LevelBlue Knowledge Base » Knowledgebase » Bitdefender for Marshal

Updates fail due to SSL certificate issues

Charles — Tue, 20 Aug 2024 22:30:01 GMT

This article applies to:

MailMarshal (SEG)
MailMarshal ECM/MailMarshal Exchange 7.X
HTTPS Certificates for Internet Access
Blended Threats licensing
Maintenance Check
McAfee for Marshal
Sophos for Marshal
Bitdefender for Marshal

Symptoms:

Installations cannot download updates for Automatic Updates (SpamCensor), or cannot validate Blended Threats or Maintenance
Logs show error Unable to get Local Issuer Certificate
Virus scanner updaters cannot perform updates or licensing checks
Error messages indicate SSL certificate validation errors
New installations may display a warning on installation
- Warning text similar to: The MailMarshal Update service and the Blended Threats Module require SSL certificates currently not installed on this system

Cause:

The most common cause of these symptoms is that required CA root certificates are not installed, so the SSL certificates used by LevelBlue websites cannot be validated.

LevelBlue uses certificates issued by several authorities, including Microsoft, DigiCert, and Let's Encrypt. All of the root certificates for these authorities are included by default in the Windows certificate store.

As of late 2024, Let's Encrypt certificates may be in use.

Currently supported Windows Servers that have the default set of root certificates already have the required certificates (ISRG Root X1). Windows 2012 servers may not have the required certificate.

As of mid 2023, DigiCert is issuing certificates from a new root certificate.

This change is required because some browsers will stop trusting older DigiCert roots in 2025. For more details see information from DigiCert.
For new certificates to be trusted, you must have the DigiCert Global Root G2 installed as a trusted root certificate in the Windows certificate store.
Windows Servers that have automatically installed required updates should already have installed the required certificate.
All certificates currently in use are issued from the new root certificate.

Also, you must allow access to Certificate Revocation List servers (such as http://crl3.digicert.com/ and http://c.lencr.org) to allow SSL connections to be validated.

Resolution:

To resolve this issue in most cases, you can take one of the following actions:

You may be able to install the certificates automatically by browsing to the affected site (such as https://mcafee.marshal.com) using Internet Explorer or Edge from an administrator account. Once you have successfully browsed to the site, try the updater functionality again.
You can manually retrieve the DigiCert Global Root G2 certificate from: https://www.digicert.com/kb/digicert-root-certificates.htm
- Install this certificate to the Trusted Root Certificates store on Array Manager and Processing Node servers. See manual installation instructions at the end of this article.
- Previous generation certificates (validity starting before March 2023) are issued from the DigiCert Global Root CA certificate.
You can manually retrieve the ISRG Root X1 certificate from https://letsencrypt.org/certificates/.
- Install this certificate to the Trusted Root Certificates store on Array Manager and Processing Node servers. See manual installation instructions at the end of this article.

Once the root certificate is installed, all functions requiring web access should work.

Other possible causes:

Cause 2: Access through WebMarshal

If Web access for SEG/MailMarshal or a virus scanner updater is through a WebMarshal installation that is configured for HTTPS content inspection, it is possible that the root certificates are not installed for the account(s) used by the Engine service, Array Manager service, and/or virus updater services.

Note: This cause only applies when Web access is through a WebMarshal installation that has HTTPS content inspection enabled for the specific update sites. Inspection is disabled by default.

WebMarshal HTTPS Content Inspection uses a special locally generated root certificate. This certificate is installed into the user's certificate store by default. It is not available for service accounts by default.
WebMarshal makes an exception for the SpamCensor update site, but current versions do not make an exception for the Blended threats site.

Resolution - WebMarshal certificate:

To resolve this issue, on each SEG/MailMarshal server, manually install the WebMarshal root certificate using the Windows Certificate Management console:

Download the certificate from the WebMarshal.Home page of the WebMarshal installation.
Run Microsoft Management Console (MMC.exe)
Choose to add a snapin and select the Certificates snap in.
Choose to manage certificates for the Computer account.
Open Trusted Root Certification Authorities > Certificates.
Import the certificate.

