McAfee ePolicy Orchestrator 4.0.2
Product Guide

Summary of Contents for McAfee ePolicy Orchestrator 4.0.2

  • Page 1 McAfee ePolicy Orchestrator 4.0.2 Product Guide...
  • Page 2 SITEADVISOR, THREATSCAN, TOTAL PROTECTION, VIREX, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.
  • Page 3: Table Of Contents

    Where to find McAfee enterprise product information
  • Page 4 Active Directory and NT domain synchronization ... 43
  • Page 5 Distributing agents ... 73
  • Page 6 Enabling the agent on unmanaged McAfee products
  • Page 7 Duplicating a policy on the Policy Catalog page ... 122
  • Page 8 Using local distributed repositories that are not managed ... 147
  • Page 9 Preparing for roll-up querying ... 174
  • Page 10 What are rogue systems ... 189
  • Page 11 Editing sensor descriptions ... 208
  • Page 12 Restoring an MSDE database from a backup ... 218
  • Page 13: Introducing ePolicy Orchestrator 4.0.2

    • ePO server — The center of your managed environment. The server delivers security policy and tasks, controls updates, and processes events for all managed systems. • Master repository — The central location for all McAfee updates and signatures, residing on the ePO server. Master repository retrieves user-specified updates and signatures from McAfee or user-defined source sites.
  • Page 14: The McAfee Agent

    This guide provides information on configuring and using your product. For system requirements and installation instructions, see the Installation Guide . This material is organized in the order that McAfee recommends to set up ePolicy Orchestrator in a production environment for the first time, and is also accessible to anyone seeking specific topics.
  • Page 15: Audience

    Where to find McAfee enterprise product information The McAfee documentation is designed to provide you with the information you need during each phase of product implementation, from evaluating a new product to maintaining existing ones. Depending on the product, additional documents might be available. After a product is released additional information regarding the product is entered into the online Knowledgebase available on McAfee ServicePortal.
  • Page 16: Configuring ePolicy Orchestrator Servers

    Logging on and off from ePO servers Viewing the server version number Working with user accounts Working with permission sets Working with contacts Working with server settings Working with the Server Task Log Working with the Audit Log
  • Page 17: ePO User Accounts

    Consider this as you plan your strategy for granting permissions to the users in your environment. When are permission sets assigned? Global administrators can assign existing permission sets when creating or editing user accounts and when creating or editing permission sets.
  • Page 18: Contacts

    • Ports — Specifies the ports used by the server when communicating with agents and the database. • Printing and exporting — Specifies how information is exported to other formats, and the template for PDF exports.
  • Page 19: Available Server Tasks And What They Do

    • Event Migration — If you upgrade from a previous ePolicy Orchestrator installation, use this task to migrate events from the old database to the new database, so that you can run queries against your historical data. McAfee recommends scheduling this task to run at off hours as soon as you can after upgrading.
  • Page 20: The Audit Log

    • Detecting Product MAC Address — MAC address of the system hosting the detecting product. • Detecting Product Name — Name of the detecting managed product. • Detecting Product Version — Version number of the detecting product.
  • Page 21: Data Exports From Any Table Or Chart

    • HTML — Use this report format to view the exported results as a web page. • PDF — Use this report format when you need to print the results. Exported data can be named and saved to any location, or emailed as attachments.
  • Page 22: MyAvert Security Threats

    You no longer need to manually search for this information from the press (TV, radio, newspapers), informational web sites, mailing lists, or your peers. You are automatically notified of these threats from McAfee Avert. Protection status and risk assessment...
  • Page 23: Logging Off Of ePO Servers

    Use this task to create a user account. You must be a global administrator to add, edit, or delete user accounts. Task For option definitions, click ? on the page displaying the options. Go to Configuration | Users. Click New User. The New User page appears. Type a user name.
  • Page 24: Editing User Accounts

    Use this task to delete a user account. You must be a global administrator to delete user accounts. NOTE: McAfee recommends disabling the Login status of an account instead of deleting it until you are sure all valuable information associated with the account has been moved to other users.
  • Page 25: Creating Permission Sets For User Accounts

    Click edit next to any section with which you want to grant permissions. On the Edit Permission Set page that appears, select the appropriate options, then click Save. Repeat for all sections of the permission set with which you want to grant permissions.
  • Page 26: Editing Permission Sets

    Orchestrator. Tasks Creating contacts Editing contacts Deleting contacts Creating contacts Use this task to add email addresses to Contacts. Task For option definitions, click ? on the page displaying the options.
  • Page 27: Editing Contacts

    For example, System Tree sorting server settings are covered in Organizing Systems for Management . Tasks Specifying an email server Configuring the template and location for exported reports Determining which events are forwarded to the server Viewing and changing communication ports
  • Page 28: Specifying An Email Server

    Determining which events are forwarded to the server Use this task to determine which events are forwarded to the server. This selection impacts the bandwidth used in your environment, as well as the results of event-based queries.
  • Page 29: Viewing And Changing Communication Ports

    The agent-server communication port is used for agent-server communication; the agent broadcast port is used for SuperAgent wake-up calls. Working with the Server Task Log Use these tasks to view and maintain the Server Task Log. Tasks Viewing the Server Task Log
  • Page 30: Viewing The Server Task Log

    30 days, or by Failed or In Progress task statuses. Task For option definitions, click ? on the page displaying the options. Go to Reporting | Server Task Log.
  • Page 31: Purging The Server Task Log

    You must have appropriate permissions to perform this task. Task For option definitions, click ? on the page displaying the options. Go to Reporting | Audit Log. The details of administrator actions are displayed in a table. Figure 5: Audit Log page
  • Page 32: Purging The Audit Log

    For option definitions, click ? on the page displaying the options. Go to Automation | Server Tasks, then click New Task. The Description page of the Server Task Builder wizard appears. Name and describe the task, then click Next. The Actions page appears.
  • Page 33: Working With The Event Log

    For option definitions, click ? on the page displaying the options. Go to Reporting | Event Log. Click Purge. In the Actions panel, next to Purge records older than, type a number and select a time unit.
  • Page 34: Purging The Event Log On A Schedule

    Use these tasks to mark threat notifications as read or unread or delete them. Data is sorted by the date the threat was discovered. In addition, you can click the threat name to view information from the McAfee Avert website about each threat. NOTE: Each user views a MyAvert page that is unique to their account.
  • Page 35: Configuring MyAvert Update Frequency And Proxy Settings

