What's new

McAfee® MVISION Endpoint Detection and Response (MVISION EDR) is security software that allows you to detect, investigate, and contain threats. You can access MVISION EDR from McAfee® MVISION ePO (MVISION ePO) or McAfee® ePolicy Orchestrator® (McAfee® ePO™).

Alerting dashboard

You can now click any alert in the new Alerting dashboard to view the details of the alert, information about the device where the alert was triggered, and the user of that device.

Command line and user information

When reviewing alerts or detections from the Alerting or Historical Search dashboards, you can quickly view the command line and user of the process that triggered it.

Integrate new threat detections into your preferred SIEM tool through syslog

You can now feed detections from MVISION EDR into your SIEM tool by configuring your McAfee® Enterprise Security Manager (McAfee ESM) to consume standard syslog messages. To do this, download the code from https://github.com/mcafee/mvision-edr-activity-feed and configure it in your environment. You can also contribute to this project and share code for integrations with other products.

Improved error management in the Real-time Search dashboard

When you run an incorrect search from the Real-time Search dashboard, the system reports errors. You can now view the details of those errors and the devices affected by them, and take corrective action so that the search succeeds.

Seven-day SKU retention period enforcement for historical search data

Customers who purchased the basic SKU, which entitles them to a seven-day retention period, can now access only up to 30 days of threat data as well as historical search data.

New response actions available from Real-time Search dashboard

You can now take more actions on endpoints from the Real-time Search dashboard. These actions are classified into remediation, containment, and investigation.

  • For remediation, you can perform these actions:
    • Delete Folder — Deletes a selected folder or folders on the system.
    • Delete Registry Value — Deletes a Windows Registry value in a specified registry key path.
    • Execute Reboot OS — Reboots the endpoint's operating system without warning the user.
    • Remove File — Deletes files from endpoint file systems.
    • Remove File Safe — Before deleting a file, validates whether the file is trusted or not to avoid impact on endpoints, using the Validation and Trust Protection (VTP) service. For more information about VTP, see the McAfee Endpoint Security 10.6.0 Product Guide.
  • For containment, you can perform these actions:
    • Execute Shutdown OS — Shuts down the endpoint's operating system.
    • Execute User Logoff — Logs off a user, specified by user name.
    • Kill Process — Kills a process on endpoints by passing the process ID, file hash, process name, and file path.
    • Kill Process Tree — Kills a process and all its subprocesses by passing the process ID.
    • Schedule Reboot — Schedules a system reboot for a specified day and time.
  • For investigation, you can perform these actions:
    • Dump process to file — Generates a memory dump of a given process into a file.

Create custom collector using the Catalog dashboard

You can now use the Catalog dashboard to create or delete collectors. This extends the capabilities of real-time search, which security analysts use to collect information from endpoints. You can write collectors in Bash, PowerShell, Python, or Visual Basic.

Create custom reaction using the Catalog dashboard

You can now use the Catalog dashboard to create or delete reactions. This allows you to create custom script-based actions that can be executed on one or more endpoints.

Export real-time search results

You can use the Export option in the Real-time Search dashboard to export the results of a real-time search to a .csv file and analyze them offline using third-party tools.

Publish update to potential threat detections in Activity Feed

Events are now generated when a new threat is detected and when the severity of an existing threat changes, so you can monitor these updates in your SIEM tool.

User interface improvements

These are the key user interface improvements throughout the different dashboards:

  • The Process Details panel in the Monitoring dashboard can be collapsed to provide more space to view process activity and threat behavior.
  • Long, truncated descriptions in Artifacts Details on the Investigating dashboard are now easier to read. A copy-to-clipboard option has been added to the descriptions for command lines and for hashes such as MD5, SHA-1, and SHA-256.

Contextual menu in trace chart in Monitoring dashboard

Assets displayed in the sequential view of process activity now include links that help you pivot and search in real time for the presence of that asset in your environment.

Quarantine status in Monitoring dashboard

You can now see the status of the endpoint to understand if a host is quarantined.

Setting confidence threshold

You can customize the threshold to fine-tune the number of attention-worthy threats.

Display detections in the Historical Search dashboard

You can quickly identify detections and alerts that occurred on a device at a specific time.

Visibility on user accounts

You can now view all user-related events on the Historical Search dashboard.

Improvements on action history

You can now query remediation and other actions performed in the past, so you can review the remediation history and compare previous and current remediation plans.