
Release Notes

McAfee® Enterprise Security Manager (ESM) 9.6.1 MR2

About this document

Thank you for choosing this McAfee® product. This document contains important information about the current release. We strongly recommend that you read the entire document.

About this release

Release date

Files included

• ESS_Update_9.6.1MR2.signed.tgz
• ESSREC_Update_9.6.1MR2.signed.tgz
• RECEIVER_Update_9.6.1MR2.signed.tgz
• APM_Update_9.6.1MR2.signed.tgz
• DBM_Update_9.6.1MR2.signed.tgz
• IPS_Update_9.6.1MR2.signed.tgz

Upgrade Paths

• You can upgrade to 9.6.1 MR2 directly from 9.5.2 or later.
• You must upgrade versions before 9.5.x following this path: 9.0.2 > 9.2.1 > 9.4.2, 9.5.2 or later > 9.6.1 MR2

Bug Fixes and Enhancements

This section provides a description of the fixes and enhancements included in this Maintenance Release.

NOTE: This update is cumulative (i.e. 9.6.1 MR2 contains all the fixes and enhancements that were previously in 9.6.1 MR1) and may be installed over the top of 9.6.0 GA, MR 1, 2, 3, 4, 5, 6, 7, 8, 9 and 9.6.1 GA, MR1.

9.6.1 MR2

Bug Fixes

| Reference Number | Device | Area | Issue Description |
|---|---|---|---|
| 1193689 | ESM | User Interface | Auto refresh now picks up new ePO extensions. |
| 1192771, 1193227 | Other | Other | Resolved a failure to boot issue when upgrading to ESM 9.6 or 10.0. |
| 1202424 | ESM | Views | Bad Query on views filtering by Device Type ID CLASS. |
| 1188096 | ESM | Redundant ESM (RESM) | Resolved an issue that prevented SNMP Health Requests from being retrieved from a Redundant ESM. |
| 1196145 | ESM | Other | Added support for SMBv2 for file collection. |
| 1182550, 1188454 | Receiver | Collectors | Resolved an issue that prevented AWS CloudTrail Datasource data collection. |
| 1144706 | ESM | User Interface | Resolved an issue that caused an error message while editing the Date time format of ASP mapping in the Japanese version. |
| 1187554 | ESM | Backup / Restore | Fixed an issue that caused watchlist entries to not be restored from a full back-up. |
| 1190606 | ACE | Other | Match component filter with a comma in a correlation rule now works correctly. |
| 1198492 | ESM | Views | Filtering by special characters at the beginning of a string no longer results in a Bad Query Error. |
| 1184492 | ESM | Other | Removed symlinks to non-existent startup script. |
| 1182573 | ESM | Other | Accumulator field is now displayed for correlation events. |
| 1189341 | ESM | Data Enrichment | Data Enrichment Source tab now allows non-ASCII characters in the Path field. |
| 1193872 | ESM | Other | Removed TLS v1.0 support. |
| 1193866 | ESM | Other | Updated to latest Java version. |
| 1157226, 1099966, 1170534, 1180693, 1079411, 1157739 | Receiver | Other | Syslog now gracefully recovers when too many connections are active. |
| 1194649 | ESM | Other | Fixed an issue that prevented the job for Discover NSM Sensors from updating the sensors. |
| 1189120 | Receiver | Collectors | HTTPS curl collector mode now accepts Host Name. |
| 1191952 | ESM | Redundant ESM (RESM) | Added an optional config file to fine tune rsync for different customer environments. |
| 1173204 | ESM | Data Enrichment | Resolved an issue that caused the data enrichment process to fail when using the LDAP "Description" field content. |
| 1187443 | ESM | Other | Corrected an issue that caused the port number setting to be ignored when importing SFTP data source settings from a CSV file. |
| 1182465 | ESM | Other | Set 1TB maximum disk usage limit on DAS drive packet tables. |
| 1191951, 1192154, 1202077 | ESM | Alarms | Fixed a regression that prevented internal events from being written. |
| 1195944 | ESM | Reports | Improved query and report speed. |
| 1196478, 1189285, 1196479 | ESM | Other | When modifying a Checkpoint data source with child data sources, all the child data sources were disabled when the IP of the data source wasn't changed. This disabled state is now set only when validation is required for the IP/port of the data source. |
| 1188268, 1171478, 1149775 | ESM | Alarms | Added the ability to create alarms for groups of data sources. |
| 1186823 | Receiver | Other | Removed unused symlinks that caused error messages. |
| 1184401 | ESM | Policy | Corrected erroneous conflict errors during the policy import process. |
| 1159179 | ESM | System Properties | Corrected an issue that prevented users from removing email recipients from email groups. |
| 1196773, 1199677, 1197646 | ESM | Reports | Fixed an issue that prevented reports with non-default date formats from being run. |
| 1197822, 1196944, 1197825, 1198494, 1197724, 1201480, 1196134 | ESM: Views | Other | Resolved an issue that was causing invalid error messages when viewing the email content pack. |

