What's new

The current release of the product includes these enhancements and changes.

New Microsoft product support

  • Microsoft Windows 10 Fall Creators Update
  • Microsoft Windows Server 2016 RS3

Installation, upgrade, and migration enhancements

VSCore 15.7 with InstallAll — Deploys all kernel-level drivers that products using VSCore require to provide security services, such as regulating access to registries, processes, and memory. This prevents incompatibilities between older and newer versions of drivers.

Endpoint Security Package Designer update — Adds the ability to select executable files to include in custom deployment packages. (McAfee ePO on-premise only)

Migration Assistant update — Adds the ability to migrate the Network IPS configuration in McAfee Host IPS, whether it's enabled, and how long to retain blocked hosts. (McAfee ePO on-premise only)

Support for Endpoint Upgrade Assistant 1.5 — McAfee® Endpoint Upgrade Assistant is a McAfee ePO extension that simplifies and automates the tasks required to upgrade. It analyzes the endpoints in a McAfee ePO environment, detects the supported McAfee products that are installed, and determines the minimum requirements for upgrading to current versions of the products. (McAfee ePO on-premise only)

Use the Endpoint Upgrade Assistant to simplify the upgrade planning and preparation time, reduce required reboots and uninstall failures, and create and track the status of deployment tasks. Use the Upgrade Automation feature to upgrade all supported McAfee products with a single deployment task.

For customers who do not use McAfee ePO for deployments, the new release adds the ability to upgrade using the Endpoint Upgrade Assistant. The new Package Creator tool creates product installers for deployment with third-party tools. For help using the Endpoint Upgrade Assistant and Package Creator, see PD27281.

Common enhancements

  • Adds the option to select a language for activity logging.
  • Adds the ability to set the size of an event database from 50–999 MB. The default is 50 MB.
  • Adds the ability to include the certificate of a third-party application as a trusted process through McAfee ePO.

Threat Prevention — Exploit Prevention enhancements

Expert Rules — Provides additional parameters and allows much more flexibility than the custom rules you create in the Access Protection policy. Expert Rules are text-based custom rules that you create in the Exploit Prevention policy in Threat Prevention. Threat Prevention enforces Expert Rules on the client system the same as any other rule.

Exploit Prevention includes two types of Expert Rules:

  • AAC-based rules — Protect files, processes, and registry items.
  • McAfee Host IPS-based rules — Prevent buffer overflow and illegal API use, and protect Windows Services.

Best practice: Before writing Expert Rules, familiarize yourself with the Tcl programming language and with the McAfee proprietary syntax that Expert Rules use.

For more information about Expert Rules, including syntax structures and examples, see PD27227.

For videos about how to use Expert Rules, see KB89677.

Network IPS — Monitors network activity to protect client systems from threats. The Network IPS protection filter driver inspects all data that flows between the client system and the network and takes specified actions on known attacks.

Network IPS also enables you to automatically block network intruder hosts for a specified period, even if the action for the Network IPS signature isn't set to Block. You can see the list of blocked hosts in the Endpoint Security Client in the Exploit Prevention category under Threat Prevention settings.

New protection signatures — The Exploit Prevention content includes the following new signatures, which you can manage in the Signatures section of the Exploit Prevention policy:

| Signature ID | Description | Type |
|---|---|---|
| 1157 | USB Storage Device Inserted | Registry |
| 6088 | Microsoft Office DLL planting vulnerability | File |
| 6089 | Microsoft Office DLL side load vulnerability | File |
| 6093 | Microsoft Office OneNote DLL side load vulnerability | File |
| 6094 | Adobe Acrobat Reader DLL side load vulnerability | File |

Threat Prevention — On-Access Scan enhancements

On-access scan update — Adds the option to disable read/write scanning of Shadow Copy volumes for system users. By default, this option is not selected.

Scan email attachments update — The Scan email attachments option is now called Detect suspicious email attachments.

Adaptive Threat Protection enhancements

Real Protect sensitivity — Adds the ability to configure the sensitivity level to use with client-based scanning when determining whether a file matches known malware.

Updated components

  • VSCore
  • SysCore
  • AMCore

    AMCore Content 3125 or greater is required.

  • McAfee Agent 5.0.6
  • McAfee Anti-Malware Engine 5900