONSIBILITY TO OBTAIN ANY LICENSES, PERMITS OR OTHER APPROVALS THAT MAY BE REQUIRED IN ORDER TO EXPORT, RE‐EXPORT, TRANSFER IN COUNTRY OR IMPORT AFTER DELIVERY TO YOU. Americas: Rest of the World: Symantec Corporation Symantec Limited 350 Ellis Street Ballycoolin Business Park Mountain View, CA 94043 Blanchardstown, Dublin 15, Ireland
27 of 27