Network Security Platform 8.1

8.1.7.13-8.1.5.71 NS9x00-series Release Notes Network Security Platform 8.1 Revision A Contents About this release New features Enhancements Resolved issues Installation instructions Known issues Product documentation About this release This document contains important information about the current release. We strongly recommend that you read the entire document. This maintenance release of Network Security Platform is to provide minor enhancements and few fixes on the Sensor and Manager software. Network Security Manager software version: 8.1.7.13 Signature Set: 8.6.43.4 NS9x00-series Sensor software version: 8.1.5.71 Network Security Platform version 8.1 replaces 8.0 release. If you are using version 8.0 and require any fixes, note that the fixes will be provided in version 8.1. There will not be any new maintenance releases or hot-fix releases on version 8.0. 7.1, 7.5, and 8.1 M series and Mxx30-series Sensors 8.1 Virtual IPS Sensors 7.1, and 8.1 NS-series Sensors 1

7.1, 7.5, and 8.1 XC Cluster Appliances 7.1, 7.5, and 8.1 NTBA Appliance software (Physical and Virtual) 7.1 I-series Sensors Currently port 4167 is used as the UDP source port number for the SNMP command channel communication between Manager and Sensors. This is to prevent opening up all UDP ports for inbound connectivity from SNMP ports on the sensor. Older JRE versions allowed the Manager to bind to the same source port 4167 for both IPv4 and IPv6 communication. But with the latest JRE version 1.7.0_45, it is no longer possible to do so, and the Manager uses port 4166 as the UDP source port to bind for IPv6. Manager 8.1 uses JRE version 1.7.0_51. If you have IPv6 Sensors behind a firewall, you need to update your firewall rules accordingly such that port 4166 is open for the SNMP command channel to function between those IPv6 Sensors and the Manager. With release 8.1, Network Security Platform no longer supports the Network Access Control module and N-series Sensors. If you are using Network Access Control with N-series (NAC-only) Sensors, McAfee recommends that you continue to use the 7.1.3.6 version. If you are using the Network Access Control module in M-series Sensors, continue to use the 7.5.3.30 version. That is, you should not upgrade the Manager or the Sensors to 8.1 for such cases. Manager software version 7.5 and above are not supported on McAfee-built Dell based Manager Appliances. New features This release is to provide few bug fixes for some of the previously known Sensor software issues, and does not include any new feature. Enhancements This release of Network Security Platform includes the following enhancements: IPS CLI command enhancement The show command previously displayed the primary and secondary serial numbers but did not display information for the master serial number of the Sensor in case of NS9300. With this release, the master serial number is displayed as the "System Serial number". The system serial number is mainly used for support purpose will reporting any issue to the support engineers. For further information, refer the Network Security Platform CLI Guide. Resolved issues These issues are resolved in this release of the product. For a list of issues fixed in earlier releases, see the Release Notes for the specific release. Resolved Manager software issues The following table lists the medium-severity Manager software issues: 2

