McAfee Network Security Platform 8.3

8.3.7.52-8.3.5.32 Manager-NS-series Release Notes McAfee Network Security Platform 8.3 Revision C Contents About this release New features Enhancements Resolved issues Installation instructions Known issues Product documentation About this release This document contains important information about the current release. We recommend that you read the whole document. Network Security Platform follows a new process release 8.2 onwards. The changes in the release process are based on customer requirements, and best practices followed by other McAfee teams. For details, read KB78795. This release of Network Security Platform is to provide few features and enhancements on the Manager and NS-series Sensor software. Release parameters Version Network Security Manager software version 8.3.7.52 Signature Set 8.7.78.7 NS-series Sensor software version 8.3.5.32 1

This version of 8.3 Manager software can be used to configure and manage the following hardware: Hardware Version NS9x00-series Sensors (NS9100, NS9200, NS9300) 8.1, 8.2, 8.3 NS7x00-series Sensors (NS7100, NS7200, NS7300) 8.1, 8.2, 8.3 NS5x00-series Sensors (NS5100, NS5200) NS5x00-series Sensors are not compatible with Manager version 8.3.7.28. See Known Issues for more information. Sensor software version 8.2 is currently not available for NS5x00-series. 8.1, 8.3 NS3x00-series Sensors (NS3100, NS3200) 8.1, 8.3 NS3x00-series Sensors are not compatible with Manager version 8.3.7.28. See Known Issues for more information. Sensor software version 8.2 is currently not available for NS3x00-series. Virtual IPS Sensors (IPS-VM100 and IPS-VM600) 8.1, 8.2, 8.3 Virtual Security System Sensors (IPS-VM100-VSS) 8.1 Sensor software versions 8.2 and 8.3 are currently not available for IPS-VM100-VSS. M series Sensors (M-1250, M-1450, M-2750, M-2850, M-2950, M-3050, M-4050, M-6050, M-8000) 8.1, 8.2, 8.3 Mxx30-series Sensors (M-3030, M-4030, M-6030, M-8030) 8.1, 8.2, 8.3 XC Cluster Appliances (XC-240) 8.1, 8.2, 8.3 NTBA Appliance software (T-200, T-500, T-600, T-1200, T-VM, T-100VM, T-200VM) 8.1, 8.2, 8.3 The above mentioned Network Security Platform software versions support integration with the following product versions: Table 1-1 Network Security Platform compatibility matrix Product Version supported McAfee epo 5.3.2, 5.1.1 McAfee Global Threat Intelligence Compatible with all versions McAfee Advanced Threat Defense 3.8.0.29, 3.6.2.21 McAfee Virtual Advanced Threat Defense 3.10.0.35 McAfee Endpoint Intelligence Agent 2.6 McAfee Logon Collector 3.0.6 McAfee Threat Intelligence Exchange 2.0, 1.3 McAfee Data Exchange Layer 3.0.0, 2.0.1 McAfee Vulnerability Manager 7.5.10, 7.5.7 McAfee Host Intrusion Prevention 8.0 McAfee MOVE AntiVirus Agentless 4.5.0.148 McAfee MOVE AntiVirus Multi-Platform 4.5.0.211 Currently port 4167 is used as the UDP source port number for the SNMP command channel communication between Manager and Sensors. This is to prevent opening up all UDP ports for inbound connectivity from SNMP ports on the sensor. Older JRE versions allowed the Manager to bind to the 2

same source port 4167 for both IPv4 and IPv6 communication. But with the latest JRE version 1.8.0_92, it is no longer possible to do so, and the Manager uses port 4166 as the UDP source port to bind for IPv6. Manager 8.3 uses JRE version 1.8.0_92 and MySQL version 5.6.30. If you have IPv6 Sensors behind a firewall, you need to update your firewall rules accordingly such that port 4166 is open for the SNMP command channel to function between those IPv6 Sensors and the Manager. Manager software version 8.3 is not supported on McAfee-built Dell based Manager Appliances. McAfee recommends that you use Intel-based Manager Appliances instead. New features This release is to provide fixes for some of the previously known issues, and does not include any new features. Enhancements This release of Network Security Platform includes the following enhancements: Layer 7 data capture enhancements In the earlier releases, the time taken to display alerts in the Manager from the time they were generated in the Sensor, was prolonged because of special alerts. Special alerts are alerts that are generated to support Layer 7 data capture feature. They display additional information such as HTTP URL, response code, FTP user name, etc. Excessive special alerts could load the alert buffers in the Sensor causing queuing delays. In version 8.3, an enhancement is made to reduce generation of excessive special alerts by delaying the alert generation either by a maximum of 5 seconds, or until the Layer 7 session is terminated. Increase in memory size for handling signature sets With a growing number of threats, the frequency of signature set updates and the number of attacks in each update constantly increases. As a means to accommodate a larger signature set size in the future, the memory size allocated to signature sets on the Sensor has been increased. Change in the update server from Menshen to Menshen1 In the earlier releases, the Manager was using the Menshen update server with SHA128 bit encryption algorithm. From this release onwards, the Manager will be using the Menshen1 update server with SHA256 bit encryption algorithm. Resolved issues The current release of the product resolved these issues. For a list of issues fixed in earlier releases, see the Release Notes for the specific release. Resolved Manager software issues The following table lists the high-severity Manager software issues: 3

