McAfee ePolicy Orchestrator 5.9.1 Release Notes

Contents About this release What's new Resolved issues Known issues Installation information Getting product information by email Where to find product documentation

About this releaseThis document contains important information about the current release. We recommend that you read thewhole document.

Release build — 5.9.1

Purpose

This release adds enhancements and fixes problems that were reported in the previous version.

Rating — Mandatory

Mandatory Critical High Priority Recommended

• Required for all environments.

• Failure to apply Mandatory updates might result in a security breach.

• Mandatory patches and hotfixes resolve vulnerabilities that might affect product functionality andcompromise security.

• You must apply these updates to maintain a viable and supported product.

1

For more information, see KB51560.

Upgrade paths

At the time of the current release, you can upgrade these versions to McAfee®

ePolicy Orchestrator®

(McAfee®

ePO™

) 5.9.1:

• McAfee ePO 5.1.3 • McAfee ePO 5.3.3

• McAfee ePO 5.3.1 • McAfee ePO 5.9.0

• McAfee ePO 5.3.2

For information about supported upgrade paths for McAfee ePO, see KB86693.

Updated components

The current release upgrades these components.

• Apache Http Server 2.4.28

• Apache Tomcat 7.0.82

• Java Runtime 1.8.0_152

• OpenSSL 1.0.2l

Supported platforms

The current release is compatible with these platforms.

Operating System and Agent Handler Support

• Windows 2008 R2

• Windows Server 2012

• Windows Server 2012 R2

• Windows Server 2016

Database

• Microsoft SQL Server and SQL Express Edition 2008 SP1

• Microsoft SQL Server and SQL Express Edition 2008 R2

• Microsoft SQL Server and SQL Express Edition 2012

• Microsoft SQL Server and SQL Express Edition 2014

• Microsoft SQL Server and SQL Express Edition 2016

Browser Support

• Internet Explorer 8.0 or later (including full support for compatibility mode)

• Firefox 24.0 or later

• Chrome 30.0 or later

• Safari 7.0 or later

• Microsoft Edge (Spartan browser)

This version of McAfee ePO requires enabling TLS 1.1 or 1.2 support on your browser.

2

For information about supported platforms, environments, and operating systems for McAfee ePO, seeKB51569.

What's newThe current release of the product includes these enhancements and changes.

Replaced Oracle Java Runtime Environment with Azul Zulu JREThe current release replaces the Oracle Java Runtime Environment with the Azul Zulu JRE in McAfee ePO.

Removed SQL Express from McAfee ePO installerThe McAfee ePO installer no longer provides the option to install SQL Express. SQL Express can still be usedwith McAfee ePO, but it must be installed separately.

Interface changes to Software ManagerThis graphic shows the changes to the Software Manager interface.

Added License Key, Edit link — At the bottom of the Product Categories tree, next to License Key, click Editto navigate to the Edit License Key page. There you can edit and save your software license key.

The actions that previously appeared in the component description are moved to blue bar above thecomponent list table.

Interface changes to Product DeploymentThis graphic shows the changes to the New Deployment interface.

3

Choose the type of deployment — These configuration settings were removed and the setting is nowconfigured automatically.

In Select your software, the + and – were replaced with the + Add another package link at the bottom of thesection.

In Select the systems, Select Individual Systems, and Select by Tag or Group to display options for selectingsystems.

4

Select Deployment was added and includes:• Auto Update — Previously part of Choose the type of deployment.

• Allow end users to postpone this deployment (Windows only) — Previously part of Select the systems.

• Maximum number of postponements allowed — Previously part of Select the systems.

• Option to postpone expires after (seconds) — Previously part of Select the systems.

• Display this text — Previously part of Select the systems.

Reworded option Select a start time to Start time.

Interface changes to Dashboards

This graphic shows the changes to the Dashboards interface.

A bell icon appears in the title bar, next to Log Off. A red icon indicates that software updates areavailable to download. By default, the icon is grey. Click the icon and the Software Manager page opens.Hover over the bell icon to show the software update status.

Database

Flattened the database views — The current release has reduced the number of database tables.

Resolved issuesThe current release of the product resolves these issues. For a list of issues fixed in earlier releases, see theRelease Notes for the specific release.

5

Security fixes

Reference Issue description

1176825 This release addresses several cross-site scripting (XSS) vulnerabilities.

1179499 This release updates the RSA SSL-J and Crypto-J libraries.

1192218 This release updates Apache Http Server to 2.4.27.

1193405 This release signs files with an SHA-2 certificate.

1196591 This release updates OpenSSL to 1.0.2k to address several vulnerabilities. See McAfee SB10197,ePolicy Orchestrator is vulnerable to Sweet32 vulnerability (CVE-2016-2183), for details.