9.6.1 MR1

Bug Fixes

| Reference Number | Device | Area | Issue Description |
|---|---|---|---|
| 1111767 | ELM | Other | Resolved an issue that would cause ELM Statistics to show zero logs for some Data Sources, even though the ESM UI shows there are logs in ELM. |
| 1130033 | ESM | Reports | Selecting a custom time range and a date format other than mm/dd/yyyy could produce incorrect data sets and time ranges. |
| 1139436 | Database | Other | Improved the logic to clean temporary files from the archive directory when dbserver restarts. |
| 1141155 | ELM | Database | The ELM database would delete old partitions without warning if the database and storage pools were stored on the same device and that device reached 90% full. |
| 1150643 | ESM | Views | Improved the handling of special characters for filtering and views. |
| 1150774 | ESM | Alarms | Device status change alarms now accurately trigger at the data source level. |
| 1153814 | ESM | Data Enrichment | LDAP Data Enrichment would not return any results if a non-ASCII character was used in the query. |
| 1154596, 1155865 | ELM | Search | Resolved an issue where ELM logs would not be fully decoded when retrieved through ELM Search. |
| 1156585, 1126930 | Receiver | Collectors | Data collection would not resume after rebooting VMware vCenter Server. |
| 1157922 | ESM | Alarms | Clicking "case link" on the generated alarm's Actions tab would result in an error if the case summary contains the pipe (`\|`) character. |
| 1157940 | ACE | Other | Deviation component for flows using event count as the deviation field would fail to write out to the ACE. |
| 1158910 | ELM | Other | When reducing the size of a storage pool, the amount of available space would display incorrectly in the storage pools tab of ELM properties. |
| 1160429 | ELM | Other | Improved handling for displaying ELM search metadata for different date formats. |
| 1160950, 1169537, 1154790 | Receiver | Other | Resolved an issue that would cause an error message to report that re-keying a device failed when it was actually successful. |
| 1161125 | ESM | Views | Resolved an issue that would cause long running delete queries to spawn additional queries. |
| 1162888, 1179314 | ELM | Other | Logs sent to the ELM would be deleted if no entry is found in the ds2rg table. |
| 1163035 | ESM | Custom Types | Custom types in Name/Value groups would not be displayed in the event view for the Japanese UI. |
| 1163240 | ELM | Logs | If ELM logs had duplicate archive ids, incorrect raw logs would appear in the UI with some events. |
| 1163730, 1167571 | Receiver | Other | Resolved an issue where unknown events would show at the data source parent level when using SIEM Collector. |
| 1164411, 1153616, 1168229 | ELM | Redundant | Fixed the counting of files for the rsync status to not include close matching numbers like 1, 10 and 11 multiple times. |
| 1164452 | ELM | Database | Resolved an issue where the "Being moved" lock file was not cleaned up after an ELM DB size increase. |
| 1166780 | ESM | Policy | The Japanese characters in the description when importing correlation rules were not being properly encoded. The import logic was modified to correctly maintain the encoding of characters. |
| 1167177 | ESM | Flash UI | Changing the hostname or vendor/model of a client data source would fail if the data source vendor/model and host name were in use by another client. |
| 1167541 | ESM | Redundant | ACL setting would not get replicated to the Redundant ESM. |
| 1168003 | ESM | Distributed | Resolved an issue that would cause pulling packet data the first time to fail. |
| 1168222 | ESM | Flash UI | When changing the name of existing parameters in the correlation rule editor, the name would change to unknown. The default value for the parameter was changed to always maintain the same format. |
| 1168356 | Receiver | Other | Resolved an issue that prevented parsing of an HTTP data source due to extra white space. |
| 1168675 | ESM | Security | Resolved an issue that caused AD user accounts to stay locked after the lockout duration had expired. |
| 1168730, 1123306, 1130254 | Receiver | Other | Resolved an issue that would trigger a device health alarm on a non-HA receiver of: "HA status changed from Critical to Warning". |
| 1169223, 1185517 | ESM | Distributed | Resolved an issue that would cause the ACE to show out of sync on a distributed ESM. |
