ServerDefender VP Release History

Changes in version 2.2.7 (1/2016):

  1. Resolved issue with insecure HTTP cookies being forwarded to HTTPS

Changes in version 2.2.6 (3/2015):

  1. Updated GeoIP library for improved country blocking
  2. Updated the JSON parser library
  3. Resolved issue where IP block counter was not incremented when the IP was temporarily blocked from an email alert
  4. Resolved issue that impacted web summary reports when viewed on the host
  5. Added ability to edit blocked IP addresses from the LogViewer
  6. Resolved issue where file uploads would fail if renamed in the settings manager
  7. Resolved issue where naming convention for HTTP errors did not match in the Log Viewer and Log Viewer filter
  8. Resolved issue where a URL can be bypassed as well as added to a blocked list.
  9. Improved error logs for buffer overflow attacks
  10. Added functionality to sync site status with IIS configuration on apply
  11. Added input sanitization in the HTTP response for the ServerDefender response template
  12. Removed full control permission from ServerDefender install folder and child folders

Changes in version 2.2.4 (9/2014):

  1. Implemented Libinject for SQL Injection attack detection.
  2. Fixed issue of images and CSS not loading in SharePoint 2007 (due to read permission on folder).
  3. Data paths also checked for attacks in the URL string.

Changes in version 2.2.3 (9/2013):

  1. On Session Expiry set to Minimum, unnecessary session expiry template sent. Blank page is shown when session expires.
  2. SDVP GUI hangs on showing LogViewer balloon tip.
  3. Show GMT and Local date/time in Log Viewer.
  4. SDVP now sends logs to Syslog server and also TCP based alert messages.
  5. Added auto Purging of SDVP logs.
  6. Blank page when 404 error template is turned off. Bug: If the 404 template is not enabled, then SDVP does not allow enabling the 404 template.

Changes in version 2.2.2 (5/2013):

  1. Added custom protection profiles for Joomla and WordPress.
  2. Added ability to import settings from another installation.
  3. Added rules to block JavaScript attack vector where query has no name.
  4. Updated headers to include Date/Expires headers and remove multiple cache-control headers.
  5. Improved performance with Smooth Streaming video application.
  6. Improved SDVP performance to prevent slowing or hanging.
  7. Improved functionality with Japanese, Chinese, and Korean characters.
  8. Improved usability when file upload file is changed.
  9. Improved usability for sites that require Microsoft Office file uploads.
  10. Improved Log Collector tool to include selector to collect logs for specified dates only.
  11. Fixed issue where SDVP is bypassed in some situations where site has web directories with different application pools.
  12. Fixed issue where SDVP crashes due to heap corruption.
  13. Fixed issue where logs incorrectly show IP/country block in remarks column for some categories.
  14. Fixed issue where in some instances SDVP logs POST data without regarding log verbosity.
  15. Fixed issue where blank page is served when JavaScript is not enabled in web browser.
  16. Fixed issue where SDVP would use large amount of memory upon applying changes to large number of sites (100+) simultaneously.
  17. Fixed issue where unnecessary data files are created in logs.
  18. Fixed issue where post limit is not reflected in IIS config file.

Changes in version 2.2.1 (11/2012):

  1. UI changes for Session Expiry Response Templates.
  2. Code optimized for scenarios where many sites are present in IIS.
  3. Added functionality to allow for log collection for debugging purposes after SDVP has been uninstalled
  4. Fixes issue when adding new site in Windows 2008.
  5. Input exception fields no longer subject to miscellaneous checks.
  6. Fixes SESSION_EXPIRATION logging issue.
  7. Fixes issue where some log records were split into two lines in Log Viewer.
  8. Fixes GUI crash issue when site is customized with Config Wizard running.
  9. Fixes minor issue in exception engine implementation.
  10. Fixes problem with log verbosity in buffer overflow cases.

Changes in version 2.2.0 (9/2012):

  1. Support for Windows 2012
  2. Improves profile for OWA
  3. Usability improvements to input exception dialog
  4. Adds bulk exceptions on 404s (redirecting)
  5. Makes redirect the default exception action for innocent 404s
  6. Resolves file upload blocking issue
  7. Resolves issue with country IP blocking
  8. Resolves issue for UI hang
  9. Resolves partial install issue

Changes in version 2.1.1 (7/2012):

  1. Windows 7 compatibility added
  2. Removed default local IP exceptions
  3. Directory browsing issues fixed
  4. Additional debug logging added for diagnosis of GUI issues

Changes in version 2.1.0 (6/2012):

  1. Added geographic IP blocking by country of origin
  2. Added a severity filter to the Filter Options in Log Viewer
  3. Added an informational severity classification and reclassified certain events as informational
  4. Allowed List in Resources tab now supports allowing default documents
  5. Updated documentation
  6. Numerous bug fixes

Changes in version 2.0.2 (3/2012):

  1. Removed dependence on IIS 6 Role Services for GUI Components
  2. Added ActiveAlert feature - ability to block and unblock IPs from alert emails
  3. Resolved shared memory cleanup issues, access violation on service restart
  4. Implemented fail-open pattern in event that SDVP Service becomes unavailable
  5. Minor UI improvements in LogViewer
  6. Minor UI fixes
  7. Improved default error templates
  8. Documentation update

