Loading...

Knowledge Center


Important information about the 6000 Anti-Malware Scan Engine update for Endpoint Security
Technical Articles ID:   KB88809
Last Modified:  10/19/2018
Rated:


Environment

McAfee Endpoint Security (ENS) Threat Prevention 10.x
McAfee Anti-Malware Scan Engine (Scan Engine) 6000 update for ENS 10.x

Summary

This article contains information about the 6000 Scan Engine release schedule for ENS 10.x endpoints, and instructions on how to evaluate V3 DAT packages containing this engine during the beta and elective update periods.

6000 Scan Engine Improvements
The 6000 Scan Engine includes the following improvements:
  • Enhanced JavaScript engine, stabilization, and performance improvements. JavaScript processing capability was added in the 5900 Scan Engine.
  • Augmented VBA Macro file handling to improve detection capabilities on malware hidden in VBA Macros.
  • Added internal APIs for file, directory, process, and registry handling to enable safer DAT content authoring.
  • Added support for 64-bit binary disassembly.
  • Enhanced ELF Handler, to improve detection capabilities on 64-bit ELF binaries.
  • Improved DAT initialization performance to tackle increasing DAT content.
  • Miscellaneous fixes of defects and customer escalations
Release Schedule
Phase Start Date End Date Common Updater site
6000 Scan Engine Beta for Endpoint Security August 21, 2018 No end date http://betaupdate.mcafee.com
6000 Scan Engine Elective Update for Endpoint Security October 3, 2018 No end date http://update.nai.com/products/commonupdater3
6000 Scan Engine Managed Throttled Update for Endpoint Security October 11, 2018 October 31, 2018 http://update.nai.com/products/commonupdater
Or
http://update.nai.com/products/commonupdater2
6000 Scan Engine General Availability (GA) for Endpoint Security November 1, 2018 No end date http://update.nai.com/products/commonupdater
Or
http://update.nai.com/products/commonupdater2

NOTE: This Scan Engine update is mandatory and is contained within the V3 DAT package. ENS endpoints that are currently running the 5900 Scan Engine, and that were not selected for update during the managed throttled update, will complete updating to the 6000 Scan Engine via the V3 DAT released on the GA date of November 1, 2018. When the GA date is reached, the 5900 Scan Engine will no longer be present in the V3 DAT released that day.

How to Evaluate the 6000 Scan Engine
During the beta and elective update periods, V3 DATs containing only the 6000 Scan Engine are made available from the above Beta and CommonUpdater3 sites referenced for these phases. They also will persist in these locations until a subsequent engine release cycle replaces them. Keep any test nodes intended to evaluate the 6000 Scan Engine pointed at one of these repositories until November 1, 2018, to avoid rolling back to the 5900 Scan Engine during the managed throttled update period. For more information on how content throttling works, refer to the "Frequently Asked Questions" section below.

Follow the instructions below to configure ePolicy Orchestrator (ePO) to download and test V3 DATs containing the 6000 Scan Engine, or to revert clients to update with the standard V3 DAT where the release is managed:

To set up a repository, pull of the V3 DAT evaluation package to the Evaluation Branch:
  1. In ePO, select Menu, Configuration, Server Settings.
  2. Select Source Sites, and then click Edit, Add Source Site.
  3. Type a source site name, select HTTP, and click Next.
  4. In the URL field, ensure that DNS Name is selected as the default and type one of the following repositories:
    • betaupdate.mcafee.com
    • update.nai.com/products/commonupdater3
  5. Type 80 for the Port and click Next.
  6. Continue clicking Next until the last screen, and then click Save.
  7. Click Enable Fallback, and then click Save.
  8. Select Menu, Automation, Server Tasks.
  9. Select the Update Master Repository task and click Edit.
  10. Click Next to navigate to the Actions tab, and then click +.
  11. In the new Actions section, select Repository Pull.
  12. Select the source site created in step 3 as the Source site, select Evaluation for Branch, and click Save.
  13. Select the Update Master Repository task and click Run.
To change the McAfee Agent policy to pull client updates from the Evaluation Branch:
  1. In ePO, edit the McAfee Agent General policy assigned to the endpoints you are using for evaluation.
  2. Click the Updates tab.
  3. Select Evaluation from the AMCore Content Package drop-down list, and then click Save.
To revert the McAfee Agent policy on completion of the evaluation:
  1. In ePO, edit the McAfee Agent General policy assigned to the endpoints you were using for evaluation.
  2. Click the Updates tab.
  3. Select Current from the AMCore Content Package drop-down list, and then click Save.
  4. If no longer required, you can delete the source site set up for evaluation.