Alternatively, you might choose to bypass the proxy completely, or disable HTTPS inspection, for the update URLs required by LevelBlue products

Cause 3: Access through a third party proxy

If Web access for MailMarshal/SEG or a virus scanner updater is through a third party proxy configured for HTTPS content inspection, you may need to complete further configuration.

Note: This cause only applies when Web access is through a third party proxy server that has HTTPS content inspection enabled.

The proxy server might not have the required CA certificates installed.
The certificate used for local re-encryption might not be installed on the MailMarshal servers.

Resolution - third party proxy:

To resolve this issue, consult the documentation for the third party proxy and ensure the following:

Verify that all CA certificates required are installed on the proxy server. See the list in resolution 1, above.
Verify that the certificate used for re-encryption (and any CA or intermediate certificates) are installed on the servers.
1. Obtain the certificate(s) required. See the list in the Manual Download section below.
2. On each server in the installation, run Microsoft Management Console (MMC.exe)
3. Choose to add a snapin and select the Certificates snap in.
4. Choose to manage certificates for the Computer account.
5. Import the certificate(s) to the appropriate locations. In most cases Windows will select the locations automatically.
Alternatively, you might choose to bypass the proxy completely for the update URLs required by LevelBlue products. See the documentation for the proxy server.

Additional technical details:

Some Windows releases install a very limited set of SSL CA certificates by default. Additional certificates are downloaded on demand.
- Windows Group Policy can be set to disable the on-demand downloads.

Manual download of certificates:

You can also manually download and install the required CA Certificates using the Windows Certificate Management console.

Install the certificates on Array Manager and Processing Node servers.

Download the root certificate
- DigiCert Global Root G2 (.pem) (right click, save as). See additional links and other formats at DigiCert Root Downloads.
- ISRG Root X1 (.pem) (right click, save as). See additional links and other formats at Let's Encrypt Chains of Trust.
- (Note: SecureTrust certificates that were previously used are no longer required.)
Run Microsoft Management Console (MMC.exe)
Choose to add a snapin and select the Certificates snap in.
Choose to manage certificates for the Computer account.
Open Trusted Root Certification Authorities > Certificates.
Import the root certificate.

Notes:

Verify your system clock is accurate. Certificates might be rejected if they are "out of date" according to the local system time.

If none of the above solutions resolve your issue, contact Technical Support for help in diagnosing and resolving the problem.

What versions of Marshal Anti-Virus and reporting solutions are currently supported by LevelBlue Technical Support?

Charles — Sun, 26 Nov 2023 18:14:08 GMT

This article applies to:

Bitdefender for Marshal
Kaspersky for Marshal
McAfee for Marshal
Sophos for Marshal
Marshal Reporting Console

Question:

What versions of Anti-Virus for Marshal plug-ins are currently supported by LevelBlue Technical Support?
What versions of Marshal Reporting Console are currently supported by LevelBlue Technical Support?

Information:

The following tables show the currently supported versions, planned dates of termination of support, and support end dates for discontinued versions.

Note: In this article "supported" refers to full product support as defined in LevelBlue support policy for the Marshal Product Line.

For "discontinued" versions, LevelBlue can often provide advice to help customers resolve issues. However, LevelBlue may recommend upgrade to a later version of the software.

If a reported problem requires remedial development work, LevelBlue will usually provide a fix only for the latest product version.

Upgrades to the current versions of these products are always free of charge to customers with a current maintenance contract.

All versions earlier than those listed are discontinued.

Bitdefender for Marshal

Notes:

The URL for Bitdefender signature updates changed as of March, 2022. Only version 1.2.0 can access the new update URL.

