Files included
ESS_Update_9.6.0MR7.signed.tgz
ESSREC_Update_9.6.0MR7.signed.tgz
RECEIVER_Update_9.6.0MR7.signed.tgz
APM_Update_9.6.0MR7.signed.tgz
DBM_Update_9.6.0MR7.signed.tgz
IPS_Update_9.6.0MR7.signed.tgz
This section provides a description of the fixes and enhancements included in this Maintenance
Release.
NOTE: This MR is cumulative (i.e. MR 7 contains all the fixes and enhancements that were previously
in MR 1, 2, 3, 4, 5 and 6) and may be installed over the top of MR 1, 2, 3, 4, 5 and 6.
MR7
Bug Fixes
| Reference Number | Device | Area | Issue Description |
|---|---|---|---|
| 1134137, 1156882, 1134136 | ELM | Redundant | Resolved SFTP connectivity issues on redundant ELM |
| 1151127 | ESM | Other | Fixed locked ISO images so they work on an ERU device. |
| 1149317 | ACE | Correlation | Correlation managers would not filter for flows. |
| 1133866 | ESM | Properties | Increased the timeout for an Active Directory server with two IP addresses to allow enough time for the ESM to authenticate through the second IP address if the first one fails. |
| 1152685 | ELM | Storage | Added a health monitor check to warn when data is about to be overwritten before the retention period has expired. |
Enhancements
None
MR6
Bug Fixes
| Reference Number | Device | Area | Issue Description |
|---|---|---|---|
| 1150709 | ESM | Views | Queries with an * in the Sig ID field would return incorrect results. |
| 1155797, 1161496 | ESM | Upgrade | Upgrading the ESM would take longer than expected if Accumulator indexing is enabled. |
| 1158896 | ESM | Policy | Fixed reversal of time formats when editing ASP rules |
| 1131211 | ESM | Correlation | When viewing some correlation events in the GUI the Correlation Details tab would show 'No Details Found' when a special character was used in the name or description of the correlation rule that generated the event. |
| 1141615, 1151613 | ESM | Reports | Device filters would not be retained for certain queries. |
| 1148814, 1150322 | ESM | UI | The Email recipients list for the Send Message action of Alarms would be displayed incorrectly. |
| 1145094 | ESM | Alarms | A field match alarm which used a contains match that ended in a backslash (\), would result in: "Error: Could not move file to device (ER126)". |
| 1155390 | ESM | Views | Resolved an issue where cases assigned to a user that were part of a NOT IN filter remained in the other category. |
| 1156995 | Receiver | Collector | The mount collector would pull files smaller than 256 bytes repeatedly even if they hadn't changed. |
| 1151610 | ESM | Reports | Removed default time filter from "McAfee Collection Rate - Events Per Second" and "McAfee Collection Rate - Events Per Second" reports |
| 1153672 | ESM | Policy | Historical correlation filter protocol field would allow too many characters. |
| 1156879 | ESM | Filters | Queries for views or reports with a regex in the filters may not return. |
| 1158180 | ESM | External API | REST API would always return a locked status of false for all users when retrieving user list. |
| 1150479 | ESM | Users & Groups | The Users and Groups dialog would not load if the initial password prompt was cancelled. |
| 1134164 | ESM | Other | NSM Sensors auto refresh would fail with ErrMsg=Ok, Result: The session is invalid. |
| 1119239, 1129882, 1155086 | ESM | Other | Resolved an issue where a content pack shows available to install but no associated file was found on the ESM. |
| 1152567 | Receiver | Collector | The mount collector would fail when the source directory contained many tens of thousands of files. |
Enhancements
| Reference Number | Device | Area | Issue Description |
|---|---|---|---|
| 1154800 | Database | Other | Decreased ESM shutdown time for systems that have a large number of alert partitions. |
MR5
| Reference Number | Device | Area | Issue Description |
|---|---|---|---|
| 1153182 | ESM | Distributed | When adding devices to a distributed ESM they would not be automatically refreshed on the parent system tree. |
| 1083558 | ESM | Alarms | Occasionally alarms would show in the triggered alarm view but not in the alarm pane. |
