Trustwave ECM Release Notes

Version: 7.2, Last Revision: February 24, 2017

These notes are additional to the Trustwave ECM User Guide and supersede information supplied in that Guide.

The information in this document is current as of the date of publication. To check for any later information, please see Trustwave Knowledge Base article Q20726.

Table of Contents

New Features
System Requirements
Upgrade Instructions
Release History

New Features

For more information about additional minor features and bug fixes, see the release history.

Features New in 7.2.0

Features New in 7.1.5

Features New in 7.1

Features New in 7.0

System Requirements


Trustwave ECM is supported in the following environments:

Trustwave ECM is a 32-bit application.


Hardware required is dependent on Microsoft Exchange Server. Follow Microsoft recommendations. Be aware that Trustwave ECM processing has a noticeable impact on email throughput.

You may require additional hard disk space depending on your archiving and quarantine retention policies. For default policies on a typical 1000-user server, Trustwave recommends you allow an additional 50 GB of free disk space for text logs, quarantine and archiving folders.

Installation recommendations

To help ensure smooth functioning of Trustwave ECM, Trustwave recommends the following:

Usage Notes

Upgrade Instructions

Upgrading from version 7.X

Direct upgrade is supported from ECM (MailMarshal Exchange) 7.0 and above.

Notes on Upgrading

Migrating from version 5.X

Direct upgrade from MailMarshal Exchange (ECM) 5.X is not supported. Trustwave ECM version 7.X uses a different architecture to version 5.X.


Trustwave ECM can be installed in a variety of scenarios. For full information on uninstalling Trustwave ECM from a production environment, see the User Guide.

To uninstall a trial installation on a single computer:

  1. Stop and disable the Trustwave ECM Agent for all Exchange servers.
  2. Close all instances of the Trustwave ECM Configurator and Trustwave ECM Console. Stop the websites of Web Components.
  3. Use Add/Remove Programs from the Windows Control Panel to remove Trustwave ECM.
  4. Use Add/Remove Programs from the Windows Control Panel to remove additional components you may have installed, such as Web Components.
  5. If you have installed any components (such as the Configurator, Console, or Web Components) on other computers, uninstall them.
  6. If you have installed SQL Express specifically to support Trustwave ECM and no other applications are using it, uninstall SQL Express.

Release History

The following additional items have been changed or updated in the specific build versions of Trustwave ECM listed. To check for any later information, please see Trustwave Knowledge Base article Q20726.

7.2.0 (February 24, 2017)

MEX-912 Office 2003 documents containing embedded OLE object containers were deadlettered. Fixed.
MEX-952 When installing in a custom location or changing folder locations in the Server Tool, permissions were not correctly set on the folders. Fixed.
MEX-975 The Exchange Agent has been updated to use the Exchange 2010 version of the SDK. This change resolves an informational/best practice event that was logged by Exchange in earlier versions.
MEX-977 In some cases content extracted from Office documents was incorrectly identified as EMF instead of WMF, resulting in a deadlettered message. Fixed.
MEX-978 Handling of SQL database partitioning has been improved.
MEX-980 Product branding has been updated to Trustwave ECM throughout. Install and Registry locations are not changed. The default virtual directory name for the Web Admin Console has been updated (for new installations only).
MEX-981 The installer checks for the Trustwave root certificate and attempts to install it if necessary.
MEX-982 Earlier versions of the product could not access the automatic update server due to use of updated SSL signing on the server. Fixed.
MEX-984 Certain binary RTF message bodies could cause the Engine to stop. Fixed.
MEX-985 The versions of libcurl and OpenSSL used have been updated.
MEX-986 In some cases where an attachment was an Office 2003 document containing an embedded Office 2007/2010 document, the message was deadlettered due to an unpacking problem. Fixed.
MEX-987 The Agent now installs with Set-TransportService as per Microsoft best practice.
MEX-996 The version of SQL Express included with the installer is updated to SQL 2016.
MEX-999 Installation with Exchange 2007 is no longer supported.
MEX-1001 MSXML4 is no longer used or installed.
MEX-1002 The Engine service better handles stopping and restarting under load (for example with virus scanner reloading).
MEX-1008 Signing of executable files now uses a SHA256 certificate.

(January 12, 2015)

MEX-920 A message addressed to multiple distribution groups could be delivered to a recipient twice when released from quarantine. Fixed.
MEX-958 The URL for the Trustwave RSS feeds in the Console was incorrect. Fixed.
MEX-963 If the Controller service could not retrieve the location of the Exchange Replay directory, it could stop unexpectedly. Fixed.
MEX-965 The End User Licensing Agreement included in the product has been updated to the latest version.

