Revision B

McAfee Data Loss Prevention Endpoint for

Windows 11.0.300 Release Notes
(McAfee ePolicy Orchestrator)

Contents
About this release
What's new
Resolved issues
Installation information
Known issues
Getting product information by email
Where to find product documentation

About this release

This document contains important information about the current release. We recommend that you read the
whole document.
Release build — 11.0.300
• McAfee Data Loss Prevention Endpoint (McAfee DLP Endpoint) client 11.0.300.842 for Microsoft Windows
®

• McAfee Data Loss Prevention (McAfee DLP) extension 11.0.300.13 for McAfee ePolicy Orchestrator
® ® ®

(McAfee ePO )
® ™

This release was developed for use with:

Software Tested version
McAfee ePO • 5.3.3 HF1230649
• 5.9.1

McAfee Agent for Windows

®

• 5.0.6
• 5.5.0

For information on all supported platforms, environments, and operating systems see KB68147

1
 Compatibility with other McAfee Products
The following McAfee products and versions have been tested for compatibility with this release.

McAfee product Tested version

McAfee Application Control 7.0.1, 8.0 HF5, and 8.1
®

McAfee Client Proxy 2.3.3 and 2.3.4

®

McAfee Data Exchange Layer (DXL) 3.1, 4.0, and 4.1

®

McAfee Threat Intelligence Exchange (TIE) for Endpoint Security 10.2.3

®

McAfee Drive Encryption 7.1.3, 7.2.4, and 7.2.5

®

McAfee Endpoint Security 10.2.2, 10.5.3, and 10.5.4

®

McAfee File and Removable Media Protection (FRP) 4.3.1.Hotfix 2, 5.0.5, and 5.0.6
®

McAfee Host Intrusion Prevention 8.0 Patches 8, 9, 10, and 11

®

McAfee Management of Native Encryption (MNE) 3.0.1, 4.1.3, and 4.1.4

®

McAfee Policy Auditor 6.2

®

McAfee Risk Advisor 2.7.2

®

McAfee Rogue System Detection (RSD) 5.0.5

®

McAfee SiteAdvisor Enterprise 3.5 Patch 5

® ®

McAfee Virtual Technician 8.1.0

®

McAfee VirusScan Enterprise 8.8 Patches 8, 9, 10, and 11

® ®

McAfee DLP Endpoint is also compatible with the latest release of the WebMER tool.

Tested software
McAfee DLP supports the following third-party software products. These versions have been tested for
compatibility with this release.

Application type Software Tested Versions

Cloud applications Box 4.0.7848.0
Dropbox 44.4.58
Backup and Sync from Google (Google 3.39.8370.7843
Drive)
iCloud 6.2.2.39
Microsoft OneDrive 18.025.0204.0009
Syncplicity 5.2.0.11540
Security and encryption applications Boldon James Email and Office 3.11
Classifier
Boldon James File Classifier 3.10.1
Microsoft Rights Management Service 1.0.2004.0, 1.0.3274.818
(RMS) client
Seclore FileSecure Policy Server 2.78.0.0
Seclore Desktop Client 3.6.2
Stormshield Data Security 9.1.20688
Titus Classification Suite 4.7 HF 3
Titus SDK 3.1.13.4

2
 Application type Software Tested Versions
TrueCrypt 7.0.1
Office and productivity applications Adobe Acrobat Pro X and XI
Adobe Reader 11.0.10 and DC 2018.009.20044
Google Chrome, 32-bit and 64-bit 65.0.3325.146
Lotus Notes client software 8.5.3 and 9.0.1
Microsoft Edge Microsoft Edge 38-41.
Internet Explorer 11
Microsoft Office, 32-bit and 64-bit 2010, 2013 SP1, and 2016
Microsoft Outlook, 32-bit and 64-bit 2010, 2013 SP1, and 2016
Microsoft SharePoint 2010, and 2013
Mozilla Firefox, 32-bit and 64-bit 48–58
Virtual operating systems XenApp 6.5 FP2
XenDesktop 7.6 Patch 3 (PVS), 7.11

Purpose
This release adds enhancements and fixes problems that were reported in the previous version.

Rating — High Priority

Mandatory Critical High Priority Recommended

• High priority for all environments.

• Failure to apply a High Priority update might result in potential business impact.

• Most patches and hotfixes are considered High Priority.

For more information, see KB51560.

What's new
The current release of the product includes these enhancements and changes.

Microsoft Windows 10 RS4 support

This McAfee DLP Endpoint release supports Microsoft Windows 10 RS4 (Spring Creators Update) 32-bit and
64-bit operating systems.

McAfee DLP extension improvements

Rule and rule set descriptions Rule rules and rule sets now have a description field. The maximum length for
a rules description is now 2000 characters.

Event parser enhancement The McAfee DLP event parser has improved performance for McAfee DLP
Discover events.

Rest API - decrypt evidence The McAfee DLP REST API feature has been enhanced with the addition of a script
to decrypt evidence files.

For more information and sample code for the REST API see KB87855.

