Impex release information
Information about the IMPEX release 5.7.0
Release Type: general
The IMPEX 5.7.0 release
This release brings a revamped USBProtect interface with new, clearer buttons. It also fixes encrypted 7zip archive detection for some 7z archives that were previously not detected as encrypted. The Datalock sftp service has been locked down further with, among other things, the new sandbox technology Landlock.
This release is the initial one with a new AI-powered file type detection engine. We plan to expose this to our file filters so that one can write rules blocking for example executable files or only allow text documents. This new engine will work within the current architecture, i.e. still work with on-prem components and does not offload anything externally.
Station changes
- Station GUI has gotten a design revamp; new shiny buttons and a more compact scanning view making room for upcoming new engines
- The “encrypted_7z” Yara rule did not work with 7z archives that have encoded headers (which happens when an archive contains more than one file). We fixed this by adding a new “Identify Encrypted 7z” engine that parses the 7z file, uncompresses the headers and then checks for encryption. This engine is automatically activated if the “encrypted_7z” Yara rule is enabled. Customers do not have to do anything; the only effect is that the “encrypted_7z” Yara rule now appears to work as intended.
- A new File Meta Engine will run automatically on all scans. It uses an AI-powered file type detection tool that has been trained on 100+ million files. Currently it adds file type information and class to each file entry. We plan to expose this to our file filters so that one can write rules that, for example, block exe files or only allow text documents.
- Added audit logging on USB port mapping events
- Signify bundle logging in the station frontend view is now more verbose about what is going on while the bundle is running
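The header distinction behind the “encrypted_7z” item above, as an added example (not Sysctl's engine or code from this release). It follows the 7z signature header to the next header and reports whether encryption is visible to a byte-pattern rule or whether the header must first be unpacked; the constants come from the public 7z format description, and `build_sample` and the sample headers are constructed for illustration.

```python
import struct
import zlib

SIGNATURE = b"7z\xbc\xaf\x27\x1c"          # 7z magic bytes
K_HEADER, K_ENCODED_HEADER = 0x01, 0x17    # first property ID of the next header
AES_CODER_ID = bytes.fromhex("06f10701")   # coder method ID of 7zAES


def build_sample(next_header: bytes) -> bytes:
    """Constructed sample: a 32-byte signature header directly followed by next_header."""
    start = struct.pack("<QQI", 0, len(next_header), zlib.crc32(next_header))
    return SIGNATURE + b"\x00\x04" + struct.pack("<I", zlib.crc32(start)) + start + next_header


def classify_7z(data: bytes) -> str:
    """Return 'encrypted', 'not-encrypted', 'needs-header-unpack' or 'invalid'."""
    if len(data) < 32 or data[:6] != SIGNATURE:
        return "invalid"
    (start_crc,) = struct.unpack_from("<I", data, 8)
    if zlib.crc32(data[12:32]) != start_crc:       # corrupt or truncated start header
        return "invalid"
    offset, size, next_crc = struct.unpack_from("<QQI", data, 12)
    header = data[32 + offset: 32 + offset + size]
    if size == 0 or len(header) != size or zlib.crc32(header) != next_crc:
        return "invalid"
    # Simplification: a byte search stands in for walking the folder/coder records.
    if AES_CODER_ID in header:
        return "encrypted"             # AES coder listed in readable header bytes
    if header[0] == K_HEADER:
        return "not-encrypted"         # plain header, no AES coder listed
    if header[0] == K_ENCODED_HEADER:
        return "needs-header-unpack"   # coder list is packed; a static pattern cannot see it
    return "invalid"


# Constructed next-header fragments, not taken from real archives.
PLAIN_AES = bytes([K_HEADER]) + b"\x0b\x01\x00\x01\x24" + AES_CODER_ID
PLAIN_CLEAR = bytes([K_HEADER]) + b"\x0b\x01\x00\x01\x23\x03\x01\x01"
ENCODED = bytes([K_ENCODED_HEADER]) + b"\x06\x00\x01\x09\x10\x00\x07\x0b\x01\x00\x01\x23\x03\x01\x01"

if __name__ == "__main__":
    for name, hdr in [("plain+aes", PLAIN_AES), ("plain", PLAIN_CLEAR), ("encoded", ENCODED)]:
        print(name, "->", classify_7z(build_sample(hdr)))
```

The `needs-header-unpack` result is the case a pattern rule cannot settle: the coder list that would name the AES coder sits inside the packed header stream.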
Station fixes
- Unzipping/unlocking archive files that contained filenames with emojis did not work correctly; this has been fixed.
- The quarantine upload mechanism could fail to upload on slower networks due to timeout settings not being applied correctly.
Datalock changes
- The impex-check-upload service no longer runs as a high privileged user
- SELinux: datalock user is now SELinux confined
- SELinux: datalock sftpd now runs in a restricted domain. Previously it ran unprivileged and chrooted, but now it is also wrapped in SELinux confinement
- Datalock sftpd service is now using a Landlock sandbox enforcing chroot for each sftp session on the kernel side
- A new File Meta Engine will run automatically on all scans. It uses an AI-powered file type detection tool that has been trained on 100+ million files. Currently it adds file type information and class to each file entry. We plan to expose this to our file filters so that one can write rules that, for example, block exe files or only allow text documents.
Datalock fixes
- The quarantine upload mechanism could fail to upload on slower networks due to timeout settings not being applied correctly.
Repo changes
- Changed the number of Sysctl Linux Repos to keep from two to three. This is helpful if a station has been offline for a long time, so that it can catch up by upgrading itself instead of requiring a new install from an ISO. This increases the required disk space on REPO servers by about 8 GB.
- The reposervice and the repo standalone tool have been extended so that they can create archives of the entire software and AV repos, which is useful for customers operating REPO servers that do not have external network connectivity.
- Added an endpoint that is used by ICC to disable and remove deprecated CentOS repositories if ICC does not have any connected legacy CentOS stations
ICC changes
- ICC now detects if it has no connected legacy CentOS stations and informs its Repository server, if it has any, to disable and remove CentOS repositories
ISO installation media
- The automatically generated hostname on USBProtect and Datalock install has been fixed to be randomized on each install
Documentation
- Added more documentation on USB port side mapping
Information
Operating system packages
All system components have been updated to their latest respective version.
Online Documentation
Further details and configuration guidance are available in the official documentation:
https://sysctl.se/impex/documentation/
SBOM
Each ISO and VHD release has a software bill of materials (SBOM), to make introspection of the release easy to integrate with a number of security tools.
Update Instructions
For networked Impex stations this release will be automatically installed as part of the regular update process. No manual steps are required from administrators or users. The system will apply the update seamlessly in the background, ensuring that the latest fixes are in place without any interruption to normal operations.
For standalone Impex stations, your organisation needs to download the update from portal.sysctl.se in accordance with the update instructions in chapter “USBProtect in offline mode” in the Impex USB Protect user manual.
Links
Sysctl portal
https://portal.sysctl.se/
Documentation for offline patching
https://sysctl.se/impex/documentation/usb-protect-user-manual/#updates-and-patching
Sysctl rss/atom
https://sysctl.se/feed.xml