McAfee VIRUSSCAN ENTERPRISE 8.7I PATCH 4 - RELEASE NOTES, VIRUSSCAN ENTERPRISE 8.7I Release Note
Release Notes for McAfee® VirusScan®Enterprise 8.7i Patch 4
Thank you for using McAfee software. This document contains important information about the current release. We strongly recommend
that you read the entire document.
Contents
About this release
Rating
Purpose
Improvements
Previous Improvements
Known issues
Resolved issues
Patch 4 resolved issues
Patch 3 resolved issues
Patch 2 resolved issues
Patch 1 resolved issues
Installation instructions
Verifying installation
Removing the patch
Copyright
About this release
Patch Release: 08-26-2010
This release was developed for use with:
VirusScan Enterprise: 8.7i
Detection Definitions (DAT): 6037.0000
Scan Engine: 5.4.00
Make sure you have installed the correct version of the product(s) in this list before using this release.
*This document makes references to the following products as VirusScan Modules:
McAfee® VirusScan® Enterprise for Offline Virtual Images 1.0
McAfee® VirusScan® Enterprise for Offline Virtual Images 2.0
McAfee® VirusScan® Enterprise for use with SAP NetWeaver® platform 1.0
McAfee® VirusScan® Enterprise for Storage 1.0
Rating
McAfee recommends this release for all environments. Patch 4 is considered a High Priority Release. See McAfee Support
KnowledgeBase article KB51560 for information on ratings.
Purpose
This Patch contains a variety of improvements. McAfee has spent a significant amount of time finding, fixing, and testing the fixes in
this release. Please review the Known and Resolved issues lists for additional information on the individual issues. Refer to online
KnowledgeBase article KB65944 at http://knowledge.mcafee.com for the most current information regarding this release.
This document supplements the product Release Notes in the release package and details fixes included in VirusScan Enterprise 8.7i
Patch 4.
Improvements
This release of the software includes the following improvements.
1. Changes were made to the way Run-Time DATs are handled during an update. These changes help the scanners reinitialize and
reload the newer DAT files. When multiple scanners are using the Run-Time DAT files and an update occurs, the first available
system scanner creates a new Run-Time DAT file with a unique name. As other scanners free up their current threads, they then
switch over to the newer Run-Time DAT files.
Note: With this new implementation of the Run-Time DATs, only system level scanners can update the Run-Time DATs. If only
user level scanners are enabled on a system, the Run-Time DATs are not updated on the system and can impact the memory
usage improvements provided by the Run-Time DATs.
Previous improvements
Previous releases of the software include the following improvements.
1. Changes were made to the service startup sequence to have less impact on the system during startup.
2. Improvements were made to the way that the CommonShell scanner interacts with file I/O. This improves performance with onaccess scanners within the product.
3. VirusScan Enterprise 8.7i Patch 2 and later now has the ability to report compliance to the newer versions of Windows Security
Center.
4. The VirusScan Enterprise 8.7i extension has improved support for ePolicy Orchestrator 4.5 with Firefox 3.0 and Internet Explorer
8.0.
5. Several modifications were made to the way that the VirusScan Enterprise system tray icon interacts with the new functionality
of McAfee Agent 4.5.
6. The file extension .txt was added to the SmoothWritesExtension registry value to increase performance in handling text files.
7. Russian language support was added to the VirusScan Enterprise user interface, NAP file, and extension.
NOTE: See items #3 and #4 under Known issues for further information about this topic.
8. The VirusScan Reports extension now has updated queries to show the status of Artemis settings for the on-access, on-demand,
and email scanners.
NOTE: The Artemis status requires VirusScan Enterprise 8.5i Patch 8 or VirusScan Enterprise 8.7i Patch 1 and later to be
installed on the client systems, in order to correctly populate the reports. Refer to McAfee Support KnowledgeBase article
KB53732 for further information on Artemis functionality.
