What's new in the 10.7 release

Releases can introduce new features and enhancements or update platform support.

This release of McAfee® Endpoint Security contains improvements and fixes, including:

  • Enhanced remediation capabilities
  • Increased context for fileless threat detections
  • Enhanced protection against fileless attack methods
  • Support for on-demand scan from the command line and improved scanning performance

Caution: Upgrading from the beta version of Endpoint Security 10.7 is not supported. To install the production release of the software, you must first uninstall the beta version.

New features

This release introduces new features or improves existing features.

Installation and upgrade
  • Advanced Detection and Remediation extension — View Story Graph and remediation data reported by the Advanced Detection and Remediation extension that's now included in the Endpoint Security installation package. The Story Graph is a visual representation of events leading up to a detected threat.
  • Endpoint Security Package Designer enhancements — Create separate installation packages for 32-bit and 64-bit versions of the product, and create installation packages that include McAfee® Endpoint Security Adaptive Threat Protection (ATP).

    Adaptive Threat Protection requires McAfee® Endpoint Security Threat Prevention.

    Endpoint Security Package Designer now supports trimming future updates of Endpoint Security 10.7.0.

  • Support for case sensitivity — Allow Microsoft Windows to correctly manage mixed-case file and folder names. You can check and change this attribute setting in Windows. It's disabled by default.

    On systems running Windows 10 October 2018 Update or later, you must make sure that the case-sensitivity attribute is disabled for folders where you want to install the product software. Once Endpoint Security is installed or upgraded, Endpoint Security folders are protected against being set as case sensitive to make sure that this setting does not prevent product updates and upgrades.

    All product features in each module protect and exclude files and folders in a case-insensitive manner, but use the correct case for reporting events.
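
The pre-install check described above, as an added PowerShell example that is not part of the McAfee documentation: it runs the Windows `fsutil.exe file queryCaseSensitiveInfo` command against each folder and fails if the attribute is not confirmed disabled. The folder path is a placeholder, and matching the English words "enabled" and "disabled" in the fsutil output is an assumption about the display language.

```powershell
# Added example (not McAfee code): report the NTFS case-sensitivity attribute
# for the folders you plan to install into.
param(
    # Placeholder path: replace with your intended installation folders.
    [string[]]$Path = @('C:\Path\To\InstallFolder')
)

function Get-CaseSensitivityState {
    param([Parameter(Mandatory)][string]$Directory)

    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) {
        # A folder that does not exist yet has no attribute to check.
        return [pscustomobject]@{ Directory = $Directory; State = 'NotFound'; Raw = '' }
    }

    $raw = (& fsutil.exe file queryCaseSensitiveInfo $Directory 2>&1 | Out-String).Trim()

    # Assumption: English-language fsutil output that names the state as
    # "enabled" or "disabled". Anything else is reported as Unknown.
    $state = 'Unknown'
    if ($LASTEXITCODE -ne 0)            { $state = 'QueryFailed' }
    elseif ($raw -match '\bdisabled\b') { $state = 'Disabled' }
    elseif ($raw -match '\benabled\b')  { $state = 'Enabled' }

    [pscustomobject]@{ Directory = $Directory; State = $state; Raw = $raw }
}

$results = $Path | ForEach-Object { Get-CaseSensitivityState -Directory $_ }
$results | Format-Table Directory, State -AutoSize

# Fail the check unless every existing folder is confirmed case-insensitive.
$blocking = @($results | Where-Object { $_.State -notin 'Disabled', 'NotFound' })
if ($blocking.Count -gt 0) {
    $blocking | ForEach-Object { Write-Warning "$($_.Directory): $($_.State) $($_.Raw)" }
    exit 1
}
```

To clear the attribute on a folder that reports Enabled, use `fsutil.exe file setCaseSensitiveInfo <folder> disable`, then rerun the check.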

Endpoint Security Platform
  • On-demand scan logging — During on-demand scans, all scanned files can now be logged when this feature is enabled. This feature is disabled by default.
  • Endpoint Security logging — Format improvements were made to standardize the Endpoint Security logs.

Threat Prevention
  • On-demand scan command line interface — Start, stop, pause, resume, and get status for all types of on-demand scans (quick, full, and custom) from the command line or as part of a batch file.
  • Custom on-demand scan command line interface — Run a previously defined custom on-demand scan with new settings, without changing the original custom scan setting.
  • Update command line interface — Update the scan engine, AMCore content, and Exploit Prevention from the command line or as part of a batch file.
  • On-demand scan CPU throttling — Configure the maximum percentage of CPU (25% – 100%, default is 80%) that all types of on-demand scans (quick, full, and custom) consume when scanning files.

    This feature is disabled by default and available only when Scan anytime is selected. It's an alternative to using the System utilization setting. CPU throttling always uses THREAD_PRIORITY_IDLE threads for the least possible impact to other programs.

  • Choosing when to scan — Configure the on-access scanner to bypass trust logic and examine all files when writing to disk, reading from disk, or both with the new Let me decide option.

    For the best performance, enable the Let McAfee Decide option.

  • Expert Rules enhancements
    • REGVAL_DATA — You can use this MATCH_type value to control or filter the data being written or changed in a registry value.
    • Next_Process_Behavior — You can use this command to create behavioral rules to block a specific sequence of actions.
    • AggregateMatch — You can use this command to create a list of values to match in a rule, so you can use the same data without having to rewrite the values.

For information about the latest Exploit Prevention content, see the McAfee Exploit Prevention Security Content Release Notes.

Web Control
  • Browser support — Microsoft Edge is now a supported browser on systems running Windows 10 Creators Update (15063) and later.

Adaptive Threat Protection
  • Enhanced Real Protect script scanning — Support for the Anti-Malware Scanning Interface (AMSI) enables ATP technologies, including Real Protect, to detect threats on supported events such as PowerShell. For more information about the file types that AMSI supports, see How AMSI helps you to defend against malware. This feature is enabled by default.
  • Enhanced remediation capabilities — Monitor the behavior of processes with a reputation of Unknown and below, and their children, tracking all changes that the processes make to the system.

    As the process runs, the ATP scanner and Real Protect scanner inspect it. After a limited period, if the scanners don't detect malicious behavior, enhanced remediation stops monitoring the process.

    If a monitored process exhibits malicious behavior, enhanced remediation stops the process, its children, and ancestors, and rolls back the changes that it made, restoring the system as close as possible to its original state before the process ran. Files created by the convicted process are deleted. To roll back the changes and restore the files, however, you must enable Monitor and remediate deleted and changed files.

    This feature is enabled by default and only available when Clean when reputation threshold reaches is enabled.

  • Enhanced protection against fileless attack methods — Detect and protect against fileless, dual-use, and living-off-the-land attacks using ATP rules, the Real Protect scanner, and Real Protect script scanning integration with AMSI.
  • Increased context for ATP detections — View ATP detection details in the Story Graph. The Story Graph provides context for the events leading up to a detected threat, allowing you to see why ATP thinks the activity is malicious and what actions led to the conviction.

    Drill down from an event in the McAfee® ePolicy Orchestrator® (McAfee® ePO™) Threat Event Log to review the event's Story Graph.

  • Reputation source configuration — Configure the source for file reputation information. For example, you can use only McAfee® Global Threat Intelligence™ (McAfee GTI) even if the McAfee® Threat Intelligence Exchange (TIE) server is reachable.

    The option for using McAfee GTI for file reputation information if the TIE server isn't reachable has been renamed. Three options are now available in the new Reputation Source drop-down list in the Adaptive Threat Protection Options policy:

    • Use McAfee GTI if the TIE server is not reachable
    • Use Only the TIE server
    • Use Only McAfee GTI

    Your selected option is retained across upgrades and compatible with pre-10.7 extensions and client systems.

  • Updated Real Protect architecture — McAfee now delivers Real Protect and other scanner updates in AMCore Content updates.

For information about the latest ATP content, see the McAfee TIE and ATP Security Content Release Notes.

Updated platform, environment, or operating system support

This release extends support to additional platforms, environments, or operating systems.

  • The minimum McAfee ePO version for this release is 5.9.0.

For a complete list of current platform, environment, or operating system support, and the build numbers for this release, see KB82761.