1210887 This release adds TLS 1.2 support for McAfee ePO outbound connections.

1212417 This release addresses a CVE-2007-6750 vulnerability.

1213891 Windows Authentication now correctly functions after disabling SMBv1.

Client and server tasks

Reference Issue description

1147067 When a client task is created or edited by a user who does not have administrator rights, theOwner group is no longer incorrectly set to Administrators.

1182958 You can now run an external command as a server task action without the next action startingbefore the command completes.

1190211 Server tasks configured to run client tasks on the results of a query are no longer categorized asfailed if the query returns no results.

1198430 When multiple McAfee ePO servers are registered with policy sharing enabled, the SynchronizeShared Policies server task now continues to execute if it can't connect to a registered server.

1209063 Client tasks no longer inherit settings from the My Organization level when inheritance was brokenat a lower group.

1209066 In some cases, saving a policy causes the McAfee ePO console to become unresponsive for 15 ormore minutes. This release resolves this issue.

1211700 The randomization setting in the sub-action under the Wakeup Agent, Run Client Task Now, and ClientTask Assignment server tasks is now enforced correctly.

1211789 Opening a client task no longer takes an unusually long time.

1212397 If you try to create a client task with a name that is already used, you're notified and the Savebutton is disabled.

Database

Reference Issue description

1185912 The McAfee ePO console is no longer slow to edit or save certain custom queries due toinadequate indexing on the EPOServerEventsMT table in the database.

1195177 When an Active Directory synchronization task syncs with a large number of systems, the McAfeeePO server can reach a MAX connection state, rejecting new agent-server communicationrequests until the task is complete. This release resolves this issue.

1210653 You can now successfully convert Universal Time Coordinated (UTC) to Eastern Standard Time(EST).

1211146 If the SQL Server is running long transactions, the SQL TempDB can grow in size, eventuallyrunning out of space and causing the data channel tables in the database to grow. This releaseresolves this issue.

6

Policy, tag, and key management

Reference Issue description

1154375 When using the Firefox browser, McAfee ePO now opens the Edit Assignment page when you save apolicy assignment on a single endpoint.

1179253 In the Tag Catalog, tags are now successfully applied after creating a tag.

1196882 Text strings are now correctly displayed in the Policy Comparison page.

1202501 An Active Directory synchronization no longer creates duplicate entries if the system is in theSystem Tree and Leave systems in their current location is selected.

1203516 Tags set to apply on every agent-server communication based on IP are now properly applied.

1206256 Tags with double-byte characters are now successfully applied to endpoints.

1207218 Policy owner information in Broken Inheritance is now correctly displayed.

1209077 Applying a tag using the Contain pattern comparison no longer generates the error S-Expressionin tag ID x did not match.

Queries and reports

Reference Issue description

1175417 Running a query as a non-administrator no longer generates the error message An erroroccurred while retrieving the requested data.

1193656 Duplicate query entries now include the correct query name.

1187446 Queries that run in the McAfee ePO console no longer hang and always return results.

1199459 The product version is now correctly displayed after the Bar Chart query runs and returns theresults.

1205176 On the System Details page, the installed McAfee Agent version now appears, instead of EPOAGENT.

1206036 On the Actions tab of the Server Task Builder, if the query Agent Uninstalls Attempted in the Last 7 Days ispreselected, the Sub-Actions option is now enabled.

1208404 When exporting data from some queries and reports to XML, the XML file no longer containsredundant carriage return, line feed (CRLF).

1213873 The Pie Chart query now correctly runs in a standalone query.

1216109 On the System Details page, DAT-Version (VirusScan Enterprise) is now correctly displayed.

System Tree

Reference Issue description

1156776 During an Active Directory synchronization, excluded containers are no longer added to theSystem Tree.

1160948 Duplicate systems no longer frequently appear in the System Tree.

1164286 Selecting System Tree | Select a machine | Action | Show Client Events no longer generates the error Therequested resource was not found.

1166161 All systems are now visible when you test sorting in the System Tree with sorting disabled orenabled.

1192912 Custom property fields now remain visible after entering a new value.

1198853 When Active Directory synchronization runs, some systems are no longer populated tounexpected locations in the System Tree.

7

Reference Issue description

1209069 System Tree path now provides the correct result of the Applied Client Task query.

1218697 The System Tree now moves systems to the correct folder with sorting disabled.

Upgrades and installation

Reference Issue description

1181912 Permission sets with Global Reviewer permissions no longer change after upgrading from 5.3.3 to5.9.0.

1184484 The McAfee Agent installation path is now correctly displayed as Program Files\McAfee\Agent if you'relogged on in French.

1190740 The McAfee Agent 5.x default installation path is now correctly displayed as Program Files\McAfee\Agent instead of Program Files\McAfee\Common Framework.

1197173 Upgrades no longer fail because a SQL Server user is no longer required to have systemadministrator rights.

1217643 In some cases, combinations of 1024 certificates and cipher suite lists caused failed connections,resulting in upgrade issues. This release resolves this issue.

