Content Analysis System Version 1.2.4.

4 Release Notes

Version: 1.2.4.4
Build: 157593
Release Date: 5/15/2015
Document Revision: 2.0 on 5/18/2015

Introduction
These release notes apply to the Blue Coat Content Analysis appliance. For
release specific information, refer to the following:
p

Section A: "Content Analysis 1.2.4.4 Release"

Section B: "Content Analysis 1.2.4.3 Release"

Section C: "Content Analysis 1.2.4.2 Release" on page 5

"Content Analysis 1.2.4.2 Resolved Issues" on page 7

"Content Analysis 1.2.4.2 Known Issues" on page 7

Section D: "Content Analysis 1.2.3 Release" on page 9

"Content Analysis 1.2.3 Resolved Issues" on page 9

"Content Analysis 1.2.3 Known Issues" on page 9

Section E: "Content Analysis 1.2.1.3 Release" on page 10

Section F: "Content Analysis 1.2.1.2 Release" on page 11

Section G: "CAS 1.1.5.2 Release" on page 13

Section H: "CAS 1.1.5.1 Release" on page 14

Section I: "CAS 1.1.4.2 Release" on page 15

Section J: "CAS 1.1.4.1 Release" on page 16

Section K: "CAS 1.1.3.1 Release" on page 17

Before you install or configure Content Analysis, refer to the following

sections:
p

"How does Content Analysis System Work?" on page 2

"Initial Configuration" on page 8

"Content Analysis System Licensing" on page 8

"Support" on page 18

Blue Coat Content Analysis 1.2.4.4 Release Notes

Upgrade Notice
Upgrades to Content Analysis version 1.2 releases are only supported from version
1.1.5.2 or above.
If your appliance is running a release earlier than version 1.1.5.2, please upgrade to
1.1.5.2 prior to upgrading to 1.2 releases.

How does Content Analysis System Work?

Anti-virus, malware, and spyware scanning with multiple simultaneous anti-virus

vendors.

Whitelisting compares requested files hashes against a whitelist of specific files,

hosts, and destination addresses.

When a file is found to not be a virus and is not in the file whitelist, Content
Analysis can send the file to an external appliance (Blue Coats Malware Analysis
Appliance or FireEye appliance) to run the file in a virtualized Windows
workstation environment. The actions of the file (registry edits, requests to
malicious web sources),are identified and included in a detailed report sent to the
Content Analysis administrator.

Cached Responses can be used to speed up processing for files that have been
scanned previously.

The Blue Coat WebPulse service is an integral part of Content Analysis protection.
Users are protected by the BCWF database on the ProxySG appliance, and when
viruses and malware are discovered through scanning, those results can be shared
with Blue Coat to classify bad URLs for the benefit of all WebPulse users
worldwide.

Blue Coat Content Analysis 1.2.4.4 Release Notes

Section A: Content Analysis 1.2.4.4 Release

Whats New?
No new features have been added to this release.

Content Analysis 1.2.4.4 Resolved Issues

This release resolves the following issues:
p

Upgrade failure on Content Analysis Virtual Appliance due to a timeout

while downloading the birth certificate (B#215250).

Slow browsing due to queued ICAP connections (B# 216223).

Content Analysis handles 301 HTTP response incorrectly (B# 217381).

Whitelisting file verification causes scanning latency (B# 217380).

Unknown reboot on Content Analysis running 1.2.4.1 (B# 216266).

Blue Coat Content Analysis 1.2.4.4 Release Notes

Section B: Content Analysis 1.2.4.3 Release

Whats New?
No new features have been added to this release.

Content Analysis 1.2.4.3 Resolved Issues

This release resolves the following issues:

Sophos updates fail periodically with Content Analysis 1.2.4.1. (B#216003)

Slow browsing due to queued ICAP connections. (B#216223)

Blue Coat Content Analysis 1.2.4.4 Release Notes

Section C: Content Analysis 1.2.4.2 Release

Whats New?
S200 Hardware Support
Content Analysis has added S200 hardware support to this release.

