Professional Documents
Culture Documents
0
Evaluation and Walkthrough Guide
COPYRIGHT
Copyright © 2008 McAfee, Inc. All Rights Reserved.
No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form
or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.
TRADEMARK ATTRIBUTIONS
AVERT, EPO, EPOLICY ORCHESTRATOR, FLASHBOX, FOUNDSTONE, GROUPSHIELD, HERCULES, INTRUSHIELD, INTRUSION INTELLIGENCE,
LINUXSHIELD, MANAGED MAIL PROTECTION, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, MCAFEE.COM, NETSHIELD,
PORTALSHIELD, PREVENTSYS, PROTECTION-IN-DEPTH STRATEGY, PROTECTIONPILOT, SECURE MESSAGING SERVICE, SECURITYALLIANCE,
SITEADVISOR, THREATSCAN, TOTAL PROTECTION, VIREX, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc.
and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other
registered and unregistered trademarks herein are the sole property of their respective owners.
LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED,
WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH
TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS
THAT ACCOMPANIES YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET,
A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEB SITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU
DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN
THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.
License Attributions
Refer to the product Release Notes.
Global administrators. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Contacts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Administrator access. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
NT domain synchronization. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Distributing Agents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Agent-server communication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Creating Repositories. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Repository types and what they do. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Policy management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Policy application. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Setting Up Notifications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Notifications and how it works. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Query permissions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Query Builder. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Lab Evaluation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Installing and setting up. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Deploying agents. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Configuring Notifications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Contents
Components of ePolicy Orchestrator
What's new in this release
New layout for ePolicy Orchestrator
Master repository
The central location for all McAfee product installation, update and signature packages, which
are available to managed systems using distributed repositories and agents.
Web-based consoles
The remote access point to the ePolicy Orchestrator server and reports. Use a browser session
to configure policies, create or edit tasks, and run reports.
Threat notification
An alert message based on threat and compliance events in your environment. ePolicy
Orchestrator can alert you immediately to events in your environment via standard email
message or SNMP trap.
Distributed repository
Repositories, distributed throughout your environment, provide managed systems access to
DAT files, product updates, and product installations. These repositories distribute the impact
of updating managed systems.
McAfee Agent
A vehicle of information and enforcement between the ePolicy Orchestrator server and each
system. The agent retrieves updates, ensures task implementation, enforces policy and forwards
events for each managed system.
Web-based console
ePolicy Orchestrator has moved from the Microsoft Management Console (MMC) to a web-based
architecture.
Directory
The Directory is now the System Tree. Create, populate, and update the System Tree structure
with your Active Directory structure and system placement.
Query system
The ePolicy Orchestrator includes a native query and report system. Included are default queries
and the Query Builder wizard, which allows you to easily create and edit queries. Unlike reports
in previous versions, results are actionable. For example, you can run a query on systems whose
agents haven't communicated with the server in a certain amount of time, then send an agent
wake up call to those systems. Additionally, queries can be run on a schedule.
Dashboards
Dashboards that contain multiple monitors provide a quick overview of system status. Create
monitors for any chart-based query, or select one of the default monitors.
Server tasks
You can chain server task actions and subactions within a single task. For example, you can
schedule a single server task that runs a pull task, followed by a replication task, and then runs
a query against the update status of the distributed repositories and send the results to you
via email.
Tags
Tags are like labels you assign (one or more) to one or more systems manually or based on
criteria at agent-server communication. With tags, you can automatically place systems in the
System Tree based on any combination of system properties by using criteria-based tags and
parallel sorting criteria. Additionally, you can create and run queries on systems based on the
tags applied to them.
Dashboards
Go to Dashboards to view monitors that display the results of a query and are refreshed
automatically or provide convenient status updates. You can choose from a number of default
dashboards, or build your own with monitors created from chart-based queries.
Reporting
Go to Reporting to view and work with data about your managed environment. In this section
of the product, you can work with queries, the different logs that are accessible from the
interface, and MyAvert Security Threats.
Software
Go to Software to view and work with repositories and their contents. All deployment and
updating functionality is located here. In addition to existing functionality, you can now change
credentials on multiple distributed repositories at once, and copy only selected packages during
a pull task.
Systems
Go to Systems to organize and work with the managed systems in your environment. Under
Systems, you can work with and assign policies and client tasks, take actions on systems, set
up the System Tree, its groups, and any synchronization settings or sorting criteria on them.
Network
Go to Network to view and work with items that apply to your broader environment. For example,
if you have multiple ePO servers, you can register them all here for multi-server reporting
purposes.
Automation
Go to Automation to set up those items that run on a schedule or are used in automatic
responses. For example, server tasks and notification rules are both located here.
Configuration
Go to Configuration to set up user accounts, permission sets, contacts, and server settings.
These are the global settings that are necessary for your ePO environment.
Are you configuring the ePO server for the first time?
Contents
ePO user accounts
How permission sets work
Contacts
Global administrators
Global administrators have read and write permissions and rights to all operations. When you
install the server a global administrator account with the user name admin is created.
You can create additional global administrator accounts for people who require global
administrative rights.
Permissions exclusive to global administrators include:
• Create, edit, and delete source and fallback sites.
Contacts
Maintain a list of email addresses that ePolicy Orchestrator uses to send email messages to
specified users in response to events. Currently this list is used by Notifications, queries, and
export functionality.
• Sorting systems into groups automatically — You can now use tags as sorting criteria in
addition to the previous functionalities of IP address sorting. Each type of sorting criteria
can be used alone or in combination.
The System Tree contains all of the systems managed by ePolicy Orchestrator; it is the primary
interface for managing policies and tasks on these systems. You can organize systems into
logical groups (for example, functional department or geographic location) and sort them by
IP address or tags. You can manage policies (product configuration settings) and schedule tasks
(for example, updating virus definition files) for systems at any level of the System Tree.
Before configuring the software to deploy or manage the security software in your environment,
you must plan how to best organize systems for management and select the methods to bring
in and keep systems in the System Tree.
TIP: Many factors can influence how you should create and organize your System Tree. McAfee
recommends taking time to review this entire guide before you begin creating your System
Tree.
Are you setting up the System Tree for the first time?
Contents
The System Tree
Groups
The System Tree is a hierarchical structure that allows you to group your systems within units
called groups.
Groups have these characteristics:
• Groups can be created by global administrators or users with the appropriate permissions.
• A group can include both systems and other groups.
• Groups are administered by a global administrator or a user with appropriate permissions.
Grouping systems with similar properties or requirements into these units allows you to manage
policies for systems in one place, rather than setting policies for each system individually.
As part of the planning process, consider the best way to organize systems into groups prior
to building the System Tree.
Lost&Found group
The System Tree root (My Organization) includes a Lost&Found group. Depending on the
methods for creating and maintaining the System Tree, the server uses different characteristics
to determine where to place systems. The Lost&Found group stores systems whose locations
could not be determined.
The Lost&Found group has the following characteristics:
• It can't be deleted.
• It can't be renamed.
• Its sorting criteria can't be changed (although you can provide sorting criteria for the
subgroups you create within it.)
• It always appears last in the list and is not alphabetized among its peers.
• All users with view permissions to the System Tree can see systems in Lost&Found.
• When a system is sorted into Lost&Found, it is placed in a subgroup named for the system’s
domain. If no such group exists, one is created.
NOTE: If you delete systems from the System Tree, be sure you select the option to remove
their agents. If the agent is not removed, deleted systems reappear in the Lost&Found group
because the agent continues to communicate to the server.
Inheritance
Inheritance is an important property that simplifies policy and task administration. Because of
inheritance, child groups in the System Tree hierarchy inherit policies set at their parent groups.
For example:
• Policies set at the My Organization level of the System Tree are inherited by groups below
it.
• Group policies are inherited by subgroups or individual systems within that group.
Inheritance is enabled by default for all groups and individual systems that you add to the
System Tree. This allows you to set policies and schedule client tasks in fewer places.