    Task For option definitions, click ? on the page displaying the options. Go to Reporting | MyAvert. Select threat notifications for which protection is available, then click Delete.
  • Page 36: Exporting Tables And Charts To Other Formats

    For example, you cannot specify both the Day of Week and Day of Month values. Field Name Allowed Values Allowed Special Characters Seconds 0 - 59 , - * / Minutes 0 - 59 , - * /
  • Page 37 Day of Week field is the third Friday of every month, "2#1" is the first Monday, and "4#5" is the fifth Wednesday. NOTE: If the month does not have fifth Wednesday, the task does not run.
  • Page 38: Organizing Systems For Management

    System Tree. TIP: Many factors can influence how you should create and organize your System Tree. McAfee recommends taking time to review this entire guide before you begin creating your System Tree.
  • Page 39: The System Tree

    • It always appears last in the list and is not alphabetized among its peers. • All users with view permissions to the System Tree can see systems in Lost&Found.
  • Page 40: Considerations When Planning Your System Tree

    System Tree only once. Because every network is different and requires different policies — and possibly different management — McAfee recommends planning your System Tree before implementing the software. Regardless of the methods you choose to create and populate the System Tree, consider your environment while planning the System Tree.
  • Page 41: Environmental Borders And Their Impact On System Organization

    These borders influence the organization of the System Tree differently than the organization of your network topology. McAfee recommends evaluating these borders in your network and organization, and whether they must be considered when defining the organization of your System Tree.
  • Page 42: Tags And Systems With Similar Characteristics

    • Base System Tree sorting criteria on tags to group systems into desired System Tree groups automatically. Who can use tags Users with appropriate permissions can: • Create and edit tags and tag criteria.
  • Page 43: Active Directory And NT Domain Synchronization

    Active Directory systems structure: Configure the synchronization settings on each group that is a mapping point in the System Tree. At the same location, you can configure whether to: • Deploy agents to discovered systems.
  • Page 44 If you choose this synchronization type, be sure to select not to add systems again if they exist elsewhere in the System Tree. This prevents duplicate entries for systems in the System Tree.
  • Page 45: NT Domain Synchronization

    Use this feature to view where systems would be placed during a sort action. The Test Sort page displays the systems and the paths to the location where they would be sorted. Although this page does not display the sorting status of systems, if you select systems on the page...
  • Page 46: How Settings Affect Sorting

    IP range or subnet mask in a group’s sorting criteria should cover a unique set of IP addresses. If criteria do overlap, which group those systems end up in depends on the order of the subgroups on the Groups tab.
  • Page 47: Tag-Based Sorting Criteria

    If a matching system is still not found, the server searches for a group of the same name as the domain from which the system originates. If such a group is not found, one is created under the Lost&Found group, and the system placed there. Properties are updated for the system.
  • Page 48: Working With Tags

    Use these tasks to create and apply tags to systems. Tasks Creating tags with the Tag Builder Excluding systems from automatic tagging Applying tags to selected systems Applying criteria-based tags automatically to all matching...
  • Page 49: Creating Tags With The Tag Builder

    In the Action panel, select the desired tag to exclude from the selected systems from the drop-down list, then click OK. Verify the systems have been excluded from the tag: a Go to Systems | Tag Catalog, then select the desired tag in the list of tags.
  • Page 50: Applying Tags To Selected Systems

    This removes the tag from systems that don’t match the criteria and applies the tag to systems which match criteria but were excluded from receiving the tag. Click OK. Verify the systems have the tag applied:
  • Page 51: Creating And Populating Groups

    For example, if you use Active Directory in your network, consider importing your Active Directory containers rather than your NT domains. If your Active Directory or NT domain organization...
  • Page 52: Creating Groups Manually

    IP address and tag sorting criteria. Although you can create a detailed System Tree with many levels of groups, McAfee recommends that you create only as much structure as is useful. In large networks, it is not uncommon to have hundreds or thousands of systems in the same container.
  • Page 53: Adding Systems Manually To An Existing Group

    If you selected Deploy agents and add systems to the current group, you can enable automatic System Tree sorting. Do this to apply the sorting criteria to these systems. If you selected to deploy agents to the new systems:
  • Page 54: Importing Systems From A Text File

    Importing systems and groups from a text file Use this task to import systems or groups of systems into the System Tree from a text file you have created and saved.
  • Page 55: Sorting Systems Into Criteria-Based Groups

    • IP addresses — Use this text box to define an IP address range or subnet mask as sorting criteria. Any system whose address falls within it is sorted into this group. Repeat as necessary until sorting criteria are configured for the group, then click Save.
  • Page 56 Depending on the server setting for System Tree sorting, these systems are sorted on the next agent-server communication. Otherwise, they can only be sorted with the Sort Now action. Sorting systems manually Use this task to sort selected systems into groups with criteria-based sorting enabled.
  • Page 57: Importing Active Directory Containers

    Active Directory containers and System Tree groups to import any new systems found in Active Directory to the appropriate location of the System Tree. Task For option definitions, click ? on the page displaying the options.
  • Page 58 System Tree. TIP: McAfee does not recommend selecting this option, especially if you are only using the Active Directory synchronization as a starting point for security management and use other System Tree management functionalities (for example, tag sorting) for further organizational granularity below the mapping point.
  • Page 59: Importing NT Domains To An Existing Group

    TIP: McAfee recommends that you do not deploy the agent during the initial import if the container is large. Deploying the 3.62 MB agent package to many systems at once may cause network traffic issues. Instead, import the container, then deploy the agent to groups of systems at a time, rather than all at once.
  • Page 60 TIP: McAfee recommends that you do not deploy the agent during the initial import if the domain is large. Deploying the 3.62 MB agent package to many systems at once may cause network traffic issues. Instead, import the domain, then deploy the agent to smaller groups of systems at a time, rather than all at once.
  • Page 61: Synchronizing The System Tree On A Schedule

    For option definitions, click ? on the page displaying the options. Go to Automation | Server Tasks, then click New Task at the bottom of the page. The Description page of the Server Task Builder appears.
  • Page 62: Updating The Synchronized Group With An NT Domain Manually

    For example, you may need to periodically move systems from the Lost&Found group. Task For option definitions, click ? on the page displaying the options. Go to Systems | System Tree | Systems, then browse to and select the systems.
  • Page 63 You may need to click More Actions to access this action. Select whether to enable or disable System Tree sorting on the selected systems when they are moved. Select the group in which to place the systems, then click OK.
  • Page 64: Distributing Agents To Manage Systems

