What's new

New features

This release of Network Security Platform does not include any new features.

Enhancements

This release of Network Security Platform includes the following enhancements:

Update Server Infrastructure change

Previously, Network Security Platform used menshen1.intruvert.com as its Update Server to access the software images and signature set from the Manager. Starting with this release, nspupdate.mcafee.com is used as the Update Server in Network Security Platform for all software images and signature set updates.

Callback detector enhancements

With this release, the callback detector files are available in the McAfee Update Server. Going forward, you must download the latest callback detectors from the McAfee Network Security Update Server to the Manager. The Download Callback Detectors page displays the latest 10 versions of the callback detectors.

To view the Download Callback Detectors page, go to Manager > <Admin Domain Name> > Updating > Download Callback Detectors.

For more information on callback detectors, see Download Callback Detectors in McAfee Network Security Platform 9.1.x Product Guide.

Removal of alert processing scripts

After a Manager upgrade, all new alerts are populated in the updated schema tables. The alerts and packet logs that were available in the Manager prior to the upgrade are still available in the database with 'tmp_' prefixed to them. Previously, these alerts and packet logs were not accessible and had to be manually converted to the new schema before they could be added back to the Manager. This was accomplished by running the Alertproc_offline_1.sql and Alertproc_offline_2.sql scripts.

Starting with this release, the Manager installer will automatically merge the older alerts and packet logs to the updated schema. Therefore, manual conversion of the older alerts and packet logs using Alertproc_offline_1.sql and Alertproc_offline_2.sql scripts is no longer required.

Log file for database admin tool

With this release of 9.1, a new log file, dbadmin.log, is added in the App folder. This file logs information related to database admin tool activities such as alert archival, alert restore, database backup, database restore, database tuning, database purging, and password changes.

The database admin tool is available in the Manager server at C:\Program Files\McAfee\Network Security Manager\App\bin\dbadmin.bat.

The dbadmin.log file is available at:

Windows based Manager: C:\Program Files\McAfee\Network Security Manager\App

Linux based Manager: /opt/NetworkSecurityManager/App/bin

Note: For a Linux based Manager, the dbadmin.log file logs data when you execute the scripts dbrestore.sh, dbBackup.sh, purge.sh, passwordchange.sh, and InfoCollector.sh.

For more information on log files, see System Log Files in McAfee Network Security Platform 9.1.x Product Guide.

Terminology update in UI and CLI command

This release contains the following terminology update in both UI and CLI commands to keep up with the global standard:

| Navigation Path | Prior to 9.1.7.83 | 9.1.7.83 and later |
|---|---|---|
| Analysis > Threat Explorer | Blacklisted/Whitelisted under the Executable Classification column in the Top Executables table | Blocked/Allowed under the Executable Classification column in the Top Executables table |
| Analysis > Malware Files | Blacklist column under Individual Engine Confidence column | Block column under Individual Engine Confidence column |
| | Manage Whitelist and Blacklist | Manage allow and block lists |
| Analysis > Network Forensics | Under Suspicious Flows Panel > Suspicious activity indicators > Blacklisted executable | Under Suspicious Flows Panel > Suspicious activity indicators > Blocked executable |
| Analysis > Endpoint Executables | Manage Whitelist and Blacklist | Manage allow and block lists |
| | Blacklisted/Whitelisted under the Classification column | Blocked/Allowed under the Classification column |
| | Double-click on an alert and go to EIA Details tab. Local Classification: Blacklisted/Whitelisted. | Double-click on an alert and go to EIA Details tab. Local Classification: Blocked/Allowed. |
| Analysis > Attack Log (Note: Only for alerts with files and domains in them.) | Click Other Actions > Create Exception > Blacklist File Hash: <hash file> or double-click on an alert and go to Details tab. Select Blacklist. | Click Other Actions > Create Exception > Block File Hash: <hash file> or double-click on an alert and go to Details tab. Select Block. |
| | Click Other Actions > Create Exception > Whitelist File Hash: <hash file> or double-click on an alert and go to Details tab. Select Whitelist. | Click Other Actions > Create Exception > Allow File Hash: <hash file> or double-click on an alert and go to Details tab. Select Allow. |
| Policy > Intrusion Prevention > Exceptions > File Hash Exceptions | Whitelisted Hashes | Allowed Hashes |
| | Take Action - Move selected hashes to blacklist; Move all hashes to blacklist | Take Action - Move selected hashes to block list; Move all hashes to block list |
| | Import - On selecting, Import Whitelisted Hashes dialog is displayed. | Import - On selecting, Import Allowed Hashes dialog is displayed. |
| | Export Whitelist | Export Allowed |
| | Blacklisted Hashes | Blocked Hashes |
| | Take Action - Move selected hashes to whitelist; Move all hashes to whitelist | Take Action - Move selected hashes to allow list; Move all hashes to allow list |
| | Import - On selecting, Import Blacklisted Hashes is displayed. | Import - On selecting, Import Blocked Hashes is displayed. |
| | Export Blacklist | Export Block List |
| Policy > Intrusion Prevention > Exceptions > Domain Name Exceptions | Callback Detection Whitelist | Callback Detection Exclusions |
| | Import - On selecting, Import Whitelisted Domains dialog is displayed. | Import - On selecting, Import Allowed Domains dialog is displayed. |
| | IPS Inspection Whitelist | IPS Inspection Exclusions |
| Policy > Intrusion Prevention > Policy Types > Advanced Malware Policies | New or an existing policy - Blacklist and Whitelist column under the Scanning Options section. | New or an existing policy - Allow and Block Lists column under the Scanning Options section. |
| Policy > Intrusion Prevention > Policy Types > Inspection Option Policies | Domain Name Whitelist Processing under tab Inspection Options > Advanced Callback Detection | Domain Name Exclusion List Processing under tab Inspection Options > Advanced Callback Detection |
| | Blacklisted Text under tab Inspection Options > Web Server - Heuristic Analysis | Blocked Text under tab Inspection Options > Web Server - Heuristic Analysis |

| NTBA CLI Commands | Prior to 9.1.3.65 | 9.1.3.65 and later |
|---|---|---|
| deinstall | Whitelist and blacklist sync information is reset to default. | Allowlist and blocklist sync information is reset to default. |
| resetconfig | Whitelist and blacklist sync information is reset to default. | Allowlist and blocklist sync information is reset to default. |
| show endpointintelligence details | Total auto-classified white executables | Total auto-classified allowed executables |
| | Total auto-classified black executables | Total auto-classified blocked executables |
| | Total connections by blacklisted executables | Total connections by blocked executables |
| | Total connections by whitelisted executables | Total connections by allowed executables |
| | Total connections by cert whitelisted executables | Total connections by cert allowed executables |
| | Total connections by GTI whitelisted executables | Total connections by GTI allowed executables |
| | Total connections by GTI blacklisted executables | Total connections by GTI blocked executables |
| | Total connections by Raptor blacklisted executables | Total connections by Raptor blocked executables |
| | [Whitelist and Blacklist] | [Allow and Block List] |
| | Last Whitelist and Blacklist update time | Last Allowlist and Blocklist update time |
| | Total user blacklisted executables | Total user blocked executables |
| | Total user whitelisted executables | Total user allowed executables |
| | GTI whitelisted executable events to NSM | GTI allowed executable events to NSM |
| | GTI blacklisted executable events to NSM | GTI blocked executable events to NSM |
| | Cert whitelisted executable events to NSM | Cert allowed executable events to NSM |
| | Blacklisted executable alerts | Blocked executable alerts |
| | Whitelisted executable alerts | Allowed executable alerts |

For more information on Allow and Block List, see McAfee Network Security Platform 9.1.x Product Guide.