Dashboard Updates
Content Analysis has added increased visibility from the management console
into threats detected, scanned, and scanning as well as a system summary and
last antivirus pattern updates. The home page of the management console
includes the Last 5 Threats Discovered.

To drill down on any information in the home page, go to Statistics > Overview,
as shown in the following example:

Blue Coat Content Analysis 1.2.4.4 Release Notes

Email Day Report

An Email Day Report option has been added to the Statistics tab. The report
is available from Statistics > Overview, Cache Hits, Connections, CPU/
Memory Usage, ICAP Objects, Object Bytes, Sandboxing and Whitelisting.
Users have the option to schedule the day report:

SNMPv1 and SNMPv3 Support

SNMP v1 and SNMPv3 Support has been added to this release.

CLI command >access_list

The CLI command >access list has been added to this release. The command
enables the setup of network access for ICAP and web management.

Blue Coat Content Analysis 1.2.4.4 Release Notes

Content Analysis 1.2.4.2 Resolved Issues

p
p

Ghost Vulnerability (CVE-2015-0235) has been fixed in the COE. (B#214093)

Blocking AV File Types when using Kaspersky is not working as expected.
(B#211929)
Duplicate routes noticed after adding a network route to CAS device.
(B#214089)

Services are not restored after crash. (B#214522)

Unable to add routes with Netmask of 255.255.255.255 (B#214615)

Whitelisting (hours) is confused with Whitelisting (days). (B#212583)

MAA reports error, 'failed with HTTP code 404' when trying to send .zip
archives. (B#214286)

Unable to delete IP address on 2nd interface. (B#203507)

McAfee messages not going to remote syslog. (B#213634)

McAfee reports 'File within archive size exceeded' instead of 'MIFS' on

some files. (B#214038)
Front Panel LED is set to green before hardware configuration completes.
(B#213482)

Enable editable email and text alerts in the UI. (B#213447)

CAS does not block some JavaScript files. (B#210028)

Expose additional monitoring SNMP MIBs. (B#211579)

Received Server error: 500 Server error improperly instead of decode/

decompression error. (B#214281)
Whitelist results are reported as known bad instead of Whitelisted.
(B#214036)
Sophos is not blocking Java byte code. (B#215003)

Content Analysis 1.2.4.2 Known Issues

p

Email Day Report button is not documented. See "Dashboard Updates"

Blue Coat Content Analysis 1.2.4.4 Release Notes

Initial Configuration
1. Connect to the appliance through the Serial Console connection at the rear
of the appliance.
2. Launch a terminal application, such as hyperterm. Enter the following
connection settings:
BPS: 9600
Data bits: 8
Parity: none
Stop bits: 1
Flow control: none
3. To start the initial configuration wizard, select Initial Setup. This wizard
prompts you to define the following settings:
IP Address
Subnet Mask
Default Gateway
DNS Server
Alternate DNS Server
Administrator password

4. After you have defined the settings in Step 3, you can reach the CAS
management console via a web browser as follows:
https://x.x.x.x:8082 (replace x.x.x.x with the CAS appliance IP address
defined in the previous step)
5. Enter the administrative credentials to log in to the appliance:
username: admin
password: <defined in step 3>
6. On first access, Content Analysis prompts you to apply a license file. You
can obtain your license file by registering your appliance at https://
bto.bluecoat.com/licensing.

Web Browser Support

The following Web browsers are compatible with the CAS management
console:
p Microsoft Internet Explorer version 9 and later.
p Mozilla Firefox version 2 and later, including latest stable release.
p Google Chrome, latest stable release.

Content Analysis System Licensing

Your Content Analysis license defines the components to which your appliance
has access. The available components are:
p Content Analysis Base license - this is the appliance license and is included
with each subscription.
p Anti Virus vendor licenses from Kaspersky Labs, Sophos and McAfee.
p Sandboxing - this provides Content Analysis with the ability to analyze
suspicious files in an external sandbox environment
p Whitelisting - component that uses a hash to identify files and sources that
may appear suspicious but are trusted.