However, inheritance can be broken by applying a new policy at any location of the System
Tree (provided a user has appropriate permissions) to allow for customization. You can lock
policy assignments to preserve inheritance.
Administrator access
When planning your System Tree organization, consider the access requirements of those who
must manage the systems.
For example, you may have very decentralized network administration in your organization,
where different administrators have responsibilities over different parts of the network. For
security reasons, you may not have a global administrator account that can access every part
of your network. In this scenario, you may not be able to set policies and deploy agents using
a single global administrator account. Instead, you may need to organize the System Tree into
groups based on these divisions and create accounts and permission sets.
Questions to consider include:
• Who is responsible for managing which systems?
• Who requires access to view information about the systems?
• Who should not have access to the systems and the information about them?
These questions impact both the System Tree organization, and the permission sets you create
and apply to user accounts.
Topological borders
Your network is already defined by NT domains or Active Directory containers. The better
organized your network environment, the easier it is to create and maintain the System Tree
with the synchronization features.
Geographic borders
Managing security is a constant balance between protection and performance. Organize your
System Tree to make the best use of limited network bandwidth. Consider how the server
connects to all parts of your network, especially remote locations that are often connected by
slower WAN or VPN connections, instead of faster LAN connections. You may want to configure
updating and agent-server communication policies differently for remote sites to minimize
network traffic over slower connections.
Grouping systems first by geography provides several advantages for configuring policies:
• You can configure update policies for the group so that all systems update from one or more
distributed software repositories located nearby.
• You can schedule client tasks to run at times better suited to the site’s location.
Political borders
Many large networks are divided by individuals or groups responsible for managing different
portions of the network. Sometimes these borders do not coincide with topological or geographic
borders. Who accesses and manages the segments of the System Tree affects how you structure
it.
Functional borders
Some networks are divided by the roles of those using the network; for example, Sales and
Engineering. Even if the network is not divided by functional borders, you may need to organize
segments of the System Tree by functionality if different groups require different policies.
A business group may run specific software that requires special security policies. For example,
arranging your email Exchange Servers into a group and setting specific exclusions for VirusScan
Enterprise on-access scanning.
If possible, consider using tag-based sorting criteria to automatically populate groups with the
appropriate systems.
Traits of tags
With tags, you can:
• Apply one or more tags to one or more systems.
• Apply tags manually.
• Apply tags automatically, based on user-defined criteria, when the agent communicates with
the server.
• Exclude systems from tag application.
• Run queries to group systems with certain tags, then take direct action on the resulting list
of systems.
• Base System Tree sorting criteria on tags to group systems into desired System Tree groups
automatically.
Types of tags
There are two types of tags:
• Tags without criteria. These tags can be applied only to selected systems in the System Tree
(manually) and systems listed in the results of a query.
• Criteria-based tags. These tags are applied to all non-excluded systems at each agent-server
communication. Such tags use criteria based on any properties sent by agent. They can also
be applied to non-excluded systems on demand.
3 Use the Synchronize Now action to import Active Directory systems (and possibly structure)
into the System Tree according to the synchronization settings.
4 Use an NT Domain/Active Directory Synchronization server task to regularly synchronize
the systems (and possibly the Active Directory structure) with the System Tree according
to the synchronization settings.
Systems only
Use this synchronization type to import systems from an Active Directory container, including
those in non-excluded subcontainers, as a flat list to a mapped System Tree group. You can
then move these to the desired locations in the System Tree by assigning sorting criteria to
groups.
If you choose this synchronization type, be sure to select not to add systems again if they exist
elsewhere in the System Tree. This prevents duplicate entries for systems in the System Tree.
NT domain synchronization
Use your NT domains as a source for populating your System Tree. When you synchronize a
group to an NT domain, all systems from the domain are put in the group as a flat list. You can
manage those systems in the single group, or you can create subgroups for more granular
organizational needs. Use a method, like automatic sorting to populate these subgroups
automatically.
If you move systems to other groups or subgroups of the System Tree, be sure to select to not
add the systems when they already exist elsewhere in the System Tree.
Unlike Active Directory synchronization, only the system names are synchronized with NT domain
synchronization — the system description is not synchronized.
When deploying agents throughout your environment for the first time:
1 Configure agent policy settings for the System Tree groups to which you are distributing
agents.
2 Distribute agents with the chosen methods to the desired locations.
Contents
Agents and SuperAgents
Agent-server communication
Agent activity logs
Agent policy settings
Methods of agent distribution
After the initial agent-server communication, the agent retrieves the new package that
corresponds to the in-use locale and applies it. In this way, the agents retrieve only language
packages for the locales being used on each managed system.
NOTE: The interface continues to appear in the current language until the new language package
has been applied.
Multiple language packages can be stored on managed systems to allow users to switch
languages by changing the locale. If a locale is selected for which a language package is not
available locally, the interface appears in English.
Agent language packages are available for these languages:
Agent-server communication
During agent-server communication, the agent and server exchange information using SPIPE,
a proprietary network protocol used by ePolicy Orchestrator for secure network transmissions.
At each communication, the agent collects its current system properties, as well as any events,
and sends them to the server. The server sends any new or changed policies, tasks, and
repository list to the agent. The agent then enforces the new policies locally on the managed
system.
Agent-server communication can be initiated in these ways:
• Agent-to-server communication interval (ASCI)
• Agent-initiated communication after agent startup
• Agent wake-up calls
• Communication initiated manually from the managed system
Agent-to-server-communication interval
The agent-to-server-communication interval (ASCI) is set on the General tab of the McAfee
Agent policy pages. This setting determines how often the agent calls into the server for data
exchange and updated instructions. By default, the ASCI is set to 60 minutes; the agent checks
into the server once every hour.
When deciding whether to modify this policy setting, you must consider your organization’s
threat response requirements, available bandwidth, total number of managed systems, and the
hardware hosting the server. Be aware that ASCI communication can generate significant
network traffic, especially in a large network. In such a case, you probably have agents in
remote sites connecting over slower network connections. For these agents, you may want to
set a less frequent ASCI. The following table lists general ASCI recommendations for common
network connection speeds.
NOTE: For complete information on balancing bandwidth, server hardware, and ASCI
determination, see the ePolicy Orchestrator 4.0.2 Hardware Sizing and Bandwidth Usage Guide.
Wake-up calls
Wake-up calls prompt the agents to call in to the server. Wake-up calls can be sent manually
or scheduled as a client task. These are useful when you have made policy changes or checked
in updates that you want to apply to the managed systems sooner than the next ASCI.
Wake-up calls can also configured on query results which are scheduled in the Server Task
Builder wizard.
Best practices
To deploy sufficient numbers of SuperAgents to the appropriate locations, first determine the
broadcast segments in your environment and select a system (preferably a server) in each to
host a SuperAgent. Be aware that agents in broadcast segments without SuperAgents do not
receive the broadcast wake-up call, and therefore, do not call in to the server.
Similar to the regular agent wake-up call, the SuperAgent wake-up call uses the SPIPE protocol.
Ensure the agent wake-up communication port (8081 by default) and the agent broadcast
communication port (8082 by default) are not blocked.
Proxy settings
To access the McAfee update sites, the agent must be able to access the Internet. Use the
agent policy settings to configure proxy server settings for the managed systems. The Proxy
tab of the McAfee Agent policy pages includes settings to:
• Use Internet Explorer proxy settings.
• Configure custom proxy settings.
• Disable any proxy use.
The default setting is Use Internet Explorer Proxy Settings, allowing an agent to use the
current proxy server location and credential information currently configured in the Internet
Explorer browser installed on that system. However, you may need to use ePolicy Orchestrator
to configure custom proxy server settings for systems in your network. For example, maybe
they use a different browser and don’t have Internet Explorer installed.
The following table details the advantages and disadvantages of the different methods to
distribute the agent.
Table 1: Advantages and disadvantages of agent distribution methods
Method Advantages Disadvantages
Deploying agents while Automatic; no other steps are required. If you are creating sites by importing large NT
creating Directory domains or Active Directory containers, too
much network traffic may be generated for your
resources.
