Release Notes
McAfee® Enterprise Security Manager (ESM) 9.6.1 MR2
About this document
Thank you for choosing this McAfee® product. This document contains important information about the
current release. We strongly recommend that you read the entire document.
About this release
Release date
Files included
• ESS_Update_9.6.1MR2.signed.tgz
• ESSREC_Update_9.6.1MR2.signed.tgz
• RECEIVER_Update_9.6.1MR2.signed.tgz
• APM_Update_9.6.1MR2.signed.tgz
• DBM_Update_9.6.1MR2.signed.tgz
• IPS_Update_9.6.1MR2.signed.tgz
Upgrade Paths
• You can upgrade to 9.6.1 MR2 directly from 9.5.2 or later.
• You must upgrade versions before 9.5.x following this path: 9.0.2 > 9.2.1 > 9.4.2, 9.5.2 or later > 9.6.1 MR2
Bug Fixes and Enhancements
This section provides a description of the fixes and enhancements included in this Maintenance Release.
NOTE: This update is cumulative (i.e. 9.6.1 MR2 contains all the fixes and enhancements that were previously in 9.6.1 MR1) and may be installed over the top of 9.6.0 GA, MR 1, 2, 3, 4, 5, 6, 7, 8, 9 and 9.6.1 GA, MR1.
9.6.1 MR2
Bug Fixes
Reference Number | Device | Area | Issue Description
1193689 | ESM | User Interface | Auto refresh now picks up new ePO extensions.
1192771, 1193227 | Other | Other | Resolved a failure to boot issue when upgrading to ESM 9.6 or 10.0.
1202424 | ESM | Views | Bad Query on views filtering by Device Type ID CLASS.
1188096 | ESM | Redundant ESM (RESM) | Resolved an issue that prevented SNMP Health Requests from being retrieved from a Redundant ESM.
1196145 | ESM | Other | Added support for SMBv2 for file collection.
1182550, 1188454 | Receiver | Collectors | Resolved an issue that prevented AWS CloudTrail Datasource data collection.
1144706 | ESM | User Interface | Resolved an issue that caused an error message while editing the Date time format of ASP mapping in the Japanese version.
1187554 | ESM | Backup / Restore | Fixed an issue that caused watchlist entries to not be restored from a full back-up.
1190606 | ACE | Other | Match component filter with a comma in a correlation rule now works correctly.
1198492 | ESM | Views | Filtering by special characters at the beginning of a string no longer results in a Bad Query Error.
1184492 | ESM | Other | Removed symlinks to a non-existent startup script.
1182573 | ESM | Other | Accumulator field is now displayed for correlation events.
1189341 | ESM | Data Enrichment | Data Enrichment Source tab now allows non-ASCII characters in the Path field.
1193872 | ESM | Other | Removed TLS v1.0 support.
1193866 | ESM | Other | Updated to latest Java version.
1157226, 1099966, 1170534, 1180693, 1079411, 1157739 | Receiver | Other | Syslog now gracefully recovers when too many connections are active.
1194649 | ESM | Other | Fixed an issue that prevented the job for Discover NSM. Added an optional config file to fine-tune rsync for different customer environments.
1173204 | ESM | Data Enrichment | Resolved an issue that caused the data enrichment process to fail when using the LDAP "Description" field content.
1187443 | ESM | Other | Corrected an issue that caused the port number setting to be ignored when importing SFTP data source settings from a CSV file.
1182465 | ESM | Other | Set a 1TB maximum disk usage limit on DAS drive packet tables.
1191951, 1192154, 1202077 | ESM | Alarms | Fixed a regression that prevented internal events from being written.
1195944 | ESM | Reports | Improved query and report speed.
1196478, 1189285, 1196479 | ESM | Other | When modifying a Checkpoint data source with child data sources, all the child data sources were disabled when the IP of the data source wasn't changed. This disabled state is now set only when validation is required for the IP/port of the data source.
1188268, 1171478, 1149775 | ESM | Alarms | Added the ability to create alarms for groups of data sources.
1186823 | Receiver | Other | Removed unused symlinks that caused error messages.
1184401 | ESM | Policy | Corrected erroneous conflict errors during the policy import process.
1159179 | ESM | System Properties | Corrected an issue that prevented users from removing email recipients from email groups.
1196773, 1199677, 1197646 | ESM | Reports | Fixed an issue that prevented reports with non-default date formats from being run.
1197822, 1196944, 1197825, 1198494, 1197724, 1201480, 1196134 | ESM: Views | Other | Resolved an issue that was causing invalid error messages when viewing the email content pack.
9.6.1 MR1
Bug Fixes
Reference Number | Device | Area | Issue Description
1111767 | ELM | Other | Resolved an issue that would cause ELM Statistics to show zero logs for some Data Sources, even though the ESM UI shows there are logs in ELM.
