The IMPEX 3.2 release is the first version of Impex with a network variant of the product. This release brings a tech preview of our IMPEX Data Lock product, a network content scanner that can be used for data transfers and integration between systems. One example is bringing files into a company red zone together with a complete audit trail. Impex Data Lock works well together with diode solutions, ensuring that files only go from outside to inside. Impex Data Lock introduces new menus in the ICC that you will see but cannot use if you do not have any Data Locks installed. Please note that Impex Data Lock is a new, separate product that runs on a server but integrates with the ICC and the repo servers in the same way as an Impex USB station. If you are interested in complementing your Impex environment with Impex Data Lock, please contact info@sysctl.se for more information.

The 3.2 release adds interactive network configuration to the stations, where previously the configuration could only be viewed read-only. This feature makes administration of stations easier when an Impex customer wants to install a station or move an existing station within a network.

The ICC also has a new view for quarantined files. This feature allows a station to upload a copy of a detected malicious file to the ICC server. An administrator with ICC access can download the file to a local computer for further analysis or export it to other parties for analysis. It also includes a function for looking up all earlier scans that included the file, which is useful to know since the file may not have been classified as malware at the time.

The new anti-virus engine Ikarus is now enabled by default for every customer who previously ran Sophos. Ikarus is an Austrian security company specializing in protection against malware. We have integrated their SDK into Impex.

We also hardened the cipher and TLS configuration on the ICC.

This release also contains various YARA rules for policy-based detection and blocking.

System software and application packages related to the underlying software stack have been updated to newer versions.

Platform and 3rd party packages

  • Operating system components and 3rd party packages have been updated to newer versions
  • Django got updated to 3.2.16 due to an existing CVE (which did not affect the ICC)

ICC Changes

  • Quarantine view added for downloading and investigating malware
  • Ikarus AV engine info now also shows the signature database version and its date and time
  • AV engine info was only shown for six AV engines even when more were present; that GUI limit has been removed
  • Enhanced TLS configuration to only allow TLS 1.2; support for TLS 1.0 and TLS 1.1 has been removed
  • Stronger encryption, with the cipher list limited to strong ciphers only
  • Network Scanner view added for IMPEX Data Lock
  • The System Settings view got a new card called ICC Signify, which contains signed bundles that can be used to enable network edit mode on the stations. This is useful when moving IMPEX stations to another network
  • Another graph added to the overview page on the ICC showing number of files and total file size
  • BitLocker source/target status was added back to the Scan view

ICC Fixes

  • The find-stations-using-this-config link on the configuration card was not working; fixed.

Station changes

  • Increased on-screen keyboard size to make it easier to input text
  • System Settings pages got a slight makeover
  • Added Network Edit Mode to System Settings. To enable it, one needs to download a signed network edit bundle from the ICC, unzip the bundle onto a USB drive, insert it and click the new button that pops up
  • Added the “alt” key to some keyboard layouts that were missing it
  • Fixed the signed package mechanism not showing the file list when a signed package was available for execution. It still worked; one just could not view the file listing before
  • Added support for UTF-8 labels on disk images
  • Fixed yet another UTF-8 bug where the station would report that it found malware but the file would not be marked red in the file listing

Scanner changes

  • There are more YARA rules for detection. These rules are more ‘policy oriented’ than the malware scanners, i.e. you can decide that you want to detect and block certain files based on policy instead of them being malicious. Examples of included detection rules are: detect Office file types, detect zip files with passwords, detect zip files that only contain one Office file, detect zip files that only contain a Windows executable, etc.
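As an added illustration of what such policy-oriented rules look like (these are not the rules shipped with IMPEX), two YARA rules over the ZIP container format: one flags archives with a password-protected entry, the other flags an archive whose single entry is named *.exe. Offsets follow the ZIP specification's local file header and end-of-central-directory record layout.

```yara
// Added example, not part of the IMPEX 3.2 rule set.

rule zip_has_encrypted_entry
{
    meta:
        description = "Policy: ZIP archive with at least one password-protected entry"
    strings:
        $lfh = { 50 4B 03 04 }          // local file header signature
    condition:
        uint32(0) == 0x04034b50 and
        // the general purpose bit flag sits 6 bytes into each local header;
        // bit 0 set means the entry is encrypted
        for any i in (1..#lfh) : ( (uint16(@lfh[i] + 6) & 0x0001) == 0x0001 )
}

rule zip_single_entry_windows_executable
{
    meta:
        description = "Policy: ZIP archive whose only entry is named *.exe"
    strings:
        $lfh  = { 50 4B 03 04 }          // local file header signature
        $eocd = { 50 4B 05 06 }          // end of central directory record
        $ext  = ".exe" nocase
    condition:
        uint32(0) == 0x04034b50 and
        #eocd >= 1 and
        // total entry count is 10 bytes into the EOCD record
        uint16(@eocd[#eocd] + 10) == 1 and
        // the file name starts 30 bytes into the local header and its
        // length is stored at +26; the match must end exactly where the name ends
        for any i in (1..#ext) : (
            @ext[i] + 4 == @lfh[1] + 30 + uint16(@lfh[1] + 26)
        )
}
```

Both rules are container-level checks only: an archive blocked by policy is not necessarily malicious, which is the distinction the paragraph above draws.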

Documentation

  • The ICC documentation was updated with information about the Quarantine view and the Network Scanner view, and a few screenshots and paragraphs were updated

Known issues

  • The Data Lock functionality lacks a status/feedback page. If the internal disk fills up, new connections will simply be dropped until space has been freed. This will improve in a future release.