Blog

Athena: 30.0

30.2.3

New Features and Enhancements
Item Details
YouTube Cache Added support for IE11 on Windows 7.
Problem Resolutions
Webmail Added support for larger numbers of email folders.
Firewall New 1:1 NAT rules could not be created in 30.2.x releases.
Proxy Logs Proxy logs appear truncated. This was caused by incorrectly formatted log entries preventing any subsequent log entries from being displayed.
Performance Possible issues caused by malicious traffic.
Quotas Free sites list not correctly applied to certain connections.

30.2.2

New Features and Enhancements
Item Details
RoamSafe for iOS RoamSafe for iOS is an “Always on VPN” solution for iOS 9 (and above) devices in supervised mode. This solution integrates with most MDM solutions and Apple DEP and provides support for web filtering, application control, firewalling and ClearView social media management. Please refer to the CyberHound appliance Help function for details of RoamSafe VPN configuration.
Internet Quota Permissions for Internet Authentication and Internet Quota configuration are now separate and provide better control of which groups are allowed to access these features.
Firewall Added an option Configuration > Advanced > Allow Asymmetric Routing. On most sites, this should be set to “no” in order to ensure that packets with LAN source addresses are properly blocked from being sent out the internet interface, but it will be set to “yes” on existing sites to avoid blocking legitimate traffic on sites which require asymmetric routes.
YouTube Restricted Mode Added support for forcing YouTube Restricted Mode using DNS instead of cookies. This method is harder to circumvent but cannot be used with group exclusions.
Web Filtering Incorporated real time updates of URL categorization.
YouTube Cache Improved playback of embedded YouTube videos in Safari on iOS.
Web proxy Improved the handling of custom certificates for HTTPS inspection.
ClearView Improved handling of Twitter direct messages.
Problem Resolutions
Administration The Proxy Statistics page now shows the web proxy performance information correctly.
Configuration Port forward changes are now correctly applied when clicking the Apply button in Advanced Firewall.
Configuration The RoamSafe Agent > General > Force Login option is now enforced correctly.
Configuration Local interface names are now restored correctly when restoring from a backup.
Email Monitoring Email scanning failures can no longer impact performance of the appliance.
Email Monitoring Resolved an issue where some emails were not quarantined properly.
Web Filtering The WhatsApp web application definition in Access Policies > Web Applications has been corrected.
Webmail Fixed an issue that prevented old mail to be deleted as configured.
Webmail Fixed an issue where mailboxes were not deleted properly.

* RoamSafe Agent was formerly known as the BIC agent
† ClearView was formerly known as SafeChat

30.2

Major BIC Agent Update, Device Reboot Required

Item Type Details
Reporting Resolution Some web links in reports were pointing to a page that no-longer exists. This has been resolved.
Configuration Enhancement Existing settings for network configuration and the RoamSafe* agent will be migrated to our unified configuration framework during the upgrade. This will enable better integration with third-party products in future releases.
IPsec Resolution The IPsec backend has been replaced; the new backend improves stability and interoperability with other IPsec endpoints.
Web Filtering Enhancement Significantly enhance the performance of custom URL filtering lists.
Web Filtering Enhancement New Feature: Lesson Override. See the Lesson Override product page for more details. Please note that this feature is currently not available for the RoamSafe agent.
Large Object Cache Enhancement Enhancements to YouTube caching to improve robustness and broaden device support. The YouTube cache now also provides logs in the web interface.
Web Interface Enhancement Increase resource limits based on available RAM to improve performance and reliability, particularly when there are large numbers of users and requests per second to the web interface and/or reverse proxy.
ClearView Enhancement Improved handling for Facebook user details in ClearView events.
Time zones Resolution Errors that could prevent time zone changes from being applied correctly have been resolved.
Web proxy Enhancement Non-ASCII Unicode characters are now supported in custom proxy.pac files.
Operating System Enhancement In some configurations full file-system checks could be triggered even when not needed. This has been resolved, allowing faster boot times.
CONNECT Proxy Enhancement Detect invalid configurations and warn the user in the web interface.
Internet Quota Resolution Users of the direct proxy could sometimes exceed their quota allocation, this has now been resolved.
Webmail Resolution Changing the sort order in webmail (including email quarantine) was not working, this has now been resolved.
Reporting Resolution Links to web filtering categories in email reports were invalid, this has now been resolved.
Performance Enhancement Database parameters have been changed to improve performance and reduce system load.
ClearView Enhancement Improved support for scanning Google Hangouts messages.
RoamSafe Agent* Enhancement Improved hardware compatibility support for UEFI Secure Boot in Windows 10. This may be needed depending on the manufacturer of the hardware.

