What's new

New features

This release of Network Security Platform does not include any new features.

Enhancements

This release contains the following enhancements:

Update Server Infrastructure change

Previously, Network Security Platform used menshen1.intruvert.com as its Update Server to access the software images and signature set from the Manager. Starting with this release, nspupdate.mcafee.com is used as the Update Server in Network Security Platform for all software images and signature set updates.

Callback detector enhancements

With this release of 9.2, the callback detector files are available in the McAfee Update Server. Going forward, you must download the latest callback detectors from the McAfee Network Security Update Server to the Manager. The Download Callback Detectors page displays the latest 10 versions of the callback detectors.

To view the Download Callback Detectors page, go to Manager > <Admin Domain Name> > Updating > Download Callback Detectors.

For more information on callback detectors, see Download Callback Detectors in McAfee Network Security Platform 9.2.x Product Guide.

Removal of alert processing scripts

After a Manager upgrade, all new alerts are populated in the updated schema tables. The alerts and packet logs available in the Manager prior to the upgrade are still available in the database with a 'tmp_' prefix. Previously, these alerts and packet logs were not accessible and had to be manually converted to the new schema before being added back to the Manager. This was accomplished by running the Alertproc_offline_1.sql and Alertproc_offline_2.sql scripts.

Starting with this release, the Manager installer will automatically merge the older alerts and packet logs to the updated schema. Therefore, manual conversion of the older alerts and packet logs using Alertproc_offline_1.sql and Alertproc_offline_2.sql scripts is no longer required.

Log file for database admin tool

With this release of 9.2, a new log file, dbadmin.log, is added in the App folder. It records database admin tool activities such as alert archival, alert restore, database backup, database restore, database tuning, database purging, and password changes.

The database admin tool is available in the Manager server at C:\Program Files\McAfee\Network Security Manager\App\bin\dbadmin.bat.

The dbadmin.log file is available at:

Windows based Manager: C:\Program Files\McAfee\Network Security Manager\App

Linux based Manager: /opt/NetworkSecurityManager/App/bin

Note: For a Linux based Manager, the dbadmin.log file logs data when you execute the scripts dbrestore.sh, dbBackup.sh, purge.sh, passwordchange.sh, and InfoCollector.sh.

For more information on log files, see System Log Files in McAfee Network Security Platform 9.2.x Product Guide.

Terminology update in UI

This release contains the following terminology updates in the UI to keep up with the global standard:

| Navigation Path | Prior 9.2.9.60 | 9.2.9.60 and later |
|---|---|---|
| Analysis > Threat Explorer | Blacklisted/Whitelisted under the Executable Classification column in the Top Executables table | Blocked/Allowed under the Executable Classification column in the Top Executables table |
| Analysis > Malware Files | Blacklist column under Individual Engine Confidence column | Block column under Individual Engine Confidence column |
| | Manage Whitelist and Blacklist | Manage allow and block lists |
| Analysis > Network Forensics | Under Suspicious Flows Panel > Suspicious activity indicators > Blacklisted executable | Under Suspicious Flows Panel > Suspicious activity indicators > Blocked executable |
| Analysis > Endpoint Executables | Manage Whitelist and Blacklist | Manage allow and block lists |
| | Blacklisted/Whitelisted under the Classification column | Blocked/Allowed under the Classification column |
| | Double-click on an alert and go to EIA Details tab. Local Classification: Blacklisted/Whitelisted. | Double-click on an alert and go to EIA Details tab. Local Classification: Blocked/Allowed. |
| Analysis > Attack Log (Note: Only for alerts with files and domains in them.) | Click Other Actions > Create Exception > Blacklist File Hash: <hash file> or double-click on an alert and go to Details tab. Select Blacklist. | Click Other Actions > Create Exception > Block File Hash: <hash file> or double-click on an alert and go to Details tab. Select Block. |
| | Click Other Actions > Create Exception > Whitelist File Hash: <hash file> or double-click on an alert and go to Details tab. Select Whitelist. | Click Other Actions > Create Exception > Allow File Hash: <hash file> or double-click on an alert and go to Details tab. Select Allow. |
| Policy > Intrusion Prevention > Exceptions > File Hash Exceptions | Whitelisted Hashes | Allowed Hashes |
| | Take Action - Move selected hashes to blacklist; Move all hashes to blacklist | Take Action - Move selected hashes to block list; Move all hashes to block list |
| | Import - On selecting, Import Whitelisted Hashes dialog is displayed. | Import - On selecting, Import Allowed Hashes dialog is displayed. |
| | Export Whitelist | Export Allowed |
| | Blacklisted Hashes | Blocked Hashes |
| | Take Action - Move selected hashes to whitelist; Move all hashes to whitelist | Take Action - Move selected hashes to allow list; Move all hashes to allow list |
| | Import - On selecting, Import Blacklisted Hashes is displayed. | Import - On selecting, Import Blocked Hashes is displayed. |
| | Export Blacklist | Export Block List |
| Policy > Intrusion Prevention > Exceptions > Domain Name Exceptions | Callback Detection Whitelist | Callback Detection Exclusions |
| | Import - On selecting, Import Whitelisted Domains dialog is displayed. | Import - On selecting, Import Allowed Domains dialog is displayed. |
| | IPS Inspection Whitelist | IPS Inspection Exclusions |
| Policy > Intrusion Prevention > Policy Types > Advanced Malware Policies | New or an existing policy - Blacklist and Whitelist column under the Scanning Options section. | New or an existing policy - Allow and Block Lists column under the Scanning Options section. |
| Policy > Intrusion Prevention > Policy Types > Inspection Option Policies | Domain Name Whitelist Processing under tab Inspection Options > Advanced Callback Detection | Domain Name Exclusion List Processing under tab Inspection Options > Advanced Callback Detection |
| | Blacklisted Text under tab Inspection Options > Web Server - Heuristic Analysis | Blocked Text under tab Inspection Options > Web Server - Heuristic Analysis |

For more information on Allow and Block List, see McAfee Network Security Platform 9.2.x Product Guide.

SSH communication with the Sensor

Previously, the SSH service in the Sensor supported RSA, DSA and ECDSA keys without any enforcement of a HostKeyAlgorithm. Starting with this release, the SSH service in the Sensor will only generate ECDSA keys and enforce ecdsa-sha2-nistp256 as the HostKeyAlgorithm. McAfee requires that all remote machines be configured to support this, to avoid SSH connection failures to a Sensor running this image.

The McAfee-modified OpenSSH v7.8p1 is configured to support only the following:

  • Ciphers: aes256-ctr, aes128-ctr, aes256-gcm@openssh.com, and aes128-gcm@openssh.com
  • MACs: hmac-sha2-256 and hmac-sha2-512
  • KexAlgorithms: ecdsa-sha2-nistp256
  • HostKeyAlgorithms: ecdsa-sha2-nistp256
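
A client-side pre-check for the restriction above, as an added example that is not part of the McAfee release note: it compares the algorithm lists a management host's OpenSSH client reports with the Sensor's set and flags any category with no overlap. The function names are hypothetical, and the client lists are passed in as arguments (for instance from `ssh -Q cipher`, `ssh -Q mac` and `ssh -Q key`).

```shell
#!/bin/sh
# Added example (not McAfee code). Sensor-side values are copied from the
# list above, using OpenSSH's lowercase "@openssh.com" suffix.
SENSOR_CIPHERS="aes256-ctr aes128-ctr aes256-gcm@openssh.com aes128-gcm@openssh.com"
SENSOR_MACS="hmac-sha2-256 hmac-sha2-512"
SENSOR_HOSTKEYS="ecdsa-sha2-nistp256"
# The KexAlgorithms entry is not checked: the value listed is a host key type
# name, which `ssh -Q kex` does not report.

# common_algos SENSOR_LIST CLIENT_LIST
# Prints the Sensor algorithms the client also supports, in the Sensor's order.
common_algos() {
    out=""
    for want in $1; do
        for have in $2; do
            if [ "$want" = "$have" ]; then
                out="${out:+$out }$want"
                break
            fi
        done
    done
    printf '%s' "$out"
}

# report NAME SENSOR_LIST CLIENT_LIST
# Prints one OK/FAIL line; returns 1 when the two lists share nothing.
report() {
    match=$(common_algos "$2" "$3")
    if [ -n "$match" ]; then
        printf 'OK   %s: %s\n' "$1" "$match"
    else
        printf 'FAIL %s: client offers none of: %s\n' "$1" "$2"
        return 1
    fi
}

# check_client CLIENT_CIPHERS CLIENT_MACS CLIENT_HOSTKEYS
# Lists may be space or newline separated. Returns 0 only if every category
# overlaps, i.e. the client can negotiate a session with the Sensor.
check_client() {
    rc=0
    report Ciphers "$SENSOR_CIPHERS" "$1" || rc=1
    report MACs "$SENSOR_MACS" "$2" || rc=1
    report HostKeyAlgorithms "$SENSOR_HOSTKEYS" "$3" || rc=1
    return $rc
}

# On a management host:
#   check_client "$(ssh -Q cipher)" "$(ssh -Q mac)" "$(ssh -Q key)"
```

A FAIL line for HostKeyAlgorithms is the case this release introduces: a client limited to RSA or DSA host keys can no longer connect to the Sensor.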

Updated platform, environment, or operating system support

This release extends support to the following additional platforms, environments, or operating systems.

MariaDB database upgrade

Previously, the Network Security Manager used MariaDB version 10.3.22 or lower as the database. Starting with this release of 9.2, the Network Security Manager uses MariaDB version 10.3.27 with a collection of vulnerability fixes and bug fixes.

Azul Zulu Java upgrade

Previously, the Network Security Manager used Azul Zulu Java version 1.8.0_242 or lower. Starting with this release of 9.2, the Network Security Manager uses Azul Zulu Java version 1.8.0_275, which consists of fixes for previously known issues and security fixes.

Apache Tomcat server upgrade

Starting with this release of 9.2, the Tomcat server used in the Network Security Manager is upgraded. This server update provides a collection of security fixes.

Discontinued features

This release no longer supports the following features:

vNSP solution for VMware NSX

Starting with this release, the vNSP solution for VMware NSX is deprecated.

Note:
  • McAfee recommends that you do not create Virtual IPS Sensors managed using Intel Security Controller in the Manager version 9.2.9.60 or later.
  • On upgrading to Manager version 9.2.9.60 or later, you must delete the Virtual IPS Sensors managed using the Intel Security Controller in the Manager.