| 1170168 | ESM | Flash UI | Resolved an issue that prevented expanding of correlated events in source events when logged in as a limited user. |
| 1171229 | ESM | Reports | Resolved an issue that prevented deselected emails in an email group from being removed from the group. |
| 1171319, 1159989, 1163200, 1175912 | Receiver | Other | IPMI would not function with ERC 1260 receivers. |
| 1171864 | ESM | Watchlist | Watchlist would not get all of the file hashes when it was uploaded from the ATD Cyberthreat feed. |
| 1171969 | ESM | Distributed | Destination user and Object fields were sporadic in propagating up to the parent ESM. |
| 1172007, 1177421, 1178857 | Receiver | Collectors | Resolved an issue where eStreamer would not write out correct JSON to be parsed. |
| 1172474 | ESM | Other | Multiple threads of the UpdateMTISThreads would run when the thread takes a long time to finish. |
| 1173929 | ESM | Flash UI | When doing a host lookup with correlation events, the host lookup would not display in the correct column. |
| 1174315 | ESM | Data Enrichment | When performing data enrichment with a lookup field custom type = 5, the destination fields would not be replaced by data enrichment. |
| 1174380 | Receiver | HA | The default gateway would not be assigned to the shared IP interface after HA fail-over. |
| 1174542 | DBM | Other | The TNS module in the DBM failed to handle a particular data encoding that TOAD (Tool for Oracle Application Developers) was using. |
| 1174556 | ESM | Reports | Resolved an issue that would cause stacking distribution charts to contain incorrect 'others' values. |
| 1174838 | ACE | Other | Resolved an issue that would allow an unsupported field to a deviation. |
| 1175569 | ESM | Health Monitor | Enhancements to health monitor for device communication errors. |
| 1176269 | ESM | Policy | Added user information to policy change history. |
| 1177260 | ESM | UI | When correlating with a large threshold, it was possible to exceed the supported packet length. |
| 1178305 | ESM | Reports | Report would not be generated if the Devices filter is empty. Added a check in the UI to validate that a device is selected. |
| 1180258 | ESM | Alarms | Alarm acknowledge date and time was incorrectly displayed in the details panel and the clipboard. |
| 1180636, 1158297, 1181997, 1184605, 1184764, 1193524 | ELM | Search | Enhanced ELM log retrieval to search through all possible log files instead of just one log file. Some log entries in aggregated events were not being displayed. |
| 1181790 | ACE | Other | Added notifications when correlation rules, threshold, and deviations exceed maximum packet length. |
| 1182029 | ELM | Other | Resolved an issue that, in rare instances, prevented logs from being displayed when a user was connected to an ELM through SFTP. |
| 1183281 | Receiver | Other | Resolved an issue that caused syslog messages to be sent to a data source when the host name matched but the port did not match. |
| 1183572 | ESM | Reports | Resolved an issue where the ESM would incorrectly delete temporary files that were being used for running report queries. |
| 1183723 | ELM | Other | Resolved an issue where the bloom does not get set when duplicate ELM ids span multiple partitions. |
| 1184113 | ACE | Other | The correlation rule would never trigger under a specific condition. |
| 1184292 | ESM | Flash UI | Updated the label of the ACE communication configuration panel to be correct. |
| 1184522 | ESM | Rules | Resolved an issue that caused extra rows to be added when saving ASP rule text. |
| 1185031 | ACE | Other | Set the maximum allowed value for the ACE Risk Correlation Manager threshold to 99%. |
| 1185261 | ELM | Redundant | Resolved an issue that prevented a redundant ELM from syncing completely. |
| 1187430, 1187677 | ACE | Other | Resolved an issue that caused alarms to trigger more frequently than the Maximum Condition Trigger Frequency (cooldown) setting. |
| 1188302, 1188301, 1188448 | ESM | Other | Resolved an issue that caused false error messages when users tried to view event data. |
| 1189266 | ESM | Other | Improved memory handling when the ESM populates the device tree and when retrieving a list of correlated events. |
| 1188742, 1188752 | | | Resolved an issue where editing blacklist IP addresses would fail due to extra `\` characters present in the command's parameters. |