Deploying agents from This is an efficient method for distributing You must embed user credentials with
ePolicy Orchestrator the agent, assuming you used a phased administrator rights to the desired systems.
approach for large deployments. Also, you must ensure that systems running
Microsoft XP Service Pack 2, have the
FRAMEPKG.EXE file added to the firewall
exceptions list.
Using login scripts This is an efficient method for an Systems that don’t log on to the network
environment where systems log on to the frequently, may not be running the most
network frequently. You do the work up-to-date agent.
once, and the agent is deployed
automatically.
Installing manually This is an efficient method if you are not This is not a time-efficient method if you have
using ePolicy Orchestrator to deploy the many systems.
agent.
Including the agent on an Prevents the bandwidth impact that other If you do not use images consistently, this
image forms of distribution can cause. Reduces method would not be efficient to ensure
the overhead by integrating the task into coverage.
another.
Enabling the agent on Saves significant bandwidth and time. The disabled agent may be out-of-date and
unmanaged McAfee require you run the deployment task to upgrade
products the agent to the current release. You cannot
change the agent installation folder without
removing and reinstalling the agent. Agents
that you enable may be located in a different
folder than agents that you deploy in your
network by some other method.
Contents
Repository types and what they do
How repositories work together
Master repository
The master repository maintains the latest versions of security software and updates for your
environment. This repository is the source for the rest of your environment.
The master repository is configured when ePolicy Orchestrator is installed. However, you must
ensure that proxy server settings are configured correctly. By default, ePolicy Orchestrator uses
Microsoft Internet Explorer proxy settings.
Distributed repositories
Distributed repositories host copies of your master repository’s contents. Consider using
distributed repositories and placing them throughout your network strategically to ensure
managed systems are updated while network traffic is minimized, especially across slow
connections.
As you update your master repository, ePolicy Orchestrator replicates the contents to the
distributed repositories.
Replication can occur:
• Automatically when specified package types are checked in to the master repository with
global updating enabled.
• On a recurring schedule with Replication tasks.
• Manually, by running a Replicate Now task.
A large organization can have multiple locations with limited bandwidth connections between
them. Distributed repositories help reduce updating traffic across low-bandwidth connections,
or at remote sites with a large number of client systems. If you create a distributed repository
in the remote location and configure the systems within the remote location to update from
this distributed repository, the updates are copied across the slow connection only once — to
the distributed repository — instead of once to each system in the remote location.
If global updating is enabled, distributed repositories update managed systems automatically,
as soon as selected updates and packages are checked into the master repository. You do not
need to spend additional time creating and configuring repositories or the update tasks.
Source site
The source site provides all updates for your master repository. The default source site is the
McAfeeHttp update site, but you can change the source site or create multiple source sites if
you require. McAfee recommends using the McAfeeHttp or McAfeeFtp update sites as your
source site.
NOTE: Source sites are not required. You can download updates manually and check them in
to your master repository. However, using a source site automates this process.
McAfee posts software updates to these sites regularly. For example, DAT files are posted daily.
Update your master repository with updates as they are available.
Use pull tasks to copy source site contents to the master repository.
The McAfee update sites provide detection definition (DAT) and scanning engine file updates,
as well as some language packs. You must check in all other packages and updates, including
service packs and patches, to the master repository manually.
Fallback site
The fallback site is a source site that’s been enabled as the fallback, from which managed
systems can retrieve updates when their usual repositories are inaccessible. For example, when
network outages or virus outbreaks occur, accessing the established location may be difficult.
Therefore, managed systems can remain up-to-date in such situations. The default fallback site
is the McAfee HTTP (McAfeeHttp) update site. You can enable only one fallback site.
If managed systems use a proxy server to access the Internet, you must configure agent policy
settings for those systems to use proxy servers when accessing this fallback site.
Are you configuring policies and tasks for the first time?
Contents
Extensions and what they do
Policy management
Policy application
Client tasks and what they do
Policy management
A policy is a collection of settings that you create, configure, then enforce. Policies ensure that
the managed security software products are configured and perform accordingly.
Some policy settings are the same as the settings you configure in the interface of the product
installed on the managed system. Other policy settings are the primary interface for configuring
the product or component. The ePolicy Orchestrator console allows you to configure policy
settings for all products and systems from a central location.
Policy categories
Policy settings for most products are grouped by category. Each policy category refers to a
specific subset of policy settings. Policies are created by category. In the Policy Catalog page,
policies are displayed by product and category. When you open an existing policy or create a
new policy, the policy settings are organized across tabs.
how you implement agent-server communication). This interval is set to occur once every 60
minutes by default.
Once the policy settings are in effect on the managed system, the agent continues to enforce
policy settings locally at a regular interval. This enforcement interval is determined by the Policy
enforcement interval setting on the General tab of the McAfee Agentpolicy pages. This
interval is set to occur every five minutes by default.
Policy settings for McAfee products are enforced immediately at the policy enforcement interval
and at each agent-server communication if policy settings have changed.
NOTE: There is a delay of up to three minutes after the interval before policies for Symantec
AntiVirus products are enforced. The agent first updates the GRC.DAT file with policy information,
then the Symantec AntiVirus product reads the policy information from the GRC.DAT file, which
occurs approximately every three minutes.
Policy application
Policies are applied to any system by one of two methods, inheritance or assignment.
Inheritance
Inheritance determines whether the policy settings and client tasks for a group or system are
taken from its parent. By default, inheritance is enabled throughout the System Tree.
When you break this inheritance by assigning a new policy anywhere in the System Tree, all
child groups and systems that are set to inherit the policy from this assignment point do so.
Assignment
You can assign any policy in the Policy Catalog to any group or system (provided you have the
appropriate permissions). Assignment allows you to define policy settings once for a specific
need, then apply the policy to multiple locations.
When you assign a new policy to a particular group of the System Tree, all child groups and
systems that are set to inherit the policy from this assignment point do so.
Assignment locking
You can lock the assignment of a policy on any group or system (provided you have the
appropriate permissions). Assignment locking prevents other users:
• With appropriate permissions at the same level of the System Tree from inadvertently
replacing a policy.
• With lesser permissions (or the same permissions but at a lower level of the System Tree)
from replacing the policy.
Assignment locking is inherited with the policy settings.
Assignment locking is valuable when you want to assign a certain policy at the top of the System
Tree and ensure no other users replace it anywhere in the System Tree.
Assignment locking only locks the assignment of the policy, but does not prevent the policy
owner from making changes to its settings. Therefore, if you intend to lock a policy assignment,
ensure that you are the owner of the policy.
Policy ownership
All policies for products and features to which you have permissions are available from the
Policy Catalog page. To prevent any user from editing other users’ policies, each policy is
assigned an owner — the user who created it.
Ownership provides that no one can modify or delete a policy except its creator or a global
administrator. Any user (with appropriate permissions) can assign any policy in the Policy
Catalog page, but only the owner or a global administrator can edit it.
If you assign a policy that you do not own to managed systems, be aware that if the owner of
the named policy modifies it, all systems where this policy is assigned receive these modifications.
Therefore, if you wish to use a policy owned by a different user, McAfee recommends that you
first duplicate the policy, then assign the duplicate to the desired locations. This provides you
ownership of the assigned policy.
Contents
Deployment packages for products and updates
Product and update deployment
Detection definition (DAT) files The regular, daily DAT files released by McAfeeFtp and McAfeeHttp update sites,
McAfee. and the McAfee website. Use a pull task
File type: ZIP
to download DAT files directly into the
master repository, or download and check
them into the master repository manually.
Scanning engine The updated scanning engine for McAfeeFtp and McAfeeHttp update sites,
McAfee anti-virus products, such as and the McAfee website. Use a pull task
File type: ZIP
VirusScan Enterprise. Engines are to download engine files directly into the
usually updated once or twice a year. master repository, or download and check
them into the master repository manually.
