What's new

New features

This release of Network Security Platform does not include any new features.

Enhancements

This release contains the following enhancements:

Gateway Anti-Malware for an air gapped network

Previously, the Gateway Anti-Malware software initialization in the Sensors required an active connection to a public or private GTI server. Hence, the Gateway Anti-Malware engine could not be updated in an air gapped network. Starting with this release of 9.2, the Sensor software is enhanced to initialize the Gateway Anti-Malware updates in an air gapped network without an active connection to the GTI server.

You can enable Gateway Anti-Malware update in an air gapped network by executing the set gam-airgap-network enable command in the Sensor CLI and then rebooting the Sensor for the change to take effect.

Note: The Gateway Anti-Malware update for an air gapped network must be enabled before pushing Gateway Anti-Malware updates from the Manager to the Sensor.

To view the status of the Gateway Anti-Malware update in an air gapped network, execute the show gam-airgap-network status command in the Sensor CLI.

You can view the Gateway Anti-Malware version in the Manager under Devices > <Admin Domain Name> > Devices > <Device Name> > Setup > GAM Updating.

For more information about Gateway Anti-Malware for an air gapped network, see Malware engine updates in McAfee Network Security Platform 9.2.x Product Guide.

Gateway Anti-Malware version 2019

With this release of 9.2, Gateway Anti-Malware version 2019 is supported for both automatic and manual updates. Gateway Anti-Malware version 2019 version 0 is supported on Manager version 9.2.9.60 and above and Sensor version 9.2.5.190 and above.

With Manager version 9.2.9.60 and above, depending on the 9.2 Sensor software version, the Gateway Anti-Malware update server downloads the appropriate Gateway Anti-Malware version.

The following table describes the Gateway Anti-Malware versions supported:

Manager | Sensor | Gateway Anti-Malware engine version
9.2.9.60 or later | 9.2.5.190 or later | 2019 version 0
9.2.7.22 till 9.2.9.59 | 9.2.5.27 till 9.2.5.189 | 2017 version 3
9.2.7.22 or later | 9.2.5.6 till 9.2.5.26 | 2017 version 1
9.2.7.9 (or any 9.2 Manager hotfix before 9.2.7.22) | 9.2.5.6 or later | NA
9.2.7.22 or later | 9.1.5.40 or later | 2017 version 1
9.2.7.22 or later | 9.1.5.9 till 9.1.5.40 | 2014
Pre-9.2.7.9 | 9.2.5.6 or later | NA

You can view the Gateway Anti-Malware version in the Manager under Devices > <Admin Domain Name> > Devices > <Device Name> > Setup > GAM Updating.

For more information, see Gateway Anti-Malware update in McAfee Network Security Platform 9.2.x Product Guide.

Update Server Infrastructure change

Previously, Network Security Platform used menshen1.intruvert.com as its Update Server to access the software images and signature set from the Manager. Starting with this release, nspupdate.mcafee.com is used as the Update Server in Network Security Platform for all software images and signature set updates.

Callback detector enhancements

With this release of 9.2, the callback detector files are available in the McAfee Update Server. Going forward, you must download the latest callback detectors from the McAfee Network Security Update Server to the Manager. The Download Callback Detectors page displays the latest 10 versions of the callback detectors.

To view the Download Callback Detectors page, go to Manager > <Admin Domain Name> > Updating > Download Callback Detectors.

For more information on callback detectors, see Download Callback Detectors in McAfee Network Security Platform 9.2.x Product Guide.

Removal of alert processing scripts

After a Manager upgrade, all new alerts are populated in the updated schema tables. The alerts and packet logs that existed before the upgrade were not accessible and had to be manually converted to the new schema before they could be added back to the Manager. This was done by running the Alertproc_offline_1.sql and Alertproc_offline_2.sql scripts. The alerts and packet logs that were in the Manager before the upgrade remain in the database with a tmp_ prefix.

Starting with this release, the Manager installer will automatically merge the older alerts and packet logs to the updated schema. Therefore, manual conversion of the older alerts and packet logs using Alertproc_offline_1.sql and Alertproc_offline_2.sql scripts is no longer required.

Log file for database admin tool

With this release of 9.2, a new log file, dbadmin.log, is added to the App folder. This log file records information about database admin tool activities such as alert archival, alert restore, database backup, database restore, database tuning, database purging, and password changes.

The database admin tool is available in the Manager server at C:\Program Files\McAfee\Network Security Manager\App\bin\dbadmin.bat.

The dbadmin.log file is available at:

Windows-based Manager: C:\Program Files\McAfee\Network Security Manager\App

Linux-based Manager: /opt/NetworkSecurityManager/App/bin

Note: For a Linux-based Manager, the dbadmin.log file logs data when you execute the scripts dbrestore.sh, dbBackup.sh, purge.sh, passwordchange.sh, and InfoCollector.sh.

For more information, see System Log Files in McAfee Network Security Platform 9.2.x Product Guide.

Terminology update in UI and CLI command

This release contains the following terminology update in both UI and CLI commands to keep up with the global standard:

Navigation Path | Prior 9.2.9.60 | 9.2.9.60 and later
Analysis > Threat Explorer | Blacklisted/Whitelisted under the Executable Classification column in the Top Executables table | Blocked/Allowed under the Executable Classification column in the Top Executables table
Analysis > Malware Files | Blacklist column under the Individual Engine Confidence column | Block column under the Individual Engine Confidence column
Analysis > Malware Files | Manage Whitelist and Blacklist | Manage allow and block lists
Analysis > Network Forensics | Under Suspicious Flows Panel > Suspicious activity indicators > Blacklisted executable | Under Suspicious Flows Panel > Suspicious activity indicators > Blocked executable
Analysis > Endpoint Executables | Manage Whitelist and Blacklist | Manage allow and block lists
Analysis > Endpoint Executables | Blacklisted/Whitelisted under the Classification column | Blocked/Allowed under the Classification column
Analysis > Endpoint Executables | Double-click on an alert and go to the EIA Details tab. Local Classification: Blacklisted/Whitelisted. | Double-click on an alert and go to the EIA Details tab. Local Classification: Blocked/Allowed.
Analysis > Attack Log (Note: only for alerts with files and domains in them.) | Click Other Actions > Create Exception > Blacklist File Hash: <hash file>, or double-click on an alert, go to the Details tab, and select Blacklist. | Click Other Actions > Create Exception > Block File Hash: <hash file>, or double-click on an alert, go to the Details tab, and select Block.
Analysis > Attack Log (Note: only for alerts with files and domains in them.) | Click Other Actions > Create Exception > Whitelist File Hash: <hash file>, or double-click on an alert, go to the Details tab, and select Whitelist. | Click Other Actions > Create Exception > Allow File Hash: <hash file>, or double-click on an alert, go to the Details tab, and select Allow.
Policy > Intrusion Prevention > Exceptions > File Hash Exceptions | Whitelisted Hashes | Allowed Hashes
Policy > Intrusion Prevention > Exceptions > File Hash Exceptions | Take Action: Move selected hashes to blacklist; Move all hashes to blacklist | Take Action: Move selected hashes to block list; Move all hashes to block list
Policy > Intrusion Prevention > Exceptions > File Hash Exceptions | Import: on selecting, the Import Whitelisted Hashes dialog is displayed. | Import: on selecting, the Import Allowed Hashes dialog is displayed.
Policy > Intrusion Prevention > Exceptions > File Hash Exceptions | Export Whitelist | Export Allowed
Policy > Intrusion Prevention > Exceptions > File Hash Exceptions | Blacklisted Hashes | Blocked Hashes
Policy > Intrusion Prevention > Exceptions > File Hash Exceptions | Take Action: Move selected hashes to whitelist; Move all hashes to whitelist | Take Action: Move selected hashes to allow list; Move all hashes to allow list
Policy > Intrusion Prevention > Exceptions > File Hash Exceptions | Import: on selecting, the Import Blacklisted Hashes dialog is displayed. | Import: on selecting, the Import Blocked Hashes dialog is displayed.
Policy > Intrusion Prevention > Exceptions > File Hash Exceptions | Export Blacklist | Export Block List
Policy > Intrusion Prevention > Exceptions > Domain Name Exceptions | Callback Detection Whitelist | Callback Detection Exclusions
Policy > Intrusion Prevention > Exceptions > Domain Name Exceptions | Import: on selecting, the Import Whitelisted Domains dialog is displayed. | Import: on selecting, the Import Allowed Domains dialog is displayed.
Policy > Intrusion Prevention > Exceptions > Domain Name Exceptions | IPS Inspection Whitelist | IPS Inspection Exclusions
Policy > Intrusion Prevention > Policy Types > Advanced Malware Policies | New or existing policy: Blacklist and Whitelist column under the Scanning Options section | New or existing policy: Allow and Block Lists column under the Scanning Options section
Policy > Intrusion Prevention > Policy Types > Inspection Option Policies | Domain Name Whitelist Processing under the Inspection Options > Advanced Callback Detection tab | Domain Name Exclusion List Processing under the Inspection Options > Advanced Callback Detection tab
Policy > Intrusion Prevention > Policy Types > Inspection Option Policies | Blacklisted Text under the Inspection Options > Web Server - Heuristic Analysis tab | Blocked Text under the Inspection Options > Web Server - Heuristic Analysis tab

CLI Command | Prior 9.2.5.190 | 9.2.5.190 and later
CLI command in debug mode | show wb stats | show ab stats

For more information on Allow and Block List, see McAfee Network Security Platform 9.2.x Product Guide.

IPS CLI enhancements

The following new Sensor CLI commands are available from this release:

Normal Mode

CLI Command | Description
set gam-airgap-network | Configures Gateway Anti-Malware engine initialization in the Sensor within an air gapped network. After executing this command, a Sensor reboot is required for the changes to take effect.
show gam-airgap-network status | Displays the availability of Gateway Anti-Malware engine initialization for the Sensor in an air gapped network.

Debug Mode

CLI Command | Description
reset-gam-update | Deletes the Gateway Anti-Malware engine related data in the Sensors.

For more information, see CLI commands in McAfee Network Security Platform 9.2.x Product Guide.

SSH communication with the Sensor

Previously, the SSH service in the Sensor supported RSA, DSA, and ECDSA keys without enforcing a HostKeyAlgorithm. Starting with this release, the SSH service in the Sensor generates only ECDSA keys and enforces ecdsa-sha2-nistp256 as the HostKeyAlgorithm. McAfee requires that all remote machines be configured to support this, to avoid SSH connection failures to a Sensor running this image.

McAfee-modified OpenSSH v7.8p1 is configured to support only the following:

  • Ciphers: aes256-ctr, aes128-ctr, aes256-gcm@openssh.com, and aes128-gcm@openssh.com
  • MACs: hmac-sha2-256 and hmac-sha2-512
  • KexAlgorithms: ecdsa-sha2-nistp256
  • HostKeyAlgorithms: ecdsa-sha2-nistp256
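As an added check (not part of these release notes or of McAfee's tooling), the following POSIX shell script queries the local OpenSSH client with ssh -Q for the ciphers, MACs and host-key algorithms it supports, reports whether each category has at least one algorithm in common with the Sensor's restricted set above, and prints an ssh_config stanza that pins a client to that set. It assumes an OpenSSH client that supports the -Q query (6.3 or later); the host name passed to it is a placeholder.

```shell
# Added example (not McAfee's code): check that the local OpenSSH client can
# still negotiate with a Sensor restricted to the algorithm set listed above.
SENSOR_CIPHERS="aes256-ctr aes128-ctr aes256-gcm@openssh.com aes128-gcm@openssh.com"
SENSOR_MACS="hmac-sha2-256 hmac-sha2-512"
SENSOR_HOSTKEYS="ecdsa-sha2-nistp256"

# common_algos SENSOR_LIST CLIENT_LIST: print the names present in both lists
# (whitespace-separated, in Sensor order). SSH needs at least one shared name
# per category, so return 1 when the intersection is empty.
common_algos() {
  _common=""
  for _want in $1; do
    for _have in $2; do
      [ "$_want" = "$_have" ] && { _common="$_common $_want"; break; }
    done
  done
  [ -n "$_common" ] || return 1
  printf '%s\n' "${_common# }"
}

# check_client: ask the installed ssh (ssh -Q) what it supports per category
# and report whether a common cipher, MAC and host-key algorithm exists.
check_client() {
  command -v ssh >/dev/null 2>&1 || { echo "ssh client not found" >&2; return 2; }
  _rc=0
  for _pair in "cipher:$SENSOR_CIPHERS" "mac:$SENSOR_MACS" "key:$SENSOR_HOSTKEYS"; do
    _cat=${_pair%%:*}
    _have=$(ssh -Q "$_cat" | tr '\n' ' ')
    if _ok=$(common_algos "${_pair#*:}" "$_have"); then
      echo "$_cat: OK ($_ok)"
    else
      echo "$_cat: no algorithm in common with the Sensor" >&2; _rc=1
    fi
  done
  return $_rc
}

# sensor_ssh_config HOST: print an ssh_config stanza that pins the client to
# the Sensor's host-key algorithm, ciphers and MACs (HOST is a placeholder).
sensor_ssh_config() {
  printf 'Host %s\n' "$1"
  printf '    HostKeyAlgorithms %s\n' "$(echo "$SENSOR_HOSTKEYS" | tr ' ' ',')"
  printf '    Ciphers %s\n' "$(echo "$SENSOR_CIPHERS" | tr ' ' ',')"
  printf '    MACs %s\n' "$(echo "$SENSOR_MACS" | tr ' ' ',')"
}
```

Source the file, then run check_client on the machine that will connect to the Sensor, or sensor_ssh_config <sensor-host> to generate a stanza for ~/.ssh/config.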

Updated platform, environment, or operating system support

This release extends support to the following additional platforms, environments, or operating systems.

MariaDB database upgrade

Previously, the Network Security Manager used MariaDB version 10.3.22 or lower as the database. Starting with this release of 9.2, the Network Security Manager uses MariaDB version 10.3.27 with a collection of vulnerability fixes and bug fixes.

Azul Zulu Java upgrade

Previously, the Network Security Manager used Azul Zulu Java version 1.8.0_242 or lower. Starting with this release of 9.2, the Network Security Manager uses Azul Zulu Java version 1.8.0_275, which includes fixes for previously known issues and security fixes.

Apache Tomcat server upgrade

Starting with this release of 9.2, the Tomcat server used in the Network Security Manager is upgraded. This server update provides a collection of security fixes.

Discontinued features

This release no longer supports the following features:

vNSP solution for VMware NSX

Starting with this release, the vNSP solution for VMware NSX is deprecated.

Note:
  • McAfee recommends that you do not create Virtual IPS Sensors managed using Intel Security Controller in Manager version 9.2.9.60 or later.
  • On upgrading to Manager version 9.2.9.60 or later, you must delete the Virtual IPS Sensors managed using the Intel Security Controller in the Manager.

End-of-Life of fail-open switch models

The following fail-open switch models applicable to NS-series Sensors have reached End-of-Life.

Model no. | Fail-open switch | SKU
1 | Passive 1000Base-TX/Copper | IAC-CGFO-KT2
2 | Passive 1000Base-SX/MM Fibre | ITV-MMF1-NA-100
3 | Passive 10GBase-SR/62.5μm MM Fibre | IAC-MM62-KT1
4 | Passive 10GBase-SR/50μm MM Fibre | IAC-MM50-KT1
5 | Passive 1000Base-LX/SM Fibre | ITV-SMF1-NA-100
6 | Passive 10GBase-LR/SM Fibre | IAC-SMGB-KT1
7 | Active 1000Base-TX/Copper | IAC-CGAFO-KT2
8 | Active 1000Base-TX/Copper with SNMP | IAC-CGAFOS-KT2
9 | Active 1000Base-SX/62.5μm MM Fibre | IAC-62F1-KT7
10 | Active 1000Base-LX/8.5μm SM Fibre | IAC-85F1-KT7
11 | Active 10GBase-SR/MM Fibre | IAC-10FO-850X
12 | Active 10GBase-LR/SM Fibre | IAC-10FO-1310