(May 8, 2014)

MEX-955 The product installer would not run on Server 2012 R2 and Windows 8.1 due to incorrect detection of the OS version. Fixed.

(December 17, 2013)

MEX-914 Locations of the Incoming, ProcessedOK, DeadLetter, and Sending directories set in the Server Tool were not honored by the Agent. Fixed.
  • Note: If you move the Queues folder (parent of the Incoming, ProcessedOK, and Sending directories), you must grant full control over the new folder to the Network Service account used by the Exchange Agent.
MEX-915 In earlier versions installation with Marshal Reporting Console could fail due to a problem with prerequisite checks. Fixed.
MEX-918 Message files could not be opened in the Console for processing node IDs greater than 9, due to a file naming error. Fixed for newly created files. Incorrectly named existing files must be renamed manually.
MEX-921 On nodes with ID greater than 9, MML files were incorrectly named. Fixed for newly created files.
MEX-923 Notification message sending could fail if the Replay folder was not in the default location. Fixed: the Controller service now periodically verifies the location of this folder.
MEX-925 The Unpacker has been updated to the version supplied with SEG 7.1.
MEX-926 The PDF unpacker DLL provided has been updated to (this version was already provided through automatic updates).
MEX-927 The File Type DLL has been updated to the version supplied with SEG 7.1.
MEX-928 Messages with recipient address user parts over 64 characters in length could not be released from the Console. Fixed.
MEX-941 The installer did not correctly detect clean installations of Exchange 2010. Fixed.
MEX-942 Email sent by Exchange 2013 Health Check Monitors is not processed by default. For details and settings, see Knowledge Base article Q16478.
MEX-943 The check for excessive numbers of header lines is not performed due to Exchange 2013 behaviors that can result in large numbers of header lines.
MEX-944 The version of SQL Express included in installers has been updated to 2008 R2 SP2.
MEX-946 The Replay directory path could not be determined correctly if more than one Exchange server was present in the AD environment. Fixed.
MEX-950 New installations of Web Components bind the website to port 82 (because Exchange 2013 uses port 81). Upgrading does not change the existing binding.
MEX-951 Messages affected by the issue described in MEX-883 are now processed normally by default.

(March 14, 2012)

MEX-902 The check for email files orphaned by a system halt was checking an incorrect folder. Fixed.
MEX-903 The PDF unpacker DLL provided has been updated from 4.0 (in version 7.1.0) to 4.1.
MEX-904 In version 7.1.0, PDF attachments with Unicode characters in the filename were not unpacked and scanned. Fixed.
MEX-908 In version 7.1.0, a message with duplicate email addresses (addressed to the same recipient more than once) would not be delivered in some cases. Fixed.

(Limited availability February 7, 2012)

