
Release Notes

McAfee® Enterprise Security Manager (ESM) 9.6.1 MR2

About this document


Thank you for choosing this McAfee® product. This document contains important information about the
current release. We strongly recommend that you read the entire document.

About this release


Release date

Files included
• ESS_Update_9.6.1MR2.signed.tgz
• ESSREC_Update_9.6.1MR2.signed.tgz
• RECEIVER_Update_9.6.1MR2.signed.tgz
• APM_Update_9.6.1MR2.signed.tgz
• DBM_Update_9.6.1MR2.signed.tgz
• IPS_Update_9.6.1MR2.signed.tgz

Upgrade Paths
• You can upgrade to 9.6.1 MR2 directly from 9.5.2 or later.
• You must upgrade versions before 9.5.x following this path: 9.0.2 > 9.2.1 > 9.4.2, 9.5.2 or later > 9.6.1 MR2

Bug Fixes and Enhancements

This section provides a description of the fixes and enhancements included in this Maintenance
Release.

NOTE: This update is cumulative (i.e. 9.6.1 MR2 contains all the fixes and enhancements that were
previously in 9.6.1 MR1) and may be installed over the top of 9.6.0 GA, 9.6.0 MR 1, 2, 3, 4, 5, 6, 7, 8, 9,
9.6.1 GA and 9.6.1 MR1.

9.6.1 MR2

Bug Fixes

Reference Number | Device | Area | Issue Description
1193689 | ESM | User Interface | Auto refresh now picks up new ePO extensions.
1192771, 1193227 | Other | Other | Resolved a failure to boot issue when upgrading to ESM 9.6 or 10.0.
1202424 | ESM | Views | Bad Query on views filtering by Device Type ID CLASS.
1188096 | ESM | Redundant ESM (RESM) | Resolved an issue that prevented SNMP Health Requests from being retrieved from a Redundant ESM.
1196145 | ESM | Other | Added support for SMBv2 for file collection.
1182550, 1188454 | Receiver | Collectors | Resolved an issue that prevented AWS Cloudtrail Datasource data collection.
1144706 | ESM | User Interface | Resolved an issue that caused an error message while editing the Date time format of ASP mapping in the Japanese version.
1187554 | ESM | Backup / Restore | Fixed an issue that caused watchlist entries to not be restored from a full back-up.
1190606 | ACE | Other | Match component filter with a comma in a correlation rule now works correctly.
1198492 | ESM | Views | Filtering by special characters at the beginning of a string no longer results in a Bad Query Error.
1184492 | ESM | Other | Removed symlinks to non-existent startup script.
1182573 | ESM | Other | Accumulator field is now displayed for correlation events.
1189341 | ESM | Data Enrichment | Data Enrichment Source tab now allows non-ASCII characters in the Path field.
1193872 | ESM | Other | Removed TLS v1.0 support.
1193866 | ESM | Other | Updated to latest Java version.
1157226, 1099966, 1170534, 1180693, 1079411, 1157739 | Receiver | Other | Syslog now gracefully recovers when too many connections are active.
1194649 | ESM | Other | Fixed an issue that prevented the job for Discover NSM Sensors from updating the sensors.
1189120 | Receiver | Collectors | HTTPS curl collector mode now accepts Host Name.
1191952 | ESM | Redundant ESM (RESM) | Added an optional config file to fine tune rsync for different customer environments.
1173204 | ESM | Data Enrichment | Resolved an issue that caused the data enrichment process to fail when using the LDAP "Description" field content.
1187443 | ESM | Other | Corrected an issue that caused the port number setting to be ignored when importing SFTP data source settings from a CSV file.
1182465 | ESM | Other | Set 1TB maximum disk usage limit on DAS drive packet tables.
1191951, 1192154, 1202077 | ESM | Alarms | Fixed a regression that prevented internal events from being written.
1195944 | ESM | Reports | Improved query and report speed.
1196478, 1189285, 1196479 | ESM | Other | When modifying a Checkpoint data source with child data sources, all the child data sources were disabled when the IP of the data source wasn't changed. This disabled state is now set only when validation is required for the IP/port of the data source.
1188268, 1171478, 1149775 | ESM | Alarms | Added the ability to create alarms for groups of data sources.
1186823 | Receiver | Other | Removed unused symlinks that caused error messages.
1184401 | ESM | Policy | Corrected erroneous conflict errors during the policy import process.
1159179 | ESM | System Properties | Corrected an issue that prevented users from removing email recipients from email groups.
1196773, 1199677, 1197646, 1197822, 1196944, 1197825, 1198494, 1197724, 1201480 | ESM | Reports | Fixed an issue that prevented reports with non-default date formats from being run.
1196134 | ESM: Views | Other | Resolved an issue that was causing invalid error messages when viewing the email content pack.