    Methods of agent distribution Creating custom agent installation packages Distributing agents Forcing the agent to call in to the server Upgrading existing agents Removing the agent Maintaining the agent Agent command-line options Agent installation command-line options
  • Page 65: Agents And SuperAgents

    Agent language packages are available for these languages: • Brazilian Portuguese • Italian • Chinese (Simplified) • Japanese • Chinese (Traditional) • Korean • English • Polish • Dutch • Spanish • French (Standard) • Swedish • German (Standard)
  • Page 66: Agent-Server Communication

    • Communication initiated manually from the managed system Agent-to-server-communication interval The agent-to-server-communication interval (ASCI) is set on the General tab of the McAfee Agent policy pages. This setting determines how often the agent calls into the server for data exchange and updated instructions. By default, the ASCI is set to 60 minutes; the agent checks into the server once every hour.
  • Page 67: SuperAgents And Broadcast Wake-Up Calls

    SuperAgent wake-up call to SuperAgents in the selected System Tree segment. When SuperAgents receive this wake-up call they send broadcast wake-up calls to all the agents in their network broadcast segments. This reduces network traffic. This is beneficial in large...
  • Page 68 Similar to the regular agent wake-up call, the SuperAgent wake-up call uses the SPIPE protocol. Ensure the agent wake-up communication port (8081 by default) and the agent broadcast communication port (8082 by default) are not blocked.
  • Page 69: Agent Activity Logs

    You can define a size limit of this log file. On the Logging tab of the McAfee Agent policy pages, you can configure the level of agent activity that is recorded.
  • Page 70 Agent policy settings use Notifications, enabling immediate uploading of higher severity events is necessary for those features to function as intended. You can enable immediate uploading of events on the Events tab of the McAfee Agent policy pages. Full and minimal properties...
  • Page 71: Security Keys

    Proxy settings To access the McAfee update sites, the agent must be able to access the Internet. Use the agent policy settings to configure proxy server settings for the managed systems. The Proxy tab of the McAfee Agent policy pages includes settings to: •...
  • Page 72: Master Repository Key Pair

    These are the public keys that agents use to verify content from other master repositories in your environment or McAfee source sites. Each agent reporting to this server uses the keys in this list to verify content that originates from other ePO servers in your organization, or from McAfee owned sources.
  • Page 73: Creating Custom Agent Installation Packages

    Use any of these tasks to distribute agents across your environment. The methods you choose depend on the requirements in your environment. Tasks Deploying the agent with ePolicy Orchestrator Installing the agent with login scripts Installing the agent manually Enabling the agent on unmanaged McAfee products
  • Page 74: Deploying The Agent With ePolicy Orchestrator

    System Tree. However, McAfee does not recommend this procedure if you are creating your System Tree by importing large NT domains or Active Directory containers. This can generate too much network traffic.
  • Page 75 Go to Systems | System Tree, then select the groups or system to which you want to deploy the agent. Click Deploy Agents. The Deploy McAfee Agent page appears. Figure 16: Deploy McAfee Agent page Select the desired Agent version from the drop-down list.
  • Page 76: Installing The Agent With Login Scripts

    Best practices McAfee recommends you first create segments of your System Tree that use either network domain names or sorting filters that add the expected systems to the desired groups. If you don’t, all systems are added to the Lost&Found group and you must move them later manually.
  • Page 77: Installing The Agent Manually

    Double-click FRAMEPKG.EXE and wait a few moments while the agent is installed. Within ten minutes, the agent calls in to the ePO server for the first time. As needed, bypass the ten-minute interval by forcing the agent to call in with the command line. CMDAGENT /p
  • Page 78: Enabling The Agent On Unmanaged McAfee Products

    Before purchasing ePolicy Orchestrator, you may have already been using McAfee Enterprise products in your network. Some of the more recent McAfee products that use the AutoUpdate updater, such as VirusScan Enterprise, install with the agent in a disabled state. To start managing these products with ePolicy Orchestrator, you can enable the agent that is already on the system.
  • Page 79: Using Other Deployment Products

    Novell NetWare servers. Instead, use a login script or manual installation. These systems require different agents, which can be downloaded from the McAfee web site. These agent installation packages are not installed on the ePO server by default.
  • Page 80: Upgrading Agents Using Login Scripts Or Manual Installation

    Best practices information You can use the deployment task to upgrade agents. McAfee releases newer versions of the agent periodically. You can deploy and manage these newer versions of the agent with ePolicy Orchestrator. When available, you can download the agent installation package from the McAfee update site and check it into the master repository.
  • Page 81: Removing The Agent

    More Actions). In the Action panel, select Remove agent, then click OK. The selected systems are deleted from the System Tree and their agents are removed at their next agent-server communication.
  • Page 82: Removing Agents When Deleting Groups From The System Tree

    Sending manual wake-up calls to a group Sending wake-up calls on a schedule Viewing the agent activity log Viewing of the agent and product properties Running agent tasks from the managed system Working with security keys
  • Page 83: Sending Manual Wake-Up Calls To Systems

    Tree. This is useful when you make policy changes and you want agents to call in for an update. Before you begin Before sending the agent wake-up call to systems, make sure that wake-up support for the systems’ groups is enabled and applied on the General tab of the McAfee Agent policy pages (enabled by default). Task For option definitions, click ? on the page displaying the options.
  • Page 84: Sending Wake-Up Calls On A Schedule

    Maintaining the agent Before you begin Before sending the agent wake-up call to such a group, make sure that wake-up support for the group is enabled and applied on the General tab of the McAfee Agent policy pages (enabled by default). Task For option definitions, click ? on the page displaying the options.
  • Page 85: Viewing The Agent Activity Log

    If you can’t view the log remotely, verify that the Enable remote access to log option is selected on the Logging tab of the McAfee Agent policy pages. Viewing of the agent and product properties Use this task to verify that the properties match the policy changes you have made.
  • Page 86: Running Agent Tasks From The Managed System

    NOTE: The agent interface is available on the managed system only if you selected Show McAfee system tray icon on the General tab of the McAfee Agent policy pages. Tasks Running an update manually Sending full properties to the ePO server...
  • Page 87 Use this task to prompt an agent to enforce all configured policies on the managed system. Task Right-click the McAfee tray icon on the desired system, and select McAfee Agent | Status Monitor. The Agent Status Monitor appears. Click Enforce Policies.
  • Page 88: Working With Security Keys

