release notes for release 8.7support.seg.att.com/enterprise/releasenotes/release... · 2017. 6....

Proprietary and Confidential © 2017 – Proofpoint, Inc. June 2017 Rev G - of 12

Release Notes for Release 8.7.X

This document describes what is new in the Proofpoint Protection Server 8.7.X feature Release. The information applies to both on-premise and PoD deployments unless stated otherwise.

Contents

Release 8.7.10 .............................................................................................................................................. 2 Bugs Fixed in Release 8.7.10 .................................................................................................................. 2

Release 8.7.8 ................................................................................................................................................ 2 Bugs Fixed in Release 8.7.8 .................................................................................................................... 2

Release 8.7.6 ................................................................................................................................................ 2 Release 8.7.4 ................................................................................................................................................ 3

Change to Proofpoint Protection Server Certificates ............................................................................... 3 New Features and Enhancements in Release 8.7.4 ............................................................................... 3 Bugs Fixed in Release 8.7.4 .................................................................................................................... 3

Release 8.7.3 ................................................................................................................................................ 4 Bugs Fixed in Release 8.7.3 .................................................................................................................... 4

Release 8.7.2 ................................................................................................................................................ 4 Quarantine Bulk Operations .................................................................................................................... 4 New Features and Enhancements in Release 8.7.2 ............................................................................... 5 Bugs Fixed in Release 8.7.2 .................................................................................................................... 5

Release 8.7.0 ................................................................................................................................................ 6 Support for Office 365 Azure Active Directory (Azure AD) ...................................................................... 6 Impostor Display Names Repository ....................................................................................................... 6 Support for DKIM Policies and Rules ...................................................................................................... 6 New Rule Condition – Message Header From (Address Only) ............................................................... 7 New Rule Condition – Valid DKIM-Signature Signing Domain ................................................................ 7 New Operator – Is In Domain Set ............................................................................................................ 7 Enhancements to Smart Send Notifications ............................................................................................ 8 New W-2 Rule .......................................................................................................................................... 8 Advanced Setting for Quarantine Folders ................................................................................................ 9 Enhancements to Quarantine Management ............................................................................................ 9 Quarantine and DLP Incidents Folders – Expire by Message Behavior Change .................................. 10 Enhancement to the RADIUS Import/Auth Profile ................................................................................. 10 Smart Search Enhancement .................................................................................................................. 10 Additional Virtual Appliance Support ..................................................................................................... 10 New Variables for Resources ................................................................................................................ 10 Additional Digest Template .................................................................................................................... 10 Remote Backups Supported .................................................................................................................. 10 New Features and Enhancements ........................................................................................................ 11 Bugs Fixed in Release 8.7.0 .................................................................................................................. 11 Known Issues in Release 8.7.0 ............................................................................................................. 12


Release 8.7.10

Release 8.7.10 includes many resiliency improvements to Quarantine management features.

Bugs Fixed in Release 8.7.10

Reference Description

PPS-36167 Optimization of Digest generation for email aliases.

Release 8.7.8



PPS-36431 Unsuccessful login attempts into Proofpoint Encryption will now be logged as Warnings instead of Alerts so that administrators are not overwhelmed by these non-critical events.

PPS-36465 Properly-formatted HTML text in the messagereleased Global Resource now renders as expected in the user interface.

PPS-36467 Fixes an issue where administrators could not add a user to several groups at once while using the Membership tab when editing the attributes for the user.

PPS-36468 An issue where an intermittent, spurious logged message and dropped connection has been fixed.

PPS-36676 Fixes an agent update issue where a new configuration was used before the update had a chance to complete.

Release 8.7.6

Proofpoint did not distribute an 8.7.6 feature release.


Release 8.7.4

The following sections describe new features in release 8.7.4.

Change to Proofpoint Protection Server Certificates

Due to evolving security requirements, Proofpoint has replaced outdated certificates with up-to-date versions. See Knowledgebase article number 3778 or Proofpoint Customer Success Center article number 3318 for details.

New Features and Enhancements in Release 8.7.4


PPS-35546 Several new file types have been added to the list of file types scanned by the Attachment Defense Module: .docm, .hta, .ppsm, .ppsx, .pub, .wmv, and .xlsm.

PPS-35819

The System > SMTP Server Summary page now displays messages in the DSN (Delivery Status Notification) queue. The Queue drop-down menu on the System > SMTP Queue Summary page now has a choice for dsn so that administrators can delete or process messages in that queue.



