McAfee Advanced Threat Defense 3.4.4

Release Notes

McAfee Advanced Threat Defense 3.4.4

Revision B

Contents

- About this release
- New Features
- Enhancements
- Resolved issues
- Installation and upgrade notes
- Known issues
- Product documentation

About this release

These release notes announce the availability of McAfee Advanced Threat Defense software version 3.4.4 for McAfee Advanced Threat Defense Appliance models ATD-3000 and ATD-6000.

If you plan to integrate this version of McAfee Advanced Threat Defense with other supported products, the minimum supported software combination is listed below (Product Name: Version):

- McAfee Network Security Platform:
  - Network Security Manager: 8.0.5.9 or later
  - Signature set: 8.6.18.10 or later
  - M-series: 8.0.3.10 or later
  - NS-series: 8.0.5.8 or later
  - Virtual IPS: 8.0.7.9 or later
- McAfee Web Gateway: 7.4.0-16053 or later
- McAfee Email Gateway: 7.6.3 or later
- McAfee Next Generation Firewall (McAfee NGFW): 5.8 or later
- McAfee Data Exchange Layer: 1.0.0.1070 or later
- McAfee Threat Intelligence Exchange: 1.0.0.824 or later
- McAfee Agent: 5.0.0.2710 or later
- McAfee VirusScan Enterprise: 1247 or later
- McAfee Enterprise Security Manager (McAfee ESM): 9.4.1 or later

New Features

This release of McAfee Advanced Threat Defense includes the following new features and enhancements:

SNMP support for ATD

With this release, SNMP services are extended to ATD. The SNMP service allows users to obtain integral values for the following quantifiable attributes of the Advanced Threat Defense components. This information enables users to manage Advanced Threat Defense resources efficiently.

- CPU Utilization
- HDD System Space Utilization
- Memory Utilization
- HDD Data Space Utilization
- Interface Counter
- Number of samples in waiting queue
- System Temperature
- Number of samples under analysis

Users can also configure SNMP services to receive SNMP TRAPS for the following attributes. SNMP TRAPS are alert messages that notify users that the integral value of an attribute has reached or exceeded the user-defined limit for that attribute. Traps are sent every 60 seconds if the integral value exceeds the configured threshold value:

- CPU Utilization
- Memory Utilization

Enhancements

This release of the product includes these enhancements.

Syslog enhancement and integration with ESM via syslog

With this release, along with the existing Analysis Results and User Login/Logout information, other information such as HDD Utilization, CPU Utilization, Interface Status and Memory Utilization is made available on an external syslog server, including McAfee Enterprise Security Manager (ESM). This is done for all the files analyzed by Advanced Threat Defense. Users can now configure an external syslog server through which this information is sent.

This release extends syslog event support to Load Balancing. Syslog events are generated for state transitions of the Primary/Backup nodes. These events are generated at a 5-minute interval once the state has changed.

Resolved issues

These issues are resolved in this release of the product. For a list of issues fixed in earlier releases, see the Release Notes for the specific release.

Resolved McAfee Advanced Threat Defense Appliance software issues

The following table lists the resolved high-severity issues:

- 948389: Clean PDF files are getting detected as malicious.

The following table lists the resolved medium-severity issues:

- 1041933: IPS service crashes. Following URL message is displayed: FileId: %d URL: (%d)%s") at logbase.c:486.
- 1038334: ATD reboots when "shutdown" command is executed.
- 1037752: "Qualys" scan shows several vulnerabilities.
- 1037244: ATD is not able to send data from "Analysis Results" to "Export CSV".
- 1036808: Whitelist is automatically disabled.
- 1036431: ATD returns incorrect analysis result for sample submission via Rest API.
- 1036430: MS Office license activation fails using "Activation Over Call" option, after VM profile is created.
- 1034867: VM displays "Audio Device Error" using X-mode.
- 1033189: IPS service crashes and ATD is not able to process any samples from UI and NSP.
- 1031468: Unnecessary control characters are observed in JSON response.
- 1031312: XMode is not displayed when samples are submitted with "Interactive mode" option.
- 1030444: ATD cannot get the .zip file using RestAPI or "Export" function from Analysis Results->Complete Results in UI.
- 1029298: Customer cannot access GUI on ATD.
- 1028636: "factorydefaults" fails to recover whitelist to original state.
- 1028114: ATD stops accepting samples after 250K samples are sent.
- 1027918: Customer samples are being seen as malicious, especially PDF and XLS files.
- 1027075: Certificate errors crop up while accessing ATD through RestAPI using SAP ABAP application.
- 1026680: FTP TEST and SUBMIT buttons do not work when password contains "&" character.
- 1026263: Source/Destination IP is not seen in Analysis Results page.
- 1025339: Internet access on VM is intermittent.
- 1024792: Some of the .exe files are getting crashed after submission to ATD.
- 1024577: "gettaskidlist.php" does not work with "new_jobid".
- 1024314: VM Profile creation fails after upgrade from 3.2.2.46 to 3.4.2.32.
- 1023308: ZIP files with enhanced compression methods are not detected by ATD.
- 1022046: IPS Service crashes. Following data is returned in NtbaSslSession "incusecount (this=0x5433434d) at src/ntbaampktrecvsession.cpp:395".
- 1018055: The backup filename shows the older version even after the UI upgrade.
- 1017625: Backup configuration is editable from secondary node in ATD.
- 1016052: ATD reports fail to get parsed at the NSM, malware results are deleted.
- 1013401: Embedded contents are not extracted from PDF, resulting in poor detection (for all Adobe Reader versions).
- 1012322: Clicking Test button on Proxy Settings page without providing username/password throws error message that reads "All fields are required".
- 1008963: Vulnerability exists with the ATD web application.