ID # 1169061 The device integrated with the NTBA appliance is not displayed in the device list under Devices <Admin Domain Name> Devices. 1118316 Incorrect description is displayed for alert details panel in Attack Log for Endpoint Executable and Malware Files. 1114679 The Attack Log does not display data for EIA executables. The following table lists the medium-severity Manager software issues: ID # 1175740 Upon trying to save a customized signature after adding an IPv4 address, the process sticks at 0%. 1166876 The Manager fails to generate automatic IPS configuration report daily. 1166084 The Attack logs saved in CSV format displays the Attacker Host Name and Target Host Name inappropriately. 1165036 The signatures of the newly added attacks are not displayed in the policy editor. 1164536 Creating an Ignore Rule in the Manager displays error Unable to get Resources for Admin Domain. failed to get sensor for subscriber "0". 1164024 In high availability mode, there is failure in alert channel after the secondary Sensor reboots. 1163187 In the Attack Log page, the log files generated in CSV or PDF format for unacknowledged alerts are incorrectly displayed as acknowledged alerts. 1162321 Custom roles created with View Only role are incorrectly applied as Edit roles. 1161236 Manager fails to perform configuration update on the Sensor due to compilation error. 1161090 / 1159384 Snort rules that use Snort IP headers as filters work incorrectly as the Sensor triggers alerts even when the parameters do not match with the header options. 1158605 The Manager is vulnerable to CVE-2016-6662. 1156873 The Attack Log page displays the proxy IP address instead of the true source IP address when XFF is enabled. 1156285 Running a health check fails when the Manager is connected through proxy settings. 1153466 An error is displayed while exporting packet captures of an alert from the Attack Log page. 1153107 The Manager uses SHA128 bit encryption algorithm instead of SHA256. 1152473 In the Attack Log page, filtering attacks for Attack SmartBlocked are not displayed in the Results column. 1152295 When adding an Ignore Rule from the Attack Log page, the action to create a new rule object fails in the Add Ignore Rule window. 1151225 The malware confidence (severity) for the same alert displays inconsistent value in the Manager (Attack Log, Alert Details, and Malware Files) and Syslog Message. 1150853 The configuration options are disabled for alert relevance in Manager <Admin Domain Name> Integration Vulnerability Assessment MVM Alert Relevance. 1149111 The IP address that is manually quarantined from the Attack Log page is not displayed in the Manager's quarantine list. 1149099 The Manager sends additional messages in the syslog notification for some alerts. 1148663 The actions performed to enable or disable the monitoring ports in the Sensor are displayed incorrectly in the User Activity Log page in the Manager. For example, if the port action is from Enabled to Disabled, it is displayed as Disabled to Enabled in the Manager. 1148454 In the Manager, the list to select the child domain is disabled. 4

