
8.3.7.52-8.3.3.27 Manager-M-series Release Notes


McAfee Network Security Platform 8.3
Revision C

Contents
About this release
New features
Enhancements
Resolved issues
Installation instructions
Known issues
Product documentation

About this release


This document contains important information about the current release. We recommend that you
read the whole document.
Network Security Platform follows a new release process from release 8.2 onwards. The changes in the
release process are based on customer requirements and on best practices followed by other McAfee
teams. For details, read KB78795.

This release of Network Security Platform provides a few features and enhancements on the
Manager and M-series Sensor software.

Release parameters                         Version
Network Security Manager software version  8.3.7.52
Signature Set                              8.7.78.7
M-series Sensor software version           8.3.3.27

This version of 8.3 Manager software can be used to configure and manage the following hardware:

Hardware                                                               Version
NS9x00-series Sensors (NS9100, NS9200, NS9300)                         8.1, 8.2, 8.3
NS7x00-series Sensors (NS7100, NS7200, NS7300)                         8.1, 8.2, 8.3
NS5x00-series Sensors (NS5100, NS5200)                                 8.1, 8.3
    NS5x00-series Sensors are not compatible with Manager version 8.3.7.28. See Known
    Issues for more information. Sensor software version 8.2 is currently not available for
    NS5x00-series.
NS3x00-series Sensors (NS3100, NS3200)                                 8.1, 8.3
    NS3x00-series Sensors are not compatible with Manager version 8.3.7.28. See Known
    Issues for more information. Sensor software version 8.2 is currently not available for
    NS3x00-series.
Virtual IPS Sensors (IPS-VM100 and IPS-VM600)                          8.1, 8.2, 8.3
Virtual Security System Sensors (IPS-VM100-VSS)                        8.1
    Sensor software versions 8.2 and 8.3 are currently not available for IPS-VM100-VSS.
M-series Sensors (M-1250, M-1450, M-2750, M-2850, M-2950, M-3050,      8.1, 8.2, 8.3
  M-4050, M-6050, M-8000)
Mxx30-series Sensors (M-3030, M-4030, M-6030, M-8030)                  8.1, 8.2, 8.3
XC Cluster Appliances (XC-240)                                         8.1, 8.2, 8.3
NTBA Appliance software (T-200, T-500, T-600, T-1200, T-VM, T-100VM,   8.1, 8.2, 8.3
  T-200VM)

The above mentioned Network Security Platform software versions support integration with the
following product versions:

Table 1-1 Network Security Platform compatibility matrix

Product                                   Version supported
McAfee ePO                                5.3.2, 5.1.1
McAfee Global Threat Intelligence         Compatible with all versions
McAfee Advanced Threat Defense            3.8.0.29, 3.6.2.21
McAfee Virtual Advanced Threat Defense    3.10.0.35
McAfee Endpoint Intelligence Agent        2.6
McAfee Logon Collector                    3.0.6
McAfee Threat Intelligence Exchange       2.0, 1.3
McAfee Data Exchange Layer                3.0.0, 2.0.1
McAfee Vulnerability Manager              7.5.10, 7.5.7
McAfee Host Intrusion Prevention          8.0
McAfee MOVE AntiVirus Agentless           4.5.0.148
McAfee MOVE AntiVirus Multi-Platform      4.5.0.211

Currently port 4167 is used as the UDP source port number for the SNMP command channel
communication between the Manager and Sensors. This prevents opening up all UDP ports for inbound
connectivity from SNMP ports on the Sensor. Older JRE versions allowed the Manager to bind to the
same source port 4167 for both IPv4 and IPv6 communication. With the latest JRE version
1.8.0_92, it is no longer possible to do so, and the Manager uses port 4166 as the UDP source port to
bind for IPv6.

Manager 8.3 uses JRE version 1.8.0_92 and MySQL version 5.6.30. If you have IPv6 Sensors behind a
firewall, you need to update your firewall rules accordingly such that port 4166 is open for the SNMP
command channel to function between those IPv6 Sensors and the Manager.
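As an added example (not part of these release notes or of the product), the following Python script audits a firewall rule base against the port requirement just described: replies from IPv4 Sensors must reach the Manager on UDP 4167 and replies from IPv6 Sensors on UDP 4166. The Rule format, the sample rule base and the Sensor addresses are constructed for the illustration; the script generalizes the note to any mix of IPv4 and IPv6 Sensors and reports which Sensors would lose their SNMP command channel.

```python
"""Audit a firewall rule base for the Manager <-> Sensor SNMP command channel.

Constructed example: the Rule format and sample data are assumptions made for
this illustration, not a McAfee configuration format.
"""
import ipaddress
from dataclasses import dataclass

# UDP port the Manager binds per address family (from the release notes):
# 4167 for IPv4 Sensors, 4166 for IPv6 Sensors with JRE 1.8.0_92.
MANAGER_SNMP_PORT = {4: 4167, 6: 4166}


@dataclass(frozen=True)
class Rule:
    """One firewall rule on the inbound path from the Sensors to the Manager."""
    proto: str      # "udp" or "tcp"
    dst_port: int   # destination port on the Manager
    src: str        # CIDR of permitted/denied Sensor sources
    action: str     # "allow" or "deny"


def first_match(rules, sensor_ip, port):
    """Return the first rule that matches this Sensor's reply packet, or None.

    ip_network.__contains__ returns False on an address-family mismatch, so an
    IPv4 rule never matches an IPv6 Sensor and vice versa.
    """
    addr = ipaddress.ip_address(sensor_ip)
    for rule in rules:
        if rule.proto == "udp" and rule.dst_port == port \
                and addr in ipaddress.ip_network(rule.src, strict=False):
            return rule
    return None


def audit(rules, sensors):
    """Map each Sensor whose command channel is blocked to the port it needs.

    First-match semantics with an implicit deny, as on most rule bases.
    """
    blocked = {}
    for ip in sensors:
        port = MANAGER_SNMP_PORT[ipaddress.ip_address(ip).version]
        rule = first_match(rules, ip, port)
        if rule is None or rule.action != "allow":
            blocked[ip] = port
    return blocked


# Constructed rule base written before the JRE change: IPv6 Sensors were
# still expected on 4167, so nothing admits 4166.
OLD_RULES = [
    Rule("udp", 4167, "10.1.0.0/16", "allow"),
    Rule("udp", 4167, "2001:db8::/32", "allow"),
]
# The addition the release notes ask for.
NEW_RULES = OLD_RULES + [Rule("udp", 4166, "2001:db8::/32", "allow")]
SENSORS = ["10.1.2.3", "10.1.9.7", "2001:db8::10"]

if __name__ == "__main__":
    for label, rules in (("before", OLD_RULES), ("after", NEW_RULES)):
        print(label, audit(rules, SENSORS) or "all Sensors reachable")
```

Run against the old rule base the audit flags only the IPv6 Sensor, which is exactly the case the note warns about; after the 4166 rule is added every Sensor is reachable. Adapting the script to a real deployment means replacing the constructed Rule objects with an export of the actual rule base and the Sensor list from the Manager.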

Manager software version 8.3 is not supported on McAfee-built Dell-based Manager Appliances. McAfee
recommends that you use Intel-based Manager Appliances instead.

New features
This release provides fixes for some of the previously known issues and does not include any new
features.

Enhancements
This release of Network Security Platform includes the following enhancements:

Layer 7 data capture enhancements


In earlier releases, the time taken to display alerts in the Manager from the time they were
generated in the Sensor was prolonged because of special alerts. Special alerts are alerts that are
generated to support the Layer 7 data capture feature. They display additional information such as HTTP
URL, response code, FTP user name, etc. Excessive special alerts could load the alert buffers in the
Sensor, causing queuing delays.

In version 8.3, an enhancement reduces the generation of excessive special alerts by delaying
alert generation either by a maximum of 5 seconds, or until the Layer 7 session is terminated.
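The 5-second hold described above can be modelled as a per-session buffer that is flushed either when the session ends or when the oldest buffered datum is 5 seconds old, so one special alert carries all the Layer 7 fields collected in that window. The Python below is an added illustration of that mechanism, not the Sensor's implementation: the event format, the session identifiers and the timeline are constructed, and the timer is simulated from event timestamps rather than with a real clock.

```python
"""Model of delayed Layer 7 special-alert generation.

Added illustration; the event format and timeline are constructed, and the
Sensor's real data structures are not known from the release notes.
"""
HOLD_SECONDS = 5.0   # maximum delay stated in the release notes


class SpecialAlertCoalescer:
    """Buffer Layer 7 fields per session and emit one special alert per flush."""

    def __init__(self, hold=HOLD_SECONDS):
        self.hold = hold
        self.pending = {}    # session_id -> {"first": first_ts, "fields": {name: [values]}}
        self.emitted = []    # special alerts that would actually be sent to the Manager

    def add(self, ts, session_id, field, value):
        """Record one Layer 7 datum (HTTP URL, response code, FTP user, ...)."""
        self.flush_expired(ts)
        entry = self.pending.setdefault(session_id, {"first": ts, "fields": {}})
        entry["fields"].setdefault(field, []).append(value)

    def session_end(self, ts, session_id):
        """Session teardown flushes immediately, whatever the age of the buffer."""
        self.flush_expired(ts)
        if session_id in self.pending:
            self._emit(session_id, ts, "session_end")

    def flush_expired(self, now):
        """Emit every buffer whose first datum is at least `hold` seconds old.

        The emit time is first + hold, i.e. the moment a timer would have fired.
        """
        due = sorted(sid for sid, e in self.pending.items() if now - e["first"] >= self.hold)
        for sid in due:
            self._emit(sid, self.pending[sid]["first"] + self.hold, "timeout")

    def _emit(self, session_id, at, reason):
        entry = self.pending.pop(session_id)
        self.emitted.append({"session": session_id, "at": at,
                             "reason": reason, "fields": entry["fields"]})


def replay(events, hold=HOLD_SECONDS):
    """Drive the coalescer with ("alert", ts, sid, field, value) / ("end", ts, sid) tuples."""
    c = SpecialAlertCoalescer(hold)
    for ev in events:
        if ev[0] == "alert":
            c.add(*ev[1:])
        else:
            c.session_end(*ev[1:])
    c.flush_expired(float("inf"))   # drain whatever is left at the end of the replay
    return c.emitted


# Constructed timeline: two sessions, five Layer 7 data points.
EVENTS = [
    ("alert", 0.0, "s1", "http_url", "/a"),
    ("alert", 1.0, "s1", "http_response_code", 200),
    ("alert", 2.0, "s2", "ftp_user", "alice"),
    ("alert", 3.0, "s1", "http_url", "/b"),
    ("end", 4.0, "s1"),                          # flushed by session end after 4 s
    ("alert", 7.5, "s2", "ftp_user", "bob"),     # s2's earlier buffer timed out at 7.0 s
    ("end", 9.0, "s2"),
]


def alert_counts(events, hold=HOLD_SECONDS):
    """(one alert per datum, as before the change; coalesced alerts with the hold)."""
    before = sum(1 for ev in events if ev[0] == "alert")
    return before, len(replay(events, hold))


if __name__ == "__main__":
    for alert in replay(EVENTS):
        print(alert)
    print("special alerts before/after:", alert_counts(EVENTS))
```

On the constructed timeline five per-datum alerts collapse to three, and no alert is held longer than 5 seconds: s1 flushes at session end, s2's first buffer flushes on timeout at 7.0 s. Shrinking the hold to 0.5 s restores one alert per datum, which is the trade-off the enhancement makes between alert latency and buffer load.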

Increase in memory size for handling signature sets


With a growing number of threats, the frequency of signature set updates and the number of attacks
in each update constantly increases. As a means to accommodate a larger signature set size in the
future, the memory size allocated to signature sets on the Sensor has been increased.

Reverse proxy enhancement


In the case of persistent HTTP traffic with XFF enabled, the alerts previously displayed the proxy IP
information for the first HTTP request. With this release, the XFF information for all HTTP
connections is displayed in the alerts. To view the XFF information for an alert, go to Analysis | <Admin
Domain Name> | Attack Log.
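As an added example that is not part of these release notes or of the product, the Python below parses the requests of one persistent HTTP connection and derives a client IP per request from X-Forwarded-For, next to a model of the earlier behaviour in which the header was only evaluated for the first request on the connection. The byte stream, the proxy addresses and the trusted-proxy list are constructed. It also applies the check a practitioner would want: X-Forwarded-For is attacker-controllable, so only the hop appended by a proxy you trust is taken as the true source and the remaining entries are ignored.

```python
"""Per-request X-Forwarded-For extraction on a persistent HTTP connection.

Added example with a constructed byte stream; not McAfee code.
"""


def parse_requests(stream: bytes):
    """Yield (request_line, headers) for each complete request in the stream.

    Header names are lower-cased; Content-Length bodies are skipped so the
    next request is found at the right offset. A trailing partial request is
    left unparsed, as a real reassembler would wait for more bytes.
    """
    pos = 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end < 0:
            break
        lines = stream[pos:end].decode("latin-1").split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        pos = end + 4 + int(headers.get("content-length", "0"))
        yield lines[0], headers


def client_ip(headers, peer_ip, trusted_proxies):
    """True source for one request: walk XFF right-to-left past trusted proxies.

    The leftmost entries are whatever the client chose to send, so only the
    first untrusted hop counts; without a usable header the TCP peer is used.
    """
    hops = [h.strip() for h in headers.get("x-forwarded-for", "").split(",") if h.strip()]
    while hops and hops[-1] in trusted_proxies:
        hops.pop()
    return hops[-1] if hops else peer_ip


def source_ips_per_request(stream, peer_ip, trusted_proxies):
    """Behaviour described for 8.3: XFF evaluated for every request on the connection."""
    return [(rl, client_ip(h, peer_ip, trusted_proxies)) for rl, h in parse_requests(stream)]


def source_ips_first_request_only(stream, peer_ip, trusted_proxies):
    """Model of the earlier behaviour: only the first request's XFF is honoured,
    so later requests on the same connection are attributed to the proxy."""
    reqs = list(parse_requests(stream))
    if not reqs:
        return []
    first = client_ip(reqs[0][1], peer_ip, trusted_proxies)
    return [(reqs[0][0], first)] + [(rl, peer_ip) for rl, _ in reqs[1:]]


# Constructed keep-alive connection from proxy 10.0.0.6 carrying three requests.
PROXY_IP = "10.0.0.6"
TRUSTED_PROXIES = {"10.0.0.5", "10.0.0.6"}
STREAM = (
    b"GET /a HTTP/1.1\r\nHost: app.example\r\n"
    b"X-Forwarded-For: 198.51.100.7, 10.0.0.5\r\n\r\n"
    b"POST /b HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\n"
    b"X-Forwarded-For: 203.0.113.9\r\n\r\nhello"
    b"GET /c HTTP/1.1\r\nHost: app.example\r\n\r\n"
)

if __name__ == "__main__":
    print("before:", source_ips_first_request_only(STREAM, PROXY_IP, TRUSTED_PROXIES))
    print("after: ", source_ips_per_request(STREAM, PROXY_IP, TRUSTED_PROXIES))
```

The second request is the one that matters for the Attack Log: with per-connection evaluation it is attributed to the proxy, with per-request evaluation to 203.0.113.9. The third request carries no header at all and correctly falls back to the peer address in both models.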

Change in the update server from Menshen to Menshen1


In earlier releases, the Manager used the Menshen update server with the SHA128 bit encryption
algorithm. From this release onwards, the Manager uses the Menshen1 update server with the
SHA256 bit encryption algorithm.

Resolved issues
The current release of the product resolves these issues. For a list of issues fixed in earlier releases,
see the Release Notes for the specific release.

Resolved Manager software issues


The following table lists the high-severity Manager software issues:

ID #     Issue Description
1169061  The device integrated with the NTBA appliance is not displayed in the device list under Devices | <Admin Domain Name> | Devices.
1118316  An incorrect description is displayed in the alert details panel of the Attack Log for Endpoint Executable and Malware Files.
1114679  The Attack Log does not display data for EIA executables.

The following table lists the medium-severity Manager software issues:

ID #     Issue Description
1175740  Upon trying to save a customized signature after adding an IPv4 address, the process sticks at 0%.
1166876  The Manager fails to generate the automatic IPS configuration report daily.
1166084  Attack logs saved in CSV format display the Attacker Host Name and Target Host Name inappropriately.
1165036  The signatures of newly added attacks are not displayed in the policy editor.
1164536  Creating an Ignore Rule in the Manager displays the error Unable to get Resources for Admin Domain. failed to get sensor for subscriber "0".
1164024  In high availability mode, the alert channel fails after the secondary Sensor reboots.
1163187  In the Attack Log page, the log files generated in CSV or PDF format for unacknowledged alerts incorrectly display them as acknowledged alerts.
1162321  Custom roles created with the View Only role are incorrectly applied as Edit roles.
1161236  The Manager fails to perform a configuration update on the Sensor due to a compilation error.
1161090 / 1159384  Snort rules that use Snort IP headers as filters work incorrectly, as the Sensor triggers alerts even when the parameters do not match the header options.
1158605  The Manager is vulnerable to CVE-2016-6662.
1156873  The Attack Log page displays the proxy IP address instead of the true source IP address when XFF is enabled.
1156285  Running a health check fails when the Manager is connected through proxy settings.
1153466  An error is displayed while exporting packet captures of an alert from the Attack Log page.
1153107  The Manager uses the SHA128 bit encryption algorithm instead of SHA256.
1152473  In the Attack Log page, when filtering attacks for Attack SmartBlocked, the attacks are not displayed in the Results column.
1152295  When adding an Ignore Rule from the Attack Log page, the action to create a new rule object fails in the Add Ignore Rule window.
1151225  The malware confidence (severity) for the same alert displays inconsistent values in the Manager (Attack Log, Alert Details, and Malware Files) and in the Syslog Message.
1150853  The configuration options are disabled for alert relevance in Manager | <Admin Domain Name> | Integration | Vulnerability Assessment | MVM | Alert Relevance.
1149111  An IP address that is manually quarantined from the Attack Log page is not displayed in the Manager's quarantine list.
1149099  The Manager sends additional messages in the syslog notification for some alerts.
1148663  The actions performed to enable or disable the monitoring ports in the Sensor are displayed incorrectly in the User Activity Log page in the Manager. For example, if the port action is from Enabled to Disabled, it is displayed as Disabled to Enabled in the Manager.
1148454  In the Manager, the list to select the child domain is disabled.
1147762  An expired SSL certificate can be imported to the Manager and is displayed as Valid.
1147619  An alert count mismatch exists between the Primary and Secondary Manager.
1145115  The data truncation error description is very long.
1143918  The Result column does not display attacks for smartblocked attacks in the Attack Log after a Manager upgrade.
1143558  E-mail notifications are incorrectly sent for alerts that are not configured to send notifications.
1142684  An error is displayed in the Manager when the number of quarantined IP addresses exceeds 1000.
1142079  Attack names are displayed as --- after a signature set upgrade under Policy | <Admin Domain Name> | Intrusion Prevention | Policy Types | IPS Policies.
1142047  The Manager automatically deploys signature sets even when automatic deployment is disabled.
1141070  The performance charts for Device Throughput Usage, Port Throughput, and CPU Usage under Devices | <Admin Domain Name> | Devices | <Device Name> | Troubleshooting | Performance Charts do not display weekly data.
1140604  When deploying updates to the Sensor, the Running Tasks and User Activity Log pages display the device name as null.
1139033  Importing user-defined signatures in the Manager causes an error.
1138655  In an MDR scenario, both the Primary and Secondary Manager send fault notifications for port link failures.
1138335  Communication between the Manager and the Sensor is disconnected after restarting the Manager service.
1136975  The trend analysis report scheduled for a weekly or monthly time period does not display the data for the last day.
1135691  The fault for the Gateway Anti-Malware file update is displayed in the Manager even when it was successfully updated in the Sensor.
1131532  The syslog fault notifications for a high-availability Sensor cluster from the Manager contain the cluster name instead of the node name.
1128407  The Executive Summary report shows several Address Not Resolved results in the Hostname columns in the Top N Source IP and Top N Destination IP sections.
1126609  In the Attack Log page, the policy update fails when selecting a policy under Update Policy options from the Other Actions list.
1125670  The link failure SNMP trap shows an incorrect port name.
1118293  The Traffic Statistics page displays an error when clicked.

The following table lists the low-severity Manager software issues:

ID #     Issue Description
1140630  The syslog notifications for performance faults do not include the value that triggered the fault or the threshold.

Resolved Sensor software issues
The following table lists the medium-severity Sensor software issues:

ID #     Issue Description
1184408  After an upgrade, the Sensor experiences an exception while processing the signature set, causing it to go to bad health or experience auto recovery. This happens more often when there are Ignore Rules with Any/Any or IPv6 Ignore Rules and IPv6 scanning is disabled.
1166353  For XFF traffic, the Sensor does not send the true client IP address to the syslog server.
1164826  Syslog alerts sent from the Sensor display the timestamp incorrectly, with a 12 hour difference.
1164047  The filename and domain in the URI path contain duplicate domain name information when submitted to Advanced Threat Defense.
1163993  The show feature status command displays incorrect status of the configured features in the Sensor since the operation fails.
1163689  Whitelisted entries with more than two labels do not generate an exact match like they should.
1159776  The vulnerability scanner reports the following Sensor vulnerabilities:
         SSH weak algorithms supported
         SSH server CBC Mode Ciphers Enabled (CVE-2008-5161)
         SSH weak MAC Algorithm Enabled
1159229  The Sensor fails to send packet log information when the packet log resources are not initialized.
1156118  [M-2950] The Sensor switches to layer 2 bypass mode.
1152648  The management process incorrectly invalidates valid memory, which causes the Sensor to go to bad health.
1152472  The Sensor is vulnerable to the following vulnerabilities: CVE-2016-4953, CVE-2016-4954, CVE-2016-4955, CVE-2016-4956, CVE-2016-4957.
1151327  In a rare condition, the malware processing engine experiences an exception while processing an SMTP attachment file with large encoded content.
1150815  The events.log does not persist after a Sensor reboot.
1149298  An internal resource leak in the malware processing modules causes the Sensor to stop sending files to the Advanced Threat Defense appliance.
1149107  Port throughput utilization is wrongly calculated for ports with speed greater than 1G.
1147328  The Sensor is vulnerable to CVE-2016-4448.
1146928  The TCP: Microsoft Windows TCP IP Driver Denial of Service alert is generated due to incorrect packet length.
1146409  The Sensor may go to bad health, auto-recover, or reboot due to incorrect validation during allocation or freeing of data buffers.
1145843  In a rare condition, when multiple connection attempts between the Sensor and the Advanced Threat Defense appliance or NTBA appliance fail in a short span of time, the Sensor reboots.
1144514  The default IP address is sometimes not available after you run the factory defaults command.
1143386  The alerts are not displayed in the malware dashboard due to internal resource exhaustion.
1140389  Unable to quarantine IP address 172.30.6.100.

1139962  The ICMP Nachi Attack alert is incorrectly raised.
1139454  The Sensor generates a false positive alert for the IGMP: Fragmented IGMP Packet Attack alert.
1138571  The Connection Count for TCP/UDP on the Next Generation report always shows 0.
1137501  The Sensor is vulnerable to the following Improper Input Validation vulnerabilities: CVE-2015-7704, CVE-2015-8138, CVE-2015-7705, CVE-2016-1550, CVE-2015-7974, CVE-2016-2516, CVE-2015-7975, CVE-2016-2517, CVE-2015-7976.
1137245  Layer 7 DDOS response action configuration does not work correctly.
1136618  ISAKMP traffic is not dropped by the Sensor when the application Firewall policy is configured to drop.
1133662  Deploying changes related to rate limiting policies every third time results in the Sensor going to bad health.
1133656  SSL connections for unsupported ciphers are not consistently detected and blocked.
1132694  In a rare scenario, VoIP calls get disconnected due to processing delays of VoIP traffic in the Sensor.
1131649  In rare scenarios, the malware engine does not come up, impacting the processing of files.
1129065  A manual signature set push causes the Sensor to reboot.
1126206  Alerts have incorrect information when parsing XFF flows with a persistent HTTP connection.
1117263  The Sensor raises the SSL: Connections Exhausted message or goes to bad health because of incorrect software corruption.
1114845  During a configuration update, a few UDP packets are dropped.
1097502  The Manager user interface incorrectly shows pending entries for Advanced Threat Defense even when submitted files are not processed due to an overload or any other error scenario.
1051747  The Next Generation report, Default - Top 10 Application Categories by Bandwidth Usage, displays traffic volume in bytes instead of bits.

Installation instructions
Manager server/client system requirements
The following table lists the 8.3 Manager server requirements:

Component         Minimum required                                                Recommended
Operating system  Any of the following:                                           Windows Server 2012 R2 Standard Edition operating system.
                  Windows Server 2008 R2 Standard or Enterprise Edition, English operating system, SP1 (64-bit) (Full Installation)
                  Windows Server 2008 R2 Standard or Enterprise Edition, Japanese operating system, SP1 (64-bit) (Full Installation)
                  Windows Server 2012 R2 Standard Edition (Server with a GUI) English operating system
                  Windows Server 2012 R2 Standard Edition (Server with a GUI) Japanese operating system
                  Windows Server 2012 R2 Datacenter Edition (Server with a GUI) English operating system
                  Windows Server 2012 R2 Datacenter Edition (Server with a GUI) Japanese operating system
                  Only X64 architecture is supported.
Memory            8 GB (supports up to 3 million alerts in Solr)                   >16 GB (supports up to 10 million alerts in Solr)
CPU               Server model processor such as Intel Xeon                        Same
Disk space        100 GB                                                           300 GB or more
Network           100 Mbps card                                                    1000 Mbps card
Monitor           32-bit color, 1440 x 900 display setting                         1440 x 900 (or above)
The following are the system requirements for hosting Central Manager/Manager server on a VMware
platform.

Table 5-1 Virtual machine requirements

Component         Minimum                                                         Recommended
Operating system  Any of the following:                                           Windows Server 2012 R2 Standard Edition operating system.
                  Windows Server 2008 R2 Standard or Enterprise Edition, English operating system, SP1 (64-bit) (Full Installation)
                  Windows Server 2008 R2 Standard or Enterprise Edition, Japanese operating system, SP1 (64-bit) (Full Installation)
                  Windows Server 2012 R2 Standard Edition (Server with a GUI) English operating system
                  Windows Server 2012 R2 Standard Edition (Server with a GUI) Japanese operating system
                  Windows Server 2012 R2 Datacenter Edition (Server with a GUI) English operating system
                  Windows Server 2012 R2 Datacenter (Server with a GUI) Japanese operating system
                  Only X64 architecture is supported.
Memory            8 GB (supports up to 3 million alerts in Solr)                   >16 GB (supports up to 10 million alerts in Solr)
Virtual CPUs      2                                                                2 or more
Disk Space        100 GB                                                           300 GB or more

Table 5-2 VMware ESX server requirements

Component                Minimum
Virtualization software  ESXi 5.1 Update 2, ESXi 5.5 Update 3, or ESXi 6.0 Update 1
CPU                      Intel Xeon CPU ES 5335 @ 2.00 GHz; Physical Processors 2; Logical Processors 8; Processor Speed 2.00 GHz
Memory                   Physical Memory: 16 GB
Internal Disks           1 TB

The following table lists the 8.3 Manager client requirements when using Windows 7, Windows 8, or
Windows 2012:

Component         Minimum                                                         Recommended
Operating system  Windows 7, English or Japanese
                  Windows 8, English or Japanese
                  Windows 8.1, English or Japanese
                  Windows 10, English or Japanese
                  The display language of the Manager client must be the same as that of the Manager server operating system.
RAM               2 GB                                                            4 GB
CPU               1.5 GHz processor                                               1.5 GHz or faster
Browser           Internet Explorer 10, 11, or Microsoft Edge                     Internet Explorer 11
                  Mozilla Firefox                                                 Mozilla Firefox 20.0 or later
                  Google Chrome (App mode in Windows 8 is not supported.)         Google Chrome 24.0 or later
                  To avoid the certificate mismatch error and security warning, add the Manager web certificate to the trusted certificate list.

If you are using Google Chrome 42 or later, the NPAPI plug-in is disabled by default, which means that
Java applet support is disabled by default. Perform the following steps to enable the NPAPI plug-in:

1 In the address bar, type chrome://flags/#enable-npapi.

2 Click the Enable link in the Enable NPAPI configuration option.

3 Click Relaunch Now at the bottom of the page to restart Google Chrome for the changes to take
effect.

For the Manager client, in addition to Windows 7, Windows 8, and Windows 8.1, you can also use the
operating systems mentioned for the Manager server.

The following are Central Manager and Manager client requirements when using Mac:

Mac operating system    Browser
Yosemite                Safari 8 or 9
El Capitan

For more information, see McAfee Network Security Platform Installation Guide.

Upgrade recommendations
McAfee regularly releases updated versions of the signature set. Note that automatic signature set
upgrade does not happen. You need to manually import the latest signature set and apply it to your
Sensors.

The following is the upgrade matrix supported for this release:

Component                         Minimum Software Version
Manager/Central Manager software  8.1: 8.1.7.33, 8.1.7.82
                                  Manager version 8.1.7.52 is only for 8.1 NS5x00 and 8.1.7.73 is only for 8.1 NS3x00 Sensors.
                                  8.2: 8.2.7.71, 8.2.7.83
                                  8.3: 8.3.7.7, 8.3.7.28
M-series Sensor software          8.1: 8.1.3.89, 8.1.3.100
                                  8.2: 8.2.3.84, 8.2.3.113
                                  8.3: 8.3.3.4, 8.3.3.9

Known issues
For a list of known issues in this product release, see this McAfee KnowledgeBase article:
Network Security Platform software issues: KB86387

Product documentation
Every McAfee product has a comprehensive set of documentation.

Find product documentation


1 Go to the McAfee ServicePortal at http://mysupport.mcafee.com and click Knowledge Center.

2 Enter a product name, select a version, then click Search to display a list of documents.

8.3 product documentation list


The following software guides are available for Network Security Platform 8.3 release:

Quick Tour

Installation Guide (includes Upgrade Guide)

Manager Administration Guide

Manager API Reference Guide (selective distribution - to be requested via support)

CLI Guide

IPS Administration Guide

Custom Attacks Definition Guide

XC Cluster Administration Guide

Integration Guide

NTBA Administration Guide

Best Practices Guide

Troubleshooting Guide

2017 Intel Corporation


Intel and the Intel logo are trademarks/registered trademarks of Intel Corporation. McAfee and the McAfee logo are trademarks/
registered trademarks of McAfee, Inc. Other names and brands may be claimed as the property of others.

