McAfee Host Intrusion Prevention Patch 6 Software


Release Notes

McAfee Host Intrusion Prevention 8.0.0

Patch 6 Software

For Windows

For use with McAfee ePolicy Orchestrator

Contents

• About this release

• New features

• Resolved issues

• Installation instructions

• Known issues

• Find product documentation

About this release

Thank you for using this McAfee product. This document contains important information about the current release. We strongly recommend that you read the entire document.

The McAfee® Host Intrusion Prevention 8.0.0 Patch 6 for Windows client package is for use on Windows platforms only. This is a change from previous McAfee Host IPS packages, which supported the Windows, Linux, and Solaris platforms. For Linux 64-bit platforms, use McAfee Host IPS 8.0.0 Patch 6 for Linux. For all other platforms (Solaris and 32-bit Linux), use McAfee Host IPS 8.0.0 Patch 5.

We do not support the automatic upgrade of a pre-release software version. To upgrade to a production release of the software, you must first uninstall the existing version.

Purpose

This release of McAfee Host IPS contains various improvements and fixes. Although McAfee has thoroughly tested this release, we strongly recommend that you verify this update in test and pilot groups before mass deployment. Review the New features, Resolved issues, and Known issues sections for additional information.


For a list of supported environments, release versions, and latest information for Host Intrusion Prevention 8.0.0 on Microsoft Windows, see KnowledgeBase article KB70778.

To install Host Intrusion Prevention on a server, you must purchase a license for Host Intrusion Prevention for Server or a server suite that includes Host Intrusion Prevention for Server (such as Total Protection for Server). You cannot install Host Intrusion Prevention for Desktop on a server. For additional information, contact your McAfee sales or support representative.

Patch version

This Host Intrusion Prevention 8.0.0 release includes two packages:

• Patch 6 — Updates McAfee Host IPS 8.0.0 clients, with or without Patch 1, Patch 2, Patch 3, Patch 4, or Patch 5.

• Repost Patch 6 — Includes the full McAfee Host IPS installation.

Extension version

This McAfee Host IPS 8.0.0 release includes extension packages for McAfee® ePolicy Orchestrator® (McAfee ePO™):

• Firewall — McAfee_HostFW_Extension_978.zip

• Intrusion Prevention System — McAfee_HostIPS_Extension_978.zip

Use this release of the extension to manage any version of the McAfee Host IPS client on any supported McAfee Host IPS platform, including Windows, Linux, and Solaris. This extension can also be used to manage McAfee Endpoint Protection for Mac and Firewall for Linux clients.

This release supports the following McAfee ePO versions:

• 5.1 (509) and later

• 4.6 (1029) and later

Use this extension for both new installations and to update previous versions of Host Intrusion Prevention 8.0 Extension.

Refer to KnowledgeBase article KB70778 for the most current Host Intrusion Prevention 8.0.0 details.

Package date

August 20, 2015

Release build

Windows — 8.0.0.3363


New features — Windows client

This release of the Host Intrusion Prevention Windows client includes these new features.

Support for Windows 10

This release adds support for Host Intrusion Prevention on Windows 10.

Support for Windows 10 in-place upgrades

Host Intrusion Prevention Patch 6 supports upgrading from Windows 7, 8, and 8.1 to Windows 10.

Policy failover

This release includes a new policy failover mechanism, which results in enhanced reliability.

If the McAfee Host IPS LPC service receives invalid or incomplete policies from McAfee Agent, it now rejects and doesn't enforce these policies. When such anomalies occur, McAfee Host IPS sends events to McAfee ePO.

For more information, see KnowledgeBase article KB85187.

McAfee Firewall Core Service startup type set to Manual

For this release, the Startup type for the McAfee Firewall Core Service is set to Manual. The service is no longer started automatically.

For more information, see KnowledgeBase article KB85374.

Updated components

This release of Host Intrusion Prevention includes an updated VSCore: version 15.4.0.560.8.

New features — Extension

This release of the Host Intrusion Prevention Extension includes this new feature.

Support for

This release adds support for McAfee ePO 5.1.3 and McAfee ePO 5.3.1, as well as Java 8 compatibility.

Ability to query the Files field

This release adds support for querying the Files field in McAfee Host IPS events. This new field is available in McAfee ePO under Queries & Reports | Events | Threat Events in the Host IPS 8.0 Event Info category.

Data is visible only for events generated after upgrading the extension. For events reported before the extension upgrade, no value is reported and the Files field is empty.


Resolved issues

These issues are resolved in this release of the product. For a list of issues fixed in earlier releases, see the Release Notes for the specific release.

• Patch 5 — PD25947

• Patch 4 — PD25043

• Patch 3 — PD24551

• Patch 2 — PD23957

• Patch 1 — PD23514

Windows client

Reference Resolution

1026207 The mfefire.exe service now starts correctly. (Resolved in Patch 5.)

1028341 McAfee Host Intrusion Prevention service now preserves rule order when there are more than 100 rules in the Firewall policy.

1038207 Multicast traffic is now correctly matched within a location aware group. (Resolved in Patch 5.)

1039302 McAfee Host IPS LPC service no longer fails to start automatically on some Windows platforms.

1042273 If the McAfee Host IPS LPC service receives invalid or incomplete policies from McAfee Agent, it correctly rejects and doesn't enforce these policies. When such anomalies occur, McAfee Host IPS sends events to McAfee ePO.

Extension

Reference Resolution

940706 The McAfee ePO console no longer hangs. Open SQL connections no longer prevent the Property Translator task from running.

951746 The Automatic Response feature now functions properly.

991091 Email sent with the Automatic Response feature no longer includes HTML tags.

1019482 The Property Translator task no longer fails when run manually. Dash (-) characters in domain names are now considered valid.

1028156 McAfee Host IPS content versions now display correctly. Open SQL connections no longer prevent the Property Translator task from running.

1040082 The Event Parser no longer crashes.

1066687 The McAfee Host IPS Product Version property now correctly shows "Host Intrusion Prevention" rather than the incorrect "Product Version (McAfee Firewall for Linux)".


Install the product directly to a client system

Follow these steps to install the package directly to a target client system.

The installation does not require a restart but might cause a brief interruption in network traffic.

For more information, see the Host Intrusion Prevention Installation Guide.

We don't support non-McAfee ePO-managed systems.

Task

1 Download the package: HIP80LMLRPx.Zip.

• Patch — HIP80Px.Zip

• Repost Patch — HIP80LMLRPx.Zip

2 Extract the patch files to a temporary folder on your hard drive.

3 Disable Host Intrusion Prevention protection with a McAfee ePO-delivered policy or in the local client interface.

4 Double-click the setup file in the temporary folder created in Step 2:

• Patch — McAfeeHIP_ClientPatchx.exe

• Repost Patch — McAfeeHIP_ClientSetup.exe

5 Follow the installation wizard instructions.

6 Enable Host Intrusion Prevention protection.

Install the extensions into McAfee ePO

Install the Host Intrusion Prevention extensions into McAfee ePO.

See the topic on bringing products under management in the McAfee ePO Help.

Task

For option definitions, click ? in the interface.

1 In McAfee ePO, select Menu | Software | Extensions.

2 Click Install Extension.

3 Browse to and select the extension .zip file, then click OK.

This process might take several minutes to complete.

4 Repeat steps 2 and 3 for each extension .zip file, then click OK.


Deploy the product from McAfee ePO

Follow these steps to deploy this release to managed systems using McAfee ePO.

Before you begin

This release requires McAfee Agent 4.8 or later.

For more information, see the Host Intrusion Prevention Installation Guide.

Task

For option definitions, click ? in the interface.

1 Check the package into the McAfee ePO Master Repository:

a Select Menu | Software | Master Repository, then click Check In Package.

b Select the Product or Update (.ZIP) package type.

c Click Choose File and select the Host Intrusion Prevention HIP80LMLRPx.Zip file. This process might take several minutes to complete.

For more information, see the topic on checking in packages manually in the McAfee ePO Help.

2 Deploy the package to the client systems: use a McAfee Agent Product Deployment client task.

Verify the client installation

After installing the Host Intrusion Prevention Patch 6 package, verify that the product installed correctly on the client systems.

Releases are not displayed, or are not reported as installed, if an error occurred during installation or if a file did not install correctly.

Task

1 In McAfee ePO, run the Host IPS: Client Versions query.

For systems with Patch 6 installed, the Client Version (Host IPS) is 8.0.0.3363.

2 Click the version number to display the system names.

3 Verify the installation on the client: in the Host Intrusion Prevention client, select Help | About. The Build Version shows 3363.

File inventory

This release of the software includes these files.

Table 4-1 McAfee Host IPS files


Folder name File name Version 32-bit 64-bit

FireCore.dll 8.0.0.3363 X X

FireEpo.dll 8.0.0.3363 X X

FireSvc.exe 8.0.0.3363 X X

FireTray.exe 8.0.0.3363 X X

HcApi.dll 8.0.0.3363 X X

HcCode.dll 8.0.0.3363 X X

HcSql.dll 8.0.0.3363 X X

HcSvc.dll 8.0.0.3363 X X

HcThe.dll 8.0.0.3363 X X

Helper.exe 8.0.0.3363 X X

HipIISEngine.dll 8.5.64.0 X X

HipIISEngineStub.dll 8.4.64.0 X X

HipMgtPlugin.dll 8.0.0.3363 X X

HipRc.dll 8.0.0.3363 X X

HipShield.dll 8.0.0.3363 X X

HpmRegistry.dll 8.0.0.3363 X X

McAfeeFire.exe 8.0.0.3363 X X

mcafeewin32guisupportdll.dll 8.0.0.3363 X X

MngFirecore.dll 8.0.0.3363 X X

nailite.dll 1.0.0.937 X X

SecCtrFw.exe 8.0.0.3363 X X

ts.dll 2.1.0.3 X X

WinToast.dll 8.0.0.3363 X X

3rdParty.txt X

C:\Program Files (x86)\McAfee\Host Intrusion Prevention

DebugLog.dll 8.0.0.3363 X

FireCL.dll 8.0.0.3363 X

FireCNL.dll 8.0.0.3363 X

FireComm.dll 8.0.0.3363 X

FireCore.dll 8.0.0.3363 X

FireEpo.dll 8.0.0.3363 X

HcApi.dll 8.0.0.3363 X

HcCode.dll 8.0.0.3363 X

HcSql.dll 8.0.0.3363 X

HcThe.dll 8.0.0.3363 X

Helper.exe 8.0.0.3363 X

HipIISEngine.dll 8.0.0.3363 X

HipIISEngineStub.dll 8.0.0.3363 X


HipMgmtHpr.dll 8.0.0.3363 X

HipMgtPlugin.dll 8.0.0.3363 X

HpmRegistry.dll 8.0.0.3363 X

McTrayHipPlugin.dll 8.0.0.3363 X

MngFirecore.dll 8.0.0.3363 X

msvcp71.dll 7.10.3077.0 X

msvcr71.dll 7.10.3052.4 X

nailite.dll 1.0.0.937 X

ts.dll 2.1.0.3 X

WinToast.dll 8.0.0.3363 X

C:\Windows\System32\Drivers

HipShieldK.sys 8.0.0.3353 X X

Table 4-2 SysCore files

Folder name File name Version 32-bit 64-bit

C:\Program Files\Common Files\McAfee\SystemCore

cacheinfo.exe * 15.4.0.651 X X

fwinfo.exe 15.4.0.651 X X

mfeapfa.dll 15.4.0.651 X X

mfeavfa.dll 15.4.0.651 X X

mfefire.exe 15.4.0.651 X X

mfecana.dll * 15.4.0.651 X X

mfecanary.exe * 15.4.0.651 X X

mfefwctl.dll 15.4.0.651 X X

mfehida.dll 15.4.0.651 X X

mfehidk_messages.dll 15.4.0.651 X X

mfenlfk.inf X X

mfevtpa.dll 15.4.0.651 X X

mfemms.exe 15.4.0.651 X X

mfemms_messages.dll 15.4.0.651 X X

mfemmsa.dll 15.4.0.651 X X


mfehida.dll 15.4.0.651 X

mfemmsa.dll 15.4.0.651 X

C:\Windows\System32\Drivers

mfeapfk.sys 15.4.0.651 X X

mfeavfk.sys 15.4.0.651 X X

mfefirek.sys 15.4.0.651 X X

mfehidk.sys 15.4.0.651 X X

mfenlfk.sys † 15.4.0.651 X X

mfewfpk.sys † 15.4.0.651 X X

mfetdi2k.sys ‡ 15.4.0.651 X X

mfendisk.sys ‡ 15.4.0.651 X X

C:\Windows\System32

mfevtps.exe 15.4.0.651 X X

* New with this release.

† All operating systems except Windows XP and Windows 2003.

‡ Only Windows XP and Windows 2003 operating systems.
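
The file versions and the Manual startup type listed in these notes can also be checked directly on a client. The PowerShell script below is an added example, not part of the original release notes or any McAfee tooling; it compares a few inventory entries whose folder is stated in the tables with what is on disk. It assumes that the Version column corresponds to the file version resource, that the service display name matches the name used in these notes, and that PowerShell 3.0 or later is available.

```powershell
# Added example (not vendor code). Expected versions are copied from
# Table 4-1 and Table 4-2 of these release notes.
# Assumption: run in a native session (not 32-bit PowerShell on 64-bit
# Windows) so that System32 is not redirected.
$expected = @(
    @{ Path = 'C:\Windows\System32\Drivers\HipShieldK.sys'; Version = '8.0.0.3353' }
    @{ Path = 'C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe'; Version = '15.4.0.651' }
    @{ Path = 'C:\Windows\System32\Drivers\mfehidk.sys'; Version = '15.4.0.651' }
    @{ Path = 'C:\Windows\System32\mfevtps.exe'; Version = '15.4.0.651' }
)

# Table 4-2 footnotes: mfewfpk.sys is listed for every OS except Windows XP/2003,
# mfetdi2k.sys only for Windows XP/2003 (both report OS major version 5).
$legacyOs = [Environment]::OSVersion.Version.Major -lt 6
$driver = if ($legacyOs) { 'mfetdi2k.sys' } else { 'mfewfpk.sys' }
$expected += @{ Path = "C:\Windows\System32\Drivers\$driver"; Version = '15.4.0.651' }

function Get-FileVersionString([string]$Path) {
    # Returns $null for a missing file; builds the version from the numeric
    # parts because the FileVersion string can carry extra text.
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    '{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
}

function Get-Status($Expected, $Actual) {
    if ($null -eq $Actual) { 'Missing' }
    elseif ($Actual -eq $Expected) { 'OK' }
    else { 'Mismatch' }
}

$report = @(foreach ($e in $expected) {
    $actual = Get-FileVersionString $e.Path
    [pscustomobject]@{ Item = $e.Path; Expected = $e.Version; Actual = $actual
                       Status = Get-Status $e.Version $actual }
})

# New in Patch 6: the McAfee Firewall Core Service startup type is Manual.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "DisplayName='McAfee Firewall Core Service'"
$mode = if ($svc) { $svc.StartMode } else { $null }
$report += [pscustomobject]@{ Item = 'McAfee Firewall Core Service startup type'
                              Expected = 'Manual'; Actual = $mode
                              Status = Get-Status 'Manual' $mode }

$report | Format-Table -AutoSize
```

A Missing or Mismatch row corresponds to the case described under Verify the client installation, where a file did not install correctly.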

Remove installation files

You can remove the Host Intrusion Prevention patch from McAfee ePO or directly from the client computer.

For information, see the McAfee Host Intrusion Prevention Installation Guide.

Known issues

For a list of known issues in this product release, see this McAfee KnowledgeBase article: KB70778 and search for the Patch 6 Known Issues link.

Find product documentation

After a product is released, information about the product is entered into the McAfee online Knowledge Center.

Task

1 Go to the Knowledge Center tab of the McAfee ServicePortal at http://support.mcafee.com.

2 In the Knowledge Base pane, click a content source:

• Product Documentation to find user documentation

• Technical Articles to find KnowledgeBase articles


3 Select Do not clear my filters.