Blue Coat Content Analysis 1.2.4.4 Release Notes

Section D: Content Analysis 1.2.3 Release

Content Analysis 1.2.3 Resolved Issues
p

Java script was not available as a data type to select in the UI to create
policy. (B#211586)
Note: Note: If the policy for CAS is to block or ignore java script files but
the web server sends the files compressed or otherwise encoded, CAS does
not recognize those files as java script and does not perform the expected
action (to block or ignore java script files).

p
p

Selecting an MAA plugin to use (for sample detonation) was not available
in the CAS UI. (B#211585)
Files within archives were not being passed to MAA sandbox for
detonation. (B#211584)
CAS sends host name rather than FQDN (fully qualified domain name) on
SMTP connection. (B#210884)
(SR 2-1003787288) 10G Fiber NIC card does not support bypass mode.
(B#209707)
(SR 2-929566911) Added the ability to disable SNMP (B#209256)
(SR 2-989676102) Some MP3 files were being treated as executables.
(B#209301)
CAS was not properly checking content length of headers when scanning.
(B#208796)
In some circumstances when ICAP Preview is enabled, CAS will return 400
bad requests. (B#208498)
After pattern updates, under some circumstances some files will return an
error. (B#206570)
AVWatchdog aggressively restarts SNMP server. (B#205414)

Content Analysis 1.2.3 Known Issues

p

CRC errors on sending .rar file to MAA. (B#211270) MERGED WITH Files
inside a .rar archive not being sent to MAA. (B#211302)

CAS HAS LIMITED RAR SUPPORT: Libachive has limited support for
reading RAR archives. Currently, Libarchive can read RARv3 format
archives which have been either created un-compressed, or compressed
using any of the compression methods supported by the RARv3 format.
Libarchive can also read self-extracting RAR archives.
p

Files are passed to the MAA sandbox (maximum allowed: 5 archive layers)
for detonation. (B#211584)

Blue Coat Content Analysis 1.2.4.4 Release Notes

Section E: Content Analysis 1.2.1.3 Release

Content Analysis 1.2.1.3 Resolved Issues
p

10

This release resolves the security vulnerability CVE-2014-6271. For more

information on this vulnerability, please see Blue Coat security advisory
SA82 at https://kb.bluecoat.com/index?page=content&id=SA82.
When the file size exceeded 10MB it was sent to disk, which was closed
when the hash was computed. This fix reopens the file before sending the
response. (B#208423)
When the Content Analysis receives updated AV patterns or configuration
elements changed, the ISTag was not updated. (#B209492)

Blue Coat Content Analysis 1.2.4.4 Release Notes

Section F: Content Analysis 1.2.1.2 Release

Whats New?
p

Sandboxing service configuration improved to allow for multiple Blue Coat

Malware Analysis appliances, load balanced based on system health and
emulation and IntelliVM queues.
Support for multiple MAA IntelliVM file execution profiles, as well as
SandBox VM emulation on each configured MAA.
Antivirus, Sandbox and Whitelisting caches can now be cleared from the
management console.

Content Analysis 1.2.1.2 Resolved Issues

The following issues are resolved in Content Analysis 1.2:
p

Blue Coat Support Service Request (SR) numbers higher than 2-xxxxxxxxx
are now supported (B#200992).
Sophos fails to block a file when it is larger than the defined Maximum
Inividual File Size (MIFS) (B#201706).
McAfee incorrectly identifies Maximum Individual File Size as File Within Archive
Size Exceeded (B#201707).
Anti-virus setting for Allow generated a File Blocked message but served the
file (B#201361).
McAfee update fails with the error, Incremental resolver failed
(B#201197).

Syslog latency hangs the anti-virus service (B#201223).