3
 McAfee DLP extension enhancements to comply with privacy regulations
The following enhancements have been added to comply with recent legal and regulatory requirements:
• Ability to purge evidence files

• Ability to disable reporting of short match string

• Encryption of short match string before inserting into the database

• Simplifying the detection of personal information by extending the number of built-in classifications and
validation algorithms

Purge evidence task The ability to purge unwanted incidents has long been a feature of McAfee DLP. Because
the evidence files were stored on the network share path defined in DLP Settings, they were not deleted when
incidents were purged.

The server task that purges incident history now purges related evidence files as well. To delete evidence files
related to incidents that were purged with previous McAfee DLP versions, use the DLP delete unassociated evidence
files server task.

Extended built-in classifications and validation algorithms More than 20 new built-in advanced pattern
definitions have been added. These include tax ID, social security, and national ID numbers for Belgium, Czech
Republic/Slovakia, Finland, Greece, Holland, Hungary, Ireland, Italy, Russia, Romania, Sweden, and Switzerland.

When working with older McAfee DLP products, evaluating an advanced pattern in combination with a regular
expression might result in a false-positive. When the older McAfee DLP product doesn't support the new
validation algorithm, the validation algorithm is ignored. If the regular expression matches but the value isn't
valid based on the validation algorithm, the positive match reported is a false positive.

Disable reporting of short match string A setting on the Evidence Copy Service page of the client configuration
gives you the option to not report the short match string in the incident details. The setting works in real time: if
you change the setting, it only affects incidents reported by McAfee DLP Endpoint client from that point
forward.

Encrypt short match string Short match strings are now encrypted at the event parser before being stored in
the database. The Incident Details page automatically decrypts them for display in the Evidence | Short Match String
field.

The benefit of encrypting the short match string at the event parser is that it also encrypts new incident
information reported by older versions of McAfee DLP Endpoint, McAfee DLP Prevent, and McAfee DLP Monitor.

McAfee DLP Endpoint client improvements

Windows Server 2016 support McAfee DLP Endpoint client now supports Windows Server 2016.

McAfee DLP Endpoint client running on Windows servers doesn't support endpoint file system scans or network
communication protection rules.

Migrate web protection logs to use Windows Trace Preprocessor (WPP) technology McAfee DLP has
improved performance for web protection rules by logging web protection with WPP software tracing.

Whitelisted URL support Google Chrome and Microsoft Edge (versions 40+) now support whitelisted URLs in
web protection rules. Enter the URLs you want to whitelist on the Web Protection page of the client configuration.

Direct access to McAfee DLP Endpoint end user console The McAfee DLP Endpoint end user console can
now be activated either from the McAfee System Tray or directly. To activate the console directly, navigate to C:
\Program Files\McAfee\DLP\Agent\Tools\and select DlpConsoleRunner.exe.

Google Chrome advanced protection — Added support for Chrome v64 and v65 This release provides
advanced protection support for the Google Chrome browser versions 64 and 65. Advanced protection uses
code injection to support blocking of file uploads and text posting with Chrome.

4
 Google Chrome standard protection — Changed to not use code injection Standard protection for Google
Chrome no longer uses code injection to monitor uploading files and text posting and relies only on the
standard Chrome extension APIs. It is automatically activated when McAfee DLP Endpoint is not injecting code
into new Chrome versions not officially supported by McAfee DLP. The code change also provides protection for
future Chrome versions, which will prevent code injection. For more information, see Reducing Chrome crashes
caused by third-party software.

For Chrome standard protection the Web protection evaluation settings in Policy Catalog | Windows Client Configuration |
Web Protection are ignored. The following applies to Standard Chrome protection:
• When evaluating text posting with Chrome, the web protection rule evaluates the Web Address (URL)
condition with the HTTP request URL.

• When evaluating file upload with Chrome, the web protection rule evaluates the Web Address (URL)
condition with the browser address bar URL

The McAfee DLP Chrome extension doesn't run in Chrome incognito windows. You can disable Chrome incognito
windows in Policy Catalog | Windows Client Configuration | Operational Mode and Modules.

Resolved issues
The current release of the product resolves these issues. For a list of issues fixed in earlier releases, see the
Release Notes for the specific release.
Table 3-1 McAfee DLP Endpoint client: protection rule issues
Reference Issue description
1202634 Screen capture protection rules now block capturing protected content from the preview pane of
Windows Explorer.
1210486 Web protection rules no longer cause false positives for emails sent by iNotes (Domino Web
Access).
Resolution of the issue involved improving the signature building algorithm to correctly identify all
files. False positives were more frequent for smaller files.

1218035 Web protection rules no longer fail to upload images when you post to an intranet using Mozilla
Firefox.
1221439 Screen capture protection rules now block Lightshot screenshots. The software was added to an
alternative screen capture prevention list.
1221520 Removable storage protection rules now block files protected with McAfee File and Removable
®

Media Protection (FRP) versions 5.0.x.

