Release Notes

McAfee Enterprise Security Manager (ESM) 9.6.0

Maintenance Release (MR) 7

About this document

Thank you for choosing this McAfee product. This document contains important information about the
current release. We strongly recommend that you read the entire document.

About this release

Release date

ESS_Update_9.6.0MR7.signed.tgz
ESSREC_Update_9.6.0MR7.signed.tgz
RECEIVER_Update_9.6.0MR7.signed.tgz
Files included
APM_Update_9.6.0MR7.signed.tgz
DBM_Update_9.6.0MR7.signed.tgz
IPS_Update_9.6.0MR7.signed.tgz

You can upgrade to 9.6.0 MR7 directly from 9.4.2 or later.

Upgrade Paths You must upgrade versions before 9.4.2 following this path: 8.2.x >
8.3.x >8.4.2 > 8.5.6 > 9.0.2 > 9.2.1 > 9.4.2 or later > 9.6.0

Bug Fixes and Enhancements

This section provides a description of the fixes and enhancements included in this Maintenance
Release.

NOTE: This MR is cumulative (i.e. MR 7 contains all the fixes and enhancements that were previously
in MR 1, 2, 3, 4, 5 and 6) and may be installed over the top of MR 1, 2, 3, 4, 5 and 6.

MR7

Bug Fixes
Reference Device Area Issue Description
Number

1
1134137, ELM Redundant Resolved SFTP connectivity issues on redundant ELM
1156882,
1134136

1157720, ESM IOC Indicators of Compromise (IOC) back trace would

1160755, incorrectly match events when using the URL
1157744

1159852, ESM Backup &

Addressed an issue where restoring the
1150148, Restore configuration would fail with a ERCELM device
1132610

ESM Resolved time out values that would cause events to

1130545, Event
1128538 Forwarding be dropped when sending via TCP

1163248 ESM Resolved issue where performing an ESM backup

Backup &
Restore would result in slower alert inserts.

1161106 ESM Other Added logic to ensure enough space in memory to

store user input values for active directory logins and
user-defined fields in query results.

1151127 ESM Other Fixed locked ISO images so they work on an ERU
device.

1164816 ESM Views Fixed sorting problems with table components.

1149317 ACE Correlation Correlation managers would not filter for flows.

1159743 ESM Alarms Performance modifications for Alarm queries.

1133866 ESM Properties Increased the timeout for an active directory server
with two IP addresses to allow enough time for the
ESM to authenticate through the Second IP address if
the first one fails.

1152685 ELM Storage Added a health monitor check to warn when data is
about to be over written before the retention period
has expired.

1153832 ESM Other Enhanced DBSizeChange to keep index and bloom

files on /ss1 instead of moving them or creating them
on /db2.

1157708 ACE Health Flags for correlation would not occur in

Historical
Correlation Historical mode on an ACE.

1161284 ESM Other NSM rules will not default to enabled.

1164436 ESM Differential backups now look at the syssettings table

Backup &
Restore to figure out when the last successful backup of the
Alert (and Packet), Connection, and Log tables.

2
Enhancements
None

MR6

Bug Fixes
Reference Device Area Issue Description
Number

1150709 ESM Views Queries with an * in the Sig ID field would return
incorrect results.

1155797, ESM Upgrade Upgrading the ESM would take longer than expected if
1161496 Accumulator indexing is enabled.

1159852 Receiver HA The call to WriteConf, which was a recursive call to

itself, was corrected to get the configuration file name
and allow the function to write corosync.conf as
intended.

1158896 ESM Policy Fixed reversal of time formats when editing ASP rules

1147896 Receiver Data Source Updated Amazon CloudTrail collector to use

configured proxy server for all traffic.

1131211 ESM Correlation When viewing some correlation events in the GUI the
Correlation Details tab would show 'No Details Found'
when a special character was used in the name or
description of the correlation rule that generated the
event.

1141615, ESM Reports Device filters would not be retained for certain
1151613 queries.

1148814, ESM UI The Email recipients list for the Send Message action
1150322 of Alarms would be displayed incorrectly.

1145094 ESM Alarms A field match alarm which used a contains match
that ended in a backslash (\), would result in: "Error:
Could not move file to device (ER126)".

1155390 ESM Views Resolved an issue where cases assigned to a user that
were part of a NOT IN filter remained in the other
category.

1156995 Receiver Collector The mount collector would pull files smaller than 256
bytes repeatedly even if they hadnt changed.

3
1151610 ESM Reports Removed default time filter from "McAfee Collection
Rate - Events Per Second" and "McAfee Collection
Rate - Events Per Second" reports

1153672 ESM Policy Historical correlation filter protocol field would allow
too many characters.

1150916 ESM Alarms Fixed erroneous triggering of alarms after alarm

trigger type is changed.

