McAfee EPOLICY ORCHESTRATOR 3.6 - WALKTHROUGH GUIDE Manual

System protection, a product overview and quick set up in a test environment version 3.6

ePolicy Orchestrator® version 3.6
A product overview and quick set up in a test environment
McAfee® System Protection
Industry-leading intrusion prevention solutions
Walkthrough Guide, revision 2.0


Summary of Contents for McAfee EPOLICY ORCHESTRATOR 3.6 - WALKTHROUGH GUIDE

  • Page 1 Walkthrough Guide revision 2.0 ePolicy Orchestrator ® A product overview and quick set up in a test environment version 3.6 McAfee ® System Protection Industry-leading intrusion prevention solutions...
  • Page 3 Walkthrough Guide revision 2.0 ePolicy Orchestrator ® A product overview and quick set up in a test environment version 3.6 McAfee ® System Protection Industry-leading intrusion prevention solutions...
  • Page 4 For any such software covered under the GPL, the source code is made available on this CD. If any Free Software licenses require that McAfee provide rights to use, copy or modify a software program that are broader than the rights granted in this agreement, then such rights shall take precedence over the rights and restrictions herein.
  • Page 5: Table Of Contents

    Installing the agent manually ........38 Enabling the agent on unmanaged McAfee products ....38...
  • Page 6 ® ePolicy Orchestrator 3.6 Walkthrough Guide Contents Distributing the agent using other deployment products ... . . 39 Distributing the agent to WebShield appliances and Novell NetWare servers About deploying packages ......... 40 Package signing and security.
  • Page 7 Add VirusScan Enterprise to the master repository ..... 95 Pull updates from McAfee source repository ...... 96 Create a distributed repository .
  • Page 8 SECTION Walkthrough This section provides a walkthrough of conceptual and best practices information. Introduction Installing or Upgrading the Server Organizing the Directory and Repositories Deploying the Agent and Products Rogue System Detection ePolicy Orchestrator Notifications Outbreaks...
  • Page 9: Introduction

    Introduction ePolicy Orchestrator 3.6 is a powerful tool that allows you to manage security policy, assess and enforce policy, identify and take actions on rogue systems, and notify you of certain events that occur, all across your entire network. Components of ePolicy Orchestrator.
  • Page 10 ® ePolicy Orchestrator 3.6 Walkthrough Guide Introduction Components of ePolicy Orchestrator Update repositories. Figure 1-1 ePolicy Orchestrator on your network ePolicy Orchestrator server The center of your managed environment. One server can manage up to 250,000 systems, but you may be restricted by your bandwidth and other considerations. For example, network obstacles like firewalls and proxy servers, geographic locations of sites, and security divisions within your organization.
  • Page 11 Master repository The master repository exists on the ePolicy Orchestrator server and is the central location for all McAfee product updates. The master repository goes to the McAfee Download Site (source repository) at defined times to retrieve all available updates and signatures.
  • Page 12: Policy, Properties, And Events

    ® ePolicy Orchestrator 3.6 Walkthrough Guide Introduction Policy, properties, and events Policy, properties, and events Two main purposes of ePolicy Orchestrator are to enforce policies on the managed systems, and to receive and process properties and events from all of the managed systems.
  • Page 13: Tasks, Services, And Accounts

    Several tasks and services of ePolicy Orchestrator require authentication with specific accounts to complete. This information is useful if you encounter issues with the following tasks. Task Service Account Logging onto the McAfee ePolicy Orchestrator 3.6.0 ePolicy Orchestrator server server Server ( account. NAIMSRV Deploying agents McAfee ePolicy Orchestrator 3.6.0...
  • Page 14: Other Times When Credentials Are Needed

    ® ePolicy Orchestrator 3.6 Walkthrough Guide Introduction Minimum requirements Other times when credentials are needed While performing various tasks in ePolicy Orchestrator, you may be required to provide user credentials. Table 1-1 Tasks and credentials Task Credentials Location stored Logging on to Active Active Directory administrator If the Active Directory Directory containers...
  • Page 15: Installing Or Upgrading The Server

    Installing or Upgrading the Server Whether you are installing ePolicy Orchestrator 3.6 as a new installation or upgrading from prior versions you must understand the minimum system requirements, preparation tasks on your network, and which pieces of information to take to the installation or upgrade.
  • Page 16: Pre-Installation Preparation

    If the standard database does not meet your needs, utilize a Microsoft SQL Server 2000 database. McAfee recommends that a dedicated server is used for the database if you are managing more than 2,000 client systems. Note Update both the ePolicy Orchestrator server system and the ePolicy Orchestrator database server system with the latest Microsoft security updates.
  • Page 17 The default port is . This port cannot be changed after installation. McAfee strongly recommends that you change this to another port due to potential conflicts in many environments. For example, to Note Console-to-Server communication port —...
  • Page 18: Upgrading From A Previous Version

