Release Notes McAfee® Enterprise Security Manager (ESM) 9.6.1 MR2
About this document
Thank you for choosing this McAfee® product. This document contains important information about the
current release. We strongly recommend that you read the entire document.
About this release
Release date
Files included
• ESS_Update_9.6.1MR2.signed.tgz
• ESSREC_Update_9.6.1MR2.signed.tgz
• RECEIVER_Update_9.6.1MR2.signed.tgz
• APM_Update_9.6.1MR2.signed.tgz
• DBM_Update_9.6.1MR2.signed.tgz
• IPS_Update_9.6.1MR2.signed.tgz
Upgrade Paths
• You can upgrade to 9.6.1 MR2 directly from 9.5.2 or later.
• You must upgrade versions before 9.5.x following this path: 9.0.2 > 9.2.1 > 9.4.2, 9.5.2 or later > 9.6.1 MR2
Bug Fixes and Enhancements
This section provides a description of the fixes and enhancements included in this Maintenance Release.
NOTE: This update is cumulative (i.e. 9.6.1 MR2 contains all the fixes and enhancements that were previously in 9.6.1 MR1) and may be installed over the top of 9.6.0 GA, MR 1, 2, 3, 4, 5, 6, 7, 8, 9 and 9.6.1 GA, MR1.
9.6.1 MR2
Bug Fixes
Reference Number | Device | Area | Issue Description
1193689 | ESM | User Interface | Auto refresh now picks up new ePO extensions.
1192771, 1193227 | Other | Other | Resolved a failure-to-boot issue when upgrading to ESM 9.6 or 10.0.
1202424 | ESM | Views | Bad Query error on views filtering by Device Type ID CLASS.
1188096 | ESM | Redundant ESM (RESM) | Resolved an issue that prevented SNMP Health Requests from being retrieved from a Redundant ESM.
1196145 | ESM | Other | Added support for SMBv2 for file collection.
1182550, 1188454 | Receiver | Collectors | Resolved an issue that prevented AWS CloudTrail data source data collection.
1144706 | ESM | User Interface | Resolved an issue that caused an error message while editing the date/time format of ASP mapping in the Japanese version.
1187554 | ESM | Backup / Restore | Fixed an issue that caused watchlist entries to not be restored from a full backup.
1190606 | ACE | Other | Match component filter with a comma in a correlation rule now works correctly.
1198492 | ESM | Views | Filtering by special characters at the beginning of a string no longer results in a Bad Query error.
1184492 | ESM | Other | Removed symlinks to a non-existent startup script.
1182573 | ESM | Other | Accumulator field is now displayed for correlation events.
1189341 | ESM | Data Enrichment | Data Enrichment Source tab now allows non-ASCII characters in the Path field.
1193872 | ESM | Other | Removed TLS v1.0 support.
1193866 | ESM | Other | Updated to latest Java version.
1157226, 1099966, 1170534, 1180693, 1079411, 1157739 | Receiver | Other | Syslog now gracefully recovers when too many connections are active.
1194649 | ESM | Other | Fixed an issue that prevented the Discover NSM Sensors job from updating the sensors.
1189120 | Receiver | Collectors | HTTPS curl collector mode now accepts Host Name.
1191952 | ESM | Redundant ESM (RESM) | Added an optional config file to fine-tune rsync for different customer environments.
1173204 | ESM | Data Enrichment | Resolved an issue that caused the data enrichment process to fail when using the LDAP "Description" field content.
1187443 | ESM | Other | Corrected an issue that caused the port number setting to be ignored when importing SFTP data source settings from a CSV file.
1182465 | ESM | Other | Set a 1 TB maximum disk usage limit on DAS drive packet tables.
1191951, 1192154, 1202077 | ESM | Alarms | Fixed a regression that prevented internal events from being written.
1195944 | ESM | Reports | Improved query and report speed.
1196478, 1189285, 1196479 | ESM | Other | When modifying a Check Point data source with child data sources, all the child data sources were disabled even when the IP of the data source wasn't changed. The disabled state is now set only when validation is required for the IP/port of the data source.
1188268, 1171478, 1149775 | ESM | Alarms | Added the ability to create alarms for groups of data sources.
1186823 | Receiver | Other | Removed unused symlinks that caused error messages.
1184401 | ESM | Policy | Corrected erroneous conflict errors during the policy import process.
1159179 | ESM | System Properties | Corrected an issue that prevented users from removing email recipients from email groups.