ID # SR# Issue Description 1020134 4-6965222403, 4-7247640621 Java takes 20% more RAM every day and CPU load is 100%. 1015045 NA On the Active Botnets page, the DNS, operating system, and user information is missing. 1012914 4-6912172874 Shutting down the Sensor from the Manager, logs out the user from the Manager. 1010396 4-6054436211 When Vulnerability Manager is configured with the Network Security Manager, error "Asset information not available for the given host" is displayed in the Manager upon selecting Destination Host Details. 1009752 4-6853544245 The NSCM alert set is not applying to the regional peer manager. 1009606 4-6814680795 The Destination Country filter does not display any alert results in the Threat Analyzer. 1007548 4-6537241187 If VirusScan Enterprise is installed and uninstalled on system, the TIE VirusScan Enterprise hotfix does not upgrade. 1006698 4-6681123582 The DATGTICommunicationFailure:ConnectionFailure error due to connection failure is not included in the faults report. 1006565 4-6787071227 The Manager logs out when a user is assigned a specific user role 1006240 4-6818622729 The Firewall rule, FW- International Offices does not load in the Manager. 1005282 4-6633803765 The Select or Deslect All checkbox does not function in the Email Now page in Automatically Generated Reports. When viewing pre-generated reports in Google Chrome, upon clicking the back icon the browser displays an error. 991464 4-4445388457 Host Intrusion Prevention attack IDs are not resolved to names after installing 8.1.7.5.3 hot fix. 989639 4-6374027251 The Dashboard does not display high-risk endpoints, malware detection and botnet detectors data even though there are alerts raised in the Threat Analyzer. 988371 4-6600829531 Duplicate entries for Hourly/Daily Data Mining are generated for Automated Pruning. 985695 4-6401635616 The Modification Time" is not included in the faults report for an alert generated as the fault flag is not deleted in the fault log. 984846 4-6418777195 The configuration update status displays as In Progress under long running process even after the signature sets are successfully downloaded. 983689 4-6405812063 The Name field in Advanced Malware Policy cannot be deleted upon reaching the limit. 982509 4-6361802941 When generating a new Next Generation Report, the report shows the attack count for signature attacks instead of alert count. 982477 4-6360329911 The Next Generation Report displays only 10 attack results even when are there more than 10 attack results in the Threat Analyzer. 981597 4-6195139993 The error "srleap:dev Prof Alert Queue" is displayed as the device profiling queue flags have reached the limit. 980430 4-6301811324 Email notifications are sent even after disabling the Enable E-mail Forwarding option in the Manager. 979763 4-6168992103 The Manager includes unexpected characters like "MNAC Forwarder Alert" to syslog messages. 979568 4-6282342427 The Physical Ports page does not display ports for a configured NTBA Appliance. 979075 4-5984332985 The syslog settings are not synchronized between the MDR pair after switchover to the secondary. 3

ID # SR# Issue Description 978015 4-6193626349 The Alert Channel Down fault takes 12 hours to be cleared after the channel comes online. 977974 4-6150715017 The file name cannot be added for an NTBA communication rule. 977943 4-6196721715 The primary Manager switches to standby mode due to overloading of the heapdump. 977359 4-6208350339 The IPS Event Logging feature cannot be configured for older M-series Sensor softwares before 8.1.5.14. 976417 4-6035875389 The Next Generation reports filter accepts only abbreviation for source and destination countries. 976299 4-5844633413 The View Connectivity Data is not displayed correctly when extracted from NTBA response logs. 975753 4-5956289953 The time zone formats on the Manager and the report generated from the Threat Analyzer are different. 974497 4-5786861094 The Running Tasks report displays the Sensor configuration update as failed even though the configuration update was completed successfully. 973858 4-6079102245 The options for Additional Constraints are empty in the Historical Threat Analyzer. 973071 4-5763994204 The user cannot perform certain actions in the Manager even after a custom role is assigned. 972740 4-6088959788 During scheduled backup, the temporary tables are also included in the process. 970942 4-5728500019 The secondary Manager displays the "Incompatible custom attack" fault when synchronization is initiated with the primary Manager due to SSID.bin file corruption. 969889 4-5860372972 While viewing the configuration update table, the Last Updated column does not sort correctly. 969510 4-5666108292 The user once logged out of the Manager cannot login back without restarting the Manager service. 969112 4-5536313723, 4-4445388457, 4-6193528953 The Top Attacks in the Threat Explorer displays a numeral instead of the attack name. 968658 4-3255226237 Bulk signature set update for 20 or 30 Sensors fails. 964715 4-5499983545 The Botnet DAT update fails on multiple Sensors. 964351 4-5782998225 In rare scenarios, after Sensor reboot the SSL certificates are not enabled on the Sensor due to concurrent SNMP error. 964185 4-5619858799 The Manager versions 8.0.5.11 / 7.5.3.11 are vulnerable to "HTTP Server Prone To Slow Denial Of Service Attack" when configured with Vulnerability Manager. 957285 NA The Protection Profile page stops responding when opened in Chrome browser and eventually leads to Java crashing. 956340 NA The Manager fault for exceeding the 10,000 AD user groups limit is displayed incorrectly in the Manager. 946781 NA The Chrome browser crashes when the Manager is opened in Windows 8.0 mode. 941108 4-4688169731 The Sensor performance report provides incorrect data and labels. 924628 4-3769517245, 4-5903447045 The synchronization between the Central Manager and MDR pair is generating the fault Manager mssmcf03:12.39.195.84 unreachable. 4

