manualshive.com logo in svg

McAfee ePolicy Orchestrator, Manual, Page: 67 / 126

Share
Download
McAfee ePolicy Orchestrator Manual Download Page 67

64

ePolicy Orchestrator

®

3.6 Walkthrough Guide

ePolicy Orchestrator Notifications

Determining when events are forwarded

6

Scenario two

For this scenario, 50 virus infections are detected in 

Group2C

 and 50 virus infections are 

detected in 

Group3B

 within 60 minutes in a single day.

Conditions of the 

VirusDetected_Directory

 rule are met, sending notification messages (or 

launching registered executables) per the rules’ configurations. This the only rule that 
can be applied to all 100 events. 

Determining when events are forwarded

The ePolicy Orchestrator server receives notifications from the Common Management 
Agent (

CMA

). You must configure its policy pages to forward events either immediately 

to the ePolicy Orchestrator server or only at agent-to-server communication intervals. 

If you choose to have events sent immediately (as set by default in ePolicy Orchestrator 
Agent 3.5.0 McAfee Default policy), the agent forwards all events as soon as they are 
received. If you want all events sent to the ePolicy Orchestrator server immediately so 
that they can be processed by Notifications when the events occur, configure the agent 
to send them immediately.

If you choose not to have events sent immediately, the agent only forwards events 
immediately that are designated by the issuing product as high priority. Other events 
are only sent at the agent-to-server communication intervals. 

If the currently applied named policy is not set for immediate uploading of events, 
either edit the currently applied named policy or create a new named policy for the 

ePO 

Agent 3.5.0 | Configuration

 policy pages. This setting is configured on the 

Events

 tab of 

these policy pages.

Figure 6-2  Console tree

Summary of Contents for ePolicy Orchestrator

Page 1: ...Walkthrough Guide revision 2 0 ePolicy Orchestrator A product overview and quick set up in a test environment version 3 6 McAfee System Protection Industry leading intrusion prevention solutions...

Page 2: ......

Page 3: ...Walkthrough Guide revision 2 0 ePolicy Orchestrator A product overview and quick set up in a test environment version 3 6 McAfee System Protection Industry leading intrusion prevention solutions...

Page 4: ...ellent Chicago Inc Software copyrighted by Thai Open Source Software Center Ltd and Clark Cooper 1998 1999 2000 Software copyrighted by Expat maintainers Software copyrighted by The Regents of the Uni...

Page 5: ...concepts and roles 18 About ePolicy Orchestrator roles 19 Organizing the Directory 21 Environmental borders 22 IP address filters and sorting 23 Repositories 25 Source repository 25 Fallback reposito...

Page 6: ...56 Distributing Rogue System sensors 57 Deploying Rogue System sensors 57 Installing the sensor manually 58 Taking actions on detected rogue systems manually 58 Configuring automatic responses for sp...

Page 7: ...ed folder on the system to use as a repository 98 Add the distributed repository to the ePolicy Orchestrator server 99 Replicate master repository data to distributed repository 101 Configure remote s...

Page 8: ...a walkthrough of conceptual and best practices information Introduction Installing or Upgrading the Server Organizing the Directory and Repositories Deploying the Agent and Products Rogue System Detec...

Page 9: ...r all across your entire network Components of ePolicy Orchestrator Policy properties and events Tasks services and accounts Components of ePolicy Orchestrator ePolicy Orchestrator is made up of sever...

Page 10: ...Controls data access to and from the ePolicy Orchestrator database The ePolicy Orchestrator server should be hosted on a dedicated server Typically the ePolicy Orchestrator server is accessed via remo...

Page 11: ...stem a system without an ePolicy Orchestrator agent enters the environment and can then initiate a user defined automatic response on that system such as deploying an agent to it Sensors listen to all...

Page 12: ...n the policy within five minutes New to version 3 6 is the ability to create named policies that you can assign to independent locations of the Directory Properties Properties are collected from each...