1196773, 1199677, 1197646 | ESM | Reports | Fixed an issue that prevented reports with non-default date formats from being run.
1197822, 1196944, 1197825, 1198494, 1197724, 1201480, 1196134 | ESM: Views | Other | Resolved an issue that was causing invalid error messages when viewing the email content pack.
9.6.1 MR1
Bug Fixes
Reference Number | Device | Area | Issue Description
1111767 | ELM | Other | Resolved an issue that would cause ELM Statistics to show zero logs for some data sources, even though the ESM UI shows there are logs in the ELM.
1130033 | ESM | Reports | Selecting a custom time range and a date format other than mm/dd/yyyy could produce incorrect data sets and time ranges.
1139436 | Database | Other | Improved the logic to clean temporary files from the archive directory when dbserver restarts.
1141155 | ELM | Database | The ELM database would delete old partitions without warning if the database and storage pools were stored on the same device and that device reached 90% full.
1150643 | ESM | Views | Improved the handling of special characters for filtering and views.
1150774 | ESM | Alarms | Device status change alarms now accurately trigger at the data source level.
1153814 | ESM | Data Enrichment | LDAP Data Enrichment would not return any results if a non-ASCII character was used in the query.
1154596, 1155865 | ELM | Search | Resolved an issue where ELM logs would not be fully decoded when retrieved through ELM Search.
1156585, 1126930 | Receiver | Collectors | Data collection would not resume after rebooting VMware vCenter Server.
1157922 | ESM | Alarms | Clicking "case link" on the generated alarm's Actions tab would result in an error if the case summary contained a pipe ('\|') character.
1157940 | ACE | Other | Deviation component for flows using event count as the deviation field would fail to write out to the ACE.
1158910 | ELM | Other | When reducing the size of a storage pool, the amount of available space would display incorrectly in the storage pools tab of ELM properties.
1160429 | ELM | Other | Improved handling for displaying ELM search metadata for different date formats.
1160950, 1169537, 1154790 | Receiver | Other | Resolved an issue that would cause an error message to report that re-keying a device failed when it was actually successful.
1161125 | ESM | Views | Resolved an issue that would cause long-running delete queries to spawn additional queries.
1162888, 1179314 | ELM | Other | Logs sent to the ELM would be deleted if no entry was found in the ds2rg table.
1163035 | ESM | Custom Types | Custom types in Name/Value groups would not be displayed in the event view for the Japanese UI.
1163240 | ELM | Logs | If ELM logs had duplicate archive IDs, incorrect raw logs would appear in the UI with some events.
1163730, 1167571 | Receiver | Other | Resolved an issue where unknown events would show at the data source parent level when using SIEM Collector.
1164411, 1153616, 1168229 | ELM | Redundant | Fixed the counting of files for the rsync status so that close-matching numbers like 1, 10 and 11 are not counted multiple times.
1164452 | ELM | Database | Resolved an issue where the "Being moved" lock file was not cleaned up after an ELM DB size increase.
1166780 | ESM | Policy | Japanese characters in the description were not being properly encoded when importing correlation rules. The import logic was modified to correctly maintain the encoding of characters.
1167177 | ESM | Flash UI | Changing the hostname or vendor/model of a client data source would fail if the data source vendor/model and host name were in use by another client.
1167541 | ESM | Redundant | ACL settings would not get replicated to the Redundant ESM.
1168003 | ESM | Distributed | Resolved an issue that would cause pulling packet data the first time to fail.
1168222 | ESM | Flash UI | When changing the name of existing parameters in the correlation rule editor, the name would change to unknown. The default value for the parameter was changed to always maintain the same format.
1168356 | Receiver | Other | Resolved an issue that prevented parsing of an HTTP data source due to extra white space.
1168675 | ESM | Security | Resolved an issue that caused AD user accounts to stay locked after the lockout duration had expired.
1168730, 1123306, 1130254 | Receiver | Other | Resolved an issue that would trigger a device health alarm on a non-HA receiver of: "HA status changed from Critical to Warning".
1169223, 1185517 | ESM | Distributed | Resolved an issue that would cause the ACE to show out of sync on a distributed ESM.
1170168 | ESM | Flash UI | Resolved an issue that prevented expanding correlated events in source events when logged in as a limited user.
1171229 | ESM | Reports | Resolved an issue that prevented deselected emails in an email group from being removed from the group.
1171319, 1159989, 1163200, 1175912 | Receiver | Other | IPMI would not function with ERC 1260 receivers.
