About this document
Thank you for choosing this McAfee product. This document contains important information about the current release. We strongly recommend that you read the entire document.
CAUTION: We do not support the automatic upgrade of a pre-release software version. To upgrade to a production release of the software, you must first uninstall the existing version.
New features
Here is a list of new and updated features included with this release of the product.
What's new
IPS
- New features for the IPS Options policy:
  - Startup protection: Protection at start-up before the IPS services have started
- New features for the IPS Rules policy:
  - Exceptions based on IP address for Network IPS signatures
  - Trusted networks for both IPS signatures and firewall rules
  - Executable matching for applications is now by path, hash, digital signature and file description for signatures and exceptions instead of path only
Firewall
- New features for the Firewall Options policy:
  - TrustedSource rating and blocking: Firewall rules block or allow incoming or outgoing traffic according to McAfee TrustedSource ratings
  - IP spoof protection: Firewall rules block outgoing traffic when the local IP address isn't one of the local system's IP addresses, and when a local MAC address is not a VM guest MAC address
  - Bridged VM support: Firewall rules allow traffic with a local MAC address that is not the local system's MAC address but is one of the MAC addresses in the range of supported VM software
  - Startup protection: Firewall rules block all incoming traffic before the firewall services have started
- New features for the Firewall Rules policy:
  - Firewall rules are much more flexible: A single rule can now contain multiple applications (previously only one), multiple networks (previously only one), a local network and a remote network (previously only a remote network), and VPN media type in addition to wired and wireless
  - Connection-Aware Groups are now simply firewall groups that have location information and schedules with timed access for connections associated with them
  - Executable matching for applications is now by path, hash, digital signature and file description for firewall rules instead of path and hash only
- Additional firewall policy: Firewall DNS Blocking that consists of a set of domain name patterns that are to be blocked. This policy replaces the Domain Rule that blocked DNS resolution for user-specified domain names
General
- Application Blocking policies removed and their functionality replaced by two content signatures in the Host IPS Rules policy
- Firewall Quarantine policies removed
- New Host IPS Catalog to organize and enable reuse of common policy components among policies, particularly firewall groups, rules, locations, executables, and networks
- Single standard set of wildcards used throughout the product
- Logs located in a common folder, with some logs simplified for easier reading
Platform support
- Full feature parity across 32- and 64-bit Windows platforms
- Added: Windows 7; SUSE Linux 10 SP3, SUSE Linux 11; Solaris Zone support
- Removed: Windows 2000, Solaris 8, and SUSE Linux 9
SQL support
- Added: SQL 2005, SQL 2008
- Removed: SQL 2000
Extension/client functionality
- Two versions of Host Intrusion Prevention 8.0: a firewall-only version and a full version containing both firewall and IPS protection
- Host IPS extension compatibility with ePolicy Orchestrator versions 4.0, 4.5, and 4.6
- Ability to install the Host IPS 8.0 extension in ePolicy Orchestrator even with earlier versions of Host IPS installed
- Host IPS 8.0 extension manages only Host IPS 8.0 clients; it cannot support previous client versions
- Both IPS and firewall protection are disabled on the client after initial installation and require the application of a policy to enable them
- On all platforms, upgrade from evaluation version to licensed version from ePolicy Orchestrator without reinstalling a client
Known issues
Here is a list of known issues that we were aware of at production time.
To view an updated list of issues associated with this release, see KnowledgeBase article 69184 at http://knowledge.mcafee.com.
