
ePolicy Orchestrator® 3.6 Walkthrough Guide

ePolicy Orchestrator Notifications

About Notifications


When events occur on systems in your environment, they are delivered to the ePolicy 
Orchestrator server, and the notification rules (those associated with the group or site that 
contains the affected systems, and with each parent above it) are applied to the events. If the 
conditions of any such rule are met, a notification message is sent or an external 
command is run, as that rule's configuration specifies.

This design allows you to configure independent rules at the different levels of the 
Directory. These rules can have different:

• Thresholds used to send a notification message. For example, a site administrator 
  wants to be notified if viruses are detected on 100 systems within 10 minutes on 
  the site, but a global administrator does not want to be notified unless viruses are 
  detected on 1000 systems within the same amount of time within the entire 
  environment.

• Recipients for the notification message. For example, a site administrator wants to 
  receive a notification message only if a specified number of virus detection events 
  occur within the site. Or, a global administrator wants each site administrator to 
  receive a notification message if a specified number of virus detection events occur 
  within the entire Directory.

Throttling and aggregation

You can configure when notification messages are sent by setting thresholds based on 
aggregation and throttling.

Aggregation

Use aggregation to determine the thresholds of events at which the rule sends a 
notification message. For example, you can configure the same rule to send a 
notification message when the ePolicy Orchestrator server receives 100 virus detection 
events from different systems within an hour, or whenever it has received 1000 virus 
detection events altogether from any system.

Throttling

Once you have configured the rule to notify you of a possible outbreak situation, you 
may want to use throttling to ensure you do not get too many notification messages. If 
you are administering a large network, then you may be receiving tens of thousands of 
events during an hour, creating thousands of notification messages based on such a 
rule. ePolicy Orchestrator Notifications allows you to throttle the number of notification 
messages you receive based on a single rule. For example, you can specify in this same 
rule that you don’t want to receive more than one notification message in an hour.

When using throttling, the notification message received contains a summary of events 
that occurred within the throttling period that would have triggered the rule otherwise.
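The following is an added example, not code from the guide or from McAfee, that models how the rule behaviour described in this chapter fits together: rules attached to a Directory node apply to events from that node and from every node beneath it, aggregation fires a rule either on a count within a time window or on a running total, and throttling limits a rule to one message per period while summarising the events it suppressed. The Rule class, its observe and applies_to methods, the dispatch function, the small thresholds and the event scenario are all constructed for illustration (the guide's own examples use 100 and 1000 events). One behaviour is an assumption rather than something the page states: the aggregation window keeps sliding after the rule fires, so an unthrottled rule fires again on every further event above the threshold, which is the flood the Throttling paragraph warns about.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    """One notification rule defined at a Directory node (site or group).

    Aggregation: fire when `window_count` events arrive within `window_seconds`,
    or when `total_count` events have been seen altogether (either condition).
    Throttling: send at most one message per `throttle_seconds`; events that
    would have fired in between are held and summarised in the next message.
    This is a hypothetical model, not the product's internals.
    """
    name: str
    defined_at: str
    window_count: int
    window_seconds: int
    total_count: Optional[int] = None
    throttle_seconds: int = 0
    # runtime state
    recent: deque = field(default_factory=deque)   # timestamps inside the window
    total: int = 0                                   # events seen altogether
    last_sent: Optional[int] = None                  # time of the last message
    held: list = field(default_factory=list)         # events suppressed by throttling

    def applies_to(self, path):
        """Rules apply at the node containing the system and at every parent above it."""
        return self.defined_at in path

    def observe(self, ts, system):
        """Feed one event; return a notification dict, or None if nothing is sent."""
        self.total += 1
        self.recent.append(ts)
        # assumption: a plain sliding window that is not reset after the rule fires
        while self.recent and ts - self.recent[0] > self.window_seconds:
            self.recent.popleft()
        triggered = len(self.recent) >= self.window_count or (
            self.total_count is not None and self.total >= self.total_count)
        if not triggered:
            return None
        if self.last_sent is not None and ts - self.last_sent < self.throttle_seconds:
            self.held.append((ts, system))       # would have fired; throttled instead
            return None
        message = {
            "rule": self.name,
            "at": ts,
            "system": system,
            "events_in_window": len(self.recent),
            "suppressed_since_last": len(self.held),   # summary of throttled events
        }
        self.held.clear()
        self.last_sent = ts
        return message


def dispatch(rules, events):
    """Apply each rule whose node lies on the event's Directory path; collect messages."""
    sent = []
    for ts, system, path in events:
        for rule in rules:
            if rule.applies_to(path):
                message = rule.observe(ts, system)
                if message is not None:
                    sent.append(message)
    return sent


def demo():
    """Constructed scenario: a throttled site rule beside an unthrottled global rule."""
    rules = [
        # site administrator: 3 detections within 10 minutes, at most one mail per 5 minutes
        Rule("VirusDetected_SiteA", "SiteA", window_count=3, window_seconds=600,
             throttle_seconds=300),
        # global administrator: 6 detections within 10 minutes, no throttling
        Rule("VirusDetected_Directory", "Directory", window_count=6, window_seconds=600),
    ]
    # constructed events: one detection every 60 s, alternating between SiteA and SiteB
    events = []
    for i in range(12):
        if i % 2 == 0:
            events.append((i * 60, f"sysA{i // 2 + 1}", ["Directory", "SiteA", "GroupX"]))
        else:
            events.append((i * 60, f"sysB{i // 2 + 1}", ["Directory", "SiteB"]))
    return dispatch(rules, events)


if __name__ == "__main__":
    for m in demo():
        print(m)
```

Running the scenario shows the contrast the chapter describes: the throttled site rule sends two messages in twelve minutes, the second of which reports the two detections suppressed in between, while the unthrottled global rule sends a message for every event once its threshold is crossed.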