1171864 | ESM | Watchlist | Watchlist would not get all of the file hashes when it was uploaded from the ATD Cyberthreat feed.
1171969 | ESM | Distributed | Destination User and Object fields were sporadic in propagating up to the parent ESM.
1172007, 1177421, 1178857 | Receiver | Collectors | Resolved an issue where eStreamer would not write out correct JSON to be parsed.
1172474 | ESM | Other | Multiple threads of the UpdateMTISThreads would run when the thread took a long time to finish.
1173929 | ESM | Flash UI | When doing a host lookup with correlation events, the host lookup would not display in the correct column.
1174315 | ESM | Data Enrichment | When performing data enrichment with a lookup field custom type = 5, the destination fields would not be replaced by data enrichment.
1174380 | Receiver | HA | The default gateway would not be assigned to the shared IP interface after HA fail-over.
1174542 | DBM | Other | The TNS module in the DBM failed to handle a particular data encoding that TOAD (Tool for Oracle Application Developers) was using.
1174556 | ESM | Reports | Resolved an issue that would cause stacking distribution charts to contain incorrect 'others' values.
1174838 | ACE | Other | Resolved an issue that would allow an unsupported field to be added to a deviation.
1175569 | ESM | Health Monitor | Enhancements to health monitor for device communication errors.
1176269 | ESM | Policy | Added user information to policy change history.
1177260 | ESM | UI | When correlating with a large threshold, it was possible to exceed the supported packet length.
1178305 | ESM | Reports | Report would not be generated if the Devices filter was empty. Added a check in the UI to validate that a device is selected.
1180258 | ESM | Alarms | Alarm acknowledge date and time were incorrectly displayed in the details panel and the clipboard.
1180636, 1158297, 1181997, 1184605, 1184764, 1193524 | ELM | Search | Enhanced ELM log retrieval to search through all possible log files instead of just one log file. Some log entries in aggregated events were not being displayed.
1181790 | ACE | Other | Added notifications when correlation rules, thresholds, and deviations exceed the maximum packet length.
1182029 | ELM | Other | Resolved an issue that, in rare instances, prevented logs from being displayed when a user was connected to an ELM through SFTP.
1183281 | Receiver | Other | Resolved an issue that caused syslog messages to be sent to a data source when the host name matched but the port did not match.
1183572 | ESM | Reports | Resolved an issue where the ESM would incorrectly delete temporary files that were being used for running report queries.
1183723 | ELM | Other | Resolved an issue where the bloom does not get set when duplicate ELM IDs span multiple partitions.
1184113 | ACE | Other | A correlation rule would never trigger under a specific condition.
1184292 | ESM | Flash UI | Updated the label of the ACE communication configuration panel to be correct.
1184522 | ESM | Rules | Resolved an issue that caused extra rows to be added when saving ASP rule text.
1185031 | ACE | Other | Set the maximum allowed value for the ACE Risk Correlation Manager threshold to 99%.
1185261 | ELM | Redundant | Resolved an issue that prevented a redundant ELM from syncing completely.
1187430, 1187677 | ACE | Other | Resolved an issue that caused alarms to trigger more frequently than the Maximum Condition Trigger Frequency (cooldown) setting.
1188302, 1188301, 1188448 | ESM | Other | Resolved an issue that caused false error messages when users tried to view event data.
1189266 | ESM | Other | Improved memory handling when the ESM populates the device tree and when retrieving a list of correlated events.
1188742, 1188752 | | | Resolved an issue where editing blacklist IP addresses would fail due to extra '\' characters present in the command's parameters.
9.6.1
Bugs
Reference Number | Device | Area | Issue Description
1162135 | McAfee SIEM | ESM: Views | When exporting table results from a custom case view, the dialog to download the results would not show up.
1181609 | McAfee SIEM | ELM | API service would stop running during logging to edsftp.
1162069 | McAfee SIEM | ACE | Improved memory handling routines for Java correlator processes.
1161564 | McAfee SIEM | ELM | When a DAS entry in the Das.conf file had a uuid of zero, there would be an entry visible in the System > Properties > Database > Data Storage > DAS page which resulted in the appearance of an extra DAS device.
Enhancements
Reference Number | Device | Area | Issue Description
None | All (except IPS) | Hardware | Added support for Gen 5 Hardware.
None | | | Added support for Check Point R80.