9. The Artemis level settings of the On-Access Scanner is now modifiable via the properties UI, and the equivalent VirusScan 8.7i
NAP and extension included in the Patch package.
NOTE: Because this setting is new with this release of the VirusScan 8.7i NAP and extension, there is no preserved setting upon
check-in of the management package. The ePolicy Orchestrator administrator must update that setting in the policies to match
the current Artemis policy.
10. Several modifications were made to the way VirusScan Enterprise interacts with the operating system on startup, suspend, and
shutdown. These modifications resolve and improve performance issues.
11. Current DAT files are compressed to conserve network bandwidth. Now, changes were made to decompress the DATs during the
AutoUpdate process and leave them in that state, so that scanners do not have to decompress them during initialization of the
scan.
12. The on-demand scanner now uses Windows Priority Control setting for the scan process. This lets the operating system set the
amount of CPU time that the on-demand scanner receives at any point in the scan process. The System Utilization setting in the
On-Demand Scan Properties maps to Windows Priority Control as:
Utilization Priority
10% Low
20%-50% Below Normal
60%-100% Normal
13. The on-access, on -demand, email, and script scanners now use a runtime copy of the DATs. This change has reduced the
memory consumption of affected scanners by having the DATs in a readily available state for the scan engine to load.
NOTE: In some scenarios, the Run-Time DATs are not available. See item #1 under Known issues. Refer to McAfee Support
KnowledgeBase article KB65459 for further information on Run-Time DATs.
14. VirusScan Enterprise functions that request the current version of DATs no longer need to initialize the scan engine to do so. This
prevents excessive CPU spikes during ePolicy Orchestrator properties collection, as well as other functions that poll the DATs.
15. The on-access scanner memory scan function (Processes on enable) has been modified significantly to make it more
comprehensive.
NOTE: The improved functionality can cause a performance impact to the system. See item #2 under Known issues.
16. When a web browser opens a site that is script-intensive, scanning the scripts adds to the delay of loading the page. This Patch
contains new functionality for ScriptScan whitelisting. If the website is a trusted Intranet and/or frequently visited, the new
implementation now allows for the exclusion of that site from script scanning.
NOTE: Refer to McAfee Support KnowledgeBase article KB65382 for further information.
17. The installation packages for patches and reposts were upgraded so that the installation log name, created in the McAfeeLogs
folder, has a dynamically generated name based on the current date and time of the installation. This helps save logs that might
have been overwritten with the previous “backup previous log only” method.
Known issues
Here is a list of known issues that we were aware of at production time.
1. Issue: In some situations, the product switches over to using the normal copy of the DAT files, instead of the Run-Time DATs:
2. Issue: With the improved functionality of the on-access scanner memory scan, lower and middle ranged systems might see a
3. Issue: With the introduction of support for Russian, you might need to remove the previous version of the extension from
4. Issue: McAfee Agent 4.0 Patch 2 and later includes support for displaying status and logs in Russian. Older versions display this
If the McAfee AntiSpyware Enterprise module is installed after VirusScan Enterprise 8.7i Patch 3 is on the system, some of
the new registry settings, which are new for the runtime functionality, were changed back. This resolves itself with a
restart of the McTaskManager service or with a reboot.
If one of the scanners is busy on a large file when the AutoUpdate process posts the revised copy of the DATs, the process
of refreshing the runtime copy of the DATs times out. All scanners use the normal DATs until the next successful update.
The VirusScan Modules* will not use the Run-Time DAT functionality until they receive their next Patch.
performance impact at startup and after a successful AutoUpdate of the engine or DATs. Currently the Process on enable option
is enabled by default on the shipping version of VirusScan Enterprise 8.7i. McAfee recommends that in a managed environment,
disable this option prior to deployment of the Patch, until the impact of memory scanning can be determined for your
environment. It is not possible to maintain both the more comprehensive scanning that comes with Patch 1 and later, and the
former level of scanning. Therefore, only the more comprehensive scan is used.