User interface

Reference Issue description

1186589 Translated migration text now consistently appears in the Root Certificate section in the CertificateManager.

1192234 In the Tag Catalog Preview page, the option Reset X manually tagged and excluded systems is now grayedout if you create a tag with no criteria, manually create a computer object, and assign the tag tothe computer.

1196845 The title Create New Task in the pop-up window is now translated and displayed correctly.

1211077 A space is no longer missing between continuous and deployment on the New Deployment page.

1211766 In the System Tree, Threat Events in the Last 2 Weeks now appears in the correct size.

Miscellaneous

Reference Issue description

1165844 Reviewers are no longer given Global Administrator permissions after upgrading from 4.6.x to5.1.x, or after exporting permissions from 4.6.x to 5.1.x.

1165876 An Apache out-of-memory condition no longer causes a failure to process data channel requeststhat resulted in agent-server communication failures with Connection refused and Serverbusy error messages.

1182940 This release replaces Oracle Java Runtime Environment with Azul Zulu JRE.

1186330 The McAfee ePO Application Server (Tomcat) no longer crashes when an Active Directorysynchronization task runs and the task is unable to connect to the LDAP server.

1190396 From McAfee® Endpoint Security, Automatic Response emails containing the {threatActionTaken}variable now return the correct value.

1196946 If you remove a server task, it no longer stays in the Task Queue in the database, resulting in theprocess trying to validate the deleted server task every minute.

1203183 The Run at every policy enforcement (Windows only) option is no longer available. This feature wasdeprecated in McAfee Agent 5.0.

8

Reference Issue description

1204151 The McAfee ePO Application Server (Tomcat) no longer crashes when replicating to distributedrepositories due to Java heap corruption.

1209055 Checking in an Extra.DAT file no longer generates data truncation errors in the Orion Log.

1209343 Creating an Automatic Response with multiple groups using the Defined at filter, and adding twogroups with an Or operator, no longer generates the error message Can't continue editingthis response since it has been put into an invalid state. Click OK toreturn to the responses page.

1209946 Custom properties are now always removed from McAfee ePO when they are removed from anendpoint.

1210469 A user with Global Reviewer permissions can now view Client Event details.

1219115 This release resolves an Agent Handler issue where a null pointer error can lead to an Apacheout-of-memory condition, resulting in agent-server communication failure until Apache restarts.

Known issuesFor a list of known issues in this product release, see this McAfee KnowledgeBase article: KB87673.

Installation informationThe current release of the product has specific installation requirements and best practices.

For information about installing or upgrading ePolicy Orchestrator software, see the McAfee ePolicy OrchestratorInstallation Guide.

Best practice: Run the Pre-Installation AuditorBefore you upgrade McAfee ePO, run the McAfee ePO Pre-Installation Auditor to reduce or prevent upgradeissues.

Running the auditor automates many of the verification tasks included in the upgrade process.

Task1 Download the McAfee ePO Pre-Installation Auditor from the McAfee ePO Downloads page:

secure.mcafee.com/apps/downloads/my-products/login.aspx

2 Double-click ePIP.exe to start the auditor, then follow the prompts.

For more information, see the McAfee ePO Pre-Installation Auditor Release Notes.

Upgrade McAfee ePO in a Windows clusterIf you are upgrading McAfee ePO in a Windows cluster, you must delete the certificates from your quorum disk.

Deleting the certificates prevents service startup failures in a failover situation (see tracking issue 1213758).

Delete these files in <EPO>\Apache2\conf\ssl.crt:

9

• ahCert.crt

• ahpriv.key

• mfscabundler.cer

Requirements for installation or upgrade if using SSL connection to SQLServerYour installation or upgrade might fail if you use an SSL connection between your McAfee ePO 5.9.1 server andyour SQL database.

This release of McAfee ePO updated the RSA libraries that have additional security requirements forcommunication with the database. To meet the new compatibility requirements, install all available Windowsupdates on your McAfee ePO server and the SQL Server before starting the installation or upgrade.

For more information, see KB87731.

Enable TLS 1.1 or 1.2 on your browserThis version of McAfee ePO 5.9.1 requires enabling TLS 1.1 or 1.2 support on your browser.

To provide additional security for the communications between your web browser and your McAfee ePO server,you must enable TLS 1.1 or 1.2 support on your browser.

See the documentation for your browser to enable TLS 1.1 or 1.2 support.

Getting product information by emailThe Support Notification Service (SNS) delivers valuable product news, alerts, and best practices to help youincrease the functionality and protection capabilities of your McAfee products.

To receive SNS email notices, go to the SNS Subscription Center at https://sns.secure.mcafee.com/signup_loginto register and select your product information options.

Where to find product documentationGo to docs.mcafee.com to find the product documentation for this product.

Go to support.mcafee.com to find supporting content on released products, including technical articles.

Copyright © 2018 McAfee, LLC

McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Othermarks and brands may be claimed as the property of others.

0-00