SuperDAT (SDAT.EXE) files The SuperDAT files contain both DAT McAfee website. Download and check
and engine files in one update package. SuperDAT files into the master repository
File type: SDAT.EXE
If bandwidth is a concern, McAfee manually.
recommends updating DAT and engine
files separately.
Supplemental detection The EXTRA.DAT files address one or McAfee website. Download and check
definition (EXTRA.DAT) files more specific threats that have supplemental virus definition files in to the
appeared since the last DAT file was master repository manually.
File type: EXTRA.DAT
posted. If the threat has a high severity,
distribute the EXTRA.DAT immediately,
rather than wait until that signature is
added to the next DAT file. EXTRA.DAT
files are from the McAfee website. You
can distribute them through ePolicy
Orchestrator. Pull tasks do not retrieve
EXTRA.DAT files.
Product deployment packages A product deployment package contains Product CD or downloaded product ZIP
the installation software of a McAfee file. Check product deployment packages
File type: ZIP
product. in to the master repository manually. For
specific locations, see the documentation
for that product. Only the agent and
System Compliance Profiler deployment
packages are checked in to the master
repository as part of the ePO server
installation.
Agent installation package An agent installation package contains Master repository — checked in at
the installation software for the agent. installation. For future versions of the
File type: ZIP
agent, you must check agent installation
packages in to the master repository
manually.
Agent language packages An agent language package contains Master repository — checked in at
files necessary to display agent installation. For future versions of the
File type: ZIP
information in a local language. agent, you must check agent language
packages into the master repository
manually.
Must be manually checked in to the master repository. DAT and engine update packages can be copied from the
source site automatically with a pull task. All other update
packages must be checked in to the master repository
manually.
Can be replicated to the distributed repositories and Can be replicated to the distributed repositories and
installed on managed systems with global updating. installed automatically on managed systems with global
updating.
If not implementing global updating for product If not implementing global updating for product updating,
deployment, a deployment task must be configured and an update client task must be configured and scheduled
scheduled for managed systems to retrieve the package. for managed systems to retrieve the package.
Contents
Notifications and how it works
Events that occur on systems in your environment are delivered to the server, and the notification
rules (associated with the group that contains the affected systems and each parent above it)
are triggered by the events. If the conditions of any such rule are met, a notification message
is sent, or an external command is run, per the rule’s configurations.
This design allows you to configure independent rules at the different levels of the System Tree.
These rules can have different:
• Thresholds for sending a notification message. For example, an administrator of a particular
group wants to be notified if viruses are detected on 100 systems within 10 minutes on the
group, but a global administrator does not want to be notified unless viruses are detected
on 1000 systems within the entire environment in the same amount of time.
• Recipients for the notification message. For example, an administrator for a particular group
wants to receive a notification message only if a specified number of virus detection events
occur within the group. Or, a global administrator wants each group administrator to receive
a notification message if a specified number of virus detection events occur within the entire
System Tree.
Aggregation
Use aggregation to determine the thresholds of events at which the rule sends a notification
message. For example, configure the same rule to send a notification message when the server
receives 1000 virus detection events from different systems within an hour and whenever it
has received 100 virus detection events from any system.
Throttling
Once you have configured the rule to notify you of a possible outbreak, use throttling to ensure
you do not receive too many notification messages. If you are administering a large network,
then you may be receiving tens of thousands of events during an hour, creating thousands of
notification messages based on such a rule. Notifications allows you to throttle the number of
notification messages you receive based on a single rule. For example, you can specify in this
same rule that you don’t want to receive more than one notification message in an hour.
Scenario one
For this scenario, 100 virus detections are detected in Subgoup2C within 60 minutes in a single
day.
Conditions of the rules VirusDetected_Subgroup2C, VirusDetected_Group2, and
VirusDetected_MyOrganization are met, sending notification messages (or launching
registered executables) per the rules’ configurations.
Scenario two
For this scenario, 50 virus detections are detected in Subgroup2C and 50 virus infections are
detected in Subgroup3B within 60 minutes in a single day.
Conditions of the VirusDetected_MyOrganization rule are met, sending notification messages
(or launching registered executables) per the rules’ configurations. This is the only rule that
can be applied to all 100 events.
Contents
Queries
Query Builder
Multi-server roll-up querying
Queries
Queries are configurable objects that retrieve and display data from the database. The results
of queries are displayed in charts and tables. Any query’s results can be exported to a variety
of formats, any of which can be downloaded or sent as an attachment to an email message.
Some queries can be used as dashboard monitors.
Exported results
Query results can be exported to four different formats. Exported results are historical data and
are not refreshed like when using queries as dashboard monitors. Like query results and
query-based monitors displayed in the console, you can drill down into the HTML exports for
more detailed information.
Unlike query results in the console, data in exported reports is not actionable.
Reports are available in several formats:
• CSV — Use this format to use the data in a spreadsheet application (for example, Microsoft
Excel).
• XML — Use this format to transform the data for other purposes.
• HTML — Use this report format to view the exported results as a web page.
• PDF — Use this report format when you need to print the results.
Query permissions
Use query permissions to assign specific levels of query functionality to permission sets, which
are assigned to individual users.
Available permissions include:
• No permissions — The Query tab is unavailable to a user with no permissions.
• Use public queries — Grants permission to use any queries that have been created and
made public by users with the same permissions.
• Use public queries; create and edit personal queries — Grants permission to use any
queries that have been created and made public by users with the same permissions, as
well as the ability to use the Query Builder wizard to create and edit personal queries.
• Edit public queries; create and edit personal queries; make personal queries public
— Grants permission to use and edit any public queries, create and edit any personal queries,
as well as the ability to make any personal query available to anyone with access to public
queries.
NOTE: To run some queries, you also need permissions to the feature sets associated with their
result types. Also, in a query’s results pages, the available actions to take on the resulting items
depend on the feature sets a user has permission to.
Query Builder
ePolicy Orchestrator provides an easy, four-step wizard with which to create and edit custom
queries. With the wizard you can configure which data is retrieved and displayed, and how it
is displayed.
Result types
The first selection you make in the Query Builder wizard is a result type. This selection identifies
what type of data the query will be retrieving. This selection determines what the available
selections are in the rest of the wizard.
Result types include:
• Audit Log Entries — Retrieves information on changes and actions made by ePO users.
• Compliance History — Retrieves information on compliance counts over time. This query
type and its results depend on a Run Query server task that generates compliance events
from the results of a (Boolean pie chart) query. Additionally, when creating a Compliance
History query, be sure the time unit matches the schedule interval for the server task. McAfee
recommends creating the Boolean pie chart query first, followed by the server task that
generates the compliance events, and finally the Compliance History query.
• Events — Retrieves information on events sent from managed systems.
• Managed Systems — Retrieves information about systems running the McAfee Security
Agent.
• Notifications — Retrieves information on sent notifications.
• Repositories — Retrieves data on repositories and their status.
• Rolled-up Compliance History — Retrieves information on compliance counts over time from
registered ePO servers. This query depends on server tasks being run on this ePO server
and the registered servers.
• Rolled-up Managed Systems — Retrieves summary information on systems from registered
ePO servers.
Chart types
ePolicy Orchestrator provides a number of charts and tables to display the data it retrieves.
These and their drill-down tables are highly configurable.
NOTE: Tables do not include drill-down tables.
Chart types include:
• Bar chart
• Boolean pie chart
• Grouped bar chart
• Grouped summary table
• Line chart
• Pie chart
• Summary table
• Table
Table columns
Specify columns for the table. If you select Table as the primary display of the data, this
configures that table. If you selected a type of chart as the primary display of data, this configures
the drill-down table.
Query results displayed in a table are actionable. For example, if the table is populated with
systems, you can deploy or wake up agents on those systems directly from the table.
Filters
Specify criteria by selecting properties and operators to limit the data retrieved by the query.
How it works
To roll up data for use by roll-up queries, you must register each server (including the local
server) you want to include in the querying.