PPS-34041 Security enhancement for Secure Reader when the Decrypt Assist feature is enabled for the Secure Reader Proxy.

PPS-35295 The Redirect command on the DLP Incidents page no longer produces an error message.

PPS-35367 The total uncompressed size of a .gz archive that contains text files is properly calculated by the filtering engines.

PPS-35813 When the authentication profile is set to Universal, users would see a “Service Unavailable” message when they tried to decrypt a message using the Secure Reader Decrypt Assist link. This has been fixed.

PPS-35818 Administrators will no longer see an error message when they delete multiple messages from the System > SMTP Queue Summary page.

PPS-35842 When Proofpoint Encryption is enabled, the Manage My Account link in the email Digest now works properly when the administrator resets the password for the user.

PPS-35843 Addresses an issue when handling improperly formatted received headers.

PPS-36062 Corrects issues in combining imported Certificate Authorities (CAs) for SMTP with the updated CA list.

PPS-36103 Based on customer feedback Proofpoint has removed the option to switch to Basic Mode view from the management interface. This improves the usability of the navigation pane.


PPS-36111 Fixed an issue with Azure imports that contain UTF-8 character encoding.

PPS-36121 Secure Reader no longer cuts off long Subject lines in some circumstances when encrypted messages are replied to or forwarded.

PPS-36122 Fixed an issue with Proofpoint Encryption when decryption notifications are enabled for messages that include the $ character in the Subject.

PPS-36146 Messages in the System > SMTP Server Summary DSN (Delivery Status Notification) queue page will now display header and source information.

PPS-36147 Smart Search retention times are maintained after restoring the Config Master from a backup.

Release 8.7.3



PPS-35829 Corrects issues in combining imported Certificate Authorities (CAs) for SMTP with the updated CA list.

Release 8.7.2


Quarantine Bulk Operations

On the Quarantine > Settings > General page, the parameter Allow Release Operations on All Messages has been enhanced and changed to Allow Operation on All Messages. This enhancement allows administrators to prevent all bulk operations to be applied to all of the messages in the Quarantine. When the setting is Off, the All check box is disabled. However, the select all check box in the table header for the list of messages in the Quarantine is still available if you indeed want to apply a bulk operation to all of the displayed messages on the Quarantine page.


The All check box in the Quarantine. Selects all of the messages in the Quarantine, whether or not they are displayed on the page.

The select all check box in the table header selects the displayed messages and messages returned from a query for a bulk action.

New Features and Enhancements in Release 8.7.2


PPS-31462

A new configuration option called Allow Operation on All Messages on the Quarantine > Settings > General page can be used to disable the All check box on the Quarantine > Messages page. This disables bulk operations on messages in the Quarantine and DLP incidents pages.



PPS-33151

This fix applies to Proofpoint Encryption if you have disabled the envelope splitting feature. If an encrypted message is sent to several recipients, and one recipient has an email address that does not exist, the legitimate recipients receive duplicate messages as the system keeps trying to send the message to the non-existent recipient. This limitation has been fixed.

PPS-34142 Fixed a mail loop issue that can be triggered by certain key words.

PPS-34649 Custom logos in Branding Templates are now retained during feature release updates.


Release 8.7.0


Support for Office 365 Azure Active Directory (Azure AD)

Administrators can now create an Import/Authentication profile to use Azure AD to populate the User Repository. With this feature, user and group data are pulled directly from the Azure AD cloud, without the need for an additional on-premise connector, on-premise Active Directory, or other synchronization tool. Support for this feature requires that the Azure AD administrator create an access point for the Proofpoint Protection Server, and that appropriate credentials are provided to the Proofpoint Protection Server administrator for configuration purposes. The Data Source list on the User Management > Import/Auth Profiles > Add page now includes a choice for Azure Active Directory.

Impostor Display Names Repository

This feature allows administrators to create a repository of display names and legitimate external or personal email addresses for users in their Organization who are most likely to be targeted for an impostor attack – for example, high-ranking executives. This feature requires a license for SCSS (the Stateful Composite Scoring Service).

