McAfee MVISION EDR 3.3.0 Release Notes (On-premises)

This McAfee® MVISION Endpoint Detection and Response 3.3.0 (On-premises) release includes new features and enhancements.

Every update release is cumulative and includes all features and fixes from the previous release.

Release details

Component                             Version
MVISION EDR Client                    3.3.0.625
MVISION EDR Client Extension          3.3.0.625
MVISION EDR Extension                 3.3.0.1
MVISION EDR Endpoint Snapshot Tool    6.5.0.5
MVISION EDR Rules                     3.3.0.368

Updated platform, environment, or operating system support

MVISION EDR Client is now compatible with:

  • SUSE Linux Enterprise Server 15
  • SUSE Linux Enterprise Server 15 SP1
  • RHEL 7.8, 8.0, 8.1, and 8.2
  • Ubuntu 18.04
  • CentOS 8.0, 8.1, and 8.2

Layer 7 visibility

In the Monitoring dashboard, when you select a network connection event, the Event details card of the Process Activity pane shows the following Layer 7 network information:

  • URL
  • Verb
  • Header Request
  • Header Response

You can also see URL and Verb information in the Network Connections filter in the Historical Search dashboard.

Tamper protection

The new tamper protection feature allows an administrator to configure a policy that prevents users from uninstalling the MVISION EDR client unless they supply an uninstallation password.

Note: This feature is supported only on Microsoft Windows.

Improved visibility of events generated by Endpoint Protection

This release improves visibility and handling of events generated by McAfee Endpoint Security and McAfee MVISION Endpoint, so that threats or alerts related to endpoint protection (EPP) events are easier to detect.

Trace and network plug-in disabled by default

When the MVISION EDR Client is installed, the Trace and NetworkFlow plug-ins are disabled by default until MVISION EDR receives a policy from McAfee ePO that enables them. The Default policy already has these two plug-ins enabled.

MITRE ATT&CK® Techniques

This release improves visibility into new procedures associated with the following MITRE ATT&CK® techniques:

Technique ID   Description
T1003          OS Credential Dumping
T1010          Application Window Discovery
T1016          System Network Configuration Discovery
T1021          Remote Services
T1032          Encrypted Channel
T1033          System Owner/User Discovery
T1053          Scheduled Task/Job
T1055          Process Injection
T1056.004      Input Capture: Credential API Hooking
T1057          Process Discovery
T1069          Permission Groups Discovery
T1070          Indicator Removal on Host
T1070.004      Indicator Removal on Host: File Deletion
T1086          Command and Scripting Interpreter: PowerShell
T1087          Account Discovery
T1106          Native API
T1113          Screen Capture
T1135          Network Share Discovery
T1543.003      Create or Modify System Process: Windows Service
T1546.011      Event Triggered Execution: Application Shimming
T1547.001      Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1548.002      Abuse Elevation Control Mechanism: Bypass User Account Control
T1555.003      Credentials from Password Stores: Credentials from Web Browsers
T1559.002      Inter-Process Communication: Dynamic Data Exchange
T1562.001      Impair Defenses: Disable or Modify Tools
T1569.002      System Services: Service Execution
T1574.001      Hijack Execution Flow: DLL Search Order Hijacking

Important: Most of the Client's visibility features are accessible from the UI or used for new detections in the MVISION EDR 3.3 release. Some capabilities will be released in upcoming cloud releases and weekly updates.

Resolved issues

This release resolves the following known issues.

Reference   Resolved issue
SEC-34850   Trace Scanner still running even after disabling the plug-in.
SEC-34739   Ignore Application Paths from Quarantine for Windows (and macOS) policy changes are not saved in the Client extension on MVISION ePO.
SEC-34237   Action Chrono worker thread doesn't detect exceptions in actions. This causes the mfemvedr.exe process to crash.
SEC-34129   TDM Rule 107 is not working for some binaries.
SEC-33847   MVISION EDR crash: APPLICATION_FAULT_NULL_CLASS.
SEC-33846   System Info plug-in crash.
SEC-33774   MVISION EDR doesn't inject processes with Cairo and HC DLLs.
SEC-33757   Process Exclusion on Trace is not applying.
SEC-33163   Samples are not stopped and removed manually.
SEC-33103   Update File Hashing Exclusions.
SEC-32957   Folder C:\Program Files\McAfee\MAR\tools\phoenix\temp consumes more than 30 GB of hard drive space.
SEC-32792   MVISION EDR client crashes continuously and trace communication stops.
SEC-32786   MVISION EDR memory leak continues even when the parent process has already stopped.
SEC-32458   Content update is shown as successful in UI when it fails to update.
SEC-32088   MVISION EDR causes high CPU usage.
SEC-31956   Windows Performance Analyzer crashes when opening WPA event trace log (ETL) files.
SEC-31720   MVISION EDR upgrade doesn't always remove old data and it doesn't update the registry key related to Content data.
SEC-31663   MVISION EDR Client fails to add traces to database.
SEC-30793   Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mfemvedr.exe is not protected.
SEC-30288   When a fake process instance that creates three child processes is started and then tries to kill the process tree, more than four processes are killed.
SEC-29955   Enable triggers checkbox should not be visible in McAfee ePO policy. MVISION EDR has no triggers.
SEC-29762   In cases of Full shutdown and Resume from standby, there is a considerable performance impact with MVISION EDR and McAfee Endpoint Security.
SEC-29728   In Real-time Search, DNSCache collector returns no results when the nslookup command fails on Linux.
SEC-29401   Binaries for MVISION EDR client have outdated copyright strings.
SEC-29383   Process Injection detection is not triggered using MSF Mimikatz extension.
SEC-29382   Lack of API hooking visibility with rundll32.
SEC-29374   Trace enabled prevents download of VMware workstation file from software center.
SEC-28943   Fix Coverity Findings.
SEC-28437   MVISION EDR Rules are automatically deployed when Unattended Content Updates is disabled.
SEC-28418   WinRegistry queries fail to execute.
SEC-27489   VM Map tool reports two Write/Read/Execute pages.
SEC-26852   AAC errors are reported continuously on macOS machines with MVEDR installed.
SEC-25872   Files collector fields related to creation, change, and deletion of files are empty for Linux.
SEC-25652   When a user edits an MVISION EDR policy, the product name on the policy edit page should be MVISION EDR and not MVISION EDR:MVEDR__META.
SEC-25550   Quarantine action doesn't get applied to an offline machine after it comes back online.
SEC-25444   MVISION EDR policy shows a blank page when adding a custom quarantine message containing double quotes.
SEC-24976   Performance issue related to WMI when using MVISION EDR.
SEC-19181   HostInfo collector does not return macOS endpoint status as Quarantined.
SEC-17877   VNC connection is not working after End Quarantine reaction in macOS Mojave.
SEC-36169   Duplicate core object error prevents phoenix tool from taking a snapshot.

Known issues

For a list of known issues in this product release, see KB91275.

Important: On SUSE Linux Enterprise 15, netstat from the net-tools package is deprecated. To run the CurrentFlow Collector, you must install the net-tools-deprecated package.

This might also apply to other Linux distributions that no longer include the net-tools package by default.

Installation information

The MVISION Endpoint Detection and Response Installation Guide has the information you need to install the product for the first time and to migrate from McAfee® Active Response.

Important: macOS File Hashing exclusions have changed. See the information below.

If you install MVISION EDR 3.3.x Client extension on McAfee ePO for the first time:

  • The default MVISION EDR policy already includes the new exclusions.

If you upgrade to MVISION EDR 3.3.x Client Extension on McAfee ePO:

  • File Hashing exclusions are added only to the default MVISION EDR policy.
  • File Hashing exclusions are not merged into the editable default policy. You have to merge the new exclusions into your default policy yourself.
  • Custom policies are not updated automatically. You have to add the new File Hashing exclusions to your custom policies manually.

New exclusions added only for macOS

Folders:

  • /System/Volumes/Data/
  • /usr/local/McAfee/

File Extensions:

  • .png
  • .jpg
  • .jpeg
  • .hpp
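Because upgraded custom policies do not receive these exclusions automatically, a quick way to audit them is to compare a policy's exclusion lists against the macOS entries listed above. The following is an added example, not McAfee's code: the policy representation (a dict with "folders" and "extensions" lists) and the function names are constructed assumptions, not the product's export format or API.

```python
"""Audit and merge the MVISION EDR 3.3.0 macOS File Hashing exclusions.

Added example (not McAfee's code). The policy dict layout below is a
constructed assumption; adapt the two list lookups to your own export.
"""

# The macOS exclusions added in this release (taken from the list above).
NEW_MACOS_FOLDERS = ["/System/Volumes/Data/", "/usr/local/McAfee/"]
NEW_MACOS_EXTENSIONS = [".png", ".jpg", ".jpeg", ".hpp"]


def _norm_folder(path: str) -> str:
    """Normalise a folder exclusion: strip whitespace, exactly one trailing slash."""
    return path.strip().rstrip("/") + "/"


def _norm_ext(ext: str) -> str:
    """Normalise an extension exclusion: lower-case, exactly one leading dot."""
    return "." + ext.strip().lower().lstrip(".")


def missing_macos_exclusions(policy: dict) -> dict:
    """Return the 3.3.0 macOS exclusions that a custom policy still lacks.

    Comparison uses normalised values, so '/usr/local/McAfee' matches
    '/usr/local/McAfee/' and '.PNG' matches '.png' instead of being
    reported (and later added) as a duplicate.
    """
    have_folders = {_norm_folder(p) for p in policy.get("folders", [])}
    have_exts = {_norm_ext(e) for e in policy.get("extensions", [])}
    return {
        "folders": [f for f in NEW_MACOS_FOLDERS if _norm_folder(f) not in have_folders],
        "extensions": [e for e in NEW_MACOS_EXTENSIONS if _norm_ext(e) not in have_exts],
    }


def merge_macos_exclusions(policy: dict) -> dict:
    """Return a copy of the policy with only the missing exclusions appended.

    Existing entries are kept verbatim, so the merge is idempotent:
    running it a second time adds nothing.
    """
    gap = missing_macos_exclusions(policy)
    return {
        **policy,
        "folders": list(policy.get("folders", [])) + gap["folders"],
        "extensions": list(policy.get("extensions", [])) + gap["extensions"],
    }


if __name__ == "__main__":
    # Constructed sample: a pre-3.3 custom policy that already has one new entry.
    custom = {"name": "macOS servers", "folders": ["/usr/local/McAfee"],
              "extensions": [".PNG", ".log"]}
    print(missing_macos_exclusions(custom))
    print(merge_macos_exclusions(custom))
```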