NOTE FOR CURRENT AND NEW USERS:
The Patch installation does not modify current settings to disable the Process on enable option.
The VirusScan 8.7i NAP and extension that are included with the Patch do change the McAfee Default policy, but do not
modify the My Default policy, or any custom policy settings that were made prior to the check-in of the new
NAP/extension.
The VirusScan Enterprise 8.7i Repost with Patch now installs with the Process on enable option disabled, unless the
Maximum Security option is selected during the installation.
ePolicy Orchestrator before adding the new extension. If you do not, some of the interface might be displayed in the original
language.
information in English by default.
5. Issue: Since VirusScan Enterprise 8.7i Patch 2 and later include the new interface for reporting status to Windows Security
Center, uninstalling the Patch removes this function -- without reintroducing the older expired function. This means that Windows
Security Center does not report VirusScan Enterprise 8.7i being installed until Patch 2 or later is implemented.
6. Issue: When you remove the McAfee AntiSpyware Module, the status in Windows Security Center is not updated.
7. Issue: In deployments of VirusScan Enterprise 8.7i Patch 2 and later with McAfee Agent 4.5, the VirusScan tray plug-in does not
appear until after a restart of the McAfee system tray icon. If VirusScan is uninstalled, the VirusScan tray plug-in is still visible
until a similar restart.
8. Issue: This Patch adds needed support for McAfee VirusScan Enterprise for Offline Virtual Images 2.0, and should not be
removed unless the VirusScan Module is removed first.
9. Issue: The Patch installer included an MSI deferred action to resolve an issue that occurred when attempting to uninstall the
Patch on some newer operating systems. The deferred.mfe file updated the cached MSI of the currently installed VirusScan
Enterprise 8.7i product. If the Patch is included in a McAfee Installation Designer customized package, the deferred.mfe file was
not included, and therefore the Patch might not be able to be uninstalled in some newer operating systems.
10. Issue: If you installed this release interactively and cancelled the installation on a system where a previous Patch was installed,
after the rollback was complete, the previous Patch might no longer report to ePolicy Orchestrator or appear in the About
VirusScan Enterprise window.
11. Issue: Installing the Patch and specifying a log file path using the Microsoft Installer (MSI) switch “/L” did not log to the
specified path. A log file capturing full data was logged to the folder “McAfeeLogs” under the Temp folder.
12. Issue: If Host Intrusion Prevention 6.x or later was installed and disabled prior to installing VirusScan Enterprise, it was
necessary to re-enable Host Intrusion Prevention and disable it again, in order for VirusScan Buffer Overflow Protection to be
properly enabled.
13. Issue: Uninstalling VirusScan Enterprise Patches is possible for computers running Windows Installer v3.x or later. This
technology is not fully integrated for Windows 2000 operating systems, so there is no option to remove the Patch in Add/Remove
programs. See Removing the Patch for instructions on removal via command -line options.
14. Issue: Patches for VirusScan Enterprise 8.7i can only be uninstalled via Add/Remove programs, not via ePolicy Orchestrator.
15. Issue: Due to changes made to the VirusScan Enterprise 8.7 Repost 3 MSI, VirsuScan Enterprise 8.7 patches will not install with
McAfee Installation Designer without an additional configuration step. See McAfee Installation Designer patch configuration under
Installation instructions for instructions on adding a patch to a custom installation package.
Resolved issues
The resolved issues are divided into subsections per Patch, showing when each fix was added to the compilation.
Patch 4 resolved issues
1. Issue: Applications were not being monitored by VirusScan Enterprise Buffer Overflow Protection, which could cause a
performance penalty when the Buffer Overflow Protection feature was enabled for other processes. (Reference: 508049)
Resolution: Changes were made in the way some APIs are monitored for the VirusScan Enterprise Buffer Overflow Protection
implementation, so that processes not being monitored by VirusScan Enterprise Buffer Overflow Protection can be excluded from
evaluation earlier and with less of a performance impact.
