Scenario and theory based questions on McAfee ePO
It is very easy to learn the theory behind any technology, but when we start working with it we run into practical issues. Newcomers to the IT industry find that theoretical knowledge is not enough; real work experience is needed to handle the daily activity.
This blog explains the issues a newcomer faces while working on McAfee ePO and how to deal with them. I focus more on day-to-day issues than on theory, so let's start.
What is the McAfee ePO server?
The McAfee ePO server is the central software repository for all McAfee product installations, updates, and other content.
1. How to log in to ePO?
Answer: There are mainly three ways to log in.
Type 1: On the ePO server, click the McAfee icon. The ePO console opens and you enter your user name and password.
Type 2: Open a browser and enter the IP address of the server in the address bar. Example: if the IP address of the ePO server is 123.156.78.67, type the URL like this:
https://123.156.78.67:8443
Then enter your user name and password.
Type 3: Open ePO by server name. Suppose the ePO server name is abcderf: open a browser on your computer and type the URL below:
https://abcderf:8443/
It is important to include the port number: port 8443 is the inbound port used for console-to-application-server communication.
2. What is your ePO password?
Answer: The ePO password depends on how the user account is managed:
Type 1: The ePO admin adds your ID and shares the ePO user name and password with you. This is called the ePO authentication method.
Type 2: If your ID was added with the Windows authentication method, your Windows password is synchronized with ePO and you log in to ePO with your Windows password.
Type 3: Certificate-based authentication: the user presents a digital certificate through the browser and can log in to ePO without any password.
3. What are AMCore and DAT, and how to check them in ePO or on the server?
Answer: AMCore content and DAT files contain the set of known malware signatures. DAT files are used with VSE (VirusScan Enterprise) and AMCore content is used with ENS (Endpoint Security).
It is very important that ePO has the latest DAT and AMCore content so that all machines connected to ePO get the latest files, but sometimes the DAT or AMCore content is not updated in ePO for a few reasons.
Reason 1: The pull server task failed.
Reason 2: A network issue.
Solution 1:
Step 1: Check connectivity between the ePO server and the McAfee server; you can test it with the ping command.
Step 2: If a pull task is configured, run it: Menu -> Master Repository -> Pull Now -> select the product (DAT, AMCore) -> Run.
Solution 2:
Go to the McAfee website https://www.mcafee.com/enterprise/en-us/downloads/security-updates.html and download the DAT package. To download the DAT for McAfee ePO, click "DAT Package For Use with McAfee ePO" under the V2 section of the table.
Then open ePO and click Menu -> Master Repository -> Check In Package -> select the package type -> choose the file -> Next -> Current -> Save.
6. What is a threat report?
Answer: We can set up a threat event notification email from ePO on a daily basis. We check how many threats arrived on all the machines managed by one ePO and how many of them need investigation, so that we can protect our environment.
So we make a report of the threats that came to all machines in our environment on a daily or weekly basis. It helps identify all the types of attacks seen in our environment and how we should build policies to protect our machines from such attacks or viruses.
7. How to apply a filter in the System Tree?
Answer: To fetch data from ePO we generally use queries and reports, but we can also apply a filter in the System Tree to get data to a limited extent.
System Tree -> Systems
Preset -> This Group and All Subgroups
Custom -> Add
A new window opens where you can select a property as per your requirement. For example, if you want to select the systems that communicated in the last week: under Available Properties, select Last Communication from the Systems group. Then select "Is later than" for Last Communication and select the date and time in the value field.
9. How to change a policy on a single system? OR How to disable the ENS firewall on one machine?
Answer: To apply a policy on a single system, first make the new policy that you want to apply to that machine. (If the policy already exists there is no need to create a new one.)
For example, let's disable the ENS firewall on a single machine. To do that, first go to the Policy Catalog.
Select Endpoint Security Firewall from the Product list and select Options from the Category list.
You will see the My Default policy there. Click Duplicate in the Actions column.
Write the name of the duplicate policy and click OK.
Now you can see the new policy in the Policy Catalog.
Click on that policy and uncheck the Enable Firewall option.
Then click Save.
We have created a policy that disables the Endpoint Security firewall; now we need to apply this policy to a machine. To do that, go to the System Tree.
Apply the disabled-firewall policy:
Search for the machine in Quick Find.
Select the machine.
Click Actions -> Modify Policies on a Single System.
Select the product "Endpoint Security Firewall".
Click Edit Assignment under Actions.
Under Assigned policy, select "Break inheritance and assign the policy and settings below" and select the new policy that you created to disable the firewall.
Click Save.
10. How to remove outdated server tasks from the Server Task Log?
1. Open the Server Task Log: select Menu → Automation → Server Task Log.
2. Click Purge.
3. In the Purge dialog box, enter a number, and then select a time unit.
4. Click OK.
11. Difference between client task and server task
Answer: Server tasks are ePO-internal tasks. Depending on the task, some run once a day and some run multiple times a day. They include downloading the latest updates, sending automatic emails to the helpdesk or administrators, replication, synchronization with Active Directory, etc. As you can see, these do not affect your users or client systems. Some server tasks are built in, but you may need to configure or create your own.
Client tasks are what you run on users' workstations. The most common is the DAT update, and when needed you can upgrade products (for instance VSE 8.8 Patch 7 to VSE 8.8 Patch 8) or deploy SiteAdvisor to client systems. Removing a product is also a type of client task. You define client tasks in the ePO Client Task Catalog. In ePO 5.10 there is a separate Client Task option in the menu.
Client deployment tasks cause ePO to "push" packages to clients. If network bandwidth is a concern, you should target a smaller batch of systems, tag them, and schedule your tasks.
12. How to make a policy for a client task and a server task?
Answer: For a client task, take the example of creating a task to run a scan on workstations:
Step 1: Make a group that holds all the workstations for which you want to make the task. If you do not want to make a new group, apply a tag to all the workstations for which you want to make the task.
Step 2: Click Menu -> Client Task Catalog.
Step 3: Select the product Endpoint Security Threat Prevention and, under it, Custom On-Demand Scan.
Step 4: Click New Task, verify the type of scan, and click OK. A new window opens where you enter the name of the task and all its details, such as whether to scan the boot sector and whether to scan archive files. If you want to exclude files, add them to the exclusion list.
Step 5: Click Save.
Now we have created the task. Next we need to assign it: to which systems, and at what time. To do that, click Client Task Assignment, select the product at the top, and apply the task.
Here we want to apply it only to workstations, so in the Tags section choose "Send this task to only computers which have the following criteria", select the "Has any of these tags" option, and select the Workstation tag. Then select the time when you want the task to run.
Example 2: to make a task to install ENS on all workstations, read question 21.
13. What is a tag? How to create a new tag?
Answer: Tags allow users to create labels that can be applied to systems manually or automatically, based on the criteria assigned to the tag.
Types of tags: there are two types of tags:
- Tags without criteria: these tags can be applied only to selected systems in the System Tree (manually) and to systems listed in the results of a query (manually or on a scheduled basis).
- Criteria-based tags: these tags are applied to all non-excluded systems at each agent-server communication. Such tags use criteria based on any properties sent by the agent. They can also be applied to all non-excluded systems on demand.
To create a new tag:
1. Log on to the ePO console.
2. Click Menu, Systems, Tag Catalog.
3. In the Tag Catalog, click New Tag.
4. Under Description, type a name and description, and then click Next.
5. Under Criteria, select and configure the appropriate criteria, and then click Next.
6. Under Evaluation, select whether all systems are evaluated against the tag's criteria only when the Run Tag Criteria action is taken, or on every agent-server communication. Then click Next.
7. Under Preview, verify the information on this page.
NOTE: If the tag has criteria, this page displays the number of systems that receive this tag when evaluated against its criteria.
8. Click Save.
The tag is added to the list of tags on the Tag Catalog page.
14. If you are not able to log in to ePO and you get a database-related error, what steps will you take to resolve the issue?
Answer: Log in to the ePO server and check whether all ePO-related services are running; this happens when the Event Parser service has stopped.
If the services are running, check at the network level.
15. You have created a new group in the System Tree. How will you apply a policy to that group from an existing group? How to modify a policy on a single system?
Answer: First create a duplicate of the policy that you want to apply, and modify it as per your requirements.
To modify the policy on a single system:
Go to the System Tree.
Select the machine on which you want to modify the policy.
Click Actions -> Agent -> Modify Policies on a Single System.
Select the product at the top.
Click Edit Assignment on the policy that you want to change.
Select the policy that you created, and save.
To apply a policy to a group: suppose you have made a group and moved a few machines into it, and now you want to apply a policy to that group. How can we do that?
First go to the Policy Catalog and make the policy by duplicating an existing one.
Then go to Policy Assignment and select the group that you created. By default it inherits its parent's policy, so click Edit Assignment, break inheritance, select the newly created policy and click the Save button.
16. Make a tag to install ENS
Answer: Read question 21
17. How to create a new SuperAgent?
Answer: First make a policy that creates a SuperAgent, then apply that policy to the machine that you want to use as the SuperAgent.
Go to the Policy Catalog.
Product -> McAfee Agent.
Select General from Category.
Duplicate the default policy.
Click the new policy that you just created.
Click SuperAgent.
Check "Convert agents to SuperAgents".
Now save.
Apply this policy to the machine that you want to make a SuperAgent.
18. If the McAfee Agent is not communicating with ePO, what steps do you take?
Answer: Ping that machine from ePO.
If that does not work, we need to check on the machine:
Check that all services are running on that machine. If services were down, check the Microsoft event logs and try to find out why they went down.
Check whether the agent is up to date.
Check whether ports 8081 and 8082 are open by using the telnet command from the machine.
Click the McAfee tray icon -> McAfee Agent Status Monitor:
1. Right-click the McAfee Agent tray icon.
2. Click McAfee Agent Status Monitor.
3. Click Collect and Send Props.
4. Click Check New Policies.
5. Click Enforce Policies.
6. Wait 2 minutes and check whether the issue still occurs.
Check whether the log files show any error.
If everything is fine, reinstall the agent.
If it is still not communicating after that, read the Threat Prevention and agent logs; you may find the error there.
19. If one agent handler is down, how will you check, and what steps will you take to get it communicating with ePO?
Answer: Check whether it is down. If it is down:
Step 1: Log in to the agent handler server and check whether all services are running. If any service is down, restart that service, and investigate why the service was down.
Step 2: Check the event logs in McAfee ePO and the Microsoft event logs.
Step 3: Check the ports by using the telnet command.
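Questions 18 and 19 both end with checking ports one at a time with telnet. The script below is an added Python example (not from the original post or from McAfee) that probes a list of TCP ports in one go and separates "refused" (the host answers but nothing listens, so check the service) from "timeout" (no answer at all, so check the network path). The port list is the set of ports named on this page, and the host name epo-server.example is a placeholder.

```python
"""Batch TCP reachability check for McAfee Agent / Agent Handler to ePO troubleshooting."""
import errno
import socket

# Ports named on this page: 8081 and 8082 (question 18), 8443 (console),
# 9443 (agent handler to ePO server). Adjust to your environment.
DEFAULT_PORTS = (8081, 8082, 8443, 9443)


def probe_port(host, port, timeout=3.0):
    """Return 'open', 'refused', 'timeout' or 'unresolved' for host:port.

    'refused'    : the host answered but nothing is listening (check the service)
    'timeout'    : no answer at all (check the network path and firewall)
    'unresolved' : the host name does not resolve (check DNS / hosts entry)
    """
    try:
        infos = socket.getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return "unresolved"
    family, socktype, proto, _, sockaddr = infos[0]
    with socket.socket(family, socktype, proto) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect(sockaddr)
            return "open"
        except socket.timeout:
            return "timeout"
        except ConnectionRefusedError:
            return "refused"
        except OSError as exc:
            # No route to host/network is a path problem, so treat it like a timeout.
            if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
                return "timeout"
            raise


def check_handler(host, ports=DEFAULT_PORTS, timeout=3.0):
    """Probe every port on one host and return {port: state}."""
    return {port: probe_port(host, port, timeout) for port in ports}


def next_step(results):
    """Map the probe results onto the troubleshooting branches of questions 18 and 19."""
    states = set(results.values())
    if "unresolved" in states:
        return "name does not resolve: check the DNS or hosts entry for the server"
    if states == {"open"}:
        return "all ports reachable: check the services, then the agent and ePO logs"
    if "refused" in states:
        return ("host reachable but a service is not listening: restart the service "
                "and check the Microsoft event logs")
    return "at least one port gives no answer: check the network path and firewall"


def selfcheck():
    """Offline check on loopback: a listening port must report 'open' and a closed
    port must report 'refused'. Returns both states as a tuple."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()  # nothing listens here any more
    try:
        return probe_port("127.0.0.1", open_port), probe_port("127.0.0.1", closed_port)
    finally:
        listener.close()


if __name__ == "__main__":
    # Placeholder host; replace with your ePO server or agent handler name.
    results = check_handler("epo-server.example")
    for port, state in results.items():
        print(f"port {port}: {state}")
    print(next_step(results))
```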
20. How to check in a new ENS product or patch in ePO?
Answer: Download the setup file from support.mcafee.com.
Step 1: Menu -> Software -> Master Repository -> Check In Package -> select Product or Update -> browse to the file -> Next. Here you need to select Current (if you are doing this for testing, select Evaluation) and Save.
Step 2: Now we need to make a task to install it on all machines:
Menu -> Client Task -> Client Task Assignment -> Create New Task -> from Product select McAfee Agent -> Task Type -> Product Deployment -> click Create New Task -> write the name of the task -> select the target platform -> select the product components you want to install -> Save.
Step 3: Assign the task:
Client Task Assignment -> from Product select McAfee Agent -> Task Type -> Product Deployment -> now select the schedule type, effective period, etc. -> Save.
Note: If you want to install ENS just by using a tag, select "Has any of these tags" in the Tags section.
22. How to create and download an agent installation package?
Answer: Click New Systems in the System Tree.
Select "Create URL for client-side agent download".
Click OK.
You get a URL. You just need to share it with the user, and the user can download the agent from that URL.
23. How to configure and install an agent handler? Add an agent handler in ePO. Explain in detail.
Answer: Download the agent handler setup from support.mcafee.com. In this example I will install the agent handler on the same server that we are using for ePO.
To get the agent handler, you can download the McAfee ePO setup, because the ePO package also contains the agent handler setup.
Run the agent handler setup file (the file type is Application).
Steps:
Click Next -> select language -> accept agreement -> select location -> Next.
Enter the IP of the ePO server.
ePO server port: 9443.
Admin user name.
Admin password.
Now we need to enter the Windows authentication or SQL authentication details.
Then click Next -> Install.
Click Finish.
Now we have installed the agent handler.
Log in to ePO: Menu -> Configuration -> Agent Handlers. Here you can see the agent handler that you installed.
Now, if you want to allow users to reach the agent handler over the public internet:
Click Menu -> Configuration -> Agent Handlers -> New Assignment.
Write the name.
In Agent Criteria select the System Tree location.
After that select the agent handler priority as per your requirement (if you select all agent handlers, then all agent handlers have the same priority), or you can customize the handler list, where you can give each agent handler a priority.
Now go to the System Tree and click New Systems.
Here, if you want to configure it so that the user first downloads the agent from the agent handler and, if that fails, downloads it from ePO:
Click New Systems in the System Tree, select "Create and download agent installation package" under "How to add systems", choose the handler under "Assign to agent handler", and save.
24. Difference between Adaptive Threat Prevention and Threat Prevention.
Answer: McAfee Advanced Threat Defense provides these features:
- Detection of file downloads — detects when a user tries to download a file from an external resource.
- Analysis of the file for malware — verifies whether the file contains any known malware.
- Block future downloads of the same file — prevents future downloads of the file or its variants if the file is found to be malicious.
- Identify and remediate affected hosts — identifies the host that executed the malware, and also detects the hosts to which it has spread. Then Advanced Threat Defense shares the report with your other security products. This allows you to quarantine the affected hosts until they are clean.
- Local blacklist — checks for known malware using a local blacklist.
- Cloud lookups — integrates with McAfee Global Threat Intelligence (McAfee GTI) to detect malware that has already been identified by organizations throughout the globe.
- Emulation capabilities — integrates with the McAfee Gateway Anti-Malware Engine for emulation capabilities.
- Signature-based detection — includes the McAfee Anti-Malware Engine for signature-based detection.
- Sandboxing capability (dynamic analysis) — analyzes the file by executing it in a virtual sandbox environment to determine whether the file is malicious.
Overview of Threat Prevention
McAfee Endpoint Security Threat Prevention prevents threats from accessing systems, scans files automatically when they are accessed, and runs targeted scans for malware on client systems.
Endpoint Security Threat Prevention detects threats based on security content files. Security content updates are delivered automatically to target specific vulnerabilities and block emerging threats from executing.
Threat Prevention protects your environment from the following:
- Viruses, worms, and trojan horses
- Access point violations
- Buffer overflow exploits
- Illegal API use
- Network intrusions
- Potentially unwanted code and programs
- Vulnerability-focused detection
- Zero-day exploit detection
You use McAfee ePO to deploy and manage Threat Prevention on client systems.
25. Explain the modules of ENS.
Answer: Endpoint Security consists of these security modules:
- Threat Prevention — prevents threats from accessing systems, scans files automatically when they are accessed, and runs targeted scans for malware on client systems.
- Firewall — monitors communication between the computer and resources on the network and the Internet, and intercepts suspicious communications.
- Web Control — monitors web searching and browsing activity on client systems and blocks websites and downloads based on safety rating and content.
- Adaptive Threat Protection — analyzes content from your enterprise and decides how to respond based on file reputation, rules, and reputation thresholds. Adaptive Threat Protection is an optional Endpoint Security module.
Apart from these there is the ENS platform, which supports all these products.
26. What are the different types of scanning in McAfee?
Answer: On-demand scans can be a Full Scan or a Quick Scan. The on-demand scan detection list is cleared when the next on-demand scan starts.
The on-demand scanner uses the following criteria to determine whether an item must be scanned:
- The file extension matches the configuration.
- The file hasn't been cached, excluded, or previously scanned (if the scanner uses the scan cache).
If the file meets the scanning criteria, the scanner compares the information in the item to the known malware signatures in the currently loaded AMCore content files.
- If the file is clean, the result is cached, and the scanner checks the next item.
- If the file contains a threat, the scanner responds with the configured action.
For example, if the action is to clean the file, the scanner:
a. Uses information in the currently loaded AMCore content file to clean the file.
b. Records the results in the activity log.
c. Notifies the user that it detected a threat in the file, and includes the item name and the action taken.
How on-access scanning works
The on-access scanner examines files as the user accesses them, providing continuous, real-time detection of threats. The scanner uses these criteria to determine whether to scan an item:
- The file extension matches the configuration.
- The file information isn't in the global scan cache.
- The file hasn't been excluded or previously scanned.
Read scan
When Read scan is selected and an attempt is made to read, open, or execute a file:
1. The scanner blocks the request.
2. The scanner determines whether the item must be scanned.
   - If the file doesn't need to be scanned, the scanner unblocks the file, caches the file information, and grants the operation.
   - If the file needs to be scanned, the scan engine scans the file, comparing it to signatures in the currently loaded AMCore content file.
     - If the file is clean, the scanner unblocks the file and caches the result.
     - If the file contains a threat, the scanner denies access to the file and responds with the configured action.
For example, if the action is to clean the file, the scanner:
a. Uses information in the currently loaded AMCore content file to clean the file.
b. Records the results in the activity log.
c. Notifies the user that it detected a threat in the file, and prompts for the action to take (clean or delete the file).
Write scan
The scanner examines the file only after it is written to disk and closed. When Write scan is selected and a file is written to disk:
1. The scanner determines whether the item must be scanned.
   a. If the file doesn't need to be scanned, the scanner caches the file information and grants the operation.
   b. If the file needs to be scanned, the scan engine scans the file, comparing it to signatures in the currently loaded AMCore content file.
      - If the file is clean, the scanner caches the result.
      - If the file contains a threat, the scanner responds with the configured action.
The scanner doesn't deny access to the file.
How the script scanner works
The Threat Prevention script scanner intercepts and scans scripts before they are executed.
27. Difference between high-risk and low-risk scanning?
Answer: Scan on read is enabled in high-risk scanning, but in low-risk scanning scan on read is disabled.
28. What steps will you take when a virus attack takes place in your environment?
Answer:
Isolate the machine from the network.
Run a full scan on the machine.
Check the log files (threat event log).
If any file was not deleted or cleaned by the AV, investigate that file.
Check the source and destination machines related to that event.
Do further investigation of that file yourself, on the internet.
Investigate the source, destination and other machines involved as well.
Also check the files in quarantine and in the sandbox in the AV.
Collect the sample file and submit it to the vendor.
If an Extra.DAT is released for it, check it in to ePO after testing.
If the AV is not able to clean that file, reimage the machine.
29. Difference between ATP, TIE, Active Response, ATD and Threat Prevention?
Answer:
ATP: Adaptive Threat Protection. McAfee Endpoint Security Adaptive Threat Protection (ATP) analyzes content from your enterprise and decides what to do based on file reputation, rules, and reputation thresholds. ... Configure queries, reports, and dashboards to monitor threat activity within your environment.
TIE: McAfee Threat Intelligence Exchange (TIE) provides a framework personalized to your environment where your security products collectively pinpoint threats and act as a unified threat defense system.
ATD: McAfee Advanced Threat Defense enables organizations to detect advanced, evasive malware and convert threat information into immediate action and protection. Unlike traditional sandboxes, it includes additional inspection capabilities that broaden detection and expose evasive threats.
McAfee Active Response: McAfee Active Response delivers continuous detection of and response to advanced security threats to help security practitioners monitor security posture, improve threat detection, and expand incident response capabilities through forward-looking discovery, detailed analysis, forensic investigation, comprehensive ...
DXL: The Data Exchange Layer (DXL) communication fabric connects and optimizes security actions across multiple vendor products, as well as internally developed and open source solutions. Enterprises gain secure, real-time access to new data and lightweight, instant interactions with other products.
Threat Prevention: protects your environment from the following:
- Viruses, worms, and trojan horses
- Access point violations
- Buffer overflow exploits
- Illegal API use
- Network intrusions
- Potentially unwanted code and programs
- Vulnerability-focused detection
- Zero-day exploit detection
Threat Prevention provides these protection features:
- Access Protection — protects against unwanted changes to client systems by restricting access to specified files, shares, registry keys and registry values, and by preventing or restricting processes and services from executing threat behavior.
- Exploit Prevention — Threat Prevention uses signatures in content updates to protect against these exploits:
  - Buffer Overflow Protection — stops exploited buffer overflows from executing arbitrary code.
  - Illegal API Use — protects against malicious API calls made by unknown or compromised applications running on the system.
  - Network Intrusion Prevention (Network IPS) — protects against network denial-of-service attacks and bandwidth-oriented attacks that deny or degrade network traffic.
  - Expert Rules — provide additional parameters and allow more flexibility than the Access Protection custom rules. But to create Expert Rules you must understand the McAfee proprietary syntax.
Detect threats when they occur in your environment using these Threat Prevention features:
- On-Access Scan — scans for threats as files are read from, or written to, disk. Runs scans only when the system is idle. Integrates with the Antimalware Scan Interface (AMSI) to provide enhanced scanning for threats in non-browser-based scripts.
- On-Demand Scan — runs or schedules predefined scans, including scans of spyware-related registry entries that weren't previously cleaned.
- Potentially Unwanted Programs — detects potentially unwanted programs, such as spyware and adware, and prevents them from running in your environment.
- Quarantine — quarantines infected items, attempts to clean or repair them, or automatically deletes them.
- Dashboards and monitors — display statistics about Threat Prevention, including scan duration, content update status, and applications with the most exploits.
- Queries and reports — retrieve detailed information about Threat Prevention, including threat count, scan completion, detection response, false positive mitigation events, and McAfee GTI sensitivity level.
- Early Load Anti-Malware — provides support for the ELAM feature included with Windows 8 and later releases. ELAM collects the list of device drivers loaded during the boot cycle and scans them once the scanning services are running.
30. How to block multiple hashes in ATP?
Answer:
1. In McAfee ePO, select Menu → Systems → TIE Reputations.
2. Click the File Overrides or Certificate Overrides tab.
3. From the Actions menu, select Import Reputations.
4. In the Import Reputations dialog box, specify whether to import an XML file with one or more reputations, or a single reputation. An example import file with two file reputations:
<?xml version="1.0" encoding="UTF-8"?>
<TIEReputations>
  <FileReputation>
    <FileName>HackIt.exe</FileName>
    <SHA1Hash>0x98AF3632E17677A8A23739F720B1A2F215CB8836</SHA1Hash>
    <MD5Hash>0xDEF30CBEA881149C2AFFDF9A059FB751</MD5Hash>
    <SHA256Hash>0xEF127619BAC9E6790FBC925C339111806DA71FAA0CFA0A1E630BEF32B8B1DF91</SHA256Hash>
    <ReputationLevel>15</ReputationLevel>
  </FileReputation>
  <FileReputation>
    <FileName>trayMan.dll</FileName>
    <SHA1Hash>0x7F618396A910908019B5580B4DA9031AF4A433CA</SHA1Hash>
    <MD5Hash>0xB2B3DAE040F6B5AE1DF52B0CD7631A18</MD5Hash>
    <SHA256Hash>0xAF37EBACF8697B55A82E5FA0D742E65ABE0953BA6B09EABA6B35B5B1958F37EC</SHA256Hash>
    <ReputationLevel>15</ReputationLevel>
    <Comment>Comment for ALTTAB</Comment>
  </FileReputation>
</TIEReputations>
Certificate reputations: for each certificate, include its SHA-1 hash and Public Key SHA-1 values in hexadecimal encoding. Include the certificate name to identify it in reports.
Reputation levels (the ReputationLevel value used in the import file):
Setting                 Numeric value   Meaning
Known trusted installer 100             All files created by that file are trusted.
Known trusted           99              It is a trusted file or certificate.
Most likely trusted     85              It is almost certain that the file or certificate is trusted.
Might be trusted        70              It seems a benign file or certificate.
Unknown                 50              The reputation provider has encountered the file or certificate before but the provider
Might be malicious      30              It seems a suspicious file or certificate.
Most likely malicious   15              It is almost certain that the file or certificate is malicious.
Known malicious         1               It is a malicious file or certificate.
Not Set                 0               The file or certificate's reputation hasn't been determined yet.
Not Available           —               The reputation provider hasn't been queried about the specific item. This reputation label also appears for disabled reputation providers or providers with pending reputation reports.
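When there are many hashes to block, the import file for the procedure in question 30 is easiest to generate from a list. The following is an added Python example, not part of the original post and not a McAfee tool: it builds the TIEReputations XML shown above for several files, validates that each hash has the right number of hex digits and normalizes it to the 0x-prefixed upper-case form the sample uses, and rejects a ReputationLevel that is not one of the numeric values in the table. The sample entries reuse the hash values quoted on this page; the comment text is constructed.

```python
"""Generate a TIE Reputations import file (File Overrides) for several hashes at once."""
import re
import xml.etree.ElementTree as ET
from xml.dom import minidom

# Numeric reputation values from the table in this section.
REPUTATION_LEVELS = {
    100: "Known trusted installer",
    99: "Known trusted",
    85: "Most likely trusted",
    70: "Might be trusted",
    50: "Unknown",
    30: "Might be malicious",
    15: "Most likely malicious",
    1: "Known malicious",
    0: "Not Set",
}

# Hex digit count expected for each hash element of the import format.
HASH_LENGTHS = {"SHA1Hash": 40, "MD5Hash": 32, "SHA256Hash": 64}


def normalize_hash(value, tag):
    """Return the hash as upper-case hex with the '0x' prefix the import format uses.
    Raises ValueError when the digit count does not match the algorithm."""
    digits = value.strip()
    if digits[:2].lower() == "0x":
        digits = digits[2:]
    if not re.fullmatch(r"[0-9A-Fa-f]+", digits) or len(digits) != HASH_LENGTHS[tag]:
        raise ValueError(f"{tag}: expected {HASH_LENGTHS[tag]} hex digits, got {value!r}")
    return "0x" + digits.upper()


def build_tie_reputations(entries):
    """entries: list of dicts with FileName, ReputationLevel, at least one of
    sha1/md5/sha256 (hex strings) and an optional Comment. Returns the XML text."""
    root = ET.Element("TIEReputations")
    for entry in entries:
        level = int(entry["ReputationLevel"])
        if level not in REPUTATION_LEVELS:
            raise ValueError(f"{entry['FileName']}: ReputationLevel {level} is not in the table")
        hashes = {tag: entry.get(key) for key, tag in
                  (("sha1", "SHA1Hash"), ("md5", "MD5Hash"), ("sha256", "SHA256Hash"))}
        if not any(hashes.values()):
            raise ValueError(f"{entry['FileName']}: at least one hash is required")
        rep = ET.SubElement(root, "FileReputation")
        ET.SubElement(rep, "FileName").text = entry["FileName"]
        for tag, value in hashes.items():
            if value:
                ET.SubElement(rep, tag).text = normalize_hash(value, tag)
        ET.SubElement(rep, "ReputationLevel").text = str(level)
        if entry.get("Comment"):
            ET.SubElement(rep, "Comment").text = entry["Comment"]
    compact = ET.tostring(root, encoding="unicode")
    # Pretty-print with an explicit UTF-8 declaration, as in the sample file.
    return minidom.parseString(compact).toprettyxml(indent="  ", encoding="UTF-8").decode("UTF-8")


def summarize_import(xml_text):
    """Parse an import file back into {FileName: (level, label)} so it can be reviewed
    before it is imported through Menu -> Systems -> TIE Reputations."""
    root = ET.fromstring(xml_text)
    summary = {}
    for rep in root.findall("FileReputation"):
        level = int(rep.findtext("ReputationLevel"))
        summary[rep.findtext("FileName")] = (level, REPUTATION_LEVELS.get(level, "unknown level"))
    return summary


# Constructed sample: two files to block. The hash values are the ones quoted on this
# page; they are example data, not indicators of any real malware.
SAMPLE_ENTRIES = [
    {"FileName": "HackIt.exe",
     "sha1": "98AF3632E17677A8A23739F720B1A2F215CB8836",
     "md5": "0xDEF30CBEA881149C2AFFDF9A059FB751",
     "ReputationLevel": 15},
    {"FileName": "trayMan.dll",
     "sha256": "af37ebacf8697b55a82e5fa0d742e65abe0953ba6b09eaba6b35b5b1958f37ec",
     "ReputationLevel": 1,
     "Comment": "Blocked after incident review (constructed comment)"},
]

if __name__ == "__main__":
    document = build_tie_reputations(SAMPLE_ENTRIES)
    print(document)
    print(summarize_import(document))
```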