LevelBlue Knowledge Base » Knowledgebase » Sophos for Marshal

Updates fail due to SSL certificate issues

Charles — Tue, 20 Aug 2024 22:30:01 GMT

This article applies to:

MailMarshal (SEG)
MailMarshal ECM/MailMarshal Exchange 7.X
HTTPS Certificates for Internet Access
Blended Threats licensing
Maintenance Check
McAfee for Marshal
Sophos for Marshal
Bitdefender for Marshal

Symptoms:

Installations cannot download updates for Automatic Updates (SpamCensor), or cannot validate Blended Threats or Maintenance
Logs show error Unable to get Local Issuer Certificate
Virus scanner updaters cannot perform updates or licensing checks
Error messages indicate SSL certificate validation errors
New installations may display a warning on installation
- Warning text similar to: The MailMarshal Update service and the Blended Threats Module require SSL certificates currently not installed on this system

Cause:

The most common cause of these symptoms is that required CA root certificates are not installed, so the SSL certificates used by LevelBlue websites cannot be validated.

LevelBlue uses certificates issued by several authorities, including Microsoft, DigiCert, and Let's Encrypt. All of the root certificates for these authorities are included by default in the Windows certificate store.

As of late 2024, Let's Encrypt certificates may be in use.

Currently supported Windows Servers that have the default set of root certificates already have the required certificates (ISRG Root X1). Windows 2012 servers may not have the required certificate.

As of mid 2023, DigiCert is issuing certificates from a new root certificate.

This change is required because some browsers will stop trusting older DigiCert roots in 2025. For more details see information from DigiCert.
For new certificates to be trusted, you must have the DigiCert Global Root G2 installed as a trusted root certificate in the Windows certificate store.
Windows Servers that have automatically installed required updates should already have installed the required certificate.
All certificates currently in use are issued from the new root certificate.

Also, you must allow access to Certificate Revocation List servers (such as http://crl3.digicert.com/ and http://c.lencr.org) to allow SSL connections to be validated.

Resolution:

To resolve this issue in most cases, you can take one of the following actions:

You may be able to install the certificates automatically by browsing to the affected site (such as https://mcafee.marshal.com) using Internet Explorer or Edge from an administrator account. Once you have successfully browsed to the site, try the updater functionality again.
You can manually retrieve the DigiCert Global Root G2 certificate from: https://www.digicert.com/kb/digicert-root-certificates.htm
- Install this certificate to the Trusted Root Certificates store on Array Manager and Processing Node servers. See manual installation instructions at the end of this article.
- Previous generation certificates (validity starting before March 2023) are issued from the DigiCert Global Root CA certificate.
You can manually retrieve the ISRG Root X1 certificate from https://letsencrypt.org/certificates/.
- Install this certificate to the Trusted Root Certificates store on Array Manager and Processing Node servers. See manual installation instructions at the end of this article.

Once the root certificate is installed, all functions requiring web access should work.

Other possible causes:

Cause 2: Access through WebMarshal

If Web access for SEG/MailMarshal or a virus scanner updater is through a WebMarshal installation that is configured for HTTPS content inspection, it is possible that the root certificates are not installed for the account(s) used by the Engine service, Array Manager service, and/or virus updater services.

Note: This cause only applies when Web access is through a WebMarshal installation that has HTTPS content inspection enabled for the specific update sites. Inspection is disabled by default.

WebMarshal HTTPS Content Inspection uses a special locally generated root certificate. This certificate is installed into the user's certificate store by default. It is not available for service accounts by default.
WebMarshal makes an exception for the SpamCensor update site, but current versions do not make an exception for the Blended threats site.

Resolution - WebMarshal certificate:

To resolve this issue, on each SEG/MailMarshal server, manually install the WebMarshal root certificate using the Windows Certificate Management console:

Download the certificate from the WebMarshal.Home page of the WebMarshal installation.
Run Microsoft Management Console (MMC.exe)
Choose to add a snapin and select the Certificates snap in.
Choose to manage certificates for the Computer account.
Open Trusted Root Certification Authorities > Certificates.
Import the certificate.

Alternatively, you might choose to bypass the proxy completely, or disable HTTPS inspection, for the update URLs required by LevelBlue products

Cause 3: Access through a third party proxy

If Web access for MailMarshal/SEG or a virus scanner updater is through a third party proxy configured for HTTPS content inspection, you may need to complete further configuration.

Note: This cause only applies when Web access is through a third party proxy server that has HTTPS content inspection enabled.