Changes in version 2.0.1 (12/2011):

  1. Fixed various usability issues in LogViewer.
  2. Updated SQL injection settings to account for a corner case.

Changes in version 2.0.0 (11/2011):

  1. New Standard View GUI option for easier adjustment of enforcement and logging levels.
  2. Numerous adjustments to default settings to improve security/usability trade-off.
  3. Consolidated multiple wizards into a single Configuration Wizard with Standard and Expert modes.
  4. Improved Daily Report, including new HTML version.
  5. Improved email Alerts, including new HTML version.
  6. Added automatic synchronization of SDVP and ASP.NET sessions.
  7. Fixed install/uninstall issue triggered by slow W3SVC service stops.
  8. Provided work-around for OWA/Exchange 2007 hang issue triggered by ADSI bug.
  9. Numerous usability improvements and fixes.
  10. Updated documentation.

Changes in version 1.2.0 (8/2011):

  1. Added mechanism to distinguish between Suspect and Presumed Innocent 404 errors.
  2. Added option to exclude Low Severity errors from cumulative enforcement mechanisms.
  3. Rationalized Low and Medium Severity error classifications.
  4. Added performance optimization option: exclude static objects from security checks.
  5. Added automatic alert option for URL, 404 and IP exceptions.
  6. Added status/action bar to details pane (LogViewer).
  7. Added color coding of errors by severity to list view pane (LogViewer).
  8. Improved use of Remarks column in the case of Suspect 404 errors.
  9. Added ability to allow/deny resources directly from LogViewer.
  10. Added default exception for .Net anonymous user profile cookie.
  11. Modified alerting mechanism to reduce superfluous alerts by obeying log verbosity settings.
  12. Improved error recovery for installation issues due to slow IIS service restarts.
  13. Removed Cookie New errors from default logging configuration.
  14. Removed deprecated options from Settings Manager.
  15. Fixed Input Validation false positives for POST requests with XML payloads and missing Content-Type header (e.g., OWA 2007).
  16. Fixed issue of erroneous data in Remarks column for URL Denied errors.
  17. Fixed stability issue relating to clean up threads and IPSTATUS object.
  18. Added logging of SMTP errors in Windows Event Log.

Changes in version 1.0.7 (6/2011):

  1. Fixed uninstall issue with FileTypeDetector.exe.
  2. Made View in IIS Logs feature compatible with use of local time for IIS log naming and rollover.
  3. Fixed resource issues when loading large log files in LogViewer.
  4. Fixed issues with the SDVP entry in Control Panel's Add/Remove Programs.
  5. Made default Bot Policy setting for Allowed Requests Without Referer less restrictive.
  6. Fixed logging issue with inconsistent values in Severity column for Temporary IP Blocks.

Changes in version 1.0.6 (3/2011):

  1. Improved throughput by 25% at peak load.
  2. Added redirect option to 404 exceptions.
  3. Fixed issue with SDVP not receiving traffic when large number of sites are configured in IIS.
  4. Fixed problem with Daily Report email not showing data from previous 24 hour period.

Changes in version 1.0.5 (2/2011):

  1. Added full support for mixed-mode (64-bit and 32-bit) scenarios with 64-bit installer.
  2. Added check boxes in LogViewer to allow for persistent marking of individual errors.
  3. Added check box view options.
  4. Removed superfluous Message column from logs.
  5. Changed default column order to emphasize decision-critical log data.
  6. Numerous bug fixes.

Changes in version 1.0.4 (1/2011):

  1. Modified default error status codes for better suppression of information leakage (e.g., padding oracle vulnerability).
  2. Fixed localization issue to correctly support built-in User and Group names in non-English editions of Windows.
  3. Fixed issue causing LogViewer details pane to be populated with wrong Referer data.

Changes in version 1.0.3 (12/2010):

  1. Fixed problem in 64-bit uninstaller (interfering with Windows Update).

Changes in version 1.0.2 (11/2010):

  1. Fixed various installation issues.
  2. Fixed looping problem when SDVP service is stopped.
  3. Fixed spontaneous clearing of statistics on Site Status tab.
  4. Added trial expiration message to daily reports.
  5. Added support for logging/blocking loopback requests.
  6. Added option to disable daily reports.
  7. Added support for multi-parameter query strings in URL Allow/Deny list.
  8. Fixed Add/Edit functionality in directory browsing exceptions list.
  9. Fixed Save As problem in LogViewer (interrupting real time updating of data).
  10. Fixed problems with Data Type and Character Set fields on Input Exception dialog.
  11. Fixed Restore Defaults feature (not restoring 404 Error Template).
  12. Fixed refresh issue on Blocked IPs tab.
  13. Fixed GUI crash following Config Wizard changes to newly added sites.
  14. Added ability for Config Wizard to remove modified sites from default profile.
  15. Fixed import settings/exception validation problem (missing sdvp.dtd).
  16. Fixed IIS Log Analyzer issue (not adding URL Exceptions properly).
  17. Fixed various cosmetic issues.

Changes in version 1.0.1 (10/2010):

  1. Fixed prerequisite check installer issue on Server 2008.

Changes in version 1.0.0 (6/2010):

  1. Initial Release.