Page 13: ...icatingSuperAgent repositories McAfee Framework Service ePolicy Orchestrator server account Then the local system account installs them Accessing ePolicy Orchestrator Notification McAfee ePolicy Orche...

Page 14: ...ly specifying the user name and password Credentials with administrator rights to the desired systems Stored in the encrypted CONSOLE INI file Note These are the minimum requirements The number of sys...

Page 15: ...ocated in the Hardware Sizing and Bandwidth Usage White Paper Installing for the first time Installing or upgrading the ePolicy Orchestrator server is straight forward using a standard installation wi...

Page 16: ...server systems and scan for viruses Install and or update firewall software on the ePolicy Orchestrator server system For example Desktop Firewall 8 5 Notify the network staff of the ports you intend...

Page 17: ...te with the server The default port is 81 This port can be changed after installation Agent Wake Up communication port This is the port used to send agent wakeup calls The default port is 8081 This po...

Page 18: ...n Pilot 1 0 or later Evaluation versions of ePolicy Orchestrator 3 6 This section provides information on Preparation Information to have during the upgrade Upgrading issues Preparation Before upgradi...

Page 19: ...be changed after installation Agent Wake Up communication port This is the port used to send agent wakeup calls The default port is 8081 This port can be changed after installation Agent Broadcast co...

Page 20: ...ation and procedures to upgrade to ePolicy Orchestrator 3 6 see the ePolicy Orchestrator 3 6 Installation Guide Upgrading issues If your agents are not upgrading to version 3 5 agents and you re runni...

Page 21: ...e groupings in one place rather than having to set policies for individual systems It can also make visually browsing your Directory much easier Before discussing Directory organization further it is...

Page 22: ...llows you to set policies and schedule scan tasks in fewer places However inheritance can be turned off at any location of the Directory to allow for customization About ePolicy Orchestrator roles If...

Page 23: ...abs in the Events dialog box if using ePolicy Orchestrator authentication Import events into ePolicy Orchestrator databases and limit events that are stored there Create rename or delete sites Site ad...

Page 24: ...the best way to divide systems into sites and groups prior to building the Directory Sites A site is a primary level unit immediately under the Directory root in the console tree Traits of sites inclu...

Page 25: ...domains or Active Directory containers The better organized your network environment the easier it is to create and use the Directory Geographical If your organization includes facilities in multiple...

Page 26: ...its reflect your needs to organize systems for policy management consider using them to create your Directory structure by setting IP address filters for sites and groups ePolicy Orchestrator provides...

Page 27: ...domain name match in any site the server adds the system to the global Lost Found Best practices information This feature is useful when not using ePolicy Orchestrator to deploy agents to systems on y...

Page 28: ...be checked into the master repository manually Fallback repository The fallback repository is a repository from which managed systems can retrieve updates when their usual repositories are not accessi...

Page 29: ...onnect for updates Servers are better than workstations because they are more likely to be running all the time Types of distributed repositories ePolicy Orchestrator supports four different types of...

Page 30: ...e unable to utilize SuperAgent repositories create a UNC shared folder to host a distributed repository on an existing server Be sure to enable sharing across the network for the folder so that the eP...

Page 31: ...stalled agent Due to the variety of network environments McAfee provides several methods for you to get the agent on to the systems you want to manage About the ePolicy Orchestrator agent Consider the...

Page 32: ...agent retrieves only language packages for the locales being used on each managed system Multiple language packages can be stored on managed systems at the same time to allow users to switch between a...

Page 33: ...om agent installation package FRAMEPKG EXE with embedded administrator credentials if users do not have local administrator permissions The user account credentials you embed are used to install the a...

Page 34: ...communication interval ASCI is set on the General tab of the ePO Agent 3 5 0 policy pages This setting determines how often the agent calls into the server for data exchange and updated instructions B...

Page 35: ...calls can be sent manually or scheduled as a task and are useful when you have made policy changes or checked in updates to the master repository that you want to be applied to the managed systems so...

