What's new

The current release of the product includes these enhancements and changes.

Microsoft product support

  • Microsoft Windows 10, version 1803
  • Microsoft Windows Server 2016, version 1803

Threat Prevention enhancements

  • Enhances protection against script-based threats by integrating with the Antimalware Scan Interface (AMSI) feature, provided by Microsoft and supported on Windows 10 and Windows Server 2016 systems.

    By default, AMSI integration is in Observe mode. AMSI scanning events report malicious scripts to the server, but no action is taken. Disable Observe mode to actively block these threats.

  • Adds command-line parameter details for events triggered by Exploit Prevention rules to distinguish false positives from real attacks.
  • Adds the ability to exclude IP addresses from Network IPS.
  • Extends the ability to identify high-risk and low-risk processes. You can now enter full file paths, file paths with wildcard for files (*) and file paths with wildcard for multi-level directories (**), in addition to the existing support for file names.
  • Provides the ability to manage Access Protection settings on Linux systems.
  • The Scan email attachments option is now called Detect suspicious email attachments.
  • This release includes the following new Access Protection rules:
    McAfee-defined rule Description Default setting Benefits
    Doppelganging attacks on processes Prevents "Process Doppelgänging" attacks from changing processes.



    Prevents malware from loading and executing arbitrary code in the context of legitimate or trusted processes.
    Executing Windows Subsystem for Linux

    Prevents an Administrator user from running the Windows Subsystem for Linux (WSL).

    Note: This rule was introduced in Endpoint Security 10.5.3, but was missing from the documentation.



    Prevents malware designed for Linux systems from attacking Windows computers.

Firewall enhancements

  • Adds the option to specify whether to block or allow traffic by default if the McAfee® Global Threat Intelligence™ (McAfee GTI) ratings server is not available.
  • File queries to McAfee GTI are now SHA-256 instead of MD5. Endpoint Security continues to support MD5 for policy configuration and reporting.

Web Control enhancements

  • Adds the ability to run Internet Explorer in extension-off mode with the -extoff command-line option.

    Previously, a Self Protection rule blocked Internet Explorer users from using InPrivate browsing and the -extoff switch.

  • Adds behavior that allows files to be downloaded from blocked sites if the reputation for the file indicates that it isn't malicious.
  • Adds support for Firefox version 56 and later and multi-process architecture (E10S).
  • File queries to McAfee GTI are now SHA-256 instead of MD5. Endpoint Security continues to support MD5 for policy configuration and reporting.

Adaptive Threat Protection enhancements

  • Adds the ability to control scanning network drives using the new Scan processes started from network drives Adaptive Threat Protection setting. Previously, Adaptive Threat Protection used the On network drives setting from Threat Prevention On-Access Scan.
  • Adds the ability to run client-based Real Protect scanning offline, without requiring connectivity to McAfee GTI or the McAfee® Endpoint Security Adaptive Threat Protection (ATP) server.
  • Adds the ability to download Real Protect scanner updates, when available, through content updates. This allows you to keep your protection up to date regardless of what Endpoint Security version you're using.
  • Provides the ability to manage Adaptive Threat Protection settings on Mac systems.
  • The Enable Observe mode option is now disabled by default.
  • File queries to McAfee GTI are now SHA-256 instead of MD5. Endpoint Security continues to support MD5 for policy configuration and reporting.
  • The Real Protect scanner and Dynamic Application Containment now protect systems against trusted processes that load untrusted DLLs after processes are created.

Documentation available at docs.mcafee.com

You can now access the latest documentation for McAfee Business Products online at docs.mcafee.com. This new portal collects all documentation for products released since mid-2016 and will be the ongoing library for Business Product Documentation.

  • Search — Search across all guides for McAfee Business Products. Quickly narrow results with category filters (product, version, guide type).
  • All device access — Access the site from any device (mobile, tablet, desktop, etc.).
  • Always up to date — Know that you are always reading the most current version of a document.
  • PDFs available — Save as much of a guide as you need in PDF format, whether a single page, a section of pages, or an entire guide.
  • Share with colleagues — Easily share links to individual topic pages.

McAfee product support

This release adds support for McAfee® Endpoint Security for Servers. Endpoint Security for Servers monitors and controls the load of hypervisors for Virtual Desktop Infrastructure (VDI) and virtual servers. It works with Threat Prevention to minimize the performance impact of resource-intensive tasks like on-demand scan.