McAfee Enterprise Security Manager 10.3.x Release Notes


Contents
- Installation information
- What's new in update 10.3.3
- Resolved issues in update 10.3.3
- Migrating from Flash to HTML

Installation information

Upgrading to this release requires preparation and an understanding of how the upgrade process works.

Before beginning the upgrade:
- Review the upgrade information in the McAfee Enterprise Security Manager Installation Guide.
- Verify that your current McAfee ESM version is 9.6.x (or later). You can only upgrade to 10.x from 9.6.x or later.
- Remove Nitro IPS devices from McAfee ESM. You cannot upgrade to 10.x with deprecated Nitro IPS devices.

After completing the upgrade:
- Before logging on for the first time, clear your browser cache. Not doing so might cause issues when you log on.
- If you plan to upgrade to 11.x, upgrade to 11.0.3 (or later).

What's new in update 10.3.3

Update releases can update platform support.

Import watchlist feature in the HTML interface validates shorter lists than Flash interface
When importing watchlists using the HTML interface, lists containing 1,000 or more values are not validated. Values might be truncated or modified with no notification. In the Flash interface, validation and status messages are provided for lists of up to 25,000 values.

What's new in the 10.3.0 release

Backup and Restore
You can now back up and restore McAfee ESM data.

Dark mode
Setting McAfee ESM to dark mode adjusts the displays to reduce eye strain in dark operating conditions.

Scorecard improvements
The McAfee ESM Scorecard view can now integrate with Tychon (requires a Tychon data source). Tychon is an Enterprise Detection and Response (EDR) product that lets you collect additional data needed to populate Scorecard. In combination with McAfee Policy Auditor and Tychon, customers can use ESM to visualize the 10 assessment items in the US Department of Defense CyberSecurity Scorecard. Scorecard requires McAfee ePO and McAfee Policy Auditor.

Additional VM platforms
ESM virtual machines can now be created on the Azure, Hyper-V (2016 and later), and XEN (6.5 and later) platforms.

Driver support
ESM now supports Intel P4600 drivers.

Resolved issues in update 10.3.3

This update resolves known issues. For a list of current known issues, see McAfee Enterprise Security Manager 10.x.x Known Issues (KB88184).

Reference: Resolution
1255805: Various ESM Redundancy fixes.
1242870: Corrected an issue that prevented McAfee Enterprise Log Manager with SAN from booting after upgrading to ESM 10.3.
1246623, 1256212, 1249825, 2541341, 1255215, 1253688, 1253686, 1253329, 1254508, 1249796, 1253425: Fixed several post-upgrade problems related to a kernel issue.
1255332: Geo Source ID/ASN data is now pulled after upgrading from ESM 10.3.1 to ESM 10.3.2.

1223564: Corrected an issue that caused Office 365 collection to lag.
1239405: Resolved an issue that caused a TMP file to grow in size unnecessarily.
1242992: ACE insert jobs no longer hang with bad queries.
1244304, 1247708: Health Monitor now correctly determines the life left in Micron SSD.
1255332, 1257023, 1257337, 1258305: Fixed several geolocation-related issues.

Resolved issues 10.3.2

Component (Reference): Resolution

McAfee ACE (1225395, 1227559): Historical correlation managers work even when default managers are disabled. Filter issue fixed.

McAfee Enterprise Log Manager
Enterprise Log Search (1231834, 1233732, 1237853, 1238940, 1242096, 1242111, 1244809): Log search process corrected.

McAfee ESM
Alarms (1224458, 1229739, 1242236, 1244984): Syslog or SNMP recipient settings saved correctly. Alarm emails that use custom types now correctly include type and data.
Asset Manager (1187399, 1224355, 1225380, 1237529, 1242505, 1242516, 1249657): Rapid7 VA data now collected correctly.
CAC authentication (1217136): CAC authentication process corrected.
Correlation rules (1243314): Rule configuration saved correctly.
Data enrichment (1226077): Source user field correctly shows user name instead of Microsoft SID.
Email report (1232660): Weekly email report now generated correctly.
Event forwarding (1231821): Event filter displays correct values.
Passwords (1239935): When using Chrome Developer tool, password visibility corrected.
Policies (1237483, 1240117, 1240414): SetThirdPartyConfig tmp file contains complete data source information.
Red flags (1218339, 1238772): Red flag functionality corrected.
Redundancy (1211091, 1235175, 1237728, 1242175, 1244364, 1246391, 1246559): Redundant ESM devices sync correctly.
System properties (1228601, 1230020, 1235908, 1238810, 1238811): Changes to system properties saved correctly.
Time zones (1241373, 1248987): Turkey time zone now available. Backup time zone used correctly.
Views (1235659): NetFlow data now visible.
Watchlists (1234320, 1244589): Dynamic watchlist status corrected.