Software Version

Release Date
Support Status
Discontinued Date

1.2.0.1680
(64 bit only)

August 3, 2021
Active

1.1.2.1623
(64 bit only)

August 22, 2019
Discontinued
March 20, 2022

1.1.1.1564

November 9, 2017
Discontinued
March 20, 2022

Kaspersky for Marshal

END OF LIFE November 22, 2023: Kaspersky for Marshal is no longer sold or supported. The embedded license key has expired. This plugin cannot be initialized. Attempting to use it will cause the MailMarshal or WebMarshal product engines to stop.
Note that Sophos for Marshal is included in all subscriptions for MailMarshal and WebMarshal. For customers who desire a second virus scanner, the recommended option going forward is Bitdefender for Marshal.
- Customers with contracts for Kaspersky for Marshal extending beyond November are entitled to use Bitdefender for Marshal for the balance of the contract term. Contact your sales representative for assistance

McAfee for Marshal

Software Version

Release Date
Support Status
Discontinued Date

6.1.2.1564

November 9, 2017
Active

Note: New McAfee Engine updates will not be provided for 32 bit versions (except to support ECM). Customers MUST use a 64 bit version of MailMarshal or WebMarshal to receive the latest Engine versions that have continuing support from McAfee.

Sophos for Marshal

Software Version

Release Date
Support Status
Discontinued Date

1.1.5.1710
(64 bit only)

March 15, 2022
Active

1.1.4.1679
(64 bit only)

August 3, 2021
Discontinued
September 1, 2022

1.1.3.1637
(64 bit only)

November 3, 2020
Discontinued
September 1, 2022

1.1.2.1564

November 9, 2017
Discontinued
March 22, 2022

Note: Release 1.1.5 includes significant updates for stability and performance. Customers are very strongly urged to upgrade.

Marshal Reporting Console

(previously known as MailMarshal Reporting Console)

Software Version

Release Date
Support Status
Discontinued Date

2.6.0.1469

September 13, 2018
Active

2.5.4.1263

December 5, 2013
Discontinued
September 1, 2022

Note:

Counterspy for Marshal and PestPatrol for Marshal have been discontinued. Signature updates for these scanners are no longer available.

Firewall Ports Required by Bitdefender for Marshal

Charles — Sun, 27 Feb 2022 19:57:38 GMT

This article applies to:

Bitdefender for Marshal

Question:

What ports need to be open in my firewall for Bitdefender for Marshal?

Information:

Bitdefender for Marshal requires Engine and signature updates to maintain current virus protection. BitDefender for Marshal also checks product licensing through a website.

By default, the Bitdefender for Marshal updater uses a direct HTTPS connection to download these updates.

You can also use a proxy server.

For more information about the options, see Help for the Bitdefender for Marshal configuration tool.

The table below details the various ports used by Bitdefender for Marshal for direct connections. These ports must be available on every processing server where the Bitdefender for Marshal package is installed.

If you use an active web filtering device upstream of the processing server (such as WebMarshal), you must configure it to pass this traffic.

Port	Direction	Destination	Required for Versions	Explanation
tcp/80	Outbound	CRL distribution points	All	HTTPS connection validation for the licensing and download sites requires access to the Certificate Revocation Lists over HTTP. Currently, LevelBlue and Digicert certificates/CRLs are used. Certificate issuers and IP addresses are subject to change without notice.
tcp/443	Outbound	bitdefender.marshal.com Within the block 20.81.78.232/29	All	Bitdefender for Marshal checks licensing information from this website using HTTPS. This website must be accessible for virus protection to be current. The IP address information provided is correct at the date of this article, but it is subject to change. LevelBlue will attempt to provide advance notice of any change.
tcp/443	Outbound	agent-av-mirror.trustwave.com 204.13.202.54 upgrade.bitdefender.com (CDN, from March 2022)	All	Bitdefender for Marshal retrieves Engine and signature updates from this website using HTTPS. This website must be accessible for virus protection to remain current. From March 2022 Bitdefender for Marshal will access the Bitdefender website to retrieve these updates. The agent-av-mirror site will be decommissioned. Customers MUST upgrade to the latest Bitdefender for Marshal release (1.2.0) as soon as possible to assure access to the signatures.
udp/53 tcp/53	Outbound	DNS servers specified in OS configuration	All	The Bitdefender for Marshal updater requires external DNS access to resolve the server names listed above.

