Release Notes

McAfee Endpoint Security 10.5.2

Contents
About this release
What's new
Resolved issues
Installation information
Known issues
Product documentation

About this release

This document contains important information about the current release. We recommend that you read the
whole document.

Release date
August 28, 2017

Release build
Endpoint Security 10.5.2.2041
Endpoint Security Threat Prevention 10.5.2.2108 extension 10.5.2.2015
Endpoint Security Common 10.5.2.2072 extension 10.5.2.2013
Endpoint Security Firewall 10.5.2.2030 extension 10.5.2.2017
Endpoint Security Web Control 10.5.2.2028 extension 10.5.2.2014
Endpoint Security Adaptive Threat Protection 10.5.2.2078 extension 10.5.2.2037
Endpoint Security Migration Assistant extension 10.5.2.2006

1
 This release was developed for use with:

McAfee Endpoint Security 10.5.0

McAfee ePolicy Orchestrator (McAfee ePO ) 5.1.1 and later

Important notes about this release

Endpoint Security 10.5.2 lists these products and versions in the Master Repository on the McAfee ePO server.

Product Version Minor version

Endpoint Security Common Patch 10.5.0 2
Endpoint Security Common 10.5.0 2072
Endpoint Security Threat Prevention Patch 10.5.0 2
Endpoint Security Threat Prevention 10.5.0 2108
Endpoint Security Firewall Patch 10.5.0 2
Endpoint Security Firewall 10.5.0 2030
Endpoint Security Web Control Patch 10.5.0 2
Endpoint Security Web Control 10.5.0 2028
Endpoint Security Adaptive Threat Protection 10.5.0 2078

Endpoint Security 10.5.2 lists these products and versions in the About dialog box of McAfee Agent and Endpoint
Security, and McAfee ePO product properties.

Product Version
Endpoint Security Common 10.5.2.2072
Endpoint Security Threat Prevention 10.5.2.2108
Endpoint Security Firewall 10.5.2.2030
Endpoint Security Web Control 10.5.2.2028
Endpoint Security Adaptive Threat Protection 10.5.2.2078

Purpose
This release of McAfee Endpoint Security contains improvements and fixes. This release also includes the ability
to disable scanners from the McAfee system tray, adds support for the Endpoint Security Profiler Tool, and
provides Extra.DAT support for Adaptive Threat Protection.

We recommend that you verify this update in test and pilot groups before mass deployment.

Rating Critical

Mandatory Critical High Priority Recommended

Critical for all environments.

Failure to apply a Critical update might result in severe business impact.

A hotfix for a Severity 1 or Severity 2 issue is considered Critical.

For more information, see KB51560.

2
What's new
The current release of the product includes these enhancements and changes.

McAfee ePO rollup reporting support

The McAfee ePO rollup reporting feature includes the ability to run queries that report summary data from
multiple databases.

Endpoint Security Profiler Tool support

The Endpoint Security Profiler Tool works with this release of Endpoint Security.
Analyzes on-access scanner activity

Gathers statistics on processes and files accessed by the on-access scanner

Uses the Default, Low, and High scanning profiles to present data based on different configurations

Analyzes activity from Threat Prevention and Adaptive Threat Protection modules

Using the collected data, decide if you want to exclude a file, exclude a folder, or change how scanning is
applied to a process' activity by placing it into a different scan profile.

McAfee Cloud Threat Detection support

McAfee Cloud Threat Detection (McAfee CTD) adds cloud-based sandboxing capability to your existing security

infrastructure through McAfee ePolicy Orchestrator (McAfee ePO ) software.

For information about configuring McAfee CTD to work with Endpoint Security, see the McAfee Cloud Threat
Detection documentation.

Common enhancements
Log file updates Changes the activity, error, and debug log files for all Endpoint Security modules so they are
now written in English only, regardless of system locale. This behavior is not configurable.

Installation improvements Adds a secondary validation check when a validation failure occurs through the
Validation and Trust Protection service. The secondary check succeeds if the calling process is signed by McAfee,
and all loaded modules are chained to a trusted certificate authority. This allows Endpoint Security processes to
operate normally in the presence of legitimate third-party software applications that inject processes, and
digitally sign the software.

Threat Prevention enhancements

Adds the option for disabling Endpoint Security scanners to the Quick Settings menu, accessed from the
McAfee system tray icon.

Adds support for Early Load Anti-Malware (Windows 8 and later). This feature collects the list of device
drivers loaded during the system boot process, then scans them when the scanning services run.

Firewall enhancements
The Endpoint Security Firewall: Events from McAfee GTI query is now called Endpoint Security Firewall: Events from McAfee
GTI in the last 6 months. Previously, this query had no date limit; now it only queries results from the last 6
months.

