Version 2.0.0 (2022/01/10)
New features:
- Support for encryption at rest (needs to be enabled in Settings - Configuration - Encryption). Enables encryption of package files on the storage volume after finishing checks by detection engines. For details see documentation.
- Support for individual package encryption by a key derived from a password set for the package by the sender (after finishing the encryption it is not stored anywhere). Without the knowledge of the password the package files cannot be decrypted and therefore downloaded, not even by the administrator.
- Data integrity verification. It is possible to initiate a data integrity check for whole packages or single files, which computes the current checksums (SHA256) and compares them to the original ones from the time of their upload. The result is stored and displayed for both individual files and whole packages. If the integrity is compromised (a file is corrupted), a notification can be sent, according to the settings. An admin can set whether users may also initiate the check for their own packages and files. An admin can also schedule an automatic regular integrity check, in Settings – Configuration – Data integrity.
- New antivirus supported in Detection settings – FortiClient (Fortinet antivirus).
- Options to edit an existing package by its sender (author) and admin, specifically:
  - An admin can set whether the author can add new files to his existing packages or delete them (both disabled by default).
  - An admin can delete files from existing packages and restore deleted files (by admin or user). A user cannot restore deleted files.
  - An admin can shred files from existing packages (and therefore free up the space on the storage volume).
  - When a new file is added to an existing package, a new notification is sent to the package recipients, just as for a new package.
- Mass actions on packages. Multiple packages can be selected in the package lists and a mass action can be performed on all of those, for example delete them all at once.
- Mass change of permissions for selected users. Multiple users can be selected in the list of users and their permissions changed for all at once.
- An admin can manually run a (re)test of the whole package or individual files through the detection engines again. Useful, for example, to verify after an anti-virus signature update whether the package/file is still safe or is infected.
- Support for automatic deactivation and deletion of inactive users (Settings – Configuration – User settings). Inactive users can be disabled (unable to log in) or deleted after configured time.
- Temporary user accounts. An admin can set a user account expiration during the account creation. Such an account then expires after the set time and is automatically deleted.
- Better support for different languages:
  - Separate setting of the primary language for e-mail messages. (Until now, it was determined by the default language of the application.)
  - Optional setting of a secondary language for e-mail messages. If set, the e-mails will be bilingual, with the secondary language appended below the primary.
  - Separate setting of the language for syslog. (Until now, it was determined by the default language of the application.)
  - A logged-in user can set his preferred language in his profile. This language will then be used in e-mails addressed to him, overriding the global settings of primary and secondary language, as described above.
- New notifications (written in audit log and optionally sent to e-mail) for events:
  - Error during a package check. Because of a failure of one of the detection engines when checking a package, it was skipped.
  - Detection engine not available. One of the detection engines stops being available. Can happen for example when an anti-virus licence expires, a sandbox connection fails, etc.
  - Disk space running low. Happens if the free space drops below 10% on one of the package storage volumes and select system paths (/, /var/log, /var/lib/pgsql, /var/lib/kafka).
- An admin can move a package from active into quarantine. (Until now only the reverse was available, release from the quarantine.)
- An option to block the use of known leaked passwords ("have i been pwned?" service). Can be enabled in Settings - Configuration - Security.
- When creating a new admin account, it is now possible to send the new admin an e-mail with a request to set a new password, instead of setting the password directly. (As for users.)
- A download counter for each file and the archive of a package. The number of downloads of each file and the archive is displayed in the package detail view (for anonymous users, logged in users and administrators). It counts only finished downloads (the end of the file was sent from the server to the client).
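A sketch of the data integrity check described above (current SHA256 compared with the checksum recorded at upload, with a result per file and per package). This is an added example, not SOFiE's own code; the function names, status strings and sample files are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large uploads are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_package(root, upload_checksums):
    """Compare current checksums with those recorded at upload time.

    Returns (package_ok, per_file), where per_file maps each file name to
    "OK", "CORRUPTED" or "MISSING" (hypothetical status names).
    """
    per_file = {}
    for name, original in upload_checksums.items():
        path = Path(root) / name
        if not path.is_file():
            per_file[name] = "MISSING"
        elif sha256_file(path) == original.lower():
            per_file[name] = "OK"
        else:
            per_file[name] = "CORRUPTED"
    package_ok = all(status == "OK" for status in per_file.values())
    return package_ok, per_file


def demo():
    """Constructed sample: two files recorded at upload, one altered afterwards."""
    with tempfile.TemporaryDirectory() as root:
        files = {"report.pdf": b"quarterly report", "data.csv": b"a,b\n1,2\n"}
        manifest = {}
        for name, content in files.items():
            (Path(root) / name).write_bytes(content)
            manifest[name] = sha256_file(Path(root) / name)
        before = check_package(root, manifest)
        (Path(root) / "data.csv").write_bytes(b"a,b\n1,3\n")  # simulated corruption
        after = check_package(root, manifest)
    return before, after


if __name__ == "__main__":
    print(demo())
```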
Minor changes:
- Login names are no longer case sensitive. This is the same behavior as, for example, in Active Directory. ("test" and "Test" are now the same user, unlike before.)
- An automatic refresh of displayed information occurs when viewing a package detail (for example encryption state, integrity check results, detection results, etc.).
- Changed how a package password is remembered:
  - An admin can set the time the package password is remembered, in Settings - Configuration - Security: "Download JWT token lifetime".
  - If no user is logged in, the token is not stored in the browser (in LocalStorage).
  - If a user is logged in, a new option to "remember password for XX minutes" (according to settings) is offered; it is not enabled by default.
- There is a new overview of enabled detection engines and their related information displayed on the Dashboard.
- The list of files inside a package can be ordered by name, type, date and size of the files.
- The settings for password strength requirements are now separate for users and for admins.
- The package lists can be filtered by package flags. So it is possible for example to display only packages set as persistent.
- The filters above package lists can be collapsed into a single line bar, to preserve space on the screen if needed.
- The list of files inside a package is now split into multiple separate lists for: normal files, quarantined files, deleted files, shredded files.
- Search inside contacts and contact groups improved (can search for contained contacts or groups).
- Package requests can be deleted.
- The user can "delete" packages in his inbox. Technically they are only hidden in his view. Only the sender or admin can truly delete a package, or it is deleted automatically after expiration.
- Even a user can now see the flag if a package is public or not (only admin did until now).
- Changed the process for (re)setting a password by email with a password (re)set link. The email now contains a unique link with a UUID, which when opened allows the password to be (re)set directly. Previously, it was necessary to manually copy a token from the email into a form field before the password (re)set.
  - The related default email templates for these actions were updated accordingly. If an installation uses customized templates, these must also be updated manually in the same way as the default ones were.
- When activating TOTP multi-factor authentication, it is now required to input a valid code from the activated authenticator first, or the activation will not be done.
- Repeated password guessing protection (against bruteforce attacks) extended also to repeated multi-factor authentication (MFA) attempts.
- When changing expiration times in Settings - Configuration - Workflow it is now possible to optionally apply this change to existing packages, otherwise it only affects new ones.
- Support for new license states. The original "demo mode" is split into a new "no license" mode (new installs without even a trial license) and the now modified "demo mode" (special demo license) for demonstration purposes only.
- Support for FQDN aliases. Besides the main FQDN the license can now contain additional domains and will work for all of them, so the application can run under multiple domains.
- Support for alternative https port - the FQDN can now further contain a custom port specification, for example https://sofie.sonpo.cz:11443. Until now the application supported only native https port 443.
- The API token can be copied to the clipboard by a mouse click.
- Removed actions for shredded packages (like release from quarantine) as they are useless: the package content is already deleted.
- The current password in detection engine settings (for sandboxes) is no longer displayed; it can only be changed to a new one.
- Obfuscated the passwords contained in audit log records (replaced with *** string).
- JWT tokens modified:
  - JWT tokens sent to and stored in browsers are now encrypted, so the client cannot read their contents. (Before, they were only signed to prevent client manipulation.)
  - Default expiration of JWT authentication tokens shortened from 60 to 30 minutes (= idle logout timeout).
  - New setting introduced (Settings - Configuration - Security) "Authentication JWT token absolute lifetime", which specifies after what time the user is logged out even when active.
  - New setting introduced (Settings - Configuration - Security) "Download JWT token lifetime", which specifies how long the password for a password-protected package can be remembered.
- Minor security improvements based on pentest results, including:
  - Better protection against session hijacking. Added the IP address and User-Agent to the JWT token; if those do not match the current ones (they changed), the request is denied and logged.
  - Added the headers Cache-Control "no-store", Pragma "no-cache", X-Content-Type-Options "nosniff" and Referrer-Policy "same-origin" to all responses.
  - When an unexpected internal error/exception occurs, the Java class details are no longer displayed; a custom error page without unnecessary internal details is shown instead.
- Removed the final state of a package UPLOAD_CANCELED and replaced by a single common final state of "shredded" (CONTENT_DELETED).
- Changed the looks of some parts of the application for better clarity.
- New and modified audit logs, for details see: List and description of Audit Log event types.
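The session checks listed under "JWT tokens modified" and "Better protection against session hijacking" can be pictured as one validation step run on the claims after the token is decrypted. This is an added example, not SOFiE's own code; the claim names, the absolute lifetime value and the sample requests are assumptions, and only the 30-minute idle timeout comes from the notes above.

```python
import logging
from dataclasses import dataclass

log = logging.getLogger("session")

IDLE_LIFETIME = 30 * 60          # 30 minutes, the new default named above
ABSOLUTE_LIFETIME = 8 * 60 * 60  # assumed value; the notes only name the setting


@dataclass(frozen=True)
class SessionClaims:
    """Claims recovered from the decrypted token (field names are hypothetical)."""
    subject: str
    issued_at: int   # login time, epoch seconds
    last_seen: int   # time of the last accepted request, epoch seconds
    ip: str          # client address recorded at login
    user_agent: str  # User-Agent header recorded at login


def validate(claims, request_ip, request_ua, now):
    """Return (allowed, reason); every denial is written to the log."""
    if now - claims.issued_at > ABSOLUTE_LIFETIME:
        reason = "absolute lifetime exceeded"   # logged out even when active
    elif now - claims.last_seen > IDLE_LIFETIME:
        reason = "idle timeout"
    elif claims.ip != request_ip:
        reason = "ip mismatch"
    elif claims.user_agent != request_ua:
        reason = "user-agent mismatch"
    else:
        return True, "ok"
    log.warning("request denied for %r: %s (ip=%r)", claims.subject, reason, request_ip)
    return False, reason


def demo():
    """Constructed requests against one session issued at t0."""
    t0 = 1_000_000
    ua = "Mozilla/5.0 (X11)"
    claims = SessionClaims("alice", t0, t0 + 600, "192.0.2.10", ua)
    return [
        validate(claims, "192.0.2.10", ua, t0 + 900),            # same client
        validate(claims, "198.51.100.7", ua, t0 + 900),          # token replayed elsewhere
        validate(claims, "192.0.2.10", "curl/8.0", t0 + 900),    # different client software
        validate(claims, "192.0.2.10", ua, t0 + 600 + 1801),     # idle for over 30 minutes
        validate(claims, "192.0.2.10", ua, t0 + 8 * 3600 + 1),   # past absolute lifetime
    ]
```

Binding a session to the client IP also denies legitimate users whose address changes mid-session (mobile networks, some proxies), so such denials will appear in the log alongside real hijacking attempts.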
Fixes:
- During a long package upload the logout timer is now regularly reset, so the automatic idle logout cannot happen during the upload and cause an upload failure.
- Fixed the sometimes strange behavior of the form when setting the administrator's permissions.
- Fixed the display of usernames and other strings in audit logs and other places, where the additional string of #timestamp was shown.
- The list of detection engine check results for files in package detail is now ordered alphabetically by the column "Detection engine".
- Fixed the color bar display for check results: yellow should now consistently mean that a detection did occur, but that the result is only a notification and not a quarantine (according to settings). Before, it was sometimes red in such cases.
- Changed the "ADFS error" message to "Login error" for the case where a user is successfully logged in by ADFS but does not have access to the SOFiE application.
- Fixed the license expiration parsing for Kaspersky 11.2 engine.
- Fixed the missing license state attribute in LICENSE_INVALID audit logs.
- Fixed possible duplication of audit logs when the license state changes.
- The logo preview in Settings - Configuration - Appearance now better matches how it will look in the top bar.
- Other various fixes of typos, texts, design, etc.