Additions to Release Notes for Bitdefender for Marshal 1.X

Charles Creegan — Thu, 24 Feb 2022 14:20:30 GMT

This article applies to:

Bitdefender for Marshal 1.1 and 1.2

Question:

What are the Release Notes for Bitdefender for Marshal 1.X?

Information:

The Release Notes included with Bitdefender for Marshal 1.X are accurate as of the date of publication.

The current release of Bitdefender for Marshal is:

64 bit: 1.2.0.1680 (August 3, 2021)

This article provides any additional information generated after that date.

Upgrade required:

In March 2022 the URL used to retrieve signatures will change. Bitdefender for Marshal 1.2.0 installations will retrieve the new URL automatically. Earlier releases cannot retrieve the new URL automatically.

Customers must upgrade to release 1.2.0 to assure continued scanning coverage.

Operating System Support:

Bitdefender for Marshal is tested and supported on all Windows versions where the MailMarshal/SEG or WebMarshal products are supported. The scanner and updater are tested as part of testing the base product on additional versions.

64-bit support:

A 64-bit version of Bitdefender for Marshal is available to support MaiMarshal (SEG) 8.0 and above, and WebMarshal 7.X.
Future upgrade or issue fix releases are only provided for the 64 bit version.

32-bit version withdrawn:

The 32-bit version of Bitdefender for Marshal has been withdrawn. 32-bit versions of MailMarshal or WebMarshal are no longer supported.

Scanning Exclusions

With Bitdefender for Marshal 1.1.1, if you are using a virus scanner for real time protection or daily scans on the server, exclude the \temp subfolder of the Bitdefender for Marshal installation from scanning.

Bitdefender for Marshal 1.0

A pre-release of Bitdefender for Marshal (version 1.0) was provided as part of some WebMarshal installers. This version will not receive updates and cannot be used for scanning, because a license included in the code has expired. Any installations of version 1.0 must be updated to the latest released version.

Files with Unicode names not processed correctly

Charles Creegan — Thu, 28 Jan 2021 18:55:42 GMT

This article applies to:

Bitdefender for Marshal
Sophos for Marshal
MailMarshal (SEG) 6.5

Symptoms:

Email attachment names contain text outside of the English character sets
Attachment names do not display correctly
Email attachments fail to unpack with errors such as "Error in file type identification"
Virus scanning fails with "unexpected error"

Causes:

Regional Settings on the server (processing node) are set to a language other than English.
File names with Unicode characters are not correctly handled by the named products when Regional Settings use extended characters.

Workaround:

To work around this issue, set the locale for the server to an English language locale (in an array, set the locale on all processing node servers). You can do one of the following:

Log on to the server using an account such as Administrator. Use the Windows Regional and Language Options control panel to change the locale for the account, and then configure the MailMarshal services to run using that account. If you change the locale, you must restart the services to apply the change.
Change the locale for service accounts:
- In Windows 2012, 2016 or 2019, set the locale on the Administrative tab of Region options. Restart the server to apply the change.
- In Windows Server 2008 or Windows Vista, use the "Copy to reserved accounts" function. Restart the server to apply the change.
- In Windows Server 2003 or Windows XP, log on as an administrator. Change the regional options for the account. Then, on the Advanced tab of Regional and Language Options, select the box under Default user account settings. Restart the server to apply the change to service accounts.

Notes:

This issue applies to all versions of the named virus scanners.
The issue does not affect basic attachment unpacking in supported versions of SEG.