1156879 ESM Filters Queries for views or reports with a regex in the filters
may not return.

1158180 ESM External API REST API would always return a locked status of false
for all users when retrieving user list.

ESM External API Modified the caseAddCase and caseEditCase to allow

1145221,
1147161, event ids to be added / edited.
1145199

1153671 ESM Policy Fixed failure to edit correlation rules in non-english

languages.

1144331 ESM Users & Resolved an issue saving devices to a group.

Groups

1149350 ESM Views Resolved an issue where queries with or conditions

in the filter would not return results.

Receiver Collectors Syslogcollector now waits the proper time before

1144333,
1151592 failing when trying to bind to the syslog socket.

1156640 Receiver Other Resolved an issue with routing of syslog events to

data sources when two data sources have the same
host name but different port.

1152342 ESM Alarms Fixed encoding of correlation rule filter values

1150479 ESM Users & The Users and Groups dialog would not load if the
Groups initial password prompt was cancelled.

1144573 ESM Views

Some view results were not being returned when
querying a parent and group of child data sources.

1134164 ESM Other NSM Sensors auto refresh would fail with ErrMsg=Ok,
Result: The session is invalid.

ESM Views Column names were displayed incorrectly on CSV files

1154571,
1156859, that were exported from a view.
1157028

4
 1119239, ESM Other Resolved an issue where a content pack shows
1129882, available to install but no associated file was found on
1155086 the ESM.

1157322, ESM Other Improvements to memory handling functions.

1157938

1151639, Database Other Resolved an issue where some Partitions would be

1153939 marked bad after a clean shutdown.

ELM Other Fixed erroneous path in use message when adding

1144304,
1146001, second SAN device to an ELM.
1152277,
1154840,
1156141,
1149815

1152567 Receiver Collector The mount collector would fail when the source
directory contained many tens of thousands of files.

1162898 Receiver Collector Resolved an issue where SIEM collector connection

would drop and events wouldnt be sent to the
receiver

Enhancements
1154800 Database Other Decreased ESM shutdown time for systems that have
a large number of alert partitions.

1159668 ESM Other Updated to OpenSSL 1.0.2j

MR5
Reference Device Area Issue Description
Number

1153182 ESM Distributed When adding devices to a distributed ESM they would
not be automatically refreshed on the parent system
tree.

1083558 ESM Alarms Occasionally alarms would show in the triggered alarm
view but not in the alarm pane.

5
1099227, ESM Other Source passwords for Watch lists were not encrypted
1149635 in the database.

1121047, ESM Other Geo-Location information for some IP addresses were

1132605 incorrect.

1124573, Receiver Collector Curl Collector would not pull events as frequent as it
1141208, was configured to.
1146734

1124737 ESM Views The event summary selection would not be

maintained in the drill-down view when switching data
sources.

1129072 ESM Distributed Pulling packets from the child ESM could result in
Malformed data (ER1010).

1133676, ESM Distributed When exporting data sources in a distributed ESM

1115503 model they would sometimes be duplicated.

1134437, ESM Alarms Certain alarm actions would show up twice in alert
1139544 details.

1135202 ESM Reports Performance enhancements for CSV Reports.

1135203 ESM Distributed Device type filters for Distributed ESM were not
correctly saved after upgrade.

1136220, ELM Archive In some cases ELM archive would fail to retrieve logs
1126080, for aggregated events.
1137745,
1142554,
1147442

1139436 Database Other Enhanced clean-up of temporary files on das1 and

ad1.

1139440 ESM Reports Non-Admin users would not be able to see reports
created by others even when sufficient access had
been granted.

1140627 ESM Events Unnecessary internal events would be triggered on

login for file deletions.

1141625 ESM Data Source SCP test connect could fail when thousands of files
exist in the remote directory.

1142777 ESM Other Event aggregation exceptions would be deleted after a

change to custom types.

6
1143510 ESM Improved memory handling for alarms and reports

1144598, ESM Distributed Pulling event would time out if the ESM was more
1150298 than one day behind on retrievals.

1145128 ESM Other Modified string handling techniques for some APIs.

1145382, ESM Other SNMP V2 Trap Object Identifier was incorrectly

1145768 formatted.

1145415, Receiver High Improved error reporting on the process to verify the
1146564 Availability hi_bit in ha_conf

1146200, ESM Alarms Triggered alarm views would not show acknowledged
1143324 alarms when logged in as Non NGCP user.

1146734 Receiver Collector Improvements to curl collector.

1147690 ESM Other Increased the maximum number of detached

partitions the GUI allows to be attached manually to
100

1147939 ESM Backup & last backup success dates were incorrectly using
Restore the last differential backup date.

1147941 ESM Improved space requirement checking for differential

Backup &
Restore backups

1149605 ESM Policy Performance enhancements for loading policy editor.

1150508 ESM Views Distribution Chart would be blank when filtering or

stacking by device type ID.