    ® ePolicy Orchestrator 3.6 Walkthrough Guide Installing or Upgrading the Server Upgrading from a previous version E-mail address for Notifications If you want to use the default rules of the ePolicy Orchestrator Notifications feature, you can provide an e-mail address on the Set E-mail Address panel of the installation wizard to which you want to receive notification messages when you enable any of the default rules.
  • Page 19: Information To Have During The Upgrade

    The default port is . This port cannot be changed after installation. McAfee strongly recommends that you change this to another port due to potential conflicts in many environments. For example, to Note Console-to-Server communication port —...
  • Page 20: Upgrading Issues

    ® ePolicy Orchestrator 3.6 Walkthrough Guide Installing or Upgrading the Server Upgrading from a previous version E-mail address for Notifications To use the default rules of the ePolicy Orchestrator Notifications feature, you can provide an e-mail address on the Set E-mail Address panel of the installation wizard to which you want to receive notification messages when you enable any of the default rules.
  • Page 21: Organizing The Directory And Repositories

    Organizing the Directory and Repositories The ePolicy Orchestrator software requires you to configure and set up several components. Although extensive, the configurations allow you to customize the product specifically for your environment. Carefully planning the implementation of your ePolicy Orchestrator solution is essential before installing the software. You should consider how your: Directory should be organized.
  • Page 22: About Epolicy Orchestrator Roles

    ® ePolicy Orchestrator 3.6 Walkthrough Guide Organizing the Directory and Repositories ePolicy Orchestrator Directory: concepts and roles Lost&Found groups Lost&Found groups store system names whose locations could not be determined by the ePolicy Orchestrator server. The administrator (with appropriate rights) must move the systems in Lost&Found groups to the appropriate place in the Directory to manage them.
  • Page 23 ® ePolicy Orchestrator 3.6 Walkthrough Guide Organizing the Directory and Repositories ePolicy Orchestrator Directory: concepts and roles Global administrators can use the console to deploy agents and security products, change agent or product policies, create and run client tasks for updating DAT files or performing on-demand scans for any node in any site in the Directory.
  • Page 24: Organizing The Directory

    ® ePolicy Orchestrator 3.6 Walkthrough Guide Organizing the Directory and Repositories ePolicy Orchestrator Directory: concepts and roles Global reviewers Global reviewers can view, but not edit, all settings in the console (except for Rogue System Detection), including property settings, policy, and task settings for all nodes in the Directory.
  • Page 25: Environmental Borders

    Borders influence the organization of the Directory differently than the organization of your network topology. McAfee recommends evaluating the following borders in your network and organization, and whether they must be taken into consideration when defining the organization of your Directory.
  • Page 26: Ip Address Filters And Sorting

    ® ePolicy Orchestrator 3.6 Walkthrough Guide Organizing the Directory and Repositories ePolicy Orchestrator Directory: concepts and roles Political Many large networks are divided because different individuals or groups are responsible for managing various portions of the network. Sometimes these borders do not coincide with the topological or geographical borders.
  • Page 27 ® ePolicy Orchestrator 3.6 Walkthrough Guide Organizing the Directory and Repositories ePolicy Orchestrator Directory: concepts and roles Automatically populating the Directory with this method is the result of an algorithm that uses both IP filters you create and domain information for the NT domain to which the new system belongs.
  • Page 28: Repositories

    Source repository The source repository provides all updates for your master repository. The default source repository for clean installations is the McAfee FTP update site (FtpSite), but you can change the source repository or even configure multiple source repositories if you require.
  • Page 29: Distributed Repository

    You do not need to spend additional time creating and configuring repositories or the update tasks. McAfee recommends using SuperAgent repositories and global updating together to ensure your managed environment is up-to-date.
  • Page 30 Once the distributed repository is created, you can use ePolicy Orchestrator to configure managed systems of a specific Directory site or group to update from it. McAfee recommends that you manage all distributed repositories through ePolicy Orchestrator. Managing distributed repositories with ePolicy Orchestrator and using global updating, or scheduled replication tasks frequently ensures your managed environment is up-to-date.
  • Page 31: Deploying The Agent And Products

    Systems cannot be managed without an installed agent. Due to the variety of network environments, McAfee provides several methods for you to get the agent on to the systems you want to manage. About the ePolicy Orchestrator agent...
  • Page 32: Agent Language Packages