Table 3-2 McAfee DLP Endpoint client: email issues

Reference
1212281 Email destinations in the DLP Incident Manager now display both display name and email
address (name<xx@yyy.com) for Sender, To, Cc, and Bcc.
1213882 Email protection rules always report recipient email address, even when configuration is
Outlook Object Model (OOM).
There is a fallback mechanism for getting the address when McAfee DLP Endpoint client
fails to open the address book, but it occasionally failed when configured as OOM, with the
reported address being NONE. The recommended workaround was to use Messaging
Application Programming Interface (MAPI) instead. With the new fallback mechanism,
either interface can be used.

1219212, When an email protection rule excludes local users, McAfee DLP Endpoint no longer blocks
1226793 emails to those users when they are in a user group, even if the group also contains
external users.

5
 Table 3-2 McAfee DLP Endpoint client: email issues (continued)
Reference
1219558 Email protection rules that don't scan attachments now improve performance over rules
that do scan attachments.
1223965 Content classifications using proximity to a dictionary definition no longer cause false
negatives when used in email subjects.
1227930 An email protection rule containing a tag for a registered document no longer gives a false
positive when the registered document is not attached. The issue only occurred when the
classification field was specified as Subject and the email subject field contained text.

Table 3-3 McAfee DLP Endpoint client: performance issues

Reference Issue description
1220733 McAfee DLP Endpoint client no longer causes Microsoft Outlook to crash when it sends encrypted
emails.
1220753 McAfee DLP Endpoint client no longer resets the default forms in Microsoft Outlook.
1223385 DoctorClient.exe and Google Chrome run together normally when McAfee DLP Endpoint client is
installed. The issue of Chrome crashing due to an out of memory error has been resolved.
1224447 SYSPREP images with Out-of-Band Emission (OOBE) selected now start normally when McAfee
DLP Endpoint is installed. Access protection no longer blocks setupcl.exe from writing registry
values.
1225248 DLP now reports correct URL information when it uploads files from Chrome incognito mode.
1225688 Installing McAfee DLP Endpoint client no longer removes third-party Google Chrome extensions.

If Chrome is opened after McAfee DLP Endpoint is installed, but before the initial policy arrives
(typically a few seconds), the extensions are removed but can be restored by restarting Chrome.

1225864 Microsoft update KB4056894 (Meltdown/Spectre) is installed successfully when McAfee DLP
Endpoint is already installed on the system.
1228621 McAfee DLP Endpoint client no longer crashes when a network cable is disconnected and
reconnected.

Table 3-4 McAfee DLP Endpoint client: miscellaneous issues

Reference Issue description
1214174 McAfee DLP policies are applied (replace a previous policy) even when ModificationTime or
RevisionID match.
The issue can occur when policies are created using a policy assignment rule plus McAfee
ePO tag or restoring policies from dlpConfig.backup. The new mechanism reliably
identifies policies by checking more parameters.

1214262, 1218222 UAS attached storage can now be blocked with Plug and Play device control rules. Use the
predefined device class SCSI Adapter with description USB Attached SCSI (UAS) Mass
Storage Device.

This feature is not supported in the McAfee DLP Endpoint client 11.0.300 release. It
requires a client hotfix update.

1218560 Croatian JMBG numbers are now included in the built-in advanced pattern definitions.

Table 3-5 McAfee ePO extension issues

Reference Issue description
1204432 Encrypted evidence files can now be opened without McAfee ePO using a REST API script.
1211949 Non-global administrators can now open the Case Management console.
1218040 Host names in URL lists no longer require a top level domain.

6
 Table 3-5 McAfee ePO extension issues (continued)
Reference Issue description
1221508 Removable storage device groups can now be created by users with full policy manager
permissions.
1222345 A leading semicolon in a keyword value no longer causes policy corruption. Semicolons
are used as separators between multiple keywords. A leading semicolon (which could
occur accidentally during editing) causes an empty string, which is now ignored to prevent
policy corruption.
1229003, 1229287 Serial and user pair definitions import normally. They no longer generate an error
message.
1230997 When creating an exception for an email protection rule enforced on McAfee Network DLP
using the formula: Classification of | Headers | contains one of (OR), McAfee DLP no longer
blocks saving the exception and displays the message Classification of 'Headers'
is not supported in products other than McAfee DLP Prevent. The exception
can now be saved.

Installation information
For information about installing or upgrading McAfee DLP 11.0.300 (11.0 Patch 3) software, see the McAfee
Data Loss Prevention 11.0 Installation Guide.

Known issues
For a list of known issues in this product release, see this McAfee Knowledge Base article: KB89301.

Getting product information by email

The Support Notification Service (SNS) delivers valuable product news, alerts, and best practices to help you
increase the functionality and protection capabilities of your McAfee products.
To receive SNS email notices, go to the SNS Subscription Center at https://sns.secure.mcafee.com/signup_login
to register and select your product information options.

Where to find product documentation

Go to docs.mcafee.com to find the product documentation for this product.

Go to support.mcafee.com to find supporting content on released products, including technical articles.

7
Copyright © 2018 McAfee, LLC
McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Other
marks and brands may be claimed as the property of others.

B00