Once the servers are registered, you must configure Data Roll Up server tasks on the reporting
server (the server that performs the multi-server reporting). Data Roll Up server tasks retrieve
the information from all databases involved in the reporting, and populates the eporollup_ tables
on the reporting server. The roll-up queries target these database tables on the reporting server.
NOTE: Use of the Rolled Up Compliance History type of query, requires an additional query (on
Managed Systems with a Boolean pie chart) and an additional Run Query server task (with the
subaction to generate a compliance event) to run on each server whose data you want to
include in the Rolled Up Compliance History type of query.
Contents
What are rogue systems
How detected systems are matched and merged
Rogue System Detection states
The Detected Systems homepage displays information on each of these states via corresponding
status monitors. This page also displays the 25 subnets with the most rogue system interfaces
in the Top 25 Subnets list and the adjacent Rogue System Interfaces by Subnet table.
Contents
Dashboards and how they work
Setting up a single ePolicy Setting up multiple ePolicy Orchestrator servers In a test environment, one
Orchestrator server. consoles. server is enough.
Running SQL 2005 Express Running SQL Server databases or remote Using the SQL 2005 Express
database (an installation option database servers. database packaged with ePolicy
for ePolicy Orchestrator 4.0) on Orchestrator is simpler for
the same server as ePolicy testing in a small (fewer than
Orchestrator. 500 systems) lab network.
Using ePolicy Orchestrator to Using login scripts or third-party tools to deploy Manually installing the agent is
deploy agents and VirusScan agents and VirusScan Enterprise. also covered.
Enterprise.
Setting up a simple network Setting up UNIX, Linux, or NetWare environments. These examples use NT domains
environment with NT domains and Active Directory to illustrate
and Active Directory. key product features.
See the ePolicy Orchestrator 4.0 Installation Guide for complete software and hardware
requirements for the ePolicy Orchestrator server and agent. See the VirusScan Enterprise 8.5
Installation Guide for software and hardware requirements for VirusScan Enterprise 8.5.
Contents
Installing and setting up
Creating your System Tree
Deploying agents in your System Tree
Setting up a master repository
Setting up a distributed repository
Using VirusScan Enterprise with ePolicy Orchestrator
Maintaining and monitoring your environment
Tasks
Configuring your network
Getting installation files from McAfee
Installing the ePO server
Starting ePolicy Orchestrator for the first time
Task
1 Create trusted domain connections to any remote NT domains.
To deploy the agent to systems outside the local NT domain (where the ePolicy Orchestrator
server resides), you must create a trusted connection between the domains. This connection
is required for the server to deploy agents and install software on remote systems. See
your Microsoft Windows documentation for instructions. You must also have a user account
with administrator rights in the remote domain.
From the system where you plan to install the ePolicy Orchestrator server, ping client
systems where you plan to deploy agents.
• On the server, open a command window (Start | Run) and type cmd at the prompt.
• Type ping commands to test the system name and IP address:
• ping MyComputer
• ping 192.168.14.52
4 Confirm that client NT Admin$ share folders are accessible from the server.
From the system on which you plan to install the ePolicy Orchestrator server, test access
to the default Admin$ share folder on each client system. This access is required for the
ePolicy Orchestrator server to install agents, and testing confirms your administrator
credentials.
• On the ePolicy Orchestrator server, open a command window (Start | Run).
• Type the path to the client Admin$ share (use system name or IP address):
• \\MyComputer\Admin$
• \\192.168.14.52\Admin$
If systems are properly connected over the network and your credentials have sufficient
rights, the Admin$ share folder is present and you see a Windows Explorer dialog box.
Task
1 From the system on which you plan to install the ePolicy Orchestrator server, open a web
browser and go to https://secure.nai.com/apps/download/free_evaluations/default.asp.
2 Select ePolicy Orchestrator Enterprise Edition 4.0.0 under Free Product Evaluations
and click the TRY link.
3 Fill out the form and follow directions to download the EPO400E.ZIP file.
4 Repeat step 1, select McAfee VirusScan Enterprise 8.5i under Free Product Evaluations
and click the TRY link.
5 Fill out the form and follow directions to download the VSE85iEML.ZIP file.
6 Extract the contents of the downloaded .ZIP files into a temporary folder on the system
you plan to use as your test ePolicy Orchestrator server.
NOTE: You need to access files in these folders at various times during the deployment
process covered in this guide.
Task
1 Log on to the desired system using a user account with local administrator permissions.
2 Run SETUP.EXE using one of these methods:
• From the product CD, select the desired language in the autorun window, then select
Install ePolicy Orchestrator 4.0.
• From software downloaded from the McAfee website, go to the location containing the
extracted files and double-click SETUP.EXE.
NOTE: If any prerequisite software is missing from the installation target computer, a list
of those items appears.
3 Click Install. The installation process for each software item not listed as Optional begins
automatically. For optional items, a dialog box appears where you can allow installation or
reject it. Accept the installation of SQL Server 2005 Express.
4 When the Welcome window of the ePolicy Orchestrator Installation Wizard appears, click
Next.
5 In the End User License Agreement dialog box, select the appropriate license type and
the location where you purchased the software. The license type must match the license
you purchased. If you are unsure, contact the person who sold you the software.
6 Accept the agreement and click OK to continue. The Choose Destination Location
dialog box appears.
7 Accept the default installation path or click Browse to select a different location. If the
location does not yet exist, type the path of the intended location in the Browse dialog
box, then click Next. The Set Administrator Information dialog box appears
8 Type and verify the password for logging on to ePolicy Orchestrator, then click Next.
9 In the Set Database Information dialog box, identify the type of account and
authentication details that the ePolicy Orchestrator server will use to access the database.
a Use the drop-down list to select a server. If SQL Express was installed, the name of the
database is <computername>\ EPOSERVER.
b Select the type of authentication:
• Windows authentication(Recommended): Specify the NetBIOS name of the
Domain associated with the desired domain administrator user account, then provide
and verify a password.
• SQL authentication: Provide the User name that the ePolicy Orchestrator software
will use to access the database, then provide a password. If the installer cannot
identify the port used for communication to and from the server, you may be
prompted to provide that information. Otherwise, the SQL server TCP port field shows
the port and is disabled.
10 Click Next.
11 Set the HTTP Configuration. Designate the port to be used by each function, then click
Next.
NOTE: It is basically safe to accept all default settings. If you choose default port 80 for
Agent-to-Server communication and IIS is installed on the server, you will receive an error
indicating that the port is in use. Either disable IIS or choose another port.
Function Port
Agent Broadcast communication port Configurable port used to send SuperAgent wake-up
calls.
Sensor-to-Server communication port Configurable port used by the Rogue System Sensor to
report host-detected messages to the Rogue System
Detection server using SSL.
Security Threats communication port Port 8801. Non- configurable port used by McAfee Avert
Labs to provide information on security threats and the
required DAT and engine versions to protect against
them.
12 In the Default Notification Email Address dialog box, configure the recipient of ePolicy
Orchestrator notifications or leave the default. For a new recipient, complete these options:
a Provide the default destination for messages.
b Select Setup email server settings now, otherwise leave the default address.
c Type the Fully Qualified Domain Name (FQDN) of the mail server and specify the Port
to use for email.
d Select This server requires authentication if needed, then type the User name
and Password required to access the server.
e Click Next.
For more information, see the Notifications chapter in the ePolicy Orchestrator 4.0 Product
Guide.
13 In the Set Windows Authentication dialog box, specify the WINS server or Domain
to be used with ePolicy Orchestrator, then click Next.
14 In the Start Copying Files dialog box, click Install to begin the installation.
15 In the Installation Complete dialog box, view the Readme file for the steps to start the
software, then click Finish to complete the installation.
Task
1 Open an Internet browser and go to the URL of the server. The Log On to ePolicy
Orchestrator dialog box appears.
2 Type your User name and Password.
NOTE: Passwords are case-sensitive.