    Deploying the Agent and Products ePolicy Orchestrator agent <system_drive>\program files\mcafee\common framework On the client system, if you are upgrading the agent from version 2.5.1, the new agent is also installed after the existing agent is uninstalled, by default in this location: <system_drive>\program files\network associates\common framework...
  • Page 33 3.6 Walkthrough Guide Deploying the Agent and Products ePolicy Orchestrator agent By default, the agent installation package is installed in this location: C:\PROGRAM FILES\MCAFEE\EPO\3.6.0\DB\SOFTWARE\CURRENT\ePOAGENT3000\INSTALL\0409\FRAMEPKG.EXE This is the installation package that the ePolicy Orchestrator server uses to deploy agents. The default agent installation package contains no embedded user credentials. When executed on the system, the installation uses the account of the currently logged-on user.
  • Page 34: Agent-Server Communication

    ® ePolicy Orchestrator 3.6 Walkthrough Guide Deploying the Agent and Products ePolicy Orchestrator agent 6 Click Next. The Create Package dialog box appears, showing the progress of the creation. 7 Click Next, then Finish. You can distribute the custom installation package file as needed. If you plan to deploy the custom installation package with ePolicy Orchestrator, check the package into your master repository.
  • Page 35: Superagents And Broadcast Wakeup Calls

    ® ePolicy Orchestrator 3.6 Walkthrough Guide Deploying the Agent and Products ePolicy Orchestrator agent For complete information on balancing bandwidth, server hardware, and ASCI, see the ePolicy Orchestrator 3.6 Hardware Sizing and Bandwidth Usage white paper. Note Agent-server communication after agent startup After the installation, or if the agent service is stopped and restarted, the agent calls into the server at a randomized interval within ten minutes.
  • Page 36 ® ePolicy Orchestrator 3.6 Walkthrough Guide Deploying the Agent and Products ePolicy Orchestrator agent Instead of sending agent wakeup calls from the server to every agent, the server sends the SuperAgent wakeup call to SuperAgents in the selected Directory segment. When SuperAgents receive this wakeup call, they send broadcast wakeup calls to all the agents in their network broadcast segments.
  • Page 37: Agent Activity Logs

    ® ePolicy Orchestrator 3.6 Walkthrough Guide Deploying the Agent and Products Distributing agents Agent activity logs The agent log files are useful when determining agent status or troubleshooting problems. There are two log files that record agent activity, both are located in the agent installation folders on the managed system running Windows 95, Windows 98, or Windows NT systems.
  • Page 38: Deploying The Agent From Epolicy Orchestrator

    Deploying the agent from ePolicy Orchestrator Installing the agent with login scripts Installing the agent manually Enabling the agent on unmanaged McAfee products Including the agent on an image Distributing the agent using other deployment products Distributing the agent to WebShield appliances and Novell NetWare servers Deploying the agent from ePolicy Orchestrator You can use ePolicy Orchestrator to deploy agents to your systems.
  • Page 39 Note Directory. However, McAfee does not recommend this procedure if you are creating your Directory by importing large NT domains or Active Directory containers. This can generate too much network traffic.
  • Page 40: Installing The Agent With Login Scripts

    Best practices information McAfee recommends that you first create segments of your Directory that use either network domain names or IP address filters that add the expected systems to the desired sites and groups when the agents call into the server for the first time automatically.
  • Page 41: Installing The Agent Manually

    Enabling the agent on unmanaged McAfee products Before purchasing ePolicy Orchestrator, you may have already been using McAfee products in your network. Some of the more recent McAfee products that use the AutoUpdate updater, such as VirusScan Enterprise, install with the agent in a disabled state.
  • Page 42: Including The Agent On An Image

    Novell NetWare servers. Instead, use a method such as a login script or manual installation. These systems require different agents, which can be downloaded from the McAfee web site. These agent installation packages are not installed on the ePolicy Note Orchestrator server by default.
  • Page 43: About Deploying Packages

    About deploying packages About deploying packages The ePolicy Orchestrator deployment infrastructure supports deploying products and ePolicy Orchestrator components. Each McAfee product that ePolicy Orchestrator can deploy provides a product deployment package (PKGCATALOG.z) file. ePolicy Orchestrator can deploy these packages to any of your managed systems, once they are checked into the master repository.
  • Page 44: Package Signing And Security

    168-bit 3DES encryption. A key is used to encrypt or decrypt sensitive data. You are notified when you check in packages that are not signed by McAfee. If you are confident of the content and validity of the package, continue with the check-in. These packages are secured in the same manner described above, but are signed by ePolicy Orchestrator when they are checked in.
  • Page 45: Legacy Product Support