9.6.1 MR1

Bug Fixes

Reference Number | Device | Area | Issue Description
1111767 | ELM | Other | Resolved an issue that would cause ELM Statistics to show zero logs for some Data Sources, even though the ESM UI shows there are logs in ELM.
1130033 | ESM | Reports | Selecting a custom time range and a date format other than mm/dd/yyyy could produce incorrect data sets and time ranges.
1139436 | Database | Other | Improved the logic to clean temporary files from the archive directory when dbserver restarts.
1141155 | ELM | Database | The ELM database would delete old partitions without warning if the database and storage pools were stored on the same device and that device reached 90% full.
1150643 | ESM | Views | Improved the handling of special characters for filtering and views.
1150774 | ESM | Alarms | Device status change alarms now accurately trigger at the data source level.
1153814 | ESM | Data Enrichment | LDAP Data Enrichment would not return any results if a non-ASCII character was used in the query.
1154596, 1155865 | ELM | Search | Resolved an issue where ELM logs would not be fully decoded when retrieved through ELM Search.
1156585, 1126930 | Receiver | Collectors | Data collection would not resume after rebooting VMware vCenter Server.
1157922 | ESM | Alarms | Clicking "case link" on the generated alarm's Actions tab would result in an error if the case summary contains a pipe ('|') character.
1157940 | ACE | Other | Deviation component for flows using event count as the deviation field would fail to write out to the ACE.
1158910 | ELM | Other | When reducing the size of a storage pool, the amount of available space would display incorrectly in the storage pools tab of ELM properties.
1160429 | ELM | Other | Improved handling for displaying ELM search metadata for different date formats.
1160950, 1169537, 1154790 | Receiver | Other | Resolved an issue that would cause an error message to report that re-keying a device failed when it was actually successful.
1161125 | ESM | Views | Resolved an issue that would cause long running delete queries to spawn additional queries.
1162888, 1179314 | ELM | Other | Logs sent to the ELM would be deleted if no entry is found in the ds2rg table.
1163035 | ESM | Custom Types | Custom types in Name/Value groups would not be displayed in the event view for the Japanese UI.
1163240 | ELM | Logs | If ELM logs had duplicate archive ids, incorrect raw logs would appear in the UI with some events.
1163730, 1167571 | Receiver | Other | Resolved an issue where unknown events would show at the data source parent level when using SIEM Collector.
1164411, 1153616, 1168229 | ELM | Redundant | Fixed the counting of files for the rsync status to not include close matching numbers like 1, 10 and 11 multiple times.
1164452 | ELM | Database | Resolved an issue where the "Being moved" lock file was not cleaned up after an ELM DB size increase.
1166780 | ESM | Policy | The Japanese characters in the description when importing correlation rules were not being properly encoded. The import logic was modified to correctly maintain the encoding of characters.
1167177 | ESM | Flash UI | Changing the hostname or vendor/model of a client data source would fail if the data source vendor/model and host name were in use by another client.
1167541 | ESM | Redundant | ACL setting would not get replicated to the Redundant ESM.
1168003 | ESM | Distributed | Resolved an issue that would cause pulling packet data the first time to fail.
1168222 | ESM | Flash UI | When changing the name of existing parameters in the correlation rule editor, the name would change to unknown. The default value for the parameter was changed to always maintain the same format.
1168356 | Receiver | Other | Resolved an issue that prevented parsing of an HTTP data source due to extra white space.
1168675 | ESM | Security | Resolved an issue that caused AD user accounts to stay locked after the lockout duration had expired.
1168730, 1123306, 1130254 | Receiver | Other | Resolved an issue that would trigger a device health alarm on a non-HA receiver of: "HA status changed from Critical to Warning".
1169223, 1185517 | ESM | Distributed | Resolved an issue that would cause the ACE to show out of sync on a distributed ESM.
