McAfee MVISION EDR Release Notes (Cloud) - December 2020 release

This McAfee® MVISION Endpoint Detection and Response - Cloud December 2020 release includes new features and enhancements.

Every update release is cumulative and includes all features and fixes from the previous release.

Improved visibility of PowerShell events

MVISION EDR provides visibility of PowerShell commands or script blocks executed in a PowerShell console or script (.ps1).

The default events collected can be reduced through filtering according to customer value through content changes. To enable the collection of all events without filters, there is a new configuration option:

  1. Log on to MVISION EDR as administrator.
  2. Go to the Configuration page.
  3. Under Finetune configuration, select Customize data to collect.
  4. Select the Enable verbose collection of CLI & Script content checkbox.
  5. Enter your Device and Period, then click Save.

In the Monitoring dashboard, a new Script Executed event type has been added to the Process Activity pane. When you select this event, in the Event details pane, you can click the Show all link to display a list of Intentions that could be attributed to the script mapped to the specific Code line. You can also export this information to your local host by clicking Export to CSV.

In the Historical Search dashboard, a new CLI & Script Content bucket displays information about the PowerShell command executed:

  • Date
  • Process ID
  • Content Analysis
  • Interpreter

In the Content Analysis column, you can click the Show all link to display a list of Intentions and Code line. You can also export this information to your device by clicking Export to CSV.

Improved visibility of events in the Process Activity pane

In the Monitoring dashboard, the visualization of events in the Process Activity pane has been significantly improved. You can see the most relevant activity that provides evidence for the Techniques Observed and Suspicious Indicators in the Threat Behavior pane.

New icons have been added to the Process Activity pane to improve visibility of the following events:

  • API Call
  • Image Loaded
  • DNS Query
  • Windows Management Instrumentation

Mapping of Techniques Observed and Suspicious Indicators

In the Monitoring dashboard, MVISION EDR maps Techniques Observed and Suspicious Indicators to specific events in the Process Activity pane to understand the evidence that supports the behavior described for a threat. This helps you understand which events have triggered the Suspicious Indicator and the reason behind the activity being monitored.

You can select any Technique Observed or Suspicious Indicator from the Threat Behavior pane to filter the events that triggered them and clearly identify the events in the Process Activity pane Sequential View, Time View, or Table View.

Filter events by Severity in Process Activity pane

When you select a threat in the Monitoring dashboard, the most relevant activity that evidence the threat behavior is displayed by default in the Process Activity pane.

A new filter called Severity has been added to Filter events in the Process Activity pane. You can filter events by Severity or Event Type.

Severity levels:

  • High severity threats are displayed in red.
  • Medium severity threats are displayed in orange.
  • Low severity threats are displayed in yellow.
  • Other severity threats are displayed in blue.

Next to each severity filter, you can see the total number of events with High, Medium, Low, or Other severity.

High, Medium and Low severity levels are selected and displayed by default. You can also select Other if you want to see the complete list of threats and get a wider context for investigation.

Colors assigned to threat severity levels in Process Activity pane

In the Monitoring dashboard, threat severity levels are color-coded. This color indicator helps you easily identify the high severity events that require immediate attention.

The Process bar is also color-coded. This bar represents the process execution and it links the events generated by the process. It always has the color of the event with the highest severity in it.

Color-coded threat levels
Color Threat level
Red High
Orange Medium
Yellow Low
Blue Events with no severity

Visibility of Windows Registry key and Process Hollowed events

In the Process Activity pane of the Monitoring dashboard, you can see Registry Key and Process Hollowed events to give you more context and information related to the threat.

You have full visibility of:

  • Registry Keys Created and Registry Keys Deleted events.
  • Process Hollowed events which are displayed as Injection events.

Improvements and changes in the Historical Search dashboard

This release includes the following changes and improvements in the Historical Search dashboard:

  • Include and Exclude filters have been improved to support Exact, Starts with, and Contains filter options. Now you can use Starts with and Exact filters for searches over the whole retention period, while Contains limits the search to a 24-hour period.
    Note: Not all columns in each bucket are searchable.
  • The Service Changed bucket is now called Services.

    A new Action column has been added to indicate when Services are Started or Stopped.

  • The Scheduled Task Changed bucket is now called Scheduled Tasks.

    A new Action column has been added to indicate when Windows scheduled tasks are Created, Deleted, Disabled, Launched, or Modified.

  • The User Logon Activities bucket includes the following new columns:

    • Success
    • Workstation Name
    • Source IP
    • Source Port

  • The name of the File bucket changed to Executable Files.
  • A new Non Executable Files bucket displays file events that are not Portable Executables, scripts, or file archives. The following information is displayed:

    • Date
    • Activity
    • MD5/SHA-256
    • File Name
    • Process ID
    • Original Name
    • File Extension
    • Path
    • Size (Bytes)

Improved Loaded DLLs events in Historical Search

In the Historical Search dashboard, the Loaded DLLs bucket has been improved to provide more information about the modules in the selected event. The following information is displayed:

  • Date
  • Process ID
  • Loaded Modules

In the Loaded Modules column, you can click the Show all DLLs link to display the complete list of modules with the following information:

  • Load Time
  • Module
  • Path
  • SHA-256

You can also export this information to your local host by clicking Export to CSV.

Visibility of Windows API Call events

In the Historical Search dashboard, a new API Calls bucket displays information about Windows APIs used by processes monitored by MVISION EDR.

The following information is displayed:

  • Date
  • Process ID
  • API name
  • Arguments
  • Result
  • Module
  • Target PID
  • Data

Removal of VirusTotal integration

VirusTotal has been removed as a threat intelligence source for guided investigations. To enhance reputation for FQDN and files, MVISION EDR translates McAfee GTI reputation scores to human readable reputation.

Installation information

The MVISION Endpoint Detection and Response Installation Guide has all the information you need to install the product for the first time and to migrate from McAfee® Active Response.

Known issues

For a list of known issues in this product release, see KB91275.