    Using digital signatures guarantees that packages originated from McAfee or were checked in by you, and that they have not been tampered with or corrupted. The agent only trusts package catalog files signed by ePolicy Orchestrator or McAfee. This protects your network from receiving packages from unsigned or untrusted sources.
  • Page 46: Deployment Task

    As you deploy to each group, monitor the deployment, run reports to confirm successful installations, and troubleshoot any problems with individual systems. If you chose to deploy server-based McAfee products, deploy them to specific systems, rather than groups or sites. Update tasks...
  • Page 47: Global Updating

    When using global updating, McAfee recommends scheduling a regular pull task (to update the master repository) at a time when network traffic is minimal. Although...
  • Page 48: Pull Tasks

    Use pull tasks to update your master repository with DAT and engine update packages from the source repository. DAT and engine files must be updated often. McAfee releases new DAT files daily and engine files less frequently. Deploy these packages to managed systems as soon as possible to protect them against the latest threats.
  • Page 49: Replication Tasks

    Full replication copies the entire contents of the master repository. McAfee recommends scheduling a daily incremental replication task and a weekly full replication task. This maximizes network bandwidth efficiency by updating only essential, incremental changes during the week and guarantees completeness.
  • Page 50: Repository Selection By Agents

    You can also tightly control which distributed repositories agents use for updating by enabling or disabling distributed repositories in the agent policy settings. McAfee does not recommend disabling repositories in the policy settings. Allowing agents to update from any distributed repository ensures they receive the updates.
  • Page 51: Checking In Product Deployment Packages Manually

    ® ePolicy Orchestrator 3.6 Walkthrough Guide Deploying the Agent and Products Checking in product deployment packages manually Checking in product deployment packages manually Check in the product deployment package (PKGCATALOG) files to the master repository to be able to deploy them using ePolicy Orchestrator. You must be a global administrator to check in product deployment packages.
  • Page 52: Configuring The Deployment Task To Install Products On Client Systems

    ® ePolicy Orchestrator 3.6 Walkthrough Guide Deploying the Agent and Products Configuring the deployment task to install products on client systems 11 In the console tree, select Repository | Software Repositories | Master. Figure 4-4 Packages list 12 In the details pane, scroll through the list and locate the product and version of the deployment package to verify the action was successful.
  • Page 53 ® ePolicy Orchestrator 3.6 Walkthrough Guide Deploying the Agent and Products Configuring the deployment task to install products on client systems 3 Select the Task tab and deselect Inherit under Schedule Settings. Figure 4-6 ePolicy Orchestrator Scheduler dialog box 4 Under Schedule Settings, select Enable (scheduled task runs at specified time)...
  • Page 54 ® ePolicy Orchestrator 3.6 Walkthrough Guide Deploying the Agent and Products Configuring the deployment task to install products on client systems 10 In the ePolicy Orchestrator Scheduler dialog box, select the Schedule tab. 11 Deselect Inherit to enable scheduling options. 12 Schedule as desired.
  • Page 55: Rogue System Detection

    Rogue System Detection Even though you already use ePolicy Orchestrator to manage your security products, your protection is only as good as your coverage. Deploying agents to the systems you know about in your network and keeping them up-to-date is only part of a comprehensive strategy.
  • Page 56 For example, if a system on the network happens to be browsing McAfee, packets appear on the local network with the IP address belonging to mcafee.com. The sensor detects systems on your local network only, so it ignores all such unicast packets because their sources cannot be guaranteed to be a local system.
  • Page 57 ® ePolicy Orchestrator 3.6 Walkthrough Guide Rogue System Detection The sensor packages the gathered information about the detected system into an XML message. It sends this message via secure HTTPS to the ePolicy Orchestrator server for processing. The server then queries the ePolicy Orchestrator database to determine whether the system is a rogue system.
  • Page 58: Machine Status And Rogue Type

    ® ePolicy Orchestrator 3.6 Walkthrough Guide Rogue System Detection Machine status and rogue type Machine status and rogue type are classifications ePolicy Orchestrator uses to determine which systems are rogue systems. Each detected system is listed in the Machine List table with a status and, if classified as a rogue system, a rogue type.
  • Page 59: Subnet Status

    ® ePolicy Orchestrator 3.6 Walkthrough Guide Rogue System Detection The following table lists and describes each rogue type and its description: Table 5-2 Types of rogue systems Rogue Type Description No Agent The detected system has no agent installed. This is the most common rogue type.
  • Page 60: Distributing Rogue System Sensors

    ® ePolicy Orchestrator 3.6 Walkthrough Guide Rogue System Detection Distributing Rogue System sensors Distributing Rogue System sensors The sensor reports only on detections occurring within its local broadcast segment. You must install at least one sensor per broadcast segment in your network for coverage. Depending on your network configuration, a broadcast segment may or may not be the same as a subnet.
  • Page 61: Installing The Sensor Manually