* RoamSafe Agent was formerly known as the BIC agent
† ClearView was formerly known as SafeChat

30.1.10.3.1

Item Type Details
Web Proxy Resolution Reduce proxy memory usage and improve stability when free memory is low. Affected sites should request an upgrade from the support team.

30.1.10.2

Item Type Details
Backup Restore Resolution Fix an issue that prevented restoring configuration backups onto a freshly-imaged box.

30.1.10.1

Item Type Details
Proxy Enhancement Include X-Forwarded-For and Via headers in HTTP requests to notify remote servers that the source IP address is shared among many users.

30.1.10

Item Type Details
Database Upgrade Enhancement Upgrade database backend for increased performance and reliability. Existing customer data will be migrated automatically to the new backend as part of the upgrade process.

30.1.9.9

Item Type Details
Web Filtering Enhancement Add support for enforcing Google Safe Search via DNS. This allows google to be excluded from HTTPS inspection as a temporary work around to avoid the Google Captcha while providing search safeguards.

Customers should upgrade to this release if their users experience redirection to Google captcha pages when executing a Google search.

Safe Search can be enabled by selecting “moderate” or “strict” from the Enforce SafeSearch? dropdown in Access Policies > General.

30.1.9.5

Item Type Details
HTTPS inspection Resolution When a HTTPS inspection certificate expires, flush all site certificates that were issued using the old certificate and regenerate with the new one.
SafeChat Archive Resolution When archiving Microsoft Lync messages, provide better error reporting when the Lync database server refuses connections due to low memory.
SMTP server Resolution Make sure internal services running on the CyberHound Solution can still access the SMTP server even when all connections from outside are blocked.
802.1X Pass-Through Authentication Enhancement Default to ignoring 802.1X stop records, to improve compatibility with wireless vendors. Existing settings will not be changed.
BIC Agent (Windows) Enhancement Add workarounds for compatibility with OneDrive.

30.1.9.4

Item Type Details
Internet Auth Resolution Fix errors affecting certain SSH pass-through authentication configurations.

30.1.9.3

Item Type Details
Internet Auth Enhancement Support for SSH pass-through authentication on Mac OS X 10.11 (El Capitan).
Large Object Cache Enhancement Support for Magic Software eTextbook caching.

30.1.9.2

Item Type Details
Firmware Enhancement The latest Firmware for the IBM M4 series platforms is included in this release. The firmware update is applied post the update, and will be activated upon the following reboot.

30.1.9.1

Item Type Details
Kernel Enhancement Upgrade operating system kernel to enhance performance and reliability.
Agent Enhancement Add support for Mac OS X 10.11 (El Capitan).
Network Monitoring Resolution Correctly report data usage of YouTube videos when the YouTube Video Cache is enabled.
YouTube Video Cache Enhancement Add support for a new video format.
YouTube Video Cache Enhancement Better support for Safari on iOS devices.
SSH Pass-Through Authentication Enhancement Work-around for browsers that incorrectly fill out the username and password field in the Pass-Through Authentication configuration screen.
Web Proxy Resolution Proxy IP address access list now only applies to direct proxy mode (similar functionality is provided for transparent proxy users via Access Policies).

30.1.8

Item Type Details
NGFW Enhancement Improvements to the memory handling and performance for the network application detection, allowing tracking and identification of even more connections at once.
SafeChat Enhancement Detailed logging for Yieldbroker capture, providing for easier debugging should the need arise.
Traffic Shaping Enhancement Update the statistics view to remove redundant / inaccurate columns.
Online Help Enhancement A number of improvements and enhancements to the online help.
Email Scanning Resolution Address an issue where some global quarantine folders would not automatically have older emails removed.

30.1.7.2

Major BIC Agent Update, Device Reboot Required

Item Type Details
BIC Agent Enhancement Official release of the BIC agent for release 30. It’s recommended that this BIC update be rolled out slowly as with all major upgrades to ensure full compatibility with all programs in your environment.

30.1.7.1

Item Type Details
Web Categorization Resolution It was found that in situations where the categorization was too fast at returning results, the requester assumed it was invalid, and retried, causing unnecessary delays when performing categorization, this release resolves this issue.

30.1.7

Item Type Details
Internet Auth Enhancement Continuing further back end changes to improved the performance and robustness of the internet auth service.
Archiving Emails Enhancement Use a trick to prevent browsers auto-filling the username and password field on the archive emails screen, making it more obvious when it’s currently blank.
Suggested Policies Enhancement An updated set of suggested policies for SafeChat for commercial and government customers.

