Release Notes for McAfee WebShield E50 HotFix 3

(c) 1998-2002 Networks Associates Technology, Inc. All Rights Reserved

===============================================

HotFix Release: May 21st, 2002

This HotFix was developed and tested with:

WebShield SMTP: E50
DAT Version: 4202
Engine Version: 4160

Make sure you have installed these versions or newer before using this HotFix.

===============================================

Thank you for using McAfee WebShield SMTP software. This file contains important information regarding this release. We strongly recommend that you read the entire document.

The attached files are provided as is, and with no warranty either expressed or implied as to their suitability for any particular use or purpose. Network Associates, Inc. assumes no liability for damages incurred either directly or indirectly as a result of the use of these files, including but not limited to the loss or damage of data or systems, loss of business or revenue, or incidental damages arising from their use.

HotFix files should be applied only on the advice of McAfee Technical Support, and only when you are actually experiencing the issue being addressed by the HotFix. HotFix files should not be proactively applied in order to prevent potential product issues. You are responsible for reading and following all instructions for preparation, configuration, and installation of HotFix files. HotFix files are not a substitute nor replacement for product Service Packs which may be released by Network Associates, Inc.

It is a violation of your software license agreement to distribute or share these files with any other person or entity without written permission from Network Associates, Inc. Further, posting of McAfee HotFix files to publicly available Internet sites is prohibited. Network Associates, Inc. reserves the right to refuse distribution of HotFix files to any company or person guilty of unlawful distribution of McAfee software products.
Questions or issues with McAfee HotFix files should be directed to McAfee Technical Support.

_______________________________________________

WHAT'S IN THIS FILE

- About This HotFix
- Purpose
- Known Issues
- Resolved Issues
- Files Included with This HotFix
- Installation
- Installation Requirements
- Installation Steps
- Testing Your Installation
- Removing This HotFix
- Contacting McAfee and Network Associates
- Copyright and Trademark Attributions
- Trademarks
- License Agreement

_______________________________________________

ABOUT THIS HOTFIX

PURPOSE

This HotFix includes one updated archive file for use with McAfee WebShield E50 software. This new file resolves the issues described in the section "RESOLVED ISSUES".

Previous HotFixes do not need to be installed before you install this HotFix. This HotFix replaces all previous McAfee WebShield E50 HotFixes.

New issues resolved by this HotFix: Items 53-62

KNOWN ISSUES

1. Defect number AYL00018619
   WebShield e50 and SMTP MR1a are both vulnerable to TCP sequence prediction. To resolve this issue please download and apply the Microsoft Windows SP6a Security Rollup Package (SRP) from the following website:
   http://support.microsoft.com/default.aspx?scid=kb;EN-US;q243835

2. Defect number AYL00018787
   If a desktop Antivirus scanner is installed, please ensure the \WebShield SMTP\Temp directory is excluded from On Access scanning.

3. Defect number AYL00017121
   If a Dr Watson occurs when attempting to create a new Outbreak Manager Rule, check the WSSMTPOb.ini file. In HotFix 4 a WSSMTPOb.ini file was shipped with a hard coded [PlugIn] reference to WSSMTPOB.DLL:
   D:\TVD\WebShield SMTP\WSSMTPOB.DLL
   Please change the Plugin section of the ini file to point to the correct installation path location. This is by default:
   C:\Program Files\Network Associates\TVD\Webshield SMTP

4. Defect number AYL00020321
   Under all previous versions of WebShield an e-mail with an invalid boundary marker may have been treated as OK if the boundary statement could not be decoded.
   Under HotFix 2 this behavior is changed to identify the e-mail as corrupt and is logged as "not scanned" and treated according to the GUI settings for corrupted e-mail. See also RESOLVED ISSUE 53.

5. Defect Number AYL00020321
   Under all previous versions of WebShield an e-mail with non RFC compliant sections would be passed. After HotFix 2 or later this behavior is changed to identify the e-mail as corrupt and is logged as "not scanned" and treated according to the GUI settings for corrupted e-mail. See also CORRUPT.RTF.

6. Defect Number AYL00020765
   If an e-mail is received from a machine that can't be resolved via a reverse DNS lookup then the IP address is logged as 0.0.0.0. The functions of WebShield that use the IP address for blocking or Anti-Spam protection are unaffected; only the logging of the address is incorrect.

RESOLVED ISSUES

1. This HotFix resolves an issue with the WebShield E50 deferral cycle. WebShield E50 uses the time (UTC) in UNIX time format as part of the file name for the mail. UTC time recently changed to a ten digit number. When the WebShield E50 deferral cycle happened, only the nine MSB (Most Significant Bytes) were being read.

2. This HotFix resolves an issue with Uuencoded mail. The Uuencoded mail handler has been reworked to detect and report multiple infections.

3. This HotFix adds a new feature where the WebShield SMTP software can now produce an alert when an SMTP error 421 occurs (this is optional).

4. This HotFix resolves a shutdown issue seen with shutdown requests. Mailscan now shuts down correctly under load. A five minute timeout has been added.

5. This HotFix resolves an issue seen with the SMTP connection test (HELO). This test now accepts multiple responses.

6. This HotFix adds functionality to content filter attachment names inside MS-TNEF encoded mail messages.

7. This HotFix resolves an issue with cleaning MIME encoded messages that do not contain the usual MIME disclaimer message for non MIME compliant mail programs.

8. This HotFix resolves an issue with the use of user variables (e.g. %VIRUSNAME%) in sender notification messages.

9. This HotFix resolves an issue with attempting to use a quarantine directory with more than 83 characters in the quarantine path.

10. This HotFix resolves an issue with the ALT + B keys highlighting the phrase "Between 2,000 and 10,000 e-mail messages per hour" and not the radio button.

11. This HotFix resolves an issue with a Dr. Watson error occurring when adding more than 64 content filters.

12. This HotFix resolves an issue with the WebShield SMTP E50 configuration wizard allowing non-numeric port information to be entered.

13. This HotFix resolves an issue with the CTRL + O, CTRL + A and F1 keys not correctly displaying the help pages.

14. This HotFix resolves an issue with the scanning of email, and with delivery of email stopping when insufficient disk space was available.

15. This HotFix resolves an issue with Outbreak Manager (OBM) repeatedly writing Events into the event log when the OBM feature is not installed.

16. This HotFix resolves an issue with the reporting of items that were infected more than once. The scanner now reports the correct actions for each infection.

17. This HotFix resolves an issue with wildcard usage with Anti-Spam domains. You can now use supported wildcards with the Anti-Spam feature of WebShield SMTP.

18. This HotFix adds new functionality to WebShield SMTP E50. A registry value named BannerText is now recognized. This allows WebShield to offer a customizable connection banner of up to 506 characters (512 character buffer less the initial "220" and "CRLF"). In order to use this new functionality you will need to create a new string value called "BannerText" in the following location:
    HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\WebShield SMTP\MailScan\

19. This HotFix resolves an issue with SMTP error codes not being handled correctly.
    This resulted in mail being deferred rather than an alternative delivery method being attempted.

20. This HotFix resolves an issue with the Mail Transport Logging feature not properly recording all failures.

21. This HotFix resolves an issue with large numbers of messages in the IN/OUT and DEFERRED folders causing MAILSCAN.EXE to consume all available CPU cycles.

22. This HotFix resolves an issue with the number of characters allowed in the Rcp. When the Rcp. line exceeded 400 characters the Mailscan service failed.

23. This HotFix resolves an issue with the handling of s/mime attachments which were being treated as corrupt.

24. This HotFix resolves an issue with the order of direct-send domains. If a sub-domain was listed before the parent domain then direct-send would ignore the parent domain.

25. This HotFix resolves an issue when content scanning certain mail formats. Content filters were not reacting to attachments in a particular mail format. If that mail format is detected with an attachment a more thorough check is performed.

26. This HotFix resolves an issue with the handling of SMTP 5xx error codes. In this HotFix, if a 5xx error code is received the "all other domains" relay will not be used. If configured, DNS will be attempted. If the mail remains undelivered, it will be deferred on any 4xx, 551 or 554 error code received or if the mail server cannot be contacted, otherwise it will be returned to the sender.

27. This HotFix resolves an issue with the IP address logging of detected SPAM. The IP address is now reported correctly.

28. This HotFix resolves an issue with direct send mail delivery. A mail server's hostname that begins with a number will now be resolved correctly.

29. This HotFix resolves an issue with encoded subject lines and attachment names. Mailscan now decodes these lines correctly prior to content filtering.

30. This HotFix resolves an issue with Fully Qualified Domain Names.
    Mailscan was distinguishing between FQDNs and domain names without a trailing dot.

31. This HotFix resolves an issue with the security mechanism of the configuration console. Access is now denied to unresolvable IP addresses.

32. This HotFix resolves an issue with apostrophes in attachment names.

33. This HotFix resolves an issue with large recipient lists causing a buffer overrun when written to the mail log or virus log files.

34. This HotFix resolves an issue where a Dr. Watson can be generated when content filtering is enabled.

35. This HotFix increases the limit on the number of allowable active Content Filter rules to 256.

36. This HotFix increases the number of allowable AntiSpam IP ranges to 2000.

37. This HotFix resolves an issue with error 250 being written to the log files. A more accurate description is now used: "No error code recieved, possible time-out occured"

38. This HotFix resolves an issue with Return To Sender messages being destroyed. When an RTS is now generated it is placed in the IN queue and will cycle as a normal e-mail message.

39. This HotFix resolves an issue with user-defined fields within content headers, previously treated as corrupt. The e-mail messages are now scanned correctly.

40. This HotFix resolves an issue with Return To Sender messages being logged as Cannot be scanned.

41. This HotFix resolves an issue with WebShield not using the attachment name for scanning.

42. This HotFix resolves an issue with zero byte files not being replaced by WARNING.TXT.

43. This HotFix adds a mail loop detection facility. Please read the accompanying TechNote, TNMAILFLOW.RTF, for details on enabling and controlling this facility. Customers using Microsoft Windows NT4.0 can import/use the file LOOP.REG.

44. This HotFix adds an exception handling layer for MAILSCAN.EXE. E-mail is treated as corrupt and is dealt with according to the GUI settings.

45. This HotFix resolves an issue with ".com" content filter rule blocking messages it shouldn't.

46. This HotFix resolves an issue with nested mime content scanning causing an access violation.

47. This HotFix resolves several issues with UUencoded messages.

48. This HotFix resolves an error with incorrect error codes being logged.

49. This HotFix resolves an issue with .TMP files not being cleaned up after a file is scanned.

50. This HotFix allows an administrator to change the default SMTP delivery behaviour. If the registry key Defer_When_Relay_Unavailable is non zero then messages will be deferred and no DNS delivery will be attempted after a valid relay attempt has failed.

51. This HotFix resolves an issue with Subject lines that contain characters other than US-ASCII.

52. This HotFix resolves an issue with the monitor not working if the mail logging is disabled.

53. This HotFix resolves an issue seen with HotFix 2 failing to decode a boundary marker and interpreting mails as corrupt which were previously not treated as corrupt.

54. This HotFix resolves an issue with WebShield boundary checker attempting to validate inside speech mark encapsulated e-mail address local part.
    "user name"@domain.com
    Even though the username contains a non RFC compliant character, since it is encapsulated in speech marks it is acceptable under the RFC. This is now accepted as a valid e-mail address.

55. This HotFix resolves an issue with a message being written to the Event logs every time an RTS message was generated.

56. This HotFix resolves an issue with infected UUEncoded e-mail that contained a cleanable infected item. These e-mails are now cleaned correctly.

57. This HotFix resolves an issue with an e-mail attachment that has a name longer than 200 characters. These attachments are now scanned correctly.

58. This HotFix resolves an issue with UUEncoded e-mail messages that have embedded END strings not triggering content filters. These items are now content filtered correctly.

59. This HotFix resolves an issue with UUencoded e-mail messages that contained very long attachment filenames. The filename is now checked.

60. This HotFix resolves an issue with MAILSCAN.EXE causing 100% processor utilization with e-mail messages that do not contain a termination line.

61. This HotFix resolves an issue with malformed Mime and UUEncoded e-mail resulting in a .TMP file being left in the TEMP directory.

62. This HotFix resolves an abnormal termination issue when content filtering message subject lines that contained non-ASCII characters.

FILES INCLUDED WITH THIS HOTFIX

This HotFix consists of one compressed file WSE50HF3.ZIP. This is an archive file that consists of the following files:

BANNER.REG
CONFLT.DLL
CORRUPT.RTF
DEFER.REG
EVENTLOGMSG.DLL
FRONTEND.EXE
HOTFIX1.REG
INVCLN32.DLL
LOOP.REG
MAILCFG.EXE
MAILSCAN.EXE
MBS.REG
OLUS0409.DLL
OLUSCONF.DLL
OLUSLIB.DLL
PREFERENCES.DLL
TNMAILFLOW.RTF
VALIDATE.TXT
WSE50HF3.TXT
WSHMR1ATN4.RTF
WSSMTPOB.DLL

_______________________________________________

INSTALLATION

The McAfee WebShield E50 software must be installed on your system before installing this HotFix. It is also recommended that this HotFix is applied onto a clean installation of the McAfee WebShield E50 software.

INSTALLATION REQUIREMENTS

The account used to install the HotFix must have the Change right to the temporary location used for expanding the WSE50HF3.ZIP file.

INSTALLATION STEPS

1. Unzip the file WSE50HF3.ZIP to a temporary location on your system.

2. Check the extracted files using the results from VALIDATE.EXE against the values in VALIDATE.TXT to ensure the files are not corrupted.

3. Ensure that the WebShield E50 Configuration Console and the WebShield E50 Status Monitor are both closed.

4. Open the Services Control Panel and stop the following services:
   Network Associates WebShield SMTP MailCfg
   Network Associates WebShield SMTP MailScan

5. Copy the extracted files from the temporary location to the installation directory.
   The default location is:
   C:\PROGRAM FILES\NETWORKASSOCIATES\TVD\WEBSHIELD SMTP

6. Start the following services:
   Network Associates WebShield SMTP MailCfg
   Network Associates WebShield SMTP MailScan

* Optional Installation Step *

7. To enable the alert on SMTP error 421, double click on the HOTFIX1.REG file. This will merge the contents of the file with your registry. This feature is disabled by default. To enable the feature, set the following key to value "1":
   HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\WebShield SMTP\MailScan\SMTP_ALERT_421
   You may need to use REGEDT32 to modify this value.

TESTING YOUR INSTALLATION

The EICAR Standard AntiVirus Test File is a combined effort by anti-virus vendors throughout the world to implement one standard by which customers can verify their anti-virus installations. To test your installation:

1. Copy the following line into its own file, then save the file with the name EICAR.COM.
   X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
   The file size will be 68 or 70 bytes.

2. Next, send an e-mail message through the McAfee WebShield E50 server with the EICAR.COM file as an attachment. The McAfee WebShield E50 software should detect and either delete or quarantine the e-mail message.

NOTE: This file is NOT A VIRUS. Delete the file when you have finished testing your installation to avoid alarming unsuspecting users.

NOTE: E-mail messages that are in the IN folder when the service starts will not be recorded as received in the Status Monitor, but will be recorded in the delivered section.

REMOVING THIS HOTFIX

To remove this HotFix from your computer, remove the product using the Add/Remove programs option in the Windows NT Control Panel. If you wish to save your current configuration, open the WebShield E50 Configuration Console and choose File, Next, Save To File, and specify a name for your configuration file.
NOTE: McAfee recommends that you do NOT remove the HotFix file from your WebShield E50 installation once you have installed it. If you reinstall your WebShield E50 software, McAfee recommends that you also reinstall the HotFix.

_______________________________________________

CONTACTING MCAFEE AND NETWORK ASSOCIATES

Technical Support
   http://knowledge.nai.com

McAfee Beta Program
   Beta Web Site: www.mcafeeb2b.com/beta/
   E-mail: avbeta@nai.com

AVERT Anti-Virus Research Site
   www.mcafeeb2b.com/avert

Download Site
   www.mcafeeb2b.com/naicommon/download/

DAT File Updates
   www.mcafeeb2b.com/naicommon/download/dats/find.asp

Product Upgrades
   www.mcafeeb2b.com/naicommon/download/upgrade/login.asp
   Valid grant number required. Contact Network Associates Customer Service

On-Site Training Information
   www.mcafeeb2b.com/services/mcafee-training/default.asp

Finding a Reseller
   www.mcafeeb2b.com/naicommon/partners/tsp-seek/intro.asp

Network Associates Customer Service
   US, Canada, and Latin America toll-free:
   Phone: +1-888-VIRUS NO or +1-888-847-8766
   Monday - Friday, 8 a.m. - 8 p.m., Central Time
   E-mail: services_corporate_division@nai.com
   Web: www.nai.com
        www.mcafeeb2b.com

For additional information on contacting Network Associates and McAfee, including toll free numbers for other geographic areas, see the documentation that accompanied your original product release.

_______________________________________________

COPYRIGHT AND TRADEMARK ATTRIBUTIONS

(c) 1998-2002 Networks Associates Technology, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of Networks Associates Technology, Inc., or its suppliers or affiliate companies. To obtain this permission, write to the attention of the Network Associates legal department at: 3965 Freedom Circle, Santa Clara, California 95054, or call +1-972-308-9960.
TRADEMARKS

Active Security, ActiveHelp, ActiveShield, AntiVirus Anyware and design, Bomb Shelter, Building a World of Trust, Certified Network Expert, Clean-Up, CleanUp Wizard, Cloaking, CNX, CNX Certification Certified Network Expert and design, CyberCop, CyberMedia, CyberMedia UnInstaller, Data Security Letter and design, Design (logo), Design (Rabbit with hat), design (stylized N), Disk Minder, Distributed Sniffer System, Distributed Sniffer System (in Katakana), Dr Solomon's, Dr Solomon's label, Enterprise SecureCast, EZ SetUp, First Aid, ForceField, Gauntlet, GMT, GroupShield, Guard Dog, HelpDesk, HomeGuard, Hunter, I C Expert, ISDN TEL/SCOPE, LAN Administration Architecture and design, LANGuru, LANGuru (in Katakana), LANWords, Leading Help Desk Technology, LM1, M and design, Magic Solutions, Magic University, MagicSpy, MagicTree, MagicWord, McAfee Associates, McAfee, McAfee (in Katakana), McAfee and design, NetStalker, MoneyMagic, More Power To You, MultiMedia Cloaking, myCIO.com, myCIO.com design (CIO design), myCIO.com Your Chief Internet Officer & design, NAI & design, Net Tools, Net Tools (in Katakana), NetCrypto, NetOctopus, NetRoom, NetScan, NetShield, NetStalker, Network Associates, Network General, Network Uptime!, NetXray, NotesGuard, Nuts & Bolts, Oil Change, PC Medic, PC Medic 97, PCNotary, PGP, PGP (Pretty Good Privacy), PocketScope, PowerLogin, PowerTelNet, Pretty Good Privacy, PrimeSupport, Recoverkey, Recoverkey International, Registry Wizard, ReportMagic, RingFence, Router PM, SalesMagic, SecureCast, Service Level Manager, ServiceMagic, SmartDesk, Sniffer, Sniffer (in Hangul), SniffMaster, SniffMaster (in Hangul), SniffMaster (in Katakana), SniffNet, Stalker, Stalker (stylized), Statistical Information Retrieval (SIR), SupportMagic, TeleSniffer, TIS, TMACH, TMEG, TNV, TVD, TNS, TSD, Total Network Security, Total Network Visibility, Total Service Desk, Total Virus Defense, Trusted MACH, Trusted Mail, UnInstaller, Virex, Virus Forum, ViruScan, VirusScan, VShield, WebScan, WebShield, WebSniffer, WebStalker, WebWall, Who's Watching Your Network, WinGauge, Your E-Business Defender, ZAC 2000, Zip Manager are registered trademarks of Network Associates, Inc. and/or its affiliates in the US and/or other countries. All other registered and unregistered trademarks in this document are the sole property of their respective owners.

LICENSE AGREEMENT

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANIES YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEB SITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO NAI OR THE PLACE OF PURCHASE FOR A FULL REFUND.
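
ADDED EXAMPLE: DELIVERY OUTCOME AFTER A 5XX REPLY (RESOLVED ISSUE 26)

Item 26 under RESOLVED ISSUES describes a delivery decision. The Python below is an added example, not WebShield code, that models one reading of that item so the outcome expected for a given SMTP reply can be compared with what the mail transport log shows. The function names and route labels are hypothetical, and "any 4xx, 551 or 554 error code received" is read as any reply seen across the attempts.

```python
"""Model of the delivery rules in resolved issue 26 (one reading of the text)."""
from typing import List, Optional, Tuple

# None stands for "the mail server cannot be contacted".
Reply = Optional[int]

DEFERRABLE_5XX = {551, 554}  # the two 5xx codes item 26 lists as causing deferral


def is_deferrable(reply: Reply) -> bool:
    """True for an unreachable server, any 4xx reply, or 551/554."""
    if reply is None:
        return True
    return 400 <= reply <= 499 or reply in DEFERRABLE_5XX


def after_5xx(first_reply: int, dns_configured: bool,
              dns_reply: Reply = None) -> Tuple[List[str], str]:
    """Return (routes tried after the 5xx, final outcome).

    first_reply    -- the 5xx reply that triggered the rule
    dns_configured -- whether DNS delivery is configured
    dns_reply      -- reply from the DNS attempt; None = could not connect
                      (ignored when DNS delivery is not configured)
    """
    if not 500 <= first_reply <= 599:
        raise ValueError("the rule applies only after a 5xx reply")
    routes: List[str] = []  # the "all other domains" relay is never tried
    seen: List[Reply] = [first_reply]
    if dns_configured:
        routes.append("dns")
        if dns_reply is not None and 200 <= dns_reply <= 299:
            return routes, "delivered"
        seen.append(dns_reply)
    # Still undelivered: defer on any deferrable reply, otherwise bounce.
    if any(is_deferrable(r) for r in seen):
        return routes, "deferred"
    return routes, "returned to sender"


if __name__ == "__main__":
    # Constructed scenarios: (first reply, DNS configured, DNS reply).
    scenarios = [
        (550, False, None),  # permanent failure, no DNS fallback
        (554, False, None),  # one of the two deferrable 5xx codes
        (550, True, 250),    # DNS delivery succeeds
        (550, True, 451),    # DNS attempt gets a temporary failure
        (550, True, None),   # DNS attempt cannot reach the server
        (550, True, 550),    # both attempts refused outright
    ]
    for first, dns, reply in scenarios:
        routes, outcome = after_5xx(first, dns, reply)
        print(f"{first} dns={dns!s:5} dns_reply={reply!s:4} -> {routes} {outcome}")
```
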
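
ADDED EXAMPLE: BUILDING THE EICAR TEST MESSAGE (TESTING YOUR INSTALLATION)

The two steps under TESTING YOUR INSTALLATION, as an added example that is not part of the McAfee release notes: this Python script builds EICAR.COM from the test string given in step 1, checks the 68/70-byte size, and wraps the file in a message ready to send through the gateway. The addresses and the gateway host are placeholders, and send_test() assumes the WebShield E50 server accepts SMTP on the port given.

```python
"""Build (and optionally send) the EICAR test message for a mail gateway."""
import smtplib
import sys
from email.message import EmailMessage
from typing import Tuple

# Test string exactly as printed in step 1 (68 bytes; 70 with a trailing CRLF).
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def eicar_file(with_crlf: bool = False) -> bytes:
    """Return the contents of EICAR.COM and check the size the notes give."""
    data = EICAR + (b"\r\n" if with_crlf else b"")
    expected = 70 if with_crlf else 68
    if len(data) != expected:
        raise ValueError(f"EICAR.COM is {len(data)} bytes, expected {expected}")
    return data


def build_test_message(sender: str, recipient: str) -> EmailMessage:
    """Step 2: an e-mail carrying EICAR.COM as an attachment."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "WebShield E50 installation test (EICAR)"
    msg.set_content("Anti-virus installation test. The attachment is not a virus.")
    msg.add_attachment(eicar_file(), maintype="application",
                       subtype="octet-stream", filename="EICAR.COM")
    return msg


def attachment_of(msg: EmailMessage) -> Tuple[str, bytes]:
    """Return (filename, decoded bytes) of the first attachment."""
    part = next(msg.iter_attachments())
    return part.get_filename(), part.get_payload(decode=True)


def send_test(host: str, msg: EmailMessage, port: int = 25) -> None:
    """Hand the message to the gateway; acceptance alone does not prove detection."""
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.send_message(msg)


if __name__ == "__main__":
    # Placeholder addresses: replace with mailboxes on your own test system.
    gateway = sys.argv[1] if len(sys.argv) > 1 else None
    message = build_test_message("avtest@example.com", "postmaster@example.com")
    name, body = attachment_of(message)
    print(f"{name}: {len(body)} bytes, matches test string: {body == EICAR}")
    if gateway:
        send_test(gateway, message)
        print("Sent; confirm the message was deleted or quarantined.")
```

Run it with the gateway host name as the only argument to send the message; without an argument it only builds and checks the attachment.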