LCD should display appliance IP address and appliance name (B#201563).

p
p

Sandboxing returns an error, MAA::Pool::GetNext() called, no valid

hosts found (B#201608).
Sandboxing fails with :SendGetRequest:failed with HTTP code 401
(B#201610).
Unable to change DNS addresses in the Management Console (B#201035).
Error in catalina.out, Could not parse date::Unparseable date:
(B#201067).
Logs filling with Error:Semaphoe::Wait:Timed Out error messages
(B#201384).
Email alerts should prefix the location of known bad file with hxxp://
rather than http:// as documented, for safety (B#201565).
Pattern download status not displayed (B#202023).

11

Blue Coat Content Analysis 1.2.4.4 Release Notes

Content Analysis 1.2 Known Issues

The following issues are known in Content Analysis 1.2:
p

12

When processing a request modification ICAP scan, Content Analysis does

not block file types set in the Global Options file type list (B#193352).
Workaround: Define blocked file types for ICAP requests in Kaspersky or
Sophos anti-virus settings directly.
When processing a request modification ICAP scan, Content Analysis
blocks all files if unknown is set in Kaspersky anti-virus settings
(B#191055).
Workaround: Do not set the Unknown file type to block.
The error, Failure occurred when requesting a log rotation is produced when
system logs are rotated. The log rotation does take place, but the error
suggests that it did not (B#202088). No workaround required.
Downgrading from Content Analysis 1.2 to 1.1.5.2 with LDAPS configured
causes an exception when trying to authenticate as an LDAP user
(B#201922). Workaround: In this scenario, administrators should log in with a
local user account.
Issues are caused by exporting and importing a configuration file when
extended characters are present at the end of the Content Analysis system
hostname (B#196562).
Workaround: Refrain from using extended characters when defining system
hostnames.
The screen does not automatically refresh the page after the administrator
clicks the Reset All Historical Statistics button (B#196688)
Workaround: Manually refresh the screen to see a refreshed view of the
statistics report.
Setting a blank LDAP Role Attribute will cause an exception and can lead to
unpredictable results (B#198357).
Workaround: Do not set a blank LDAP Role Attribute.
Whitelisting and Sandboxing threats are not detected in files that are
uploaded via forms encoded in MIME (B#202393).
Workaround: None.

Blue Coat Content Analysis 1.2.4.4 Release Notes

Section G: CAS 1.1.5.2 Release

CAS 1.1.5.2 Resolved Issues
The following issues are resolved in CAS 1.1.4.2:
p

In previous versions, CAS was vulnerable to OpenSSL 1.0.1. TLS/DTLS

heartbeats are vulnerable to buffer over-read that discloses information
kept in process memory. For specific information regarding Security
Advisory 79, see:
https://kb.bluecoat.com/index?page=content&id=SA79

For all Blue Coat Security Advisories, refer to:

https://kb.bluecoat.com/index?page=content&channel=SECURITY_ALERTS

13

Blue Coat Content Analysis 1.2.4.4 Release Notes

Section H: CAS 1.1.5.1 Release

Whats New?
p

CAS 1.1.5.1 is being released as a virtual appliance for general availability.

Support for up to 4 NICS on the S400 Platform.

CAS 1.1.5.1 Resolved Issues

The following issues are resolved in CAS 1.1.5.1:
p

ICTM wasnt immediately dropping slow connections (B#199784).

Whitelisting performance optimization (B#199388).

MAA traffic is no longer routed through the explicit proxy (B#199375).

CAS 1.1.5.1 Known Issues

The following issues are known in CAS 1.1.5.1:
p

14

If you are changing explicit proxy settings, you must restart the ICAP
service, in order for whitelisting traffic to use the new settings (B#199781).
Premature failed update alerts are sent on pattern download failures even
though the server recovers automatically (B#199019).

Blue Coat Content Analysis 1.2.4.4 Release Notes

Section I: CAS 1.1.4.2 Release

CAS 1.1.4.2 Resolved Issues
The following issues are resolved in CAS 1.1.4.2:
p

In previous versions, CAS was vulnerable to a command injection attack

from the CLI (B#199318). For specific information about Security Advisory
78, see:
https://kb.bluecoat.com/index?page=content&id=SA78

For all Blue Coat Security Advisories, refer to:

https://kb.bluecoat.com/index?page=content&channel=SECURITY_ALERTS

15

Blue Coat Content Analysis 1.2.4.4 Release Notes

Section J: CAS 1.1.4.1 Release

CAS 1.1.4.1
Content Analysis System (CAS) 1.1.4.1 is the initial general availability release.