McAfee Event Receiver (1232989, 1234415, 1234945, 1235014, 1240959, 1241603, 1242239, 1242403, 1243335, 1245387, 1248915): Event data process corrected.
Hardware (1247161): ETM-X7 with Intel P4600 mdadm now generates index_hd.
AWS, Hyper-V, and Azure (1247604): Supports ability to add storage (disks).
HTML (1236839): Improved performance of drill-down and filter queries.

Resolved issues 10.3.1

Component (Reference): Resolution
Redundancy (1240147, 1238917, 1238823, 1238805, 1237930, 1237473, 1236780, 1232166, 1231856, 1230404, 1227133, 1226744, 1226384, 1238537, 1238804, 127930, 1237538, 1235669, 1237493, 1239063, 1239141, 1238945, 1239087): Multiple Redundant ESM fixes aimed at preventing a frozen sync situation.
Email Settings (1236292, 1236451): You can now use a plus sign (+) in email addresses.
Redundancy (1238794): The SendLiveData flag is no longer missing from the database.
Backup (1240578): Fixed an issue that slowed incremental backups.
Restore (1239138): Restore of Alert data now happens during a Restore Backup process.
Reports (1229123, 1229853): CSV Reports now return all Cases results.

Resolved issues 10.3.0

Find issues that have been fixed in this version.

McAfee ACE
1229979, 1231006, 1236642, 1232452: Fixed a recursive loop issue in correlation rules.
1218722, 1222007, 1229025: Fixed the parsing of comma values in parser rules.
1224056: Corrected an issue that caused the McAfee ACE correlator log to fill with SEVERE errors.
1220067: McAfee ACE no longer deadlocks when running "correlator.sh -status" while a rule update is in progress.
1220064: McAfee ACE no longer generates an erroneous IndexOutOfBoundsException.

Database
1204820, 1210245, 1209415, 1221740, 1209623: The SendWatchlistChanges job no longer hangs.

DBM
1206230: Parameterized queries no longer show command as UNKNOWN under the custom types tab.

McAfee Enterprise Log Manager
1216324, 1222957: Fixed an issue that caused an Access denied (ER70) error when a non-admin user performed a McAfee Enterprise Log Manager search.
1224372: When updating McAfee Enterprise Log Manager, the process now completes if the CIFS share takes longer to respond than the update timeout.

McAfee Enterprise Log Manager: Redundant ELM
1222771, 1226366, 1229140: McAfee Enterprise Log Manager redundancy setup no longer gets stuck at 20%.

ESM
1226176, 1227492: Resolved an issue that resulted in empty Scorecard & Asset, Threat, and Risk dashboards.
1236292, 1236451: You can now configure email recipient addresses that include + (plus sign).
1234991: Asset Sources pull from AD now works correctly.
1217387: CIFS View Files functionality no longer fails.
1227367: Corrected an out-of-memory problem caused by queries not terminating properly.
1224344: iSCSI devices now work for Data Archival.
1224500, 1232083: Fixed an issue that caused Properties pages to appear blank when device communication was lost.
1218761: Fixed an issue that caused SFTP TestConnect to fail when there are thousands of files in a directory.
1215847: Fixed a kernel error that occurs when upgrading a combo device from 9.6.x to 10.1.x when all available loop devices are taken by McAfee Enterprise Log Manager storage pools.
1234307: Active response searches now execute successfully on an ESM device.

ESM: Alarms
1217587, 1225706: Corrected false positives for alarms based on non-US geolocations.

ESM: Backup/Restore
1217032: Fixed an issue that caused ESM scheduled daily backups to remote NFS shares to fail.
1222737: Restoring a backup now works correctly on receivers with HA settings.
1239138: Restoring a backup now restores Alert data.

ESM: Case Management
1218899, 1227065: Corrected a navigation issue that disabled the navigation buttons when viewing more than 100 case management cases.
1226398: Bad Query Error no longer occurs when adding Avg Severity field to a Case Management component.