The proxy server might not have the required CA certificates installed.
The certificate used for local re-encryption might not be installed on the MailMarshal servers.

Resolution - third party proxy:

To resolve this issue, consult the documentation for the third party proxy and ensure the following:

Verify that all CA certificates required are installed on the proxy server. See the list in resolution 1, above.
Verify that the certificate used for re-encryption (and any CA or intermediate certificates) are installed on the servers.
1. Obtain the certificate(s) required. See the list in the Manual Download section below.
2. On each server in the installation, run Microsoft Management Console (MMC.exe)
3. Choose to add a snapin and select the Certificates snap in.
4. Choose to manage certificates for the Computer account.
5. Import the certificate(s) to the appropriate locations. In most cases Windows will select the locations automatically.
Alternatively, you might choose to bypass the proxy completely for the update URLs required by LevelBlue products. See the documentation for the proxy server.

Additional technical details:

Some Windows releases install a very limited set of SSL CA certificates by default. Additional certificates are downloaded on demand.
- Windows Group Policy can be set to disable the on-demand downloads.

Manual download of certificates:

You can also manually download and install the required CA Certificates using the Windows Certificate Management console.

Install the certificates on Array Manager and Processing Node servers.

Download the root certificate
- DigiCert Global Root G2 (.pem) (right click, save as). See additional links and other formats at DigiCert Root Downloads.
- ISRG Root X1 (.pem) (right click, save as). See additional links and other formats at Let's Encrypt Chains of Trust.
- (Note: SecureTrust certificates that were previously used are no longer required.)
Run Microsoft Management Console (MMC.exe)
Choose to add a snapin and select the Certificates snap in.
Choose to manage certificates for the Computer account.
Open Trusted Root Certification Authorities > Certificates.
Import the root certificate.

Notes:

Verify your system clock is accurate. Certificates might be rejected if they are "out of date" according to the local system time.

If none of the above solutions resolve your issue, contact Technical Support for help in diagnosing and resolving the problem.

What versions of Marshal Anti-Virus and reporting solutions are currently supported by LevelBlue Technical Support?

Charles — Sun, 26 Nov 2023 18:14:08 GMT

This article applies to:

Bitdefender for Marshal
Kaspersky for Marshal
McAfee for Marshal
Sophos for Marshal
Marshal Reporting Console

Question:

What versions of Anti-Virus for Marshal plug-ins are currently supported by LevelBlue Technical Support?
What versions of Marshal Reporting Console are currently supported by LevelBlue Technical Support?

Information:

The following tables show the currently supported versions, planned dates of termination of support, and support end dates for discontinued versions.

Note: In this article "supported" refers to full product support as defined in LevelBlue support policy for the Marshal Product Line.

For "discontinued" versions, LevelBlue can often provide advice to help customers resolve issues. However, LevelBlue may recommend upgrade to a later version of the software.

If a reported problem requires remedial development work, LevelBlue will usually provide a fix only for the latest product version.

Upgrades to the current versions of these products are always free of charge to customers with a current maintenance contract.

All versions earlier than those listed are discontinued.

Bitdefender for Marshal

Notes:

The URL for Bitdefender signature updates changed as of March, 2022. Only version 1.2.0 can access the new update URL.

Software Version

Release Date
Support Status
Discontinued Date

1.2.0.1680
(64 bit only)

August 3, 2021
Active

1.1.2.1623
(64 bit only)

August 22, 2019
Discontinued
March 20, 2022

1.1.1.1564

November 9, 2017
Discontinued
March 20, 2022

Kaspersky for Marshal

END OF LIFE November 22, 2023: Kaspersky for Marshal is no longer sold or supported. The embedded license key has expired. This plugin cannot be initialized. Attempting to use it will cause the MailMarshal or WebMarshal product engines to stop.
Note that Sophos for Marshal is included in all subscriptions for MailMarshal and WebMarshal. For customers who desire a second virus scanner, the recommended option going forward is Bitdefender for Marshal.
- Customers with contracts for Kaspersky for Marshal extending beyond November are entitled to use Bitdefender for Marshal for the balance of the contract term. Contact your sales representative for assistance

McAfee for Marshal

Software Version

Release Date
Support Status
Discontinued Date

6.1.2.1564

November 9, 2017
Active

Note: New McAfee Engine updates will not be provided for 32 bit versions (except to support ECM). Customers MUST use a 64 bit version of MailMarshal or WebMarshal to receive the latest Engine versions that have continuing support from McAfee.