ID # 1147762 Expired SSL certificate can be imported to the Manager which is displayed as Valid. 1147619 Alert count mismatch exists between the Primary and Secondary Manager. 1145115 The data truncation error description is very long. 1143918 The Result column does not display attacks for smartblocked attacks in the Attack Log after Manager upgrade. 1143558 E-mail notifications are incorrectly sent for alerts that are not configured to send notifications. 1142684 Error is displayed in the Manager when the number of quarantined IP addresses exceeds 1000. 1142079 Attacks names are displayed as --- after a signature set upgrade under Policy <Admin Domain Name> Intrusion Prevention Policy Types IPS Policies. 1142047 The Manager automatically deploys the signature sets even when automatic deployment is disabled. 1141070 The performance charts for Device Throughput Usage, Port Throughput, and CPU Usage under Devices <Admin Domain Name> Devices <Device Name> Troubleshooting Performance Charts does not display weekly data. 1140604 When deploying updates to the Sensor, the Running Tasks and User Activity Log pages displays the device name as null. 1139033 Importing user-defined signatures in the Manager causes error. 1138655 In an MDR scenario, both the Primary and Secondary Manager sends fault notification for port link failures. 1138335 Communication between the Manager and the Sensor is disconnected after restarting the Manager service. 1136975 The trend analysis report scheduled for weekly or monthly time period does not display the data for the last day. 1135691 The fault for Gateway Anti-Malware file update is displayed in the Manager even when it successfully updated in the Sensor. 1131532 The syslog fault notifications for a high-availability Sensor cluster from the Manager, contains the cluster name instead of the node name. 1128407 Executive Summary report shows several Address Not Resolved results in the Hostname columns in the Top N Source IP and Top N Destination IP sections. 1126609 In the Attack Log page, the policy update fails when selecting a policy under Update Policy options from the Other Actions list. 1125670 Link failure SNMP trap shows incorrect port name. 1118293 The Traffic Statistics page displays an error when clicked. The following table lists the low-severity Manager software issues: ID # 1140630 The syslog notifications for performance faults does not include the value that triggered the fault or the threshold. Resolved Sensor software issues The following table lists the medium-severity Sensor software issues: 5

ID # 1184408 After an upgrade, the Sensor experiences exception while processing signature set causing it to go to bad health or experience auto recovery. This happens more often when there are Ignore Rule with Any Any or IPv6 Ignore Rule and IPv6 scanning is disabled. 1173413 Configuration update fails after a certain number of times when there are Ignore Rule with Any Any or IPv6 Ignore Rule and IPv6 scanning is disabled. Internal resources fail to free for such configurations. 1170675 Invalid characters are sent as URL information to Advanced Threat Defense. 1166353 For XFF traffic, the Sensor does not send true client IP address to the syslog server. 1166244 [NS9300] When the Sensor switches from Layer 2, the packets loop for a failover pair. 1164826 Syslog alerts sent from the Sensor display the timestamp incorrectly with a 12 hour difference. 1164047 Filename and domain in URI path contain duplicate domain name information when submitted to Advanced Threat Defense. 1163993 The show feature status command displays incorrect status of the configured features in the Sensor since the operation fails. 1163689 Whitelisted entries with more than two labels do not generate an exact match like they should. 1161908 [NS9300] Sensor fails to initialize correctly when 4-port 40GigE network module are installed in both slot 1 and 2 of NS9300P. 1159776 The vulnerability scanner reports the following Sensor vulnerabilities: SSH weak algorithms supported SSH server CBC Mode Ciphers Enabled (CVE-2008-5161) SSH weak MAC Algorithm Enabled 1159229 The Sensor fails to send packet log information when the packet log resources are not initialized. 1154129 The Sensor fails to plot the interface throughput statistics. 1152648 The management process incorrectly validates a valid memory which causes the Sensor to go to bad health. 1152635 [NS7x00, NS5x00] The exportsensorcerts command fails to export Sensor certificates. 1152472 The Sensor is vulnerable to the following vulnerabilities: CVE-2016-4953 CVE-2016-4954 CVE-2016-4955 CVE-2016-4956 CVE-2016-4957 1151327 In a rare condition, the malware processing engine experiences an exception while processing an SMTP attachment file having large encoded content. 1150815 The events.log does not persist after Sensor reboot. 1149298 Internal resource leak in the malware processing modules causes the Sensor to stop sending files to the Advanced Threat Defense appliance. 1149107 Port throughput utilization is wrongly calculated for ports with speed greater than 1G. 1147328 The Sensor is vulnerable to CVE-2016-4448. 1146928 The TCP: Microsoft Windows TCP IP Driver Denial of Service alert is generated due to incorrect packet length. 1146237 The link for some ports in the Sensor goes down after clearing and reestablishing trust between the Sensor and the Manager. 6