1150509 ESM Views Table components would return no results with or

filters and certain fields in Select statements.

1151844 ESM External API Selecting 159 fields through the External API would
result in an error

1152075 Database Other Improved database rebuild process.

1152306 ESM Policy When filtering by Tag all rules would be returned.

1152666 ESM Redundant A redundant ESM is now able to pull packets and ELM
logs.

1152670 ESM Other When viewing triggered alarms not all alarms would
show.

7
 1153168 Database Other Improved the process of moving data partitions on the
ESM.

1155287, ESM Rules Rule updates could fail while checking for new MTIS
1155527, threats.
1156135,
1152883

MR4
Reference Device Area Issue Description
Number

1128533 ESM VA Source Testing the connection on a Critical Watch FusionVM

Vulnerability Assessment Source with a Server URL
could result in VAER1 HTTP Error: Not Found

1134390 ESM Other Processing cyber threat feeds could have resulted in
an access violation message being logged to
/var/log/messages.

1134465. ESM Other Improved process for handling files in the

1148187 /var/log/ace/enrichment folder to prevent the
directory from becoming too large.

Note: The MR4 upgrade process will delete extraneous

files in the /var/log/ace/enrichment folder. If the
folder contains a large number of files, (more than a
few million) the delete process may take an extended
period of time (up to 2 hours).

While the delete process in underway, messages

similar to the following are logged to
var/log/messages:

McAfee NGCPRebuild[1130]: Cleaning ACE Enrichment

Directory (logged at the beginning of the process)

McAfee NGCPRebuild[1130]: Cleaning up stale

watchlist files. This process could take an extended
period of time. (logged during the process at an
interval of approximately 60 seconds)

McAfee NGCPRebuild[1130]: Cleaning ACE Enrichment

Directory completed. (logged at the end of the
process)

8
 1141609 ESM ELM Search ELM Search downloads would not work for non-admin
users.

1142567 ESM Distributed Event pulls would time out when the ESM was days
behind on retrievals.

1144316 ESM Events When drilling down on IOC events event data would
not populate in the details tab.

1144591 Database Other Partial backup would sometimes fail on a table

containing closed partitions.

1145155 Receiver Collectors Mount collector would not run when a configured data
source was disabled.

1145736 Database Other Narrows the search window to ensure non-relevant

data isnt needlessly searched in order to pull data
from child to master ESM.

1145946 ESM Data Source Writing out Data sources failed for receivers with
multiple data sources if one of the data sources was
an ACE.

1146948, ESM IOC False positive could be triggered when a cyberthreat

1147183, feed was setup with multiple IOCs in one file.
1148843

1147443 Database Other Improved error handling for a theoretical data sorting
failure.

Increased the query performance when handling large

1149095 Database Other amounts IPSIDs.

1150257 ESM Other Fixed memory leak associated with Risk Score.

1150303

1151583 ESM Other Occasionally while starting services CPServiced would

start more than 1 instance.

MR3
Reference Device Area Issue Description
Number

1148378, ADM Other ADM Kernel Panic

1148628

9
MR2 Internal Release only
Reference Device Area Issue Description
Number

1123068 Receiver Other Added functionality to clean out files older than a day
from /var/log/data/va/.

1126931 ESM Data Sources Updated the test connect functionality for SCP data
sources to use the select system call to ensure the
socket is ready for reading and writing before
performing I/O operations.

1131039 ESM Security Modified the location to check for permissions for views
to allow groups permission set in earlier releases to
persist

1135480 ESM Logging Resolved an issue where the updated column for flow
retrieval logs would show a negative number.

1135975 ESM ELM Increased the timeout for ElmDBStop to allow the ELM
to startup automatically when there are large storage
pools.

1137345 ESM Backup/Restore After a redundant ESM (RESM) failover more than one
day of data was backed-up and could run out of disk
space.

1141908 ESM Data Source Modified the check for duplicate data sources when a
data source is created to not include the new data
source in the list of existing data sources.

1142715 ESM Database Modifications made to improve the handling of long

strings.

ESM Alarms Made modifications so that the queries of alarms with

1142955,
1145170 the Condition of Deviation from Baseline and condition
query of "Total Events" will run in the background.

1143015 ESM Database A failed move of a single partition could prevent all
subsequent partition moves which caused the disk to
run out of space.

1143247 Receiver Parsers The OpenVAS xml parser would try to read an item
from the xml that did not exist.

10
 1144259 ESM Database Root directory ran out of space due to an error message
being repeatedly written to NitroError.Log.