Page 36: ...ns first analyze the divisions of broadcast segments in your environment and select a system preferably a server to host the SuperAgent Any agents that do not have a SuperAgent in the local broadcast...

Page 37: ...a backup copy is made AGENT_ COMPUTER _BACKUP LOG Distributing agents Due to the variety of scenarios and requirements of different environments there are several methods you can use to distribute the...

Page 38: ...his is an efficient method if you are not using ePolicy Orchestrator to deploy the agent or if you have many Windows 95 and Windows 98 systems and do not want to enable file and print sharing on them...

Page 39: ...stem name or IP address If the systems are properly connected over the network your credentials have sufficient rights and the Admin shared folder is present you should see a Windows Explorer dialog b...

Page 40: ...onto the network If no agent is present the batch file can install the agent before allowing the system to log on Within ten minutes of being installed the agent calls into the server for updated poli...

Page 41: ...products that use the AutoUpdate updater such as VirusScan Enterprise install with the agent in a disabled state When you want to start managing these products with ePolicy Orchestrator you do not ne...

Page 42: ...n use many of these tools such as Microsoft Systems Management Server SMS IBM Tivoli or Novell ZENworks to deploy agents Configure your deployment tool of choice to distribute the FRAMEPKG EXE agent i...

Page 43: ...lobal administrators can check these package types into the master repository with pull tasks or manually Table 4 3 Supported packaged types Package type Description Origination Virus definition DAT f...

Page 44: ...trieve EXTRA DAT files McAfee web site Download and check supplemental virus definition files into the master repository manually Product deployment packages File type PKGCATALOG Z A product deploymen...

Page 45: ...s cannot be reordered once they are checked in You must remove them and check them back in in the proper order If you check in a package that supersedes an existing package the existing package is rem...

Page 46: ...ed systems In addition to potentially overwhelming the ePolicy Orchestrator server or your network deploying products to many systems can make troubleshooting problems complicated Consider a phased ro...

Page 47: ...ine packages are released less frequently Create and schedule additional update tasks for products that do not use the agent for Windows Use the Run missed task option This can be useful if systems ar...

Page 48: ...tory from which to update Pull tasks Use pull tasks to update your master repository with DAT and engine update packages from the source repository DAT and engine files must be updated often McAfee re...

Page 49: ...ory that are not yet in the distributed repository Full replication copies the entire contents of the master repository Repository selection New distributed repositories are added to the repository li...

Page 50: ...ble bandwidth isn t wasted transferring unnecessary files You can use selective updating with both global updating and update tasks You can also use this feature to selectively update only those compo...

Page 51: ...t to a temporary folder on your ePolicy Orchestrator server 3 In the console tree select Repository 4 In the details pane under AutoUpdate Tasks click Check in package The Check in package wizard appe...

Page 52: ...ful 13 If you are using distributed repositories in your environment be sure to replicate the package to them Configuring the deployment task to install products on client systems To deploy products u...

Page 53: ...ugh ePolicy Orchestrator The products listed are those for which you have already checked in a PKGCATALOG Z file to the master repository If you do not see the product you want to deploy listed here y...

Page 54: ...or Scheduler dialog box select the Schedule tab 11 Deselect Inherit to enable scheduling options 12 Schedule as desired 13 Click OK to save your changes In the task list on the Tasks tab of the detail...

Page 55: ...ems by means of a sensor placed on at least one system within each network broadcast segment typically a subnet The sensor listens to network broadcast messages and spots when a new system has connect...

Page 56: ...munication to the server by only relaying new system detections and to ignore any re detected systems for a user configurable time For example the Rogue System sensor detects itself among the list of...

Page 57: ...e sensors in each subnet results in traffic sent from each sensor to the server While maintaining as many as five or ten sensors in a broadcast segment should not cause any bandwidth issues you should...

Page 58: ...n agent installed with a network login script at its initial logon Since the initial agent call to the server may take up to ten minutes the rogue system sensor detects the system before the agent com...