ID # 1145843 In a rare condition when multiple connection attempts, between the Sensor and Advanced Threat Defense appliance or NTBA appliance, fails in a short span of time, the Sensor reboots. 1144821 In certain cases, the retransmitted TCP acknowledged packets with stale sequence number causes missed attack detection. 1144527 In a rare condition, the Sensor crashes during initialization and triggers auto recovery. 1144514 Default IP address is sometimes not available after running the factory defaults command. 1143423 [NS7x00] LEDs are not activated even when the traffic is forwarded. 1142942 [NS7100] Output for show powersupply command is unreliable. the command is removed from CLI. 1142858 [NS9300] DNS packets are duplicated multiple times when connected in a failover mode. 1140973 [NS7x00, NS5x00] Serial numbers for copper SFPs are not working when show coppersfpserialnumbers is executed. 1140389 Unable to quarantine IP address 172.30.6.100. 1139962 The ICMP Nachi Attack alert is incorrectly raised. 1139745 [NS9300 HA] UDLD packets are duplicated and sent on the incorrect interface which causes the peer device to disable the UDLD enabled port. 1139476 The Sensor incorrectly raises the Pluggable interface absent Port fault to the Manager even when XFP/SFP is present. 1139454 Sensor generates a false positive alert for the IGMP: Fragmented IGMP Packet Attack alert. 1138571 The Connection Count for TCP/UDP in the Next Generation report always shows 0. 1138004 With layer 3 off, the ARP packets are sent by the Sensor with additional header which causes the peer device to drop it. 1137501 The Sensor is vulnerable to the following Improper Input Validation vulnerabilities: CVE-2015-7704 CVE-2015-8138 CVE-2015-7705 CVE-2016-1550 CVE-2015-7974 CVE-2016-2516 CVE-2015-7975 CVE-2016-2517 CVE-2015-7976 1137363 Establishing MDR between two Managers after resetting to standalone causes the authentication channel to go down in all Sensors. 1137245 Layer 7 DDOS response action configuration does not work correctly. 1136618 ISAKMP traffic is not dropped by the Sensor when the application Firewall policy is configured to drop. 1136610 The Sensor goes to bad health or autorecovers or reboots when the active directory related changes are updated multiple times in the Sensor. 1135590 In scenarios where the configuration changes are significantly larger than the previous configuration between Sensor diagnostic trace uploads, the Sensor reboots. 1137285/ 1135165 Sensor fails to trigger a match in a SNORT rule when the pattern is embedded in a HTTP response beyond 256 bytes. 1134703 [NS7x00, NS5x00, NS3x00] Links are flapping randomly because of incorrect internal ports timeout configuration. 1133662 Deploying changes related to rate limiting policies every third time results in Sensor going to bad health. 7

ID # 1133656 SSL connections for unsupported ciphers are not consistently detected and blocked. 1132187 The link on the interfaces of the Sensor suddenly switches on and off. 1131958 Sensor will remains in progress state if it is disconnected from the Manager during a configuration update. 1126938 [NS7100, NS7300] Packet capture Feature shows zero packets uploaded on the Manager. 1122077 CVE-2015-3197 - OpenSSL: SSL v2 does not block disabled ciphers. 1120248 FTP file transfer cannot be blocked with advanced malware policy. 1119829 User role based firewall rule does not work because of incorrect translation within the Sensor when attempting a match. 1113689 Sometimes the data path processor does not receive files as they are ignored for analysis. 1104385 The Sensor stops sending packet logs to the Manager when layer 7 data collection is enabled. 1053967 Under a certain rare condition, the Sensor reboots due to hardware watchdog expiration. 1051747 The Next Generation report, Default - Top 10 Application Categories by Bandwidth Usage, displays traffic volume in bytes instead of bits. Installation instructions Manager server/client system requirements The following table lists the 8.3 Manager server requirements: Operating system Minimum required Any of the following: Windows Server 2008 R2 Standard or Enterprise Edition, English operating system, SP1 (64-bit) (Full Installation) Windows Server 2008 R2 Standard or Enterprise Edition, Japanese operating system, SP1 (64-bit) (Full Installation) Windows Server 2012 R2 Standard Edition (Server with a GUI) English operating system Windows Server 2012 R2 Standard Edition (Server with a GUI) Japanese operating system Windows Server 2012 R2 Datacenter Edition (Server with a GUI) English operating system Windows Server 2012 R2 Datacenter Edition (Server with a GUI) Japanese operating system Only X64 architecture is supported. Recommended Windows Server 2012 R2 Standard Edition operating system. Memory 8 GB Supports up to 3 million alerts in Solr. >16 GB Supports up to 10 million alerts in Solr. 8