1170168 | ESM | Flash UI | Resolved an issue that prevented expanding of correlated events in source events when logged in as a limited user.
1171229 | ESM | Reports | Resolved an issue that prevented deselected emails in an email group from being removed from the group.
1171319, 1159989, 1163200, 1175912 | Receiver | Other | IPMI would not function with ERC 1260 receivers.
1171864 | ESM | Watchlist | Watchlist would not get all of the file hashes when it was uploaded from the ATD Cyberthreat feed.
1171969 | ESM | Distributed | Destination user and Object fields were sporadic in propagating up to the parent ESM.
1172007, 1177421, 1178857 | Receiver | Collectors | Resolved an issue where eStreamer would not write out correct json to be parsed.
1172474 | ESM | Other | Multiple threads of the UpdateMTISThreads would run when the thread takes a long time to finish.
1173929 | ESM | Flash UI | When doing a host lookup with correlation events, the host lookup would not display in the correct column.
1174315 | ESM | Data Enrichment | When performing data enrichment with a lookup field custom type = 5, the destination fields would not be replaced by data enrichment.
1174380 | Receiver | HA | The default gateway would not be assigned to the shared IP interface after HA fail-over.
1174542 | DBM | Other | The TNS module in the DBM failed to handle a particular data encoding that TOAD (Tool for Oracle Application Developers) was using.
1174556 | ESM | Reports | Resolved an issue that would cause stacking distribution charts to contain incorrect 'others' values.
1174838 | ACE | Other | Resolved an issue that would allow an unsupported field to a deviation.
1175569 | ESM | Health Monitor | Enhancements to health monitor for device communication errors.
1176269 | ESM | Policy | Added user information to policy change history.
1177260 | ESM | UI | When correlating with a large threshold, it was possible to exceed the supported packet length.
1178305 | ESM | Reports | Report would not be generated if the Devices filter was empty. Added a check in the UI to validate that a device is selected.
1180258 | ESM | Alarms | Alarm acknowledge date and time were incorrectly displayed in the details panel and the clipboard.
1180636, 1158297, 1181997, 1184605, 1184764, 1193524 | ELM | Search | Enhanced ELM log retrieval to search through all possible log files instead of just one log file. Some log entries in aggregated events were not being displayed.
1181790 | ACE | Other | Added notifications when correlation rules, thresholds, and deviations exceed the maximum packet length.
1182029 | ELM | Other | Resolved an issue that, in rare instances, prevented logs from being displayed when a user was connected to an ELM through SFTP.
1183281 | Receiver | Other | Resolved an issue that caused syslog messages to be sent to a data source when the host name matched but the port did not match.
1183572 | ESM | Reports | Resolved an issue where the ESM would incorrectly delete temporary files that were being used for running report queries.
1183723 | ELM | Other | Resolved an issue where the bloom does not get set when duplicate ELM ids span multiple partitions.
1184113 | ACE | Other | The correlation rule would never trigger under a specific condition.
1184292 | ESM | Flash UI | Updated the label of the ACE communication configuration panel to be correct.
1184522 | ESM | Rules | Resolved an issue that caused extra rows to be added when saving ASP rule text.
1185031 | ACE | Other | Set the maximum allowed value for the ACE Risk Correlation Manager threshold to 99%.
1185261 | ELM | Redundant | Resolved an issue that prevented a redundant ELM from syncing completely.
1187430, 1187677 | ACE | Other | Resolved an issue that caused alarms to trigger more frequently than the Maximum Condition Trigger Frequency (cooldown) setting.
1188302, 1188301, 1188448 | ESM | Other | Resolved an issue that caused false error messages when users tried to view event data.
1189266 | ESM | Other | Improved memory handling when the ESM populates the device tree and when retrieving a list of correlated events.
1188742, 1188752 | | | Resolved an issue where editing blacklist IP addresses would fail due to extra '\' characters present in the command's parameters.