    Using the same ASSC key pair for all servers and agents Use this task to ensure that all ePO servers and agents use the same ASSC key pair. Task For option definitions, click ? on the page displaying the options.
  • Page 89 Generating and using new ASSC keys Use this task to generate new agent-server secure communication (ASSC) keys. Do this if you discover a key has been compromised. McAfee recommends creating and using new ASSC keys routinely, for example every three months.
  • Page 90 Agents begin using the new key pair after the next update task for the agent completes. At any time, you can see which agents are using any of the ASSC key pairs in the list.
  • Page 91 The server signs all unsigned content that is checked in to the repository with the master repository private key. Agents use the master repository public key to validate content retrieved from repositories in your organization or McAfee source sites. The master repository key pair is unique for each installation. If you use multiple servers, each uses a different key.
  • Page 92 10 Repeat until all master repository public keys used in your environment have been imported into each server. After the next agent update task completes, agents recognize content signed by master repository private keys across your environment.
  • Page 93 Maintaining the agent Backing up and restoring security keys Use these tasks to back up and restore the security keys. McAfee recommends periodically backing up all of the security keys and storing them in a secure network location so that they can be restored easily in the unexpected event any are lost from the ePO server.
  • Page 94: Agent Command-Line Options

    Use the Command Agent (CMDAGENT.EXE) tool to perform selected agent tasks from the managed system. CMDAGENT.EXE is installed on the managed system at the time of agent installation. Perform this task locally on managed systems using this program or the McAfee tray icon.
  • Page 95 12 languages with locale IDs, the software appears in English. If you install multiple language versions, the locale selected in operating system determines the language version that displays. FRAMEPKG /INSTALL=AGENT /USELANGUAGE 0404 Sample:
  • Page 96: Creating Repositories

    The master repository maintains the latest versions of security software and updates for your environment. This repository is the source for the rest of your environment. There is one master repository for each ePolicy Orchestrator server.
  • Page 97 Source sites are not required. You can download updates manually and check them in to your master repository. However, using a source site automates this process. McAfee posts software updates to these sites regularly. For example, DAT files are posted daily. Update your master repository with updates as they are available.
  • Page 98: Types Of Distributed Repositories

    Managed systems only need to “see” the system hosting the repository. • SuperAgents and global updating use a proprietary network protocol, SPIPE. TIP: McAfee recommends combining SuperAgent repositories and global updating to ensure your managed environment is up-to-date. FTP repositories If you are unable to use SuperAgent repositories, use an existing FTP server to host a distributed repository.
  • Page 99: Repository Branches And Their Purposes

    System Tree group to update from it. TIP: McAfee recommends that you manage all distributed repositories through ePolicy Orchestrator. This and using global updating, or scheduled replication tasks frequently, ensures your managed environment is up-to-date. Use unmanaged distributed repositories only if your network or organizational policy do not allow managed distributed repositories.
  • Page 100: How Repositories Work Together

    The master repository replicates the packages to distributed repositories in the network. The managed systems in the network retrieve updates from a close repository. If managed systems can’t access the distributed repositories or the master repository, they retrieve updates from the fallback site.
  • Page 101: Ensuring Access To The Source Site

    Use these tasks to configure both Internet Explorer and ePolicy Orchestrator to use Internet Explorer proxy settings. If a source site must be accessed via the Internet, such as the McAfee update sites, the master repository uses proxy settings to retrieve packages. If your organization uses proxy servers to connect to the Internet, you must use the proxy server.
  • Page 102: Configuring Custom Proxy Settings For The Master Repository

    For option definitions, click ? on the page displaying the options. Go to Software | Master Repository, then click Configure Proxy Settings. The Configure Proxy Settings page appears. Select Configure the proxy settings manually.
  • Page 103: Working With Source And Fallback Sites

    You can edit settings, delete existing source and fallback sites, or switch between them. McAfee recommends using the default source and fallback sites. If you require different sites for this purpose, you can create new ones.
  • Page 104: Creating Source Sites

    • If you selected UNC, type the user account information in Domain, User name, Password, and Confirm password. To test the user account you specified, click Test Credentials. Click Next. The Summary page appears. Click Save to add the site to the list.
  • Page 105: Editing Source And Fallback Sites

    Use these tasks to create and configure repositories on systems hosting SuperAgents. You cannot create these until agents have been distributed to the desired systems. Tasks Creating SuperAgent repositories Selecting which packages are replicated to SuperAgent repositories
  • Page 106: Creating Superagent Repositories

    This task assumes that you know where the desired systems are located in the System Tree. McAfee recommends that you create a “SuperAgent” tag so that you can easily locate the systems with the Tag Catalog page, or by running a query.
  • Page 107: Deleting Superagent Distributed Repositories

    Task For option definitions, click ? on the page displaying the options. Open the desired McAfee Agent policy pages (in edit mode) from the desired assignment point in the System Tree or from the Policy Catalog page. On the General tab, deselect Use systems running SuperAgents as distributed repositories, then click Save.
  • Page 108: Creating A Folder Location On An Ftp, Http Server Or Unc Share

    • If you selected UNC, whether to use the credentials of the logged-on account, or type user account information in Domain, User name, Password, and Confirm password. Click Test Credentials. After a few seconds, a confirmation message appears that the site is accessible to systems using the authentication information.
  • Page 109: Enabling Folder Sharing For Unc And Http Repositories

    Configure share permissions as needed. Systems updating from the repository require only read access, but administrator accounts, including the account used by the ePolicy Orchestrator server service, require write access. See your Microsoft Windows documentation to configure appropriate security settings for shared folders. Click OK.
  • Page 110: Editing Distributed Repositories

    Importing source sites from the SITEMGR.XML file Exporting the repository list SITELIST.XML file Use this task to export the repository list (SITELIST.XML) file to a file for manual delivery to systems, or for import during the installation of supported products.
  • Page 111: Exporting The Repository List Sitemgr.xml File For Backup Or Use By Other Servers

    Use this task to import distributed repositories from a repository list file. This is valuable after reinstalling a server, or if you want one server to use the same distributed repositories as another server.
  • Page 112: Importing Source Sites From The Sitemgr.xml File

    You must have appropriate permissions to perform this task. Task For option definitions, click ? on the page displaying the options. Go to Software | Distributed Repositories, then click Change Credentials. The Repository Type page of the Change Credentials wizard appears.
  • Page 113 Next. The Repository Selection page appears. Select the desired distributed repositories, then click Next. The Credentials page appears. Edit the credentials as needed, then click Next. The Summary page appears. Review the information, then click Save.
  • Page 114: Managing Products With Policies And Client Tasks