9.6.1

Bugs

| Reference Number | Device | Area | Issue Description |
|---|---|---|---|
| 1162135 | McAfee SIEM | ESM: Views | When exporting table results from a custom case view, the dialog to download the results would not show up. |
| 1181609 | McAfee SIEM | ELM | API service would stop running during logging to edsftp. |
| 1162069 | McAfee SIEM | ACE | Improved memory handling routines for java correlator processes. |
| 1161564 | McAfee SIEM | ELM | When a DAS entry in the Das.conf file had a uuid of zero, there would be an entry visible in the System > Properties > Database > Data Storage > DAS page which resulted in the appearance of an extra DAS device. |

Enhancements

| Reference Number | Device | Area | Issue Description |
|---|---|---|---|
| None | All (except IPS) | Hardware | Added support for Gen 5 Hardware. |
| None | | | Added support for Check Point R80. |

9.6.0 MR9

Security Fixes

| Reference Number | Device | Area | Issue Description |
|---|---|---|---|
| 1176754 | McAfee SIEM | ESM | Updated NTPD to version 4.2.8p9. |

Bug Fixes

| Reference Number | Device | Area | Issue Description |
|---|---|---|---|
| 1179064 | McAfee SIEM | ESM | Modifications to the way CPConsoleServer.cfg handles the configuration parameter "allow_ssh". |
| 1178285 | McAfee SIEM | DBM | DBM would fail to capture traffic from an MSSQL database when using dynamic ports. |
| 1145759 | McAfee SIEM | DBM | Removed the option to use nitrofirewall capture from the DBM. |
| 1162445 | McAfee SIEM | User Interface: Flash (traditional UI) | When selecting a client data source for filtering event forwarding results, the parent device would be shown on the device form instead of the client data source. |
| 1167190, 1167576, 1167580, 1167757, 1168745, 1177122, 1177756, 1180901, 1168747, 1168745 | McAfee SIEM | ESM | Datasource inactivity flags would not properly clear. |
| 1177859, 1122299, 1165318 | McAfee SIEM | ELM | Improved the performance for obtaining ELM storage pool data. |

Enhancements

| Reference Number | Device | Area | Issue Description |
|---|---|---|---|
| None | Receiver | Other | Added Support for CheckPoint R80. |

9.6.0 MR8

Security Fixes

| Reference Number | Device | Area | Issue Description |
|---|---|---|---|
| 1166416 | ESM | Security | Updated Kernel to resolve "Dirty COW" CVE-2016-5195 (CVSS3 6.4/6.1). |
| 1166418 | ESM | Security | Updated JRE/JDK package to version 1.8.0 u102. |
| 1159740 | ESM | Security | Resolved OS command injection (CVSS3 7.2 / 7.0). |
| 1095836 | Receiver | Security | Resolved issue where file name can execute commands on upload (CVSS3 8.8 / 8.6). |

Bug Fixes

| Reference Number | Device | Area | Issue Description |
|---|---|---|---|
| 1165060 | ESM | Alarms | Alarms would show [object object] as the default values on the Destination User filter. |
| 1167202 | ESM | Alarms | Resolved alarms that would generate QueryExec errors after upgrades. |
| 1168000 | ESM | Database | Resolved issue where open file handles would reach 0 even though files were open. |
| 1167217 | ESM | SNMP | Resolved SNMP timeouts. |
| 1162839 | ESM | System Properties | Emails would fail to send if TLS and authentication were both enabled. |
| 1145767 | ESM | System Properties | Resolved an error that occurred when writing out the global blacklist. |
| 1135671 | ESM | Reports | Addressed an issue where the average normalized event severity bar chart was not being displayed in reports. |
| 1148185, 1155206 | REC | Collectors | Resolved an issue where the eStreamer collector restarted several times a day. |
| 1123046, 1164203, 1124250 | ELM | Redundant | Partial rsync files would accumulate in /tmp and not be cleaned up. |
| 1168001 | ELM | Database | ELM could incorrectly calculate disk space remaining and remove partitions to free up space. |
| 1157788 | ACE | Correlation | Addressed correlation rules not triggering when using a "contains" clause that had Japanese characters in the target string. |

Enhancements

| Reference Number | Device | Area | Issue Description |
|---|---|---|---|
| 1151336 | REC | Collectors | Added support for eStreamer block type 42 for record type 400. |

9.6.0 MR7

Bug Fixes

| Reference Number | Device | Area | Issue Description |
|---|---|---|---|
| 1134137, 1156882, 1134136 | ELM | Redundant | Resolved SFTP connectivity issues on redundant ELM. |
| 1157720, 1160755, 1157744 | ESM | IOC | Indicators of Compromise (IOC) back trace would incorrectly match events when using the URL |
| 1159852, 1150148, 1132610 | ESM | Backup & Restore | Addressed an issue where restoring the configuration would fail with an ERCELM device. |
| 1130545, 1128538 | ESM | Event Forwarding | Resolved time out values that would cause events to be dropped when sending via TCP. |
| 1163248 | ESM | Backup & Restore | Resolved issue where performing an ESM backup would result in slower alert inserts. |
| 1161106 | ESM | Other | Added logic to ensure enough space in memory to store user input values for active directory logins and user-defined fields in query results. |
| 1151127 | ESM | Other | Fixed locked ISO images so they work on an ERU device. |
| 1164816 | ESM | Views | Fixed sorting problems with table components. |
| 1149317 | ACE | Correlation | Correlation managers would not filter for flows. |
| 1159743 | ESM | Alarms | Performance modifications for Alarm queries. |
| 1133866 | ESM | Properties | Increased the timeout for an active directory server with two IP addresses to allow enough time for the ESM to authenticate through the second IP address if the first one fails. |
| 1152685 | ELM | Storage | Added a health monitor check to warn when data is about to be overwritten before the retention period has expired. |
| 1153832 | ESM | Other | Enhanced DBSizeChange to keep index and bloom files on /ss1 instead of moving them or creating them on /db2. |
| 1157708 | ACE | Historical Correlation | Health Flags for correlation would not occur in Historical mode on an ACE. |
| 1161284 | ESM | Other | NSM rules will not default to enabled. |
| 1164436 | ESM | Backup & Restore | Differential backups now look at the syssettings table to determine when the last successful backup of the Alert (and Packet), Connection, and Log tables occurred. |