9.6.1

Bugs

Reference Number | Device | Area | Issue Description
1162135 | McAfee SIEM | ESM: Views | When exporting table results from a custom case view, the dialog to download the results would not show up.
1181609 | McAfee SIEM | ELM | API service would stop running during logging to edsftp.
1162069 | McAfee SIEM | ACE | Improved memory handling routines for java correlator processes.
1161564 | McAfee SIEM | ELM | When a DAS entry in the Das.conf file had a uuid of zero, there would be an entry visible in the System > Properties > Database > Data Storage > DAS page which resulted in the appearance of an extra DAS device.

Enhancements

Reference Number | Device | Area | Issue Description
None | All (except IPS) | Hardware | Added support for Gen 5 Hardware.
None | | | Added support for Check Point R80.

9.6.0 MR9

Security Fixes

Reference Number | Device | Area | Issue Description
1176754 | McAfee SIEM | ESM | Updated NTPD to version 4.2.8p9.

Bug Fixes

Reference Number | Device | Area | Issue Description
1179064 | McAfee SIEM | ESM | Modifications to the way CPConsoleServer.cfg handles the configuration parameter "allow_ssh".
1178285 | McAfee SIEM | DBM | DBM would fail to capture traffic from an MSSQL database when using dynamic ports.
1145759 | McAfee SIEM | DBM | Removed the option to use nitrofirewall capture from the DBM.
1162445 | McAfee SIEM | User Interface: Flash (traditional UI) | When selecting a client data source for filtering event forwarding results, the parent device would be shown on the device form instead of the client data source.
1167190, 1167576, 1167580, 1167757, 1168745, 1177122, 1177756, 1180901, 1168747, 1168745 | McAfee SIEM | ESM | Datasource inactivity flags would not properly clear.
1177859, 1122299, 1165318 | McAfee SIEM | ELM | Improved the performance for obtaining ELM storage pool data.

Enhancements

Reference Number | Device | Area | Issue Description
None | Receiver | Other | Added Support for CheckPoint R80.

9.6.0 MR8

Security Fixes

Reference Number | Device | Area | Issue Description
1166416 | ESM | Security | Updated Kernel to resolve "Dirty COW" CVE-2016-5195 (CVSS3 6.4/6.1).
1166418 | ESM | Security | Updated JRE/JDK package to version 1.8.0 u102.
1159740 | ESM | Security | Resolved OS command injection (CVSS3 7.2 / 7.0).
1095836 | Receiver | Security | Resolved issue where file name can execute commands on upload (CVSS3 8.8 / 8.6).

Bug Fixes

Reference Number | Device | Area | Issue Description
1165060 | ESM | Alarms | Alarms would show [object object] as the default values on the Destination User filter.
1167202 | ESM | Alarms | Resolved alarms that would generate QueryExec errors after upgrades.
1168000 | ESM | Database | Resolved issue where open file handles would reach 0 even though files were open.
1167217 | ESM | SNMP | Resolved SNMP timeouts.
1162839 | ESM | System Properties | Emails would fail to send if TLS and authentication were both enabled.
1145767 | ESM | System Properties | Resolved an error that occurred when writing out the global blacklist.
1135671 | ESM | Reports | Addressed an issue where the average normalized event severity bar chart was not being displayed in reports.
1148185, 1155206 | REC | Collectors | Resolved an issue where the eStreamer collector restarted several times a day.
1123046, 1164203, 1124250 | ELM | Redundant | Partial rsync files would accumulate in /tmp and not be cleaned up.
1168001 | ELM | Database | ELM could incorrectly calculate disk space remaining and remove partitions to free up space.
1157788 | ACE | Correlation | Addressed correlation rules not triggering when using a "contains" clause that had Japanese characters in the target string.

Enhancements

Reference Number | Device | Area | Issue Description
1151336 | REC | Collectors | Added support for eStreamer block type 42 for record type 400.

9.6.0 MR7

Bug Fixes

Reference Number | Device | Area | Issue Description
1134137, 1156882, 1134136 | ELM | Redundant | Resolved SFTP connectivity issues on redundant ELM.
1157720, 1160755, 1157744 | ESM | IOC | Indicators of Compromise (IOC) back trace would incorrectly match events when using the URL.
1159852, 1150148, 1132610 | ESM | Backup & Restore | Addressed an issue where restoring the configuration would fail with an ERCELM device.
1130545, 1128538 | ESM | Event Forwarding | Resolved time out values that would cause events to be dropped when sending via TCP.
1163248 | ESM | Backup & Restore | Resolved issue where performing an ESM backup would result in slower alert inserts.
1161106 | ESM | Other | Added logic to ensure enough space in memory to store user input values for active directory logins and user-defined fields in query results.
1151127 | ESM | Other | Fixed locked ISO images so they work on an ERU device.
1164816 | ESM | Views | Fixed sorting problems with table components.
1149317 | ACE | Correlation | Correlation managers would not filter for flows.
1159743 | ESM | Alarms | Performance modifications for Alarm queries.
1133866 | ESM | Properties | Increased the timeout for an active directory server with two IP addresses to allow enough time for the ESM to authenticate through the second IP address if the first one fails.
1152685 | ELM | Storage | Added a health monitor check to warn when data is about to be overwritten before the retention period has expired.
1153832 | ESM | Other | Enhanced DBSizeChange to keep index and bloom files on /ss1 instead of moving them or creating them on /db2.
1157708 | ACE | Historical Correlation | Health Flags for correlation would not occur in Historical mode on an ACE.
1161284 | ESM | Other | NSM rules will not default to enabled.
1164436 | ESM | Backup & Restore | Differential backups now look at the syssettings table to figure out when the last successful backup of the Alert (and Packet), Connection, and Log tables occurred.

