Patch 7 for McAfee ePolicy Orchestrator 4.0 released
Release Notes for McAfee ePolicy Orchestrator 4.0
Patch 7
About this release
Patch Release: June 17, 2010
Patch Package: 4.0.0.1363
This release was developed for use with:
- McAfee ePolicy Orchestrator 4.0
- McAfee ePolicy Orchestrator 4.0 Patch 1
- McAfee ePolicy Orchestrator 4.0 Patch 2
- McAfee ePolicy Orchestrator 4.0 Patch 3
- McAfee ePolicy Orchestrator 4.0 Patch 4
- McAfee ePolicy Orchestrator 4.0 Patch 5
- McAfee ePolicy Orchestrator 4.0 Patch 6
Make sure you have installed the correct version(s) before using
this release.
McAfee recommends this release for all environments. This update should
be applied at the earliest convenience. For more information, see KB article
KB51560.
Purpose
This document is a supplement to the McAfee ePolicy Orchestrator 4.0
Release Notes file in the release package, and details fixes included in
ePolicy Orchestrator 4.0 Patch 1, Patch 2, Patch 3, Patch 4, Patch 5,
Patch 6 and Patch 7.
Refer to the online KnowledgeBase article
KB65773 at
https://mysupport.mcafee.com/ for the most current information
regarding this release.
Known issues
Known issues in this release of the software are described below.
- Issue: ePolicy Orchestrator 4.0 Patch 7 cannot
be upgraded to ePolicy Orchestrator 4.5, ePolicy Orchestrator 4.5
Patch 1, or ePolicy Orchestrator 4.5 Patch 2, due to incompatible
versions of Java Runtime Environment (JRE). (Reference: 559217)
Workaround: When upgrading to
ePolicy Orchestrator 4.5, upgrade to ePolicy Orchestrator 4.5
Patch 3 or higher.
- Issue: Not all characters are allowed with
ePolicy Orchestrator or SQL usernames and passwords, specifically
regarding use with the ePolicy Orchestrator installer. (Reference:
387883, 395890)
Workaround: Here is a list of the
allowed and disallowed characters for the usernames and
passwords used by the ePolicy Orchestrator 4.0 Patch 7
installer. This list is known to be valid only for the ePolicy
Orchestrator Patch 7 installer and might not represent the
character sets allowed for previous patch installers.
  - ePO username and password official character set for the Patch 7 installer
    - Allowed:
      - All printable characters with a hex value of 0x20 – 0x7E (ASCII 32 through 126), with exceptions listed below.
    - Exceptions (for both user names and passwords, except as noted):
      - No leading space, trailing spaces, or passwords made up of solely spaces
      - No double quotes (")
      - No leading backslashes, trailing backslashes, or passwords made up of solely backslashes (\)
      - No dollar signs ($)
      - No percent signs (%)
      - Usernames cannot contain a colon (:)
      - Usernames cannot contain a semi-colon (;)
  - SQL user name and password official character set for the Patch 7 installer
    - Allowed:
      - All printable characters with a hex value of 0x20 – 0x7E (ASCII 32 through 126), with exceptions listed below.
    - Exceptions (for both usernames and passwords, except as noted):
      - No leading space, trailing spaces, or passwords made up of solely spaces
      - No double quotes (")
      - No single quotes (')
      - No backslashes (\)
      - Usernames cannot contain a dollar sign ($)
      - Usernames cannot contain a colon (:)
      - Usernames cannot contain a semi-colon (;)
- Issue: Cluster installation on Windows 2008
server is not supported.
Workaround: Cluster users should
not migrate to Windows 2008 at this time.
- Issue: If the master repository is locked,
package check-in fails, causing the installation to fail and roll
back.
Workaround: Ensure that there are
no repository actions that conflict with the installer. These
actions can be running or be regularly scheduled repository
pulls or replications.
- Issue: If a previous Patch installation is
successfully completed with a database user configured to use a
non-default database schema, the following tables are created:
- <schema used>.OrionExtensionsBackup
- <schema used>.OrionConfigurationBackup.
The existence of these tables causes the Patch 7 installation to
fail. (Reference: 461433)
Workaround: Delete these tables
and try the installation again.
- Issue: When using ePolicy Orchestrator on
Windows 2008 servers, a blank “Domain” selection drop-down list
appears when a user tries to browse for systems while adding new
systems to the System Tree in the ePolicy Orchestrator console.
(Reference: 391040)
Workaround: On Windows 2008
servers, the McAfee ePolicy Orchestrator 4.0.0 Application
Server service must have sufficient permissions to complete the
request. For more information, see KB article KB53861.
- Issue: When using ePolicy Orchestrator on
Windows 2008 servers, external commands are not executed.
(Reference: 433570)
Workaround: On Windows 2008
servers, the McAfee ePolicy Orchestrator 4.0.0 Application
Server service must have sufficient permissions to complete the
request. For more information, see KB article KB53862.
- Issue: During a cluster installation, the IP
address for a client system appears as 128.0.0.0 after an agent
push. (Reference: 435257)
Workaround: After the first
successful communication, the IP address reflects the correct
address.
- Issue: When the SQL Server “Nested Triggers”
option is disabled, policy assignment timestamps are not updated.
This causes ePolicy Orchestrator to fail to deliver full policies to
client systems. (Reference: 406765)
Workaround: Verify that the
“Nested Triggers” SQL Server option is enabled for the ePolicy
Orchestrator database. For more information, see KB article
KB52512.
- Issue: Server tasks failed on systems using AMD
processors running Windows 2000 or Windows 2003. (Reference: 468383)
Workaround: Server tasks can be
invoked by removing the /usepmtimer switch from the boot.ini
file.
Resolved issues
Issues that are resolved in this release are listed below.
- Issue: Server tasks that were scheduled for
months with fewer than 31 days were sometimes set with the incorrect
dates. (Reference: 552863)
Resolution: Server task schedules are now set
with the correct date.
- Issue: The Compliance History query for
rolled-up reporting for multiple servers displayed the incorrect
time. (Reference: 551204)
Resolution: The Compliance History report now
shows the correct time.
- Issue: Replication could fail on servers with
multiple processors when the thread count was calculated by the
server to be over 64. (Reference: 516237)
Resolution: The thread count is now throttled to
64 and replication succeeds under these conditions.
- Issue: An unexpected error occurred when
drilling down into report detail if VirusScan Enterprise reported an
incorrect engine version. (Reference: 555522)
Resolution: An error no longer occurs if an
incorrect engine version exists in the report.
- Issue: A restart of the ePolicy Orchestrator
Application Server service caused a master repository timestamp
update when no update actually occurred, making it appear that
distributed repositories were out-of-date. (Reference: 532615)
Resolution: A restart of this service no longer
causes the master repository to appear updated.
- Issue: Active Directory synchronization was
non-functional in ePolicy Orchestrator 4.0 Patch 6. (Reference:
537748)
Resolution: Active Directory synchronization now
works correctly.
- Issue: An aborted replication server task was
logged to the server task log as successful. (Reference: 498794)
Resolution: An aborted replication server task
is no longer logged as successful.
- Issue: An out-of-memory condition on the
ePolicy Orchestrator server can cause invalid policy to be sent to
and rejected by a McAfee Agent. (Reference: 521023)
Resolution: Out-of-memory conditions are now
logged and agent to server communication is now rejected if a policy
cannot be generated.
- Issue: Certain error conditions sometimes
caused ePolicy Orchestrator server performance to degrade.
(Reference: 520398)
Resolution: These error conditions no longer
cause ePolicy Orchestrator server performance degradation.
- Issue: ePolicy Orchestrator 4.0 Patch 6
included a change to preserve event files that could not be
successfully processed, causing event files to accumulate.
(Reference: 555190)
Resolution: Events that fail to be processed are
now deleted by default. To preserve failed events, the following
registry value should be created, and the Event Parser service
restarted.
HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator\EventParser\DeleteFailedEvents
Type: REG_SZ
Data: 0
- Issue: The ePolicy Orchestrator Application
Server crashed if proxy authentication for MyAvert Security Threats
was configured with empty passwords. (Reference: 539673)
Resolution: The ePolicy Orchestrator Application
Server no longer crashes when configured with empty passwords.
- Issue: Exporting the result of the ePO
Compliance History report did not show a link to the exported file.
(Reference: 559193)
Resolution: Exporting the result of the ePO
Compliance History report now correctly shows a link to the exported
file.
- Issue: Global Updating was triggered twice when
a package was checked in and the "Move the existing package to the
Previous branch" option was enabled. (Reference: 536950)
Resolution: Global Updating is triggered only
once in this scenario.
- Issue: In ePolicy Orchestrator 4.0 Patch 6,
importing a list of systems from a text file with the option to
"Move systems from their current System Tree location to the
synchronized group" failed if there were systems that existed
elsewhere in the directory and needed to be moved. (Reference:
551506)
Resolution: Importing a list of systems now
works correctly in this scenario.
- Issue: Key indexes in the ePolicy Orchestrator
database sometimes became fragmented, degrading ePolicy Orchestrator
server performance and throughput. (Reference: 548979)
Resolution: Updates to key indexes in the
database are now optimized, minimizing database fragmentation and
ePolicy Orchestrator server performance degradation.
- Issue: The Replication Timeout feature would
wait until active site replications finished before terminating the
replication task, prolonging the length of the task. (Reference:
524935)
Resolution: The Replication Timeout feature now
aborts active site replications and ends the task sooner.
- Issue: The rollup product properties DATVer and
DatDate might not have been collected for all point-products.
(Reference: 509934)
Resolution: These properties are now collected
for all point-products that provide them.
- Issue: When packages were manually checked into
the ePolicy Orchestrator master repository, a temporary copy was
sometimes retained on the ePolicy Orchestrator server. (Reference:
518502)
Resolution: The temporary package copies are now
removed when they are no longer needed.
- Issue: Rollup queries on managed systems
reported the first octet of a system's IP address incorrectly.
(Reference: 576502)
Resolution: IP addresses are now correct in
rollup queries.
- Issue: Editing of a distributed repository
caused that repository to become disabled in agent policies
configured for "New repositories to be excluded by default."
(Reference: 564182)
Resolution: Only adding a new repository, and
not editing an existing one, now causes the repository to be
excluded by default in appropriate agent policies.
- Issue: The System Tree filter of the
Notification Log only worked when the console language was English.
(Reference: 500684)
Resolution: The System Tree filter now works for
all console languages.
- Issue: An unexpected error occurred if the
Client Tasks list had an invalid task. (Reference: 473690)
Resolution: Client Tasks list now displays valid
tasks as well as invalid tasks marked as "(Invalid)".
- Issue: In the Audit Log, the message "View
Audit Log" did not log the user name. (Reference: 500488)
Resolution: The user name is now logged and
displayed in the Audit Log.
- Issue: The order of subqueries and subtasks was
rearranged and run out of order. (Reference: 524774)
Resolution: Subqueries and subtasks are no
longer rearranged or run out of order.
- Issue: An unexpected error sometimes occurred
when a HIPS query was modified. (Reference: 513559)
Resolution: Additional retry attempts to the
database have been added after a query deadlock occurs.
- Issue: Field names were incorrect and the date
format wrong when reports were exported to .CSV format from a line
chart. (Reference: 539323)
Resolution: When data is exported from a line
chart to .CSV format, the column headers are correctly displayed for
date and time fields.
- Issue: An Automatic Response that filters on
the timestamp property "Is Between" caused an exception error.
(Reference: 513851)
Resolution: A triggered event based on a
timestamped property that is filtered with "Is between" now performs
without error.
- Issue: The exported ServerTask Log Report
showed garbage characters under the Message column instead of
double-byte characters, e.g. Japanese characters. (Reference:
526428)
Resolution: Entries made to the server task log
after applying this Patch now properly escape double-byte characters
and write to the database correctly. When the information is
retrieved from the database, the characters are properly displayed
in exported and on-screen formats.
- Issue: The Patch installer asked for the event
parser to application server communication port, even if it was
already specified. (Reference: 526698)
Resolution: This port number is now requested
only if it was never provided previously.
ePolicy Orchestrator 4.0 Patch 7 installation instructions
ePolicy Orchestrator 4.0 Patch 7 installation prerequisites
- You must have one of the following installed prior to
upgrading to ePolicy Orchestrator 4.0 Patch 7:
- ePolicy Orchestrator 4.0 (build 1015)
- ePolicy Orchestrator 4.0 Patch 1 (build 1083)
- ePolicy Orchestrator 4.0 Patch 2 (build 1113)
- ePolicy Orchestrator 4.0 Patch 3 (build 1151)
- ePolicy Orchestrator 4.0 Patch 4 (build 1186 or 1221)
- ePolicy Orchestrator 4.0 Patch 5 (build 1298)
- ePolicy Orchestrator 4.0 Patch 6 (build 1333)
- You must be logged on to the ePolicy Orchestrator 4.0 server
as a local administrator on the system.
- You must know the user name and password for at least one
global administrator that is valid for the ePolicy Orchestrator
4.0 server you are trying to upgrade.
- The ePolicy Orchestrator and SQL Server services must be
running during this upgrade (except when the automated upgrade
stops and starts your ePO services).
Before installing ePolicy Orchestrator 4.0 Patch 7
- Back up your ePolicy Orchestrator server and ePolicy
Orchestrator database before upgrading to ePolicy Orchestrator
4.0 Patch 7. For more information, see KB article KB51438.
- Be sure that there are no repository pulls or replications
tasks currently running or scheduled to run during the
installation.
Important: If the master
repository is locked, package checkins fail, causing the
installation to fail and roll back.
- Warn other ePolicy Orchestrator users that during the
installation process they might see changing content or be
logged out of their current ePolicy Orchestrator console
session.
Installing ePolicy Orchestrator 4.0 Patch 7
- Copy the upgrade installation zip file to a temporary
directory.
- Extract the contents of the zip file into the temporary
directory.
- From the extracted files, run Setup.exe.
- Click Next.
- Type the ePolicy Orchestrator credentials for a global
administrator.
Note: McAfee recommends that you use
an existing global administrator account with a simple
password when you install this Patch. If the user is not a
global administrator or the password includes characters
other than those listed in the official character set (see
Known Issues above) the installation will fail.
- Click Next.
- Choose the port for the Event Parser-to-Application Server
communication, then click Next.
Note: This step is
required when installing over ePolicy Orchestrator 4.0 RTW
only, not when installing over Patches.
- Choose the port for the Sensor-to-Server communications,
then click Next.
Important: If prompted for a
port for the Sensor-to-Server communications, you must
specify an unused port.
- When the installation is complete, click Finish.
- Manually determine if any extension upgrades failed, because
individual extension upgrade failures do not cause the ePolicy
Orchestrator 4.0 Patch 7 installation to fail. A record of the
failed extension check-ins can be found in the
%TEMP%\NAILogs\EPO400-Checkin-Falure.log file. Any failed
extensions can be checked in again through the management
console after the Patch installation is complete.
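The character-set rules under Known issues, which the credential step above depends on, can be checked before Setup.exe is run. The following is an added example, not McAfee code: the function names and sample values are assumptions made here, and it encodes only the rules these notes list for the Patch 7 installer.

```python
"""Check credentials against the Patch 7 installer character sets."""

PRINTABLE = range(0x20, 0x7F)  # 0x20 through 0x7E inclusive

NAMES = {'"': "double quote", "'": "single quote", "$": "dollar sign",
         "%": "percent sign", ":": "colon", ";": "semicolon"}

# Rules transcribed from the Known issues list in these release notes.
RULES = {
    "epo": {"anywhere": '"$%', "username_only": ":;", "backslash": "edges"},
    "sql": {"anywhere": "\"'", "username_only": "$:;", "backslash": "any"},
}


def violations(value, account, field):
    """Return the rules that `value` breaks; the value is never echoed.

    account is "epo" or "sql"; field is "username" or "password".
    """
    if field not in ("username", "password"):
        raise ValueError("field must be 'username' or 'password'")
    rules = RULES[account]
    found = []
    if any(ord(ch) not in PRINTABLE for ch in value):
        found.append("character outside 0x20-0x7E")
    # A value made up solely of spaces is caught here as well.
    if value.startswith(" ") or value.endswith(" "):
        found.append("leading or trailing space")
    banned = rules["anywhere"]
    if field == "username":
        banned += rules["username_only"]
    for ch in banned:
        if ch in value:
            found.append("contains " + NAMES[ch])
    if rules["backslash"] == "any":
        if "\\" in value:
            found.append("contains backslash")
    elif value.startswith("\\") or value.endswith("\\"):
        # Also catches a value made up solely of backslashes.
        found.append("leading or trailing backslash")
    return found


def preflight(credentials):
    """Map {(account, field): value} to {(account, field): [violations]}.

    Only failing entries are returned, so an empty dict means all passed.
    """
    report = {}
    for (account, field), value in credentials.items():
        problems = violations(value, account, field)
        if problems:
            report[(account, field)] = problems
    return report


if __name__ == "__main__":
    # Constructed sample values, not real accounts.
    sample = {
        ("epo", "username"): "admin",
        ("epo", "password"): "Summer%2010",
        ("sql", "username"): "EPODOM\\svc_epo",
        ("sql", "password"): "pa$$word",
    }
    for key, problems in preflight(sample).items():
        print(key, problems)
```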
Clustered Server ePolicy Orchestrator 4.0 Patch 7 installation instructions
ePolicy Orchestrator software provides high availability for
server clusters with Microsoft Cluster Server (MSCS) software.
Removing the Generic Service resources
- In Cluster Administrator, take the ePolicy Orchestrator
service resources offline by right-clicking each resource and
selecting Take Offline.
- McAfee ePolicy Orchestrator 4.0.0 Server.
- McAfee ePolicy Orchestrator 4.0.0 Application Server.
- McAfee ePolicy Orchestrator 4.0.0 Event Parser.
- Delete the ePolicy Orchestrator service resources by
right-clicking each resource and selecting Delete.
Important: Do not remove the
Data Drive, ePolicy Orchestrator IP Address, or ePolicy
Orchestrator Network Name resources; they are required to
install the Patch successfully.
Installing ePolicy Orchestrator 4.0 Patch 7 on each node
Run the ePolicy Orchestrator Patch 7 setup on each node. McAfee
strongly recommends that you install the Patch on one node at a
time, and that all other nodes are shut down.
- Make sure the following services are running in the Service
Control Manager: (If they are not running, start them manually.)
- McAfee ePolicy Orchestrator 4.0.0 Application Server
service
- McAfee ePolicy Orchestrator 4.0.0 Event Parser service
- McAfee ePolicy Orchestrator 4.0.0 Server service.
- In the Patch 7 installation folder, run Setup.exe.
- Complete the installation wizard until the installation is
complete on the node.
Note: Upgrading from
ePolicy Orchestrator 4.0: When installing on the
first node of the cluster, you are prompted for the Event
Parser-to-Application Server and Sensor-to-Server ports. You
must specify unused ports.
Note: Upgrading from
ePolicy Orchestrator 4.0 Patch 1: When installing
on the first node of the cluster, you are prompted for the
Sensor-to-Server port. You must specify an unused port.
- Shut down the node.
- Bring up the next node and repeat these tasks.
Creating the Generic Service resources
- Ensure that the three McAfee services listed below are
set to Manual and not Automatic in the Service Control
Manager.
- Add Generic Service resources in the following order:
- McAfee ePolicy Orchestrator 4.0.0 Server
- McAfee ePolicy Orchestrator 4.0.0 Application Server
- McAfee ePolicy Orchestrator 4.0.0 Event Parser
- In the Cluster Administrator, right-click the ePO group,
then select New | Resource. The New Resource dialog box
appears.
- Type the Name and Description of the resource. For
example, ePO 4.0 Server.
- From the Resource type drop-down list, select Generic
Service.
- Ensure ePO is the selected group, then click Next.
- In the Possible Owners dialog box, identify the owners
of the resource. Select the desired node, then click Add.
- Repeat until all owners are added, then click Next.
- In the Dependencies dialog box, type the dependency
specific to each service.
- Service “McAfee ePolicy Orchestrator 4.0.0
Application Server” depends on “McAfee ePolicy
Orchestrator 4.0.0 Server”
- Service “McAfee ePolicy Orchestrator 4.0.0 Event
Parser” depends on “McAfee ePolicy Orchestrator 4.0.0
Application Server”
- For each of the following services, type the Service
Name, leave the Start Parameters field blank, then click
Finish.
- Service “Server” Service Name “MCAFEEAPACHESRV”
- Service “Application Server” Service Name
“MCAFEETOMCATSRV”
- Service “Event Parser” Service Name
“MCAFEEEVENTPARSERSRV”
Testing ePolicy Orchestrator 4.0 clustered server installation
When the ePolicy Orchestrator cluster is set up, test its
functionality by bringing the ePO group online.
- Turn on all nodes.
- Select the ePO group, and select Bring online.
- Right-click any of the resources for the ePO group, then
select Initiate Failure. A series of messages reports the
progress of the failure of the resource and its restoration.
- Check that you can restart the Cluster Service on the Active
Node, which causes the Passive Node to become the Active Node
and the new owner of the resources.
Finding release notes and documentation for McAfee enterprise products
- Go to
https://mysupport.mcafee.com and select
Read Product Documentation under
Self Service.
- Select <Product Name> |
<Product Version> and select the
required document from the list of documents.