    ® ePolicy Orchestrator 3.6 Walkthrough Guide Rogue System Detection Taking actions on detected rogue systems manually For instructions, see the ePolicy Orchestrator 3.6 Product Guide. Installing the sensor manually If you do not want to deploy sensors from the ePolicy Orchestrator console, you can perform the installation manually.
  • Page 62: Configuring Automatic Responses For Specific Events

    ® ePolicy Orchestrator 3.6 Walkthrough Guide Rogue System Detection Configuring automatic responses for specific events Configuring automatic responses for specific events You can configure automatic responses so that ePolicy Orchestrator responds automatically to the Rogue System Detection events. There are two specific Rogue System Detection events for which you can configure automatic responses: Rogue Machine Detected.
  • Page 63 ® ePolicy Orchestrator 3.6 Walkthrough Guide Rogue System Detection Configuring automatic responses for specific events Table 5-5 Actions available for automatic responses Action Description Unmark for Action Deselects systems that you have already marked for action. Unmark as Exception Deselects systems that you have already marked as exceptions. Import and export exceptions from and to an XML file To prevent having to identify systems as exceptions again if you need to reinstall the ePolicy Orchestrator server, you can easily save your exceptions list to an XML file.
  • Page 64: Epolicy Orchestrator Notifications

    Outbreak situations. For example, 1000 virus detected events are received within five minutes. Compliance events from McAfee System Compliance Profiler. For example, systems are found that are not current with the latest Microsoft patches. High-level compliance of ePolicy Orchestrator server events. For example, a replication task did not complete.
  • Page 65: Throttling And Aggregation

    ® ePolicy Orchestrator 3.6 Walkthrough Guide ePolicy Orchestrator Notifications About Notifications When events occur on systems in your environment, they are delivered to the ePolicy Orchestrator server, and the notification rules (associated with the group or site that contains the affected systems and each parent above it) are applied to the events. If the conditions of any such rule are met, a notification message is sent, or an external command is run, per the rule’s configurations.
  • Page 66: Notification Rules And Directory Scenarios

    ® ePolicy Orchestrator 3.6 Walkthrough Guide ePolicy Orchestrator Notifications About Notifications Notification rules and Directory scenarios To show how this feature functions with the Directory, two scenarios are used. For both scenarios, we can assume that each group, site, and the Directory root of the console tree has a similar rule configured.
  • Page 67: Determining When Events Are Forwarded

    If you choose to have events sent immediately (as set by default in ePolicy Orchestrator Agent 3.5.0 McAfee Default policy), the agent forwards all events as soon as they are received. If you want all events sent to the ePolicy Orchestrator server immediately so that they can be processed by Notifications when the events occur, configure the agent to send them immediately.
  • Page 68: Determining Which Events Are Forwarded

    ® ePolicy Orchestrator 3.6 Walkthrough Guide ePolicy Orchestrator Notifications Determining which events are forwarded Determining which events are forwarded Along with being able to determine when events are forwarded to the server, you can also select which events are forwarded. If you choose not to select which events are forwarded, all events are forwarded.
  • Page 69: Rules

    ® ePolicy Orchestrator 3.6 Walkthrough Guide ePolicy Orchestrator Notifications Rules Rules Rules allow you to define when, how, and to whom, notifications are sent, as well as any executables you want to run when the rule is triggered. You can create or edit rules once you have made some specific configurations to the feature.
  • Page 70: Creating Rules

    ® ePolicy Orchestrator 3.6 Walkthrough Guide ePolicy Orchestrator Notifications Viewing the history of Notifications Table 6-1 Default notification rules Rule name Associated events Configurations Virus Detected and Not Virus detected and Sends a notification message: Removed not removed events from When the number of events exceeds any product.
  • Page 71: Notification Summary

    ® ePolicy Orchestrator 3.6 Walkthrough Guide ePolicy Orchestrator Notifications Viewing the history of Notifications Notification summary The Notification Summary page allows you to view a summary of the number of notifications sent by product, category, priority, or rule name: 1 In the console tree, select Notifications. 2 Select the Summary tab, then click...
  • Page 72 ® ePolicy Orchestrator 3.6 Walkthrough Guide ePolicy Orchestrator Notifications Viewing the history of Notifications Actual number of events Actual products Number of computers Selected products Affected computer IP Actual categories addresses Affected computer names Selected categories Source computers Actual threat or rule names Notification status Selected threat or rule names Notification type...
  • Page 73: Product And Component List

