Files included
• APM_Update_9.6.1MR2.signed.tgz
• DBM_Update_9.6.1MR2.signed.tgz
• ESS_Update_9.6.1MR2.signed.tgz
• ESSREC_Update_9.6.1MR2.signed.tgz
• IPS_Update_9.6.1MR2.signed.tgz
• RECEIVER_Update_9.6.1MR2.signed.tgz
This section describes the fixes and enhancements included in this Maintenance Release.
NOTE: This update is cumulative (9.6.1 MR2 contains all the fixes and enhancements that were previously in 9.6.1 MR1) and may be installed over the top of 9.6.0 GA, 9.6.0 MR1 through MR9, 9.6.1 GA and 9.6.1 MR1.
9.6.1 MR2
Bug Fixes
Reference Number (Device, Area): Issue Description
1193689 (ESM, User Interface): Auto refresh now picks up new ePO extensions.
1192771, 1193227 (Other, Other): Resolved a failure-to-boot issue when upgrading to ESM 9.6 or 10.0.
1202424 (ESM, Views): Bad query on views filtering by Device Type ID CLASS.
1196145, 1157226, 1099966, 1170534, 1180693 (ESM, Other): Added support for SMBv2 for file collection.
1079411, 1157739 (Receiver, Other): Syslog now gracefully recovers when too many connections are active.
1194649 (ESM, Other): Fixed an issue that prevented the Discover NSM Sensors job from updating the sensors.
1189120, 1191951 (Receiver, Collectors): HTTPS curl collector mode now accepts Host Name.
1192154, 1202077, 1188268 (ESM, Alarms): Fixed a regression that prevented internal events from being written.
1171478, 1149775 (ESM, Alarms): Added the ability to create alarms for groups of data sources.
1186823, 1197822, 1196944, 1197825, 1198494, 1197724, 1201480 (Receiver, Other): Removed unused symlinks that caused error messages.
9.6.1 MR1
Bug Fixes
Reference Number (Device, Area): Issue Description
1111767 (ELM, Other): Resolved an issue that would cause ELM Statistics to show zero logs for some Data Sources, even though the ESM UI shows there are logs in ELM.
1130033 (ESM, Reports): Selecting a custom time range and a date format other than mm/dd/yyyy could produce incorrect data sets and time ranges.
1139436 (Database, Other): Improved the logic to clean temporary files from the archive directory when dbserver restarts.
1141155 (ELM, Database): The ELM database would delete old partitions without warning if the database and storage pools were stored on the same device and that device reached 90% full.
1150643 (ESM, Views): Improved the handling of special characters for filtering and views.
1150774 (ESM, Alarms): Device status change alarms now trigger accurately at the data source level.
1153814 (ESM, Data Enrichment): LDAP Data Enrichment would not return any results if a non-ASCII character was used in the query.
1154596, 1155865 (ELM, Search): Resolved an issue where ELM logs would not be fully decoded when retrieved through ELM Search.
1156585, 1126930 (Receiver, Collectors): Data collection would not resume after rebooting VMware vCenter Server.
1157922 (ESM, Alarms): Clicking "case link" on the generated alarm's Actions tab would result in an error if the case summary contained a pipe ('|') character.
1157940 (ACE, Other): The Deviation component for flows using event count as the deviation field would fail to write out to the ACE.
1158910 (ELM, Other): When reducing the size of a storage pool, the amount of available space would display incorrectly in the storage pools tab of ELM properties.
1160429 (ELM, Other): Improved handling for displaying ELM search metadata for different date formats.
1164452 (ELM, Database): Resolved an issue where the "Being moved" lock file was not cleaned up after an ELM DB size increase.
1166780 (ESM, Policy): Japanese characters in the description were not properly encoded when importing correlation rules. The import logic was modified to correctly maintain the encoding of characters.
1167177 (ESM, Flash UI): Changing the hostname or vendor/model of a client data source would fail if the data source vendor/model and host name were in use by another client.
1167541 (ESM, Redundant): The ACL setting would not get replicated to the Redundant ESM.
1168003 (ESM, Distributed): Resolved an issue that would cause pulling packet data the first time to fail.
1171229 (ESM, Reports): Resolved an issue that prevented deselected emails in an email group from being removed from the group.
1171319, 1159989, 1163200, 1175912 (Receiver, Other): IPMI would not function with ERC 1260 receivers.
1171864 (ESM, Watchlist): A watchlist would not get all of the file hashes when it was uploaded from the ATD Cyberthreat feed.
1171969 (ESM, Distributed): Destination User and Object fields were sporadic in propagating up to the parent ESM.
1172007, 1177421, 1178857 (Receiver, Collectors): Resolved an issue where eStreamer would not write out correct JSON to be parsed.
1172474 (ESM, Other): Multiple UpdateMTISThreads threads would run when the thread takes a long time to finish.
1173929 (ESM, Flash UI): When doing a host lookup with correlation events, the host lookup would not display in the correct column.
1174315 (ESM, Data Enrichment): When performing data enrichment with a lookup field of custom type = 5, the destination fields would not be replaced by data enrichment.
1174380 (Receiver, HA): The default gateway would not be assigned to the shared IP interface after HA fail-over.
1174542 (DBM, Other): The TNS module in the DBM failed to handle a particular data encoding that TOAD (Tool for Oracle Application Developers) was using.
1174556 (ESM, Reports): Resolved an issue that would cause stacking distribution charts to contain incorrect 'others' values.
1174838 (ACE, Other): Resolved an issue that would allow an unsupported field to be used in a deviation.
1175569 (ESM, Health Monitor): Enhancements to the health monitor for device communication errors.
1176269 (ESM, Policy): Added user information to policy change history.
1177260 (ESM, UI): When correlating with a large threshold, it was possible to exceed the supported packet length.
1178305 (ESM, Reports): A report would not be generated if the Devices filter was empty. Added a check in the UI to validate that a device is selected.
1180258 (ESM, Alarms): The alarm acknowledge date and time were displayed incorrectly in the details panel and the clipboard.
1180636, 1158297, 1181997, 1184605, 1184764, 1193524 (ELM, Search): Enhanced ELM log retrieval to search through all possible log files instead of just one log file. Some log entries in aggregated events were not being displayed.
1181790 (ACE, Other): Added notifications when correlation rules, thresholds, and deviations exceed the maximum packet length.
1182029 (ELM, Other): Resolved an issue that, in rare instances, prevented logs from being displayed when a user was connected to an ELM through SFTP.
1183281 (Receiver, Other): Resolved an issue that caused syslog messages to be sent to a data source when the host name matched but the port did not match.
1183572 (ESM, Reports): Resolved an issue where the ESM would incorrectly delete temporary files that were being used for running report queries.
1183723 (ELM, Other): Resolved an issue where the bloom does not get set when duplicate ELM IDs span multiple partitions.
1184113 (ACE, Other): A correlation rule would never trigger under a specific condition.
1184292 (ESM, Flash UI): Corrected the label of the ACE communication configuration panel.
1184522 (ESM, Rules): Resolved an issue that caused extra rows to be added when saving ASP rule text.
1185031 (ACE, Other): Set the maximum allowed value for the ACE Risk Correlation Manager threshold to 99%.
1185261 (ELM, Redundant): Resolved an issue that prevented a redundant ELM from syncing completely.
1187430, 1187677 (ACE, Other): Resolved an issue that caused alarms to trigger more frequently than the Maximum Condition Trigger Frequency (cooldown) setting.
1188302, 1188301, 1188448 (ESM, Other): Resolved an issue that caused false error messages when users tried to view event data.
1189266 (ESM, Other): Improved memory handling when the ESM populates the device tree and when retrieving a list of correlated events.
1188742, 1188752: Resolved an issue where editing blacklist IP addresses would fail due to extra '\' characters present in the command parameters.
9.6.1
Bugs
Reference Number (Device, Area): Issue Description
1162135 (McAfee SIEM, ESM: Views): When exporting table results from a custom case view, the dialog to download the results would not show up.
1181609 (McAfee SIEM, ELM): The API service would stop running during logging to edsftp.
1161564 (McAfee SIEM, ELM): When a DAS entry in the Das.conf file had a uuid of zero, there would be an entry visible in the System > Properties > Database > Data Storage > DAS page, which resulted in the appearance of an extra DAS device.
Enhancements
None listed.
9.6.0 MR9
Security Fixes
None listed.
Bug Fixes
Reference Number (Device, Area): Issue Description
1177859, 1122299, 1165318 (McAfee SIEM, ELM): Improved the performance for obtaining ELM storage pool data.
Enhancements
None listed.
9.6.0 MR8
Security Fixes
Reference Number (Device, Area): Issue Description
1095836 (Receiver, Security): Resolved an issue where a file name could execute commands on upload (CVSS3 8.8 / 8.6).
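As an added illustration of the bug class named in fix 1095836 (a file name that executes commands on upload), and not McAfee's code: the page does not say how the Receiver's upload path was implemented, so the vulnerable and hardened handlers below, the /tmp/incoming and /data/uploads paths and the mv step are all hypothetical. The example shows why a file name spliced into a shell command line becomes a command injection, and the two fixes a practitioner would apply: validate the name against an allow-list, and pass the arguments to the child process as a list (no shell) so metacharacters in the name are never interpreted.

```python
"""Illustration of the bug class behind fix 1095836: a user-controlled file
name that reaches a shell. Added example, not McAfee's code; the directories,
the 'mv' step and both handlers are hypothetical."""
import os
import re
import shlex
import subprocess

# Allow-list: one path component whose first character is alphanumeric (so no
# '..', no hidden files and no names that look like command-line options),
# followed by letters, digits, '.', '_' or '-', at most 255 characters in all.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")

INCOMING_DIR = "/tmp/incoming"   # hypothetical spool directory
UPLOAD_DIR = "/data/uploads/"    # hypothetical destination


def vulnerable_command(upload_name):
    """Hypothetical 'before': the name is spliced into a command string that
    is later run through a shell. A name such as 'x.log; id' terminates the
    intended mv and runs a second command with the daemon's privileges."""
    return "mv %s/%s %s" % (INCOMING_DIR, upload_name, UPLOAD_DIR)


def commands_a_shell_would_run(cmdline):
    """Split a command line at unquoted ';' the way /bin/sh would, to show how
    many commands the string above really contains. Nothing is executed."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=";")
    lexer.whitespace_split = True
    commands, current = [], []
    for token in lexer:
        if token == ";":
            commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


def is_safe_upload_name(upload_name):
    """True only for names that match the allow-list above."""
    return _SAFE_NAME.fullmatch(upload_name) is not None


def safe_argv(upload_name):
    """Hypothetical 'after': validate the name, then build an argv list. With
    shell=False each element reaches execve() verbatim, so ';', '|', '$(...)'
    and quotes in a name are just bytes in a path, never shell syntax."""
    if not is_safe_upload_name(upload_name):
        raise ValueError("rejected upload name: %r" % (upload_name,))
    return ["mv", os.path.join(INCOMING_DIR, upload_name), UPLOAD_DIR]


def move_upload(upload_name):
    """Run the hardened command; returns the exit status of mv."""
    return subprocess.run(safe_argv(upload_name), shell=False,
                          check=False).returncode


if __name__ == "__main__":
    for name in ("report.log", "x.log; id"):
        print(name, "->", commands_a_shell_would_run(vulnerable_command(name)))
        print(name, "accepted by allow-list:", is_safe_upload_name(name))
```

The allow-list does double duty: rejecting a leading '-' keeps the name from being parsed as an option by whatever tool receives it, and rejecting '/' and '..' keeps it inside the upload directory. Validation alone is not enough, though; the argv list is what removes the shell from the path entirely.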
Bug Fixes
Reference Number (Device, Area): Issue Description
1165060 (ESM, Alarms): Alarms would show [object object] as the default values on the Destination User filter.
1168000 (ESM, Database): Resolved an issue where the open file handle count would reach 0 even though files were open.
1162839 (ESM, System Properties): Emails would fail to send if TLS and authentication were both enabled.
1145767 (ESM, System Properties): Resolved an error that occurred when writing out the global blacklist.
1148185, 1155206 (REC, Collectors): Resolved an issue where the eStreamer collector restarted several times a day.
1123046, 1164203, 1124250 (ELM, Redundant): Partial rsync files would accumulate in /tmp and not be cleaned up.
1168001 (ELM, Database): ELM could incorrectly calculate the disk space remaining and remove partitions to free up space.
1157788 (ACE, Correlation): Correlation rules would not trigger when using a "contains" clause that had Japanese characters in the target string.
Enhancements
None listed.
9.6.0 MR7
Bug Fixes
Reference Number (Device, Area): Issue Description
1159852, 1150148, 1132610 (ESM, Backup & Restore): Addressed an issue where restoring the configuration would fail with an ERCELM device.
9.6.0 MR6
Bug Fixes
Reference Number (Device, Area): Issue Description
1150709 (ESM, Views): Queries with an * in the Sig ID field would return incorrect results.
1155797, 1161496 (ESM, Upgrade): Upgrading the ESM would take longer than expected if Accumulator indexing is enabled.
1141615, 1151613 (ESM, Reports): Device filters would not be retained for certain queries.
1148814, 1150322 (ESM, UI): The Email recipients list for the "Send Message" action of Alarms would be displayed incorrectly.
1155390 (ESM, Views): Resolved an issue where cases assigned to a user that were part of a NOT IN filter remained in the "other" category.
1156995 (Receiver, Collector): The mount collector would pull files smaller than 256 bytes repeatedly even if they hadn't changed.
1153672 (ESM, Policy): The historical correlation filter protocol field would allow too many characters.
1156879 (ESM, Filters): Queries for views or reports with a regex in the filters might not return.
1145221, 1147161, 1145199 (ESM, External API): Modified caseAddCase and caseEditCase to allow event IDs to be added or edited.
1149350 (ESM, Views): Resolved an issue where queries with "or" conditions in the filter would not return results.
1150479 (ESM, Users & Groups): The Users and Groups dialog would not load if the initial password prompt was cancelled.
1134164, 1156141, 1149815 (ESM, Other): NSM Sensors auto refresh would fail with "ErrMsg=Ok, Result: The session is invalid".
1152567 (Receiver, Collector): The mount collector would fail when the source directory contained many tens of thousands of files.
Enhancements
Reference Number (Device, Area): Issue Description
1154800 (Database, Other): Decreased ESM shutdown time for systems that have a large number of alert partitions.
9.6.0 MR5
Reference Number (Device, Area): Issue Description
1153182 (ESM, Distributed): When adding devices to a distributed ESM, they would not be automatically refreshed on the parent system tree.
1083558 (ESM, Alarms): Occasionally alarms would show in the triggered alarm view but not in the alarm pane.
1099227, 1149635 (ESM, Other): Source passwords for Watch lists were not encrypted in the database.
1124573, 1141208, 1146734 (Receiver, Collector): The Curl Collector would not pull events as frequently as it was configured to.
1129072 (ESM, Distributed): Pulling packets from the child ESM could result in malformed data (ER1010).
1133676, 1115503 (ESM, Distributed): When exporting data sources in a distributed ESM model, they would sometimes be duplicated.
1134437, 1139544 (ESM, Alarms): Certain alarm actions would show up twice in alert details.
1135203 (ESM, Distributed): Device type filters for Distributed ESM were not correctly saved after upgrade.
1136220, 1126080, 1137745, 1142554, 1147442 (ELM, Archive): In some cases the ELM archive would fail to retrieve logs for aggregated events.
1139440 (ESM, Reports): Non-Admin users would not be able to see reports created by others even when sufficient access had been granted.
1141625 (ESM, Data Source): SCP test connect could fail when thousands of files exist in the remote directory.
1144598, 1150298 (ESM, Distributed): Pulling events would time out if the ESM was more than one day behind on retrievals.
1145128 (ESM, Other): Modified string handling techniques for some APIs.
1145415, 1146564 (Receiver, High Availability): Improved error reporting in the process that verifies the hi_bit in ha_conf.
1146200, 1143324 (ESM, Alarms): Triggered alarm views would not show acknowledged alarms when logged in as a non-NGCP user.
1146734 (Receiver, Collector): Improvements to the curl collector.
1147939 (ESM, Backup & Restore): "Last backup success" dates were incorrectly using the last differential backup date.
1150509 (ESM, Views): Table components would return no results with "or" filters and certain fields in "Select" statements.
1151844 (ESM, External API): Selecting 159 fields through the External API would result in an error.
1152306 (ESM, Policy): When filtering by "Tag", all rules would be returned.
1152666 (ESM, Redundant): A redundant ESM is now able to pull packets and ELM logs.
1152670 (ESM, Other): When viewing triggered alarms, not all alarms would show.
1153168 (Database, Other): Improved the process of moving data partitions on the ESM.
1155287, 1155527, 1156135, 1152883 (ESM, Rules): Rule updates could fail while checking for new MTIS threats.
9.6.0 MR4
Reference Number (Device, Area): Issue Description
1128533 (ESM, VA Source): Testing the connection on a Critical Watch FusionVM Vulnerability Assessment Source with a Server URL could result in "VAER1 HTTP Error: Not Found".
1134390 (ESM, Other): Processing cyber threat feeds could have resulted in an access violation message being logged to /var/log/messages.
1141609 (ESM, ELM Search): ELM Search downloads would not work for non-admin users.
1142567 (ESM, Distributed): Event pulls would time out when the ESM was days behind on retrievals.
1144316 (ESM, Events): When drilling down on IOC events, event data would not populate in the details tab.
1145946 (ESM, Data Source): Writing out data sources failed for receivers with multiple data sources if one of the data sources was an ACE.
1147443 (Database, Other): Improved error handling for a theoretical data sorting failure.
1150257, 1150303 (ESM, Other): Fixed a memory leak associated with Risk Score.
9.6.0 MR3
Reference Number (Device, Area): Issue Description
1126931 (ESM, Data Sources): Updated the test connect functionality for SCP data sources to use the select system call to ensure the socket is ready for reading and writing before performing I/O operations.
1131039 (ESM, Security): Modified the location to check for view permissions so that group permissions set in earlier releases persist.
1135480 (ESM, Logging): Resolved an issue where the "updated column" for flow retrieval logs would show a negative number.
1135975 (ESM, ELM): Increased the timeout for ElmDBStop to allow the ELM to start up automatically when there are large storage pools.
1137345 (ESM, Backup/Restore): After a redundant ESM (RESM) failover, more than one day of data was backed up and could run out of disk space.
1141908 (ESM, Data Source): Modified the check for duplicate data sources when a data source is created so that the new data source is not included in the list of existing data sources.
1143015 (ESM, Database): A failed move of a single partition could prevent all subsequent partition moves, which caused the disk to run out of space.
1144259 (ESM, Database): The root directory ran out of space due to an error message being repeatedly written to NitroError.Log.
1137625 (ESM, Views): A view with Domain and SigID filters would load slowly.
1135719 (ESM, Database): The Log table reported a negative record count after an index rebuild.
1140155 (ESM, Other): A ref lock was not being released in some exception cases.
1141098 (ESM, Database): Move Points being set "at 0" would cause partitions to be deleted or moved to archive early.
1119516 (ESM, Correlation): Improved error handling to detect corrupt records and continue processing the next record.
1119042 (ESM, Views): Export View queries would be generated multiple times.
1123564 (ESM, Database): The Alert table would close down while dbserver was running.
1130691 (ESM, Rules): Modification of a rule did not always show the correct regular expressions.
1129167 (ESM, Data Source): ER15 upon editing a Generic Data Source if the user does not have administrator rights.
1130040 (ESM, Events): Event Forwarding would not work when using non-default date format user settings.
1136891 (ESM, Data Source): Passwords for data source profiles were not being encrypted.
1133088 (ESM, Collectors): A Syslog-ng Client DS would not route correctly if its hostname contained an underscore character ("_").
1131849 (ESM, Filters): ER 15 when opening the filter list with limited privileges.
1133119 (ESM, Backups): Incremental backup would not start from the last good backup.
1129511 (ESM, Other): Assets without IP addresses were being pulled from ePO but should not be.
1135427 (ESM, Rules): ASP Rule Editor: the number of PCREs went beyond the limit, but the ASP Rule Editor GUI said the opposite.
1135713 (ESM, Other): An I/O lock occurred on the SSD file system when reaching a certain I/O load on the ESM X6/X4.
1136836 (ESM, Redundant): Event details for a query that ran on a redundant ESM were not correct.
1138122 (ESM, Filters): Report Device filters would always show "Physical Display".
1140849 (ESM, Other): The GUI hung due to a thread lock not being released.
1108436 (Receiver, Collectors): Syslog relay would not honor Hostname plus Port.
1131861 (Receiver, Collectors): Amazon CloudTrail event logs were larger than the collector and msgwrite could handle.
1138885 (Receiver, Parsers): The Advanced Syslog Parser (ASP) would stop parsing data after a SIEM upgrade if, prior to the upgrade, there were only Custom ASP Rules and the Rules were ordered.
1123294 (Receiver, Data Sources): The Receiver could not write out data sources when client data sources had the same IP but different ports.
1116394 (ELM, Other): Duplicate archive IDs for ELM logs would cause incorrect raw logs to appear in the UI with some events.
1123010 (ELM, Bloom): The ELM indexing queue would get filled up with duplicate files.
1123077 (ELM, Database): Increasing the size of the management database failed with an error that there is not enough disk space even though there was enough disk space.
1133051 (ELM, Bloom): Could not modify an ELM Storage Pool; "List index (0) out of bounds" error in the ELM's /var/log/messages.
1137612 (ELM, Bloom): elmdbrebuild would fail after upgrade from 9.4.2 to 9.6.0.
1136298, 1136296, 1136295, 1135926 (Device, Inserts): Resolved an issue where pulling events could result in a success message when zero events were pulled.
1137088, 1136604, 1135458 (ESM, Data Source): An auto-learned data source would not be removed from the auto-learn file when being removed from the list.
Installation instructions
For new installation instructions, please refer to the following document.
Task
1. Go to the ServicePortal at https://support.mcafee.com and click the Knowledge Center tab.
2. In the Knowledge Base pane under Content Source, click Product Documentation.
3. Select a product and version, then click Search to display a list of documents.