Release Notes for McAfee Vulnerability Manager 7.0.0

About this document

Thank you for using McAfee® Vulnerability Manager® 7.0.0. This document contains important information about this release. We strongly recommend that you read the entire document.
NOTE: The McAfee Foundstone product is now known as McAfee Vulnerability Manager. For this release, some portions of the product retain the Foundstone label.

New and updated features

New and updated features in the current release of the software are described below:

Web application scanner

The web application scanner provides a scan configuration, vulnerability checks, and scan reports for web applications. Using a web application scan configuration, you can set the entry URL, paths to include or exclude, and parameters to exclude during a web application scan.

The web application scanner searches for vulnerabilities and weaknesses in the web code that could lead to an exploit. For example, web sites that have forms that require users to enter information or use databases as back-end repositories may be directly exploited through mechanisms such as SQL injection, where a URL request with specific text could allow direct access to the SQL database.

The web application scanner requires the appropriate license.

Remediation is now Ticketing

The Remediation feature in McAfee Vulnerability Manager is now called Ticketing, which describes the feature more accurately. Tickets can be viewed by asset, by vulnerability, by user, or all at once. Ticketing also provides a Ticket Summary email, which sends each user summary information about all of their tickets that have changed.

Scan controller service

The scan controller provides the communication between the scan engine and the database. If you have multiple scan engines running simultaneous scans, you might need multiple scan controllers.

Scan engine timezone

When configuring a scan and scheduling a time, you can select to use the timezone of the scan engine or select a local timezone.

Platform enhancements

New operating systems:
  • Microsoft Windows Server 2003 64-bit
  • Microsoft Windows Server 2008 R2 64-bit
    NOTE: Microsoft Windows Server 2008 is not supported.
New virtualization platforms:
  • VMware Workstation 7.0
  • VMware vSphere 4.0
New database support:
  • Microsoft SQL Server 2008 64-bit
  • Microsoft SQL Server Express 2008 64-bit
New browser support:
  • Microsoft Internet Explorer 7
  • Microsoft Internet Explorer 8

License usage displayed in the UI

The license usage manager shows the valid dates for your license, license usage (license allowance, active IP address usage, and web application usage), licensed IP ranges, and the McAfee Vulnerability Manager components the user is licensed to use.

PCI enhancements

By adding the web application scanner, McAfee Vulnerability Manager can scan for SQL injection and cross-site scripting vulnerabilities.

The PCI reports have been updated to be PCI DSS compliant. PCI reports include sorting vulnerabilities by CVSS score, scan configuration and scan summary sections, and a false-positive appendix.

SSH key collection

In previous releases, SSH key collection was done using the configuration manager. SSH key collection is now part of a scan configuration: when creating a scan configuration, on the Settings tab, under Optimize, select the Perform SSH Key Collection checkbox. When this option is selected, McAfee Vulnerability Manager collects the SSH keys available on the scan targets during the scan. After the SSH keys are collected, you can go to the asset management page and mark the asset as trusted.

Known issues

Known issues in this release of the software are described below:

Installation and upgrade issues


  • Installation fails when trying to install the McAfee Vulnerability Manager database on a system running .NET 4.0. Remove .NET 4.0 before installing McAfee Vulnerability Manager. (589403)
  • After an upgrade, verify that any custom port settings are properly configured. (566910, 556664)
  • During an upgrade, once you click Install, you cannot cancel the installation process and roll back to the previously installed version. (561651)
  • When installing the scan controller as the only component on a system, typing in a custom port number does not work and the default port is used. Use the following steps to change the port number for the scan controller. (558157)
    1. Open the Registry Editor.
    2. In Microsoft Windows 2003, go to HKEY_LOCAL_MACHINE\SOFTWARE\Foundstone\FSScanCtrl. In Microsoft Windows 2008 R2, go to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Foundstone\FSScanCtrl.
    3. Double-click Port.
    4. Select Decimal.
    5. Type the port number for the scan controller.
    6. Click OK.
  • When installing on a 64-bit operating system, the database name is not automatically added to the database field on the Database Administrator page. You must type in the database name or the instance name. (557952)
  • When adding components, like a scan engine or scan controller, make sure the time on all systems is correct. If the time is not correct, SSL certificates might be out of synchronization and components might not connect properly. (580831)
  • When installing on Microsoft Windows 2008 R2, a message might appear stating the current security policy setting will not allow credentialed scanning of Windows 2000 and earlier hosts. For more information, refer to McAfee Knowledge Base article KB 54661. (575241)
  • When upgrading, multiple active sessions on the server can cause the upgrade to fail. You can close all running McAfee Vulnerability Manager components using the Task Manager or you can restart the server. (586528)
  • When upgrading scan engines, a scan controller is automatically selected during the upgrade process. If you choose to deselect the scan controller from the scan engine upgrade and connect the scan engine to a scan controller on another system, the scan engine might not communicate with the scan controller. Use the following steps to resolve this issue.
    1. Open the configuration manager.
    2. Expand Foundstone Systems and select the scan controller.
    3. Click Edit.
    4. Select Any from the IP Address list.
    5. Click OK.
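The scan controller port fix above (issue 558157) as an added PowerShell example; this is not McAfee's own tooling. It assumes the DWORD value named Port under the two registry paths the notes give (the Windows 2008 R2 path under Wow6432Node), picks whichever key exists, and adds a port-in-use check that is not part of the documented steps.

```powershell
# Added example, not McAfee's own tooling: set the scan controller port in the
# registry when the installer ignores a custom port (issue 558157).
# Assumes the DWORD value "Port" under the two key paths the release notes give;
# the Windows 2008 R2 path uses Wow6432Node. Run from an elevated prompt.
param(
    [Parameter(Mandatory = $true)]
    [ValidateRange(1, 65535)]
    [int]$Port
)

$candidates = @(
    'HKLM:\SOFTWARE\Foundstone\FSScanCtrl',              # Windows 2003
    'HKLM:\SOFTWARE\Wow6432Node\Foundstone\FSScanCtrl'   # Windows 2008 R2
)

# Use whichever key actually exists instead of guessing from the OS version.
$keyPath = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $keyPath) {
    throw 'Scan controller registry key not found. Is the scan controller installed on this system?'
}

$current = (Get-ItemProperty -Path $keyPath -Name 'Port' -ErrorAction SilentlyContinue).Port
Write-Host ("Registry key : {0}" -f $keyPath)
Write-Host ("Current port : {0}" -f $(if ($null -ne $current) { $current } else { '<not set>' }))

if ($current -eq $Port) {
    Write-Host 'Port is already set to the requested value; nothing to change.'
    return
}

# Extra check, not part of the documented steps: refuse a port that another
# process is already listening on, so the controller does not fail to start.
$listening = netstat -ano -p TCP | Select-String -Pattern ("^\s*TCP\s+\S+:{0}\s+\S+\s+LISTENING" -f $Port)
if ($listening) {
    throw "TCP port $Port is already in use on this system: $($listening.Line.Trim())"
}

# The manual steps select Decimal in the registry editor, so Port is a DWORD;
# keep that type when writing the new value.
Set-ItemProperty -Path $keyPath -Name 'Port' -Value $Port -Type DWord
$verified = (Get-ItemProperty -Path $keyPath -Name 'Port').Port
if ($verified -ne $Port) { throw "Registry write did not take effect (read back $verified)." }
Write-Host ("Port set to {0}. Restart the scan controller service so it binds to the new port." -f $Port)
```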

Scan and scan configuration issues


  • Scanning two or more assets with the same NetBIOS name using the same scan configuration can cause tickets generated for discovered vulnerabilities to be automatically closed. If two or more assets share the same NetBIOS name, all scan data is reconciled to one asset. If one asset has vulnerabilities and the second asset does not, tickets generated by the first asset are automatically closed because those vulnerabilities were not found on the second asset. To avoid this, use asset tagging to identify each asset as unique, avoid including assets with duplicate NetBIOS names in your scan configurations, or create a ticketing rule that matches assets based on NetBIOS name and MAC address. (483964)
  • When scanning web applications with different scan configurations, make sure the same URL is used in all scan configurations. A URL, an IP address, and a URL with an added path are each considered a separate asset in McAfee Vulnerability Manager, and each uses a web application license. Tickets are generated for each asset, even if the assets resolve to the same host. (569081)
  • When removing Informational Crawl-Only vulnerabilities from an Informational Web Crawl scan configuration, the web application vulnerabilities are listed in different vulnerability categories. So deselecting the web application vulnerability in one category does not remove it from the scan configuration. To remove a web application vulnerability from a scan configuration you must deselect it from all categories before saving the scan configuration. (589747)
  • When McAfee Vulnerability Manager is installed on a system running Microsoft Windows Server 2008 R2, scanning an asset running Microsoft Windows 2000 does not use the credentials in the scan configuration. This is caused by a security setting in Microsoft Windows Server 2008 R2. These security settings do not allow Windows Server 2008 R2 to communicate with Windows 2000. Refer to the Microsoft Knowledgebase for solutions. (575241)
  • When creating a PCI scan configuration, select the Reports tab before saving the scan configuration. Skipping the Reports tab when creating a PCI scan configuration will result in a vulnerability report being generated, not a PCI compliance report. (589658)
  • During a web application scan, any errors that occur on the logon page might return a Not Challenged result. For example, the logon was successful but the logon page redirects to a page that is not accessible. (581201)
  • When creating a web application scan configuration, selecting a credential set and manually typing credentials might result in only some of the credential names appearing in the User Credentials Used section of the report. (589780)
  • If the organization administrator tries to create a new scan by right-clicking in the Name/Description pane (right pane) of the Users/Groups page, an error message displays stating the user does not have sufficient access rights to create a scan. Create a new scan by right-clicking in the organization tree (left pane). (587306)
  • When scheduling a scan configuration and selecting a timezone, if the user's system is not set to the correct local time, the local time in the timezone drop-down box might be incorrect. (572869)
  • If Use Asset Settings is selected in a web application scan, no web configuration settings are displayed in the Scan Configuration History section of the report. (565580)
  • When using form authentication in a web application scan, form authentication might be applied to any page with a form, not just the pages assigned in the scan configuration. (588696)
  • When running a scan with Perform SSH Key Collection enabled, the scan status is not properly updated. The scan status might remain at zero for the duration of the scan and then update to 100%. (586629)

Report issues


  • If you receive a report generation fail message when creating a large report, the issue could be with the upload limit in IIS 7.5. By default, IIS 7.5 limits the upload to 30 MB. When installing McAfee Vulnerability Manager, this limit should be increased to 300 MB. In some installation scenarios, the larger upload limit is not set. If your reports are not appearing in the enterprise manager after the scan completes, you can either retrieve the compressed report files from the report server or you can manually increase the IIS 7.5 upload limit. (580626, 589314)
    1. Open the Server Manager on the system running the enterprise manager.
    2. Under Roles, select Web Server (IIS).
    3. Expand Web Server (IIS) and select Internet Information Services (IIS) Manager.
    4. Under Connections, select the web server you want to update.
    5. Under IIS, double-click Request Filtering.
    6. Right-click and select Edit Feature Settings.
    7. Change the Maximum allowed content length to 300 MB (300000000).
    8. Click OK.
  • The configuration manager allows you to change the maximum number of concurrent reports being generated. The default setting is 2. Increasing this number might cause report generation to fail. Reduce the maximum number of concurrent reports being generated or accept the default setting. (551095)
  • The severity ratings for the vulnerabilities in the PCI Vulnerability chart might be different from the severity ratings for the vulnerabilities in the table below the chart. The severity ratings for the vulnerabilities in the table come from the FoundScore risk rating, and might be different from the PCI risk rating. (589757)
  • The FoundScore might not appear on the Risk By Foundscore View in a dashboard report if there is only one scan run in an organization or workgroup. (589734)
  • When generating large reports with all report types selected (CSV, HTML, PDF, and XML), the reports might be too large to post to the enterprise manager. If your reports are not appearing in the enterprise manager after the scan completes, retrieve the compressed report files from the report server. (589314)
  • If you see an Error - Unknown Error message while trying to save an asset report template, check the date and time on the Generation tab. A date and time set in the past will cause this error. (588639)
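The IIS 7.5 upload-limit procedure above (issues 580626, 589314) as an added PowerShell example; this is not McAfee's own tooling. It assumes the WebAdministration module that ships with IIS 7.5, an elevated prompt on the enterprise manager system, and applies the setting server-wide as the manual steps do.

```powershell
# Added example, not McAfee's own tooling: check the IIS 7.5 request-filtering
# upload limit on the enterprise manager and raise it to 300 MB (300000000,
# the value in the manual steps) when it is lower (issues 580626, 589314).
# Assumes the WebAdministration module that ships with IIS 7.5 and an elevated
# prompt; the setting is applied server-wide (APPHOST), like the manual steps.
Import-Module WebAdministration

$Required = 300000000
$Filter   = 'system.webServer/security/requestFiltering/requestLimits'
$PsPath   = 'MACHINE/WEBROOT/APPHOST'

# IIS 7.5 uses 30000000 bytes (about 30 MB) when maxAllowedContentLength is absent,
# which is the limit that makes large report uploads fail.
$attr    = Get-WebConfigurationProperty -PSPath $PsPath -Filter $Filter -Name 'maxAllowedContentLength'
$current = [int64]$attr.Value
Write-Host ("Current maxAllowedContentLength: {0} bytes ({1:N1} MB)" -f $current, ($current / 1000000))

if ($current -ge $Required) {
    Write-Host 'Upload limit is already large enough for report posting; nothing to change.'
    return
}

Set-WebConfigurationProperty -PSPath $PsPath -Filter $Filter -Name 'maxAllowedContentLength' -Value $Required

# Read the value back so a silent failure (for example, a locked section) is not missed.
$verified = [int64](Get-WebConfigurationProperty -PSPath $PsPath -Filter $Filter -Name 'maxAllowedContentLength').Value
if ($verified -ne $Required) {
    throw "Expected $Required but IIS reports $verified; check whether requestFiltering is locked in applicationHost.config."
}
Write-Host ("maxAllowedContentLength raised to {0} bytes. Re-run report generation to confirm reports now post to the enterprise manager." -f $Required)
```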

Enterprise manager issues


  • The workgroup administrator cannot see web application configurations in use from a configuration created by the organization administrator. When an organization administrator creates a web application configuration and makes it available to workgroup administrators, the assets or scan configurations associated with this web application configuration are not visible to the workgroup administrators. Only the organization administrator can view which assets and scan configurations are associated with the web application configuration, since multiple workgroups could be using it, and that information should not be accessible to other workgroups. (589931)
  • Trying to remove an asset from a group using the Remove from Group feature might not work. If the Remove from Group feature does not work, then move the asset to the root organization. (590250)
  • Selecting a scan from the drop-down list from a dashboard page might cause an invalid checksum error in the enterprise manager. Click the Back button in your web browser to return to the enterprise manager. (589181)
  • Importing CIDR formatted IP addresses from a file only works when adding IP addresses to a scan configuration. In other areas, like creating an asset filter in an asset template or importing into an organization or workgroup, trying to import CIDR formatted IP addresses from a file does not work. (588924, 514838)
  • When trying to create a group with an existing name, the new group is not created and no message displays that the name is already in use. (580879)
  • If communication settings between components are changed (like the enterprise manager and report server), users that were logged on before the changes were made will experience failures in the enterprise manager until they log out and then log on again. (555725)
  • Turning off SSL means session cookies will be transmitted unsecured. Using SSL is recommended. (551733)

Scan engine and scan controller issues


  • The scan controller is a new component for McAfee Vulnerability Manager 7.0. If you are upgrading and a Scan Engine cannot communicate with any Scan Controller warning message appears in the configuration manager, you must manually assign a scan controller to the scan engine. (589928)
  • After upgrading a FS-850 scan engine from Foundstone 6.5 to McAfee Vulnerability Manager 7.0, the scan engine still shows that port 3800 is open for FoundScan. The FoundScan console is no longer used by McAfee Vulnerability Manager. Even though port 3800 is listed as open in the Remote Method Invocation (RMI), port 3800 is not open. (590067)
  • When the global administrator assigns a scan engine to an organization, the scan engine also appears in the workgroups. The organization administrators must make sure the scan engine is properly assigned within their organization. (587688)
  • If a scan engine is assigned to multiple organizations, the scan engine cannot be unassigned from any organization if the scan engine is in use. (587469)

Ticketing and notification issues


  • When email notifications are enabled for the organization administrator, the scan started email notification might not display the IP range. (589932)
  • When the organization administrator assigns a ticket to a user and then the user updates the ticket (like marking as false positive or complete), the ticket due date might be changed to 01/01/1970. (583897)
  • When installing McAfee Vulnerability Manager, the organization administrator account is created with only the logon information. If you enable email notifications, the organization administrator account settings must be updated to include an email address. (531535)

Documentation issues


  • The Product Guide is missing a topic about trusting shell targets. When a scan engine cannot authenticate to an untrusted shell target, the scan will fail and an error message appears in the Application Status. The product does allow you to trust unknown remote-shell targets, but this is not recommended for security reasons. If you trust unknown shell targets, you could provide root user authentication to the wrong person. The following workflow is recommended for trusting shell targets.
    1. Create a discovery scan and add shell targets.
    2. On the Settings tab, select Optimize.
    3. Select Perform SSH Key Collection.
    4. Complete the scan configuration and run the scan.
    5. After the scan completes, select Manage | Assets.
    6. Select the shell assets you want to mark as trusted systems. You can select a single asset, or use the Ctrl key or Shift key to select multiple assets on the page.
    7. Right-click and select Mark as Trusted. If you need to remove an asset from the trusted list, right-click the asset and select Remove Trust.
    8. Create a vulnerability scan, add your trusted shell targets, and include shell credentials.

Other issues


  • After recreating SSL certificates, SSL connection errors will appear in the log file while the new certificates are distributed and installed. (587790)
  • When importing data from another McAfee Vulnerability Manager 7.0 database using data synchronization, the workgroup administrator role might not be imported. To create a new workgroup administrator, you must create the administrator role for the workgroup. (587254)
  • After a data synchronization completes and a Completed with Errors message displays, run the data synchronization again. (587328)
  • The system running FSUpdate must have SQL Client Tools installed for the update to function properly. If you are manually downloading and applying the update, it must be done on the system running the scan controller. (573265)

Resolved issues

Issues from previous releases of the software that are resolved in this release are listed below.


  • Issue: When importing IP addresses from a text file into a scan configuration, any IP address using the CIDR format (for example, 123.45.67.89/24) causes an error and the IP addresses are not imported.

    Resolution: Importing CIDR formatted IP addresses from a text file into a scan configuration now functions properly.

Finding product documentation

McAfee provides the information you need during each phase of product implementation, from installing to using and troubleshooting. After a product is released, information about the product is entered into the McAfee online KnowledgeBase.

For option definitions, click ? in the interface.

  1. Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com.
  2. Under Self Service, access the type of information you need:
     For user documentation:
       1. Click Product Documentation.
       2. Select a Product, then select a Version.
       3. Select a product document.
     For the KnowledgeBase:
       • Click Search the KnowledgeBase for answers to your product questions.
       • Click Browse the KnowledgeBase for articles listed by product and version.

License attributions


COPYRIGHT

Copyright © 2010 McAfee, Inc. All Rights Reserved.

No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

TRADEMARK ATTRIBUTIONS

AVERT, EPO, EPOLICY ORCHESTRATOR, FLASHBOX, FOUNDSTONE, GROUPSHIELD, HERCULES, INTRUSHIELD, INTRUSION INTELLIGENCE, LINUXSHIELD, MANAGED MAIL PROTECTION, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, MCAFEE.COM, NETSHIELD, PORTALSHIELD, PREVENTSYS, PROTECTION-IN-DEPTH STRATEGY, PROTECTIONPILOT, SECURE MESSAGING SERVICE, SECURITYALLIANCE, SITEADVISOR, THREATSCAN, TOTAL PROTECTION, VIREX, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.

LICENSE INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANIES YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEB SITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.