    ® ePolicy Orchestrator 3.6 Walkthrough Guide ePolicy Orchestrator Notifications Viewing the history of Notifications Product and component list You can configure rules to generate notification messages for specific event categories for specific products and components. This is a list of products and components for which you can configure rules and a list of all possible event categories.
  • Page 74 ® ePolicy Orchestrator 3.6 Walkthrough Guide ePolicy Orchestrator Notifications Viewing the history of Notifications Event categories for which rules can be configured: Access Protection rule violation System Compliance Profiler rule violation detected and blocked Non-compliant computer detected Access Protection rule violation Normal operation detected and NOT blocked On-access scan disabled...
  • Page 75: Outbreaks

    Outbreaks The most effective response to viruses is to know your system, have current anti-virus software installed, detect outbreaks early, then respond quickly and efficiently. An effective strategy includes both prevention as well as response. The ePolicy Orchestrator software can help reduce the costs of managing an outbreak. When you use ePolicy Orchestrator, you can manage all of your sites from a central location, which makes management easier, more efficient, and ensures consistently applied policies across your enterprise.
  • Page 76 Server task: Daily DAT & engine pull task. Description: Performs a repository pull for updated weekly DATs or engine files from the default source repository on the McAfee FTP site. The task is scheduled as Hourly, every hours. Daily incremental...
  • Page 77: Checklist - Are You Prepared For An Outbreak

    Your Microsoft products running on managed systems are up-to-date with the latest patches and Service Packs. (Generally, Microsoft releases these on a monthly basis.) You can use McAfee System Compliance Profiler to ensure all of your systems are compliant to the latest Microsoft patches and Service Packs.
  • Page 78: E-Mail Utilization Key Indicators

    Microsoft Exchange Performance Monitor counters register a change in the e-mail utilization levels. McAfee Outbreak Manager notifies you via e-mail that a potential outbreak may be indicated. McAfee Outbreak Manager analyzes incoming e-mail messages and identifies behaviors that are indicative of an outbreak.
  • Page 79 Run anti-virus coverage reports to ensure that anti-virus coverage on infected systems is complete. If you do not have a McAfee anti-virus product installed or do not have the ePolicy Orchestrator agent deployed to each system, you must manually scan the system...
  • Page 80 SECTION Lab Evaluation This section provides instructions for setting up a simple ePolicy Orchestrator implementation in a lab environment. Installing and setting up Advanced Feature Evaluations...
  • Page 81: Installing And Setting Up

    Installing and setting up This section describes how to install and deploy ePolicy Orchestrator in a test environment. It provides easy steps to get ePolicy Orchestrator 3.6 up and running quickly, and presents important features of the product. The steps, divided into two sections, are: Installation and Setup Install the ePolicy Orchestrator server and console.
  • Page 82: Setting Up A Lab Environment

    ® ePolicy Orchestrator 3.6 Walkthrough Guide Installing and setting up What is covered and what is not covered This section of the guide does not cover everything that ePolicy Orchestrator can do, for example, many advanced features and installation scenarios typical in real-world deployments.
  • Page 83 ® ePolicy Orchestrator 3.6 Walkthrough Guide Installing and setting up 2 Test network connectivity. From the system where you plan to install the ePolicy Orchestrator server, ping client systems where you plan to deploy agents. Start On the server, open a command window ( ) and type at the prompt.
  • Page 84 Before you start installing, get the installation files for ePolicy Orchestrator and VirusScan Enterprise from the McAfee web site or your product CD, if you have one. If you want to use the 30-day evaluation versions for your tests, download them from the McAfee web site.
  • Page 85 6 If you see a message box stating that your server does not have a static IP address, ignore it by clicking While McAfee recommends installing ePolicy Orchestrator on a system with a static IP address in your production environment, a DHCP-assigned IP address can be used for testing purposes.
  • Page 86 Some HTTP ports (ports 80 and 81 in particular) are commonly used by many HTTP applications and services. Because of this, port 80 may already be in use and not available. McAfee recommends changing the port number to avoid any conflicts. 13 Click Next to save the port information.
  • Page 87 Now your server is installed and running. Open the ePolicy Orchestrator console to begin using ePolicy Orchestrator to manage policies on your network. To open the console from your ePolicy Orchestrator server: 1 Click the Start button, then select Programs | McAfee | ePolicy Orchestrator 3.6.0 Console. Start Page...
  • Page 88: Add Systems To Your Directory