2. Issue: VirusScan Task Manager could encounter access violation and crash on exit. Threads were not properly synchronizing on
exit, resulting in access violation. (Reference: 530449)
Resolution: Threads are now being properly synchronized, providing serialized access to common data on exit.
3. Issue: Tasks created by ePolicy Orchestrator were not stopping when set to only run for a specified time. (Reference: 531674)
Resolution: The VirusScan Management Plug-in now uses the correct function call to terminate the task on 64-bit platforms. The
fix provided in this Patch improves the fix provided in Hotfix 537674, which was released 02-19-2010.
4. Issue: An issue can arise during an upgrade from VirusScan Enterprise 8.5i to VirusScan Enterprise 8.7i where the preserved
tasks are deleted after the first reboot. (Reference: 537579)
Resolution: The McAfee Task Manager service no longer attempts to index the tasks during shutdown, which caused the task to
be deleted.
5. Issue: The OutlookScan feature could fail to release an instance of the scan engine that was loaded via EngineServer.exe. This
could lead to symptoms of EngineServer.exe using large amounts of memory, until the service was restarted. (Reference:
539488)
Resolution: The Outlook UI library now properly releases the engine instance on exit of Outlook.
6. Issue: VirusScan events received by ePolicy Orchestrator may fail to be processed by the Event Parser. Unexpected characters in
the event caused an error to be logged by the Event Parser, and the event to remain in the events folder on the server.
(Reference: 539709)
Resolution: The CommonShell library has been updated to replace invalid characters to be changed to a question mark in order
to be successfully received by ePolicy Orchestrator.
7. Issue: Users were unable to save an Alert Policy change if all options were disabled. (Reference: 539933)
Resolution: User can now save policies after deselecting all components that generate alerts. Users also can use the
checkboxes and drop-down options on the Additional Alerting Options tab after deselecting all components that generate alerts.
8. Issue: Certain German cookies were causing on-demand scans to appear to hang during the Cookie Scan. (Reference: 542698)
Resolution: The commonshell library better handles reparse points that are being checked while walking through profiles folders
for cookies.
9. Issue: The On-Delivery Email Scan Policies Report tab was missing descriptive text for dialog boxes. (Reference: 544855)
Resolution: 'Maximum log file size:' and 'MB' descriptive text has been added to the On Delivery Email Scan Policies Report tab.
10. Issue: When using McAfee Installation Designer to configure the Artemis setting for email scanning, the value was being read
and written to the regular location under HKLM registry key. (Reference: 547056)
Resolution: The value is now correctly read and written to the temporary MID key under HKCU. This allows the value to be
correctly saved when McAfee Installation Designer generates the settings for custom packages.
11. Issue: No event XML files were being generated for event IDs 1087 and 1088. (Reference: 547867)
Resolution: XML files will now be created for event IDs 1087 and 1088 and will be seen in the AgentEvents folder.
12. Issue: In certain circumstances, the extra460575.rul that controls the Access Protection rule "Prevent Termination of McAfee
Processes" was incorrectly placed on 32-bit systems and improperly removed on 64-bit systems. (Reference: 549354)
Resolution: The MSP Patch installer now checks for the existence of the file and corrects any invalid states.
13. Issue: Invoking an on-demand scan on a folder that is a part of a Symbolic or Junction Link results in an indefinite on -demand
scan estimation/scanning time. (Reference: 551494)
Resolution: On-demand scan estimation function now handles Symbolic and Junction Links properly.
14. Issue: VirusScan Task Manager could leave runaway threads when exiting. The runaway threads created high CPU situations
that could make servers unresponsive. (Reference: 552611)
Resolution: This issue has been corrected by ensuring no runaway threads are left behind on exit.
15. Issue: Artemis sensitivity level pull-down menu for the default on-demand full scan was diabled (grayed out) periodically.
(Reference: 552834)
Resolution: Artemis sensitivity level pull-down menu is now always enabled and not grayed out in the On-Demand Full Scan
Loading...