1146677 ESM Database Released a database lock being held to long

1146723 ESM Database Deletion of an incorrect partition on Receiver was

possible in a rare circumstance

MR1 Limited Release

Reference Device Area Issue Description
Number

1137625 ESM Views View with Domain and SigID filter would load slowly

1135719 ESM Database Database - Log table reported negative record count
after an index rebuild

1138925 ESM Database dbserverd threads locked from BFile^.UserCount being

stuck

1140155 ESM Other ref lock not being released in some exception cases

1141098 ESM Database Move Points being set "at 0" would cause partitions to
be deleted or move to archive early

1119516 ESM Correlation Improved error handing to detect corrupt records and
continue processing the next record

1122397 ESM Backups Enhancements to the ESMs backup procedures to

include /root/.ssh/known_hosts

1119042 ESM Views Export View queries would generate multiple times

1123564 ESM Database Alert table closing down while dbserver is running

1130691 ESM Rules Modification of a rule does not always show the correct
regular expressions

1129167 ESM Data Source ER15 upon editing Generic Data Source if the user does
not have administrator rights

1130040 ESM Events Event Forwarding would not work when using non-
default sate format user settings

11
1136891 ESM Data Source Passwords for data source profiles were not being
encrypted

1127706 ESM Parsers ASP-Test segfault when opening a rule

1133088 ESM Collectors Syslog-ng Client DS would not route correctly if its
hostname contains an underscore character ("_")

1131849 ESM Filters ER 15 when opening filter list with limited privileges

1133119 ESM Backups Incremental backup would not start from last good
backup

1129511 ESM Other Assets without IP Addresses are being pulled from ePO
but should not be

1135427 ESM Rules ASP Rule Editor: Number of PCRE's goes beyond limit -
But ASP Rule Editor GUI says the opposite

1135713 ESM Other Getting I/O lock on the SSD file system when reaching
a certain I/O load on the ESM X6/X4

1136836 ESM Redundant Event details for a query that runs on a redundant were
not correct.

1138122 ESM Filters Report Device filters would always show "Physical
Display"

1138933, ESM Other Improved memory handling. StringsS entry logged in

1139168, /var/log/messages.
1133094

1140849 ESM Other GUI hung due to a thread lock not being released

1108436 Receiver Collectors Syslog relay would not honor Hostname plus Port

1133658, Receiver VA Rapid7 Nexpose as Va Source Fails "Server message:

1135210, Authorization required for API access
1101562,
1133661,
1133663,
1133665,
1134370,
1134910

1122750 Receiver Collectors eStreamer could fail on an HA receiver pair when

eth0 and eth1 are on same subnet

12
1131861 Receiver Collectors Amazon Cloudtrail event logs are larger than collector
and msgwrite can handle

1138266 Receiver Collectors eStreamer "title verification failed; expected:

estreamer"

1138885 Receiver Parsers The Advanced Syslog Parser (ASP) woulod stop parsing
data after a SIEM upgrade if, prior to upgrade, there
were only Custom ASP Rules and the Rules were
ordered

1123294 Receiver Data Sources Receiver could not write out data sources when client
data sources have the same IP but different ports

1143303 ACE Report Device filters always show "Physical Display"

1137523 ADM Other ADM Kernel panic

1116394 ELM Other Duplicate archive ids for ELM logs would cause incorrect
raw logs to appear in the UI with some events.

1123010 ELM Bloom ELM indexing queue would get filled up with duplicate
files

1123077 ELM Datbase Increasing size of management database fails with an

error that there is not enough disk space even though
there is enough disk space

1133051 ELM Bloom Could not modify ELM Storage Pool. List index (0) out
of bounds" error in the ELM's /var/log/messages

1137612 ELM Bloom elmdbrebuild would fail after upgrade from 9.4.2 to
9.6.0

1136298, Device Inserts Resolved the issue where puling events may result in a
1136296, success message when zero events were pulled.
1136295,
1135926

1137088, ESM Data Source Auto-learned data source would not be removed from
1136604, the auto-learn file when being removed from the list.
1135458

13
Installation instructions
For new installation instructions please refer to the following document.

McAfee Enterprise Security Manager 9.6.0 Installation Guide

For upgrade installation instructions please refer to the following document.

McAfee Enterprise Security Manager 9.6.0 Release Notes

Troubleshooting installation issues

Common issues encountered during/after installation

When using the Chrome browser, you could see that the upgrade tarball will not upload properly to
the ESM and is decompressed from a .tgz file. This is due to the way Chrome uploads the file. If you
experience this issue we recommend using Internet Explorer, or FireFox to do the upgrade.

Recovering from a failed installation

Contact McAfee Support.

Finding product documentation

On the ServicePortal, you can find information about a released product, including product
documentation, technical articles, and more.

Task

1. Go to the ServicePortal at https://support.mcafee.com and click the Knowledge Center

tab.

2. In the Knowledge Base pane under Content Source, click Product Documentation.

3. Select a product and version, then click Search to display a list of documents.

14