30.1.6.1

Item Type Details
Internet Auth Resolution Address an issue where when a user exceeded quota, and logged in again within 15 seconds, the login for that IP would fail.

30.1.6

Item Type Details
Microsoft Lync Enhancement Increase the speed and robustness of the Lync capture service. This requires an upgrade to the server service.
HTTPS Inspection Resolution Accommodate null SSL data payloads, rather than treating this as an error, continue to leave the connection open. This is required for some very specific servers that send empty SSL payloads from time to time.
Internet Auth Enhancement Internal changes to the caching and storage of information to increase performance and reliability of the Internet Auth services.

30.1.5.1

Item Type Details
AD Auth Enhancement The AD Pass-through authentication service now has a lot less logging by default to the Event Viewer. This is interface compatible and is not a required upgrade, but is recommended for all customers using this service.
Net Auth Resolution Accommodate loosing connectivity and other transient errors more gracefully such that authentication continues to work in all situations.

30.1.4

Item Type Details
Web Proxy Enhancement Improved memory handling and more robust support when applying major changes that would require the service to restart.
IPSec Enhancement Update the UI to more accurately reflect the configuration options.

30.1.3.1

Item Type Details
YouTube Cache Resolution Due to recent changes in YouTube, an update has been made to the YouTube cache. This update will also enable the YouTube cache again which was automatically disabled to prevent problems accessing the platform.

30.1.3

Item Type Details
YouTube Restricted Mode Enhancement The text and wording in the CyberHound Solution interface has been updated to reflect the new name for YouTube Safety Mode, it’s now called YouTube Restricted Mode.
Filtering Changes Resolution In some situations clicking Apply Changes didn’t take effect when some changes to filtering and other options were changed, this has been addressed and changes will apply correctly without the need to reboot.
Large Object Cache Enhancement A new option has been added to rate-limit the Large Object Cache download speed. This is still experimental, and will not rate-limit in all situations, however will will to provide a level of control previously unavailable to this specific service.
802.1X Authentication Resolution When responding to packets from an NPS server, a specific response header is required, there was a regression in release 30 that meant this was no longer happening. This has been resolved, and the NPS server should again accept the response packets from the CyberHound Solution.
Internet Auth Enhancement Should there be issues with the internet auth service, more mechanisms have been put in place to identify this, and automatically resolve the issue before users notice.

30.1.2

Item Type Details
Microsoft Lync Archive Enhancement For servers that are very busy or otherwise slow, the connection to the CyberHound could time out during the creation of bundles. The internal timeouts have been increased to minimize the chance of them being hit, and ensure successful delivery.
Email Scanning Enhancement Detect and block another specific form of malformed headers, preventing these entering the network.
BIC Agent Enhancement The BIC Agent will now detect the production release of Windows 10, in preparation for it’s full release 30 build.
1:1 NAT Enhancement Previously a reboot was required on release 30 to apply 1:1 NAT changes, this update removes that need, and allows changes to be applied with the system running.
Email Aliases Resolution An issue was identified where a massive email alias list (typically over 100 recipients) would exceed internal limits, causing delivery to not complete. This has been addressed and the limit on email aliases removed.
Internal Services Enhancement A number of changes have been made to internal services to ensure they are more reliable, and notifications are sent should there be an unexpected issue.

30.1.1

Item Type Details
Internet Authentication Enhancement Some minor updates have been made to Internet Authentication to accelerate logins for users that are already active at an IP address, this can happen when users are roaming between access points and each AP is sending updates to the CyberHound Solution.
Connection Monitoring Resolution There was an issue that prevented the live connection monitoring feature working in all situations in the initial release 30, this has now been resolved.
Logs Resolution An issue with the large object cache logs was identified, this has now been resolved and logs can be viewed again for the large object cache, this includes logs prior to the update.
802.1X Integration Enhancement When receiving packets from AP’s, previously, invalid packets that were correctly signed would be ignored and no reply would be sent. Due to buggy AP’s the CyberHound Solutionwill now reply to a packet that is correctly signed, but then ignore it internally if it is invalid.

