The IMPEX 3.7.0 release

This release brings many different changes to all components in the Impex family.

One change we want to bring to your attention is a change in how the Impex stations connect to the repository server for updates. The stations used to connect directly to the repo server, but now they will always go through the ICC, which will act as a proxy if the repo server is not installed on the same server as the ICC. This architectural change allows for the Impex installation to better fit into a zone model architecture. It will also remove the problem of having out-of-sync credentials for the Repo servers on the stations. Thirdly, if the “test repo connection” test in the ICC Server Settings view is green and the stations can connect to the ICC, they can also connect to the Repo server. We believe this will reduce the number of support issues when deploying or moving stations inside customer networks.

Another change that helps both new installations and existing Impex customers who make changes to their environment is the extended services setup in the ICC, something that previously required changes via the command line. With this release, we added support for configuring DNS, NTP and Syslog settings directly in the ICC GUI. Another benefit is that this lets ICC system managers apply settings without involving system administrators.

We have added support for LDAP authentication in Impex. With this release, the LDAP support covers the ICC application, so that ICC users are checked against the LDAP catalog. The LDAP support in 3.7 should be considered a technical preview feature, only to be used by advanced customers after consultation with Sysctl. The LDAP support in this release has only been tested against OpenLDAP, hence the label “technical preview feature”.

Customers ingesting ICC syslog into their SOCs should be aware that the ICC now supports a verbose JSON log format that reports more information on malware found during scanning on stations. See Server Settings -> Syslog -> Syslog Format to change this to json malware alert (only the malware log messages are JSON; the rest remain in the normal text format).

From this release we will not support upgrades from USBProtect running versions older than 2.7.0, which was released 2021-12-09.

ICC changes

  • The configuration of the repo server used by the station should now be done under “Server Settings”. There is also a test button so that one can test the connectivity of the configuration directly

  • It is now possible to configure the ICC’s time server, DNS and syslog servers in the Server Settings view

  • It is now possible to configure an explicit proxy for the upstream repository used by the ICC

  • Added a hide network information setting in the configuration card. When set, this makes the stations hide the network information to avoid giving away potentially sensitive information about the internal network infrastructure to end-users of the station

  • There is a new syslog format setting that makes the ICC server log every file found with malware in a scan together with its checksum and malware information. The messages are in JSON format to make it easier for SOCs to ingest these logs into their systems

  • Technical preview of LDAP support for the ICC application. The ICC can be configured to allow login using LDAP. This new feature has been tested with OpenLDAP/TLS. Mapping of read-only accounts and further LDAP server integrations have not yet been tested. Also, some changes require a restart of the ICC service, which is not done automatically in this release

ICC fixes

  • The ICC will now use itself as the update source if the repository service is installed on the same server

  • The ICC now sets HTTP caching headers to stop browsers from caching web content, which in some cases had led customers to think their ICC was not updated although it was

Station changes

  • The station will always talk to the ICC to get its updates, not to the Repo server directly. Previously, the station connected to the Repo server directly. This change reduces complexity and dependencies, and it simplifies network configuration and firewall setup for networks with IMPEX stations.

  • Network information is hidden when the setting is set on the ICC. Note, however, that if the station is offline for more than an hour, the information becomes visible again to help in debugging networking issues

  • The Antivirus view now has a button that can be used to trigger an immediate update of all the AV signatures. This is useful if you want to force an update instead of waiting until the next update cycle, for example when a station has been reconnected to a network or has been offline or powered down.

  • The Station tab view in the system settings now also has a button that can be used to check for updates immediately

  • The station used to save credentials after registering with an ICC in a file named after the server. That meant changing the server’s name or switching between IP and FQDN would require a re-registration. This has now been changed so the station will always try to use the credentials it has, even if the ICC server address/name changed

  • The ICC tab in the network view will now inform if the certificate of the ICC is not trusted. This should normally never be the case, but if an ICC certificate expires this will help in debugging connectivity issues

Station fixes

  • Changing the settings polling interval on the ICC now takes effect directly; before this change a restart of the station was required

  • The “Is ICC Reachable” check did not obey the proxy setting and would try to connect directly, and could thus show that the ICC was not reachable although everything else on the station could talk to the ICC. Note: only the test itself was incorrect, due to a bug in a third-party library used only in this connectivity test module

  • An issue in the station registration was fixed. If a station sent a registration request to an ICC and then lost network connectivity, it would start over again, and the ICC would reply “already have a registration from you” and deny the registration. This could be worked around by deleting the registration request on the ICC, but it has now been properly fixed so that it will not happen in the first place

Offline station

  • The offline station’s settings no longer show network-related information since that is irrelevant

  • Offline software bundles were missing AV packages, which made updates depending on AV packages fail to apply. This has been fixed

Datalock

  • A bug was fixed in the destination path flow check. If a new SSH key was uploaded to the ICC, the Datalock station's output queue process did not notice it until a restart or until the Flow information was also updated

  • A bug was fixed where, if queued-up scans ready for upload to the remote were uploaded within the same second, the remote folder names would be identical since the name only had one-second resolution. The remote folder name will from now on include microseconds. For example: 20231109131100 becomes 20231109131100456869, that is year, month, day, hour, minute, second and microseconds
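Anyone consuming Datalock remote folders from a script will now see both the 14-digit names written by earlier releases and the 20-digit names written from 3.7.0 on. The following is an added example, not DataLock's own code, that parses both forms and shows the collision the fix addresses: two uploads 200 ms apart map to the same legacy name but to distinct microsecond names. The folder formats are taken from the example in the release notes; the function names and sample timestamps are constructed for this example.

```python
"""Parse and generate Datalock-style remote folder names (added example, not
DataLock's own code). Formats follow the release notes: YYYYMMDDHHMMSS before
3.7.0 and YYYYMMDDHHMMSSffffff from 3.7.0 on."""
from datetime import datetime, timedelta

LEGACY_FMT = "%Y%m%d%H%M%S"     # 14 digits, one-second resolution
CURRENT_FMT = "%Y%m%d%H%M%S%f"  # 20 digits, microsecond resolution


def remote_folder_name(ts: datetime) -> str:
    """3.7.0 naming: seconds followed by six microsecond digits."""
    return ts.strftime(CURRENT_FMT)


def parse_remote_folder(name: str) -> datetime:
    """Accept both the legacy 14-digit and the current 20-digit folder name."""
    if not name.isdigit():
        raise ValueError(f"not a timestamp folder name: {name!r}")
    if len(name) == 14:
        return datetime.strptime(name, LEGACY_FMT)
    if len(name) == 20:
        return datetime.strptime(name, CURRENT_FMT)
    raise ValueError(f"unexpected folder name length {len(name)}: {name!r}")


def _collides(timestamps, fmt: str) -> bool:
    names = [t.strftime(fmt) for t in timestamps]
    return len(names) != len(set(names))


def legacy_names_collide(timestamps) -> bool:
    """True if the pre-3.7.0 naming would give two uploads the same folder."""
    return _collides(timestamps, LEGACY_FMT)


def names_collide(timestamps) -> bool:
    """True if the 3.7.0 naming would give two uploads the same folder."""
    return _collides(timestamps, CURRENT_FMT)


if __name__ == "__main__":
    # Constructed: two scans uploaded 200 ms apart within the same second.
    first = datetime(2023, 11, 9, 13, 11, 0, 456869)
    second = first + timedelta(milliseconds=200)
    print(remote_folder_name(first), remote_folder_name(second))
    print("legacy collision:", legacy_names_collide([first, second]))
    print("3.7.0 collision: ", names_collide([first, second]))
```

Parsing is keyed on the name length rather than on a release version so a single consumer can walk a remote directory that holds folders written by both old and new stations.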

Documentation

  • DataLock section was updated to make it clearer that one needs to use the datalock@ username when uploading files for scanning. Examples were added as well

Security

  • Upgraded Django to 3.2.22 due to CVE-2023-43665, a denial of service vulnerability that did not affect the ICC, but we always pull in security fixes

Operating system packages

  • As usual this new release also brings upstream operating system updates and fixes

Information

Portal

https://portal.sysctl.se is now available for Sysctl customers. Via the portal, we will distribute files and information that have restricted distribution. In this initial release, we provide specific program files for IMPEX customers, and especially those customers that have standalone or offline USB Protect. From the portal one can download offline updates and AntiVirus definitions updates. It is also possible to download installation media for

  • ICC server
  • Repository server
  • IMPEX USB Protect
  • IMPEX DataLock

Email SYSCTL support to get access to the portal.

Atom (RSS-like) feed

The feed includes sysctl news and release information

https://sysctl.se/feed.xml