Release Notes
Revision D
McAfee Data Loss Prevention 10.0.200
For use with McAfee ePolicy Orchestrator
Contents
About this release
New features
Enhancements
Resolved issues
Installation instructions
Known issues
Getting product information by email
Find product documentation
About this release
This document contains important information about the current release. We recommend that you
read the whole document.
This release includes the following:
• McAfee Data Loss Prevention (McAfee DLP) extension for McAfee ePolicy Orchestrator (McAfee ePO) build 10.0.200.19
• McAfee Data Loss Prevention Endpoint (McAfee DLP Endpoint) client for Microsoft Windows build 10.0.200.392
• McAfee Data Loss Prevention Prevent (McAfee DLP Prevent) extension for McAfee ePO build 10.0.202.107
  McAfee DLP Prevent requires these McAfee ePO extensions:
  • Appliance Management Extension build 1.0.0.448
  • Common UI build 1.3.0.258
• McAfee DLP Endpoint Diagnostic Tool for Windows build 10.0.200.16
• McAfee DLP Prevent appliance installation image
• McAfee Help Desk build 2.0.0.130
McAfee Data Loss Prevention Endpoint for Mac (McAfee DLP Endpoint for Mac), McAfee Data Loss
Prevention Discover (McAfee DLP Discover), and McAfee Data Loss Prevention Prevent for Mobile
Email (McAfee DLP Prevent for Mobile Email) are not part of this release. The previous release of each of
these products is supported by the current extension.
McAfee DLP Prevent does not support automatic updates.
Supported McAfee ePO and McAfee Agent versions
Software | Version
McAfee ePO | 5.1.3 or later; 5.3.2 hotfix 1144868; 5.9. When running McAfee ePO in Microsoft Internet Explorer, use version 10.0 or later.
McAfee Agent for Windows | 4.8 Patch 3; 5.0.5
McAfee DLP requirements
Table 1-1 Hardware requirements
Hardware type | Specifications
McAfee ePO server
McAfee DLP extension in McAfee ePO
• RAM — 1 GB minimum (2 GB recommended)
• Hard disk — 80 GB minimum
McAfee DLP Discover server
• CPU — Intel Core 2 64-bit, minimum 2 CPUs
• RAM — 4 GB minimum
• Hard disk — 100 GB minimum
McAfee DLP Prevent server
Hardware appliance:
• Model 4400
• Model 5500
• Model 6600
Endpoint computers
• RAM — 1 GB minimum (2 GB recommended)
• Hard disk — 300 MB minimum free disk space (500 MB recommended)
Network
Minimum 100 megabit LAN serving all workstations and the McAfee ePO server
Table 1-2 Supported operating systems
Computer type | Software
Endpoint computers, Microsoft Windows
• Windows 7 SP1 32-bit or 64-bit
• Windows 8 or 8.1 32-bit or 64-bit
• Windows 10 1507, Windows 10 1511, and Windows 10 1607 (Anniversary Update) 32-bit or 64-bit
• Windows Server 2008 SP2 32-bit or 64-bit
• Windows Server 2008 R2 SP1 64-bit
• Windows Server 2012 64-bit
• Windows Server 2012 R2 64-bit
File System Discovery Rules and Network Communication Protection Rules are not supported on servers.
Table 1-3 Supported virtual operating systems
System type | Software
VDI systems
McAfee DLP extension in McAfee ePO
• Citrix XenDesktop 7.0 and 7.9
• VMware View 5.3, 6.0, and 6.2
McAfee DLP Prevent server
• VMware vSphere 5.5
• VMware Server 5.5 or 6.0
Remote desktops
• Citrix XenApp 6.5 Feature Pack 2, 7.0, and 7.8
• Microsoft Remote Desktop
Compatible McAfee products
The McAfee DLP Endpoint client for Windows in this release has been tested for compatibility with the
following McAfee managed product versions.
McAfee managed product | Supported versions
McAfee Application Control (formerly Solidcore) | 6.2, 7.0.1, and 8.0
McAfee Client Proxy | 2.3.1
McAfee Data Exchange Layer (DXL) | 3.0.1 and 3.1
McAfee Threat Intelligence Exchange (TIE) for Endpoint Security | 10.2.2
McAfee Drive Encryption (formerly McAfee Endpoint Encryption for PC) | 7.1.3 and 7.2.1
McAfee Endpoint Security | 10.2.1 and 10.5.1
McAfee File and Removable Media Protection (FRP) (formerly McAfee Endpoint Encryption for Files and Folders) | 4.3.1 HF2 and 5.0.2
McAfee Host Intrusion Prevention System | 8.0 Patch 8 and Patch 9
McAfee Management of Native Encryption (MNE) | 4.1.1
McAfee Policy Auditor | 6.2.2
McAfee Risk Advisor | 2.7.2
McAfee Rogue System Detection (RSD) | 5.0.4 and 5.0.5
McAfee SiteAdvisor Enterprise | 3.5.5
McAfee Virtual Technician | 8.1.0
McAfee VirusScan Enterprise | 8.8.8 and 8.8.9
In addition, McAfee DLP Endpoint is compatible with the latest release of the WebMER tool, and
McAfee DLP Prevent extension is compatible with McAfee Logon Collector 3.0.2.
Supported software
McAfee DLP Endpoint supports the following third-party software products. These versions have been
tested for compatibility with this release.
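Application Type | Software | Versions
Virtualization applications | Citrix XenApp | 6.5 FP2 and 7.9. Citrix Device Rules are not supported when using a separate controller server with XenApp 7.x.
Virtualization applications | Citrix XenDesktop VDI | 7 and 7.9
Virtualization applications | VMware View | 5.3, 6.0, and 6.2
Virtualization applications | VMware Hyper-V | 6.3.9600
Cloud applications | Box | 4.0.7724.0
Cloud applications | Dropbox | 16.4.29
Cloud applications | Google Drive | 1.32.4066.7445
Cloud applications | iCloud | 6.1.0.30
Cloud applications | Microsoft OneDrive | 17.0.2015–17.3.6517.0809
Cloud applications | Syncplicity | 4.1.1.1006
Security and encryption applications (Supported on McAfee DLP Endpoint. Other McAfee DLP products recognize that these files are encrypted.) | Boldon James Email and Office Classifier | 3.9.0
Security and encryption applications | Boldon James File Classifier | 3.8.1
Security and encryption applications | Microsoft Active Directory Rights Management Service (AD RMS) | 2008 and 2012. McAfee DLP Discover also supports Microsoft RMS.
Security and encryption applications | MobileIron | 8.5.0
Security and encryption applications | MobileIron AdminPortal | 8.5.0
Security and encryption applications | MobileIron Sentry | 7.6.0
Security and encryption applications | Seclore FileSecure Policy Server | 2.78.0.0
Security and encryption applications | Seclore Desktop Client | 2.43.0.0. McAfee DLP Discover supports detecting if a file was encrypted with Seclore.
Security and encryption applications | Stormshield Data Security | 9.1.20688
Security and encryption applications | Titus Classification Suite | 4.6 HF 3
Security and encryption applications | Titus SDK | 3.1.9.9
Security and encryption applications | TrueCrypt | 7.0.1
Office and productivity applications | Adobe Acrobat Pro | X and XI
Office and productivity applications | Adobe Reader | 11 and DC
Office and productivity applications | Google Chrome, 32-bit | 37.0.2062.103–57.0.2987.110 (not including 54.x)
Office and productivity applications | Google Chrome, 64-bit | 49.0.2623.108–57.0.2987.110 (not including 54.x)
Office and productivity applications | Lotus Notes client software | 8.5.3 and 9.0.1
Office and productivity applications | Microsoft Edge | 20.10240.16384.0
Office and productivity applications | Internet Explorer | 11
Office and productivity applications | Microsoft Office, 32-bit and 64-bit | 2010, 2013 SP1, and 2016
Office and productivity applications | Microsoft Outlook, 32-bit and 64-bit | 2010, 2013 SP1, and 2016
Office and productivity applications | Microsoft Sharepoint | 2010 and 2013
Office and productivity applications | Mozilla Firefox, 32-bit and 64-bit | 48–50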
New features
The current release of the product includes these new features.
McAfee DLP Prevent load balancing
Use the Load Balancing option in the DLP Prevent Server product to create a cluster of appliances. A cluster
configuration balances the email and web traffic for analysis between a master appliance and a
number of cluster scanners to enhance performance. It also ensures high availability in case of failure.
RESPMOD support
McAfee DLP Prevent now supports ICAP Response Modification (RESPMOD) for analyzing web content
being sent from internal web servers.
Enhancements
The current release of the product includes these enhancements.
Web protection rule enhancements
• The web protection rule definition now includes another condition, Upload Type. The condition has two options, selected from a drop-down list: Is any data upload (ALL) and Is file upload. The file upload option only inspects files. It does not try to block other data types such as webmail or web forms.
  When used in backward-compatible mode (strict or non-strict), the condition triggers a warning but the policy can still be applied. Clients older than 10.0.101 treat all uploads as Is any data upload (ALL).
• Web protection rules now support HTTPS 2.0.
• Outlook Web Access (OWA) is now supported in web protection rules. Refer to these guidelines when using protected content with OWA:
  • To protect text in the OWA email body, use content classification criteria, not content fingerprinting ("tagging").
    Content fingerprinting is not recognized in the OWA email body. When text is copied from a file that was content fingerprinted ("tagged") and pasted into the OWA email body, the Microsoft webpage adds additional elements and proprietary formatting notations such as .<o:p> </o:p> </p> <p class=\"MsoNormal\"> /n. </span>. These additions cause content fingerprints to not match.
  • To protect content copied from fingerprinted documents and pasted into OWA, use clipboard protection rules. Set the clipboard rule Destination application to is one of supported browsers and set the Destination URL to the OWA URL.
  • When using OWA for Exchange Online (Office 365) and attaching a file that is already in OneDrive or already in SharePoint online (Attach Group Files), the file is attached to the email envelope on the Exchange server and not in the browser. Since the file is not attached in the browser, the web request does not include the file and McAfee DLP Endpoint can't analyze it.
Application file access rules for unsupported Chrome versions
Application file access protection rules now support a parameter of unsupported Chrome version
together with a URL definition. The parameter allows blocking specific URLs when accessed with
unsupported versions of the Chrome browser.
For more information on using application file access protection and web protection rules with Chrome,
see KB88322.
Advanced pattern and dictionary enhancements
• The maximum threshold for dictionaries and advanced patterns is now 1,000. When selecting dictionaries or advanced patterns to add to a classification definition, the Threshold value (default = 1) can be edited. Values larger than the maximum now default to the maximum or are truncated.
• Two advanced patterns and validation algorithms, Dutch citizen service number (BSN) and bank account numbers, have been added to the built-in list.
• Advanced pattern definitions now support MasterCard numbers starting with 2. MasterCard introduced the new Bank Identification Numbers (BINs) in October 2016. MasterCard BINs starting with 5 are still supported.
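The following added example is not McAfee code and does not reproduce the product's built-in patterns. It shows how a pattern plus a validation algorithm works for two of the cases named above: MasterCard numbers in both the 5-series and the 2-series BIN range (222100–272099), validated with the Luhn checksum, and the Dutch BSN, validated with the standard 11-test. The regular expressions, function names, sample text, and the reading of Threshold as a minimum count of validated matches are assumptions.

```python
import re

MAX_THRESHOLD = 1000  # maximum threshold stated in these release notes

# Assumed candidate patterns (not the product's own definitions).
CARD_RE = re.compile(r"(?<!\d)(?:\d{4}[ -]?){3}\d{4}(?!\d)")
BSN_RE = re.compile(r"(?<!\d)\d{9}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit counting from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def is_mastercard(digits: str) -> bool:
    """16 digits, BIN in 51-55 or 222100-272099, and a valid Luhn checksum."""
    if len(digits) != 16 or not digits.isdigit():
        return False
    bin6 = int(digits[:6])
    in_range = 510000 <= bin6 <= 559999 or 222100 <= bin6 <= 272099
    return in_range and luhn_ok(digits)


def is_bsn(digits: str) -> bool:
    """Dutch BSN 11-test: weights 9..2 then -1, sum divisible by 11."""
    if len(digits) != 9 or not digits.isdigit() or int(digits) == 0:
        return False
    weights = (9, 8, 7, 6, 5, 4, 3, 2, -1)
    return sum(w * int(c) for w, c in zip(weights, digits)) % 11 == 0


def scan(text: str, threshold: int = 1) -> dict:
    """Return validated matches and whether each pattern meets the threshold."""
    threshold = max(1, min(threshold, MAX_THRESHOLD))  # clamp to the maximum
    cards = [re.sub(r"[ -]", "", m) for m in CARD_RE.findall(text)]
    cards = [c for c in cards if is_mastercard(c)]
    bsns = [b for b in BSN_RE.findall(text) if is_bsn(b)]
    return {
        "mastercard": cards,
        "bsn": bsns,
        "mastercard_hit": len(cards) >= threshold,
        "bsn_hit": len(bsns) >= threshold,
    }


# Constructed sample text using widely published test card numbers.
SAMPLE = (
    "Refund to 2223 0000 4840 0011 and 5555-5555-5555-4444; "
    "order ref 2223000048400012, other card 4111111111111111. "
    "BSN 111222333 on file, case id 123456789."
)

if __name__ == "__main__":
    print(scan(SAMPLE))
```

The pattern alone matches four 16-digit strings and two 9-digit strings in the sample; validation rejects the card with a bad checksum, the Luhn-valid card outside the MasterCard BIN ranges, and the 9-digit case id, which is what keeps match counts against a threshold meaningful.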
Query enhancement
Drilling down into an incident in McAfee ePO Queries and Reports displays the same properties that are
displayed in the incident details in the DLP Incident Manager.
Import/export enhancements
These definitions can be imported and exported in CSV format:
• Email address lists
• Serial number and end-user pair
• URL lists
• Device templates
• Dictionaries
Match string tab
When reviewing incident details in the DLP Incident Manager, clicking the match string count opens the
match string file in a new tab.
REST API support
The McAfee DLP extension for McAfee ePO provides a set of REST APIs to create definitions and control
policies. The REST API calls require a valid McAfee ePO user who has permissions in McAfee ePO
Permission Sets to perform the DLP actions invoked by the API. Supported in this release are applying
policies and importing URL lists, email lists, device templates, and dictionary definitions.
You can create REST API calls in the programming language of your preference. See KB87855 for
sample Java source code that shows how to use the REST API.
Device groups
Device groups have been added to simplify rules while maintaining granularity. A device group
combines several device templates into a single template. Device groups are defined in the Device
Templates section of the DLP Policy Manager. When creating a group, you must specify if it is a fixed hard
drive, plug and play, or removable storage group. The group template must apply to either Windows
or Mac devices; you can't combine both types of templates in a single group.
McAfee DLP Prevent enhancements
• This release shows improved performance when handling large numbers of email and web protection rules and terms used in classifications.
• McAfee DLP Prevent can perform cryptographic operations in a way that is compliant with FIPS 140-2. The option to enable FIPS 140-2 is located in the General category of the DLP Prevent Server product in the Policy Catalog.
• McAfee DLP Prevent can limit the hosts that are allowed to send mail to the appliance.
• McAfee DLP Prevent now identifies DLP Manual file classifications set by users.
Resolved issues
The current release of the product resolved these issues. For a list of issues fixed in earlier releases,
see the Release Notes for the specific release.
McAfee DLP Endpoint for Windows client resolved issues
Reference | Issue description
1084751 | Web protection rules now block uploads to OneDrive when using a Google Chrome browser.
1106858, 1171764 | Forwarding emails or cancelling calendar events in Microsoft Outlook now proceed normally; Outlook does not crash.
1127608 | USB devices are no longer blocked when the McAfee DLP Endpoint client is in bypass mode.
1126815 | The McAfee DLP Endpoint client now goes offline when the computer is turned off.
1147516 | Bypass mode timeouts now continue to bypass even when the computer is restarted during a timeout.
1148160, 1128370 | Web post protection rules block Google Drive uploads from browsers.
1151690 | F5 VPN now connects when McAfee DLP Endpoint is installed. The root cause was an issue with the mechanism used to prevent tampering with the McAfee DLP registry keys. The mechanism was changed to prevent it from interfering with the F5 VPN registry keys as well.
1154533 | Discovery OST scans no longer miss sensitive content. The root cause was improperly identifying OST as non-cached. McAfee DLP Endpoint now inspects all relevant registry keys to identify cached accounts.
1160164 | Microsoft Outlook no longer throws random runtime errors when McAfee DLP Endpoint add-ins are enabled.
1164235 | Opening PDF files using Internet Explorer now proceeds normally; Internet Explorer does not crash.
1177242 | fcagchrome.dll and fcagchrome64.dll do not inject in Google Chrome in Device Control mode.
1179101 | Web application content fingerprinting now works in SharePoint.
1179109 | Web post protection rules do not cause Internet Explorer or Chrome to crash.
McAfee DLP extension for McAfee ePO resolved issues
Reference | Issue description
1143599 | Resolves two related issues: Duplicate entries in device parameters are no longer allowed, and the device instance ID text field now accepts 150 characters.
1147650 | The Product properties for DLP Endpoint section on the McAfee ePO System Tree | Systems Information | Products page now displays all properties, not just Product Version, Language, and Hotfix/Patch Version.
1151821 | The PluginUTCTime, PlugDurationInSec, and PluginLocalTime parameters in the McAfee DLP rollup reports can now be accessed in the McAfee ePO Query Builder.
1156646 | Threat events log and Incident List events now match.
1158617 | The McAfee DLP UI for protection rule exclusions no longer locks up when the McAfee ePO language is set to German.
1159123 | Exceptions can now be created for CD/DVD removable storage protection rules.
1159682 | You can now use the comparison Contains when defining a USB device serial number in a device definition.
1174129 | Register Documents uploads now accept file names in Cyrillic characters when the file name begins with a capital letter.
1175169 | Importing dictionaries with UTF8 (double byte) characters now has the same limit as ASCII dictionaries (20,000 entries).
1176240, 1170245, 1176241 | DLP Policy Manager no longer displays policies deleted from the Policy Catalog.
1178434 | Whitelisted URLs can now begin with a number (for example, http://126.com).
1180476 | Network McAfee DLP events in the DLP Incident Manager now display the client IP address correctly.
1180714 | Rule names with quotes (for example, "plug and play" test) can be grouped by rule name in DLP Incident Manager.
McAfee DLP Prevent resolved issues
• Resolves an issue where a web request with no content would be blocked if it was sent immediately after a blocked request. (1181637)
• Passwords that you create for the administrator account can now contain apostrophes. (1174351)
• Registration now allows the custom port specified in the setup wizard to register McAfee ePO with a McAfee DLP Prevent appliance. (1166942)
• A web protection rule that uses the classification is any data (ALL) to analyze data sent by a member of an LDAP group now works correctly. (1164289)
• The score is now calculated correctly for threshold-based dictionaries. (1164092)
• The correct validation algorithm is now used for the Australian Medicare card number pattern. (1159008)
• Addresses some security vulnerabilities by updating OpenSSL and the Linux kernel. For information, see McAfee DLP Prevent Release Notes Hotfix 10.0.101.
Installation instructions
McAfee DLP releases can contain multiple components.
If your McAfee DLP extension is version 9.4.0 or later, you can upgrade directly to 10.0.200. When
upgrading from 9.4.0, you must migrate events by running the incident migration server task.
With large event databases (> several million incidents and operational events), upgrading the McAfee
DLP extension from version 9.4.0 to 10.0.x can take longer than 30 minutes. We recommend not using
any McAfee DLP functionality during the upgrade, because it might result in product errors.
To confirm that the McAfee DLP extension upgrade process is complete, in McAfee ePO go to Menu |
Software | Extensions and verify that the McAfee DLP 10.0.x extension is present.
This release does not include updates to the McAfee DLP Endpoint client for Mac, McAfee DLP Discover
server, McAfee DLP Prevent appliance installation image, or McAfee DLP Prevent for Mobile Email. You
do not need to update these components.
This release does not support upgrading from McAfee DLP Prevent 9.3.4 or earlier.
Type of release | Components
Point release | McAfee DLP extension for McAfee ePO; McAfee DLP Discover server package; McAfee DLP Endpoint client for Microsoft Windows; McAfee DLP Endpoint client for Mac; McAfee DLP Prevent extension for McAfee ePO; McAfee DLP Prevent appliance installation image
Patch release | Patch releases typically update the McAfee DLP extension and one of the McAfee DLP Endpoint clients. Some patch releases include both clients.
Hotfix release | Hotfix releases typically update only the McAfee DLP extension or the McAfee DLP Endpoint client. Sometimes both the extension and a client are released in one hotfix.
Installation of the McAfee ePO extension uses either the McAfee ePO Software Manager or the Software
| Extensions feature.
The recommended installation of the McAfee DLP Endpoint client and the McAfee DLP Discover server
software uses the McAfee ePO infrastructure for deployment to the endpoint computers.
You can also deploy McAfee DLP Endpoint client software to your network using third‑party enterprise
deployment tools such as Microsoft Systems Management Server (SMS).
For information about installing and configuring McAfee DLP products, see the McAfee Data Loss
Prevention Product Guide.
Considerations for upgrading McAfee DLP Prevent
To apply a patch or hotfix, you must first update the McAfee DLP extensions in McAfee ePO, then
reboot the appliance from the .iso file that contains the patch or hotfix.
Task
1. Upgrade the extensions in this order:
   • McAfee Data Loss Prevention extension
   • McAfee DLP Prevent extension
2. Update the install image using a command line session or a utility such as WinSCP to copy the .iso file to /home/admin/upload/iso/.
3. Using a command line session, log on to the appliance as admin.
4. From the appliance console menu, select Upgrade.
5. Select Show the internal install image details to confirm the version.
6. Confirm that the current version of the internal install image has updated to the version you want to install.
7. Select Boot from the internal install image.
8. Select the Full option, then select Yes.
   The appliance restarts and installs, preserving all data.
9. Select Show the internal install image details to confirm the version.
Known issues
For a list of known issues in this product release, see these McAfee KnowledgeBase articles.
• For the McAfee DLP McAfee ePO extension (all products): KB87578
• For McAfee DLP Endpoint: KB87188
• For McAfee DLP Discover: KB87580
• For McAfee DLP Prevent: KB86523
• For McAfee DLP Prevent for Mobile Email: KB87581
Getting product information by email
The Support Notification Service (SNS) delivers valuable product news, alerts, and best practices to
help you increase the functionality and protection capabilities of your McAfee products.
To receive SNS email notices, go to the SNS Subscription Center at
https://sns.secure.intelsecurity.com/signup_login to register and select your product information options.
Find product documentation
On the ServicePortal, you can find information about a released product, including product
documentation, technical articles, and more.
Task
1. Go to the ServicePortal at https://support.mcafee.com and click the Knowledge Center tab.
2. In the Knowledge Base pane under Content Source, click Product Documentation.
3. Select a product and version, then click Search to display a list of documents.
Product documentation
Every McAfee product has a comprehensive set of documentation.
McAfee Data Loss Prevention Release Notes
McAfee Data Loss Prevention Product Guide
McAfee Data Loss Prevention Hardware Guide
McAfee Data Loss Prevention Prevent Quick Start Guide
© 2017 Intel Corporation
Intel and the Intel logo are trademarks/registered trademarks of Intel Corporation. McAfee and the McAfee logo are trademarks/
registered trademarks of McAfee, Inc. Other names and brands may be claimed as the property of others.