Page 59: ...at are not really rogue systems The grace period is disabled by default so all systems without agents are classified as Rogue No Agent You might consider enabling the grace period if you are configuri...

Page 60: ...you allow Rogue system Detection to pick systems automatically on the subnet you can specify criteria for choosing systems You can specify any or all of the criteria listed here when configuring autom...

Page 61: ...t table Some of these are covered in greater detail in following sections Table 5 4 Available manual actions Action Description Add to ePO tree Adds a system node to a Rogue System site in the Directo...

Page 62: ...uters and printers For example in your organization you may reserve a range of IP addresses within each subnet for network equipment such as routers switches and printers You can create an automatic r...

Page 63: ...cy Orchestrator server you can easily save your exceptions list to an XML file This XML exceptions list preserves your exceptions information so you can re import it if needed For instructions see the...

Page 64: ...t Although almost any anti virus software product is supported events from VirusScan Enterprise 8 0i include the IP address of the source attacker so that you can isolate the system infecting the rest...

Page 65: ...otification message if a specified number of virus detection events occur within the entire Directory Throttling and aggregation You can configure when notification messages are sent by setting thresh...

Page 66: ...message when 100 virus infection events have been received from any product within 60 minutes For reference purposes each rule is named VirusDetected_ node name where nodename is the name of the node...

Page 67: ...ent to server communication intervals If you choose to have events sent immediately as set by default in ePolicy Orchestrator Agent 3 5 0 McAfee Default policy the agent forwards all events as soon as...

Page 68: ...ng The types of events both product and server that could generate and send a notification message in your environment Who should receive which notifications For example it may not be necessary to not...

Page 69: ...f Notifications For instructions see the ePolicy Orchestrator 3 6 Product Guide Default rules ePolicy Orchestrator provides six default rules that you can enable for immediate use while you learn more...

Page 70: ...ns sent Virus detected and not removed Virus Detected and Not Removed events from any product Sends a notification message When the number of events exceeds 1000 within an hour At most once every two...

Page 71: ...ing the column title 1 In the console tree select Notifications under the desired Directory in the console tree 2 Select the Log tab then click List 3 Click any column title for example Notification T...

Page 72: ...ate multiple conditions on which to filter the Notification List You can filter notification log items based on Sites Received products Actual event categories Priority of the notification message Rul...

Page 73: ...mponents This is a list of products and components for which you can configure rules and a list of all possible event categories Dr Ahn Desktop Firewall Entercept ePO Server ePO Agent GroupShield Domi...

Page 74: ...us detected heuristic and removed Unwanted program detected heuristic and NOT removed Unwanted program detected heuristic and removed Intrusion detected System Compliance Profiler rule violation Non c...

Page 75: ...llowing topics Tasks to do on a daily or weekly basis to stay prepared Checklist Are you prepared for an outbreak Other methods to recognize an outbreak Checklist You think an outbreak is occurring Ta...

Page 76: ...es them in an Inactive Agents group Table 7 2 Suggested client tasks Client task Task type Description Daily DAT only client update task agent Update Update DATs every day for products using the CMA c...

Page 77: ...ms are up to date with the latest patches and Service Packs Generally Microsoft releases these on a monthy basis You can use McAfee System Compliance Profiler to ensure all of your systems are complia...

Page 78: ...ata that can help identify if an outbreak is occurring Virus detection events The following events are indicators that a virus has been detected A notification message is received from the ePolicy Orc...

Page 79: ...EXTRA DAT and full virus definition DAT files Update the virus scanning engine Perform an on demand scan of infected systems Run anti virus coverage reports to ensure that anti virus coverage on infe...

Page 80: ...E C T I O N 2 Lab Evaluation This section provides instructions for setting up a simple ePolicy Orchestrator implementation in a lab environment Installing and setting up Advanced Feature Evaluations...

Page 81: ...Install the ePolicy Orchestrator server and console 2 Create your Directory of managed systems 3 Deploy agents to the systems in your Directory 4 Set up master and distributed repositories 5 Set Virus...