• Manually add individual systems to your System Tree. While this method can be too slow
when deploying ePolicy Orchestrator in a live network, it is fast enough for adding a handful
of systems in your test network.
Tasks
Adding existing NT domains or Active Directory containers automatically
Adding groups and systems manually
Organizing server and workstations into groups
Organizing systems with tags
Task
1 Go to Systems | System Tree | Group, then select or create a group in the System
Tree.
2 With My Organization in the System Tree selected, click New Subgroup.
3 Name the group MyNetwork and click OK.
4 Select the MyNetwork group in the System Tree, and next to Synchronization type click
Edit. The Synchronization Settings page for the selected group appears.
5 Next to Synchronization type, select NT Domain or Active Directory. The NT Domain
or Active Directory page appears.
6 Select these options on the page:
1 Select Move systems from their 1 Select Move systems from their
current System Tree location to current System Tree location to
the synchronized group. the synchronized group.
2 Type the name of your domain or click 2 In Active Directory domain, type
Browse to select a domain accessible the fully-qualified domain name of
by the ePolicy Orchestrator server. your Active Directory domain.
3 In Active Directory credentials,
type the Active Directory user
credentials that ePolicy Orchestrator
uses to retrieve the Active Directory
information.
4 Next to Container, click Browse and
select a source container in the Select
Active Directory Container dialog
box, then click OK.
8 Click Save. All your systems have been added to the System Tree. To manage them you
need to deploy a McAfee agent to them. See the Deploying Agents section for details.
Task
1 Go to Systems | System Tree | Group, then select a group in the System Tree, under
which to create another group.
2 Click New Subgroup at the bottom of the page. The New Subgroup dialog box appears.
3 Type a name for the group, then click OK. The new group appears in the System Tree.
4 Repeat as necessary until you are ready to populate the groups with systems.
5 Select a group in the System Tree and click New Systems.
6 Under Systems to add, type the name of your systems (NetBIOS names) separated by
spaces, or click Browse to locate the systems by Domain.
7 Click OK to save the changes.
Task
1 Go to Systems | System Tree | Group, then select a group in the System Tree, under
which to create a New Systems Go Here group.
2 Click New Subgroup at the bottom of the page. The New Subgroup dialog box appears.
3 Type New Systems Go Here, then click OK. The new group appears in the System Tree.
4 Select the New Systems Go Here group in the System Tree, and next to Sorting Criteria
click Edit.
5 Select Systems that match any of the criteria below (IP addresses and/or tags)
and click Add Tag.
6 Select Workstation, click the plus sign, then select the Server.
7 Click Save.
8 In the Sorting Order list for the group that contains the New Systems Go Here group, click
the Move Up link for New Systems Go Here until it is at the top of the list. Now the New
Systems Go Here group is the first to be evaluated once systems get to the System Tree.
Task
1 Go to Systems | Tag Catalog.
2 Click New Tag.
3 Name the tag Low Disk Space, and click Next.
4 Under Available Properties, click Free Disk Space (MB).
5 From the comparison value list, select Less than or Equals.
6 Under Value type 1024 (1024 MB = 1 GB).
7 Click Next, then select On each agent-server communication and when a "Run Tag
Criteria" action is taken.
8 Click Next, then click Save.
Every time a system calls in to ePolicy Orchestrator as part of the normal communication interval,
it will be evaluated against this tag and it will be applied to them if they have one gigabyte or
less free hard drive space.
From the System Tree, you can install the agent on each system in a group at once. To do this,
send an agent install command to the group. Because of inheritance, you can specify an agent
installation at the parent group level and all child systems inherit the command.
Alternatively, if you do not plan to use ePolicy Orchestrator to deploy the agent, you can install
the agent manually from the client system.
Tasks
Configuring the agent policy settings before deployment
Deploying agents
Monitoring agent installations
Installing agents manually on client systems
Task
1 Go to Systems | Policy Catalog, then from the Product list select McAfee Agent.
2 For the My Default policy, click Edit.
3 Under General Options, select Show the McAfee system tray icon.
4 Click Save.
Deploying agents
Deploy agents to all your test systems in a group at once by initiating the agent installation at
the group level in the System Tree. This method uses Windows NT push technology.
Task
1 Go to Systems | System Tree, then select the group to which you want to deploy the
agent.
2 Click Deploy Agents. The Deploy McAfee Agent page appears.
3 Specify Credentials for agent installation that have rights to the systems. These
credentials, typically that of a domain administrator, are used to copy the agent package
to the client system's ADMIN$ share folder and run the agent installation files.
4 Click OK to send the agent installation package to the selected systems. After the installation
is complete, agents call back in to the ePO server with their properties within 10 minutes.
This time can vary depending on your environment. For deployments of less than 100
systems on a 100Mbit network, all systems should be installed and calling in within about
20 minutes.
TIP: If agents are not installing on client systems, be sure that you can browse to the
ADMIN$ share on those systems from the ePO server using the credentials you provided
and that you have added the FRAMEPKG.EXE file to the firewall exceptions list..
Task
1 Go to Reporting | Audit Log.
2 View any audit log where the success type is Failure and where the action type is Deploy
Agents.
When agent deployment is complete and the agents have called back to the ePO server for the
first time, the systems in your System Tree display information about the system. If the agents
have been installed and the System Tree does not reflect this, manually refresh the System
Tree by clicking the refresh button in the top right of the browser window.
You can also watch the installation from any of your client systems. The default policy suppresses
the installation interface; however, you can open the Task Manager on the client system and
watch the CPU usage spike briefly as the installation begins. After the agent is installed and
running, two new services appear in the Processes window: UPDATERUI.EXE and
FRAMEWORKSERVICE.EXE. Also, because of we modified the agent policy before deploying,
the agent icon appears in the system tray after installation.
Task
1 Go to Systems | System Tree and click New Systems.
2 Select Create and download agent installation package, deselect Use Credentials,
then click OK.
3 Right-click the FramePkg link and save the file to a location for distribution to client
systems.
4 Copy the FRAMEPKG.EXE file to the local client or to a network folder accessible from the
client.
5 Double-click FRAMEPKG.EXE and wait a few moments while the agent is installed. Within
ten minutes, the agent calls in to the ePolicy Orchestrator server for the first time.
6 As needed, bypass the ten-minute interval by forcing the agent to call in by running the
CMDAGENT/p command.
Tasks
Adding VirusScan to the master repository
Pulling updates from the McAfee source repository
Task
1 Go to Software and click Check in Package.
2 Browse to the location of the VSE85iEML.zip file.
3 Click Next, then click Save.
Task
1 Go to Software | Master Repository, then click Pull Now at the bottom of the page.
The Pull Now wizard appears.
2 Click Next to accept the default settings on the first page.
3 Click Next to accept the default settings on the next page.
4 Click Start Pull. You are taken to the Server Task Log where you can drill into the task
for details or watch the summary. Refreshing this page updates the status. Depending on
your available download bandwidth and the number of packages that your repository is
updating, the initial pull task usually takes between 5 and 30 minutes
Tasks
Creating a shared folder for the repository
Adding the distributed repository to the ePO server
Replicating master repository data to a distributed repository
Configuring remote sites to use the distributed repository
Task
1 From the system on which you plan to host the repository, create a new folder.
2 Right-click the folder and select Sharing.
3 On the Sharing tab, select Share this folder.
4 Click OK.
Task
1 Go to Software | Distributed Repositories.
2 Click New Repository.
3 Name the repository TestRepository, select UNC, and click Next.
4 Type the UNC path name and click Next.
5 Type the download credentials for the UNC share.
NOTE: Click Test Credentials to check them. If the test fails, check that the system, share
name, and credentials are correct, that the credentials give access to the UNC share, and
that the UNC share is accessible from the ePO server's network.
Task
1 Go to Software | Distributed Repositories.
2 Click Replicate Now.
NOTE: For this button to be enabled, you must have at least one distributed repository.