9.6.0 MR6

Bug Fixes

Reference Number | Device | Area | Issue Description
1150709 | ESM | Views | Queries with an * in the Sig ID field would return incorrect results.
1155797, 1161496 | ESM | Upgrade | Upgrading the ESM would take longer than expected if Accumulator indexing is enabled.
1159852 | Receiver | HA | The call to WriteConf, which was a recursive call to itself, was corrected to get the configuration file name and allow the function to write corosync.conf as intended.
1158896 | ESM | Policy | Fixed reversal of time formats when editing ASP rules.
1147896 | Receiver | Data Source | Updated Amazon CloudTrail collector to use the configured proxy server for all traffic.
1131211 | ESM | Correlation | When viewing some correlation events in the GUI, the Correlation Details tab would show 'No Details Found' when a special character was used in the name or description of the correlation rule that generated the event.
1141615, 1151613 | ESM | Reports | Device filters would not be retained for certain queries.
1148814, 1150322 | ESM | UI | The Email recipients list for the "Send Message" action of Alarms would be displayed incorrectly.
1145094 | ESM | Alarms | A field match alarm which used a "contains" match that ended in a backslash (\) would result in: "Error: Could not move file to device (ER126)".
1155390 | ESM | Views | Resolved an issue where cases assigned to a user that were part of a NOT IN filter remained in the "other" category.
1156995 | Receiver | Collector | The mount collector would pull files smaller than 256 bytes repeatedly even if they hadn't changed.
1151610 | ESM | Reports | Removed default time filter from "McAfee Collection Rate - Events Per Second" and "McAfee Collection Rate - Events Per Second" reports.
1153672 | ESM | Policy | Historical correlation filter protocol field would allow too many characters.
1150916 | ESM | Alarms | Fixed erroneous triggering of alarms after the alarm trigger type is changed.
1156879 | ESM | Filters | Queries for views or reports with a regex in the filters might not return.
1158180 | ESM | External API | REST API would always return a locked status of false for all users when retrieving the user list.
1145221, 1147161, 1145199 | ESM | External API | Modified caseAddCase and caseEditCase to allow event ids to be added / edited.
1153671 | ESM | Policy | Fixed failure to edit correlation rules in non-English languages.
1144331 | ESM | Users & Groups | Resolved an issue saving devices to a group.
1149350 | ESM | Views | Resolved an issue where queries with "or" conditions in the filter would not return results.
1144333, 1151592 | Receiver | Collectors | Syslogcollector now waits the proper time before failing when trying to bind to the syslog socket.
1156640 | Receiver | Other | Resolved an issue with routing of syslog events to data sources when two data sources have the same host name but a different port.
1152342 | ESM | Alarms | Fixed encoding of correlation rule filter values.
1150479 | ESM | Users & Groups | The Users and Groups dialog would not load if the initial password prompt was cancelled.
1144573 | ESM | Views | Some view results were not being returned when querying a parent and group of child data sources.
1134164 | ESM | Other | NSM Sensors auto refresh would fail with "ErrMsg=Ok, Result: The session is invalid".
1154571, 1156859, 1157028 | ESM | Views | Column names were displayed incorrectly on CSV files that were exported from a view.
1119239, 1129882, 1155086 | ESM | Other | Resolved an issue where a content pack showed as available to install but no associated file was found on the ESM.
1157322, 1157938 | ESM | Other | Improvements to memory handling functions.
1151639, 1153939 | Database | Other | Resolved an issue where some Partitions would be marked bad after a clean shutdown.
1144304, 1146001, 1152277, 1154840, 1156141, 1149815 | ELM | Other | Fixed erroneous "path in use" message when adding a second SAN device to an ELM.
1152567 | Receiver | Collector | The mount collector would fail when the source directory contained many tens of thousands of files.
1162898 | Receiver | Collector | Resolved an issue where the SIEM collector connection would drop and events wouldn't be sent to the receiver.