CAS 1.1.4.1 Known Issues

Issue: The Management Console permits saving an invalid network route
(B#198738).
Workaround:

Provide a network address for a route, not a host address.

Issue: DNS cache is not cleared automatically when you change the DNS server
addresses (B#198569).
Workaround:

Reboot the appliance after changing DNS settings.

Issue: Upon initial boot or after restoring the appliance to a factory default
state, the Onboard Diagnostics tab may display no data (B#198178).
Workaround:

Reboot the appliance.

Issue: The Quick Start Guide Addendum Step #1 indicates that there is a default

password.

Workaround: This is no longer valid: you can set the default password. For more
information, see previous section within these Release Notes.

16

Blue Coat Content Analysis 1.2.4.4 Release Notes

Section K: CAS 1.1.3.1 Release

CAS 1.1.3.1
Content Analysis System (CAS) 1.1.3.1 an initial limited availability release.

CAS 1.1.3.1 Known Issues

Issue: When diagnostic data is uploaded to a Blue Coat Service Request, the
appliance may report errors.
Workaround: The error messages can be ignored.
Issue: When a secondary interface on the CAS appliance is configured,
removing the IP address and subnet mask has no effect (B#197138).
Workaround: If a second interface is not required for your CAS deployment,
leave this option blank. If no cable is connected to the secondary interface, this
value can be ignored.
If you have configured the second interface and need to clear the value, restore
the appliance to a default state and only configure the primary interface.
Issue: The Test option on Sandboxing doesn't work until you save changes
(B#196510).
Workaround: Save any changes to the sandboxing configuration before testing.
Issue: Reset All Historical Statistics button does not immediately reset all graphs.
The graphs clear at the next 30 second update interval (B#196688).
Workaround: After clicking Reset All Historical Statistics on the CAS home page,
wait as much as 30 seconds for the graphs under Statistics to clear.
Issue: When modifying TLS and Cipher ICAP settings, the ICAP service
restarts. ICAP scanning is then unavailable for the next 30 seconds or so. Future
releases of CAS will include a warning after committing a change to these
values (B#196736).
Workaround: Wait 30 seconds after making a change to TLS and Cipher settings
before scanning ICAP traffic. Note, ICAP scanning logs report failures for this
interval.
Issue: Administrators can add duplicate local users with conflicting roles. After
refreshing the CAS management console, the duplicate user entry replaces the
initial user entry (B#195635).
Workaround: Avoid creating multiple accounts with the same user name.
Issue: When processing a request modification ICAP scan, the CAS appliance
blocks all files if unknown is set to block (B#191055).
Workaround: Deployments that use the CAS appliance to scan requests should
avoid setting the unknown file type to block.
Issue: When processing a request modification ICAP scan, the CAS appliance
does not block files set in the Global Options file type list (B#193352).
Workaround: Define blocked files for ICAP requests in Kaspersky or Sophos settings directly.
Issue:

The CAS management console does not report the SNMP version being
used for SNMP messaging (B#195459).
Workaround: The CAS appliance uses SNMP version 3 for traps.
Issue: Audit logs shows enable/disable, serve/block as 0 and 1 when setting
file behavior (B#190807).

17

Blue Coat Content Analysis 1.2.4.4 Release Notes

Workaround:

When examining CAS appliance logs, note that 0 represents

enabled or serve and 1 represents disabled or block.
Issue: Deleting packet capture does not prompt you to confirm the action or
refresh the page (B#195591).
Workaround:

Use caution when using Troubleshooting > PCAP, as the delete button
provides no warning.
Issue: After committing a change to the appliance configuration, a message
appears at the bottom of the CAS UI to advise that the change was successful.
This message does not clear from AV Scanning Behavior (B#195266).
Workaround:

Log out of the CAS management console or use a hard browser

refresh, (CTRL+F5) for the success message to clear.