| 1099227, 1149635 | ESM | Other | Source passwords for Watch lists were not encrypted in the database. |
| 1124573, 1141208, 1146734 | Receiver | Collector | Curl Collector would not pull events as frequently as it was configured to. |
| 1129072 | ESM | Distributed | Pulling packets from the child ESM could result in Malformed data (ER1010). |
| 1134437, 1139544 | ESM | Alarms | Certain alarm actions would show up twice in alert details. |
| 1135203 | ESM | Distributed | Device type filters for Distributed ESM were not correctly saved after upgrade. |
| 1136220, 1126080, 1137745, 1142554, 1147442 | ELM | Archive | In some cases ELM archive would fail to retrieve logs for aggregated events. |
| 1139440 | ESM | Reports | Non-Admin users would not be able to see reports created by others even when sufficient access had been granted. |
| 1141625 | ESM | Data Source | SCP test connect could fail when thousands of files exist in the remote directory. |
| 1143510 | ESM | | Improved memory handling for alarms and reports |
| 1144598, 1150298 | ESM | Distributed | Pulling events would time out if the ESM was more than one day behind on retrievals. |
| 1145128 | ESM | Other | Modified string handling techniques for some APIs. |
| 1145415, 1146564 | Receiver | High Availability | Improved error reporting on the process to verify the hi_bit in ha_conf |
| 1146200, 1143324 | ESM | Alarms | Triggered alarm views would not show acknowledged alarms when logged in as Non NGCP user. |
| 1147939 | ESM | Backup & Restore | Last backup success dates were incorrectly using the last differential backup date. |
| 1151844 | ESM | External API | Selecting 159 fields through the External API would result in an error |
| 1152306 | ESM | Policy | When filtering by Tag all rules would be returned. |
| 1152666 | ESM | Redundant | A redundant ESM is now able to pull packets and ELM logs. |
| 1152670 | ESM | Other | When viewing triggered alarms not all alarms would show. |
| 1153168 | Database | Other | Improved the process of moving data partitions on the ESM. |
| 1155287, 1155527, 1156135, 1152883 | ESM | Rules | Rule updates could fail while checking for new MTIS threats. |
MR4
| Reference Number | Device | Area | Issue Description |
|---|---|---|---|
| 1134390 | ESM | Other | Processing cyber threat feeds could have resulted in an access violation message being logged to /var/log/messages. |
| 1141609 | ESM | ELM Search | ELM Search downloads would not work for non-admin users. |
| 1142567 | ESM | Distributed | Event pulls would time out when the ESM was days behind on retrievals. |
| 1144316 | ESM | Events | When drilling down on IOC events event data would not populate in the details tab. |
| 1145155 | Receiver | Collectors | Mount collector would not run when a configured data source was disabled. |
| 1145946 | ESM | Data Source | Writing out Data sources failed for receivers with multiple data sources if one of the data sources was an ACE. |
| 1147443 | Database | Other | Improved error handling for a theoretical data sorting failure. |
| 1150257, 1150303 | ESM | Other | Fixed memory leak associated with Risk Score. |
MR3
Reference Device Area Issue Description
Number
MR2 Internal Release only
| Reference Number | Device | Area | Issue Description |
|---|---|---|---|
| 1123068 | Receiver | Other | Added functionality to clean out files older than a day from /var/log/data/va/. |
| 1126931 | ESM | Data Sources | Updated the test connect functionality for SCP data sources to use the select system call to ensure the socket is ready for reading and writing before performing I/O operations. |
| 1131039 | ESM | Security | Modified the location to check for permissions for views to allow groups permission set in earlier releases to persist |
| 1135480 | ESM | Logging | Resolved an issue where the updated column for flow retrieval logs would show a negative number. |
| 1135975 | ESM | ELM | Increased the timeout for ElmDBStop to allow the ELM to start up automatically when there are large storage pools. |
| 1137345 | ESM | Backup/Restore | After a redundant ESM (RESM) failover more than one day of data was backed-up and could run out of disk space. |