Task
1 Go to Systems | Policy Catalog and select McAfee Agent.
2 Click Edit for the My Default policy.
3 On the Repositories tab, disable all repositories except TestRepository, and click Save.
4 Go to Systems | System Tree | Policies.
5 Select the RemoteLocation group in the System Tree and click Edit Assignment for
the General Category.
6 Select Break inheritance and assign the policy and settings below, then click Save.
After the policy is applied, when the systems in the RemoteLocation group require updates,
they retrieve them from the distributed repository.
NOTE: Forcing updates from certain repositories is shown here only for the purpose of
simulating distributed repositories in a lab network. This is not something you would do in
a production environment, where you would want to have some repository redundancy
available for failover. Because of faster local network connections, client systems would
likely update from a local distributed repository, rather than over a WAN to the master
repository, even if not specifically configured to do this. On the other hand, if the distributed
repository were unavailable for any reason, the client could still update from other
repositories on the network if necessary.
Tasks
Setting VirusScan Enterprise policies before deploying
Deploying VirusScan Enterprise to client systems
Task
1 Go to Systems | System Tree | Policies and select the My Organization group in the
System Tree.
2 Select VirusScan Enterprise 8.5.0 from the Product list.
3 Next to User Interface Policies, click the My Default link under Policy.
4 Select settings for Workstation, and under System tray icon select Show the system
tray icon with minimal menu option.
5 Click Save.
on them. You have defined your VirusScan Enterprise policies for servers and workstations.
Now, use this task to deploy VirusScan Enterprise on all the client systems in your test network.
For convenience you can deploy VirusScan Enterprise from the My Organization level of the
System Tree to install it on all the systems in your System Tree at once.
If you want, you can send the agents an immediate agent wake-up call. This forces the agents
to check in immediately with the ePolicy Orchestrator server, rather than wait for the next
regularly scheduled agent callback, which by default could be as long as 60 minutes. When the
agents call back, they see that the VirusScan Enterprise deployment is set to install rather than
ignore. The agents then pull the VirusScan Enterprise setup file from the repository and install
VirusScan Enterprise.
You can send an agent wake-up call to any group or individual system in your System Tree.
Since we want to wake up all systems in the System Tree, we will initiate a single group wake-up
action from the My Organization level.
NOTE: Performing an immediate wake-up call to all systems in your System Tree is not a good
idea for a production server with thousands of systems. Typically you would wake up individual
groups and randomize the call over several minutes to reduce the number of simultaneous
requests across the network. Refer to the ePolicy Orchestrator 4.0 Product Guide for more
details on agent wake-up.
Task
1 Go to Systems | System Tree | Client Tasks and select the My Organization group
in the System Tree.
2 Click New Task.
3 Name the task Deploy VirusScan Enterprise 8.5, select Product Deployment (McAfee
Agent) under type, then click Next.
4 Select VirusScan Enterprise 8.5.0 under Products and be sure the Action is set to
Install.
5 Click Next.
6 Set the Schedule type to Run Immediately and click Save. You have now configured
your default deployment task to install VirusScan Enterprise on all client systems in your
test site. The deployment occurs the next time the agents call back to the ePolicy
Orchestrator server for updated instructions.
7 (Optional) Initiate an agent wake-up call to have the deployment occur immediately.
a Go to Systems | System Tree | Group and select the My Organization group in
the System Tree.
b Click Wake Up Agents.
c Click OK.
8 To verify that the VirusScan Enterprise 8.5 software was successfully installed on your
client systems, check the following:
The MCSHIELD.exe process is running and visible in Under Systems | System Tree | Systems the properties
the Processes tab of your Windows Task Manager. of a selected system indicates that VirusScan is installed.
A VirusScan folder has been added under C:\Program Run a query to list the systems with VirusScan
Files\McAfee. Enterprise 8.5.
A VirusScan icon appears under the McAfee icon in the NOTE: To verify any installation information, the ePolicy
system tray. You might need to restart for the icon to Orchestrator server needs to communicate with the
appear. agents after the installation is complete. In the
communication after installation, the agents send up
properties showing that VirusScan Enterprise is installed
and the ePolicy Orchestrator stores those properties in
the database. The data in the ePO server is only as
fresh as the last communication with the client systems.
Tasks
Creating a query to confirm your coverage
Creating a dashboard to track coverage
Updating DAT files with a client update task
Verifying that VirusScan has updated to the latest DATs
Task
1 Go to Reporting and click New Query.
2 Select Managed Systems, then click Next.
3 Under Display Results as, select Boolean Pie Chart.
4 For Label for matching slice, type Using VSE 8.5; for Label for non-matching slice,
type: Not using VSE 8.5.
5 Click Configure Criteria.
6 Under Available Properties, scroll down to the grouping for VirusScan Enterprise
Properties and click Product Version (VirusScan Enterprise) to add it to the right-hand
pane.
7 In the right-hand pane under Comparison for Product Version (VirusScan Enterprise),
select Equals; under Value for Product Version (VirusScan Enterprise), type 8.5.
8 Click OK, then click Next.
9 Under Available Columns, select the following:
• Computer Properties: IP Address
• Computer Properties: User Name
• VirusScan Enterprise Properties: Product Version
10 Click Next, then click Run. A pie chart that reflects the deployment of VirusScan 8.5 in
your environment should appear. You can click on the segments of the pie chart to drill
down into them.
If you have a red pie slice, click it to see which systems do not have VirusScan Enterprise
8.5. You can save this query by clicking Save. (You have to create a query and have it
successfully run to save it.) After saving the query, it will show up in the query list under
My Queries.
TIP: If no information is shown except for the system name when you drill down, this
usually indicates that the agent has not yet successfully communicated with the ePO server.
You might want to find out if the agent is installed properly.
Task
1 Go to Dashboards, then select Manage Dashboards from the Options list.
2 Click Edit, then from the Size list select a layout so that a New Monitor button appears.
3 Click New Monitor.
4 In the New Monitor section, select Queries from the Category list, select VSE: Version
8.5 Compliance from the Monitor list, then click OK. The VSE: Version 8.5 Compliance
monitor appears in the Dashboard.
5 Click Save, then click Close. The VSE: Version 8.5 Compliance monitor has a pie chart
display of systems that meet VirusScan 8.5 compliance. This monitor now appears in the
dashboard and is refreshed at the default setting of every five minutes.
Use this task to schedule a regular automatic client update task to occur daily, repeated at 2
hour intervals, and then wake up the managed systems to receive the new task.
Task
1 Go to Systems | System Tree | Client Tasks, and select My Organization in the
System Tree.
2 Click New Task.
3 Name the task Update my Client Systems, select Update (McAfee Agent) under type,
then click Next.
4 Select All Packages under Package Types, then click Next.
5 Select the following options:
• Schedule Type: Daily
• Options: Run missed tasks X minutes delay and set delay to 5.
• Schedule: Repeat and set to 1:00 AM and 11:00 PM every 2 hours.
6 Click Next, then click Save.
7 Go to Systems | System Tree | Group, and select My Organization in the System
Tree.
8 Click Wake Up Agents, then click OK.
Task
1 Go to Reporting and click New Query.
2 Select Managed Systems, then click Next.
3 Under Display Results as, select Boolean Pie Chart.
4 For Label for matching slice, type: DAT up-to-date; for Label for non-matching slice,
type: DAT not up-to-date.
5 Click Configure Criteria.
6 Under Available Properties, scroll down to the grouping for VirusScan Enterprise
Properties and click DAT Version (VirusScan Enterprise) to add it to the right-hand
pane.
7 In the right-hand pane under Comparison for DAT Version (VirusScan Enterprise), select
Is within X versions of repository; under Value for DAT Version (VirusScan Enterprise),
type 0.
Tasks
Scheduling a pull task to update the master repository daily
Scheduling a replication task to update your distributed repository
Scheduling task chaining to update master and distributed repositories
Task
1 Go to Automation | Server Tasks.
2 Click the Edit link for the Update Master Repository server task.
3 Select Enabled, and click the Next.
The server action is Repository Pull and the source we are pulling from is the McAfeeHttp
source site, depositing pulled files into the Current branch of the master repository. Note
that this task is set to pull All packages.