9.6.0 MR9
Security Fixes
Reference Number | Device | Area | Issue Description
1176754 | McAfee SIEM | ESM | Updated NTPD to version 4.2.8p9.
Bug Fixes
Reference Number | Device | Area | Issue Description
1179064 | McAfee SIEM | ESM | Modifications to the way CPConsoleServer.cfg handles the configuration parameter "allow_ssh".
1178285 | McAfee SIEM | DBM | DBM would fail to capture traffic from an MSSQL database when using dynamic ports.
1145759 | McAfee SIEM | DBM | Removed the option to use nitrofirewall capture from the DBM.
1162445 | McAfee SIEM | User Interface: Flash (traditional UI) | When selecting a client data source for filtering event forwarding results, the parent device would be shown on the device form instead of the client data source.
1167190, 1167576, 1167580, 1167757, 1168745, 1177122, 1177756, 1180901, 1168747, 1168745 | McAfee SIEM | ESM | Datasource inactivity flags would not properly clear.
1177859, 1122299, 1165318 | McAfee SIEM | ELM | Improved the performance for obtaining ELM storage pool data.
Enhancements
Reference Number | Device | Area | Issue Description
None | Receiver | Other | Added support for Check Point R80.
9.6.0 MR8
Security Fixes
Reference Number | Device | Area | Issue Description
1166416 | ESM | Security | Updated kernel to resolve "Dirty COW" CVE-2016-5195 (CVSS3 6.4/6.1).
1166418 | ESM | Security | Updated JRE/JDK package to version 1.8.0 u102.
1159740 | ESM | Security | Resolved OS command injection (CVSS3 7.2 / 7.0).
1095836 | Receiver | Security | Resolved an issue where a file name could execute commands on upload (CVSS3 8.8 / 8.6).
Bug Fixes
Reference Number | Device | Area | Issue Description
1165060 | ESM | Alarms | Alarms would show [object object] as the default values on the Destination User filter.
1167202 | ESM | Alarms | Resolved alarms that would generate QueryExec errors after upgrades.
1168000 | ESM | Database | Resolved an issue where open file handles would reach 0 even though files were open.
1167217 | ESM | SNMP | Resolved SNMP timeouts.
1162839 | ESM | System Properties | Emails would fail to send if TLS and authentication were both enabled.
1145767 | ESM | System Properties | Resolved an error that occurred when writing out the global blacklist.
1135671 | ESM | Reports | Addressed an issue where the average normalized event severity bar chart was not being displayed in reports.
1148185, 1155206 | REC | Collectors | Resolved an issue where the eStreamer collector restarted several times a day.
1123046, 1164203, 1124250 | ELM | Redundant | Partial rsync files would accumulate in /tmp and not be cleaned up.
1168001 | ELM | Database | ELM could incorrectly calculate disk space remaining and remove partitions to free up space.
1157788 | ACE | Correlation | Addressed an issue that prevented correlation rules from triggering when using a "contains" clause that had Japanese characters in the target string.
Enhancements
Reference Number | Device | Area | Issue Description
1151336 | REC | Collectors | Added eStreamer support for block type 42 for record type 400.
9.6.0 MR7
Bug Fixes
Reference Number | Device | Area | Issue Description
1134137, 1156882, 1134136 | ELM | Redundant | Resolved SFTP connectivity issues on a redundant ELM.
1157720, 1160755, 1157744 | ESM | IOC | Indicators of Compromise (IOC) back trace would incorrectly match events when using the URL.
1159852, 1150148, 1132610 | ESM | Backup & Restore | Addressed an issue where restoring the configuration would fail with an ERCELM device.
1130545, 1128538 | ESM | Event Forwarding | Resolved time-out values that would cause events to be dropped when sending via TCP.
1163248 | ESM | Backup & Restore | Resolved an issue where performing an ESM backup would result in slower alert inserts.
1161106 | ESM | Other | Added logic to ensure enough space in memory to store user input values for Active Directory logins and user-defined fields in query results.
1151127 | ESM | Other | Fixed locked ISO images so they work on an ERU device.
1164816 | ESM | Views | Fixed sorting problems with table components.
1149317 | ACE | Correlation | Correlation managers would not filter for flows.
1159743 | ESM | Alarms | Performance modifications for alarm queries.
1133866 | ESM | Properties | Increased the timeout for an Active Directory server with two IP addresses to allow enough time for the ESM to authenticate through the second IP address if the first one fails.