    The extensions contain the files, components, and information necessary to manage such a product. Extensions replace the NAP files of previous releases. What functionality extensions add When a managed product extension is installed, functionalities added can include:
  • Page 115: Policy Management

    NOTE: A McAfee Default policy exists for each category. You cannot delete, edit, export or rename these policies, but you are not required to assign the McAfee Default policies to any groups or systems.
  • Page 116: Policy Application

    The frequency of this communication is determined by the Agent-to-server-communication interval settings on the General tab of the McAfee Agent policy pages, or the Agent Wakeup task schedule (depending on how you implement agent-server communication). This interval is set to occur once every 60 minutes by default.
  • Page 117: Client Tasks And What They Do

    Therefore, if you wish to use a policy owned by a different user, McAfee recommends that you first duplicate the policy, then assign the duplicate to the desired locations. This provides you ownership of the assigned policy.
  • Page 118: Bringing Products Under Management

    Use this task to view the groups and systems where a policy is assigned. This list shows the assignment points only, not each group or system that inherits the policy. Task For option definitions, click ? on the page displaying the options.
  • Page 119: Viewing The Settings Of A Policy

    Use this task to view assignments where policy enforcement, per policy category, is disabled. Task For option definitions, click ? on the page displaying the options. Go to Systems | Policy Catalog, then select the desired Product and Category.
  • Page 120: Viewing Policies Assigned To A Group

    The desired policy row, under Inheritance Source, displays the name of the group from which the policy is inherited. Viewing and resetting broken inheritance Use this task to view where policy inheritance is broken. Task For option definitions, click ? on the page displaying the options.
  • Page 121: Working With The Policy Catalog

    You can create policies before or after a product is deployed. Task Go to Systems | Policy Catalog, then select the Product and Category from the drop-down lists. All created policies for that category appear in the details pane. Figure 23: Policy Catalog page
  • Page 122: Duplicating A Policy On The Policy Catalog Page

    Use this task to rename a policy. Your user account must have appropriate permissions to edit policy settings for the desired product. Task For option definitions, click ? on the page displaying the options.
  • Page 123: Deleting A Policy From The Policy Catalog

    If you delete a policy that is applied to the My Organization group, the McAfee Default policy of this category is assigned.
  • Page 124: Sharing Policies Between Epo Servers

    Click Export next to Product policies at the top of the page. The Download File page appears. Right-click the link and select Save Target As. Name the policy XML file and save it to the desired location. Ensure that this location is accessible to the target ePolicy Orchestrator server.
  • Page 125: Assigning A Policy To A Group Of The System Tree

    Select the desired system, then click Modify Policies on a Single System. The Policy Assignment page for that system appears. Select the desired Product. That product’s policy categories are listed with the system’s assigned policy.
  • Page 126: Assigning A Policy To Multiple Managed Systems Within A Group

    Enforcing policies for a product on a system Use this task to enable or disable policy enforcement for a product on a system. Policy enforcement is enabled by default, and is inherited in the System Tree.
  • Page 127: Copying And Pasting Assignments

    For option definitions, click ? on the page displaying the options. Go to Systems | System Tree | Systems, then select the desired group under System Tree. The systems belonging to the selected group appear in the details pane.
  • Page 128: Working With Client Tasks

    Tasks), This policy controls the enforcement status of other policies. Confirm the replacement of assignments. Working with client tasks Use these tasks to create and maintain client tasks. Tasks Creating and scheduling client tasks Editing client tasks Deleting client tasks
  • Page 129: Creating And Scheduling Client Tasks

    For option definitions, click ? on the page displaying the options. Go to Systems | System Tree | Client Tasks, then select the desired group in the System Tree. Click Delete next to the desired client task. Click OK.
  • Page 130: Frequently Asked Questions

    What are the McAfee Default and My Default policies? Upon installation, each policy category contains at least two policies. These are named McAfee Default and My Default. These are the only policies present for first-time installations. The configurations for both, initially, are the same.
  • Page 131: Deploying Software And Updates

    Manually moving DAT and engine packages between branches Deleting DAT or engine packages from the master repository Deployment packages for products and updates The ePolicy Orchestrator deployment infrastructure supports deploying products and components, as well as updating both.
  • Page 132 Deploying Software and Updates Deployment packages for products and updates Each McAfee product that ePolicy Orchestrator can deploy provides a product deployment package ZIP file. ePolicy Orchestrator can deploy these packages to any of your managed systems, once they are checked in to the master repository. The ZIP file contains the product installation files, which are compressed in a secure format.
  • Page 133: Product And Update Deployment

    A key is used to encrypt or decrypt sensitive data. You are notified when you check in packages that are not signed by McAfee. If you are confident of the content and validity of the package, continue with the checkin. These packages are secured in the same manner described above, but are signed by ePolicy Orchestrator when they are checked in.
  • Page 134: Deployment Tasks

    As you deploy to each group, monitor the deployment, run reports to confirm successful installations, and troubleshoot any problems with individual systems. If you are deploying McAfee products or components that are installed on a subset of your managed systems: Use a tag to identify these systems.
  • Page 135: Global Updating

    NOTE: When using global updating, McAfee recommends scheduling a regular pull task (to update the master repository) at a time when network traffic is minimal. Although global updating is much faster than other methods, it increases network traffic during the update.
  • Page 136: Pull Tasks

    Thursday. You can also use the Pull Now task to check updates in to the master repository immediately. For example, when McAfee alerts you to a fast-spreading virus and releases a new DAT file to protect against it. If a pull task fails you must check the packages in to the master repository manually.
  • Page 137: Replication Tasks

    New distributed repositories are added to the repository list file containing all available distributed repositories. The agent of a managed system updates this file each time it communicates with the ePO server. The agent performs repository selection each time the agent (McAfee Framework Service) service starts and when the repository list changes.
  • Page 138: Server Task Log

    You can also tightly control which distributed repositories agents use for updating by enabling or disabling distributed repositories in the agent policy settings. McAfee does not recommend disabling repositories in the policy settings. Allowing agents to update from any distributed repository ensures they receive the updates.
  • Page 139: Using The Product Deployment Task To Deploy Products To Managed Systems

    Next to Check in package to this branch, select the desired branch. If there are requirements in your environment to test new packages before deploying them throughout the production environment, McAfee recommends using the Evaluation branch whenever checking in packages. Once you finish testing the packages, you can move them to the Current branch on the Software | Master Repository tab.
  • Page 140: Configuring The Deployment Task For Groups Of Managed Systems