Enhancements

Reference Number | Device | Area | Issue Description
1154800 | Database | Other | Decreased ESM shutdown time for systems that have a large number of alert partitions.
1159668 | ESM | Other | Updated to OpenSSL 1.0.2j.

9.6.0 MR5
Reference Number | Device | Area | Issue Description
1153182 | ESM | Distributed | When adding devices to a distributed ESM they would not be automatically refreshed on the parent system tree.
1083558 | ESM | Alarms | Occasionally alarms would show in the triggered alarm view but not in the alarm pane.
1099227, 1149635 | ESM | Other | Source passwords for Watch lists were not encrypted in the database.
1121047, 1132605 | ESM | Other | Geo-Location information for some IP addresses was incorrect.
1124573, 1141208, 1146734 | Receiver | Collector | Curl Collector would not pull events as frequently as it was configured to.
1124737 | ESM | Views | The event summary selection would not be maintained in the drill-down view when switching data sources.
1129072 | ESM | Distributed | Pulling packets from the child ESM could result in Malformed data (ER1010).
1133676, 1115503 | ESM | Distributed | When exporting data sources in a distributed ESM model they would sometimes be duplicated.
1134437, 1139544 | ESM | Alarms | Certain alarm actions would show up twice in alert details.
1135202 | ESM | Reports | Performance enhancements for CSV Reports.
1135203 | ESM | Distributed | Device type filters for Distributed ESM were not correctly saved after upgrade.
1136220, 1126080, 1137745, 1142554, 1147442 | ELM | Archive | In some cases ELM archive would fail to retrieve logs for aggregated events.
1139436 | Database | Other | Enhanced clean-up of temporary files on das1 and ad1.
1139440 | ESM | Reports | Non-Admin users would not be able to see reports created by others even when sufficient access had been granted.
1140627 | ESM | Events | Unnecessary internal events would be triggered on login for file deletions.
1141625 | ESM | Data Source | SCP test connect could fail when thousands of files exist in the remote directory.
1142777 | ESM | Other | Event aggregation exceptions would be deleted after a change to custom types.
1143510 | ESM | | Improved memory handling for alarms and reports.
1144598, 1150298 | ESM | Distributed | Pulling events would time out if the ESM was more than one day behind on retrievals.
1145128 | ESM | Other | Modified string handling techniques for some APIs.
1145382, 1145768 | ESM | Other | SNMP V2 Trap Object Identifier was incorrectly formatted.
1145415, 1146564 | Receiver | High Availability | Improved error reporting on the process to verify the hi_bit in ha_conf.
1146200, 1143324 | ESM | Alarms | Triggered alarm views would not show acknowledged alarms when logged in as a Non NGCP user.
1146734 | Receiver | Collector | Improvements to curl collector.
1147690 | ESM | Other | Increased the maximum number of detached partitions the GUI allows to be attached manually to 100.
1147939 | ESM | Backup & Restore | "last backup success" dates were incorrectly using the last differential backup date.
1147941 | ESM | Backup & Restore | Improved space requirement checking for differential backups.
1149605 | ESM | Policy | Performance enhancements for loading the policy editor.
1150508 | ESM | Views | Distribution Chart would be blank when filtering or stacking by device type ID.
1150509 | ESM | Views | Table components would return no results with "or" filters and certain fields in "Select" statements.
1151844 | ESM | External API | Selecting 159 fields through the External API would result in an error.
1152075 | Database | Other | Improved database rebuild process.
1152306 | ESM | Policy | When filtering by "Tag" all rules would be returned.
1152666 | ESM | Redundant | A redundant ESM is now able to pull packets and ELM logs.
1152670 | ESM | Other | When viewing triggered alarms not all alarms would show.
1153168 | Database | Other | Improved the process of moving data partitions on the ESM.
1155287, 1155527, 1156135, 1152883 | ESM | Rules | Rule updates could fail while checking for new MTIS threats.

9.6.0 MR4
Reference Number | Device | Area | Issue Description
1128533 | ESM | VA Source | Testing the connection on a Critical Watch FusionVM Vulnerability Assessment Source with a Server URL could result in "VAER1 HTTP Error: Not Found".
1134390 | ESM | Other | Processing cyber threat feeds could have resulted in an access violation message being logged to /var/log/messages.
1134465, 1148187 | ESM | Other | Improved process for handling files in the /var/log/ace/enrichment folder to prevent the directory from becoming too large.