9.6.0 MR6

Bug Fixes

| Reference Number | Device | Area | Issue Description |
|---|---|---|---|
| 1150709 | ESM | Views | Queries with an * in the Sig ID field would return incorrect results. |
| 1155797, 1161496 | ESM | Upgrade | Upgrading the ESM would take longer than expected if Accumulator indexing is enabled. |
| 1159852 | Receiver | HA | The call to WriteConf, which was a recursive call to itself, was corrected to get the configuration file name and allow the function to write corosync.conf as intended. |
| 1158896 | ESM | Policy | Fixed reversal of time formats when editing ASP rules. |
| 1147896 | Receiver | Data Source | Updated Amazon CloudTrail collector to use the configured proxy server for all traffic. |
| 1131211 | ESM | Correlation | When viewing some correlation events in the GUI, the Correlation Details tab would show 'No Details Found' when a special character was used in the name or description of the correlation rule that generated the event. |
| 1141615, 1151613 | ESM | Reports | Device filters would not be retained for certain queries. |
| 1148814, 1150322 | ESM | UI | The Email recipients list for the "Send Message" action of Alarms would be displayed incorrectly. |
| 1145094 | ESM | Alarms | A field match alarm which used a "contains" match that ended in a backslash (`\`) would result in: "Error: Could not move file to device (ER126)". |
| 1155390 | ESM | Views | Resolved an issue where cases assigned to a user that were part of a NOT IN filter remained in the "other" category. |
| 1156995 | Receiver | Collector | The mount collector would pull files smaller than 256 bytes repeatedly even if they hadn't changed. |
| 1151610 | ESM | Reports | Removed default time filter from "McAfee Collection Rate - Events Per Second" and "McAfee Collection Rate - Events Per Second" reports. |
| 1153672 | ESM | Policy | Historical correlation filter protocol field would allow too many characters. |
| 1150916 | ESM | Alarms | Fixed erroneous triggering of alarms after the alarm trigger type is changed. |
| 1156879 | ESM | Filters | Queries for views or reports with a regex in the filters may not return. |
| 1158180 | ESM | External API | REST API would always return a locked status of false for all users when retrieving the user list. |
| 1145221, 1147161, 1145199 | ESM | External API | Modified caseAddCase and caseEditCase to allow event ids to be added / edited. |
| 1153671 | ESM | Policy | Fixed failure to edit correlation rules in non-English languages. |
| 1144331 | ESM | Users & Groups | Resolved an issue saving devices to a group. |
| 1149350 | ESM | Views | Resolved an issue where queries with "or" conditions in the filter would not return results. |
| 1144333, 1151592 | Receiver | Collectors | Syslogcollector now waits the proper time before failing when trying to bind to the syslog socket. |
| 1156640 | Receiver | Other | Resolved an issue with routing of syslog events to data sources when two data sources have the same host name but a different port. |
| 1152342 | ESM | Alarms | Fixed encoding of correlation rule filter values. |
| 1150479 | ESM | Users & Groups | The Users and Groups dialog would not load if the initial password prompt was cancelled. |
| 1144573 | ESM | Views | Some view results were not being returned when querying a parent and group of child data sources. |
| 1134164 | ESM | Other | NSM Sensors auto refresh would fail with "ErrMsg=Ok, Result: The session is invalid". |
| 1154571, 1156859, 1157028 | ESM | Views | Column names were displayed incorrectly on CSV files that were exported from a view. |
| 1119239, 1129882, 1155086 | ESM | Other | Resolved an issue where a content pack shows available to install but no associated file was found on the ESM. |
| 1157322, 1157938 | ESM | Other | Improvements to memory handling functions. |
| 1151639, 1153939 | Database | Other | Resolved an issue where some Partitions would be marked bad after a clean shutdown. |
| 1144304, 1146001, 1152277, 1154840, 1156141, 1149815 | ELM | Other | Fixed erroneous "path in use" message when adding a second SAN device to an ELM. |
| 1152567 | Receiver | Collector | The mount collector would fail when the source directory contained many tens of thousands of files. |
| 1162898 | Receiver | Collector | Resolved an issue where the SIEM collector connection would drop and events wouldn't be sent to the receiver. |