1130033 | ESM | Reports | Selecting a custom time range and a date format other than mm/dd/yyyy could produce incorrect data sets and time ranges.
1139436 | Database | Other | Improved the logic to clean temporary files from the archive directory when dbserver restarts.
1141155 | ELM | Database | The ELM database would delete old partitions without warning if the database and storage pools were stored on the same device and that device reached 90% full.
1150643 | ESM | Views | Improved the handling of special characters for filtering and views.
1150774 | ESM | Alarms | Device status change alarms now accurately trigger at the data source level.
1153814 | ESM | Data Enrichment | LDAP Data Enrichment would not return any results if a non-ASCII character was used in the query.
1154596, 1155865 | ELM | Search | Resolved an issue where ELM logs would not be fully decoded when retrieved through ELM Search.
1156585, 1126930 | Receiver | Collectors | Data collection would not resume after rebooting VMware vCenter Server.
1157922 | ESM | Alarms | Clicking "case link" on the generated alarm's Actions tab would result in an error if the case summary contains the pipe ('|') character.
1157940 | ACE | Other | Deviation component for flows using event count as the deviation field would fail to write out to the ACE.
1158910 | ELM | Other | When reducing the size of a storage pool, the amount of available space would display incorrectly in the storage pools tab of ELM properties.
1160429 | ELM | Other | Improved handling for displaying ELM search metadata for different date formats.
1160950, 1169537, 1154790 | Receiver | Other | Resolved an issue that would cause an error message to report that re-keying a device failed when it was actually successful.
1161125 | ESM | Views | Resolved an issue that would cause long running delete queries to spawn additional queries.
1162888, 1179314 | ELM | Other | Logs sent to the ELM would be deleted if no entry is found in the ds2rg table.
1163035 | ESM | Custom Types | Custom types in Name/Value groups would not be displayed in the event view for the Japanese UI.
1163240 | ELM | Logs | If ELM logs had duplicate archive ids, incorrect raw logs would appear in the UI with some events.
1163730, 1167571 | Receiver | Other | Resolved an issue where unknown events would show at the data source parent level when using SIEM Collector.
1164411, 1153616, 1168229 | ELM | Redundant | Fixed the counting of files for the rsync status to not include close matching numbers like 1, 10 and 11 multiple times.
1164452 | ELM | Database | Resolved an issue where the "Being moved" lock file was not cleaned up after an ELM DB size increase.
1166780 | ESM | Policy | The Japanese characters in the description when importing correlation rules were not being properly encoded. The import logic was modified to correctly maintain the encoding of characters.
1167177 | ESM | Flash UI | Changing the hostname or vendor/model of a client data source would fail if the data source vendor/model and host name were in use by another client.
1167541 | ESM | Redundant | ACL setting would not get replicated to the Redundant ESM.
1168003 | ESM | Distributed | Resolved an issue that would cause pulling packet data the first time to fail.
1168222 | ESM | Flash UI | When changing the name of existing parameters in the correlation rule editor, the name would change to unknown. The default value for the parameter was changed to always maintain the same format.
1168356 | Receiver | Other | Resolved an issue that prevented parsing of an HTTP data source due to extra white space.
1168675 | ESM | Security | Resolved an issue that caused AD user accounts to stay locked after the lockout duration had expired.
1168730, 1123306, 1130254 | Receiver | Other | Resolved an issue that would trigger a device health alarm on a non-HA receiver of: "HA status changed from Critical to Warning".
1169223, 1185517 | ESM | Distributed | Resolved an issue that would cause the ACE to show out of sync on a distributed ESM.
1170168 | ESM | Flash UI | Resolved an issue that prevented expanding of correlated events in source events when logged in as a limited user.
1171229 | ESM | Reports | Resolved an issue that prevented deselected emails in an email group from being removed from the group.
1171319, 1159989, 1163200, 1175912 | Receiver | Other | IPMI would not function with ERC 1260 receivers.
1171864 | ESM | Watchlist | Watchlist would not get all of the file hashes when it was uploaded from the ATD Cyberthreat feed.
1171969 | ESM | Distributed | Destination user and Object fields were sporadic in propagating up to the parent ESM.
1172007, 1177421, 1178857 | Receiver | Collectors | Resolved an issue where eStreamer would not write out correct JSON to be parsed.
1172474 | ESM | Other | Multiple threads of the UpdateMTISThreads would run when the thread takes a long time to finish.
1173929 | ESM | Flash UI | When doing a host lookup with correlation events, the host lookup would not display in the correct column.
1174315 | ESM | Data Enrichment | When performing data enrichment with a lookup field custom type = 5, the destination fields would not be replaced by data enrichment.
1174380 | Receiver | HA | The default gateway would not be assigned to the shared IP interface after HA fail-over.
1174542 | DBM | Other | The TNS module in the DBM failed to handle a particular data encoding that TOAD (Tool for Oracle Application Developers) was using.