Host Intrusion Prevention Extension
- Issue — If the option "Include local subnet automatically" is selected in an assigned Trusted Networks policy and an HTTP or Network IPS event is triggered from a remote system on the local subnet, the remote IP address is reported as trusted in the IPS event details only if the remote IP address is explicitly included in the Trusted Networks policy. (521370)
- Issue — Location matching in a firewall rules group can take up to 20 seconds when a new registry value with data is created for the group. (549386)
- Issue — The Firewall DNS Blocking policy doesn't currently support localized domain name matching. (577640)
- Issue — For custom signatures, exceptions and trusted applications, the code for application paths for remote process and system process should contain brackets:
  - Remote Process match--path <SystemRemoteClient>
  - System Process match--path <System>
  For example: Executable { Include { -path <SystemRemoteClient>} (566890)
- Issue — When the firewall is in adaptive mode, ICMP traffic is blocked and an allow rule is not created. Workaround — Apply the Typical Corporate Sample Firewall rules policy because it already contains ICMP rules. (489628)
- Issue — If both Host IPS 7.0 and Host IPS 8.0 extensions are installed, and version 8.0 is removed, purging of Host IPS 7.0 events fails on ePolicy Orchestrator 4.0 and 4.5. Workaround — Reinstall the Host IPS 8.0 extension that was removed. (578166)
Host Intrusion Prevention Windows Client
- Issue — On Windows Vista and Windows 7, the repair option is not available for Host Intrusion Prevention in the Add/Remove Programs control panel. Workaround — For repairs on these operating systems, run either of these commands:
  - For 32-bit version: msiexec.exe /fvomus {6B005DF6-6B6E-4551-B632-B0001DF50499} /l*v %windir%\Temp\McAfeeLogs\hip8.0_repair.log
  - For 64-bit version: msiexec.exe /fvomus {D2B9C003-A3CD-44A0-9DE5-52FE986C03E5} /l*v %windir%\Temp\McAfeeLogs\hip8.0_repair.log
  (573713)
- Issue — The Host Intrusion Prevention client occasionally fails to restart after an update. Workaround — If the message "Failed to initialize Scrutinizer" is written to both the HIPShield log and the Windows event log and a "Failure stage: initialization - Agent Terminated" System Event is generated, restart the client system.
- Issue — Installing on Windows XP sometimes treats Host Intrusion Prevention drivers as unsigned. Please see the description and resolution of this issue in Microsoft Knowledge Base Article 822798. Alternatively, clicking "Continue" in the resulting dialog boxes will allow the software to be installed correctly. (593237)
- Issue — HTTP service restarts if it is running when a Host IPS client is installed. (361247)
- Issue — If you remove the client software from a system, then reinstall it, you must restart the client system. (583322)
- Issue — IPS alert messages and client exceptions list target executables without mention of any standard executable used to open the target executable. The exception includes the union of the two executables, but details appear on the details tab of the exception on the Host IPS tab under Reporting on the ePO server. (590152)
- Issue — Host IPS SQL engine does not report remote IP addresses. (591986)
- Issue — A dynamic IP Spoof rule created to block traffic associated with an application is deleted if the "Retain existing client rules" option is not selected in the Firewall Options policy. Workaround — Select the "Retain existing client rules" option in the Firewall Options policy. (590775)
Content
- Issue — Microsoft Office XP executables are not protected with the Host Intrusion Protection 8.0 content package released with the beta version.
- Issue — Microsoft SQL server engine does not work on Windows 2008 64-bit platforms.
- Issue — Duplicate entries for McAfee applications appear in the Application Protection Rules list. These duplicates will be eliminated in a future release and do not affect the operation of the product.
- Issue — Some signatures for unsupported versions of Microsoft SQL Server appear in the IPS Rules policy in this release. These will be eliminated in a future release.
- Issue — Any system that triggers a NIPS signature is blocked by a target system even if the setting "Automatically block attacker for x minutes" is disabled. Workaround — Minimize the effects of this issue by setting the number of minutes to "1."
- Issue — Some triggered IPS signatures set to "Low" or "Informational" do not appear in the client console.
- Issue — When upgrading the 7.0 Client to version 8.0, application instability and false positive alerts for signature 432 might occur. Workaround — Create an exception in the Host IPS 8.0 IPS Rules policy for signature 432, setting the File description of a Caller Module executable to HIPSCORE INJECTED STUB. (583604)
- Issue — When upgrading the 7.0 Client to version 8.0, Windows Update might fail. Workaround — Create an exception in the Host IPS 8.0 IPS Rules policy for signature 1003, setting the File name of a Target executable to SVCHOST.EXE. (584986)