What's new

The current release of the product includes these enhancements and changes.

New Microsoft product support

  • Microsoft Windows 10 Fall Creators Update
  • Microsoft Windows Server 2016 RS3

Installation, upgrade, and migration enhancements

VSCore 15.7 with InstallAll — Deploys all kernel-level drivers that the products using VSCore require to provide security services, for example, regulating access to registries, processes, and memory. This prevents incompatibilities between older and newer versions of drivers.

Common enhancements

  • Adds the option to select a language for activity logging.
  • Adds the ability to set the size of an event database from 50 MB to 999 MB. The default is 50 MB.
  • Adds the ability to include the certificate of a third-party application as a trusted process through McAfee ePO.

Threat Prevention — Exploit Prevention enhancements

Expert Rules — Provides additional parameters and allows much more flexibility than the custom rules you create in the Access Protection policy. Expert Rules are text-based custom rules that you create in the Exploit Prevention policy in Threat Prevention. Threat Prevention enforces Expert Rules on the client system the same as any other rule.

Exploit Prevention includes two types of Expert Rules:

  • AAC-based rules — Protect files, processes, and registry items.
  • McAfee Host IPS-based rules — Prevent buffer overflow and illegal API use, and protect Windows Services.

Best practice: Before writing Expert Rules, familiarize yourself with the Tcl programming language and the McAfee proprietary syntax that Expert Rules use.

For more information about Expert Rules, including syntax structures and examples, see PD27227.

For videos about how to use Expert Rules, see KB89677.

Network IPS — Monitors network activity to protect client systems from threats. The Network IPS protection filter driver inspects all data that flows between the client system and the network and takes specified actions on known attacks.

Network IPS also enables you to automatically block network intruder hosts for a specified period, even if the action for the Network IPS signature isn't set to Block. You can see the list of blocked hosts in the Endpoint Security Client in the Exploit Prevention category under Threat Prevention settings.

New protection signatures — The Exploit Prevention content includes the following new signatures, which you can manage in the Signatures section of the Exploit Prevention policy:

Signature ID | Description | Type
1157 | USB Storage Device Inserted | Registry
6088 | Microsoft Office DLL planting vulnerability | File
6089 | Microsoft Office DLL side load vulnerability | File
6093 | Microsoft Office OneNote DLL side load vulnerability | File
6094 | Adobe Acrobat Reader DLL side load vulnerability | File

Threat Prevention — On-Access Scan enhancements

On-access scan update — Adds the option to disable read/write scanning of Shadow Copy volumes for system users. By default, this option is not selected.

Scan email attachments update — The Scan email attachments option is now called Detect suspicious email attachments.

Adaptive Threat Protection enhancements

Real Protect sensitivity — Adds the ability to configure the sensitivity level to use with client-based scanning when determining whether a file matches known malware.

Updated components

  • VSCore
  • SysCore
  • AMCore

    AMCore Content 3125 or greater is required.

  • McAfee Agent 5.0.6
  • McAfee Anti-Malware Engine 5900