1174556 | ESM | Reports | Resolved an issue that would cause stacking distribution charts to contain incorrect 'others' values.
1174838 | ACE | Other | Resolved an issue that would allow an unsupported field in a deviation.
1175569 | ESM | Health Monitor | Enhancements to the health monitor for device communication errors.
1176269 | ESM | Policy | Added user information to policy change history.
1177260 | ESM | UI | When correlating with a large threshold, it was possible to exceed the supported packet length.
1178305 | ESM | Reports | Report would not be generated if the Devices filter is empty. Added a check in the UI to validate that a device is selected.
1180258 | ESM | Alarms | Alarm acknowledge date and time was incorrectly displayed in the details panel and the clipboard.
1180636, 1158297, 1181997, 1184605, 1184764, 1193524 | ELM | Search | Enhanced ELM log retrieval to search through all possible log files instead of just one log file. Some log entries in aggregated events were not being displayed.
1181790 | ACE | Other | Added notifications when correlation rules, threshold, and deviations exceed the maximum packet length.
1182029 | ELM | Other | Resolved an issue that, in rare instances, prevented logs from being displayed when a user was connected to an ELM through SFTP.
1183281 | Receiver | Other | Resolved an issue that caused syslog messages to be sent to a data source when the host name matched but the port did not match.
1183572 | ESM | Reports | Resolved an issue where the ESM would incorrectly delete temporary files that were being used for running report queries.
1183723 | ELM | Other | Resolved an issue where the bloom does not get set when duplicate ELM ids span multiple partitions.
1184113 | ACE | Other | The correlation rule never triggered under a specific condition.
1184292 | ESM | Flash UI | Updated the label of the ACE communication configuration panel to be correct.
1184522 | ESM | Rules | Resolved an issue that caused extra rows to be added when saving ASP rule text.
1185031 | ACE | Other | Set the maximum allowed value for the ACE Risk Correlation Manager threshold to 99%.
1185261 | ELM | Redundant | Resolved an issue that prevented a redundant ELM from syncing completely.
1187430, 1187677 | ACE | Other | Resolved an issue that caused alarms to trigger more frequently than the Maximum Condition Trigger Frequency (cooldown) setting.
1188302, 1188301, 1188448 | ESM | Other | Resolved an issue that caused false error messages when users tried to view event data.
1189266 | ESM | Other | Improved memory handling when the ESM populates the device tree and when retrieving a list of correlated events.
1188742, 1188752 | | | Resolved an issue where editing blacklist IP addresses would fail due to extra '\' characters present in the command's parameters.
9.6.1
Bugs
Reference Number | Device | Area | Issue Description
1162135 | McAfee SIEM | ESM: Views | When exporting table results from a custom case view, the dialog to download the results would not show up.
1181609 | McAfee SIEM | ELM | API service would stop running during logging to edsftp.
1162069 | McAfee SIEM | ACE | Improved memory handling routines for java correlator processes.
1161564 | McAfee SIEM | ELM | When a DAS entry in the Das.conf file had a uuid of zero, there would be an entry visible in the System > Properties > Database > Data Storage > DAS page which resulted in the appearance of an extra DAS device.
Enhancements
Reference Number | Device | Area | Issue Description
None | All (except IPS) | Hardware | Added support for Gen 5 Hardware
None | | | Added support for Check Point R80
9.6.0 MR9
Security Fixes
Reference Number | Device | Area | Issue Description
1176754 | McAfee SIEM | ESM | Updated NTPD to version 4.2.8p9
Bug Fixes
Reference Number | Device | Area | Issue Description
1179064 | McAfee SIEM | ESM | Modifications to the way CPConsoleServer.cfg handles the configuration parameter "allow_ssh".
1178285 | McAfee SIEM | DBM | DBM would fail to capture traffic from an MSSQL database when using dynamic ports.
1145759 | McAfee SIEM | DBM | Removed the option to use nitrofirewall capture from the DBM.
1162445 | McAfee SIEM | User Interface: Flash (traditional UI) | When selecting a client data source for filtering event forwarding results, the parent device would be shown on the device form instead of the client data source.
1167190, 1167576, 1167580, 1167757, 1168745, 1177122, 1177756, 1180901, 1168747, 1168745 | McAfee SIEM | ESM | Datasource inactivity flags would not properly clear.
1177859, 1122299, 1165318 | McAfee SIEM | ELM | Improved the performance for obtaining ELM storage pool data.
Enhancements
Reference Number | Device | Area | Issue Description
None | Receiver | Other | Added Support for CheckPoint R80
9.6.0 MR8
Security Fixes
Reference Number | Device | Area | Issue Description
1166416 | ESM | Security | Updated Kernel to resolve "Dirty COW" CVE-2016-5195 (CVSS3 6.4/6.1)
1166418 | ESM | Security | Updated JRE/JDK package to version 1.8.0 u102