Enhancements

| Reference Number | Device | Area | Issue Description |
|---|---|---|---|
| 1154800 | Database | Other | Decreased ESM shutdown time for systems that have a large number of alert partitions. |
| 1159668 | ESM | Other | Updated to OpenSSL 1.0.2j. |

9.6.0 MR5

| Reference Number | Device | Area | Issue Description |
|---|---|---|---|
| 1153182 | ESM | Distributed | When adding devices to a distributed ESM they would not be automatically refreshed on the parent system tree. |
| 1083558 | ESM | Alarms | Occasionally alarms would show in the triggered alarm view but not in the alarm pane. |
| 1099227, 1149635 | ESM | Other | Source passwords for Watch lists were not encrypted in the database. |
| 1121047, 1132605 | ESM | Other | Geo-Location information for some IP addresses was incorrect. |
| 1124573, 1141208, 1146734 | Receiver | Collector | Curl Collector would not pull events as frequently as it was configured to. |
| 1124737 | ESM | Views | The event summary selection would not be maintained in the drill-down view when switching data sources. |
| 1129072 | ESM | Distributed | Pulling packets from the child ESM could result in Malformed data (ER1010). |
| 1133676, 1115503 | ESM | Distributed | When exporting data sources in a distributed ESM model they would sometimes be duplicated. |
| 1134437, 1139544 | ESM | Alarms | Certain alarm actions would show up twice in alert details. |
| 1135202 | ESM | Reports | Performance enhancements for CSV Reports. |
| 1135203 | ESM | Distributed | Device type filters for Distributed ESM were not correctly saved after upgrade. |
| 1136220, 1126080, 1137745, 1142554, 1147442 | ELM | Archive | In some cases ELM archive would fail to retrieve logs for aggregated events. |
| 1139436 | Database | Other | Enhanced clean-up of temporary files on das1 and ad1. |
| 1139440 | ESM | Reports | Non-Admin users would not be able to see reports created by others even when sufficient access had been granted. |
| 1140627 | ESM | Events | Unnecessary internal events would be triggered on login for file deletions. |
| 1141625 | ESM | Data Source | SCP test connect could fail when thousands of files exist in the remote directory. |
| 1142777 | ESM | Other | Event aggregation exceptions would be deleted after a change to custom types. |
| 1143510 | ESM | | Improved memory handling for alarms and reports. |
| 1144598, 1150298 | ESM | Distributed | Pulling events would time out if the ESM was more than one day behind on retrievals. |
| 1145128 | ESM | Other | Modified string handling techniques for some APIs. |
| 1145382, 1145768 | ESM | Other | SNMP V2 Trap Object Identifier was incorrectly formatted. |
| 1145415, 1146564 | Receiver | High Availability | Improved error reporting on the process to verify the hi_bit in ha_conf. |
| 1146200, 1143324 | ESM | Alarms | Triggered alarm views would not show acknowledged alarms when logged in as a non-NGCP user. |
| 1146734 | Receiver | Collector | Improvements to curl collector. |
| 1147690 | ESM | Other | Increased the maximum number of detached partitions the GUI allows to be attached manually to 100. |
| 1147939 | ESM | Backup & Restore | "last backup success" dates were incorrectly using the last differential backup date. |
| 1147941 | ESM | Backup & Restore | Improved space requirement checking for differential backups. |
| 1149605 | ESM | Policy | Performance enhancements for loading the policy editor. |
| 1150508 | ESM | Views | Distribution Chart would be blank when filtering or stacking by device type ID. |
| 1150509 | ESM | Views | Table components would return no results with "or" filters and certain fields in "Select" statements. |
| 1151844 | ESM | External API | Selecting 159 fields through the External API would result in an error. |
| 1152075 | Database | Other | Improved database rebuild process. |
| 1152306 | ESM | Policy | When filtering by "Tag" all rules would be returned. |
| 1152666 | ESM | Redundant | A redundant ESM is now able to pull packets and ELM logs. |
| 1152670 | ESM | Other | When viewing triggered alarms not all alarms would show. |
| 1153168 | Database | Other | Improved the process of moving data partitions on the ESM. |
| 1155287, 1155527, 1156135, 1152883 | ESM | Rules | Rule updates could fail while checking for new MTIS threats. |

9.6.0 MR4

Reference

Number

Device Area Issue Description

Page 17: McAfee® Enterprise Security Manager (ESM) 9.6.1 MR2 · 9.2.1 > 9.4.2, 9.5.2 or later > 9.6 ... Match component filter with a comma in correlation ... 1181790 ACE Other Added notifications

17

1128533 | ESM | VA Source | Testing the connection on a Critical Watch FusionVM Vulnerability Assessment Source with a Server URL could result in “VAER1 HTTP Error: Not Found”.
1134390 | ESM | Other | Processing cyber threat feeds could have resulted in an access violation message being logged to /var/log/messages.
1134465, 1148187 | ESM | Other | Improved process for handling files in the /var/log/ace/enrichment folder to prevent the directory from becoming too large.