    For option definitions, click ? on the page displaying the options. Go to Systems | System Tree | Client Tasks, then select a group in the System Tree. Click New Task, then name the task and select Product Deployment (McAfee Agent) from the Task type drop-down list.
  • Page 141: Deploying Update Packages Automatically With Global Updating

    Next to Inheritance, select whether this system should inherit the task’s schedule and settings from the parent group of the System Tree. Select McAfee Agent from the Product drop-down list, then select Product Deployment from the Type drop-down list. Click Next. The Configuration page appears.
  • Page 142: Deploying Update Packages With Pull And Replication Tasks

    Use these tasks to implement a task-based updating strategy once you have created your repository infrastructure. You must rely on these tasks if you are not using global updating in your environment. Before you begin Make sure repositories are created and in locations available to managed systems.
  • Page 143: Using Pull Tasks To Update The Master Repository

    Replicating packages from the master repository to distributed repositories Using pull tasks to update the master repository Use either of these tasks to update the contents of the master repository from the McAfee update site or a user-configured source site.
  • Page 144 For option definitions, click ? on the page displaying the options. Go to Software | Master Repository, then click Pull Now at the bottom of the page. The Pull Now wizard appears. Select the source site from the list of available repositories.
  • Page 145: Replicating Packages From The Master Repository To Distributed Repositories

    Description page of the Server Task Builder wizard appears. Name and describe the task. Choose whether to enable or disable the task, then click Next. The Actions page appears. Disabled tasks can be run manually, but do not run at scheduled times.
  • Page 146 Repositories page of the Replicate Now wizard appears. Select which distributed repositories participate in the replication, then click Next. If you are not sure which distributed repositories need to be updated, replicate to them all.
  • Page 147: Configuring Agent Policies To Use A Distributed Repository

    Use this task to customize how agents select distributed repositories. Task For option definitions, click ? on the page displaying the options. On the Repositories tab in the McAfee Agent | General policy pages, select Use this repository list. Under Repository selection, specify the method to sort repositories: •...
  • Page 148: Checking In Engine, Dat And Extra.dat Update Packages Manually

    Go to Software | Master Repository, then click Check In Package. The Check In Package wizard appears. Select the package type, then browse to and select the desired package file. Click Next. The Package Options page appears.
  • Page 149: Updating Managed Systems Regularly With A Scheduled Update Task

    Updating managed systems regularly with a scheduled update task Use this task to create and configure update tasks. If you are not using global updating, McAfee recommends using a daily Update client task to ensure systems are up-to-date with the latest DAT and engine files.
  • Page 150: Evaluating New Dats And Engines Before Distribution

    Create or select a group in the System Tree to serve as an evaluation group, and create a McAfee Agent policy for the systems to use only the Evaluation branch. (In the Repository Branch Update Selection section of the Updates tab.) The policies take effect the next time the agent calls into the server.
  • Page 151: Deleting Dat Or Engine Packages From The Master Repository

    For option definitions, click ? on the page displaying the options. Go to Software | Master Repository. The Packages in Master Repository table appears. In the row of the desired package, click Delete. The Delete Package dialog box appears. Click OK.
  • Page 152: Sending Notifications

    Create notification rules. Contents Notifications and how it works Planning Determining how events are forwarded Setting up ePO Notifications Creating and editing Notification rules Viewing the history of Notifications Product and component list Frequently asked questions
  • Page 153: Notifications And How It Works

    For both scenarios, we can assume that each group of the System Tree has a similar rule configured. Each rule is configured to send a notification message when 100 virus detection events have been received from any product within 60 minutes. For reference purposes, each
  • Page 154 Subgroup3B within 60 minutes in a single day. Conditions of the VirusDetected_MyOrganization rule are met, sending notification messages (or launching registered executables) per the rules’ configurations. This is the only rule that can be applied to all 100 events.
  • Page 155: Default Rules

    Non-compliant computer detected: Non-Compliant Computer Detected events. Sends a notification message when any events are received from the Generate Compliance Event server task. Planning Before creating rules that send notifications, save time by planning:
  • Page 156: Determining How Events Are Forwarded

    Use this task to determine whether events are forwarded immediately or only at the agent-to-server communication interval. If the currently applied policy is not set for immediate uploading of events, either edit the currently applied policy or create a new McAfee Agent policy. This setting is configured on the Events tab. Task For option definitions click ? on the page displaying the options.
  • Page 157: Determining Which Events Are Forwarded

    Use this task to ensure all desired administrators have the appropriate permissions to Notifications. Task For option definitions click ? on the page displaying the options. Go to Configuration | Permission Sets. Click New Permission Set, or select an existing one.
  • Page 158: Working With Snmp Servers

    For option definitions click ? on the page displaying the options. Go to Automation | SNMP Servers, then click New SNMP Server at the bottom of the page. The New SNMP Server page appears.
  • Page 159 This file allows your network management program to decode the data in the SNMP traps into meaningful text. For instructions on importing and implementing .MIB files, see the product documentation for your network management program.
  • Page 160: Working With Registered Executables And External Commands

    Type a name for the registered executable. Type the path or browse to and select the registered executable you want a rule to execute when triggered, then click Save. The new registered executable appears in the Registered Executables list.
  • Page 161 Adding external commands for use with registered executables Use this task to add commands, and configure their arguments, for existing registered executables. Before you begin You must have appropriate permissions to perform this task.
  • Page 162 You must have appropriate permissions to perform this task. Task For option definitions click ? on the page displaying the options. Go to Automation | External Commands, then click Delete next to the desired command. When prompted, click OK. Click OK.
  • Page 163: Creating And Editing Notification Rules

    Type a description in the Notes text box. Click ... next to the Defined at text box, then select the desired System Tree group to which the rule applies from the Select Tree Group dialog box.
  • Page 164: Setting Filters For The Rule

    Next to Aggregation, select whether to Send a notification for every event, or to Send a notification if multiple events occur within a defined amount of time. If you select the latter, define this amount of time in minutes, hours, or days.
  • Page 165: Configuring The Notifications For The Rule

    Select the desired language in which you want the variables to appear from the Replace variables with their values in drop-down list. c Select the Variables to include in the SNMP trap. • Notification rule name • Rule group • Rule defined at • Selected products
  • Page 166: Viewing The History Of Notifications