Supported Releases Policy for the Marshal Product Line

Charles Creegan — Fri, 01 May 2020 00:00:00 GMT

This article applies to:

MailMarshal Secure Email Gateway (SEG)
WebMarshal
MailMarshal ECM (MailMarshal Exchange)
MailMarshal Service Provider Edition
Virus Scanner plug-ins
Marshal Reporting Console

Question:

What is the supported releases policy for SEG, ECM, WebMarshal, and virus scanner plug-ins?
What is the policy on End of Support for the LevelBlue Marshal Product Line?

Information:

Definitions:

Major release: A release containing many new features or a change in architecture (for example, SEG 8.0).
Feature release: A release containing some new features and enhancements (for example, SEG 8.1.0).
Point release: A release containing maintenance updates and small enhancements to existing features (for example, SEG 8.1.3).
Supported: Full product support as defined in LevelBlue support policy for the Marshal Product Line.
- For "discontinued" versions, LevelBlue can often provide advice to help customers resolve issues. However, LevelBlue may recommend upgrade to a later version of the software.
- Upgrades to the current versions of these products are always free of charge to customers with a current maintenance contract.

Policy:

LevelBlue will support each product release for two years, or until the release of the second following feature release, whichever is shorter.

For the current feature release, normally all point releases are supported.
For a previous feature release, only the last point release is supported.
When a major release is issued, LevelBlue may support the last two feature releases of the previous major release for an extended period.

LevelBlue will publish the dates of end of support of each release at least two months in advance of the effective date. For lists of supported versions and end of support, see the related articles linked below.

Hotfixes:

If a customer encounters an issue with a point release that is older than the latest point release for that version, they will be required to upgrade to the latest point release before a hotfix is issued.

Examples:

With the release of WebMarshal 6.12.3:

LevelBlue will continue to support 6.12.1 and 6.11.2.
LevelBlue will announce end of support for 6.11.1.

With the release of WebMarshal 7.0.0:

LevelBlue will continue to support WebMarshal 6.11.2 as well as 6.12.3 until further notice.
LevelBlue will announce end of support for 6.12.1 and 6.12.2.

Notes:

Customers should plan for a yearly upgrade cycle to take advantage of new features and to ensure their software is supported.

Folders to exclude from on-access virus scanning with Bitdefender for Marshal

Charles Creegan — Mon, 16 Dec 2019 19:29:14 GMT

This article applies to:

Bitdefender for Marshal

Question:

What folders must be excluded from resident anti-virus scanning when Bitdefender for Marshal is installed?

Information:

Temporary files

Bitdefender for Marshal 1.1 and above creates temporary files as part of processing.

If you perform virus scanning on the server using another anti-virus product, exclude the Bitdefender for Marshal temp folder from scanning.

For version 1.1.1 and above, by default this folder is located as follows:

64 bit installation: C:\Program Files\Trustwave\Bitdefender for Marshal\temp
32 bit installation : C:\Program Files (x86)\Trustwave\Bitdefender for Marshal\temp

Signature database

Some customers have also reported the SEG or WebMarshal engine stopping due to inability to load the Bitdefender scanner. To avoid this issue, exclude the Bitdefender for Marshal Database folder from scanning.

Notes:

Release 1.1.0 uses the Windows temporary location for the temporary files. LevelBlue strongly recommends that any customers using Bitdefender for Marshal 1.1.0 should upgrade to release 1.1.1.

Enabling TLSv1.1 and TLSv1.2 for Bitdefender updates

Charles Creegan — Wed, 12 Sep 2018 23:47:05 GMT

This article applies to:

Bitdefender for Marshal

Question:

How do I ensure that Bitdefender updates can use TLSv1.1 or above?

Background:

The mirror server for Bitdefender for Marshal update will soon stop accepting SSL requests over TLSv1.0. TLSv1.0 is a deprecated older version of TLS.

As of October 1, 2018, organizations that must consider the PCI DSS guidelines are required to remove TLSv1.0 from their servers. This date reflects a grace period for a new standard that came into force after June 30, 2018.
This requirement includes LevelBlue.
All organizations should be minimizing use of TLSv1.0.
If you have not enabled TLSv1.1 and TLSv1.2 you may find that other services are unable to connect.

