McAfee Endpoint Security (ENS) 10.6 release news

 


https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/27000/PD27781/en_US/ens_1060_rn_ePOCloud_0-00_en-us.pdf

 

McAfee ENS 10.6 now supports the Microsoft Antimalware Scan Interface (AMSI), which Microsoft has been recommending to antivirus vendors since 2016. Microsoft APIs of this kind have always been a source of discussion, and sometimes of false positives, and with every antivirus vendor this is a point where Microsoft and the product makers seem to have different views. The same goes for the virus scanning API, the backup and snapshot APIs you know from backup software, and the VSS API (row order) stories.

2016: AMSI at Black Hat

https://www.blackhat.com/docs/us-16/materials/us-16-Mittal-AMSI-How-Windows-10-Plans-To-Stop-Script-Based-Attacks-And-How-Well-It-Does-It.pdf

2018: AMSI from the developer side, and what it has and has not achieved regarding PowerShell

https://www.blackhat.com/docs/asia-18/asia-18-Tal-Liberman-Documenting-the-Undocumented-The-Rise-and-Fall-of-AMSI.pdf

 

Here is the AMSI option in the On-Access Scan rule. By default it is in report-only mode: detections are logged but the script is not blocked.
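Because the ENS AMSI option only reports by default, it is worth checking on an endpoint that AMSI is actually wired in and that a scan hit is visible. The script below is an added example, not code from McAfee or the release notes: it lists the AMSI providers registered in the registry (the HKLM\SOFTWARE\Microsoft\AMSI\Providers key and the CLSID lookup are standard Windows locations) and then submits the Microsoft-documented AMSI test string through Invoke-Expression. The function names are this example's own.

```powershell
# Added example (not McAfee code). Run in an elevated PowerShell on a
# Windows 10 / Server 2016 or later endpoint.

function Get-AmsiProvider {
    # Every registered AMSI provider appears as a subkey named by its COM CLSID.
    $providersKey = 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'
    if (-not (Test-Path $providersKey)) {
        Write-Warning 'No AMSI providers key found: AMSI is not available on this OS build.'
        return
    }
    Get-ChildItem -Path $providersKey | ForEach-Object {
        $clsid  = $_.PSChildName
        $clsKey = "HKLM:\SOFTWARE\Classes\CLSID\$clsid"
        # (default) of the CLSID key is the provider's display name,
        # InprocServer32 (default) is the DLL the AMSI runtime will load.
        $name = (Get-ItemProperty -Path $clsKey -ErrorAction SilentlyContinue).'(default)'
        $dll  = (Get-ItemProperty -Path "$clsKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        [pscustomobject]@{ CLSID = $clsid; Name = $name; Dll = $dll }
    }
}

function Test-AmsiScan {
    # Microsoft's AMSI test sample string: any provider that honours it should
    # flag this script content. In report-only mode the string still executes,
    # but the provider logs a detection; in block mode PowerShell refuses to run it.
    $testString = 'AMSI Test Sample: 7e72c3ce-861b-4339-8740-0ac1484c1386'
    try {
        Invoke-Expression "Write-Output '$testString'" | Out-Null
        return 'Test string executed: not blocked (report-only mode, or AMSI not hooked). Check the ENS event log for the detection.'
    } catch {
        # PowerShell raises ScriptContainedMaliciousContent when a provider blocks.
        return "Blocked by an AMSI provider: $($_.Exception.Message)"
    }
}

# Usage
Get-AmsiProvider | Format-Table -AutoSize
Test-AmsiScan
```

If Get-AmsiProvider returns nothing but the built-in provider, the ENS AMSI option is not active on that host regardless of the policy setting; if Test-AmsiScan reports "not blocked" and no event shows up in ENS, the policy is still in report-only mode or the client has not yet picked it up.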

There are some fileless PowerShell attacks that AMSI cannot catch (as discussed in the Black Hat 2016 PDF linked above), but some of those are caught separately by ENS with the Exploit Prevention (IPS) module that has been included in ENS since 10.x. 10.6 also adds a new rule to detect Process Doppelgänging.

Sample of one of the IPS rules that ENS would trigger on (mentioned in the 2018 Black Hat analysis) > non-AMSI

 

Update from 10.x to 10.6

The update from 10.5.4 to 10.6 should be seamless. In certain cases, if you have the additional ATP/TIE module active, it can stall; McAfee released a special package for that case. We assume that in these ransomware days everyone is on the latest release, or at least 10.5.3 if not 10.5.4, before they upgrade.

Here the ATP module update stall when updating to 10.6 is described (if you don't have TIE or DAC you don't have this module):

 

https://kc.mcafee.com/corporate/index?page=content&id=KB90664

ePO management and packages of 10.6

From the ePO management side this update looks very clean, after all the patch and Current/Previous/Evaluation repository mess with 10.x. There is just ONE bundle you need, and after that you can upgrade the Endpoint Migration Assistant to check your environment and whether you can update seamlessly. You should, however, reboot the client as recommended in the release notes.

Screenshot: this is all ePO shows under "ENS 10.6"

Extract from:

https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/27000/PD27781/en_US/ens_1060_rn_ePOCloud_0-00_en-us.pdf