Frequently Asked Questions
  • Do I need to change anything to update the Scan Engine?
    No. For ENS customers, the Scan Engine update occurs automatically with no option to opt out. No additional action is required to update the Scan Engine. The instructions provided in this article apply to customers interested in evaluating the Scan Engine before or during the managed throttled update running from October 11, 2018 to October 31, 2018.
     
  • What is a managed throttled update?
    A managed throttled update uses randomization to control the number of client nodes that receive an upgraded component (in this case the 6000 Scan Engine) via content updates. During a throttle period, the number of client nodes that receive the new component version increases daily according to a velocity set by McAfee. After the throttle period, every client node that supports the new component will receive the updated version by default during their next update. There is no action needed on the client node receiving the update.
     
  • How does the managed throttled update work?
    The throttle period is divided into three phases with a different rate of deployment:
    The first week, only a few machines receive the upgrade each day (approximately 0.5% of the unupgraded client base per day); these machines are randomly selected.
    In the second week, more machines receive the upgrade each day (approximately 1% of the unupgraded client base per day); these machines are also randomly selected.
    In the third week, the rate of deployment is increased so that most of the upgrades are complete across all machines (approximately 10% of the unupgraded client base per day).
    Finally, when the throttle is disabled after release on October 31, 2018, on the following day's V3 content (November 1, 2018), all remaining unupgraded clients that support the new component will receive the upgrade.

    NOTE: During the throttle period, if a new machine has a fresh product installation (that is, not from an upgrade), it always takes the new engine version, never the old one.

  • How do you roll back to the 5900 Scan Engine?
    The concept of engine updates has changed with AMCore technology; they are no longer separate packages from content. When AMCore content requires an update to any one of its engines used during scanning, the engine update is included in the V3 content update releases.
    A decision to roll back any component included in the V3 content would be taken and enacted by McAfee should such a response be required. The rollback would take effect in a subsequent V3 content release.
     
  • When will the 5900 Scan Engine be End of Life?
    The previous 5900 Scan Engine reaches End of Life (EOL) six months after the elective update for the 6000 Scan Engine is made available. The EOL date for the 5900 Scan Engine will be announced soon; however, this concept only applies to legacy V2 products where the Scan Engine is deployed as a separate package.
     
  • Does this release schedule apply to VirusScan Enterprise?
    No. This schedule applies only to ENS endpoints.
     
  • Do the ENS 10.x updates include the 6000 Scan Engine update?
    Yes. Customers currently using ENS 10.x who update to the next ENS 10.x version, including all updates, will receive an update to the 6000 Scan Engine. No additional action is required to update the Scan Engine.

Feedback and Questions
For any feedback or questions about the 6000 Scan Engine, contact Technical Support.

To contact Technical Support, log on to the ServicePortal and go to the Create a Service Request page at https://support.mcafee.com/ServicePortal/faces/serviceRequests/createSR:
  • If you are a registered user, type your User Id and Password, and then click Log In.
  • If you are not a registered user, click Register and complete the required fields. Your password and logon instructions will be emailed to you.

Rate this document

Languages:

This article is available in the following languages:

English United States
Japanese

Glossary of Technical Terms


 Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.