The following table lists the resolved low-severity issues:

- 1053940: Ghost Vulnerability (CVE-2015-0235) in "glibc" library is fixed.
- 1037116: "Allow Multiple Logins" checkbox in the ATD UI is modifiable and not disabled.
- 991389: Blank browsing windows are logged in the Summary report.

Installation and upgrade notes

Review the following before you install McAfee Advanced Threat Defense in your network.

If you have already deployed McAfee Advanced Threat Defense and you require information on how to upgrade to this release of McAfee Advanced Threat Defense, refer to step 3 below. If you are installing McAfee Advanced Threat Defense, then review the steps below.

1 Review the Warnings and cautions and the Usage restrictions sections in the McAfee Advanced Threat Defense 3.4.4 Product Guide.

2 Refer to McAfee Advanced Threat Defense 3.4.4 Product Guide for information on how to install the McAfee Advanced Threat Defense Appliance. You can also refer to the McAfee Advanced Threat Defense 3.0 Quick Start Guide for information on how to quickly set up the McAfee Advanced Threat Defense Appliance.

3 Refer to the Upgrade McAfee Advanced Threat Defense and Android VM section in the McAfee Advanced Threat Defense 3.4.4 Product Guide and upgrade the embedded McAfee Advanced Threat Defense software to 3.4.4.

  - If the current version is below 3.4.2.32 and you want to upgrade to 3.4.4.63, first upgrade McAfee Advanced Threat Defense to 3.4.2.32 or above, and then upgrade to 3.4.4.63. If the current version is 3.4.2.32 or above, you can upgrade directly to 3.4.4.63.
  - Once you upgrade, you cannot downgrade by loading the backup image using the reboot backup command.
  - Once you upgrade to 3.4.4, you cannot downgrade by using system.msu files.
  - Once you upgrade to 3.4.4, use the copyto backup command to ensure that the Active disk and Backup disk remain on the same software version of McAfee Advanced Threat Defense. Booting from the Backup disk is not supported if the Backup disk and Active disk are on different software versions of McAfee Advanced Threat Defense.
  - The Android version in the default Android analyzer VM is 2.3. After you upgrade McAfee Advanced Threat Defense software to 3.4.4.xx, you can upgrade the Android version to 4.3.

4 Refer to McAfee Advanced Threat Defense 3.4.4 Product Guide and configure it for malware analysis.

5 To integrate with Network Security Platform, refer to the corresponding Network Security Platform release notes as well as the latest Network Security Platform Integration Guide. Recall that you need a Manager and a Sensor on version 8.0 or later.

6 To integrate with McAfee Web Gateway, you need McAfee Web Gateway 7.4.0-16053 or later. Refer to the McAfee Web Gateway 7.4.0 Product Guide.

7 To integrate with McAfee ePO, you need version 4.6 or later. To integrate McAfee Advanced Threat Defense with McAfee Threat Intelligence Exchange (TIE), you need McAfee ePO version 5.1.1 or above. The information for this integration is in the McAfee Advanced Threat Defense 3.4.4 Product Guide.

Known issues

McAfee Advanced Threat Defense software issues in this release: KB83259.

Product documentation

Every McAfee product has a comprehensive set of documentation.

Find product documentation

1 Go to the McAfee ServicePortal at http://mysupport.mcafee.com and click Knowledge Center.

2 Enter a product name, select a version, then click Search to display a list of documents.

3.4.4 product documentation list

The following software guides are available for the Advanced Threat Defense 3.4.4 release:

- Quick Start Guide
- Product Guide
- API Reference Guide

Copyright 2015 McAfee, Inc. www.intelsecurity.com

Intel and the Intel logo are trademarks/registered trademarks of Intel Corporation. McAfee and the McAfee logo are trademarks/registered trademarks of McAfee, Inc. Other names and brands may be claimed as the property of others.