Resolved Sensor software issues The following table lists the medium-severity Sensor software issues: ID # SR# Issue Description 1021386 4-7339235541 In rare scenarios, the Sensor goes into a lockout condition which results in a hung state or reboot. 1019138 4-6538954104 The User Defined Report in Traditional Report shows McAfee NAC for Alert/Attack Type. 1018360 4-7019069923 The source IPs are reversed in ARP spoofing alerts. 1018047 4-6759097987, 4-7222316110, 4-7130485976 The GTI alert Connection from high risk internal IP is incorrectly triggered even when it is not present in the signature set. 1014646 4-7100058545 The CPU utilization graph and show sensor-load values do not match. 1012922 4-7044838603, 4-7141403801 SSL Decryption fails with Internet Explorer 11 on Windows 8 and with TLS enabled. 1012305 4-7029053873 In some scenarios, the Sensor reboots which causes some loss of data due sudden reboot. 1012154 4-6932647511 In rare scenarios, the Sensor either goes to layer2 or reboots when new configuration updates are deployed to the Sensor. 1011827 4-6865291892 In rare scenario, the Sensor may raise incorrect fan faults. 1011380 4-6266860473 In rare scenarios, the Sensor may reboot or autorecover when multiple malware files are processed in the same flow. 1010765 4-6531330130 Under certain error conditions in HTML decoder (under Advanced Traffic Inspection), the control packet buffers are not released. 1010345 4-6950675035 The exception objects are not taking effect for some reconnaissance attacks. As a result the alerts are still displayed in the Threat Analyzer. 1010209 4-6865540216 The fault Sensor connectivity status with GTI server is not automatically cleared in the System Faults page. 1009744 4-6921191507 The deployment of Botnet update to the Sensor fails, due to which the Internal configuration error critical fault is generated. 1007014 4-6843624841 When the Sensor experiences abnormal reboot, or in a failover configuration if one of the Sensor reboots, then the front end processor gets stuck in rare scenarios. 1006999 4-6719164849 When the Sensor configuration update fails, the Sensor is in uninitialized state. The Sensor then rejects the configuration update as the maximum number of supported CIDR interface is incorrectly calculated by the Sensor software for inline port. 1005048 4-6799734661 The SNMP Get/Walk executed on the Sensor returns the SCP file server credentials. 1003367 4-6791826128 In high availability setup, the show layer2 forward intfport CLI command shows incorrect port for the failover pair. 996681 4-6697259041 When the shutdown CLI command is issued, the Sensor does not shutdown but reboots when there is no signature set initialized. 992436 4-6427239390 The Firewall policy does not block some HTTPS applications. 989829 4-6602530773 The Sensor switches to layer 2 mode in certain scenarios during signature set/configuration update. 988339 4-6438205343 [NS9300] In a high availability pair, once the pair is created, the multicast data and protocol traffic is dropped. 5

