Rogue System Detection - McAfee EPOLICY ORCHESTRATOR 3.6 - WALKTHROUGH GUIDE Manual

System protection, a product overview and quick set up in a test environment version 3.6
ePolicy Orchestrator® 3.6 Walkthrough Guide
STEP 3

Rogue System Detection

Providing a sample virus detection
Now that you have configured the feature and created a rule to trigger on event files
from VirusScan Enterprise, you are ready to provide an event file that triggers the rule.
1 Download EICAR.COM to one of the workstation test systems. Each time you
download this file, you are creating a sample detection. At press time, this file was
available on the EICAR.ORG web site:
http://www.eicar.org/anti_virus_test_file.htm
Note: This file is not a virus.
2 The on-access scanner detects and quarantines the EICAR test virus at the same
time that EICAR.COM is downloaded, and an event file capturing this information is
sent to the ePolicy Orchestrator server.
3 Within minutes a notification message is created and sent to the inbox of the e-mail
message recipient you provided earlier.

Congratulations! You successfully configured the product to send messages to a
specific individual, created a rule to send a notification message based on events from
VirusScan Enterprise, and tested the rule to ensure that it works.

Advanced Feature Evaluations: Rogue System Detection

In any managed network, at any given time, there are inevitably a small number of
systems that do not have an ePolicy Orchestrator agent on them. These can be
systems that frequently log on and off the network, such as test servers, laptop
systems, or wireless devices. End users also uninstall or disable agents on their
workstations. These unprotected systems are the Achilles heel of any anti-virus and
security strategy and are the entry points by which viruses and other potentially harmful
programs can gain access to your network.

The Rogue System Detection system helps you monitor all the systems on your
network—not only the ones ePolicy Orchestrator manages already, but the rogue
systems as well. A rogue system is any system that is not currently managed by an
ePolicy Orchestrator agent but should be. Rogue System Detection integrates with
your ePolicy Orchestrator server to provide real-time detection of rogue systems by
means of a sensor placed on each network broadcast segment. The sensor listens to
network broadcast messages and spots when a new system has connected to the
network.

When the sensor detects a new system on the network, it sends a message to the
Rogue System Detection server. The Rogue System Detection server then checks with
the ePolicy Orchestrator server to determine whether the newly-identified system has
an active agent installed and is managed by ePolicy Orchestrator. If the new system is
unknown to ePolicy Orchestrator, Rogue System Detection allows you to take any
number of remediation steps, including alerting network and anti-virus administrators
or automatically deploying an ePolicy Orchestrator agent to the system.
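The check described above, where each system a sensor sees is compared against what ePolicy Orchestrator manages, can be sketched as follows. This is an added example, not McAfee code or part of the guide; the inventory export, the sighting tuples, the 7-day agent-silence threshold and the status names are all assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data for illustration (not taken from the guide).
NOW = datetime(2006, 1, 10, 12, 0)
MAX_AGENT_SILENCE = timedelta(days=7)  # assumed cut-off for an "active" agent

# Hypothetical export of managed systems: MAC -> last agent communication.
MANAGED = {
    "00:0c:29:aa:10:01": NOW - timedelta(hours=2),
    "00:0c:29:aa:10:02": NOW - timedelta(days=30),
}

# Hypothetical sensor sightings: (broadcast segment, MAC as reported, IP).
SIGHTINGS = [
    ("10.1.1.0/24", "00-0C-29-AA-10-01", "10.1.1.20"),
    ("10.1.1.0/24", "000c.29aa.1002", "10.1.1.21"),
    ("10.1.2.0/24", "00:0C:29:BB:20:07", "10.1.2.50"),
    ("10.1.2.0/24", "00:0c:29:bb:20:07", "10.1.2.50"),  # repeat broadcast
]


def normalize_mac(raw):
    """Return a MAC as lowercase colon-separated hex, whatever the input style."""
    digits = re.sub(r"[:.\-]", "", raw.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def classify(sightings, managed, now, max_silence=MAX_AGENT_SILENCE):
    """Map each distinct MAC seen by a sensor to managed / inactive-agent / rogue."""
    results = {}
    for segment, raw_mac, ip in sightings:
        mac = normalize_mac(raw_mac)  # repeat sightings collapse onto one key
        last_contact = managed.get(mac)
        if last_contact is None:
            status = "rogue"  # unknown to the management server
        elif now - last_contact > max_silence:
            status = "inactive-agent"  # known, but the agent has gone quiet
        else:
            status = "managed"
        results[mac] = {"segment": segment, "ip": ip, "status": status}
    return results


if __name__ == "__main__":
    for mac, info in classify(SIGHTINGS, MANAGED, NOW).items():
        print(f"{mac}  {info['segment']:<12} {info['ip']:<10} {info['status']}")
```

Normalizing the MAC before the lookup matters because sensors, switches and inventory exports rarely agree on separator or case, and a mismatch there would report a managed system as rogue.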