1152685 | ELM | Storage | Added a health monitor check to warn when data is about to be overwritten before the retention period has expired.
1153832 | ESM | Other | Enhanced DBSizeChange to keep index and bloom files on /ss1 instead of moving them or creating them on /db2.
1157708 | ACE | Historical Correlation | Health flags for correlation would not occur in Historical mode on an ACE.
1161284 | ESM | Other | NSM rules will not default to enabled.
1164436 | ESM | Backup & Restore | Differential backups now look at the syssettings table to determine when the last successful backup of the Alert (and Packet), Connection, and Log tables occurred.
9.6.0 MR6
Bug Fixes
Reference Number | Device | Area | Issue Description
1150709 | ESM | Views | Queries with an * in the Sig ID field would return incorrect results.
1155797, 1161496 | ESM | Upgrade | Upgrading the ESM would take longer than expected if Accumulator indexing was enabled.
1159852 | Receiver | HA | The call to WriteConf, which was a recursive call to itself, was corrected to get the configuration file name and allow the function to write corosync.conf as intended.
1158896 | ESM | Policy | Fixed reversal of time formats when editing ASP rules.
1147896 | Receiver | Data Source | Updated the Amazon CloudTrail collector to use the configured proxy server for all traffic.
1131211 | ESM | Correlation | When viewing some correlation events in the GUI, the Correlation Details tab would show 'No Details Found' when a special character was used in the name or description of the correlation rule that generated the event.
1141615, 1151613 | ESM | Reports | Device filters would not be retained for certain queries.
1148814, 1150322 | ESM | UI | The email recipients list for the "Send Message" action of alarms would be displayed incorrectly.
1145094 | ESM | Alarms | A field match alarm which used a "contains" match that ended in a backslash (\) would result in: "Error: Could not move file to device (ER126)".
1155390 | ESM | Views | Resolved an issue where cases assigned to a user that were part of a NOT IN filter remained in the "other" category.
1156995 | Receiver | Collector | The mount collector would pull files smaller than 256 bytes repeatedly even if they hadn't changed.
1151610 | ESM | Reports | Removed the default time filter from the "McAfee Collection Rate - Events Per Second" and "McAfee Collection Rate - Events Per Second" reports.
1153672 | ESM | Policy | Historical correlation filter protocol field would allow too many characters.
1150916 | ESM | Alarms | Fixed erroneous triggering of alarms after the alarm trigger type is changed.
1156879 | ESM | Filters | Queries for views or reports with a regex in the filters might not return.
1158180 | ESM | External API | REST API would always return a locked status of false for all users when retrieving the user list.
1145221, 1147161, 1145199 | ESM | External API | Modified caseAddCase and caseEditCase to allow event IDs to be added / edited.
1153671 | ESM | Policy | Fixed failure to edit correlation rules in non-English languages.
1144331 | ESM | Users & Groups | Resolved an issue saving devices to a group.
1149350 | ESM | Views | Resolved an issue where queries with "or" conditions in the filter would not return results.
1144333, 1151592 | Receiver | Collectors | Syslogcollector now waits the proper time before failing when trying to bind to the syslog socket.
1156640 | Receiver | Other | Resolved an issue with routing of syslog events to data sources when two data sources have the same host name but different ports.
1152342 | ESM | Alarms | Fixed encoding of correlation rule filter values.
1150479 | ESM | Users & Groups | The Users and Groups dialog would not load if the initial password prompt was cancelled.
1144573 | ESM | Views | Some view results were not being returned when querying a parent and group of child data sources.
1134164 | ESM | Other | NSM Sensors auto refresh would fail with "ErrMsg=Ok, Result: The session is invalid".
1154571, 1156859, 1157028 | ESM | Views | Column names were displayed incorrectly on CSV files that were exported from a view.
1119239, 1129882, 1155086 | ESM | Other | Resolved an issue where a content pack showed as available to install but no associated file was found on the ESM.
1157322, 1157938 | ESM | Other | Improvements to memory handling functions.
1151639, 1153939 | Database | Other | Resolved an issue where some partitions would be marked bad after a clean shutdown.
1144304, 1146001, 1152277, 1154840, 1156141, 1149815 | ELM | Other | Fixed erroneous "path in use" message when adding a second SAN device to an ELM.
1152567 | Receiver | Collector | The mount collector would fail when the source directory contained many tens of thousands of files.
1162898 | Receiver | Collector | Resolved an issue where the SIEM collector connection would drop and events wouldn't be sent to the receiver.