ID # SR# Issue Description 987278 4-6453518275 After updating to the signature set version 8.6.37.4, false postive alerts are generated with the attack name ICMP: Nachi-like Ping 0x40015500. 982750 4-6099619631 In a rare case scenario, there is traffic delay shortly after a signature or configuration update to the Sensor. 981250 NA Filename is missing in Malware Details section of alert details for Global Threat Intelligence and Advanced Threat Defense. 979110 4-6025808161 When quarantine is enabled in the connection limiting policy, the first quarantined host is not released after the specified release time. 978286 4-6083314232 ARP packets (matching the MAC flip flop event) are dropped which leads to network outage in rare scenarios. This happens when MAC flip flop attack is disabled and Heuristic Web Application Server Protection (WASP) is enabled on any interface of the Sensor. 977449 4-6208350339 After a Sensor name change, the $IV_SENSOR_NAME$ flag is not updated until Sensor reboot. 975938 4-5839231257 The Reconnaissance alerts are not filtered correctly when the alert filter contains rules as Any internal IP or Any external IP. 974849 NA File save option does not work when IPv6 is used for Sensor-Manager connectivity. 974810 NA Malware blacklist/whitelist feature does not work after hitless reboot due to a race condition. 973547 4-5996807719 In rare scenarios, when SSL is enabled, CPU utilization is incorrectly reported as High. 973385 4-6027606839 In rare scenario, the Sensor reboots due to memory corruption in the malware detection process. 970872 NA When the PDF emulator engine is configured for malware detection, the Sensor reboots in certain scenarios. 969563 4-5926477162 Layer 7 data are missing for alerts generated by Advanced Threat Defense. 968947 4-5487957247 The Sensor throughput value is displayed as 9GB for 1GB ports in the Manager. 966281 4-5606846411 In rare scenarios, routers running EIGRP experience neighbor adjacency flap while the Sensor processes the EIGRP update packets. 959712 NA In rare scenarios, when there is heavy traffic load, the UDLD packets are dropped by front end processor. 958957 4-4971322149 The L3/L4 error count in SPAN port cannot be viewed even after it crosses the threshold limit. 957173 4-5488302851 The Sensor causes RST packets to be sent out of order. 945675 4-4910150446 In extremely rare scenario, the traffic is not forwarded because of internal switch buffer exhaustion. 943598 4-4692873853 In rare scenario with SSL and malware functionality enabled, the SSL attacks are not detected. 939736 NA In a Failover pair, the changes made for inline failopen or inline failclose mode is applied even to the peer Sensor. 907976 3-3033672232, 4-5327125501, 4-5734280453 In a failover pair after upgrade, the Active Fail-Open kit status switches between Inline and Bypass. 882189 NA With high amount of SSL traffic being decrypted, the Sensor throughput could temporarily drop during the signature file update process. 6

The following table lists the low-severity Sensor software issues: ID # SR# Issue Description 980117 4-6984779920 The Sensor management port is affected by shellshock vulnerability. Installation instructions Manager server/client system requirements The following table lists the 8.1 Manager server requirements: Operating system Minimum required Any of the following: Windows Server 2008 R2 Standard or Enterprise Edition, SP1 (Full Installation), English operating system Windows Server 2008 R2 Standard or Enterprise Edition, SP1 (Full Installation), Japanese operating system Windows Server 2012 Standard Edition (Server with a GUI) English operating system Windows Server 2012 Standard Edition (Server with a GUI) Japanese operating system Windows Server 2012 R2 Standard Edition (Server with a GUI) English operating system Windows Server 2012 R2 Standard Edition (Server with a GUI) Japanese operating system Windows Server 2012 R2 Datacenter Edition (Server with a GUI) English operating system Windows Server 2012 R2 Datacenter Edition (Server with a GUI) Japanese operating system Only X64 architecture is supported. Recommended Same as the minimum required. Memory 8 GB 8 GB or more CPU Server model processor such as Intel Xeon Same Disk space 100 GB 300 GB or more Network 100 Mbps card 1000 Mbps card Monitor 32-bit color, 1440 x 900 display setting 1440 x 900 (or above) The following are the system requirements for hosting Central Manager/Manager server on a VMware platform. 7