Minimum required CPU Server model processor such as Intel Xeon Same Recommended Disk space 100 GB 300 GB or more Network 100 Mbps card 1000 Mbps card Monitor 32-bit color, 1440 x 900 display setting 1440 x 900 (or above) The following are the system requirements for hosting Central Manager/Manager server on a VMware platform. Table 5-1 Virtual machine requirements Component Minimum Recommended Operating system Any of the following: Windows Server 2008 R2 Standard or Enterprise Edition, English operating system, SP1 (64-bit) (Full Installation) Windows Server 2008 R2 Standard or Enterprise Edition, Japanese operating system, SP1 (64-bit) (Full Installation) Windows Server 2012 R2 Standard Edition (Server with a GUI) English operating system Windows Server 2012 R2 Standard Edition (Server with a GUI) Japanese operating system Windows Server 2012 R2 Datacenter Edition (Server with a GUI) English operating system Windows Server 2012 R2 Datacenter (Server with a GUI) Japanese operating system Only X64 architecture is supported. Windows Server 2012 R2 Standard Edition operating system. Memory 8 GB >16 GB Supports up to 3 million alerts in Solr. Supports up to 10 million alerts in Solr. Virtual CPUs 2 2 or more Disk Space 100 GB 300 GB or more Table 5-2 VMware ESX server requirements Component Minimum Virtualization software ESXi 5.1 Update 2 ESXi 5.5 Update 3 ESXi 6.0 Update 1 CPU Memory Internal Disks Intel Xeon CPU ES 5335 @ 2.00 GHz; Physical Processors 2; Logical Processors 8; Processor Speed 2.00 GHz Physical Memory: 16 GB 1 TB 9

The following table lists the 8.3 Manager client requirements when using Windows 7, Windows 8, or Windows 2012: Operating system Minimum Windows 7, English or Japanese Windows 8, English or Japanese Windows 8.1, English or Japanese Windows 10, English or Japanese The display language of the Manager client must be the same as that of the Manager server operating system. Recommended RAM 2 GB 4 GB CPU 1.5 GHz processor 1.5 GHz or faster Browser Internet Explorer 10, 11, or Microsoft Edge Mozilla Firefox Google Chrome (App mode in Windows 8 is not supported.) To avoid the certificate mismatch error and security warning, add add the Manager web certificate to the trusted certificate list. Internet Explorer 11 Mozilla Firefox 20.0 or later Google Chrome 24.0 or later If you are using Google Chrome 42 or later, the NPAPI plug-in is disabled by default, which means that Java applet support is disabled by default. Perform the following steps to enable NPAPI plug-in: 1 In the address bar, type chrome://flags/#enable-npapi. 2 Click the Enable link in the Enable NPAPI configuration option. 3 Click Relaunch Now at the bottom of the page to restart Google Chrome for the changes to take effect. For the Manager client, in addition to Windows 7, Windows 8, and Windows 8.1, you can also use the operating systems mentioned for the Manager server. The following are Central Manager and Manager client requirements when using Mac: Mac operating system Yosemite El Capitan Browser Safari 8 or 9 For more information, see McAfee Network Security Platform Installation Guide. Upgrade recommendations McAfee regularly releases updated versions of the signature set. Note that automatic signature set upgrade does not happen. You need to manually import the latest signature set and apply it to your Sensors. 10

The following is the upgrade matrix supported for this release: Component Manager/Central Manager software Minimum Software Version 8.1: 8.1.7.33, 8.1.7.82 Manager version 8.1.7.52 is only for 8.1 NS5x00 and 8.1.7.73 is only for 8.1 NS3x00 Sensors. 8.2: 8.2.7.71, 8.2.7.83 8.3: 8.3.7.7, 8.3.7.28 NS-series Sensor software NS9x00, NS7x000 8.1: 8.1.5.135, 8.1.5.175 8.2: 8.2.5.100, 8.2.5.145 8.3: 8.3.5.6, 8.3.5.11 NS5x00, NS3x00 8.1: 8.1.5.154 (NS5x00), 8.1.5.170 (NS3x00) 8.3: 8.3.5.15 Known issues For a list of known issues in this product release, see this McAfee KnowledgeBase article: Network Security Platform software issues: KB86387 Product documentation Every McAfee product has a comprehensive set of documentation. Find product documentation 1 Go to the McAfee ServicePortal at http://mysupport.mcafee.com and click Knowledge Center. 2 Enter a product name, select a version, then click Search to display a list of documents. 8.3 product documentation list The following software guides are available for Network Security Platform 8.3 release: Quick Tour Installation Guide (includes Upgrade Guide) Manager Administration Guide Manager API Reference Guide (selective distribution - to be requested via support) CLI Guide IPS Administration Guide Custom Attacks Definition Guide 11

XC Cluster Administration Guide Integration Guide NTBA Administration Guide Best Practices Guide Troubleshooting Guide 2017 Intel Corporation Intel and the Intel logo are trademarks/registered trademarks of Intel Corporation. McAfee and the McAfee logo are trademarks/ registered trademarks of McAfee, Inc. Other names and brands may be claimed as the property of others. 00