Enhancements
Reference Number | Device | Area | Issue Description
1154800 | Database | Other | Decreased ESM shutdown time for systems that have a large number of alert partitions.
1159668 | ESM | Other | Updated to OpenSSL 1.0.2j.
9.6.0 MR5
Reference Number | Device | Area | Issue Description
1153182 | ESM | Distributed | When adding devices to a distributed ESM, they would not be automatically refreshed on the parent system tree.
1083558 | ESM | Alarms | Occasionally alarms would show in the triggered alarm view but not in the alarm pane.
1099227, 1149635 | ESM | Other | Source passwords for watchlists were not encrypted in the database.
1121047, 1132605 | ESM | Other | Geo-location information for some IP addresses was incorrect.
1124573, 1141208, 1146734 | Receiver | Collector | Curl collector would not pull events as frequently as it was configured to.
1124737 | ESM | Views | The event summary selection would not be maintained in the drill-down view when switching data sources.
1129072 | ESM | Distributed | Pulling packets from the child ESM could result in Malformed data (ER1010).
1133676, 1115503 | ESM | Distributed | When exporting data sources in a distributed ESM model, they would sometimes be duplicated.
1134437, 1139544 | ESM | Alarms | Certain alarm actions would show up twice in alert details.
1135202 | ESM | Reports | Performance enhancements for CSV reports.
1135203 | ESM | Distributed | Device type filters for Distributed ESM were not correctly saved after upgrade.
1136220, 1126080, 1137745, 1142554, 1147442 | ELM | Archive | In some cases ELM archive would fail to retrieve logs for aggregated events.
1139436 | Database | Other | Enhanced clean-up of temporary files on das1 and ad1.
1139440 | ESM | Reports | Non-admin users would not be able to see reports created by others even when sufficient access had been granted.
1140627 | ESM | Events | Unnecessary internal events would be triggered on login for file deletions.
1141625 | ESM | Data Source | SCP test connect could fail when thousands of files exist in the remote directory.
1142777 | ESM | Other | Event aggregation exceptions would be deleted after a change to custom types.
1143510 | ESM | | Improved memory handling for alarms and reports.
1144598, 1150298 | ESM | Distributed | Pulling events would time out if the ESM was more than one day behind on retrievals.
1145128 | ESM | Other | Modified string handling techniques for some APIs.
1145382, 1145768 | ESM | Other | SNMP v2 trap Object Identifier was incorrectly formatted.
1145415, 1146564 | Receiver | High Availability | Improved error reporting on the process to verify the hi_bit in ha_conf.
1146200, 1143324 | ESM | Alarms | Triggered alarm views would not show acknowledged alarms when logged in as a non-NGCP user.
1146734 | Receiver | Collector | Improvements to curl collector.
1147690 | ESM | Other | Increased the maximum number of detached partitions the GUI allows to be attached manually to 100.
1147939 | ESM | Backup & Restore | "Last backup success" dates were incorrectly using the last differential backup date.
1147941 | ESM | Backup & Restore | Improved space requirement checking for differential backups.
1149605 | ESM | Policy | Performance enhancements for loading the policy editor.
1150508 | ESM | Views | Distribution Chart would be blank when filtering or stacking by device type ID.
1150509 | ESM | Views | Table components would return no results with "or" filters and certain fields in "Select" statements.
1151844 | ESM | External API | Selecting 159 fields through the External API would result in an error.
1152075 | Database | Other | Improved database rebuild process.
1152306 | ESM | Policy | When filtering by "Tag", all rules would be returned.
1152666 | ESM | Redundant | A redundant ESM is now able to pull packets and ELM logs.
1152670 | ESM | Other | When viewing triggered alarms, not all alarms would show.
1153168 | Database | Other | Improved the process of moving data partitions on the ESM.
1155287, 1155527, 1156135, 1152883 | ESM | Rules | Rule updates could fail while checking for new MTIS threats.
9.6.0 MR4
Reference Number | Device | Area | Issue Description
1128533 | ESM | VA Source | Testing the connection on a Critical Watch FusionVM Vulnerability Assessment Source with a Server URL could result in "VAER1 HTTP Error: Not Found".
1134390 | ESM | Other | Processing cyber threat feeds could have resulted in an access violation message being logged to /var/log/messages.
1134465, 1148187 | ESM | Other | Improved process for handling files in the /var/log/ace/enrichment folder to prevent the directory from becoming too large.