Page 82: ...deploy the agent to systems outside the local NT domain where the ePolicy Orchestrator server resides you must create a trusted connection between the domains This connection is required for the serve...

Page 83: ...e Admin share folder is present and you see a Windows Explorer dialog box 4 Install Microsoft updates on Windows 95 Windows 98 or Windows Me client systems If your test systems are running Windows 95...

Page 84: ...e files from the McAfee web site 1 From the system on which you plan to install the ePolicy Orchestrator server and console open a web browser and go to http www mcafeesecurity com us downloads evals...

Page 85: ...the product evaluation 5 On Installation Options select Install Server and Console and click Next You can also change the installation folder if desired 6 If you see a message box stating that your se...

Page 86: ...og box type the e mail address to which the default notification rules send messages once they are enabled This e mail address is used by the ePolicy Orchestrator Notifications feature This feature is...

Page 87: ...on your network you must add those systems to your ePolicy Orchestrator Directory After installing the server you initially have one system in the Directory the ePolicy Orchestrator server itself To o...

Page 88: ...nvironment is controlled by Active Directory and if you want portions of your ePolicy Orchestrator Directory to mirror portions of your Active Directory Option C Manually add individual systems to you...

Page 89: ...lows you to import all systems in an Active Directory container and its sub containers into your Directory with just a few clicks Use this feature if you organized your test client systems into Active...

Page 90: ...p down list then click Next 8 On the Active Directory Authentication panel type Active Directory user credentials with administrative rights for the Active Directory server 9 In the Active Directory S...

Page 91: ...onsider populating the Directory automatically by importing your NT domains or Acitve Directory containers as shown in the previous sections However for testing purposes in a small lab environment you...

Page 92: ...es of systems that belong to this site c Click OK to save the IP settings and close the IP Management dialog box 5 Click OK to close the New Group dialog box The group is added to the Groups to be add...

Page 93: ...cy Orchestrator server for updates and new instructions Deploying the agent from the ePolicy Orchestrator server requires the following A network account with administrator privileges You must specify...

Page 94: ...ent You can deploy agents with the default policy settings However for testing purposes modify the policy settings to allow the agent tray icon to display in the Windows system tray on the client syst...

Page 95: ...end of the Configuration row 4 Select the name of the new policy for example New Agent Policy from the Policy Name drop down list 5 Click Apply Now your policies are set and your agents are ready to d...

Page 96: ...ed status In the meantime you can check the ePolicy Orchestrator server for events which can alert you of failed agent installations To view server events 1 In the console tree of the ePolicy Orchestr...

Page 97: ...ent 2 Run FRAMEPKG EXE by double clicking it Wait a few moments while the agent installs At some random interval within ten minutes the agent reports back to the ePolicy Orchestrator server for the fi...

Page 98: ...e quickly from local servers than across a WAN to your ePolicy Orchestrator server Domains and Active Directory containers can be geographically separated and connected via a WAN In this case create a...

Page 99: ...VirusScan 4 5 1 to these systems To do this repeat the same procedure above to check in the VirusScan 4 5 1 deployment package to the software repository The 4 5 1 package is also called PkgCatalog z...

Page 100: ...how to do this To initiate manual pull from the McAfee source repository 1 In the console tree select Repository 2 In the details pane select Pull now The Pull Now wizard appears 3 Click Next 4 Selec...

Page 101: ...repository on the ePolicy Orchestrator server You can use FTP HTTP or UNC to replicate data from the master repository to your distributed repositories This guide describes creating a UNC share distri...

Page 102: ...ory pane 3 Click Next at the first page of the wizard Caution Creating a UNC share in this way could be a potential security problem in a production environment because it allows everyone on your netw...

Page 103: ...t the share is accessible to client systems If your site is not verified check that you typed the UNC path correctly on the previous wizard page and that you configured sharing correctly for the folde...

