Release Notes (Changelog)

Application versions

Version 2.0.0 (planned for 4th quarter of 2021)

New features:

  • Support for encryption at rest (must be enabled in Settings - Configuration - Encryption). Package files on the storage volume are encrypted once the detection engines have finished their checks. For details see the documentation.
    • Support for individual package encryption with a key derived from a password that the sender sets for the package. Once the encryption is finished, the password is not stored anywhere, so without it the package files cannot be decrypted, and therefore cannot be downloaded, not even by the administrator.
  • Data integrity verification. A data integrity check can be started for whole packages or for single files. It computes the current checksums (SHA-256) and compares them to the originals recorded at upload time. The result is stored and displayed for individual files as well as for whole packages. If the integrity is compromised (the file is corrupted), a notification can be sent according to the settings. An admin decides whether users may start the check for their own packages and files, and can schedule an automatic regular integrity check in Settings – Configuration – Data integrity.
  • New antivirus supported in Detection settings – FortiClient (Fortinet antivirus).
  • Options for the sender (author) and the admin to edit an existing package, specifically:
    • An admin can set whether the author may add new files to their existing packages or delete files from them (both disabled by default).
    • An admin can delete files from existing packages and restore files deleted by an admin or a user. A user cannot restore deleted files.
    • An admin can shred files from existing packages (and thereby free up space on the storage volume).
    • When a new file is added to an existing package, the package recipients receive a notification, as they do for a new package.
  • Mass actions on packages. Multiple packages can be selected in the package lists and a mass action can be performed on all of those, for example delete them all at once.
  • Mass change of permissions for selected users. Multiple users can be selected in the list of users and their permissions changed for all at once.
  • An admin can manually run a (re)test of a whole package or of individual files through the detection engines. Useful, for example, to confirm after an anti-virus signature update whether a package/file is still clean or is now detected as infected.
  • Support for automatic deactivation and deletion of inactive users (Settings – Configuration – User settings). Inactive users can be disabled (unable to log in) or deleted after a configured time.
  • Temporary user accounts. An admin can set an account expiration when creating the account. Such an account expires after the set time and is deleted automatically.
  • Better support for different languages:
    • Separate setting of the primary language for e-mail messages. (Until now it was determined by the default language of the application.)
    • Optional setting of a secondary language for e-mail messages. If set, the e-mails are bilingual, with the secondary language appended below the primary.
    • A logged-in user can set a preferred language in their profile. This language is then used in e-mails addressed to that user, overriding the global primary and secondary language settings described above.
  • New notifications (written in audit log and optionally sent to e-mail) for events:
    • Error during a package check. Because one of the detection engines failed while checking a package, the check was skipped.
    • Detection engine not available. One of the detection engines stopped being available, for example because an anti-virus licence expired or a sandbox connection failed.
    • Disk space running low. Raised when free space drops below 10% on one of the package storage volumes or on selected system paths (/, /var/log, /var/lib/pgsql, /var/lib/kafka).
  • An admin can move a package from active into quarantine. (Until now only the reverse was available, release from the quarantine.)
  • Option to block the use of known leaked passwords (via the "have i been pwned?" service). Can be enabled in Settings - Configuration - Security.
  • When creating a new admin account, it is now possible to send the new admin an e-mail with a request to set a password, instead of setting the password directly (as is already possible for users).
  • A download counter for each file and for the package archive. The number of downloads is displayed in the package detail view (for anonymous users, logged-in users and administrators). Only finished downloads are counted (the end of the file was sent from the server to the client).
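The password-derived per-package encryption listed above, as an added example that is not SOFiE's code: the sender's password is stretched with scrypt into an encryption key and a MAC key, the file is encrypted and authenticated, and only the random salt and nonce are stored next to the ciphertext, never the password or the keys. The KDF parameters, the blob layout and the HMAC-SHA256 counter-mode construction are this example's assumptions (chosen so the block runs on the Python standard library alone; a production system would use AES-256-GCM or another vetted AEAD), not documented SOFiE internals.

```python
import hashlib
import hmac
import secrets

SALT_LEN = 16    # random per package, stored with the ciphertext
NONCE_LEN = 16   # random per file, stored with the ciphertext
TAG_LEN = 32     # HMAC-SHA256 tag
# scrypt cost parameters (assumed); memory use is 128 * N * r bytes, 16 MiB here.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def derive_keys(password: str, salt: bytes) -> tuple:
    """Stretch the sender's package password into an encryption key and a
    MAC key. Only the salt is ever written to disk: the password and the
    derived keys are discarded after use, so the plaintext cannot be
    recovered without the password, by the administrator or anyone else."""
    okm = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                         maxmem=64 * 1024 * 1024, dklen=64)
    return okm[:32], okm[32:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: block i = HMAC(enc_key, nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_package_file(password: str, plaintext: bytes) -> bytes:
    """Return salt || nonce || ciphertext || tag (encrypt-then-MAC)."""
    salt = secrets.token_bytes(SALT_LEN)
    nonce = secrets.token_bytes(NONCE_LEN)
    enc_key, mac_key = derive_keys(password, salt)
    ciphertext = bytes(p ^ k for p, k in
                       zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def decrypt_package_file(password: str, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext. A wrong password yields
    a different MAC key, so it fails exactly like a corrupted file does."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("encrypted blob too short")
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong password or corrupted package file")
    return bytes(c ^ k for c, k in
                 zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def can_decrypt(password: str, blob: bytes) -> bool:
    """True only for the password the sender chose."""
    try:
        decrypt_package_file(password, blob)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample content; in the application this would be a file on the storage volume.
    blob = encrypt_package_file("correct horse battery", b"quarterly-report.xlsx bytes")
    print(can_decrypt("correct horse battery", blob), can_decrypt("admin", blob))
```

Because the MAC key is derived from the password too, an administrator holding only the stored blob cannot even tell whether a guessed password is right without running the full scrypt derivation, which is what makes the per-package password meaningful against offline guessing.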
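The leaked-password check against the "have i been pwned?" range endpoint listed above, as an added example (not SOFiE's code): only the first five hex characters of the password's SHA-1 hash leave the server (k-anonymity), the remaining 35 characters are matched locally against the returned range, and a failed query is written as an HIBP_QUERY_FAILED audit event. The response body is constructed for offline runs, and the User-Agent string and the fail-open behaviour on a service outage are this example's choices, not documented SOFiE behaviour.

```python
import hashlib
import urllib.error
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed response body for offline runs (not real API output). The first
# suffix is the genuine SHA-1 tail of the string "password"; the rest are made up.
SAMPLE_RANGE_BODY = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
    "1E2D9C1F3A5B7E9D0C2B4A6F8E0D1C3B5A7:12\r\n"
    "00A1B2C3D4E5F60718293A4B5C6D7E8F901:0\r\n"
)


class HibpUnavailable(Exception):
    """The range endpoint could not be queried (network, HTTP error, bad body)."""


def sha1_prefix_suffix(password: str) -> tuple:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is
    sent to the service and the 35-char suffix that never leaves the host."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix: str, timeout: float = 3.0) -> str:
    """Fetch every suffix sharing the 5-char prefix (k-anonymity). Add-Padding
    asks the service to pad the response so its size leaks nothing either."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"User-Agent": "sofie-hibp-example", "Add-Padding": "true"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8")
    except (urllib.error.URLError, OSError, ValueError) as exc:
        raise HibpUnavailable(str(exc)) from exc


def parse_range(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines; padding entries carry a count of 0."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and suffix:
            counts[suffix.upper()] = int(count or 0)
    return counts


def leak_count(password: str, fetch=fetch_range) -> int:
    """How many times the password appeared in known breaches (0 = not seen)."""
    prefix, suffix = sha1_prefix_suffix(password)
    try:
        counts = parse_range(fetch(prefix))
    except ValueError as exc:
        raise HibpUnavailable(f"malformed response: {exc}") from exc
    return counts.get(suffix, 0)


def password_allowed(password: str, fetch=fetch_range, audit=print) -> bool:
    """Reject breached passwords. If the service is unreachable, record an
    HIBP_QUERY_FAILED audit event and accept the password (failing open is
    this example's policy choice, not necessarily SOFiE's)."""
    try:
        return leak_count(password, fetch) == 0
    except HibpUnavailable as exc:
        audit(f"HIBP_QUERY_FAILED: {exc}")
        return True


if __name__ == "__main__":
    offline = lambda prefix: SAMPLE_RANGE_BODY   # replace with fetch_range to go live
    print(password_allowed("password", fetch=offline))
```

Whether to fail open or closed when the service is down is a policy decision: failing closed blocks every password change during an outage, failing open lets a breached password through but is visible in the audit log, which is why the event is logged before the decision is returned.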

Minor changes:

  • Login names are no longer case sensitive, the same behaviour as, for example, in Active Directory ("test" and "Test" are now the same user, unlike before).
  • The information displayed in a package detail (for example encryption state, integrity check results, detection results) now refreshes automatically.
  • Changed how a package password is remembered:
    • An admin can set how long the package password is remembered, in Settings - Configuration - Security: "Download JWT token lifetime".
    • If no user is logged in, the token is not stored in the browser (in LocalStorage).
    • If a user is logged in, a new option "remember password for XX minutes" (according to the settings) is offered; it is not enabled by default.
  • A new overview of enabled detection engines and their related information is displayed on the Dashboard.
  • The list of files inside a package can be ordered by name, type, date and size of the files.
  • The password strength requirements are now set separately for users and for admins.
  • The package lists can be filtered by package flags, so it is possible, for example, to display only packages set as persistent.
  • The filters above package lists can be collapsed into a single-line bar to save screen space if needed.
  • The list of files inside a package is now split into multiple separate lists for: normal files, quarantined files, deleted files, shredded files.
  • Search inside contacts and contact groups improved (can search for contained contacts or groups).
  • Package requests can be deleted.
  • A user can "delete" packages from their inbox. Technically they are only hidden from that user's view. Only the sender or an admin can truly delete a package, or it is deleted automatically after expiration.
  • A user can now see the flag showing whether a package is public or not (until now only admins could).
  • Changed the process for (re)setting a password by e-mail with a password (re)set link. The e-mail now contains a unique link with a UUID which, when opened, allows the password to be (re)set directly. Before, the token had to be copied manually from the e-mail into a form field before the password could be (re)set.
    • The related default e-mail templates for these actions were updated accordingly. If an installation uses customized templates, these must be updated manually in the same way as the default ones.
  • When activating TOTP multi-factor authentication, a valid code from the newly enrolled authenticator must be entered first, otherwise the activation is not performed.
  • When changing expiration times in Settings - Configuration - Workflow, it is now possible to optionally apply the change to existing packages too; otherwise it only affects new ones.
  • Support for FQDN aliases. Besides the main FQDN, the license can now contain additional domains and the application will work under all of them, so it can run under multiple domains.
  • Support for an alternative HTTPS port: the FQDN can now include a custom port, for example https://sofie.sonpo.cz:11443. Until now only the default HTTPS port 443 was supported.
  • The API token can be copied to the clipboard by a mouse click.
  • Removed actions for shredded packages (such as release from quarantine), as they are useless once the package content has been deleted.
  • The current password in the detection engine settings (for sandboxes) is no longer displayed; it can only be replaced with a new one.
  • Passwords contained in audit log records are now masked (replaced with the string ***).
  • JWT tokens modified:
    • JWT tokens sent to and stored in browsers are now encrypted, so the client cannot read their contents. (Before, they were only signed to prevent client-side manipulation.)
    • Default expiration of JWT authentication tokens shortened from 60 to 30 minutes (= idle logout timeout).
    • New setting introduced (Settings - Configuration - Security): "Authentication JWT token absolute lifetime", which specifies after what time the user is logged out even while active.
    • New setting introduced (Settings - Configuration - Security): "Download JWT token lifetime", which specifies how long the password for a password-protected package can be remembered.
  • Removed the final package state UPLOAD_CANCELED and replaced it with the single common final state "shredded" (CONTENT_DELETED).
  • Changed the look of some parts of the application for better clarity.
  • New audit logs:
    • PACKAGE_SCAN_ENDS_WITH_ERROR, DETECTION_ENGINE_UNAVAILABLE, FILE_QUARANTINED, HIBP_QUERY_FAILED, TEMPORAL_USERS_DELETED, FILE_DELETED, FILE_UNDELETED, FILE_CONTENT_DELETED, PACKAGE_RECHECK_PLANNED, FILE_RECHECK_PLANNED, FILE_INTEGRITY_INVALID, CHECK_FILE_INTEGRITY_FAILED.
    • For details see: List and description of Audit Log event types.
  • Changed the severity of PACKAGE_DOWNLOAD_UNAUTHORIZED_ACCESS audit log from warning to info.
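The sliding idle timeout capped by an absolute lifetime described in the JWT items above, as an added example (not SOFiE's code): on login a token carries both a sliding exp and a hard abs_exp; every authenticated request re-signs it with exp moved forward, but never past abs_exp, and a request after either deadline is rejected. Tokens are HS256-signed with the standard library only; the encryption of token contents that 2.0.0 introduces is not reproduced here. The 30-minute idle value follows the changelog, while the eight-hour absolute lifetime and the claim name abs_exp are this example's assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

IDLE_LIFETIME = 30 * 60          # per the changelog: idle logout after 30 minutes
ABSOLUTE_LIFETIME = 8 * 60 * 60  # assumed value for "Authentication JWT token absolute lifetime"


class TokenInvalid(Exception):
    pass


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, key: bytes) -> str:
    """Produce a compact HS256 JWS: header.payload.signature."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"},
                                separators=(",", ":")).encode("utf-8"))
    payload = _b64url(json.dumps(claims, separators=(",", ":"),
                                 sort_keys=True).encode("utf-8"))
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, key: bytes) -> dict:
    """Check the signature and return the claims. The algorithm is pinned to
    HS256, so an attacker-supplied 'alg': 'none' header is rejected."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenInvalid("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_unb64url(header_b64))
        signature = _unb64url(sig_b64)
        claims = json.loads(_unb64url(payload_b64))
    except (ValueError, TypeError) as exc:
        raise TokenInvalid("undecodable token") from exc
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise TokenInvalid("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        raise TokenInvalid("bad signature")
    if not isinstance(claims, dict):
        raise TokenInvalid("claims must be an object")
    return claims


def issue_auth_token(subject: str, key: bytes, now=None) -> str:
    """Login: exp is the sliding idle deadline, abs_exp the hard cap
    (abs_exp is this example's claim name, not a registered JWT claim)."""
    now = int(time.time() if now is None else now)
    return sign_token({"sub": subject, "iat": now,
                       "exp": now + IDLE_LIFETIME,
                       "abs_exp": now + ABSOLUTE_LIFETIME}, key)


def refresh_on_activity(token: str, key: bytes, now=None) -> str:
    """Called for every authenticated request (including the keep-alives a long
    upload sends). Rejects a token whose absolute or idle lifetime has passed,
    otherwise slides exp forward but never beyond abs_exp."""
    now = int(time.time() if now is None else now)
    claims = verify_token(token, key)
    if now >= claims["abs_exp"]:
        raise TokenInvalid("absolute lifetime reached, log in again")
    if now >= claims["exp"]:
        raise TokenInvalid("idle timeout")
    claims["exp"] = min(now + IDLE_LIFETIME, claims["abs_exp"])
    return sign_token(claims, key)


if __name__ == "__main__":
    key = b"\x01" * 32  # constructed key; load from configuration in practice
    token = issue_auth_token("alice", key)
    print(verify_token(refresh_on_activity(token, key), key))
```

The absolute cap is what bounds the damage of a token stolen from a browser that keeps sending requests: without it, activity alone would keep the session alive indefinitely.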

Fixes:

  • During a long package upload the logout timer is now reset regularly, so the automatic idle logout cannot happen during the upload and cause it to fail.
  • Fixed the display of usernames and other strings in audit logs and other places where an additional #timestamp suffix was shown.
  • The list of detection engine check results for files in the package detail is now ordered alphabetically by the "Detection engine" column.
  • Fixed the colour bar for check results: yellow is now consistent and always means that a detection did occur but the result is only a notification, not a quarantine (according to the settings). Before, it was sometimes red in such cases.
  • Changed the "ADFS error" message to "Login error" for the case where a user is successfully authenticated by ADFS but does not have access to the SOFiE application.
  • Fixed the license expiration parsing for Kaspersky 11.2 engine.
  • Fixed the missing license state attribute in LICENSE_INVALID audit logs.
  • The logo preview in Settings - Configuration - Appearance now better matches how it will look in the top bar.
  • Other various fixes of typos, texts, design, etc.

Version 1.6.0 (2021/04/23)

New features:

  • Support for Hungarian in the user interface and e-mail notifications (not in the admin interface).
  • Multi-factor authentication (MFA / 2FA) is now supported also for logins of users authenticated via AD and ADFS (previously only for local users).
  • In the package upload form the currently configured limits for maximum sizes and number of files are shown.
  • Support for the password reset functionality also for administrators, using an e-mail with instructions and a unique token, as for users. The administrator must have an e-mail address filled in for this to work.
  • The PDF report with FortiSandbox check results can now be viewed directly in the browser window. It is no longer necessary to download, save and then open the file.
  • Showing all (including nested) MIME types of files (if the MIME module is enabled in the Detection settings). For example archives (zip, etc.), Office documents, PDFs and others may contain nested content and files of various MIME types. These are now shown in the file details.
  • Support for logging of the User Agent from the header of web requests into the audit logs. It can be enabled in Settings - Configuration - Logging - Log User-Agent header.

Minor changes:

  • Added new columns "Created at" and "Last login" in the list of users, which can be used to sort the list. This helps when searching for unused or old accounts that can be deleted.
  • New audit logs for events: LICENSE_INVALID, LICENSE_VALID, APP_VERSION_CHANGED, PACKAGE_DOWNLOAD_UNAUTHORIZED_ACCESS, PACKAGE_DOWNLOAD_PACKAGE_NOT_FOUND, PACKAGE_DOWNLOAD_PACKAGE_EXPIRED. For details see: List and description of Audit Log event types.
  • Added the action to terminate the check in the package detail for packages in the queue (it already was available in the list, but not in the detail).
  • Automatic rotation of Kafka module log files, so their number and size do not grow excessively.
  • Improved the installer (updated components, the Let's Encrypt certificate no longer requires an e-mail address, fixed nginx version for CentOS 8, OCSP stapling in nginx).
  • Modified the parameters in the e-mail templates. Replaced the ${appTitle} parameter with the parameters ${appName} and ${subjectPrefix} (related to Settings - Configuration - Appearance and Settings - Configuration - E-mail prefix). Existing templates are converted automatically, depending on whether the parameter is used in the subject (→ ${subjectPrefix}) or in the body (→ ${appName}). Updated the texts, previews, help and related content accordingly. Increased the maximum subject length in the templates from 100 to 200 characters.
  • Modified the logging of MIME type changes for better accuracy. Before, a change could be logged twice, depending on whether it was made by the "magic" or the "content" MIME detector. Now it happens and is logged at most once, with new attributes clarifying the change.
  • The application web server (Tomcat) now listens only on the localhost address (it communicates with the local nginx).
  • Multiple components updated (React, Ant Design, Tomcat, Meecrowave, etc.).
  • Minor changes in graphics, icons, etc.

Fixes:

  • Fixed the XSRF cookie being deleted when the browser was closed but not re-created after it was reopened, unlike the login session; this caused a logout after any performed action because of the invalid XSRF cookie. The cookie now has the same lifetime as the login.
  • Fixed the "jumping" calendar when editing package expiration. A few seconds after the month was changed, it jumped back.
  • Fixed the maximum size field in the DLP settings losing its content after a few seconds.
  • Other minor fixes of typos, texts, graphics, etc.

Version 1.5.5 (2021/03/18)

Minor changes:

  • Updated Apache Tomcat to version 9.0.43 and Apache Meecrowave to version 1.2.10.
  • Improved the script for sending of diagnostic logs - added an offline variant with manual handoff of logs.

Fixes:

  • Added compatibility with the new ESET version 8. If auto-update is disabled (it is by default when installed exactly as our install manual instructs), the update can be performed by executing the command:
    /opt/eset/efs/bin/upd --perform-app-update

Version 1.5.4 (2021/02/25)

Minor changes:

  • Added a helper script "offline-license.sh" - useful for manual download and activation of a license from the command line.
  • Improved debug logging for problems with license activation.

Fixes:

  • Fixed compatibility with FortiSandbox version 3.2.2+, which introduced changes to Fortinet's API for the upload of larger files.
  • Fixed the integration with AD over SSL (LDAPS). The appropriate certificate authority must be added to the system trust store.
  • Updated the sending of diagnostic logs: if the license file does not exist (it is created automatically during online license activation in the application), an attempt is made to read the license from the database, which contains the information needed to send the logs.
  • Improved error handling when downloading a detailed report of a FortiSandbox file scan. If the report download fails, the scan itself no longer fails; it finishes correctly, the error is logged and the report is simply not available.

Version 1.5.3 (2021/02/22)

Fixes:

  • Fixed the behaviour when a user deletes a sent package before all content scans have finished. The remaining scans are cancelled, and failed mandatory scans are no longer repeated infinitely.
  • Fixed the audit log message for some unexpected FortiSandbox errors. (INVALID_JSON_DATA, INVALID_REQUEST, UNSUPPORTED_VER)

Version 1.5.2 (2020/11/20)

Fixes:

  • Fixed minor issue with popup window size with additional information about FortiSandbox check results.

Version 1.5.1 (2020/11/20)

Fixes:

  • Worked around a FortiSandbox API error where, for some zip archives (containing files with special characters in their names), it does not return correct results. The results are now queried by the SHA fingerprint. The recommended FortiSandbox version is 3.2.1+.
  • Fixed the BitDefender integration so it works again after the BitDefender update from approximately 2020/11/12, which introduced incompatible changes.
  • Fixed reading and saving of the FQDN from the license.

Version 1.5.0 (2020/07/14)

New features:

  • Persistent packages. The admin can disable the expiration for a selected package, making it persistent, until the admin enables the expiration again.
  • Support for discovering the IP addresses of clients when running behind a proxy. The address of the proxy must be entered in Settings - Configuration - Security - Trusted proxies, and the proxy must add an X-Forwarded-For header. Headers from addresses that are not listed as trusted proxies are ignored, as any client can send its own X-Forwarded-For.
  • New user permissions specifying whether a user can send each type of package (public, internal, private). Also a new default setting for the package type, used for packages where the user does not change it.
  • New user permission specifying whether a user can download package contents without re-entering the login password. (Without it, the user must re-enter the login password before each download.)
  • Settings for default permissions of new users, in Settings - Configuration - User default settings.
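Deriving the client address from X-Forwarded-For only when the TCP peer is a configured trusted proxy, as an added example (not SOFiE's code) of the feature above. The chain is walked from the right, i.e. from the hop appended by the nearest proxy, and the first address that is not a trusted proxy is the client, so values a client prepended itself are never reached. The setting format (comma-separated addresses or CIDR blocks) and the sample addresses are this example's assumptions.

```python
import ipaddress


def parse_trusted_proxies(setting: str) -> list:
    """Parse the comma-separated Trusted proxies setting (addresses or CIDR blocks)."""
    networks = []
    for item in setting.split(","):
        item = item.strip()
        if item:
            networks.append(ipaddress.ip_network(item, strict=False))
    return networks


def is_trusted(addr, networks) -> bool:
    """Address family mismatches (IPv6 address vs IPv4 network) are simply False."""
    return any(addr in net for net in networks)


def client_ip(remote_addr: str, xff_header, trusted: list) -> str:
    """Return the real client address for audit logs and rate limiting.

    remote_addr (the TCP peer) is the only address that cannot be forged. If
    it is not a trusted proxy, X-Forwarded-For is ignored entirely. Otherwise
    the hops are examined right to left and the first one that is not a
    trusted proxy is the client."""
    peer = ipaddress.ip_address(remote_addr)
    if not xff_header or not is_trusted(peer, trusted):
        return str(peer)
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)  # garbage in the header: fall back to the peer, which is at least genuine
        if not is_trusted(addr, trusted):
            return str(addr)
    return hops[0]  # every hop is a trusted proxy: the request originated inside the proxy tier


if __name__ == "__main__":
    trusted = parse_trusted_proxies("10.0.0.0/8, 192.168.1.5")
    # Constructed requests: (TCP peer, X-Forwarded-For header)
    samples = [("10.0.0.2", "203.0.113.9"),
               ("10.0.0.2", "1.2.3.4, 203.0.113.9, 10.0.0.3"),  # 1.2.3.4 was forged by the client
               ("198.51.100.7", "10.0.0.1")]                    # peer is not a proxy: header ignored
    for peer, xff in samples:
        print(f"{peer:14} {xff:35} -> {client_ip(peer, xff, trusted)}")
```

The common mistake is to take the leftmost entry, which is whatever the client chose to send; walking from the trusted side is what makes the setting worth having.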

Minor changes:

  • For datastores that cannot be deleted (because they are in use), the trashcan icon is inactive.
  • Administrator actions for packages moved to a sub-menu, which can be displayed by clicking the ... icon.
  • Modified the display of flags in package lists.
  • New descriptions for package types are available to users directly inside the application.

Fixes:

  • The administrator can now change his own password even if he does not have permission for administrator management.
  • The audit log no longer displays empty "personalSettings" change when changing user's permissions.
  • Sending packages via the API did not take the user's permissions into account. It is no longer possible to send packages via the API if the user does not have the send package permission.
  • Although a check was cancelled for a package in the queue, all the queued checks were performed anyway. Now the remaining checks that are not already running are correctly skipped.
  • Minor fixes of some texts and design.

Version 1.4.4 (2020/06/24)

Fixes:

  • Fixed blocking / allowing of content based on MIME type, where some types were shown differently in the package detail than how they had to be entered into the blacklist / whitelist (e.g. "application/x-dosexec" vs. "application/x-msdownload").

Version 1.4.3 (2020/06/05)

Minor changes:

  • Change in the installer: new installations have HSTS (HTTP Strict Transport Security) enabled by default. Browsers that have seen the header will then reach the application only over HTTPS and refuse to continue past an invalid certificate.

Fixes:

  • Fixed error in matching an e-mail address of a recipient, if the case of the characters did not match (Test@sofie.cloud vs. test@sofie.cloud). E-mail address matching is no longer case sensitive.
  • Fixed an error in the installer which may have caused new installations to be unable to start the remote diagnostic tunnel (missing /root/.ssh/authorized_keys file).
  • Fixed minor cosmetic issue in user's and administrator's profile menu, where the last used item stayed incorrectly highlighted.

Version 1.4.2 (2020/04/30)

Fixes:

  • Fixed an error when evaluating results of FortiSandbox detection engine checks that might have occurred in some specific cases (such as many files in an archive).
  • It is no longer required to fill in recipients for "Internal" packages. Regarding recipients, the behaviour is now similar to "Public" packages, not "Private" ones.

Version 1.4.1 (2020/04/24)

Fixes:

  • Fixed the TOTP multi-factor key not working in some iOS apps (removed the trailing = padding character from the Base32-encoded secret).
  • Fixed display of unfulfilled package requests in shredded packages.
  • Fixed some typos in the texts.
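RFC 6238 TOTP with an unpadded Base32 secret, as an added example (not SOFiE's code) illustrating the fix above and the enrolment check listed under Version 2.0.0 (a valid code must be entered before TOTP is switched on). The standard library only is used; the RFC 6238 SHA-1 test vectors appear in the usage, and the otpauth URI parameters (issuer label, 6 digits, 30-second period) are this example's assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
import urllib.parse


def generate_totp_secret(nbytes: int = 20) -> str:
    """Base32 shared secret as embedded in the otpauth URI / QR code.

    base64.b32encode pads to a multiple of 8 characters with '=', which some
    iOS authenticators do not accept. 20 bytes encode to exactly 32 characters;
    for other lengths the padding is stripped (it is redundant anyway)."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii").rstrip("=")


def decode_secret(secret: str) -> bytes:
    """Accept padded or unpadded, spaced, lower-case input; restore padding."""
    compact = secret.replace(" ", "").strip().upper()
    return base64.b32decode(compact + "=" * (-len(compact) % 8))


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: str, at=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of 30-second steps since the epoch."""
    now = int(time.time() if at is None else at)
    return hotp(decode_secret(secret), now // step, digits)


def verify_totp(secret: str, code: str, at=None, step: int = 30, window: int = 1) -> bool:
    """Accept the current code and +-window steps to tolerate clock drift.
    This is the check an enrolment flow runs before enabling the factor, which
    proves the authenticator really imported the secret."""
    now = int(time.time() if at is None else at)
    for delta in range(-window, window + 1):
        candidate = totp(secret, at=now + delta * step, step=step)
        if hmac.compare_digest(candidate, code.strip()):
            return True
    return False


def otpauth_uri(secret: str, account: str, issuer: str) -> str:
    """URI encoded into the enrolment QR code; the secret carries no '='."""
    label = urllib.parse.quote(f"{issuer}:{account}")
    query = urllib.parse.urlencode({"secret": secret, "issuer": issuer,
                                    "algorithm": "SHA1", "digits": 6, "period": 30})
    return f"otpauth://totp/{label}?{query}"


if __name__ == "__main__":
    # RFC 6238 test secret: Base32 of the ASCII string "12345678901234567890".
    rfc_secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print(totp(rfc_secret, at=59, digits=8))          # RFC vector: 94287082
    fresh = generate_totp_secret()
    print(otpauth_uri(fresh, "alice@example.com", "SOFiE"))
    print(verify_totp(fresh, totp(fresh)))
```

Stripping the padding is safe because the decoder can always recompute it from the length, which is why decode_secret re-pads before calling b32decode.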

Version 1.4.0 (2020/04/15)

New features:

  • Implemented support for multi-factor authentication (2FA) for users and administrators. The following factors are supported:
    • TOTP - supported for example by Google Authenticator
    • FIDO2 (WebAuthn) - supported for example by Yubico 5
  • New application mode "by request only". The administrator can forbid uploads of packages by anonymous (not logged-in) users unless they receive a package upload request from a logged-in user. This mode can be set in Settings - Configuration - Basic Settings.
  • New "internal" package accessibility mode added to the existing "private" and "public" modes. Access to internal packages is allowed for all logged-in users who have the link to the package.
  • Support for "blind copy" for logged-in users. As with e-mail, logged-in users can send packages to hidden recipients, who are not visible in the displayed package recipients.
  • New address book for users, including the support for groups and optional automatic saving of package recipients.
  • Support for editing of e-mail templates. Administrator can modify the contents of the notifications being sent out in Settings - E-mail templates.
  • Support for multiple datastores (disks/volumes). The administrator can configure them in Settings - Datastores. This allows another disk or volume to be added easily when the current one is running out of space.
  • The administrator can grant (or revoke) the following rights to users:
    • login (without it, the user cannot log in)
    • receive packages (without it, a package cannot be sent to the user's address, as if the user did not exist)
    • send packages (without it, the user can only receive packages, not send them)
  • Remote application diagnostics support. The administrator can:
    • send application logs to technical support (no user data or package data are sent).
    • enable / disable a reverse SSH tunnel for remote SSH access by technical support.
  • Support for the Check Point SandBlast appliance. (Before, only the cloud version was supported; now both are.)
  • In the FortiSandbox settings it can be selected which of the results "high risk", "medium risk" and "low risk" are blocked.

Minor changes:

  • Link to documentation added to the right part of the top bar.
  • Official API documentation available here: https://docs.sofie.cloud/en/api/v1/user/
  • Added some functions to the API, see API documentation.
  • Administrator can restore the packages from the archive, similarly to restoring deleted packages (from trash).
  • ZIP archive can be created even for archived packages (accessible only to the administrator).
  • Added "severity" attribute to the audit logs, according to the syslog standard.
  • New design of the Dashboard screen for administrators, including graphs of datastore usage.
  • New loading page for the first opening of the application, so the anonymous part is not shown briefly to logged-in users.
  • New info screen displayed when the backend is not working (upgrade, restart, etc.), which disappears automatically when the backend starts working again.
  • Support for the new ESET version 7. The old ESET version 4 still works too, but is no longer maintained and supported.
  • Administrator can allow downloading of clean files from quarantined packages, in Settings - Configuration - Basic settings.
  • If notifications to (registered) senders about their quarantined packages are enabled, they will also receive notifications when their packages are released from the quarantine.
  • All files in packages released from quarantine are marked as clean. Packages and files that were originally not clean but quarantined are flagged as released from quarantine.
  • The list of files in the package detail now always shows the files with a detection that caused the package to be quarantined at the top of the list.
  • Modified the administrator's package menu: added menu items for some package states that were mixed together before, and moved all the states to a sub-menu under the main menu item Packages.
  • FortiSandbox PDF report now also accessible under a magnifying glass icon, not just by double clicking.
  • A FortiSandbox without a valid license is now considered available if it works otherwise. Before, it was considered unavailable without a license, even though it worked.
  • Improved audit logs for forwarded packages, so it is easier to find the forwarded package origin and related logs.
  • Improved audit logs for quarantined packages: added new attribute "detectionResults", which contains array of all the reasons for quarantining the package or file.
  • Documented all audit log types, see: List and description of Audit Log event types
  • Added internal SID attribute to users, for better pairing of AD and ADFS accounts. Useful for example when renaming users.
  • The number of application users is sent to the license server during license verification and update.
  • Some texts and captions modified for better understanding and unified across the application.
  • Introduced a 90-day retention period for application logs. It was unlimited before and could fill up the disk over time.
  • Modified the sofie yum repository: it is now disabled by default, and the sofie script enables it when needed. A general yum update will no longer unexpectedly update the application.
  • Modified (unified) the default values of detection engines after installation.
  • New setting in Settings - Configuration - E-mail: Ignore certificate errors. It allows e-mails to be sent over TLS/SSL even if the configured mail server does not have a valid certificate. Note that this also disables verification of the mail server's identity, so it should be a temporary measure until the certificate is fixed.
  • An administrator can change their own password the same way a user does, using the menu under the profile icon on the right side of the top bar.
  • The maximum file size in a ZIP archive in Settings - Configuration - Package size limits can now be set to unlimited. It was limited to 1 GiB before.

Fixes:

  • Removed duplicated lines of encrypted content detection for some ZIP archives.
  • Fixed an error in the internal detection engines when checking some types of archives (bug in the library used: https://issues.apache.org/jira/browse/COMPRESS-479).
  • Fixes and improvements of the installer and its documentation.
  • Fixes and changes in the package filters for users (if no state is selected, states are ignored by the filter, correct filtering of requests).
  • Added missing texts and display corrections for FILE_CHECK_REPORT_ADDED audit log.
  • Fixed swapped audit log messages for FILE_ARCHIVE_ADDED and FILE_ARCHIVE_UPDATED.
  • Fixed diskusage in sofie script, so it works even when data directory is a symlink.
  • Fixed a very long server reboot time (added missing dependencies in the systemd units).
  • Fixes in the parallel task processing implementation (for example AV scans). Parallel processing is not used by default.
  • Fixes in helper AV scripts (used by detection engines) for some specific situations. Added debug application logs for AV detection engines.
  • Fixed unhandled exception if datastore is not writable.
  • Fixed an exception blocking login when the protection against repeated login failures had been disabled, multiple invalid logins were attempted, and the protection was then enabled again.
  • Fixed various minor bugs in some forms (non-working close cross, contents of a filled-in form field being deleted, etc.).
  • Added some missing texts and fixed errors in existing ones.
  • Other minor fixes in design and formatting.

Version 1.3.10 (2019/12/10)

Fixes:

  • Fixed the failure of some file checks on FortiSandbox (usually when the file name contained certain national or special characters).
  • Fixed publishing of a package by an admin not working for packages from anonymous (not logged-in) users. The package looked public, but was not.

Version 1.3.9 (2019/11/20)

Minor changes:

  • Added the following to the API for third party applications:
    • get details about a package (including results of package's checks, i.e. which viruses were found in files)
    • when sending a package via the API, a new flag "delete after check" can be set, which causes the package's files to be deleted immediately after the checks finish. Useful for third-party applications using SOFiE only for file security checks (document management and archival applications, etc.).
  • API documentation updated - available here: https://docs.sofie.cloud/en/api/v1/user/

Version 1.3.8 (2019/11/15)

Fixes:

  • Fixed validation of typed in recipients' emails (national characters in e-mail addresses).
  • Recovery from a state where a package was stuck in the queue because of an invalid recipient address.

Version 1.3.7 (2019/11/15)

Fixes:

  • Fixed incorrect behavior, when downloading a report from FortiSandbox - handling of PDF_REPORT_NONEXIST state.
  • Fixed logging for very long file names (limit increased from 100 to 255 characters).

Version 1.3.6 (2019/11/07)

Minor changes:

  • Improved logging of FortiSandbox communication for better tracing and debugging of problems.

Fixes:

  • Fixed a problem resulting in infinite repetition of file checks against FortiSandbox in some specific cases where FortiSandbox returned an unexpected error.
  • Added recognition of a new possible error code returned by a FortiSandbox.

Version 1.3.5 (2019/11/06)

Fixes:

  • Fixed parsing of the output of BitDefender AV, which changed in its last update, so reading information about the detection engine in Settings - Detection settings - BitDefender works again.

Version 1.3.4 (2019/10/25)

Minor changes:

  • Improved logging for better tracing of some potential problems.

Version 1.3.3 (2019/10/17)

Minor changes:

  • Changed the authentication of users in Active Directory so that group membership is now checked recursively. The user no longer needs to be a direct member of the configured group, but can be in a sub-group nested in it, at unlimited depth.
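Recursive group membership, as an added example (not SOFiE's code) of the change above: the Active Directory side can resolve nested membership in one query with the LDAP_MATCHING_RULE_IN_CHAIN matching rule, and the login name placed in that filter must be escaped per RFC 4515 so a crafted name cannot rewrite it. For directories without the matching rule, a client-side breadth-first walk over memberOf with a visited set handles unlimited depth without looping on cyclic groups. The group DNs and memberOf data are constructed.

```python
from collections import deque

LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping for values placed in a search filter, so a login
    name such as 'jdoe)(objectClass=*' cannot change the filter's meaning."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def recursive_member_filter(sam_account_name: str, group_dn: str) -> str:
    """Filter matching the user only if group_dn is in its memberOf chain at
    any nesting depth; AD evaluates the chain server-side."""
    return ("(&(objectClass=user)(sAMAccountName=%s)(memberOf:%s:=%s))"
            % (ldap_filter_escape(sam_account_name),
               LDAP_MATCHING_RULE_IN_CHAIN,
               ldap_filter_escape(group_dn)))


def is_member_recursive(user_member_of, group_member_of: dict, target_dn: str,
                        max_depth: int = 32) -> bool:
    """Client-side equivalent: breadth-first walk over memberOf, DNs compared
    case-insensitively, a visited set so Dev-Team -> All-Staff -> Dev-Team
    cannot loop forever, and a depth cap as a second safety net."""
    parents = {dn.lower(): list(ps) for dn, ps in group_member_of.items()}
    target = target_dn.lower()
    seen = set()
    queue = deque((dn.lower(), 1) for dn in user_member_of)
    while queue:
        dn, depth = queue.popleft()
        if dn == target:
            return True
        if dn in seen or depth >= max_depth:
            continue
        seen.add(dn)
        queue.extend((p.lower(), depth + 1) for p in parents.get(dn, ()))
    return False


# Constructed directory fragment: group DN -> that group's own memberOf values.
# All-Staff and Dev-Team are deliberately members of each other (a cycle).
GROUPS = {
    "CN=Dev-Team,OU=Groups,DC=example,DC=com": ["CN=All-Staff,OU=Groups,DC=example,DC=com"],
    "CN=All-Staff,OU=Groups,DC=example,DC=com": ["CN=SOFiE-Users,OU=Groups,DC=example,DC=com",
                                                  "CN=Dev-Team,OU=Groups,DC=example,DC=com"],
    "CN=SOFiE-Users,OU=Groups,DC=example,DC=com": [],
    "CN=Guests,OU=Groups,DC=example,DC=com": [],
}
SOFIE_GROUP = "CN=SOFiE-Users,OU=Groups,DC=example,DC=com"

if __name__ == "__main__":
    print(recursive_member_filter("jdoe", SOFIE_GROUP))
    dev = ["CN=Dev-Team,OU=Groups,DC=example,DC=com"]
    guest = ["CN=Guests,OU=Groups,DC=example,DC=com"]
    print(is_member_recursive(dev, GROUPS, SOFIE_GROUP))    # True via All-Staff
    print(is_member_recursive(guest, GROUPS, SOFIE_GROUP))  # False
```

The server-side filter is preferable where available, since the client-side walk needs one lookup per group and must fetch each group's memberOf; both variants must treat DNs case-insensitively, as AD does.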

Fixes:

  • Added missing audit log text for FILE_CHECK_REPORT_ADDED.

Version 1.3.2 (2019/10/16)

Minor changes:

  • New setting in Settings - Configuration - Security for turning off the protection against repeated password guessing, which delays each further login attempt.

Fixes:

  • Fixed user authentication when using Active Directory and modified the form for its configuration (added default domain).
  • Fixed the display of the user UI for sending packages and package requests in very narrow windows, and other minor UI optimizations.

Version 1.3.1 (2019/10/03)

Fixes:

  • Fixed an error when deleting users with very long user name.
  • Fixed display of an icon for PDF reports from FortiSandbox checks (on the line with details about file checks under each file).
  • Availability status of FortiSandbox in Detection settings is no longer affected by license state of the FSA (even FSA without a valid license may perform checks).
  • Fixed typo in texts.

Version 1.3.0 (2019/10/01)

New features:

  • Installer and installation manual for self-installation on a customer's own dedicated server.
    • Documentation available HERE.
    • New installations automatically obtain a 30-day, 50-user trial license.
  • Detection engines have a new status discovery feature. The status shows whether the detection engine is working in the particular application installation and can therefore be used. For example, if the ESET AV is not installed, its status is "not available" and it cannot be enabled or used. A set of information about each detection engine is also displayed to the administrator (e.g. license expiration, last signature update, etc.).
  • New AV detection engine supported: BitDefender.
  • New API for third-party usage, which enables automated sending of packages. API documentation can be viewed here: http://sofie-api-docs.s3-website.eu-central-1.amazonaws.com

Minor changes:

  • For FortiSandbox file check results, a PDF report with details can be downloaded.
  • The ReCaptcha score threshold and results logging can be set in Settings - Configuration - Security.
  • In Settings - Configuration - Notifications it is now possible to set whether notifications about a package placed in quarantine are sent to the recipient and/or the (registered) sender of the package. The notification messages differ for each.
  • For better clarity, the detection engines in Settings - Detection settings are now split into categories: "Internal modules", "Antiviruses" and "Sandboxes".
  • The Message-ID of generated e-mails now contains @FQDN, which may lower the chance of the e-mails being tagged as spam.
  • File MIME type refinement by the MIME detection engine is now recorded in the audit log.
  • Changes and improvements in the UI (package recipients, sliding side windows with details, recipients in audit log, etc.).
  • The sAMAccountName attribute from Windows AD is added to audit log messages concerning users, if available (AD/ADFS integration active and the attribute being passed on).
  • User password reset notifications are split into three different cases, each with different text contents:
    1. user himself requests password reset
    2. administrator requests password reset for the user
    3. administrator creates a new user and requests initial password setup
  • Notification e-mail templates now contain separately the original default text and optional modified version for each installation (in preparation for future template edit UI for admins).
  • Modified display of valid license expiration. The date up to which the license is actually issued by the license server is now displayed. In the case of subscription licenses, the license may expire sooner if the license server cannot be contacted for more than 30 days.
  • License information is now also displayed on the administrator's "Dashboard".
  • Public packages are marked by an icon in package lists.
  • Admin may change the package from private to public.
  • Support for parallel processing of multiple file checks (e.g. AV file scans) at the same time. Enabled only by a special parameter in the configuration file.
  • Removed the FQDN setting; the FQDN is now taken automatically from the license / installer, because it must match the license.
  • Added a check of the FQDN used in the (Host) header of each HTTP request. If it does not match the license, the application behaves as in demo mode (mostly read-only).
  • Removed the audit log record for LICENSE_CACHED changes (which occur automatically and regularly and filled the audit log).
  • The shell script "sofie update" prints out the result of a successful update.
  • Raised the limit on the maximum number of files (descriptors) the application may have open from the system default (4 thousand) to 32 thousand. Reaching this limit during normal application operation should no longer happen.
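
The Host header check from this release, as an added example that is not the product's own code: the licensed FQDN is an assumed value (in the product it comes from the license), and the example shows the normalization a practitioner would want before comparing, because a client controls the Host header and can send it with a different case, an explicit port, a trailing dot or an IPv6 literal.

```python
LICENSED_FQDN = "transfer.example.com"   # assumed value; the product takes it from the license


def normalize_host(host_header):
    """Reduce a Host header value to a comparable host name.

    Handles case, an explicit port, a bracketed IPv6 literal and a trailing dot.
    Returns None for an empty or malformed value so the caller treats it as a mismatch.
    """
    if not host_header:
        return None
    host = host_header.strip().lower()
    if host.startswith("["):                      # e.g. "[::1]:8443"
        end = host.find("]")
        if end == -1:
            return None
        host = host[1:end]
    elif host.count(":") == 1:                    # "name:port"
        host = host.split(":", 1)[0]
    elif ":" in host:                             # bare IPv6 or garbage: never a licensed name
        return None
    host = host.rstrip(".")
    if not host or "/" in host or any(c.isspace() for c in host):
        return None
    return host


def host_matches_license(host_header, licensed_fqdn=LICENSED_FQDN):
    """True only if the request was addressed to exactly the licensed FQDN."""
    host = normalize_host(host_header)
    return host is not None and host == licensed_fqdn.strip().lower().rstrip(".")


def select_mode(host_header, licensed_fqdn=LICENSED_FQDN):
    """'full' for the licensed name, 'demo' (mostly read-only) for anything else."""
    return "full" if host_matches_license(host_header, licensed_fqdn) else "demo"
```

Compare against the Host header the application actually received, not against a client-supplied X-Forwarded-Host, unless the reverse proxy in front of the application is known to overwrite that header. A side benefit of rejecting unexpected Host values is that an attacker cannot get an arbitrary host name into links the application generates, such as the password reset e-mails mentioned elsewhere in this changelog.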

Fixes:

  • Fixed detection of MIME types containing a charset in the name (e.g. ffc.bat=application/x-bat; charset=ISO-8859-1).
  • Fixed mangled filenames during saving if the filenames contained national characters.
  • Fixed various UI glitches and text errors.
  • If the declared file size during file upload differs from the real uploaded size, an error is returned (this was not checked before).
  • Increased the time messages can wait in the internal processing queue, which should prevent lock-ups in a wrong state in some special cases.
  • Fixed results in the case of an AV error.
  • Fixed malformed JSON output from AV scripts in some specific cases.
  • Fixed execution of post-install script "sofie.sh".
  • Added missing dependencies of the sofie rpm package.
  • Database migration should no longer skip any steps during update to a new version.
  • Fixed access rights checking when downloading files from a package.
  • Fixed a possible error during upload of files to a package under specific circumstances (cancelling an upload at a certain point and then retrying).
  • Files are now closed after MIME checks finish, so the checks no longer continuously exhaust open file handles.

Version 1.2.3 (2019/06/28)

Fixes:

  • Fixed the migration to version 1.2, in which the newly introduced setting of a custom e-mail prefix is taken from the custom application title. As a result, the e-mail prefix no longer changes after the migration to version 1.2 if a custom application title was in use.

Version 1.2.2 (2019/06/26)

Fixes:

  • Fixed the user access control check when accessing a package, which in specific cases (whole domain allowed in settings and the recipients containing a not yet existing user) resulted in an exception and an error message "500 Internal server error" being displayed to the user.

Version 1.2.1 (2019/06/21)

Fixes:

  • Fixed the migration of administrator rights: in version 1.2.0 only the administrator "admin" had all rights and the other admins had none. Now all admins have all rights (i.e. the same behaviour as before version 1.2).
  • Fixed parsing of the boolean value "disallowedAdminDataAccess" from the license.
  • Modified the Check Point API exception handling.
  • Fixed minor errors in texts and added some missing EN texts.


Version 1.2.0 (2019/06/12)

New features:

  • Licensing integration. Since this version the application requires a valid license. A license is issued for the FQDN of a specific installation. Without a valid license the application runs in a limited mode (demo, mostly read-only).
  • Protection against "phishing" by anonymous users - an anonymous user can no longer enter, as his own address, the e-mail address of an existing registered user or an address from a domain added in settings.
  • Added minimum password strength requirements to the settings.
  • New sandboxing detection engine added: Check Point SandBlast Cloud (through cloud API).
  • New AV detection engine added: Sophos.
  • Private and public packages - a registered user can choose whether the package he is sending is private (accessible only to the listed recipients) or public (accessible to anyone who has the link). Packages from anonymous users are automatically private.
  • Introduced roles and rights for administrators. Each administrator can have any of the following rights granted or removed:
    • "administrator management" = can create, modify and delete administrators, including changing their passwords and rights - the default administrator "admin" always has this right granted and it cannot be removed.
    • "user management" = can create, modify and delete users.
    • "access to list of packages and its metadata" = can list all the packages and view details for each one, but cannot download their contents
    • "access to files of packages" = can download package contents (files) - requires the above right (access to packages)
    • "package management" = can remove packages from quarantine, delete and undelete packages, and perform all other actions related to packages - requires the above right (access to packages)
    • "access to logs" = can view audit logs and modify the syslog settings
    • "application settings" = can perform all remaining actions except those covered by the above rights, that is, in particular, all the remaining settings
  • New mode in which no administrator has access to package contents (files), and this access cannot be granted in any way. This special mode is activated by a license attribute from the licensing server (i.e. after arrangement with Sonpo).
  • Package "forwarding" - a package can be forwarded, similarly to e-mails. No new files can be added to the forwarded package.
  • Packages waiting for scan results now have an expiration time in settings and can also be removed from the queue manually by an administrator. The package is then moved forward (clean or quarantined) according to the already completed scan results and the detection engine settings (mainly whether the detection engine is mandatory). Also added a new admin view "Queued packages", where these waiting packages can be seen.
  • New search field in the user list - an admin can search the list of users.
  • New encapsulating rpm package "sofie" (the other rpm packages, like "sofie-web", "sofie-worker", "sofie-scheduler", are its dependencies) - it contains a systemd script for managing the application and its services (start, stop, restart, show status, show version, back up, update to the latest version, etc.). It simplifies installation or update of the application directly by the customer or partner.
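
The anonymous-sender check from this release, as an added example that is not the application's code: an anonymous sender may not claim a registered user's address or any address in a domain listed in settings. The registered users and protected domain are constructed sample data. Treating sub-domains of a protected domain as protected (`include_subdomains=True`) is an assumption of this example; the changelog only says "from domain added in settings".

```python
# Constructed sample data (not from any real installation).
REGISTERED_USERS = {"alice@example.com", "Bob@Partner.org"}
PROTECTED_DOMAINS = {"example.com"}          # domains added in settings


def normalize_email(address):
    """Lowercase and trim an address; None if it is not of the form local@domain."""
    if not isinstance(address, str):
        return None
    address = address.strip().lower()
    local, at, domain = address.rpartition("@")
    if not at or not local or not domain or any(c.isspace() for c in address):
        return None
    return f"{local}@{domain.rstrip('.')}"


def anonymous_sender_allowed(address, registered_users=REGISTERED_USERS,
                             protected_domains=PROTECTED_DOMAINS, include_subdomains=True):
    """True only if an anonymous sender may use `address` as their own.

    Rejects the address of any registered user (compared case-insensitively), any
    address in a protected domain and anything that does not parse as an address,
    so the safe default on bad input is to refuse.
    """
    email = normalize_email(address)
    if email is None:
        return False
    known = {normalize_email(u) for u in registered_users}
    if email in known:
        return False
    domain = email.rpartition("@")[2]
    for protected in protected_domains:
        protected = protected.strip().lower().strip(".")
        if domain == protected or (include_subdomains and domain.endswith("." + protected)):
            return False
    return True
```

The comparison has to happen on normalized values on both sides; comparing the raw form a user typed against the raw form stored at registration is exactly what lets "Alice@Example.COM" slip past a check for "alice@example.com".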

Minor changes:

  • Improved handling of administrator logout in the background (displays "loading").
  • If the number of users exceeds the licensed amount, the application switches into limited mode (demo, mostly read-only).
  • Added option to set a custom e-mail subject prefix in e-mail settings, so it can now differ from the custom window title in appearance settings.
  • Added option to set a custom optional text header, which is shown in the middle of the top application bar.
  • When an administrator creates a new local user, an e-mail containing a link for setting the user's initial password is sent to the user by default. The administrator can disable this in the user creation dialogue.
  • New settings: expiration times for password reset tokens sent during new user creation and those sent at an administrator's request.
  • Actions from list of packages are now also available in package detail view (in the top right corner).
  • It is now possible to remove recipients from private packages, which revokes their access to the package.
  • An administrator with the package file access right can now download package contents in all package states.
  • An administrator with the package management right can now delete a package in any state, which for example lets him free up the space occupied by a large package.
  • The total size of a package and the number of files in it are shown in package lists.
  • Validation of text field length: the web UI no longer allows a longer string to be entered than is valid for each field.
  • An administrator can create and download ZIP archives for deleted clean packages ("in trashcan").
  • Added a time zone setting for e-mails. Times included in e-mail messages (e.g. password reset token expiration) are now in this time zone instead of UTC as before.

Fixes:

  • Fixed text in settings for clean package expiration.
  • Fixed display of long "change log" records in audit log.
  • Added a limit on message length in the application log for very long configuration parameters (e.g. logo).
  • Fixed audit log message for failed file checks.
  • Fixed ordering of files in package detail - files are now ordered alphabetically.
  • Fixed/added messages in the web interface for unexpected errors of the server backend (including timeouts).
  • Embedding the application in an iframe is now forbidden (clickjacking protection).
  • Reworked/fixed how size values with units are entered in form fields.
  • Fixed MIME, DLP and encrypted content detection - an advanced parser error (e.g. a .doc file not containing a real doc structure) is no longer considered a failed check.
  • The fonts are now an integral part of the application and are not downloaded from the Internet. The web interface therefore works well even when opened in a browser without Internet connectivity.
  • Passwords entered and saved in settings can no longer be displayed again during subsequent edits.
  • Fixed the package upload form so that if a proxy in the path blocks the upload, the upload no longer gets stuck indefinitely and an error is displayed to the user.
  • Changes to the upload form so it works faster and better even with a very large number of files in one package.
  • Fixed failed checks in some cases where large files were sent to FortiSandbox and waiting for the result timed out.
  • Fixed failed checks of large files on FortiSandbox caused by low memory.
  • Removed invalid actions for AD/ADFS user accounts (password change, sending a password reset token).
  • Fixed incorrect behaviour for the combination of a detection engine set to not mandatory and "treat oversize as clean" disabled (a package exceeding the size limit was treated as clean).
  • A change in syslog settings now takes effect immediately rather than after a restart. Strings that are too long (>1000 characters) are shortened for syslog so that a reasonable message size is not exceeded.
  • Various fixes and changes in texts, including e-mails.
  • Suppressed creation of audit log records for changes when no change actually happened (e.g. when editing and saving values identical to the old ones).
  • A user no longer needs to enter a password for a package or package request he himself created.
  • Fixed sending of multiple duplicate notification e-mails and audit logs about package check results.
  • Some fixes when adding recipients.
  • Removed the setting of the admin URL path. This setting alone was not sufficient to change the admin access URLs (some nginx configuration is also needed), so by changing it an admin could have broken the application. The modification is still possible, but it is an advanced manual process which should be consulted with Sonpo.
  • Fixed the password reset token expiration being 5 minutes shorter than advertised (technically the expiration is now 5 minutes longer than advertised, to compensate for delays or clock inconsistencies).

Version 1.1.7 (2019/06/06)

Minor changes:

  • New setting in Appearance section: choice of a welcome page content between anonymous upload form and a login form.
  • Login form modified.

Version 1.1.6 (2019/05/01)

Minor changes:

  • The notification e-mail informing ADFS users about a newly received package now contains a modified link, which redirects the user automatically through the ADFS login.

Fixes:

  • Fixed the redirect to package details after opening a package link while not logged in and then logging in.
  • Fixed the error text in the dialog informing about package inaccessibility for anonymous users. Added a hint about the required login and a link to the login form.

Version 1.1.5 (2019/04/23)

Minor changes:

  • Added an eye icon which toggles the visibility of entered passwords.

Fixes:

  • Fixed the UI design of the package request form (on narrow displays, like mobile, it did not render correctly).

Version 1.1.4 (2019/04/23)

Fixes:

  • Fixed the generated link for ADFS login (which sometimes used http instead of https).

Version 1.1.3 (2019/03/20)

Fixes:

  • Fixed the change of logo picture not working.

Version 1.1.2 (2019/03/17)

Minor changes:

  • Removed the option in AD configuration to check only user existence and not the password during login.
  • Better design of fields for setting sizes (introduced units kiB, MiB, GiB).
  • Added the missing sender of a package request to the e-mail notification and to the web form of an opened package request.

Fixes:

  • Fixed ZIP archive download not working in new installations.
  • Fixed package archive enabled/disabled setting.
  • Fixed validation messages when invalid values are entered in settings.
  • Added a check that the package expiration ("Valid For") is between the minimum and maximum values allowed in settings.
  • When editing a package, the expiration can be set up to the maximum value allowed in settings, counting from the original package send date.
  • Fixed display and processing of notes, including the possibility of a package being stuck in the "waiting for checks" state under specific circumstances.
  • Forced logout of both users and admins on the server side if the account was deleted in settings.
  • Fixed design of table with package list in admin view.
  • Fixed the first and last bars being cut off in the graph on the admin Dashboard.
  • Fixed missing audit log messages for some unsuccessful user logins.
  • Fixed the cache of settings values, which caused new settings not to be applied for some time.
  • Fixed the new size-with-unit settings fields not working in IE11.
  • Other minor UI design fixes.
  • Fixed other minor bugs in settings.

Note: First fully tested version since the start of versioning and therefore suitable for production use (which should hold true for all future versions from this point).


Version 1.1.1 (2019/03/08)

Fixes:

  • Fixed sending a package not working correctly.

Version 1.1.0 (2019/03/07)

New features:

  • Reworked "Settings" for administrators so it has better usability and can be understood without extensive study of the documentation.

Minor changes:

  • UI design changes - packages are marked with flags for different states.
  • Version number integrated (in Settings - Basic settings).

Fixes:

  • Fixed possible harvesting (enumeration) of existing accounts during login.
  • Fixed the possibility of uploading an empty package, or files with a negative size, by using the REST API directly.
  • Fixed the number of failed login attempts of AD users not being limited in time, as it is for other users.
  • Fields in reCaptcha settings are now optional instead of mandatory.
  • Modified configuration default values.
  • Added missing user in some audit logs.
  • Fixed audit logging of some not performed actions during failed logins.
  • Fixed some texts and translations.
  • Other minor fixes.
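
Three login-related entries in this changelog (the account harvesting fix and the time-limited login attempts for AD users in 1.1.0, and the switchable password-guessing delay in 1.3.2) as one added example that is not the application's code. The accounts, the PBKDF2 storage format and the `ad_bind` stand-in for a directory bind are constructed for the example; the product's real backends are not shown on this page. It demonstrates the two properties a practitioner would check for: the response is identical whether the account is unknown or the password is wrong (and an unknown account still pays for one hash computation), and every failure, from the local or the AD backend, feeds the same throttle, which delays the next attempt for that account and client address.

```python
import hashlib
import hmac
import os
import time

GENERIC_FAILURE = "Invalid username or password"   # identical text for every failure cause


def _pbkdf2(password, salt, iterations=100_000):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


# Constructed accounts (not real data). Local users carry a salted PBKDF2 hash;
# "AD" users are verified by a stand-in for the directory bind.
_ALICE_SALT = os.urandom(16)
LOCAL_USERS = {"alice": (_ALICE_SALT, _pbkdf2("correct horse", _ALICE_SALT))}
AD_ACCOUNTS = {"bob": "battery staple"}          # hypothetical directory contents
_DUMMY_SALT = os.urandom(16)


def ad_bind(username, password):
    """Stand-in for an LDAP simple bind against Active Directory (assumed interface)."""
    return AD_ACCOUNTS.get(username) == password


class LoginThrottle:
    """Progressive delay per (account, client address), keyed identically for local
    and directory accounts. enabled=False mirrors the admin switch from 1.3.2."""

    def __init__(self, enabled=True, base_delay=1.0, max_delay=30.0, window=900.0):
        self.enabled = enabled
        self.base_delay, self.max_delay, self.window = base_delay, max_delay, window
        self._failures = {}                       # key -> (count, time of last failure)

    def required_delay(self, key, now):
        """0, or base_delay doubled per consecutive failure inside `window`, capped."""
        if not self.enabled:
            return 0.0
        count, last = self._failures.get(key, (0, 0.0))
        if count == 0 or now - last > self.window:
            return 0.0
        return min(self.max_delay, self.base_delay * 2 ** (count - 1))

    def record(self, key, success, now):
        if success:
            self._failures.pop(key, None)
            return
        count, _ = self._failures.get(key, (0, 0.0))
        self._failures[key] = (count + 1, now)


def authenticate(username, password, client_ip, throttle, now=None, sleep=time.sleep):
    """Return (ok, message, delay_applied); message is None on success."""
    now = time.time() if now is None else now
    key = (username.strip().lower(), client_ip)
    delay = throttle.required_delay(key, now)
    if delay:
        sleep(delay)                              # the server waits, the client cannot skip it
    if username in LOCAL_USERS:
        salt, stored = LOCAL_USERS[username]
        ok = hmac.compare_digest(_pbkdf2(password, salt), stored)
    elif username in AD_ACCOUNTS:
        ok = ad_bind(username, password)
    else:
        _pbkdf2(password, _DUMMY_SALT)            # same cost as a real local check
        ok = False
    throttle.record(key, ok, now + delay)
    return ok, (None if ok else GENERIC_FAILURE), delay
```

The `sleep` parameter exists so the delay is applied on the server side (an attacker ignores anything a client is merely asked to wait for) and so the behaviour can be verified without real waiting. Note that a directory bind will never take exactly as long as a local hash check, so the dummy hash only removes the most obvious timing signal; the generic message and the shared throttle are the parts that stop account enumeration and guessing in practice.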

Version 1.0.0 (2019/02/25)

First version marked with version number. Was never publicly released. Used as a starting mark for version changes. Not suitable for production deployment.

How to find out current version of the application

The administrator can see the current running version of the application in: Settings → Configuration (former Settings) → Basic settings → Application version: 1.2.2-545.

The version tag is also present in the header of all pages (visible in the page source) in the meta tag with name Build, like: <meta name="Build" content="1.2.2-545 (2019-06-26 11:32:20)"/>.

Info about versioning

The version number is composed of three numbers separated by dots: X.Y.Z (e.g. 1.28.5). Each number has the following meaning:

  • The last number (Z) is incremented for fixes or minor changes to an already released production version (a so-called hotfix).
  • The middle number (Y) is incremented for the release of a new version with new features from development (a so-called release).
  • The first number (X) is rarely incremented and is reserved for special occasions (major changes).