    Note: The MR4 upgrade process will delete extraneous files in the /var/log/ace/enrichment folder. If the folder contains a large number of files (more than a few million), the delete process may take an extended period of time (up to 2 hours). While the delete process is underway, messages similar to the following are logged to /var/log/messages:
    McAfee NGCPRebuild[1130]: Cleaning ACE Enrichment Directory (logged at the beginning of the process)
    McAfee NGCPRebuild[1130]: Cleaning up stale watchlist files. This process could take an extended period of time. (logged during the process at an interval of approximately 60 seconds)
    McAfee NGCPRebuild[1130]: Cleaning ACE Enrichment Directory completed. (logged at the end of the process)
1141609 | ESM | ELM Search | ELM Search downloads would not work for non-admin users.
1142567 | ESM | Distributed | Event pulls would time out when the ESM was days behind on retrievals.
1144316 | ESM | Events | When drilling down on IOC events, event data would not populate in the details tab.
1144591 | Database | Other | Partial backup would sometimes fail on a table containing closed partitions.
1145155 | Receiver | Collectors | Mount collector would not run when a configured data source was disabled.
1145736 | Database | Other | Narrowed the search window to ensure non-relevant data isn't needlessly searched in order to pull data from child to master ESM.
1145946 | ESM | Data Source | Writing out data sources failed for receivers with multiple data sources if one of the data sources was an ACE.
1146948, 1147183, 1148843 | ESM | IOC | A false positive could be triggered when a cyberthreat feed was set up with multiple IOCs in one file.
1147443 | Database | Other | Improved error handling for a theoretical data sorting failure.
1149095 | Database | Other | Increased query performance when handling large numbers of IPSIDs.
1150257, 1150303 | ESM | Other | Fixed a memory leak associated with Risk Score.
1151583 | ESM | Other | Occasionally while starting services, CPServiced would start more than one instance.
9.6.0 MR3
Reference Number | Device | Area | Issue Description
1148378, 1148628 | ADM | Other | ADM kernel panic.
9.6.0 MR2 – Internal Release only
Reference Number | Device | Area | Issue Description
1123068 | Receiver | Other | Added functionality to clean out files older than a day from /var/log/data/va/.
1126931 | ESM | Data Sources | Updated the test connect functionality for SCP data sources to use the select system call to ensure the socket is ready for reading and writing before performing I/O operations.
1131039 | ESM | Security | Modified the location to check for permissions for views to allow group permissions set in earlier releases to persist.
1135480 | ESM | Logging | Resolved an issue where the "updated column" for flow retrieval logs would show a negative number.
1135975 | ESM | ELM | Increased the timeout for ElmDBStop to allow the ELM to start up automatically when there are large storage pools.
1137345 | ESM | Backup/Restore | After a redundant ESM (RESM) failover, more than one day of data was backed up and could run out of disk space.
1141908 | ESM | Data Source | Modified the check for duplicate data sources when a data source is created to not include the new data source in the list of existing data sources.
1142715 | ESM | Database | Modifications made to improve the handling of long strings.
1142955, 1145170 | ESM | Alarms | Made modifications so that the queries of alarms with the condition of "Deviation from Baseline" and condition query of "Total Events" run in the background.
1143015 | ESM | Database | A failed move of a single partition could prevent all subsequent partition moves, which caused the disk to run out of space.
1143247 | Receiver | Parsers | The OpenVAS XML parser would try to read an item from the XML that did not exist.
1144259 | ESM | Database | Root directory ran out of space due to an error message being repeatedly written to NitroError.Log.
1146677 | ESM | Database | Released a database lock that was being held too long.
1146723 | ESM | Database | Deletion of an incorrect partition on a Receiver was possible in a rare circumstance.
9.6.0 MR1 – Limited Release
Reference Number | Device | Area | Issue Description
1137625 | ESM | Views | View with Domain and SigID filter would load slowly.
1135719 | ESM | Database | Log table reported a negative record count after an index rebuild.
1138925 | ESM | Database | dbserverd threads locked from BFile^.UserCount being stuck.
1140155 | ESM | Other | ref lock not being released in some exception cases.
1141098 | ESM | Database | Move points being set "at 0" would cause partitions to be deleted or moved to archive early.
1119516 | ESM | Correlation | Improved error handling to detect corrupt records and continue processing the next record.
1122397 | ESM | Backups | Enhancements to the ESM's backup procedures to include /root/.ssh/known_hosts.