Note: The MR4 upgrade process will delete extraneous files in the /var/log/ace/enrichment folder. If the folder contains a large number of files (more than a few million), the delete process may take an extended period of time (up to 2 hours). While the delete process is underway, messages similar to the following are logged to /var/log/messages:

• McAfee NGCPRebuild[1130]: Cleaning ACE Enrichment Directory (logged at the beginning of the process)

• McAfee NGCPRebuild[1130]: Cleaning up stale watchlist files. This process could take an extended period of time. (logged during the process at an interval of approximately 60 seconds)

• McAfee NGCPRebuild[1130]: Cleaning ACE Enrichment Directory completed. (logged at the end of the process)

1141609 | ESM | ELM Search | ELM Search downloads would not work for non-admin users.
1142567 | ESM | Distributed | Event pulls would time out when the ESM was days behind on retrievals.
1144316 | ESM | Events | When drilling down on IOC events, event data would not populate in the details tab.
1144591 | Database | Other | Partial backup would sometimes fail on a table containing closed partitions.
1145155 | Receiver | Collectors | Mount collector would not run when a configured data source was disabled.
1145736 | Database | Other | Narrows the search window to ensure non-relevant data isn’t needlessly searched in order to pull data from child to master ESM.


1145946 | ESM | Data Source | Writing out data sources failed for receivers with multiple data sources if one of the data sources was an ACE.
1146948, 1147183, 1148843 | ESM | IOC | False positive could be triggered when a cyberthreat feed was set up with multiple IOCs in one file.
1147443 | Database | Other | Improved error handling for a theoretical data sorting failure.
1149095 | Database | Other | Increased the query performance when handling large numbers of IPSIDs.
1150257, 1150303 | ESM | Other | Fixed memory leak associated with Risk Score.
1151583 | ESM | Other | Occasionally, while starting services, CPServiced would start more than 1 instance.

9.6.0 MR3

Reference Number | Device | Area | Issue Description
1148378, 1148628 | ADM | Other | ADM Kernel Panic

9.6.0 MR2 – Internal Release only

Reference Number | Device | Area | Issue Description
1123068 | Receiver | Other | Added functionality to clean out files older than a day from /var/log/data/va/.
1126931 | ESM | Data Sources | Updated the test connect functionality for SCP data sources to use the select system call to ensure the socket is ready for reading and writing before performing I/O operations.
1131039 | ESM | Security | Modified the location to check for permissions for views to allow group permissions set in earlier releases to persist.


1135480 | ESM | Logging | Resolved an issue where the “updated column” for flow retrieval logs would show a negative number.
1135975 | ESM | ELM | Increased the timeout for ElmDBStop to allow the ELM to start up automatically when there are large storage pools.
1137345 | ESM | Backup/Restore | After a redundant ESM (RESM) failover, more than one day of data was backed up and could run out of disk space.
1141908 | ESM | Data Source | Modified the check for duplicate data sources when a data source is created to not include the new data source in the list of existing data sources.
1142715 | ESM | Database | Modifications made to improve the handling of long strings.
1142955, 1145170 | ESM | Alarms | Made modifications so that the queries of alarms with the Condition of “Deviation from Baseline” and condition query of "Total Events" will run in the background.
1143015 | ESM | Database | A failed move of a single partition could prevent all subsequent partition moves, which caused the disk to run out of space.
1143247 | Receiver | Parsers | The OpenVAS XML parser would try to read an item from the XML that did not exist.
1144259 | ESM | Database | Root directory ran out of space due to an error message being repeatedly written to NitroError.Log.
1146677 | ESM | Database | Released a database lock being held too long.
1146723 | ESM | Database | Deletion of an incorrect partition on Receiver was possible in a rare circumstance.

9.6.0 MR1 – Limited Release

Reference Number | Device | Area | Issue Description
1137625 | ESM | Views | View with Domain and SigID filter would load slowly.
1135719 | ESM | Database | Log table reported negative record count after an index rebuild.
1138925 | ESM | Database | dbserverd threads locked from BFile^.UserCount being stuck.


