Information about the IMPEX release 4.1.0

Do you use password-protected archives in your organization, or do you regularly receive such files? Then you might be happy to know that we have added the possibility to add archive password lists to the ICC. These passwords are then used by the Ikarus scanning engine to scan inside password-protected files on the fly. The password list is copied to the Impex stations so that they work independently of the ICC. When it is saved to local disk, it is encrypted to protect the sensitive passwords. In upcoming releases, more engines will use this feature.

Another request is “dark mode”, which we have added to the ICC. It changes the color scheme from light or white tones to dark or black tones: when dark mode is enabled, dark background colors and light text colors are used instead of the traditional light background with dark text.

A third customer request is to “never store scanned files on the device”. This is a setting one can enable in the ICC which forces the scans to be performed on the source device. The normal process is that Impex copies files to the fast internal drive so that they are cached, which speeds up scanning performance. With this mode, the cache is not used, but no copies of the files are made away from the source media, so you have better control of where the information is stored. This is a classic trade-off between performance and security.

Other customer-requested features added in this release are attaching the scan report and file listing to the malware alert email, and improved JSON syslogging. The latter allows customers to write better SIEM rules for matching Impex alarms and logs: more details are sent in the logs, and the key/value pairs make it easier to filter and match content.

Some customers with a large number of very active stations could see the ICC using a lot of CPU. A simple change has reduced the load on the ICC; read about cookie-based authentication below.

This is the last planned release of the 4.x versions of the Impex software. A major change to the platform is scheduled by Sysctl, where we migrate away from CentOS as the operating system for the Impex family of products. The next planned release, scheduled for the August timeframe, will be called 5.0.

ICC changes

  • The scan report type setting on the config card now also applies to the malware alert emails being sent, i.e. a PDF report and/or CSV zip file will be attached to the malware alert email as well
  • Scan report emails now also include the target USB device information
  • It is now possible to download the ICC and system logs directly from the Syslog card on the Server Settings page. This is especially convenient in Support cases with SYSCTL
  • ICC GUI now also comes in dark mode
  • More details in the syslog JSON format: it now includes all station-related information on malware alerts, and a JSON-formatted operations log
  • Better feedback on login failures
  • Engine Settings view: this is a new settings view where we will collect exposed scanning engine settings. In this release, we add a password list for encrypted files so that the scanning engines can unpack them and scan inside. Note: Ikarus is currently the only scanning engine that supports this, so it must be enabled if you want to use this feature.

Station changes

  • The station now uses cookie-based authentication against the ICC, which dramatically reduces the load on the ICC if you have many stations connected to it that poll for changes often
  • It is now possible to see information about the server certificate in the network view which should help considerably when debugging connection issues
  • The station will no longer try to switch to the ICC server specified in the configuration card it receives from the ICC. This has caused a lot of problems for customers and, as far as we know, has not been used to switch ICC servers. The new reasoning is that if a station has been configured correctly and has been registered with an ICC, it will never try to connect to another. We believe this behavior is better than the previous one.
  • Ikarus now supports using the archive password list from the ICC when scanning. The list is encrypted on disk using the TPM so that it is protected at rest, and it is decrypted using the TPM at runtime for use by Ikarus.

Station fixes

  • The identities completion step did not limit the matching identities to 5, which meant that if too many identities matched, they could cover the keyboard, making it difficult to continue typing
  • If the connection between the station and the ICC went down, the station stopped checking for configuration updates until it rebooted. This has been fixed so that it resumes polling for configuration changes after coming back online.
  • Scanning drives containing character devices did not work because our hardening rules (SELinux) did not allow it; this has been relaxed

Datalock changes

  • The default bit length of the SSH RSA host key used for uploading scanned files to a remote host has been bumped from 2048 to 3072. This makes the key compliant with CIS benchmarks. Contact SYSCTL support if you want your current Datalock installation to regenerate its key with this new default.
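An existing Datalock installation keeps its old key until support regenerates it, so a quick way to check whether a host is already at the new default is to look at the key length reported by ssh-keygen. The following is an added example (not Sysctl's code) that parses one line of `ssh-keygen -l` output and reports whether an RSA key meets the 3072-bit minimum; the key path in the usage comment is an assumption, since the page does not state where Datalock stores its upload key.

```shell
#!/bin/sh
# Added example, not part of the IMPEX release or Sysctl's tooling.
# Checks one line in the format printed by `ssh-keygen -lf <pubkey>`, e.g.
#   "3072 SHA256:<fingerprint> root@datalock (RSA)"
# Exit status: 0 = RSA key is at least MIN_RSA_BITS, 1 = RSA key too short,
#              2 = not an RSA key or line could not be parsed.
MIN_RSA_BITS=3072

check_rsa_key_bits() {
    line="$1"
    bits=$(printf '%s\n' "$line" | awk '{print $1}')
    keytype=$(printf '%s\n' "$line" | awk '{print $NF}')
    case "$bits" in
        ''|*[!0-9]*) return 2 ;;        # first field is not a bit length
    esac
    [ "$keytype" = "(RSA)" ] || return 2   # only RSA lengths are compared here
    [ "$bits" -ge "$MIN_RSA_BITS" ]
}

# Usage on a Datalock host (key path is an assumption; adjust to the key
# actually used for uploads):
#   if check_rsa_key_bits "$(ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub)"; then
#       echo "RSA host key meets the 3072-bit default"
#   else
#       echo "RSA host key is below 3072 bits or not RSA; contact SYSCTL support"
#   fi
```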

Third-party updates

  • The IKARUS engine was updated to the 6.3 branch which, among other things, contains improved detection for OneNote, RTF, Nuitka, PowerShell, ARM executables, PyInstaller and 74c files

Documentation

Security

Operating system packages

  • As usual, this new release also brings upstream operating system updates and fixes

Known issues

Station

  • The format and shred buttons become visible before the files on an inserted drive have been parsed. If either is pressed before the files have been fully read, an error occurs, because the drive is still in use when the format/shred process tries to unmount it. To avoid this error, wait until all files have been read. This will be handled better in the next release.
  • XFS and ext4 filesystems created on very recent Linux systems are not recognised. This will be solved by the planned platform change for Impex.

Information

Impex 5.0

This will be the last planned release of the 4.x versions of the Impex software. A major change to the platform is planned by Sysctl, where we migrate away from CentOS as the operating system for the Impex family of products. We will introduce Sysctl Linux as the base for our future products.

The next planned release, scheduled for the August timeframe, will be called 5.0.

Portal

https://portal.sysctl.se is now available for Sysctl customers. The portal is used to distribute files and information that have restricted distribution. In this initial release, the portal provides specific program files for IMPEX customers, especially those customers that have a standalone or offline USB Protect. From the portal, customers can download offline updates and antivirus definition updates. It is also possible to download installation media for:

  • ICC server
  • Repository server
  • IMPEX USB Protect
  • IMPEX DataLock

Email SYSCTL support to get access to the portal.

Atom (RSS-like) feed

The feed includes Sysctl news and release information:

https://sysctl.se/feed.xml