30.1

Major BIC Agent Update, Device Reboot Required

Item Type Details
Authentication Enhancement Better manage a subset of users on a massive AD servers (i.e.: more than 10,000 users), by providing a filter for desired users for a specific location by security group. Desired groups for a site can be set under Configuration > Authentication in the AD plugin, there is a new field titled “Active Groups”, which is an optional group filter applied to all lookups.
Web Proxy Enhancement The logging for the web proxy has been enhanced to include a lot more data on each request, including categories, user agent, and matching policy for allow rules. A new detailed log option is available for the Web Proxy logs to access all of this information.
Note: If using automated log parsing tools, these will need to be updated to support this new format.
NGFW Enhancement Decide if HTTPS inspection should be done on a specific request based on the SNI header only (not the IP address) this provides more accurate and faster categorization for “Bypass HTTPS Inspection” policies.
NGFW Enhancement Allow the use of custom domain categories for “Bypass HTTPS Inspection”. This includes the matching of subdomains (e.g.: .example.com to match example.com and all subdomains). This is now the preferred method for HTTPS exclusions, and some of these will be automatically migrated from the configuration screen.
NGFW Enhancement On the Block Activity report, introduce a new protocol column to match what is available in Network Monitoring.
NGFW Enhancement Block the use of the non-standard QUIC protocol by default for all traffic, enforcing the use of standards based web traffic. This option can be set under Access Policies > General.
NGFW Enhancement A new permission level has been introduced to allow for “Test policies and recategorization”. This means users can be given the ability to request a recategorization, without the ability to change policies.
Pipe Plus Enhancement If DNS servers have been configured for a specific link, and force route is now automatically added for each of the DNS servers to push the traffic out that link, removing the need to do this manually.
HTTPS Inspection Enhancement If an upstream SSL certificate changes or is temporarily broken, more rapidly detect this and generate a new local certificate.
Redirection Enhancement For captive portal logins and other redirected pages on HTTPS, use SNI for the certificate generation.
BIC Agent Enhancement Enhanced memory management for big local uploads, minimizing the use of local memory.
BIC Agent Enhancement Better handle the corruption of settings on the agent side, and use a different format to prevent leakage of corruption of settings should this occur.
BIC Agent Enhancement In some instances on Mac OS X, the agent is not notified that the system has come back from sleep, causing traffic to be block for extended periods, use a secondary method to detect this, and more quickly recover when coming back from sleep.
BIC Agent Enhancement Use the newer SHA256 when generating HTTPS inspection certificates.
BIC Agent Enhancement If a reboot is required on the agent, more regularly notify the user that a reboot is required to encourage this to happen sooner.
BIC Agent Resolution When testing policies for the BIC agent under Access Policies, more closely match what would happen on the BIC Agent to provide an accurate representation of the policies that would be applied.
Reporting Resolution When displaying user generated content in a report, if the content is HTML, correctly escape it to prevent display issues.
BYOD Installer Enhancement A new MSI BYOD certificate installer is now available, this is ideal for sites that wish to distribute the certificate installer via group policy. This same installer can run as either a local machine account or a domain admin account, depending on your AD configuration.
Archive Emails Enhancement For archive emails and Symantec EV integration, provide more detailed logs on both success and failure.
Direct Proxy Enhancement Provide the ability to exclude local networks and IP’s from authentication on the direct proxy (in addition to remote servers).
Direct Proxy Enhancement If using automatic proxy configuration, a new field is now available to create a custom proxy.pac file, at the bottom of the Configuration > Web Proxy screen. If this is set, the automatic proxy.pac file is not generated, and the custom one is use instead.
Web Mail Resolution In some views, the ordering by date was not working correctly, this has been addressed.

30 / 30.0.1

This release is a rebuild of the CyberHound Solution core OS to the latest generation enterprise platform. This includes everything from the kernel to the userspace environment.

Item Type Details
CyberHound OS Enhancement A complete rebuild of the core OS, from the base kernel upwards. Providing improved boot times (now 3 times faster), more rapid service restart (50%-95% faster), and support for the latest network technologies.
Web Proxy Enhancement Support for SNI (Server Name Identification) for outbound HTTPS requests. This will provide compatibility for those clients and servers utilizing these extensions.
HTTPS Inspection Enhancement Using the SNI header, the ability to exclude hosts from HTTPS inspection is now possible using wildcards, providing the ability to exclude an entire domain, and all its subdomains in a single rule. This requires the clients to be using SNI to get this benefit.
POP3 Server Enhancement The POP3 server now supports multiple simultaneous logins. Although technically a violation of the RFC, the implementation provides each client with a point in time view, that is then merged at the end of the transaction. This allows for the use of multiple devices that keep the connection open without interference.
DNS Server Change The DNS server will no longer automatically provide forward and reverse DNS lookups for local IPs. For example the reverse of a LAN IP of 1.1.1.1 would yield ip-1-1-1-1.lan, and there would be a forward lookup for the same.