1140155 | ESM | Other | ref lock not being released in some exception cases.
1141098 | ESM | Database | Move Points being set "at 0" would cause partitions to be deleted or moved to archive early.
1119516 | ESM | Correlation | Improved error handling to detect corrupt records and continue processing the next record.
1122397 | ESM | Backups | Enhancements to the ESM’s backup procedures to include /root/.ssh/known_hosts.
1119042 | ESM | Views | Export View queries would generate multiple times.
1123564 | ESM | Database | Alert table closing down while dbserver is running.
1130691 | ESM | Rules | Modification of a rule does not always show the correct regular expressions.
1129167 | ESM | Data Source | ER15 upon editing Generic Data Source if the user does not have administrator rights.
1130040 | ESM | Events | Event Forwarding would not work when using non-default date format user settings.
1136891 | ESM | Data Source | Passwords for data source profiles were not being encrypted.
1127706 | ESM | Parsers | ASP-Test segfault when opening a rule.
1133088 | ESM | Collectors | Syslog-ng Client DS would not route correctly if its hostname contains an underscore character ("_").
1131849 | ESM | Filters | ER 15 when opening filter list with limited privileges.
1133119 | ESM | Backups | Incremental backup would not start from last good backup.
1129511 | ESM | Other | Assets without IP addresses are being pulled from ePO but should not be.
1135427 | ESM | Rules | ASP Rule Editor: number of PCREs goes beyond limit, but ASP Rule Editor GUI says the opposite.
1135713 | ESM | Other | Getting I/O lock on the SSD file system when reaching a certain I/O load on the ESM X6/X4.
1136836 | ESM | Redundant | Event details for a query that runs on a redundant ESM were not correct.


1138122 | ESM | Filters | Report Device filters would always show "Physical Display".
1138933, 1139168, 1133094 | ESM | Other | Improved memory handling. “StringsS” entry logged in /var/log/messages.
1140849 | ESM | Other | GUI hung due to a thread lock not being released.
1108436 | Receiver | Collectors | Syslog relay would not honor Hostname plus Port.
1133658, 1135210, 1101562, 1133661, 1133663, 1133665, 1134370, 1134910 | Receiver | VA | Rapid7 Nexpose as VA Source fails: "Server message: Authorization required for API access".
1122750 | Receiver | Collectors | eStreamer could fail on an HA receiver pair when eth0 and eth1 are on the same subnet.
1131861 | Receiver | Collectors | Amazon CloudTrail event logs are larger than collector and msgwrite can handle.
1138266 | Receiver | Collectors | eStreamer "title verification failed; expected: estreamer".
1138885 | Receiver | Parsers | The Advanced Syslog Parser (ASP) would stop parsing data after a SIEM upgrade if, prior to upgrade, there were only Custom ASP Rules and the Rules were ordered.
1123294 | Receiver | Data Sources | Receiver could not write out data sources when client data sources have the same IP but different ports.
1143303 | ACE | Report | Device filters always show "Physical Display".
1137523 | ADM | Other | ADM Kernel panic.
1116394 | ELM | Other | Duplicate archive IDs for ELM logs would cause incorrect raw logs to appear in the UI with some events.
1123010 | ELM | Bloom | ELM indexing queue would get filled up with duplicate files.


1123077 | ELM | Database | Increasing size of management database fails with an error that there is not enough disk space even though there is enough disk space.
1133051 | ELM | Bloom | Could not modify ELM Storage Pool. “List index (0) out of bounds” error in the ELM's /var/log/messages.
1137612 | ELM | Bloom | elmdbrebuild would fail after upgrade from 9.4.2 to 9.6.0.
1136298, 1136296, 1136295, 1135926 | Device | Inserts | Resolved the issue where pulling events may result in a success message when zero events were pulled.
1137088, 1136604, 1135458 | ESM | Data Source | Auto-learned data source would not be removed from the auto-learn file when being removed from the list.

Installation instructions

For new installation instructions, please refer to the following document:

McAfee Enterprise Security Manager 9.6.0 Installation Guide

For upgrade installation instructions, please refer to the following document:

McAfee Enterprise Security Manager 9.6.1 Release Notes

Troubleshooting installation issues

Common issues encountered during/after installation

When using the Chrome browser, you could see that the upgrade tarball will not upload properly to the ESM and arrives decompressed from its .tgz file. This is due to the way Chrome uploads the file. If you experience this issue, we recommend using Internet Explorer or Firefox to do the upgrade.

Recovering from a failed installation

Contact McAfee Support.

Finding product documentation

On the ServicePortal, you can find information about a released product, including product documentation, technical articles, and more.

Task


1. Go to the ServicePortal at https://support.mcafee.com and click the Knowledge Center tab.

2. In the Knowledge Base pane under Content Source, click Product Documentation.

3. Select a product and version, then click Search to display a list of documents.