Table 5-1 Virtual machine requirements Component Minimum Recommended Operating system Any of the following: Windows Server 2008 R2 Standard or Enterprise Edition with SP1 English operating system Windows Server 2008 R2 Standard or Enterprise Edition with SP1 Japanese operating system Windows Server 2012 Standard Edition (Server with a GUI) English operating system Windows Server 2012 Standard Edition (Server with a GUI) Japanese operating system Windows Server 2012 R2 Standard Edition (Server with a GUI) English operating system Windows Server 2012 R2 Standard Edition (Server with a GUI) Japanese operating system Windows Server 2012 R2 Datacenter Edition (Server with a GUI) English operating system Windows Server 2012 R2 Datacenter (Server with a GUI) Japanese operating system Only X64 architecture is supported. Same as minimum required. Memory 8 GB 8 GB or more Virtual CPUs 2 2 or more Disk Space 100 GB 300 GB or more Table 5-2 VMware ESX server requirements Component Minimum Virtualization software ESXi 5.0 ESXi 5.1 ESXi 5.5 CPU Memory Internal Disks Intel Xeon CPU ES 5335 @ 2.00 GHz; Physical Processors 2; Logical Processors 8; Processor Speed 2.00 GHz Physical Memory: 16 GB 1 TB The following table lists the 8.1 Manager client requirements when using Windows 7 or Windows 8: Operating system Minimum Windows 7 English or Japanese Windows 8 English or Japanese Windows 8.1 English or Japanese The display language of the Manager client must be same as that of the Manager server operating system. Recommended RAM 2 GB 4 GB 8

Minimum Recommended CPU 1.5 GHz processor 1.5 GHz or faster Browser Internet Explorer 9, 10 or 11 Mozilla Firefox Google Chrome (App mode in Windows 8 is not supported) If you are using Google Chrome, add the Manager certificate to the trusted certificate list. Internet Explorer 11 Mozilla Firefox 20.0 or above Google Chrome 24.0 or above For the Manager client, in addition to Windows 7 and Windows 8, you can also use the operating systems mentioned for the Manager server. The following table lists the 8.1 Central Manager / Manager client requirements when using Mac: Mac operating system Lion Mountain Lion Browser Safari 6 or 7 For more information, see McAfee Network Security Platform Installation Guide. Upgrade recommendations McAfee regularly releases updated versions of the signature set. Note that automatic signature set upgrade does not happen. You need to manually import the latest signature set and apply it to your Sensors. The following is the upgrade matrix supported for this release: Component Minimum Software Version Manager/Central Manager software 7.1 7.1.3.5, 7.1.5.7, 7.1.5.10, 7.1.5.14, 7.1.5.15 7.5 7.5.3.11, 7.5.5.6, 7.5.5.7, 7.5.5.10 8.1 8.1.3.4, 8.1.3.6, 8.1.7.5, 8.1.7.12 NS-series Sensor software NS9100, NS9200 7.1 7.1.5.11, 7.1.5.23, 7.1.5.40, 7.1.5.72, 7.1.5.91 8.1 8.1.5.14 NS9300 7.1 7.1.5.33, 7.1.5.40, 7.1.5.72, 7.1.5.91 8.1 8.1.5.14 Known issues For a list of known issues in this product release, see this McAfee KnowledgeBase article: Manager software issues: KB81373 NS-series Sensor software issues: KB82173 9

Product documentation Every McAfee product has a comprehensive set of documentation. Find product documentation 1 Go to the McAfee ServicePortal at http://mysupport.mcafee.com and click Knowledge Center. 2 Enter a product name, select a version, then click Search to display a list of documents. 8.1 product documentation list The following software guides are available for Network Security Platform 8.1 release: Quick Tour Installation Guide Upgrade Guide Manager Administration Guide Manager API Reference Guide (selective distribution - to be requested via support) CLI Guide IPS Administration Guide Custom Attacks Definition Guide XC Cluster Administration Guide Integration Guide NTBA Administration Guide Best Practices Guide Troubleshooting Guide Copyright 2015 McAfee, Inc. www.intelsecurity.com Intel and the Intel logo are trademarks/registered trademarks of Intel Corporation. McAfee and the McAfee logo are trademarks/ registered trademarks of McAfee, Inc. Other names and brands may be claimed as the property of others. 0A-00