What's new in the 3.0.0 release

The current release of the product includes these enhancements and changes.

Purpose

This release was developed for use with:

  • McAfee® ePolicy Orchestrator® (McAfee® ePO™) 5.3.x on-premises or later.
  • McAfee® Data Exchange Layer (DXL) 4.0.0 or later.
    Important: If you activate the McAfee® Active Response service, you must use DXL Broker 4.1.1.113 or later.
  • McAfee® Threat Intelligence Exchange (TIE) server 2.0.x or later, for direct upgrade.
  • McAfee® Active Response 2.4.0 for simplified deployment.

New features

External Reputation Provider — Enhance your threat intelligence and detection platform by enabling an external reputation provider in your environment through OpenDXL. If the endpoint doesn’t detect a match from other reputation providers, it can allow or block files based on the trust level assigned by the External Provider as a fallback rule. Endpoint upgrades might be required if endpoints are not running the latest TIE and McAfee Adaptive Threat Protection security content and the latest McAfee Endpoint Security revisions of each minor release. For more information, see McAfee Knowledge Base article KB91975.

Alerts on Relevant Unknowns — A new alert is displayed in the notifications section of McAfee ePO (version 5.10), reporting files or certificates that might require attention based on their high impact and lack of a trust score.

Reputation Import Wizard Improvement — The import wizard now lets you import CSV files in addition to STIX files. You can generate CSV files by using the Export table option on the TIE Reputations page. This helps you share data between different TIE environments.

Update Metadata Aggregation for local intelligence — TIE server now supports the Update Metadata Aggregation for Local Intelligence IPE extension that is available in DXL broker 5.0.1 or later. This reduces the bandwidth and the number of Update Metadata messages that TIE server needs to process.

Enhancements

McAfee GTI connectivity proxy — This release supports the HTTPS protocol and two new proxy authentication methods, NTLM and Digest Authentication, for TIE server.

Interesting unknowns — A new priority attribute is added to the File Details page. The endpoint reports this new attribute to flag unknowns that have unusual attributes. This attribute is also available for creating queries and reports.

Enhancement in importing reputation — When you import reputations manually, the Filename field is no longer mandatory.

Note: You can import the details from TIE Reputations page → File Override → Actions → Import Reputations in McAfee ePO.

Priority Queue integration — If a file is reported to have priority, the TIE server submits the file to the Advanced Threat Defense priority queue.

Optimizations for On-Demand/On-Access Scan — Files received as part of on-access scan and on-demand scan are no longer tagged as Advanced Threat Defense candidates.

PostgreSQL database upgrade — TIE server is now shipped with the PostgreSQL 10 database system, which includes the latest security updates and improvements. When upgrading an existing server to TIE server 3.0.0, a major database version upgrade is performed.

Note: This update process forces a full database replication from the Primary server to every Secondary and Reporting Secondary server of the topology.

Composite Reputation display improvements — Composite Reputation calculation now uses the Latest Local Reputation update date instead of the last update date of the file. TIE server displays the Latest Local Reputation date separately from the Last Update date on the File Details page. You can also add it as a new column and filter on it in Queries and Reports.

First-time setup wizard — The setup wizard now includes these enhancements:

  • Warning messages are now displayed for networking or Network Time Protocol (NTP) issues. You can reconfigure the network interface or NTP servers respectively.
  • The Maintenance mode allows dropping to a shell at an early stage of the setup wizard after the Open Virtualization Application (OVA) deployment.
  • Detailed information is added for the initial configuration and handshake process.

Upgrade process

  • The existing RPM packages in the /apps directory and legacy log files are removed.
  • The older kernels are uninstalled and only the two latest kernels are retained.
  • McAfee® Agent is automatically upgraded together with the TIE server. However, the McAfee Agent upgrade is delayed until 12:00 A.M. of the following day.

TIE server Topology Management page

  • A warning message is displayed when more than one Primary is configured.
  • McAfee GTI Health Check now displays information about latency and rolling average response time of the latest requests.
  • The Database and Storage health check displays only details of the issue that triggers the warning or error.

General improvements

  • TIE server now saves the file type of the files reported by Advanced Threat Defense if it is not available.
  • The reconfig-ca script is automatically executed when a new policy is received that includes TIE servers managed by a remote McAfee ePO.
  • Advanced Threat Defense polling configuration is added to the TIE server policy, which lets you disable polling or configure polling for all servers or only local servers.
  • A transition-status.sh script is included to display relevant information regarding the status of an operation mode change.

Updated version support

McAfee® Threat Intelligence Exchange (TIE) server 2.0 and 2.1 will reach their End of Life (EOL) on December 17, 2019. For more information, see KB91113. TIE 1.3.0 reached its EOL on August 15, 2018, and 1.2.1 on December 31, 2017.

We recommend upgrading to the latest version of TIE server to benefit from the newest software developments, and to avoid interruption of product support.

See KB89670 for details. The McAfee EOL product list and policy is available at https://www.mcafee.com/us/support/support-eol.aspx.

McAfee® Cloud Threat Detection (McAfee® CTD) reached its End of Sale (EOS) and its EOL on December 31, 2018. See KB90296 for details.

Updated platform support

This release extends support to the McAfee ePO 5.10 security management platform.

Note: In McAfee ePO 5.10, Software Manager is renamed as the Software Catalog. The documentation now uses the new term.

Important: We don't support the automatic upgrade of a pre-release software version. To upgrade to a production release of the software, you must first uninstall the existing version.

This release upgrades the following components and libraries:

  • Added Bouncy Castle cryptography libraries.
  • Updated Zulu JRE (Java) to 8.38.0.10.
  • Updated Jetty server to 9.4.
  • Updated the VMware Virtual Hardware version to 11, which matches ESXi server 6+ (OVA only).