3
 Adaptive Threat Protection enhancements
Adds the option for disabling Endpoint Security scanners to the Quick Settings menu, accessed from the
McAfee system tray icon.

Adds Extra.DAT support for Real Protect. You can install an Extra.DAT file to suppress false positive
detections until the next scheduled ATP content update is released.

The behavior of the Allow action for ATP threat notifications changed between 10.2 and 10.5. In 10.2, if a user
selected Allow, the application was contained. In 10.5, the Allow action lets the application run uncontained.

Adds the ability to view the Adaptive Threat Protection content version.

Integrates several Real Protect performance improvements, including the resolution of a Google Chrome
false positive issue.

Migration Assistant enhancements

This release adds a notification for unsupported characters in migrated Access Protection exclusions.

VirusScan Enterprise uses the semicolon ( ; ) characters to separate include and exclude processes, but the
Migration Assistant recognizes only the comma ( , ) characters. When you migrate exclusions that use
semicolons to separate multiple include and exclude processes, the processes are migrated to Access
Protection as a single process. The result is that migrated policies do not contain all the inclusions and
exclusions that were in the original policy.

Best practice: Review source VirusScan Enterprise policies before migration. Locate all semicolons and change
them to commas.

If you migrate policies with unrecognized semicolons, the Migration Assistant notifies you before completing
manual migration that policies have unsupported characters. You can cancel the migration, revise the source
policies, then begin manual migration again. You can also edit your migrated policies later.

Updated components
VSCore 15.6.0.2770 McAfee Agent 5.0.6

SysCore 15.6.0.2830 McAfee Anti-Malware Engine 5900

AMCore 1.5.0.3142

Endpoint Security rollup result types

Use these Endpoint Security result types in the Query Builder wizard for querying consolidated data.
Endpoint Security Firewall Rolled-Up Systems

Endpoint Security Platform Rolled-Up Systems

Endpoint Security Rolled-Up Threat Events

Endpoint Security Threat Prevention Rolled-Up Systems

Endpoint Security Web Control Rolled-Up Events

Endpoint Security Web Control Rolled-Up Systems

4
 Roll up system or event data for Endpoint Security
Compile data from multiple servers at the same time using McAfee ePO Roll Up Data server tasks.

Task
1 From the McAfee ePO console, open the Server Task Builder.
a Select Menu | Automation | Server Tasks.

b Click New Task.

2 On the Description page, type a name and description for the task, and select whether to enable it, then
click Next.

3 Click Actions, then select Roll Up Data.

4 From the Roll up data from: drop-down list, select one:

All registered servers

Selected registered servers Select the servers you want, then click OK.

5 To roll up system data:

a For the Data Type, select Managed Systems.

b Select the Additional Types: Configure link, and select the Endpoint Security types you want to include.

6 To roll up event data:

a Click the + button at the end of the table heading to add another data type, then select Threat Events.

b Click Additional Types: Configure, and select the Endpoint Security types you want to include.

7 Schedule the task, then click Next.

8 Review the settings, then click Save.

Resolved issues
The current release of the product resolved these issues. For a list of issues fixed in earlier releases, see the
Release Notes for the specific release.

Installation

Reference Resolution
1185007 An error no longer occurs, in rare cases, when migrating VirusScan Enterprise 8.8 to Endpoint
Security.
1187221 This release resolves a compatibility issue with HEAT Desktop & Server Management (DSM),
allowing a successful installation.

1193300 Endpoint Security 10.1.1 extensions now successfully upgrade to 10.5.2.

Common

Reference Resolution
1180277 Explorer now successfully accesses UPnP devices when Application Protection rules are enabled.
1189307 McAfee GTI connectivity status is now properly displayed immediately after a configuration
change.

5
 Threat Prevention

Reference Resolution
1167578 On-access scan no longer blocks access to Hyper-V configuration files that reside on a Cluster
Shared Volume (CSV).
1175984 You can now configure the ability to disable scanning from the McAfee system tray icon under
Quick Settings.
1178903 ScriptScan is now compatible with Internet Explorer 11.
1190143 On-demand scans now display the correct number of files when a file was cached during a
previous scan.
1195284 On-access scan and on-demand scan exclusions are no longer duplicated when systems restart.

Firewall

Reference Resolution
1189926 After upgrading the Endpoint Security extension in McAfee ePO, the Firewall Rules policy and Firewall
Catalog now display Local Network and Remote Network columns correctly.
1195643 mfefw.exe no longer crashes due to a rarely seen unhandled exception.

Adaptive Threat Protection

Reference Resolution
1175984 You can now configure the ability to disable scanning from the McAfee system tray icon under
Quick Settings.
1199945 The Adaptive Threat Protection client no longer submits erroneous application and DLL telemetry
to the TIE server when that telemetry was already sent.