Issue: Using HTTPS for image or license downloads from an internal HTTPS
server requires that the server have a trusted certificate installed. Self-signed
certificates are not supported.
Workaround:

If your HTTPS server does not have a trusted certificate, use an

internal HTTP server for local image and license downloads.

Support
For general information about Blue Coat: bcs.info@bluecoat.com.
Direct support questions regarding this release to Blue Coat Support. For more
information, visit: http://www.bluecoat.com/support/contactsupport

Blue Coat Knowledge Base

Blue Coat has a Knowledge Base, which contains information about this
product that might not be available in the documentation or Release Notes. The
Knowledge Base contains information in the following categories:
p Solutions
p FAQs
p Alertsincluding security alerts
p Technical field information
Blue Coat recommends that you regularly search the Knowledge Base for latebreaking information that might not be included in the documentation or
release notes.
To view articles in the Knowledge Base:

1. Enter the following URL in your browsers address or location field:

https://kb.bluecoat.com
2. Do any of the following:
To get an answer to a specific question, enter the question in the Ask a
question field, and click Ask.
To view a specific set of articles, click a selection in the horizontal
navigation bar (Solutions, FAQs, and so on).
All of the sections enable you to browse by product, operating system,
type of deployment, or topic.
3. Follow the prompts on your screen to locate the desired information.

18

Blue Coat Content Analysis 1.2.4.4 Release Notes

Blue Coat Systems, Inc. All rights reserved. BLUE COAT, PROXYSG, PACKETSHAPER, CACHEFLOW,
INTELLIGENCECENTER, CACHEOS, CACHEPULSE, CROSSBEAM, K9, DRTR, MACH5, PACKETWISE,
POLICYCENTER, PROXYAV, PROXYCLIENT, SGOS, CAS, MAA, WEBPULSE, SOLERA NETWORKS,
DEEPSEE, DS APPLIANCE, SEE EVERYTHING. KNOW EVERYTHING., SECURITY EMPOWERS
BUSINESS, BLUETOUCH, the Blue Coat shield, K9, and Solera Networks logos and other Blue Coat logos are
registered trademarks or trademarks of Blue Coat Systems, Inc. or its affiliates in the U.S. and certain other
countries. This list may not be complete, and the absence of a trademark from this list does not mean it is not
a trademark of Blue Coat or that Blue Coat has stopped using the trademark. All other trademarks
mentioned in this document owned by third parties are the property of their respective owners. This
document is for informational purposes only.
BLUE COAT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE
INFORMATION IN THIS DOCUMENT. BLUE COAT PRODUCTS, TECHNICAL SERVICES, AND ANY
OTHER TECHNICAL DATA REFERENCED IN THIS DOCUMENT ARE SUBJECT TO U.S. EXPORT
CONTROL AND SANCTIONS LAWS, REGULATIONS AND REQUIREMENTS, AND MAY BE SUBJECT
TO EXPORT OR IMPORT REGULATIONS IN OTHER COUNTRIES. YOU AGREE TO COMPLY STRICTLY
WITH THESE LAWS, REGULATIONS AND REQUIREMENTS, AND ACKNOWLEDGE THAT YOU HAVE
THE RESPONSIBILITY TO OBTAIN ANY LICENSES, PERMITS OR OTHER APPROVALS THAT MAY BE
REQUIRED IN ORDER TO EXPORT, RE-EXPORT, TRANSFER IN COUNTRY OR IMPORT AFTER
DELIVERY TO YOU.

Americas:
Blue Coat Systems, Inc.
420 N. Mary Ave.
Sunnyvale, CA 94085

Rest of the World:

Blue Coat Systems International SARL
3a Route des Arsenaux
1700 Fribourg, Switzerland

19

Blue Coat Content Analysis 1.2.4.4 Release Notes

20