Sophos for Marshal

Software Version

Release Date
Support Status
Discontinued Date

1.1.5.1710
(64 bit only)

March 15, 2022
Active

1.1.4.1679
(64 bit only)

August 3, 2021
Discontinued
September 1, 2022

1.1.3.1637
(64 bit only)

November 3, 2020
Discontinued
September 1, 2022

1.1.2.1564

November 9, 2017
Discontinued
March 22, 2022

Note: Release 1.1.5 includes significant updates for stability and performance. Customers are very strongly urged to upgrade.

Marshal Reporting Console

(previously known as MailMarshal Reporting Console)

Software Version

Release Date
Support Status
Discontinued Date

2.6.0.1469

September 13, 2018
Active

2.5.4.1263

December 5, 2013
Discontinued
September 1, 2022

Note:

Counterspy for Marshal and PestPatrol for Marshal have been discontinued. Signature updates for these scanners are no longer available.

What versions of Marshal Security products are currently supported by LevelBlue Technical Support?

Charles Creegan — Sun, 26 Nov 2023 18:02:27 GMT

This article applies to:

MailMarshal (SEG)
MailMarshal ECM/MailMarshal Exchange
MailMarshal SPE
MailMarshal SES
Marshal Reporting Console
WebMarshal
Bitdefender for Marshal
McAfee for Marshal
Sophos for Marshal
Other Products
- MailMarshal Appliance e10000
- MailMarshal Management Pack for MOM
- MailMarshal Management Pack for SCOM
- Marshal EndPoint Security
- Security Reporting Center
- Firewall Suite
- imMarshal for MSN
- Counterspy for Marshal
- Kaspersky for Marshal
- PestPatrol for Marshal

Question:

What versions of Content Security (Marshal) products are currently supported by LevelBlue Technical Support?

Information:

For full details about supported versions of current products, see the articles linked below:

Premises Email Security

Article Q20961 covers the following products:
- MailMarshal (SEG)
- MailMarshal ECM/MailMarshal Exchange
- Secure Email Server (SES)

Web Content Security

Article Q20962 covers WebMarshal.

Service Provider Email Security

Article Q20963 covers MailMarshal SPE.

Anti-Virus and Reporting

Article Q20964 covers the following products:
- Bitdefender for Marshal
- McAfee for Marshal
- Sophos for Marshal
- Marshal Reporting Console

Deprecated and Discontinued Products

e10000 (MailMarshal Node Appliance): End of support: March 31, 2011
EndPoint Security: End of support: May 1, 2013
MailMarshal Management Pack for MOM: End of support: May 1, 2013
MailMarshal Management Pack for SCOM: End of support: May 1, 2013
Security Reporting Center (Windows Version): End of support: December 31, 2009
Security Reporting Center (Solaris Version): Withdrawn
Firewall Suite: Withdrawn
imMarshal for MSN: Withdrawn
Counterspy for Marshal: End of support: January 1, 2014
Kaspersky for Marshal: End of support: November 22, 2023
PestPatrol for Marshal: End of support: January 1, 2014

This article was previously published as:: NETIQKB33882

Folders to exclude from on-access malware scanning with Sophos for Marshal

Charles Creegan — Thu, 21 Apr 2022 01:28:52 GMT

This article applies to:

Sophos for Marshal

Question:

What folders must be excluded from resident anti-virus scanning when Sophos for Marshal is installed?

Information:

Sophos for Marshal signatures could trigger detection as malicious by other virus scanners.

If you perform on-access or periodic virus scanning on the server, exclude the Sophos for Marshal Engine folder from scanning.

For current supported (64 bit) versions, by default this folder is located as follows:

C:\Program Files\Trustwave\Sophos for Marshal\Engine

Additions to Release Notes for Sophos for Marshal 1.1

Charles — Mon, 14 Mar 2022 19:04:21 GMT

This article applies to:

Sophos for Marshal 1.1

Question:

What are the Release Notes for Sophos for Marshal 1.1?

Information:

The Release Notes included with Sophos for Marshal 1.1 are accurate as of the date of publication. Any later updates are noted at the end of this article.

The current release of Sophos for Marshal is 1.1.5.1710 (released March 15, 2022). This is a 64-bit release only.

Note significant improvement in MailMarshal or WebMarshal engine restart performance with 1.1.5. Customers are urged to upgrade.
The last 32-bit release is 1.1.2 (November, 2017).

Operating System Support:

Sophos for Marshal is tested and supported on all Windows versions where the SEG, ECM, and WebMarshal products are supported. The scanner and updater are tested as part of testing the base product on additional OS versions.