Page 104: ...ion to save time and bandwidth 6 Click Finish to begin replication The Server Task Log appears 7 Monitor the status of the task until it completes If you browse to your ePOShare folder now you can see...

Page 105: ...n if not specifically configured to do this On the other hand if the distributed repository were unavailable for any reason the client could still update from other repositories on the network if nece...

Page 106: ...tems are added to your Directory and they all have ePolicy Orchestrator agents installed on them You ve defined your VirusScan Enterprise policies for servers and workstations You are now ready to hav...

Page 107: ...stall VirusScan Enterprise on all client systems in your test site The deployment occurs the next time the agents call back to the ePolicy Orchestrator server for updated instructions You can also ini...

Page 108: ...that the VirusScan Enterprise deployment is set to install rather than ignore The agents then pull the VirusScan Enterprise PkgCatalog z file from the repository and install VirusScan Enterprise Note...

Page 109: ...ur before the database has been updated with the new status To run a Product Protection Summary report 1 In the console tree select Reporting ePO Databases ePO_ePOServer ePOServer is the name of the e...

Page 110: ...e to perform an update task To create and run a client update task 1 In the console tree right click Directory All Tasks Schedule task 2 In the Schedule Task dialog box type a name into the New Task N...

Page 111: ...o do this 1 From the console tree select the ePolicy Orchestrator server then select the General tab 2 Under MyAVERT Security Threats check which DAT file version is Current in Repository This should...

Page 112: ...edule a pull task to update master repository daily Pull tasks update your master software repository with the latest DAT and engine updates from the source repository By default your source repositor...

Page 113: ...tory are also automatically replicated to your distributed repository To do this create a replication task and schedule it to occur every day after the scheduled pull task you already created To sched...

Page 114: ...console to update your master software repository with the new DAT files ePolicy Orchestrator s global updating feature does the rest updating the DAT files for all systems running active communicatin...

Page 115: ...following policy then select the policy you created earlier to display the agent system tray icon from the drop down list 6 Provide a New policy name for the policy for example SuperAgent Policy then...

Page 116: ...the change Now that you have SuperAgents deployed to subnets your network and global updating enabled any time you change the DAT files engine files or VirusScan Enterprise 8 0i files in your master...

Page 117: ...ver The ability to set aggregation and throttling controls on a per rule basis allows you to define when and when not notification messages are sent Although you can create any number of rules to noti...

Page 118: ...izard If you did not change the default address in the wizard the address is Administrator example com If the address for Administrator is one that you are not able to view the mail sent to it then cl...

Page 119: ...ave the default Directory for the Defined At text box You can define rules for the Directory or any site within the Directory 3 Provide a name for the rule in the Rule Name text box For example Virus...

Page 120: ...This specifies that the e mail address you configured for the Administrator contact is sent the notification message you are about to configure 9 Type a Subject for the e mail that will be sent to Adm...

Page 121: ...uently log on and off the network such as test servers laptop systems or wireless devices End users also uninstall or disable agents on their workstations These unprotected systems are the Achilles he...

Page 122: ...sensor policy speed up this process for this purpose of this guide 1 In the console tree select Directory 2 In the details pane select the Policy tab then select Rogue System Sensor 1 0 0 3 Click Edi...

Page 123: ...ormation about the sensor and how it functions see Chapter 11 Rogue System Detection in the ePolicy Orchestrator 3 6 Product Guide Depending on how you have your test environment set up you may have m...

Page 124: ...to view a summary of detected systems Now that the sensor is deployed and installed you are ready to configure a response for the feature to take on a rogue when one is detected S T E P 6 Configure an...

Page 125: ...ty list 6 Select is for the Comparison and No Agent for the Value 7 Under Actions change the default Send E mail action to Push ePO Agent as the Method and accept the default Parameters 8 Click OK 9 S...

Page 126: ...is list take a five minute break to provide time for the agent installation 4 Once the agent installation completes the system has a Rogue Type of Managed You are not finished yet You still must place...

Reviews:

No comments