    Other typical methods of grouping include, but are not limited to: Geographical divisions. If you have locations in various portions of the world, or in multiple time zones, you may want to divide your ePolicy Orchestrator Directory according to those divisions.
  • Page 89 9 In the Add Sites dialog box, make sure that Send agent package is NOT selected and click to create and populate the sites in the Directory. Although you can deploy agents at this point, you will do that in a later step once we have modified the agent policy settings.
  • Page 90 To add Active Directory containers and sub-containers to your Directory: 1 Right-click Directory, and select New | Site. 2 In the Add Sites dialog box, click 3 In the New Site dialog box, type a name for the site, for example Container1, then click...
  • Page 91 12 Click Finish. The Active Directory systems have been imported into the Lost&Found group of the site to which you imported them. If your Active Directory container included sub-containers, the Lost&Found group retains the Active Directory hierarchy. 13 Click and drag the top of this structure from the Lost&Found group to the Container1 site above it.
  • Page 92: Organize Systems Into Groups For Servers And Workstations

    Organize systems into groups for servers and workstations Depending on how you’ve created your sites and populated the Directory, you may need to create additional groups and further levels of organization in your Directory. For example, by operating system.
  • Page 93 While dragging systems into groups, ignore the IP Integrity warning message if you see it by clicking To create additional groups and subgroups as needed: Repeat all these steps to create a server group for your site, as well as additional server and workstation groups for other sites, if you have them.
  • Page 94: Configure The Agent Policy Settings Before Deployment

    From the Directory in the console tree, you can install the agent on each system in a site at once. To do this, send an agent install command to the site. Because of inheritance, you can specify an agent installation at the parent site (or group) level and all child nodes inherit the command.
  • Page 95: Deploy Agents

    6 On the General tab, select Show Agent tray icon. Figure 8-4 General tab 7 Click Apply All, then click Close. The new policy is created and added to the Policy Catalog page.
  • Page 96 4 Repeat these steps for other sites. The agent installations begin immediately. Deploying agents to systems running Windows 95, Windows 98, or Windows Me When deploying agents to systems running Windows 95, Windows 98, or Windows Me remember that the installation does not complete until the next time the system logs back onto the network.
  • Page 97: Installing Agent Manually On Client Systems

    By default, FRAMEPKG.EXE is located in the following folder on your ePolicy Orchestrator server: C:\Program Files\Mcafee\ePO\3.6.0\DB\Software\Current\EPOAGENT3000\Install\0409 To install the agent manually: 1 Copy the FRAMEPKG.EXE file to the local client or network folder accessible from the...
  • Page 98: Add Virusscan Enterprise To The Master Repository

    McAfee ATALOG IEVAL (see Get installation files from McAfee on page 81). To check in the VirusScan Enterprise 8.0i package to your master repository: Repository 1 In the console tree, select Check in Package...
  • Page 99: Pull Updates From Mcafee Source Repository

    VirusScan 4.5.1 installation files. Pull updates from McAfee source repository Use the McAfee HTTP or FTP site as your source repository, from which you can update your master repository with the latest DAT and engine files. Initiate a pull from the...
  • Page 100 7 Monitor the task status until it completes. Now you have checked in VirusScan Enterprise to your master repository and also updated the master repository with the latest DAT and engine files from the McAfee source repository. The systems located in the same domain as your ePolicy...
  • Page 101: Create A Distributed Repository

    But where do other systems get their software and updates? If these systems are located in different subnets or a WAN-connected location, it may be more efficient to create a distributed repository that is more easily accessible to these systems.
  • Page 102: Add The Distributed Repository To The Epolicy Orchestrator Server

    4 Click to accept all other defaults and enable sharing for this folder. Creating a UNC share in this way could be a potential security problem in a production environment, because it allows everyone on your network access to the share.
  • Page 103 4 Type a Name. Note this is the name that appears in the repository list in the ePolicy Orchestrator console. It does not need to be the same as the name of the shared folder that actually hosts the repository.
  • Page 104: Replicate Master Repository Data To Distributed Repository

    Replicate master repository data to distributed repository Now you have created a UNC share on a system to host a distributed repository, and added the repository location to your ePolicy Orchestrator database. Now, all that is missing in the new repository is data.
  • Page 105 5 Select Duplicate the following policy, then select the policy you created earlier (to display the agent system tray icon) from the drop-down list. 6 Provide a New policy name for the policy (for example,...
  • Page 106 1 In the console tree, select your workstations group. 2 In the details pane, select the Policies tab. 3 Select VirusScan Enterprise 8.0.0, then click Edit at the end of the User Interface Policies...
  • Page 107 3 Click the Task tab and deselect Inherit under Schedule Settings. Figure 8-9 ePolicy Orchestrator Scheduler dialog box 4 Under Schedule Settings, select Enable (scheduled task runs at specified time). Settings...
  • Page 108 3 Click the Task tab and deselect Inherit under Schedule Settings. 4 Under Schedule Settings, select Enable (scheduled task runs at specified time). 5 Click the Settings button.
  • Page 109 Once the report has generated, the results should show the number of servers and workstations on which VirusScan 4.5.1 and VirusScan Enterprise 8.0i are currently installed. If you later deploy other products, such as McAfee Desktop Firewall, they show up in this report as well.
  • Page 110 DAT file update. You will likely be required to do this at some point; for example, if McAfee releases updated DAT files in response to a newly-discovered virus and you want your client systems to update without waiting for their regularly scheduled task.
  • Page 111: Schedule Automatic Repository Synchronization