    System Tree. In this version of ePolicy Orchestrator, you can now display the information in the Notification Log as a summary table, pie chart, or bar chart.
  • Page 167: Viewing The Details Of Notification Log Entries

    When you purge items from the Notification Log, all entries are purged that meet the time criteria, regardless of which part of the System Tree they originated. Before you begin You must have permissions to perform this task.
  • Page 168: Product And Component List

    Can I create a rule that generates multiple types of notifications? Yes. Notifications for ePolicy Orchestrator supports any combination of the following notification targets for each rule: • Email (including standard SMTP, SMS, and text pager). • SNMP servers (via SNMP v1 traps).
  • Page 169 Sending Notifications Frequently asked questions • Any external tool installed on the ePolicy Orchestrator server.
  • Page 170: Querying The Database

    To get you started, McAfee includes a set of default queries which provide the same information as the default reports of previous versions. Are you setting up queries for the first time? When setting up queries for the first time: Understand the functionality of queries and the Query Builder wizard.
  • Page 171: Public And Personal Queries

    Query Builder wizard to create and edit personal queries. • Edit public queries; create and edit personal queries; make personal queries public — Grants permission to use and edit any public queries, create and edit any personal queries,
  • Page 172: Query Builder

    (Boolean pie chart) query. Additionally, when creating a Compliance History query, be sure the time unit matches the schedule interval for the server task. McAfee recommends creating the Boolean pie chart query first, followed by the server task that generates the compliance events, and finally the Compliance History query.
  • Page 173: Multi-Server Roll-Up Querying

    Managed Systems with a Boolean pie chart) and an additional Run Query server task (with the subaction to generate a compliance event) to run on each server whose data you want to include in the Rolled Up Compliance History type of query.
  • Page 174: Preparing For Roll-Up Querying

    Best practices McAfee recommends creating a Roll Up Data server task on this server for each registered server. This task would include each of the desired Roll Up Data actions, each targeting only one of the registered servers.
  • Page 175: Working With Queries

    Select the desired Data Roll Up actions, and select the desired registered server to which it applies. NOTE: McAfee recommends creating one server task per registered server, and configuring it to run both Roll Up Data actions. Click Next. The Schedule page appears.
  • Page 176: Running An Existing Query

    Go to Automation | Server Tasks, then click New Task. The Description page of the Task Builder wizard appears. Name and describe the task, then click Next. The Actions page appears. Select Run Query from the drop-down list. Select the desired query to run.
  • Page 177 • Edit Description — Overwrites the existing system description in the database for all systems in the query results. This option is only valid for queries that result in a table of systems.
  • Page 178: Making Personal Queries Public

    Select the new query in the Queries list, then click Edit. The Query Builder wizard appears with settings identical to those of the query that was the source for the duplicate. Edit the query as desired, then click Save.
  • Page 179: Sharing A Query Between Epo Servers

    Options menu. The Export page appears. Select whether the data files are exported individually or in a single archive (ZIP) file. If needed, select whether to export the chart data only, or the chart data and drill-down tables.
  • Page 180: Default Queries And What They Display

    (For example, VirusScan enterprise queries all begin with “VSE”). This section of the document covers McAfee Agent, and ePO queries only. See the product documentation of any others for information on their default queries.
  • Page 181: Epo: Compliance History Query

    Use this query, with its default settings, to show which managed systems in your environment are compliant or non-compliant by versions of VirusScan Enterprise, McAfee Agent, and DAT files. This query only considers systems that have communicated with the server in the last 24 hours.
  • Page 182: Epo: Distributed Repository Status Query

    Roll Up Data (Local ePO Server) server task. Query results This query returns a line chart. Details depend on how you’ve configured the Data Rollup: Compliance History server task.
  • Page 183: Epo: Systems Per Top-Level Group Query

    The results of the query are displayed in a pie chart, which you can use to drill down into the details of the events and the systems on which they occurred. Comparable report in ePolicy Orchestrator 3.6 This query replaces all or part of: • Number of Infections for the Past 24 Hours
  • Page 184: Assessing Your Environment With Dashboards

    • Quick System Search — A text-based search field that allows you to search for systems by system name, IP address, MAC address, or user name.
  • Page 185: Setting Up Dashboard Access And Behavior

    Assessing Your Environment With Dashboards Setting up dashboard access and behavior • McAfee Links — Hyperlinks to McAfee sites, including ePolicy Orchestrator Support, Avert Labs WebImmune, and Avert Labs Threat Library. Setting up dashboard access and behavior Use these tasks to ensure users have the appropriate access to dashboards, and how often dashboards are refreshed.
  • Page 186: Working With Dashboards

    Click Save, then select whether to make this dashboard active. Active dashboards display on the tab bar of Dashboards. Making a dashboard active Use this task to make a dashboard part of your active set.
  • Page 187: Selecting All Active Dashboards

    The selected dashboards appear on the tab bar whenever you go to the Dashboards section of the product. Making a dashboard public Use this task to make a private dashboard public. Public dashboards can be used by any user with permissions to public dashboards.
  • Page 188 Go to Dashboards, then select Manage Dashboards from the Options drop-down list. Select the desired dashboard from the Available Dashboards list, then click Make Public. Click OK when prompted. The dashboard appears in the Public Dashboards list on the Manage Dashboards page.
  • Page 189: Detecting Rogue Systems

    Even in a managed network environment, some systems might not have an active McAfee Agent on them. These can be systems that frequently log on and off the network, including test servers, laptops, or wireless devices.
  • Page 190: How The Rogue System Sensor Works

    • The sensor reports any system the first time it is detected on the network. • For each detected system, the sensor adds the MAC address to the packet filter, so that it is not detected again, until the user configured time elapses.
  • Page 191: Data Gathering And Communications To The Server

    IP address. TIP: Installing sensors on DHCP servers can improve coverage of your network. However, it is still necessary to install sensors in broadcast segments that use static IP addresses, or that have
  • Page 192: How Detected Systems Are Matched And Merged

    Rogue System Detection categorizes systems, sensors and subnets on your network with different states to make monitoring and managing your network easier. These states determine the following: • Overall system status • Rogue System Sensor status • Subnet status
  • Page 193: Overall System Status

    Rogue and Inactive categories. Exceptions Exceptions are systems that don’t need a McAfee Agent, such as routers, printers, or systems from which you no longer want to receive detection information. Identify these systems and mark them as exceptions to prevent them from being categorized as rogue systems. Mark a system as an exception only when it does not represent a vulnerability in your environment.
  • Page 194: Rogue System Sensor Status