    Note: The MR4 upgrade process will delete extraneous files in the /var/log/ace/enrichment folder. If the folder contains a large number of files (more than a few million), the delete process may take an extended period of time (up to 2 hours). While the delete process is underway, messages similar to the following are logged to /var/log/messages:

    McAfee NGCPRebuild[1130]: Cleaning ACE Enrichment Directory (logged at the beginning of the process)
    McAfee NGCPRebuild[1130]: Cleaning up stale watchlist files. This process could take an extended period of time. (logged during the process at an interval of approximately 60 seconds)
    McAfee NGCPRebuild[1130]: Cleaning ACE Enrichment Directory completed. (logged at the end of the process)

1141609 | ESM | ELM Search | ELM Search downloads would not work for non-admin users.
1142567 | ESM | Distributed | Event pulls would time out when the ESM was days behind on retrievals.
1144316 | ESM | Events | When drilling down on IOC events, event data would not populate in the details tab.
1144591 | Database | Other | Partial backup would sometimes fail on a table containing closed partitions.
1145155 | Receiver | Collectors | Mount collector would not run when a configured data source was disabled.
1145736 | Database | Other | Narrows the search window to ensure non-relevant data isn't needlessly searched in order to pull data from child to master ESM.
1145946 | ESM | Data Source | Writing out Data sources failed for receivers with multiple data sources if one of the data sources was an ACE.
1146948, 1147183, 1148843 | ESM | IOC | False positive could be triggered when a cyberthreat feed was set up with multiple IOCs in one file.
1147443 | Database | Other | Improved error handling for a theoretical data sorting failure.
1149095 | Database | Other | Increased the query performance when handling large amounts of IPSIDs.
1150257, 1150303 | ESM | Other | Fixed memory leak associated with Risk Score.
1151583 | ESM | Other | Occasionally while starting services CPServiced would start more than 1 instance.

9.6.0 MR3
Reference Number | Device | Area | Issue Description
1148378, 1148628 | ADM | Other | ADM Kernel Panic.

9.6.0 MR2 – Internal Release only


Reference Number | Device | Area | Issue Description
1123068 | Receiver | Other | Added functionality to clean out files older than a day from /var/log/data/va/.
1126931 | ESM | Data Sources | Updated the test connect functionality for SCP data sources to use the select system call to ensure the socket is ready for reading and writing before performing I/O operations.
1131039 | ESM | Security | Modified the location to check for permissions for views to allow group permissions set in earlier releases to persist.
1135480 | ESM | Logging | Resolved an issue where the "updated column" for flow retrieval logs would show a negative number.
1135975 | ESM | ELM | Increased the timeout for ElmDBStop to allow the ELM to start up automatically when there are large storage pools.
1137345 | ESM | Backup/Restore | After a redundant ESM (RESM) failover, more than one day of data was backed up and could run out of disk space.
1141908 | ESM | Data Source | Modified the check for duplicate data sources when a data source is created to not include the new data source in the list of existing data sources.
1142715 | ESM | Database | Modifications made to improve the handling of long strings.
1142955, 1145170 | ESM | Alarms | Made modifications so that the queries of alarms with the Condition of "Deviation from Baseline" and condition query of "Total Events" will run in the background.
1143015 | ESM | Database | A failed move of a single partition could prevent all subsequent partition moves, which caused the disk to run out of space.
1143247 | Receiver | Parsers | The OpenVAS xml parser would try to read an item from the xml that did not exist.
1144259 | ESM | Database | Root directory ran out of space due to an error message being repeatedly written to NitroError.Log.
1146677 | ESM | Database | Released a database lock that was being held too long.
1146723 | ESM | Database | Deletion of an incorrect partition on Receiver was possible in a rare circumstance.