For example, if the user “Mary Smith” is added to the list because she is an executive who is likely to be targeted by an impostor, inbound messages from “Mary Smith” will be more likely to have a higher Impostor Spam score. Since Mary may also send legitimate messages to the Organization from her personal email addresses (for example, [email protected], or [email protected]), include those addresses for her in the repository so the detection engine is less likely to erroneously score those messages with a high Impostor Spam score. If you enter “Mary Smith” into the repository and no external email address for “Mary Smith,” inbound messages from “Mary Smith” are more likely to have a higher Impostor Spam score.

The Impostor Display Names repository provides input to the Impostor Spam classifier to pay more attention to inbound messages from names in the repository. Legitimate messages from “Mary Smith” will be less likely to be classified as Impostor Spam, and inbound messages from impostors of “Mary Smith” will be more likely to be classified as Impostor Spam. However, there are many other factors beyond the names in the repository that are considered to determine the Impostor Spam score.

Populating the Impostor Display Names repository is a two-step process: first identify the executives in your Organization who are likely to be targeted by impostors, and then add their display names and legitimate external email addresses to the list. Administrators can populate the repository on the Email Protection tab, under Spam Detection > Settings > Impostor Display Names.

Support for DKIM Policies and Rules

Like many other modules, administrators can now create unique DKIM Policies and add rules to each policy. This feature is especially useful to create rules for valid DKIM signing results with the Is In Domain Set operator. For example, you can create rules to accept messages with valid DKIM signatures from the domains included in the Domain Set that you created for your Organization’s business partners. The Email Authentication Rule Trends report now includes DKIM verification as well as DMARC and SPF rule trends.


New Rule Condition – Message Header From (Address Only)

The Envelope Sender does not always match the Message Header From in a message. For example, in previous releases, there was no way to create an Email Authentication rule to trigger for messages that failed DKIM authentication. The new Message Headers From (Address Only) condition solves this limitation.

The Message Header From (Address Only) condition is available for System Policy Routes, Email Authentication DKIM Module rules, and Spam Detection Module Organizational Safe Lists and Block Lists.

Existing customers will see the following changes in the Email Firewall Module rules and Bounce Management rules:

When you create a rule with Message Headers as a Condition, the word “Attribute” in the Add condition pop-up window has changed to “Header.”

A new choice has been added to the Value drop-down list: From (Address Only). So now administrators can select either From or From (Address Only) for the Message Header condition.

The From (Address Only) selection tests against the first address in the first From: header. It

does not include the phrase that follows the first From: header.

New Rule Condition – Valid DKIM-Signature Signing Domain

The Valid DKIM-Signature Signing Domain condition in the DKIM Email Authentication Module rule will test for a valid DKIM signature for messages from domains with DKIM verification capability.

This condition in conjunction with the Is In Domain Set operator gives you greater control over accepting messages with valid authentication from legitimate domains and rejecting messages that fail authentication.

New Operator – Is In Domain Set

Administrators can now create a set of domains, allowing administrators to create policies and rules that apply to a set of domains instead of entering each domain individually into the condition for the rule. First create a Domain Set, and then use that Domain Set as the operator for the condition in a rule.

Administrators can use the Is In Domain Set operator in Policy Routes, Spam Detection Safe/Block lists, and Email Firewall rules. The Is In Domain Set operator can be used in the Email Authentication Module for SPF and DMARC rules. Release 8.7.0 has also added support for DKIM policies and rules (see Support for DKIM Policies and Rules.

Use cases:

Apply DMARC authentication only to a set of inbound domains.

Apply DMARC authentication only to the domains that belong to the Organization’s business partners.

Use DKIM authentication results to apply an action to inbound messages from a set of domains – for example, add a header, reject the message, or tag it.


Changes to the management interface:

A new navigation link and page appear under System in the management interface: System > Domain Sets. Use this page to add, delete, import, or export the list of domains in a set.

If a Domain Set is used by a rule or list, you will not be able to delete it.

The domains on your existing System > Inbound Mail page will automatically be added to a new Domain Set named default_inbound. This Domain Set is read-only.

Any changes that you make to the System > Inbound Mail page will automatically be updated in the default_inbound Domain Set.

The Is In Domain Set operator is supported for the Envelope Recipient, Envelope Sender, and Sender HELO Domain conditions in the following modules:

System > Policy Routes

Email Firewall > Rules

Email Firewall > SMTP Rate Control > Rules

Email Firewall > Bounce Management > Rules

Spam Detection > Organizational Safe List

Spam Detection > Organizational Block List

A new default Domain Set named “partner” is included – to be used with DKIM rules. Populate the “partner” domain set with domains from partners who are known to sign messages.