ESM: Data Enrichment
1220769: Data enrichment no longer times out when using a pipe character as delimiter.

ESM: Distributed ESM
1206143, 1216680, 1220040, 1220596: Corrected an issue that precluded the use of a VM as a Distributed ESM.
1222519: Child ESMs now show current data.
1213903: McAfee ACE no longer displays as out-of-sync and no longer shows invalid signature IDs for ACE events on distributed ESM devices.

ESM: Redundant ESM
1227305, 1226384, 1232725: Fixed a problem that prevented Redundant ESM from completing a sync.
1231856: Redundant ESM sync no longer stalls during a re-sync.
1217349, 1219101, 1219576: Sync data is now moved from primary to redundant ESM.
1216804, 1220332, 1219870, 1220330, 1220331: Corrected an issue that prevented Redundant ESMs from syncing properly in some instances.

ESM: Reports
1229123: Query CSV option now retrieves output with a filter set to Open cases.

ESM: Views
1224834, 1224835, 1224918: Fixed an issue that caused only 100 bars to be displayed in distribution charts on the Flash interface.
1222799: Corrected an issue that caused table widgets to display an error: "EC 255 Error Invalid Filter Item, Possible SQL Injection attempted." when marking events as reviewed.
1226125: Details pane no longer goes blank after paging the events list.
1234238, 1240803: Corrected an issue that caused an error when selecting a device during creation of a widget.
1226603: Fixed an issue that caused an HTTP 404 error when scrolling in a Dest IP widget.
1234806: In Scorecard, extra results are no longer displayed after deleting and re-pulling assets.
1217682: Added a validation to support translation of DB values to UI values.

1219372: Fixed an issue that caused some widgets to display records incorrectly for the Administrator user.
1216577, 1226934: The McAfee Enterprise Log Manager logging Archive tab now shows events on separate lines.
1234023, 1236843, 1239507: Fixed an issue that showed a "Something went wrong" error message when using Device ID filters.

McAfee Event Receiver
1227457, 1236953, 1227697, 1229076: CloudTrail now connects to AWS.
1223325, 1226187, 1226185, 1226051, 1227675, 1228474: Improved HA stability and health monitoring.
1231867, 1235191: Send2ELM settings no longer cause receivers to become backlogged waiting for McAfee Enterprise Log Manager disk space to drop.
1228643: Fixed a memory usage error associated with WMI data sources.
1216602: Auto learn now runs on receivers.
1233086: Added a check to ensure the McAfee Event Receiver doesn't exhaust inodes with data collection.
1222915: Added IIS compatible date/time formats for the http collector.
1233082: McAfee Enterprise Log Manager no longer runs out of inodes.
1222238: ePO database instance settings are now applied when changes are written.
1225358: Auto retrieve from VA sources now works.
1221888: Updating a KVM VM to 10.2.0 no longer hangs at startup.
1224551: Wildcard expressions for NFS data sources no longer behave as backward matches.
1216147: NSM devices with fewer active sensors no longer generate Out of Sync flags on a McAfee Event Receiver multiple times per day.
1218540: You can now configure a device to correlate events from a specific device.
1210619: IPFIX now parses correctly.
1216573: IPv4 route is now applied to eth1 on high availability receivers.

User Interface
1224062, 1219097: Fixed a memory leak that caused multiple errors.
1226546: Test connections for data sources using Tivoli now test successfully.
1210455: Corrected an API issue that limited the number of returned alarms to 100.
1235135: Page size property now works properly.
1224078: Error Converting circular structure to JSON after drilling down from Geolocation view.

1224072: Export to CSV now selects the correct data set or number.
1226120: You no longer get an infinite search loop when using 'contains' with an odd number of slashes.
1234870: Corrected an issue that caused packet data to be corrupted when downloaded.
1216577, 1218378: Page breaks are now respected in ELM Archive in HTML5 user interface.
1215843, 1223187: Event drill-down now shows accurate values in widgets.

Migrating from Flash to HTML

With each release, McAfee Enterprise Security Manager functionality continues to move from Flash to HTML5.

10.x:
- Ability to convert Flash views into HTML views (import views into dashboard)
- New HTML dashboard

Copyright 2018 McAfee, LLC. McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others.