64-bit support:

A 64-bit version of Sophos for Marshal 1.1 is available to support MailMarshal/SEG 8.X and 10.X, and WebMarshal 7.X.
Future upgrade or issue fix releases are only provided for the 64 bit version.
The 32-bit version of Sophos for Marshal 1.1 supports SEG 7.X, ECM 7.X, and WebMarshal 6.X in both 32-bit and 64-bit environments.

What ports need to be open in my firewall for Sophos for Marshal?

Charles — Sun, 27 Feb 2022 20:07:21 GMT

This article applies to:

Sophos for Marshal

Question:

What ports need to be open in my firewall for Sophos for Marshal?

Information:

Sophos for Marshal requires Engine and IDE updates to maintain current virus protection.

By default, the Sophos for Marshal updater uses a direct HTTP or HTTPS connection to download these updates from Marshal.

You can also use a proxy server.

For more information about the options, see Help for the Sophos for Marshal configuration tool.

The table below details the various ports used by Sophos for Marshal for direct connections. These ports must be available on every processing server where the Sophos for Marshal package is installed.

If you use an active web filtering device upstream of the processing server (such as WebMarshal), you must configure it to pass this traffic.

Port	Direction	Destination	Required for Versions	Explanation
tcp/80	Outbound	crl.trustwave.com	1.1 and above	HTTPS connection validation for the download site requires access to the Certificate Revocation List over HTTP. This site is hosted on a CDN. IP addresses will differ by geographical location and are subject to change without notice.
tcp/80 tcp/443	Outbound	sophos.marshal.com	All	All Engine and IDE updates are retrieved from the website listed. This site must be accessible for virus protection to remain current. HTTPS (port 443) is required with SfM 1.1 and above As of 28 February 2022, the IP address of this server is within the block 20.81.78.232/29 Note that the IP address could change. LevelBlue will attempt to provide advance notice of any change.
udp/53 tcp/53	Outbound	DNS servers specified in OS configuration	All	The Sophos for Marshal updater requires external DNS access to access the website listed above. The Sophos LiveProtection service (present in version 1.1 and above) performs DNS-based queries and must have access to a DNS server that can forward DNS queries to the Internet.

Files with Unicode names not processed correctly

Charles Creegan — Thu, 28 Jan 2021 18:55:42 GMT

This article applies to:

Bitdefender for Marshal
Sophos for Marshal
MailMarshal (SEG) 6.5

Symptoms:

Email attachment names contain text outside of the English character sets
Attachment names do not display correctly
Email attachments fail to unpack with errors such as "Error in file type identification"
Virus scanning fails with "unexpected error"

Causes:

Regional Settings on the server (processing node) are set to a language other than English.
File names with Unicode characters are not correctly handled by the named products when Regional Settings use extended characters.

Workaround:

To work around this issue, set the locale for the server to an English language locale (in an array, set the locale on all processing node servers). You can do one of the following:

Log on to the server using an account such as Administrator. Use the Windows Regional and Language Options control panel to change the locale for the account, and then configure the MailMarshal services to run using that account. If you change the locale, you must restart the services to apply the change.
Change the locale for service accounts:
- In Windows 2012, 2016 or 2019, set the locale on the Administrative tab of Region options. Restart the server to apply the change.
- In Windows Server 2008 or Windows Vista, use the "Copy to reserved accounts" function. Restart the server to apply the change.
- In Windows Server 2003 or Windows XP, log on as an administrator. Change the regional options for the account. Then, on the Advanced tab of Regional and Language Options, select the box under Default user account settings. Restart the server to apply the change to service accounts.

Notes:

This issue applies to all versions of the named virus scanners.
The issue does not affect basic attachment unpacking in supported versions of SEG.

3510 - Fatal virus scanner error (MMEngine error)

Charles Creegan — Fri, 01 May 2020 00:00:00 GMT

This article applies to:

MailMarshal (SEG)
Malware scanner plugins

Symptoms:

Event ID: 3510
Type: Error
Source: MMEngine (MailMarshal SMTP) or MEXEngine (MailMarshal Exchange)
Description: Fatal virus scanner error

Causes:

The MailMarshal Engine is configured to use an integrated virus or malware scanner (such as McAfee for Marshal), but the integrated component is no longer licensed.

This event could occur if a license key that enables the plugin is replaced with a key that does not support this plugin. For instance, trial keys generated by the product installer support all scanners that are licensed through LevelBlue, but customer keys only support the scanners if they have been purchased.