The Is In Domain Set operator is supported for the Valid DKIM-Signature Signing Domain condition for Email Authentication > DKIM > Rules.

Enhancements to Smart Send Notifications

Administrators now have greater control over the Smart Send notifications sent to users when a DLP (Data Loss Prevention) violation is detected by the Proofpoint Protection Server.

The following enhancements have been included in release 8.7.X:

Two Smart Send notification templates are available – Basic and Detailed. The Detailed version lists which violations were detected in the message. Up to 10 violations of each type will be displayed. The Basic version does not list the violations.

Administrators can choose whether or not to mask the violations in the Detailed template. For example, when masking is enabled, a credit card number could appear as “1234 **** **** ****”.

Administrators have granular control over the masking feature for each Smart Identifier – they can choose the placement for the masking, how many characters to mask, and which character to use for masking purposes.

Smart Send Actions – administrators can control which actions users are allowed to apply to messages from the Smart Send notification: Send, Block, or Send Encrypted.

Administrators can control the content of the footer in the Smart Send notification by changing a resource value.

New W-2 Rule

A new W-2 Regulatory Compliance rule has been added to release 8.7.0. This rule is disabled by default and applies only to outbound Policy Routes – to protect a user in your Organization from accidentally sending an outbound message that includes a large number of W-2s in it. Messages that trigger the W-2_impostor rule are discarded and copies are sent to the Quarantine > Impostor folder. The w2_impostor rule is located on the Information Protection tab under Regulatory Compliance > Rules.


Advanced Setting for Quarantine Folders

The Impostor folder is a system folder located under Quarantine > Folders on the System tab. Since rules can trigger for impostor email across Email Protection and Information Protection modules, the Impostor folder must be available for selection in rules in all of the modules under Email Protection and Information Protection. To satisfy this requirement, a new Advanced tab setting is available for the default system folders and any folders you create on the Quarantine > Folders page. This advanced setting is not necessary for the folders on the DLP Incidents > Folders page. When you enable the Available for all rules parameter on the Advanced tab for a Quarantine folder, the folder is added to the list of available folders for any rule in the Email Protection and Information Protection modules. When you view message details for a quarantined message, the View menu will display Email DLP instead of Regulatory Compliance.

Administrators who create custom reports can also select folders with this advanced setting from the Folder Name list under Report Options.

Enhancements to Quarantine Management

An enhancement was made to prevent administrators from accidentally generating an email Digest for the entire email community when the intention was to generate an email Digest for one user or a few users at a time.

If you have selected a message in the Quarantine and are viewing the message details, if you do not select the checkbox for the message, or do not select the All check box, and then select Generate Digest from the Options menu, you will be prompted to make a selection before the Digest generation takes place.

An enhancement was made to prevent administrators from accidentally releasing all of the messages in the Quarantine at once.

The Quarantine > Settings > General page has a new parameter - Allow Release on All Messages. The default setting is Off. This prevents the administrator from selecting the All checkbox in the Quarantine and releasing all messages. However, if the administrator selects the select all check box in the table header for the list of messages in the Quarantine, all selected messages can be released.

The All check box in the Quarantine The select all check box in the table

header


Quarantine and DLP Incidents Folders – Expire by Message Behavior Change

Folders that have an Expiration Mode set to Expire by Message (Quarantine) or Expire by Entry (DLP Incidents) will automatically switch to Expire by Table when 5000 or more messages are stored in the folder. This enhancement improves quarantine database performance and storage efficiency.

Enhancement to the RADIUS Import/Auth Profile

The RADIUS import/authentication profile can now use an administrator’s email address to authenticate administrators when they log in to the Proofpoint Protection Server management interface. Some RADIUS servers support only email addresses for authentication. For example, when this feature is enabled, if the administrator enters “joe” to log in to the management interface, the Proofpoint Protection Server will use “[email protected]” to authenticate the administrator. See Proofpoint Help for details on how to enable this feature for RADIUS profiles.

Smart Search Enhancement

A new Final Action field has been added to the Smart Search > Search form. The default selection (null) will search for all Final Action types.

Additional Virtual Appliance Support

Proofpoint has added support for VMware ESXi 5.5 Update 3 and ESXi 6.5 hosts.