9.6.0 MR1 – Limited Release


Reference Number | Device | Area | Issue Description
---------------- | ------ | ---- | -----------------
1137625 | ESM | Views | View with Domain and SigID filter would load slowly
1135719 | ESM | Database | Database - Log table reported negative record count after an index rebuild
1138925 | ESM | Database | dbserverd threads locked from BFile^.UserCount being stuck
1140155 | ESM | Other | ref lock not being released in some exception cases
1141098 | ESM | Database | Move Points being set "at 0" would cause partitions to be deleted or moved to archive early
1119516 | ESM | Correlation | Improved error handling to detect corrupt records and continue processing the next record
1122397 | ESM | Backups | Enhancements to the ESM's backup procedures to include /root/.ssh/known_hosts
1119042 | ESM | Views | Export View queries would generate multiple times
1123564 | ESM | Database | Alert table closing down while dbserver is running
1130691 | ESM | Rules | Modification of a rule does not always show the correct regular expressions
1129167 | ESM | Data Source | ER15 upon editing Generic Data Source if the user does not have administrator rights
1130040 | ESM | Events | Event Forwarding would not work when using non-default date format user settings
1136891 | ESM | Data Source | Passwords for data source profiles were not being encrypted
1127706 | ESM | Parsers | ASP-Test segfault when opening a rule
1133088 | ESM | Collectors | Syslog-ng Client DS would not route correctly if its hostname contains an underscore character ("_")
1131849 | ESM | Filters | ER 15 when opening filter list with limited privileges
1133119 | ESM | Backups | Incremental backup would not start from last good backup
1129511 | ESM | Other | Assets without IP Addresses are being pulled from ePO but should not be
1135427 | ESM | Rules | ASP Rule Editor: Number of PCRE's goes beyond limit - But ASP Rule Editor GUI says the opposite
1135713 | ESM | Other | Getting I/O lock on the SSD file system when reaching a certain I/O load on the ESM X6/X4
1136836 | ESM | Redundant | Event details for a query that runs on a redundant ESM were not correct.
1138122 | ESM | Filters | Report Device filters would always show "Physical Display"
1138933, 1139168, 1133094 | ESM | Other | Improved memory handling. "StringsS" entry logged in /var/log/messages.
1140849 | ESM | Other | GUI hung due to a thread lock not being released
1108436 | Receiver | Collectors | Syslog relay would not honor Hostname plus Port
1133658, 1135210, 1101562, 1133661, 1133663, 1133665, 1134370, 1134910 | Receiver | VA | Rapid7 Nexpose as VA Source fails: "Server message: Authorization required for API access"
1122750 | Receiver | Collectors | eStreamer could fail on an HA receiver pair when eth0 and eth1 are on the same subnet
1131861 | Receiver | Collectors | Amazon Cloudtrail event logs are larger than collector and msgwrite can handle
1138266 | Receiver | Collectors | eStreamer "title verification failed; expected: estreamer"
1138885 | Receiver | Parsers | The Advanced Syslog Parser (ASP) would stop parsing data after a SIEM upgrade if, prior to upgrade, there were only Custom ASP Rules and the Rules were ordered
1123294 | Receiver | Data Sources | Receiver could not write out data sources when client data sources have the same IP but different ports
1143303 | ACE | | Report Device filters always show "Physical Display"
1137523 | ADM | Other | ADM Kernel panic
1116394 | ELM | Other | Duplicate archive ids for ELM logs would cause incorrect raw logs to appear in the UI with some events.
1123010 | ELM | Bloom | ELM indexing queue would get filled up with duplicate files
1123077 | ELM | Database | Increasing size of management database fails with an error that there is not enough disk space even though there is enough disk space
1133051 | ELM | Bloom | Could not modify ELM Storage Pool. "List index (0) out of bounds" error in the ELM's /var/log/messages
1137612 | ELM | Bloom | elmdbrebuild would fail after upgrade from 9.4.2 to 9.6.0
1136298, 1136296, 1136295, 1135926 | Device | Inserts | Resolved the issue where pulling events may result in a success message when zero events were pulled.
1137088, 1136604, 1135458 | ESM | Data Source | Auto-learned data source would not be removed from the auto-learn file when being removed from the list.

Installation instructions
For new installation instructions please refer to the following document.

McAfee Enterprise Security Manager 9.6.0 Installation Guide

For upgrade installation instructions please refer to the following document.

McAfee Enterprise Security Manager 9.6.1 Release Notes

Troubleshooting installation issues

Common issues encountered during/after installation


When using the Chrome browser, you may find that the upgrade tarball does not upload properly to the ESM and is decompressed from the .tgz file. This is due to the way Chrome uploads the file. If you experience this issue, we recommend using Internet Explorer or Firefox to perform the upgrade.

Recovering from a failed installation


Contact McAfee Support.

Finding product documentation


On the ServicePortal, you can find information about a released product, including product
documentation, technical articles, and more.

Task

1. Go to the ServicePortal at https://support.mcafee.com and click the Knowledge Center
tab.

2. In the Knowledge Base pane under Content Source, click Product Documentation.

3. Select a product and version, then click Search to display a list of documents.