4 Click Next.
This task is set to run every day at 1:00 AM. Change this time if you want or modify the
schedule type to check every few hours.
5 Click Next, then click Save.
Task
1 Go to Automation | Server Tasks.
2 Click the New Task.
3 Name the task Replicate to distributed repositories, and click Next.
4 For the first Action select Repository Replication, then click Next.
This task is set to run every day at 1:00 AM.
5 Change the time from 1:00 AM to 2:00 AM so the replication occurs about an hour after
the pull task runs.
6 Click Save.
Task
1 Go to Automation | Server Tasks.
2 Click the Edit link for the Update Master Repository server task.
3 Click Next.
4 Click the + sign next to the right of Repository Pull. This adds a new action row for the
task.
Tasks
Converting an agent on each subnet into a SuperAgent
Enabling global updating on the ePO server
Use this task to create a policy for SuperAgents and then apply it to a single test system.
Task
1 Go to Systems | Policy Catalog and select McAfee Agent.
2 Click New Policy.
3 Create the policy based on McAfee Default, name the policy SuperAgent, and click OK.
4 In the policy page select these options:
• Show the McAfee system tray icon (Windows only)
• Convert agents to SuperAgents (Windows only)
5 Click Save. With this policy in place you now need to assign it to a single system.
6 Go to Systems | System Tree and select the RemoteLocation group.
7 Select the checkbox of a system to make it a SuperAgent, then select More Actions |
Modify Policies on a Single Systems.
8 In the policy assignment page under Product, select McAfee Agent, and click Edit
Assignment.
9 Select Break inheritance and assign the policy and settings below, and under
Assigned Policy select SuperAgent.
10 Click Save, then click Close.
You have changed the policy assignment for a system and it needs to communicate with the
ePO server to get the new policy. You can either wake it up manually or you can wait for the
scheduled agent-to-server-communication interval (ASCI). After the system communication,
the policy is enforced and that agent becomes a SuperAgent. The color of the agent icon changes
to reflect its new status.
Task
1 Go to Configuration | Server Settings.
2 Select Global Updating, then click Edit.
3 Under Status, select Enabled.
4 Change the Randomization interval (minutes) to 0. This tells agents to update
immediately after the SuperAgent wake-up call. If you are working with more than 100
systems, you should introduce randomized delay to avoid bandwidth issues during the
client updates.
5 Click Save.
Now any time DAT or engine files in your master repository change, the changes automatically
replicate to your distributed repositories. After that replication is complete, SuperAgents receive
a wake-up call and in turn send out a wake-up call to all agents in the local subnet. Those
agents then run an update using an authorized repository. This global update process should
take no longer than one hour.
Tasks
Configuring Notifications
Creating a rule for any VirusScan event
Providing a sample virus detection
Configuring Notifications
Before setting up any rules, you must define who is going to receive the notification message
and what the message communicates. Use this task to specify to whom to send the email
notification.
Task
1 Go to Configuration | Server Settings | Email Server.
2 Under SMTP server name, type the name of a mail server to which ePolicy Orchestrator
can route, and under From address type the email address you want to appear in the
From line of the message.
3 Click Save, then click Contacts at the top of the tab. This page allows you to specify all
the addresses to include in the address book from which you select recipients during rule
create.
Task
1 Go to Automation | Notification Rules, then click New Rule.
2 Type a unique name for the rule, Virus Detected, then click Next.
3 On the Filters page under Products, select VirusScan, and under Categories select Any
category, then click Next.
4 Click Next to accept the default settings on the Thresholds page.
TIP: The Thresholds page allows you to limit the number of notification messages you
receive for the rule. For example, you can define any rule to send you messages only when
the number of events or the number of affected systems has reached a specified number
within a specified timeframe (Aggregation). You can further limit the number of messages
that are sent by specifying an amount of time to elapse before receiving another message
6 Click Next, then click Save. The rule now appears in the Notification Rules list.
Task
• Download EICAR.COM to one of the workstation test systems. Each time you download this
file, you create a sample detection. The file is at:
http://www.eicar.org/anti_virus-test_file.htm.
NOTE: This file is not a virus.
The on-access scanner detects and quarantines the EICAR test virus when EICAR.COM is
downloaded, and an event is sent to ePolicy Orchestrator. Because the event is handled and
not critical, it is uploaded on the next ACSI. Within a few minutes of receipt of the event by
the ePO server, a notification message is sent to the email recipient you indicated.
server to determine whether the newly-identified system has an active agent installed and is
managed by ePolicy Orchestrator. If the new system is unknown to ePolicy Orchestrator, Rogue
System Detection allows you to take any number of remediation steps, including alerting network
and anti-virus administrators or automatically deploying an ePolicy Orchestrator agent to the
system.
Tasks
Configuring a Rogue System Detection sensor policy
Deploying the Rogue System Detection sensor
Configuring an automatic response
Reacting to Rogue detection and remediation
Task
1 Go to Systems | Policy Catalog, then from the Product drop-down list select Rogue
System Detection 2.0.0, and from the Category drop-down list select General. All
created policies for Rogue System Detection appear.
2 Edit an existing policy, or create a new policy.
• To edit an existing policy, locate the policy and click Edit in its row.
• To create a new policy, click New Policy and, from the Create a policy based on
this existing policy drop-down list, select an existing policy on which to base the new
policy. Name the new policy and click OK.
3 Configure any settings and click Save.
Managed Systems for Subnet xxx.xxx.xxx.xxx page Go to Network | Detected Systems and click any
subnet category in the Subnet Status monitor, then
select any subnet and click View Managed Systems.
Systems Details page Go to Systems | System Tree | Systems and click any
system.
Task
1 Select the systems where you want to install sensors, then click Rogue Sensor Install.
• In the Systems Details page, you can install the sensor only from the system you are
viewing.
• In the Managed Systems for Subnet xxx.xx.xx.x page, select the systems where
you want to install sensors.
• In the Systems page, select a group in the System Tree and select the systems where
you want to install sensors.
NOTE: If the button is not visible, click More Actions and select Rogue Sensor Install.
Task
1 Go to Automation | Responses and click New Response. The Response Builder
wizard opens.
2 In the Description page:
a Type a name for the new response, and any notes.
b From the Event group drop-down list, select Rogue System Events.
c From the Event type drop-down list, select an event type.
Table 2: Event type option definitions
Option Definition
Add to Exceptions Triggers a response any time a system is added to the Exceptions
list.
Subnet Falls Into Uncovered State Triggers a response any time a subnet does not have any active
sensors monitoring it.
Rogue System Detected Triggers a response any time a rogue system is detected.
Add to System Tree Adds the detected system to the System Tree.
Delete Detected System Removes the detected system associated with this event.
Action Result
Query Agent Opens the Query McAfee Agent Results page, which provides the name and IP
address of the detected system and details about the agent installed on it.
Remove from Exceptions Removes the detected system from the Exceptions list.
Send Email Sends an email to user-configured recipients with a customized subject and
message.
6 In the Summary page review the response details, then click Save.
Task
1 Add a system that does not have an ePolicy Orchestrator agent to the test network.
2 Go to the Machine tab, then click List. When the sensor has detected a rogue system, it
reports back to the server and places the system in the Machine List. Once it appears in
this list, take a five minute break to provide time for the agent installation. When the agent
installation is complete, the system has a Rogue Type of Managed.
3 When the system’s Rogue Type changes to Managed, it is placed in Rogue Systems under
Lost&Found in the System Tree. The Lost&Found group is a holding place for systems
ePolicy Orchestrator has discovered, but doesn’t know where to place within the System
Tree.
4 Click and drag the system to a site or group in your ePolicy Orchestrator Directory.
Congratulations! You have successfully configured the sensor, deployed the sensor, configured
an automatic response taken on the rogue you introduced, and placed the newly managed
system into its appropriate spot in the System Tree.