Procedure:

This article outlines the basic requirements and procedures. Note that these are Windows system configuration items. LevelBlue has provided this article in good faith but LevelBlue is not responsible to provide support for Windows configuration issues.

For All Windows Servers:

Ensure that TLSv1.1 and TLSv1.2 are enabled for client communications.

You must make Registry changes and restart the server to apply them.
A helpful free application is IISCrypto by Nartac Software.

For Older Windows Servers:

This information applies to Windows 2008, Windows 2008 R2, and Windows 2012.

Bitdefender updates use the WinHTTP component. You must ensure this component is updated, and then make a registry entry.

Ensure that the server has the latest Service Pack and all Windows Updates applied. Check manually until no further updates are available.
Ensure that the installed updates include the TLS update. If this update is not applied then apply it manually.
- For Windows 2008 R2 and 2012, see Q3140245.
  - Follow the instructions in Q3140245 to apply the "default secure protocol" registry flags required
  - For TLSv1.1 and TLSv1.2 only, the value is 0x00000A00
  - For TLSv1.0 through TLSv1.2, the value is 0x00000A80
- For Windows 2008, see Q4019276. Microsoft does not state that the "default secure protocol" flags are required on this operating system.

FAQ:

Why does the Bitdefender for Marshal updater require these system changes to connect over newer TLS?
- The Bitdefender update component (provided by Bitdefender) uses the WinHTTP component for Web access. WinHTTP is part of the Windows operating system. Older Windows versions and older versions of WinHTTP did not enable use of TLSv1.1 or above.
Do other LevelBlue updaters require any changes?
- No, current supported versions of SEG, WebMarshal, and LevelBlue anti-virus plugins will not require changes. These products support TLSv1.1 and TLSv1.2 using third party components for Web access and are not affected by the WinHTTP issue.
- Some customers may be using older versions of the products. Customers may need to upgrade to the latest version. Known minimum versions are:
  - SEG: Any supported version (7.5.5 and above when this article was reviewed)
  - WebMarshal: 6.12 or above (as previously communicated)
  - ECM: 7.2 or above.
  - Sophos for Marshal: 1.1.1 or above
  - McAfee for Marshal: 6.1.1 or above
  - Kaspersky for Marshal: any release

Notes:

The above process may require multiple system restarts.

Marshal scanner plug-in compatibility with Microsoft "Meltdown" security patch

Charles Creegan — Wed, 10 Jan 2018 12:57:18 GMT

This article applies to:

Bitdefender for Marshal
McAfee for Marshal
Sophos for Marshal

Question:

Are the Marshal virus scanner plug-ins compatible with the Microsoft security update for "Meltdown" (January 3, 2018)?

Information:

Yes, the Marshal virus scanner plug-ins are safe to use on systems where the Microsoft security update is applied.

The four scanner manufacturers have confirmed their engines are compatible with the security update.
LevelBlue has performed basic testing of the scanner integration with SEG and WebMarshal. LevelBlue has not done any performance testing.

Notes:

To apply the Microsoft security update you might need to take manual action.

Windows Update only offers the security update to systems where a specific registry value is present.
The plug-ins do not set this registry value. If you have a resident virus scanner on the server, it might set the value.
Even when the value has been set, Windows Update might not install the update depending on the options you selected. You might need to select the update, or install it manually from the Microsoft Update Catalog.
For more information, see Microsoft KB 4056897 (Windows 2008 R2) or other related Microsoft articles.

Software Version	Release Date	Support Status	Discontinued Date
1.2.0.1680 (64 bit only)	August 3, 2021	Active
1.1.2.1623 (64 bit only)	August 22, 2019	Discontinued	March 20, 2022
1.1.1.1564	November 9, 2017	Discontinued	March 20, 2022