Installation information
Use this information while installing Endpoint Security.
For more information, see the McAfee Endpoint Security Installation Guide.

Best practice: Restart the client system after installing this release of the product.

Requirements
This release installs Endpoint Security on Windows systems that are self-managed and managed with McAfee
ePO or McAfee ePO Cloud.

For a complete list of current system requirements, see KB82761.

Important information about McAfee Host IPS

The Endpoint Security 10.5.2 installation package includes McAfee Host Intrusion Prevention Content
8.0.0.7850. This content version is required by McAfee Host IPS and adds support for the new digital signatures
used by Endpoint Security 10.5.2. The installation updates the content on systems running McAfee Host IPS
with previous versions of the content.

6
 Management software
McAfee ePO 5.1.1

McAfee ePO 5.3.1

McAfee ePO 5.9.0

McAfee ePO Cloud

For the latest Endpoint Security management entitlement and license information, see KB87057.

McAfee Agent 5.0 Patch 2 (5.0.2.333) (minimum)

McAfee Agent 5.0.5 (recommended)

For systems running an earlier version of McAfee Agent:

On systems managed by McAfee ePO, upgrade the McAfee Agent manually before deployment.

On systems managed by McAfee ePO Cloud, no action is required. The new agent is installed
automatically on managed systems from the McAfee ePO Cloud installation URL sent to users.

On self-managed systems, no action is required to upgrade version 4.0 and later. For earlier versions,
upgrade McAfee Agent manually.

For more information, see the McAfee Endpoint Security Installation Guide.

Supported legacy products (required for migration only)

Migration supports all patch levels for these legacy products.

McAfee VirusScan Enterprise 8.8

McAfee VirusScan Enterprise for Linux 2.0.2

McAfee Host Intrusion Prevention 8.0

McAfee SiteAdvisor Enterprise 3.5

McAfee Endpoint Protection for Mac 2.3 or McAfee VirusScan for Mac 9.8

Products and platforms no longer supported

McAfee Agent 5.0.2.132 Windows Server 2008

McAfee Agent 5.0.1 Windows Vista Service Pack 2 (SP2)

McAfee Agent 5.0.0

Known issues
For a list of known issues in this product release, see KB82450.

7
 Updates to documentation
Some updates to Endpoint Security 10.5.2 are not reflected in the product guide or Help.

Documentation Incorrect Updated information

information
McAfee Endpoint Proxy Server for Proxy Server for McAfee GTI is now Proxy Server. Proxy support applies
Security 10.5.0 Product McAfee GTI to multiple technologies, including the Real Protect feature of
Guide and Common Adaptive Threat Protection.
Help This text will be updated in the next version of the
documentation.

McAfee Endpoint Server Settings Server Settings Adaptive Threat Protection page
Security 10.5.0 Product Adaptive Threat If you manage clients running Adaptive Threat Protection and
Guide and Adaptive Protection page either the Threat Intelligence Exchange module for McAfee
Threat Protection Help Missing Endpoint Security or Threat Prevention from the same McAfee
information about ePO server, the rule displayed in the Server Settings page depends
Adaptive Threat on the content checked in to the Master Repository. If the AMCore
Protection content. Content Package is checked in, Adaptive Threat Protection displays
rules from that content package. Otherwise, Adaptive Threat
Protection displays rules from the Threat Intelligence Exchange
module Content. If neither are present in the Master Repository, the
Server Settings page for Adaptive Threat Protection is blank.
Adaptive Threat Protection displays rules from only one content
source.

If an update to Adaptive Threat Protection module Content

includes changes to rules, those changes don't appear in Server
Settings (and can't be edited) until AMCore Content Package is
updated with those changes.

This text will be included in the next version of the

documentation.

Product documentation
McAfee Endpoint Security includes the following documentation.
McAfee Endpoint Security Release Notes (this document)

McAfee Endpoint Security Installation Guide

McAfee Endpoint Security Migration Guide

McAfee Endpoint Security Client Help

Endpoint Security Common Help

Endpoint Security Threat Prevention Help

Endpoint Security Firewall Help

Endpoint Security Web Control Help

Endpoint Security Adaptive Threat Protection Help

8
 Getting product information by email
The Support Notification Service (SNS) delivers valuable product news, alerts, and best practices to help you
increase the functionality and protection capabilities of your McAfee products.
To receive SNS email notices, go to the SNS Subscription Center at https://sns.secure.mcafee.com/signup_login
to register and select your product information options.

Where to find product documentation

Go to docs.mcafee.com to find the product documentation for this product.

Go to support.mcafee.com to find supporting content on released products, including technical articles.

Copyright 2017 McAfee, LLC

McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Other
marks and brands may be claimed as the property of others.

0-00