New Variables for Resources

These new variables are especially useful when administrators enable Decrypt Assist for Email

Encryption. The %SENDEREMAIL% and %SENDERNAME% variables will display the sender email address

and header From: address in the secure message notification. For example, if you go to the System >

End User Services > Resources > Per Brand page and modify the templates.encrypt.info resource to This is a secure message from %SENDEREMAIL%, the recipient will see This is as secure message from [email protected].

Additional Digest Template

A new Responsive HTML template is included in the list of email Digest templates. This template is optimized for multi-platform support.

Remote Backups Supported

This feature applies only to on-premise deployments. Administrators can now send a backup of the Proofpoint Protection Server to a remote server on the network. You will find the Remote Backup settings on the System > Backup and Restore page.


New Features and Enhancements


PPS-32361 Folders that have an Expiration Mode set to Expire by Message (Quarantine) or Expire by Entry (DLP Incidents) will automatically switch to Expire by Table when 5000 or more messages are stored in the folder.



PPS-25906 PoD deployments only – improvements to Quarantine message retention and expiration.

PPS-25925 The Email Firewall Module can now handle archives within archives properly to trigger the Maximum Message Size rule.

PPS-25926 A warning has been added to the Email Firewall > Settings page to discourage administrators from disabling the Email Firewall Module.

PPS-25929 Applies only to PoD deployments. The View as HTML parameter on the System > Settings > Security page works as expected.

PPS-25958 Cloning a rule in the Spam Detection Module now works as expected.

PPS-26208 An Incident Status that you create on the DLP Incidents > Settings > Incident Status page is now retained during a Feature Release update as expected.

PPS-26248 URL Defense improvements to better handle messages or attachments with an extremely large URL.

PPS-27831 Administrators who disable an Import Profile will see a warning that users will not be able to authenticate with that profile once it is disabled.

PPS-31882 An LDAP import from the command line that used the –debug or –verbose flags would retain those flags even if you removed them in the next manual import. This has been fixed.

PPS-31966 A message that is quarantined with an “X-Proofpoint-Sentinel” header added will now have this header stripped when it is re-directed from the Quarantine to a new recipient.

PPS-32034 Japanese annotations to 7-bit ASCII messages are no longer corrupted.

PPS-32271 Newly-created SPF policies which were not cloned from an existing policy no longer defer mail when there is a transient DNS problem (temperror rule).

PPS-32313

In previous versions, if you entered .example.com into the Inbound Mail

Routes table, that domain would be ignored. Now the filtering engines will

match [email protected] but not [email protected] for the .example.com

entry – this allows the filtering engines to obey the sendmail conventions for domains in the Inbound Mail Routes table.

PPS-32366 Improvements to default database retention settings.


PPS-32426 The filtering engines now properly handle malformed attachment headers on zip files containing malware.

PPS-32461 Feature Release updates that are scheduled within 4 hours of midnight will now take place at the correct time.

PPS-32469 The Email Firewall Module Maximum Message Size rule now triggers as expected for messages with attached archives within archives.

PPS-32569 Documents in international languages no longer produce an error when added to the Digital Assets Module.

PPS-32649 Group names with a space in the name can now be removed from scheduled Digest generation on the End User Services > Digest Schedule page as expected.

PPS-33015

Secure messages now include metadata tags to prevent them from being archived and indexed. This will help protect customers who have chosen the No Authentication Data Source for the user community and have also enabled Decrypt Assist for Secure Reader.

PPS-33029 The Allow Relay from Microsoft Office 365 IP Addresses parameter on the System > Outbound Mail > Allow Relay page now works as expected by processing the entire contents of the Allow Relay table.

PPS-33245 Adding the same previously-deleted Mail Filtering Agent back to a cluster now works as expected.

PPS-33279

If a Sub-Org had entries in its Safe Senders or Blocked Senders lists, and the administrator changed the Branding Template for the Sub-Org by going directly to the Services attribute tab for the Sub-Org, the entries on the Safe Senders or Blocked Senders lists would be lost. This has been fixed.

PPS-33543 Group Based Routing domains are now propagated to the agents in a cluster as expected.

Known Issues in Release 8.7.0


PPS-34170

This issue applies only if your deployment is licensed for Secure Share and you use the Microsoft Edge browser to log in to the Proofpoint Protection Server. Administrators cannot upload a custom logo on the Secure Share tab when adding a new Branding Template or editing an existing Brand Template.