1119042 | ESM | Views | Export View queries would generate multiple times.
1123564 | ESM | Database | Alert table closing down while dbserver is running.
1130691 | ESM | Rules | Modification of a rule does not always show the correct regular expressions.
1129167 | ESM | Data Source | ER15 upon editing a Generic Data Source if the user does not have administrator rights.
1130040 | ESM | Events | Event Forwarding would not work when using non-default date format user settings.
1136891 | ESM | Data Source | Passwords for data source profiles were not being encrypted.
1127706 | ESM | Parsers | ASP-Test segfault when opening a rule.
1133088 | ESM | Collectors | Syslog-ng client DS would not route correctly if its hostname contained an underscore character ("_").
1131849 | ESM | Filters | ER15 when opening the filter list with limited privileges.
1133119 | ESM | Backups | Incremental backup would not start from the last good backup.
1129511 | ESM | Other | Assets without IP addresses were being pulled from ePO but should not be.
1135427 | ESM | Rules | ASP Rule Editor: number of PCREs goes beyond the limit, but the ASP Rule Editor GUI says the opposite.
1135713 | ESM | Other | Getting an I/O lock on the SSD file system when reaching a certain I/O load on the ESM X6/X4.
1136836 | ESM | Redundant | Event details for a query that runs on a redundant ESM were not correct.
1138122 | ESM | Filters | Report Device filters would always show "Physical Display".
1138933, 1139168, 1133094 | ESM | Other | Improved memory handling. "StringsS" entry logged in /var/log/messages.
1140849 | ESM | Other | GUI hung due to a thread lock not being released.
1108436 | Receiver | Collectors | Syslog relay would not honor Hostname plus Port.
1133658, 1135210, 1101562, 1133661, 1133663, 1133665, 1134370, 1134910 | Receiver | VA | Rapid7 Nexpose as VA Source fails: "Server message: Authorization required for API access".
1122750 | Receiver | Collectors | eStreamer could fail on an HA receiver pair when eth0 and eth1 are on the same subnet.
1131861 | Receiver | Collectors | Amazon CloudTrail event logs are larger than the collector and msgwrite can handle.
1138266 | Receiver | Collectors | eStreamer "title verification failed; expected: estreamer".
1138885 | Receiver | Parsers | The Advanced Syslog Parser (ASP) would stop parsing data after a SIEM upgrade if, prior to upgrade, there were only custom ASP rules and the rules were ordered.
1123294 | Receiver | Data Sources | Receiver could not write out data sources when client data sources have the same IP but different ports.
1143303 | ACE | | Report Device filters always show "Physical Display".
1137523 | ADM | Other | ADM kernel panic.
1116394 | ELM | Other | Duplicate archive IDs for ELM logs would cause incorrect raw logs to appear in the UI with some events.
1123010 | ELM | Bloom | ELM indexing queue would get filled up with duplicate files.
1123077 | ELM | Database | Increasing the size of the management database fails with an error that there is not enough disk space even though there is enough disk space.
1133051 | ELM | Bloom | Could not modify ELM Storage Pool. "List index (0) out of bounds" error in the ELM's /var/log/messages.
1137612 | ELM | Bloom | elmdbrebuild would fail after upgrade from 9.4.2 to 9.6.0.
1136298, 1136296, 1136295, 1135926 | Device | Inserts | Resolved the issue where pulling events may result in a success message when zero events were pulled.
1137088, 1136604, 1135458 | ESM | Data Source | Auto-learned data source would not be removed from the auto-learn file when being removed from the list.
Installation instructions
For new installation instructions, refer to the following document:
• McAfee Enterprise Security Manager 9.6.0 Installation Guide
For upgrade installation instructions, refer to the following document:
• McAfee Enterprise Security Manager 9.6.1 Release Notes
Troubleshooting installation issues
Common issues encountered during/after installation
When using the Chrome browser, the upgrade tarball may not upload properly to the ESM because Chrome decompresses the .tgz file during upload. If you experience this issue, we recommend using Internet Explorer or Firefox to perform the upgrade.
Recovering from a failed installation
Contact McAfee Support.
Finding product documentation
On the ServicePortal, you can find information about a released product, including product documentation, technical articles, and more.
Task
1. Go to the ServicePortal at https://support.mcafee.com and click the Knowledge Center tab.
2. In the Knowledge Base pane under Content Source, click Product Documentation.
3. Select a product and version, then click Search to display a list of documents.