Note:

Contact LevelBlue for licensing information, or change the configuration to stop using this scanner.

Supported Releases Policy for the Marshal Product Line

Charles Creegan — Fri, 01 May 2020 00:00:00 GMT

This article applies to:

MailMarshal Secure Email Gateway (SEG)
WebMarshal
MailMarshal ECM (MailMarshal Exchange)
MailMarshal Service Provider Edition
Virus Scanner plug-ins
Marshal Reporting Console

Question:

What is the supported releases policy for SEG, ECM, WebMarshal, and virus scanner plug-ins?
What is the policy on End of Support for the LevelBlue Marshal Product Line?

Information:

Definitions:

Major release: A release containing many new features or a change in architecture (for example, SEG 8.0).
Feature release: A release containing some new features and enhancements (for example, SEG 8.1.0).
Point release: A release containing maintenance updates and small enhancements to existing features (for example, SEG 8.1.3).
Supported: Full product support as defined in LevelBlue support policy for the Marshal Product Line.
- For "discontinued" versions, LevelBlue can often provide advice to help customers resolve issues. However, LevelBlue may recommend upgrade to a later version of the software.
- Upgrades to the current versions of these products are always free of charge to customers with a current maintenance contract.

Policy:

LevelBlue will support each product release for two years, or until the release of the second following feature release, whichever is shorter.

For the current feature release, normally all point releases are supported.
For a previous feature release, only the last point release is supported.
When a major release is issued, LevelBlue may support the last two feature releases of the previous major release for an extended period.

LevelBlue will publish the dates of end of support of each release at least two months in advance of the effective date. For lists of supported versions and end of support, see the related articles linked below.

Hotfixes:

If a customer encounters an issue with a point release that is older than the latest point release for that version, they will be required to upgrade to the latest point release before a hotfix is issued.

Examples:

With the release of WebMarshal 6.12.3:

LevelBlue will continue to support 6.12.1 and 6.11.2.
LevelBlue will announce end of support for 6.11.1.

With the release of WebMarshal 7.0.0:

LevelBlue will continue to support WebMarshal 6.11.2 as well as 6.12.3 until further notice.
LevelBlue will announce end of support for 6.12.1 and 6.12.2.

Notes:

Customers should plan for a yearly upgrade cycle to take advantage of new features and to ensure their software is supported.

Marshal scanner plug-in compatibility with Microsoft "Meltdown" security patch

Charles Creegan — Wed, 10 Jan 2018 12:57:18 GMT

This article applies to:

Bitdefender for Marshal
McAfee for Marshal
Sophos for Marshal

Question:

Are the Marshal virus scanner plug-ins compatible with the Microsoft security update for "Meltdown" (January 3, 2018)?

Information:

Yes, the Marshal virus scanner plug-ins are safe to use on systems where the Microsoft security update is applied.

The four scanner manufacturers have confirmed their engines are compatible with the security update.
LevelBlue has performed basic testing of the scanner integration with SEG and WebMarshal. LevelBlue has not done any performance testing.

Notes:

To apply the Microsoft security update you might need to take manual action.

Windows Update only offers the security update to systems where a specific registry value is present.
The plug-ins do not set this registry value. If you have a resident virus scanner on the server, it might set the value.
Even when the value has been set, Windows Update might not install the update depending on the options you selected. You might need to select the update, or install it manually from the Microsoft Update Catalog.
For more information, see Microsoft KB 4056897 (Windows 2008 R2) or other related Microsoft articles.

Additions to Release Notes for Sophos for Marshal 1.0

Charles Creegan — Wed, 10 Nov 2010 19:44:01 GMT

This article applies to:

Sophos for Marshal 1.0

Question:

What are the Release Notes for Sophos for Marshal 1.0?

Information:

The Release Notes included with Sophos for Marshal 1.0 are accurate as of the date of publication.

The current release of Sophos for Marshal is 1.0.4 (released November 11, 2010).

This article provides any additional information generated after that date.

1.0.4 is a compatibility release for forthcoming major product releases. No fixes or new functions are included.
1.0.3 is primarily a compatibility release for forthcoming major product releases.
1.0.2 fixes a problem with engine file updates that affected some customers.

Software Version	Release Date	Support Status	Discontinued Date
1.2.0.1680 (64 bit only)	August 3, 2021	Active
1.1.2.1623 (64 bit only)	August 22, 2019	Discontinued	March 20, 2022
1.1.1.1564	November 9, 2017	Discontinued	March 20, 2022