    8 Select Enable. 9 Click Settings, then deselect Inherit on the Update tab. 10 Ensure that This task updates only the following components is selected.
  • Page 112: Schedule A Pull Task To Update Master Repository Daily

    Pull tasks update your master software repository with the latest DAT and engine updates from the source repository. By default, your source repository is the McAfee web site. Let’s create a scheduled pull task to pull the latest updates from the McAfee web site once per day.
  • Page 113: Schedule A Replication Task To Update Your Distributed Repository

    10 Select in the drop-down list. 11 Leave the destination branch set to Current. 12 If you have older versions of McAfee products, such as VirusScan 4.5.1, in your test network, select Support Legacy product update. 13 Click Finish. Wait a moment while the task is created.
  • Page 114: Use Superagents To Wake Up All Agents On The Network

    The global updating feature is useful in a virus outbreak situation. Assume that McAfee’s AVERT team has posted updated DAT files in response to a newly-discovered virus. With global updating enabled, you simply initiate a pull task from your ePolicy Orchestrator console to update your master software repository with the new DAT files.
  • Page 115: Convert An Agent On Each Subnet Into A Superagent

    Convert an agent on each subnet into a SuperAgent You can turn any regular ePolicy Orchestrator agent into a SuperAgent. Use the ePolicy Orchestrator Agent policy pages to do this.
  • Page 116: Enable Global Updating On Epolicy Orchestrator Server

    VirusScan Enterprise. Please refer to the ePolicy Orchestrator 3.6 Product Guide, the VirusScan Enterprise 8.0i Product Guide, and the VirusScan Enterprise 8.0i Configuration Guide for complete information on advanced product features. These and other helpful resources are available for download from the McAfee web site.
  • Page 117: Advanced Feature Evaluations

    Advanced Feature Evaluations This section of the guide demonstrates how you can configure and use two of the advanced features not covered in the previous section: ePolicy Orchestrator Notification. Rogue System Detection on page 118. ePolicy Orchestrator Notification Real-time information about threat and compliance activity on your network is essential to your success.
  • Page 118 1 Click Notifications in the console tree, then select the Configuration | Basic Configuration tab in the details pane. Figure 9-1 Basic Configuration 2 Under E-mail Server, type the name of a mail server to which the ePolicy Orchestrator server can route, and the desired e-mail address that you want to appear in the From line of the message.
  • Page 119 Step: Create a rule for any VirusScan Enterprise event. You can create a variety of rules to handle nearly any category of events that are received from your managed security products.
  • Page 120 Throttling receiving another message ( ). Throttling is almost always recommended by McAfee to prevent a flood of messages during an outbreak situation. Figure 9-3 Set Thresholds page Send a notification for every event Next...
  • Page 121: Rogue System Detection

    Step: Providing a sample virus detection. Now that you have configured the feature and created a rule to trigger on event files from VirusScan Enterprise, you are ready to provide an event file that triggers the rule. 1 Download to one of the workstation test systems.
  • Page 122 In this section, you will: Configure Rogue System Detection sensor policy. Deploy the Rogue System Detection sensor. Configure an automatic response. Rogue detection and remediation. Step: Configure Rogue System Detection sensor policy. Before deploying the Rogue System Detection sensor, you should first configure the sensor policy.
  • Page 123 Step: Deploy the Rogue System Detection sensor. The sensor is the distributed portion of the Rogue System Detection architecture. Sensors detect the systems, routers, printers, and other network devices connected to your network.
  • Page 124 6 Click Next, then select the checkbox next to the desired system to which you want to deploy a sensor, click Mark for Deployment, then click Next. The Sensor Deployment: Review and Approve...
  • Page 125 This response checks the detected system for an agent of another ePolicy Orchestrator server. Figure 9-5 Automatic Responses page 3 Click Add Automatic Response to display the Add or Edit Automatic Response page.
  • Page 126 Step: Rogue detection and remediation. Now you need to introduce a system into the test environment that does not have an agent. You can do this by several methods, such as joining a laptop to the test network, or by moving a system from an outside domain to the test domain you created earlier.