MEX-831 Return of messages from the Engine to the Agent (and to Microsoft Exchange) now uses a new, faster process.
MEX-848 Some information has been removed from the standard (not debug) view of service text logs, to enhance readability.
MEX-850 Category Scripts that searched the message body using Regular Expressions (RegExpBody) did not check TNEF bodies. Fixed.
MEX-863 Messages with attached Office 2003 documents that contained embedded Office 2007/2010 documents were deadlettered. Fixed.
MEX-864 When services failed unexpectedly, some service logging information was not correctly cleaned up on restart. Fixed.
MEX-883 In rare cases a message was wrongly reported as corrupt when sent between Exchange hub servers in the same domain with different Exchange versions and separate MailMarshal Exchange arrays. Fixed: Contact M86 Support for a setting to allow these messages.
MEX-892 Messages with attached Office 2003 documents that contained embedded Office 2007/2010 documents were deadlettered. Fixed.
MM-108 Many images are now extracted from PDF documents.
MM-1567 PDF unpacking now handles Unicode.
MM-2236 Some PDF files caused recursion in the Engine and could not be unpacked. Fixed.
MM-2363 The version of 7zip (archive unpacker) included with MailMarshal has been updated to 9.20. This version handles additional compression formats.
MM-2834 PDF files with limitations on printing and other functions were incorrectly identified as Encrypted PDF. Fixed.
MM-2837 Image Analyzer has been updated to version 5.
MM-2859 Binary files are now better recognized as type COM or EXE.
MM-2977 PDF Xref detection is improved.
MM-3332 Engine logs for each message are now stored in the message file. The Console message viewer displays the available information in a separate tab.
MM-3367 Certain Office 2007 documents were not recognized due to internal structure. Fixed.
MM-3387 SQL code for database creation and upgrade is now within a transaction to allow easier rollback if problems are encountered.
MM-3410 DBlog files now correctly handle larger content.
MM-3419 Office 2007 files generated through the OpenXML SDK were not correctly unpacked. Fixed.
MM-3422 PDF unpacking has been improved, notably for Unicode and some encodings of images.
MM-3427 The MailMarshal database now supports index partitioning if installed on SQL Server Enterprise Edition (for new databases only).
MM-3456 User Defined and custom document properties are now unpacked and scanned in Word 2003 and Word 2007 documents.
MM-3472 The Server Tool now checks the validity of the configured database on startup (this allows the database to be re-created when the SQL server has been rebuilt).
MM-3494 Word documents encrypted with IRM in Word 2007 (2003 compatibility mode) were deadlettered. Fixed: these documents are correctly recognized.
MM-3513 Messages quarantined with a default release action of "skip remaining rules" were not reprocessed as requested upon release. Fixed.
MM-3514 Console Dashboard data was never purged from the database. Fixed.
MM-3538 The certificate used to sign executable files has been updated.
MM-3539 The message parking feature logged redundant messages when a message was unparked. Fixed.
MM-3550 Logging of low disk space warnings has been enhanced for readability.
MM-3551 The Array Manager could stop unexpectedly if a new database was created and configuration was not synchronized. Fixed.
MM-3598 PDF unpacking has been enhanced. Images, attachments, and annotations are unpacked.
MM-3604 Deadlettered messages can be passed through to users by rule action.
MM-3612 The integration with Norman Endpoint Protection is updated.
MM-3613 Retention and permissions for Deadletter folders are now set through the Configurator.
MM-3628 EMF files are now correctly unpacked and the contents are scanned. See also MM-3725.
MM-3649 Additional logging has been added in the Engine service for Dead Letter rule processing.
MM-3684 Error messages logged to the Event Log could cause issues due to recursive substitution of variables. Fixed.
MM-3696 PDF unpacking has been improved. Incorrect character strings are no longer present.
MM-3697 PDF unpacking now supports "linearized" PDF.
MM-3699 Selecting the default message digest template for new digests loaded additional incorrect characters. Fixed.
MM-3705 The Console and Configurator now use the terms "Content Analysis Policy" or "Content Analysis Log".
MM-3712 A more descriptive logging message is written by the Array Manager on shutdown when the SQL database is unavailable.
MM-3725 Files unpacked from EMF files (MM-3628) are only saved and scanned if they are of a recognized type. Type BIN (unknown) files are not saved.
MM-3770 Upgrade now provides more user-friendly information about status during database upgrade.
MM-3771 Upgrade now provides more user-friendly information about status while calculating time required for database upgrade.

(July 14, 2011)

MEX-810 Upgrade required a restart to replace the Transport Agent. Fixed - no restart will be required.
MEX-817 Installation could fail because it did not correctly check that the local Exchange Server was configured with the Hub Transport role. Fixed.
MEX-819 Out of Office messages and other messages with a blank Sender field could result in a .BAD file in the Replay directory. Fixed.
MEX-827 Exchange Server did not generate delivery reports because MailMarshal Exchange did not copy recipient DSN data to the message envelope. Fixed.

7.0.1 (March 21, 2011)


Legal Notice

Copyright © 2017 Trustwave Holdings, Inc.

All rights reserved. This document is protected by copyright and any distribution, reproduction, copying, or decompilation is strictly prohibited without the prior written consent of Trustwave. No part of this document may be reproduced in any form or by any means without the prior written authorization of Trustwave. While every precaution has been taken in the preparation of this document, Trustwave assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

While the authors have used their best efforts in preparing this document, they make no representation or warranties with respect to the accuracy or completeness of the contents of this document and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the author nor Trustwave shall be liable for any loss of profit or any commercial damages, including but not limited to direct, indirect, special, incidental, consequential, or other damages.


Trustwave and the Trustwave logo are trademarks of Trustwave. Such trademarks shall not be used, copied, or disseminated in any manner without the prior written permission of Trustwave.

About Trustwave®

Trustwave helps businesses fight cybercrime, protect data and reduce security risk. With cloud and managed security services, integrated technologies and a team of security experts, ethical hackers and researchers, Trustwave enables businesses to transform the way they manage their information security and compliance programs. More than three million businesses are enrolled in the Trustwave TrustKeeper® cloud platform, through which Trustwave delivers automated, efficient and cost-effective threat, vulnerability and compliance management. Trustwave is headquartered in Chicago, with customers in 96 countries. For more information about Trustwave, visit