    Rogue systems are systems that are not managed by your ePO server. There are three rogue states: • Alien agent — These systems have a McAfee Agent that is not in the local ePO database. • Inactive agent — These systems have a McAfee Agent in the ePO database that has not communicated in a specified time.
  • Page 195: Subnet Status

    The Rogue Sensor Blacklist is different than the Exceptions list, in that systems on the Exceptions list are those that either can’t have an agent on them, or that you don’t want categorized as Rogue, such as printers or routers.
  • Page 196: Rogue System Detection Policy Settings

    Managing Products with Policies and Client Tasks. TIP: McAfee recommends that you configure policy settings before you deploy sensors to your network. Doing so ensures that the sensors work according to your intended use. For example, DHCP monitoring is disabled by default.
  • Page 197: Rogue System Detection Permission Sets

    Permission set Rights Rogue System Detection • Create and edit Rogue System information; manage sensors. • Create and edit Rogue System information; manage sensors; Deploy McAfee Agents and Add to System Tree. • No permissions.
  • Page 198: Setting Up Rogue System Detection

    • To create a new policy, click New Policy and, from the Create a policy based on this existing policy drop-down list, select an existing policy on which to base the new policy. Name the new policy and click OK. Configure the desired settings and click Save.
  • Page 199: Configuring Server Settings For Rogue System Detection

    Use this task to edit the matching settings for Rogue System Detection. Matching settings are user-configured and have these important functions: • They define the properties that determine how newly detected interfaces are matched with existing systems. • They specify static IP ranges for matching.
  • Page 200: Editing Sensor Settings

    In Static IP Ranges for Matching, type the static IP ranges to use when matching on static IP addresses. In Alternative McAfee Agent Ports, specify any alternate ports you want to use when querying detected systems to check for a McAfee Agent.
  • Page 201: Setting Up Automatic Responses To Rogue System Detection Events

    Deploy Agent Deploys a McAfee Agent to the detected system. Query Agent Opens the Query McAfee Agent Results page, which provides the name or IP address of the detected system and details about the agent installed on it. Remove from Exceptions Removes the detected system from the Exceptions list.
  • Page 202: Working With Detected Systems

    From the Detected Systems Details page, you can only add the detected system you are viewing. Click Add to Exceptions. Adding systems to the Rogue Sensor Blacklist Use this task to add detected systems to the Rogue Sensor Blacklist.
  • Page 203: Editing System Comments

    Files are exported in the Comma Separated Value format. The file name for your Exceptions list is predefined as RSDExportedExceptions.csv. You can change the name of the file after it has been exported to your local system.
  • Page 204: Importing Systems To The Exceptions List

    Systems Details page. Go to Systems | System Tree | Systems and click any system. Systems page. Go to Systems | System Tree. Task For option definitions, click ? on the page displaying the options.
  • Page 205: Removing Systems From The Exceptions List

    Systems page. Go to Systems | System Tree. Task For option definitions, click ? on the page displaying the options. Select the detected systems you want to remove from the Rogue Sensor Blacklist.
  • Page 206: Viewing Detected Systems And Their Details

    Go to Systems | Policy Catalog, then from the Product drop-down list select Rogue System Detection 2.0.0, and from the Category drop-down list select General. All created policies for Rogue System Detection appear in the details pane. Locate the desired policy and click Edit in its row.
  • Page 207: Installing Sensors

    Use this task to create a query that can run as a server task action to install sensors on managed systems. Task For option definitions, click ? on the page displaying the options. Go to Reporting | Queries, then click New Query in the Queries pane.
  • Page 208: Editing Sensor Descriptions

    Click Save and specify the name of your query, and any notes, then click Save again. TIP: McAfee recommends using a product-specific prefix when naming your queries to keep them organized and make them easier to find. For example, RSD: QueryName.
  • Page 209: Removing Sensors

    If the Rogue Sensor Remove button is not visible, click More Actions and select Rogue Sensor Remove. In the Action pane, click OK. Using client tasks to remove sensors Use this task to create a client task to remove sensors from systems on your network.
  • Page 210: Working With Subnets

    Go to Network | Detected Systems and click any category in the Subnet Status monitor, then click any system. Detected Subnets page. Go to Network | Detected Systems and click any category in the Subnet Status monitor.
  • Page 211: Ignoring Subnets

    Go to Network | Detected Systems and click any subnet category in the Subnet Status monitor, then click any system. Detected Subnets page. Go to Network | Detected Systems and click any subnet category in the Subnet Status monitor.
  • Page 212: Viewing Detected Subnets And Their Details

    This parameter takes effect only when running in command-line mode, which also requires the --console command-line switch. Sample syntax: sensor.exe --server "MyServerName" --console • --uninstall: Unregisters the sensor with the Windows Service Control Manager. • --version: Prints the version of the sensor and exits.
  • Page 213: Default Rogue System Detection Queries

    RSD: Subnet Coverage Returns the details of detected subnets on your network, in pie chart format.
  • Page 214: Appendix: Maintaining Epolicy Orchestrator Databases

    To keep your database from growing too large and to keep performance optimized, perform regular database maintenance on it. McAfee recommends doing this daily, if possible, or weekly at the very least. Performing this maintenance regularly can help keep the size of your database down and thereby improve database performance.
  • Page 215: Performing Regular Maintenance Of Sql Server Databases

    This can cause the log to swell in size. NOTE: If you choose not to use simple recovery, then you need to regularly back up the transaction log. See the SQL or MSDE documentation for setting the recovery model to simple.
  • Page 216: Backing Up Epolicy Orchestrator Databases Regularly

    Backing up ePolicy Orchestrator databases regularly McAfee recommends that you back up ePolicy Orchestrator databases regularly to protect your data and guard against hardware and software failure. You may need to restore from a backup, for example, if you ever need to reinstall the server.
  • Page 217: Changing Sql Server Information

    Restart the system to apply the changes. Restoring ePolicy Orchestrator databases If you have been backing up your database regularly as McAfee recommends, then restoring it is easy. You should not need to do this very often, or ever. Aside from software or hardware failure, you need to restore the database from a backup if you want to upgrade your server or database server hardware.
  • Page 218: Restoring A Sql Database--See Your Sql Documentation

    You cannot use it to change the location of the database. Task Stop the McAfee ePolicy Orchestrator 4.0 Server service and ensure that the SQL Server (MSSQLSERVER) service is running. For instructions, see the operating system product documentation.