| 1141908 | ESM | Data Source | Modified the check for duplicate data sources when a data source is created to not include the new data source in the list of existing data sources. |
| 1143015 | ESM | Database | A failed move of a single partition could prevent all subsequent partition moves which caused the disk to run out of space. |
| 1143247 | Receiver | Parsers | The OpenVAS xml parser would try to read an item from the xml that did not exist. |
| 1144259 | ESM | Database | Root directory ran out of space due to an error message being repeatedly written to NitroError.Log. |
| 1137625 | ESM | Views | View with Domain and SigID filter would load slowly |
| 1135719 | ESM | Database | Database - Log table reported negative record count after an index rebuild |
| 1140155 | ESM | Other | ref lock not being released in some exception cases |
| 1141098 | ESM | Database | Move Points being set "at 0" would cause partitions to be deleted or move to archive early |
| 1119516 | ESM | Correlation | Improved error handling to detect corrupt records and continue processing the next record |
| 1119042 | ESM | Views | Export View queries would generate multiple times |
| 1123564 | ESM | Database | Alert table closing down while dbserver is running |
| 1130691 | ESM | Rules | Modification of a rule does not always show the correct regular expressions |
| 1129167 | ESM | Data Source | ER15 upon editing Generic Data Source if the user does not have administrator rights |
| 1130040 | ESM | Events | Event Forwarding would not work when using non-default date format user settings |
| 1136891 | ESM | Data Source | Passwords for data source profiles were not being encrypted |
| 1133088 | ESM | Collectors | Syslog-ng Client DS would not route correctly if its hostname contains an underscore character ("_") |
| 1131849 | ESM | Filters | ER 15 when opening filter list with limited privileges |
| 1133119 | ESM | Backups | Incremental backup would not start from last good backup |
| 1129511 | ESM | Other | Assets without IP Addresses are being pulled from ePO but should not be |
| 1135427 | ESM | Rules | ASP Rule Editor: Number of PCRE's goes beyond limit - But ASP Rule Editor GUI says the opposite |
| 1135713 | ESM | Other | Getting I/O lock on the SSD file system when reaching a certain I/O load on the ESM X6/X4 |
| 1136836 | ESM | Redundant | Event details for a query that runs on a redundant were not correct. |
| 1138122 | ESM | Filters | Report Device filters would always show "Physical Display" |
| 1140849 | ESM | Other | GUI hung due to a thread lock not being released |
| 1108436 | Receiver | Collectors | Syslog relay would not honor Hostname plus Port |
| 1131861 | Receiver | Collectors | Amazon Cloudtrail event logs are larger than collector and msgwrite can handle |
| 1138885 | Receiver | Parsers | The Advanced Syslog Parser (ASP) would stop parsing data after a SIEM upgrade if, prior to upgrade, there were only Custom ASP Rules and the Rules were ordered |
| 1123294 | Receiver | Data Sources | Receiver could not write out data sources when client data sources have the same IP but different ports |
| 1116394 | ELM | Other | Duplicate archive ids for ELM logs would cause incorrect raw logs to appear in the UI with some events. |
| 1123010 | ELM | Bloom | ELM indexing queue would get filled up with duplicate files |
| 1133051 | ELM | Bloom | Could not modify ELM Storage Pool. "List index (0) out of bounds" error in the ELM's /var/log/messages |
| 1137612 | ELM | Bloom | elmdbrebuild would fail after upgrade from 9.4.2 to 9.6.0 |
| 1136298, 1136296, 1136295, 1135926 | Device | Inserts | Resolved the issue where pulling events may result in a success message when zero events were pulled. |
| 1137088, 1136604, 1135458 | ESM | Data Source | Auto-learned data source would not be removed from the auto-learn file when being removed from the list. |
Installation instructions
For new installation instructions please refer to the following document.
Task
2. In the Knowledge Base pane under Content Source, click Product Documentation.
3. Select a product and version, then click Search to display a list of documents.