ePO Endpoint Deployment Kit – EEDK
Getting started guide
Revision Draft 001, Date 20161101
By Steen Pedersen, Principal Architect, Intel Security
Notices

Copyright
Copyright © 2016 Intel Security - All rights reserved. This document contains proprietary information of Intel Security and is subject to a license agreement or nondisclosure agreement. No part of this document may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into another language, in any form or by any means, without the prior written consent of Intel Security. For information, please contact:
Intel Security
Steen Pedersen, Principal Architect, [email protected]

Trademarks
This document may make reference to other software and hardware products by name. In most if not all cases, the companies that manufacture these other products claim these product names as trademarks. It is not the intention of Intel Security to claim these names or trademarks as its own.

Disclaimer
The information contained in this document is subject to change without notice. INTEL SECURITY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Intel Security shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material. Intel Security reserves the right to add, subtract or modify features or functionality, or modify the product, at its sole discretion, without notice. Intel Security makes no commitment, implied or otherwise, to support any functionality or technology discussed or referenced in this document.
Contents Notices ......................................................................................................................................................... 2
Disclaimer .................................................................................................................................................... 2
Contents ...................................................................................................................................................... 3
1 Introduction ............................................................................................................................................ 5
1.1 WARNING ........................................................................................................................................ 5
1.2 Additional information about Intel Security products ........................................................................ 5
2 What is EEDK ........................................................................................................................................... 6
3 Common Use Cases ................................................................................................................................. 7
4 Build an ePO package .............................................................................................................................. 8
4.1 Understand the EEDK GUI ................................................................................................................ 8
5 EEDK - ePO Endpoint Deployment Kit .................................................................................................... 10
5.1 Download EEDK ............................................................................................................................. 10
5.2 McAfee Profiler ePO Package ......................................................................................................... 10
5.3 GetSusp ePO package .................................................................................................................... 10
5.4 Consolidate and migrate to other ePO server ................................................................................. 10
6 Important points and common issues ................................................................................................... 11
6.1 Verify the content placed in the ePO package ................................................................................. 11
6.2 Missing Build directory ................................................................................................................... 11
6.3 Make sure new packages is replicated ............................................................................................ 12
6.4 Check the content of the ePO package ........................................................................................... 12
6.5 Windows 10 - EEDK missing some DLL files for performing build ..................................................... 13
7 Examples for Windows .......................................................................................................................... 14
7.1 Example of simple Batch script for EEDK ......................................................................................... 14
7.2 Example of Batch script with parameters for EEDK ......................................................................... 14
7.3 Example of VBScript ....................................................................................................................... 15
7.4 Using AutoIT script and CustomProps ............................................................................................. 15
7.5 Generate an EICAR test file on Windows ......................................................................................... 17
7.6 Access Protection rule test ............................................................................................................. 17
7.7 Copy VSE log files to collection point .............................................................................................. 18
7.8 GetSusp with encrypted upload to FTPS server ............................................................................... 18
8 Examples for Linux ................................................................................................................................ 21
P a g e | 4
8.1 Generate an EICAR test file on Linux ............................................................................................... 21
9 Share for central collection point .......................................................................................................... 22
9.1 Test share with System Account ..................................................................................................... 23
10 Tools...................................................................................................................................................... 24
10.1 Tools for Hash MD5, SH1, SHA256 .................................................................................................. 24
10.2 GetSusp ......................................................................................................................................... 24
10.3 GetClean ........................................................................................................................................ 27
10.4 Sigcheck – Sysinternals/Microsoft .................................................................................................. 27
11 Acronyms and Terms ............................................................................................................................. 30
1 Introduction
This document contains getting started information and tips for using the ePO Endpoint Deployment Kit – EEDK, with focus on Windows and a few examples for Linux and MacOS.
The EEDK tool, shared EEDK packages, additional EEDK information and tools can be found at the McAfee Tool Exchange community: https://community.mcafee.com/community/archives/toolexchange

1.1 WARNING
EEDK is a very powerful tool, and packages must be created and deployed with care. Deployment to 1 or 100,000 systems can be done with very few clicks, and whatever the package runs is executed as the local SYSTEM account on every targeted endpoint. Review the script and the assigned system group before the task is enabled.

1.2 Additional information about Intel Security products
Please use the Intel Security Expert Center and Communities as sources of technical information.
https://community.mcafee.com/community/business/expertcenter
Community: https://community.mcafee.com/community/business
2 What is EEDK
The EEDK - ePO Endpoint Deployment Kit is a tool which can build ePO packages, making it possible to deploy tools or applications to any system managed by ePO: Windows, Mac OS and Linux. The package can be a single file or a collection of files from a "source" folder.
Flow of use:
1. Start EEDK
2. Choose a single file or a folder with files
3. Enter the command line to execute (with the option of passing parameters later from the Client Task)
4. Set the software package properties
5. Select OS support
6. Specify the "Build Folder" in Tools -> Options
7. Build Package
8. Result in the build folder: <Product Name>.ZIP
9. Check the package into the ePO Master Repository
10. Create a McAfee Agent Deployment Task for the package
11. Now the task can be deployed to all managed systems
3 Common Use Cases
Common use cases:
• Special removal of third-party antivirus
• Collection of additional information on the endpoint, sent back to ePO in the Agent CustomProps, which are searchable in the ePO SQL database
• ePO migration or consolidation: deploy the McAfee Agent from the new/other ePO server
• Forensic tools
• GetSusp
  o Collection on a normal file server
  o Upload of results and samples to an FTPS server
• Deployment of third-party agents
4 Build an ePO package

4.1 Understand the EEDK GUI
1. Source: a single file or a directory containing files. All files from the directory will be included in the package.
2. Product Name: must be an 8-character product name, which can include letters, numbers and underscores.
3. Product ID: a 4-digit number that is unique to this version of your product.
4. Product Version: displayed in the ePO console Master Repository as the product version number, both major and minor.
5. Product Description: the text displayed in the ePO console Master Repository as the product name.
6. Command to Run: the command executed by the agent once the file(s) have been downloaded. It should contain the script/executable to be run along with any command line options. Command line options can also be provided in the McAfee Agent Deployment Task built in the ePO console.
7. Product Detection Key: the registry key used by the agent to determine if the product is installed. It is combined with the detection value.
8. Product Detection Value: the registry value used by the agent to determine if the product is installed. It is combined with the detection key. Note: leave these at their defaults, or point them at a key and value that do not exist, if the package must execute every time the assigned task is scheduled. If the key and value do exist on the endpoint, the agent treats the product as already installed and does not run the package.
9. OS Support specifies on which OS the package will be accepted and executed.
10. Before “Build Package” can be executed the Build (Target) Directory must be specified in the
5 EEDK - ePO Endpoint Deployment Kit
How to get access to EEDK and different tools.

5.1 Download EEDK
EEDK is a great tool to create your own ePO deployable packages:
https://community.mcafee.com/docs/DOC-3401#/
Very useful for packing and deploying McAfee Agents to a new ePO server from an old ePO server.

5.2 McAfee Profiler ePO Package
Deploy McAfee Profiler using ePO: https://community.mcafee.com/docs/DOC-3891 (only relevant for VirusScan Enterprise 8.8 (VSE)).
Now it is easy to deploy and run McAfee Profiler on a few selected systems without being in front of the system or using Remote Desktop.

5.3 GetSusp ePO package
It is also good to be aware of the GetSusp ePO package:
http://downloadcenter.mcafee.com/products/mcafee-avert/getsusp/getsusp-ePO.zip
It can be deployed and place the reports and samples on a UNC share using the --zippath=<drive and path> parameter in the Deploy task.

5.4 Consolidate and migrate to other ePO server
Deploy a specific McAfee Agent from another ePO server. This is often used for migration to another ePO server and for consolidation to a central ePO server.
Command line: FramePkg.exe /INSTALL=AGENT /FORCEINSTALL /SILENT
6 Important points and common issues
There are several things which can go wrong when working with ePO deployable content. This section covers some of the common issues and how to address them.

6.1 Verify the content placed in the ePO package
It is critical to verify and test the content (scripts and executables) before building the ePO package. It is rather difficult to troubleshoot an ePO package during deployment, so test and verify the content before building the ePO package.

6.1.1 Test the scripts for EEDK with the SYSTEM account
The McAfee Agent runs as the local SYSTEM account and executes ePO deployment tasks under that account. This means that all scripts and executables packed by EEDK will be executed on the endpoint as local SYSTEM. It is therefore recommended that all scripts and executables are tested running as SYSTEM before they are built into an ePO package by EEDK.
Test the script by running it as local SYSTEM:
• Use PSEXEC.exe from Microsoft Sysinternals to open a SYSTEM command prompt (requires local administrator privileges)
  – Start CMD.EXE with "Run as Administrator"
  – From this command line run: psexec.exe /s /i cmd.exe
  – The command prompt that opens runs as local SYSTEM
  – Verify with the whoami command (expected output: nt authority\system)
  – The script can now be tested in this new command prompt
• The SYSTEM account has several limitations
  – Cannot interact with the user interface; a script that waits for a dialog or message box will hang the task
  – It does not have the same user space in the registry (HKEY_CURRENT_USER is the SYSTEM hive, not the logged-on user's)
  – On the network it authenticates as the computer account (DOMAIN\COMPUTERNAME$), which is why the collection share in section 9 grants rights to Domain Computers

6.2 Missing Build directory
The error: Setting Not Validated - Build: "" does not exist.
This is a common mistake where the Build Folder has not been specified or points to a directory which does not exist. Choose Tools and then Options in the EEDK GUI and specify a directory where the package can be built.
6.3 Make sure new packages are replicated
When the new ePO package is checked into the Master Repository on the ePO server it is only available in the repository on the ePO server and on the Agent Handlers.
A common mistake is to start McAfee Agent Deployment tasks right away on some pilot endpoints to verify that the package deployed using ePO is working. Often this deployment does not work and nothing happens on the endpoints, because these endpoints use other repositories where the new ePO package is not available yet.
To address this, replicate the Master Repository to all repositories except SuperAgent Lazy Cache repositories, where replication is not recommended because the Lazy Cache function automatically picks up the new content when it is requested by an endpoint. (Note: it can take up to 30 minutes for the SuperAgent lazy cache to flush before the repository reflects the updated content in the Master Repository.) For all non-Lazy Cache repositories, start a repository replication from ePO so that the new ePO package is distributed and available on all repositories before the pilot task runs.
6.4 Check the content of the ePO package
Before checking the new ePO package into the Master Repository it is recommended to verify the content of the package, the .ZIP file generated in the Build directory by EEDK.
Situations have been seen where the ZIP package was created but did not contain the files selected in the EEDK tool.
The ePO package .ZIP file should contain all the files selected in the EEDK tool and a few control files.
Example of a simple ePO package named EICARTES1000.ZIP with a CMD script. The ZIP file contains 3 files:
• drop_test_file.cmd (the script)
• EICARTES1000-det.mcs (added by EEDK for detecting whether "your application" is installed)
• PkgCatalog.z (details about the files in the package for integrity verification)
The PkgCatalog.z and the <package name>-det.mcs files are created by the EEDK tool. These two files are always added to the ePO package generated by EEDK.
PkgCatalog.z is an encrypted file which contains information about all the files in the package and is used for integrity verification, so add or change files in the source folder and rebuild rather than editing the ZIP by hand.
<package name>-det.mcs contains information about the registry key which can be used to verify if the application deployed in the package is installed. IMPORTANT: This is very useful if your package contains an application installation and you only want the McAfee Agent to download and attempt the installation if the application is not already installed.
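As an added example (not from the guide and not part of the EEDK tool), the following PowerShell script performs this check on the build machine: it lists the ZIP entries with their SHA256, confirms that the two control files and every file from the source folder are present, and reports anything else in the ZIP. The package path C:\EEDK\Build\EICARTES1000.ZIP, the package name EICARTES1000 (Product Name followed by Product ID, as in the example above) and the source folder C:\EEDK\Source\eicar are assumptions for illustration.

```powershell
# Added example, not part of the EEDK guide or of EEDK itself: inspect the .ZIP that
# EEDK wrote to the Build folder before it is checked into the Master Repository.
# Assumed (hypothetical) values: package C:\EEDK\Build\EICARTES1000.ZIP, package name
# EICARTES1000 (Product Name + Product ID), source folder C:\EEDK\Source\eicar.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Test-EedkPackage {
    param(
        [Parameter(Mandatory)] [string] $PackagePath,   # the ZIP produced by "Build Package"
        [Parameter(Mandatory)] [string] $PackageName,   # Product Name + Product ID, e.g. EICARTES1000
        [Parameter(Mandatory)] [string] $SourceFolder   # the file or folder selected as package source
    )
    $root = (Resolve-Path $SourceFolder).Path.TrimEnd('\')

    # Entry name -> SHA256 of its content, so the record of what was shipped stays with the change.
    $entries = @{}
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $zip = [System.IO.Compression.ZipFile]::OpenRead($PackagePath)
    try {
        foreach ($e in $zip.Entries) {
            if ($e.FullName.EndsWith('/')) { continue }   # directory entry, nothing to hash
            $s = $e.Open()
            try { $entries[$e.FullName] = ($sha.ComputeHash($s) | ForEach-Object { $_.ToString('x2') }) -join '' } finally { $s.Dispose() }
        }
    } finally { $zip.Dispose(); $sha.Dispose() }

    # The two control files EEDK always adds (see 6.4).
    $required = @('PkgCatalog.z', "$PackageName-det.mcs")
    $missing  = @($required | Where-Object { -not $entries.ContainsKey($_) })

    # Every source file must be present, named with the forward-slash relative path a ZIP stores.
    # EEDK accepts a single file or a folder, so handle both.
    if (Test-Path -Path $root -PathType Leaf) {
        $files = @(Get-Item -Path $root)
        $root  = (Split-Path -Path $root -Parent).TrimEnd('\')
    } else {
        $files = @(Get-ChildItem -Path $root -File -Recurse)
    }
    $expected = @{}
    foreach ($f in $files) {
        $rel = $f.FullName.Substring($root.Length + 1) -replace '\\', '/'
        $expected[$rel] = $true
        if (-not $entries.ContainsKey($rel)) { $missing += $rel }
    }

    # Anything else in the ZIP did not come from the selected source and needs explaining before check-in.
    $unexpected = @($entries.Keys | Where-Object { $_ -notin $required -and -not $expected.ContainsKey($_) })

    [pscustomobject]@{
        Package       = $PackagePath
        PackageSha256 = (Get-FileHash -Path $PackagePath -Algorithm SHA256).Hash
        Entries       = $entries
        Missing       = $missing
        Unexpected    = $unexpected
        Ok            = ($missing.Count -eq 0)
    }
}

$r = Test-EedkPackage -PackagePath 'C:\EEDK\Build\EICARTES1000.ZIP' -PackageName 'EICARTES1000' -SourceFolder 'C:\EEDK\Source\eicar'
$r.Entries.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize
if ($r.Unexpected.Count -gt 0) { Write-Warning "Not from the source folder: $($r.Unexpected -join ', ')" }
if (-not $r.Ok) { Write-Error "Do not check in $($r.Package): missing $($r.Missing -join ', ')" }
```

The per-entry hashes and the SHA256 of the whole ZIP are what to record with the change ticket; the same hashes let you confirm later that the package in the Master Repository is the one that was reviewed.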
6.5 Windows 10 - EEDK missing some DLL files for performing build
This issue has been seen on Windows 10. When the EEDK tool is set to build the package it fails with a missing DLL error for ePOSign.exe.
Workaround on Windows 10: add the two runtime files msvcp71.dll and msvcr71.dll to the directory where EEDK.EXE and ePOSign.EXE are located. These files can be found in the McAfee Agent 4.8 folder or the HIPS 8.0 folder. Take them only from a trusted McAfee installation and verify the publisher signature (for example with sigcheck, section 10.4) before placing them next to the build tool, since any DLL in that directory will be loaded by ePOSign.exe.
7 Examples for Windows
7.1 Example of simple Batch script for EEDK
Simple batch script which installs an MSI packaged with the script, or uninstalls it when the task parameter is "uninstall":

@echo off
:: Get number of input parameters
set argC=0
for %%x in (%*) do set /A argC+=1
:: ################################################
:: Set environment to current product folder (the folder the agent unpacked the package into)
pushd "%~dp0"
:: Get software package source directory and set as variable SRCDIR
set SRCDIR=%CD%
if %argC%==0 goto INSTALL
if /I "%~1"=="uninstall" goto UNINSTALL
:INSTALL
%systemroot%\system32\msiexec.exe /i "%SRCDIR%\McProfilerSetup.msi" /quiet
goto END
:UNINSTALL
:: msiexec /x takes the product code or the original .msi file, not a name in braces
%systemroot%\system32\msiexec.exe /x "%SRCDIR%\McProfilerSetup.msi" /quiet
:END
popd
:: Exit and pass proper exit to agent (0 = task succeeded)
:: ################################################
exit /B 0
7.2 Example of Batch script with parameters for EEDK
Usage of parameters passed from the command line option of the ePO Client Task. With no parameters the script runs a default 10-second profile; any parameters typed into the task are passed straight to McProfiler.exe.

@echo off
REM McAfee
REM Sets our environment to the current product folder
REM ################################################
pushd "%~dp0"
set SRCDIR=%CD%
REM Get number of input parameters
set argC=0
for %%x in (%*) do set /A argC+=1
REM Work goes here
REM ################################################
if %argC%==0 goto RUN_DEFAULT
goto RUN_WITH_PARAM
:RUN_DEFAULT
REM Default: silent 10 second profile saved under the computer name
"%ProgramFiles%\McAfee\McAfee Profiler\McProfiler.exe" /Silent /Time 10 /Save "C:\Profiler_%COMPUTERNAME%.mpr"
goto END
:RUN_WITH_PARAM
REM Example parameters: /Time 5 /Save "C:\Profiler.mpr"
set cmdstr=%*
"%ProgramFiles%\McAfee\McAfee Profiler\McProfiler.exe" /Silent %cmdstr%
goto END
REM Exit with proper exit code for McAfee Agent
REM ################################################
:END
popd
exit /B 0
7.3 Example of VBScript
Finally managed to create a package using this wonderful tool which will run an executable that will make a port exception for the ePO agent wake-up call.
Basically, the Visual Basic script called run_invisible is shown below.

Set WshShell = CreateObject("WScript.Shell")
WshShell.Run "cmd /c netsh firewall add portopening protocol=TCP port=8081 name=McAfeeAgentWake-UpCalls scope=custom addresses=10.1.2.32", 0

This script creates the firewall exception using cmd running silently (the second argument to Run, 0, hides the window). Note that the "netsh firewall" context is deprecated from Windows Vista/Server 2008 onwards; on current systems use "netsh advfirewall firewall add rule" with the equivalent options, and keep the scope restricted to the ePO server/Agent Handler addresses as done here.
7.4 Using AutoIT script and CustomProps
AutoIt v3 is a freeware BASIC-like scripting language designed for automating the Windows GUI and general scripting. It uses a combination of simulated keystrokes, mouse movement and window/control manipulation in order to automate tasks in a way not possible or reliable with other languages.
https://www.autoitscript.com/site/
The script below reads the Windows install date from the registry, writes it to the McAfee Agent CustomProps3 value and then runs CMDAGENT.EXE /P so the agent sends the updated properties to ePO, where CustomProps are searchable in the SQL database (see section 3). Because it runs as SYSTEM, the MsgBox calls must stay commented out except when debugging interactively.
Example of AutoIt script:

;=============================================================================
; Author: Steen Pedersen
; AutoIt script written 20150816
; Intel Security Professional Services
; Identify Systems Install Date and write to CustomProps3
;=============================================================================
#include <Date.au3>

; Temp strings (declared at script level, so the functions below write to them)
Local $HKLM, $CustomProps, $McAfee_reg, $install_date_value, $install_date, $MAAGENT_PATH, $MAAGENT_CMDAGENT

Func DetectInfrastructure()
    ; On 64-bit Windows use the 64-bit registry view; the 32-bit agent keys are under Wow6432Node
    If @ProcessorArch = "X86" Then
        $HKLM = "HKEY_LOCAL_MACHINE"
    EndIf
    If @ProcessorArch = "X64" Then
        $HKLM = "HKEY_LOCAL_MACHINE64"
    EndIf
EndFunc

DetectInfrastructure()
If @ProcessorArch = "X86" Then
    $CustomProps = $HKLM & "\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent\CustomProps"
    $McAfee_reg = $HKLM & "\SOFTWARE\Network Associates\ePolicy Orchestrator"
EndIf
If @ProcessorArch = "X64" Then
    $CustomProps = $HKLM & "\SOFTWARE\Wow6432Node\Network Associates\ePolicy Orchestrator\Agent\CustomProps"
    $McAfee_reg = $HKLM & "\SOFTWARE\Wow6432Node\Network Associates\ePolicy Orchestrator"
EndIf
;MsgBox(4096, "CustomProps", $CustomProps) ;DEBUG

; InstallDate is a REG_DWORD holding seconds since 1970/01/01 (Unix epoch)
$install_date_value = RegRead($HKLM & "\SOFTWARE\Microsoft\Windows NT\CurrentVersion", "InstallDate")
$install_date = _DateAdd('s', $install_date_value, "1970/01/01 00:00:00")
;MsgBox(4096, "CustomProps", $install_date) ;DEBUG

; Clear CustomProps
;RegWrite($CustomProps, "CustomProps1", "REG_SZ", "")
;RegWrite($CustomProps, "CustomProps2", "REG_SZ", "")
RegWrite($CustomProps, "CustomProps3", "REG_SZ", $install_date_value & " - " & $install_date)
;RegWrite($CustomProps, "CustomProps4", "REG_SZ", "")

; Send Communication to ePO: CMDAGENT /P makes the agent send its properties (incl. CustomProps) to ePO
$MAAGENT_PATH = RegRead($McAfee_reg & "\Agent", "Installed Path")
$MAAGENT_CMDAGENT = $MAAGENT_PATH & "\CMDAGENT.EXE"
;MsgBox(4096, "CMDAGENT", $MAAGENT_CMDAGENT) ;DEBUG
; The installed path contains spaces (Program Files), so the executable must be quoted
Run('"' & $MAAGENT_CMDAGENT & '" /P')
; Keep commented out in production: a MsgBox shown by the SYSTEM account would block the task
;If @error Then
;    MsgBox(4096, "Run CMDAGENT", @error)
;EndIf
7.5 Generate an EICAR test file on Windows
A very simple example of creating an EICAR test file on a Windows system for test purposes.
It will drop an eicar.com in the %TEMP% folder (for the SYSTEM account that is normally C:\Windows\Temp), or create the EICAR test file at the path and filename given as command line parameter in the McAfee Agent Deployment Task. The test string is written in escaped form (%% for % and ^^ for ^) so the script file itself does not contain the literal EICAR string.

@echo off
REM ####################################################################
REM Intel Security - Write eicar test file to specified location
REM Sets our environment to the current product folder
REM Information about EICAR http://www.eicar.org/86-0-Intended-use.html
REM ####################################################################
pushd "%~dp0"
set SRCDIR=%CD%
if "%~1"=="" goto RUN_DEFAULT
goto RUN_WITH_PARAM
:RUN_DEFAULT
set Target_file=%TEMP%\eicar.com
goto WRITE_TARGET_FILE
:RUN_WITH_PARAM
REM Everything typed into the Deployment Task is the target path; it may contain spaces and may be quoted
set "Target_file=%*"
set Target_file=%Target_file:"=%
goto WRITE_TARGET_FILE
:WRITE_TARGET_FILE
REM Write the Eicar test file to the specified location (%% and ^^ are the batch escapes for % and ^)
echo X5O!P%%@AP[4\PZX54(P^^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*>"%Target_file%"
REM Exit with proper exit code for McAfee Agent
REM ####################################################################
:END
popd
exit /B 0
7.6 Access Protection rule test
The script will attempt to write %ProgramFiles(x86)%\McAfee\VirusScan Enterprise\testfile.txt, which will trigger an Access Protection event because the default rules protect the McAfee program files. If a path and filename is added as parameter in the McAfee Deployment Task, it will drop the file at the path and filename specified instead. This can be used for other tests.

@echo off
REM ####################################################################
REM Intel Security - Write test file to VSE file location
REM Sets our environment to the current product folder
REM ####################################################################
pushd "%~dp0"
set SRCDIR=%CD%
if "%~1"=="" goto RUN_DEFAULT
goto RUN_WITH_PARAM
:RUN_DEFAULT
set Target_file=%ProgramFiles(x86)%\McAfee\VirusScan Enterprise\testfile.txt
goto WRITE_TARGET_FILE
:RUN_WITH_PARAM
REM Everything typed into the Deployment Task is the target path; it may contain spaces and may be quoted
set "Target_file=%*"
set Target_file=%Target_file:"=%
goto WRITE_TARGET_FILE
:WRITE_TARGET_FILE
REM Write the test file to the folder
echo Just some text >"%Target_file%"
REM Exit with proper exit code for McAfee Agent
REM ####################################################################
:END
popd
exit /B 0
7.7 Copy VSE log files to collection point
Simple script which collects the VSE log files (%PROGRAMDATA%\McAfee\DesktopProtection) to a central collection point, in this example a UNC share given as the task parameter, into a subfolder named after the computer. The share must allow the computer account to create folders and files (see section 9). Later there are examples with FTPS collection points.

@echo off
:: Get number of input parameters
set argC=0
for %%x in (%*) do set /A argC+=1
:: Set environment to current product folder
pushd "%~dp0"
:: The parameter in the Deployment Task is the UNC collection share, e.g. \\win-srv001\report$
if %argC%==0 goto EOF
set "cmdstr=%*"
set cmdstr=%cmdstr:"=%
md "%cmdstr%\%COMPUTERNAME%" 2>nul
copy "%PROGRAMDATA%\McAfee\DesktopProtection\*.*" "%cmdstr%\%COMPUTERNAME%\"
:END
goto EOF
:: Exit and pass proper exit to agent
:EOF
popd
exit /B 0
7.8 GetSusp with encrypted upload to FTPS server
Script which runs GetSusp and uploads its results (the report files and the Logs folder) over FTPS to a central collection point. Because the transport is FTPS rather than a UNC share, this script can cover multiple domains and external systems (if these communicate with an Internet-facing Agent Handler and the FTPS server is reachable from the Internet). McAfee Tool Exchange will contain a ZIP package with the ePO package FTPS_GET100x.zip and information about how to set up an FTPS server using FileZilla.
Two points to check before deploying it: the FTPS user name and password are passed as task parameters and are readable by anyone who can view the ePO Client Task, so use a dedicated upload-only account; and curl's --insecure switch disables certificate validation, so the upload is encrypted but the server is not authenticated. Replace --insecure with --cacert <server certificate> once the FileZilla certificate is known. curl.exe is not part of Windows before Windows 10 version 1803, so make sure it is available on the endpoint or included in the package.

@echo off
REM Intel Security 2016 - Steen Pedersen
REM Sets our environment to the current product folder
REM ################################################
REM 1. Parameter = local dir
REM 2. Parameter = IP and port for FTPS server
REM 3. Parameter = FTPS username
REM 4. Parameter = FTPS password
REM 5. Parameter = Folder name for the files on the FTPS server (optional, default GetSusp)
REM
REM Example: FTPS_GETSUSP %TEMP% 172.16.214.212:990 ftp_username ftp_password GetSusp_Collector
REM
REM The user name and password are visible to anyone who can read the ePO Client Task: use a
REM dedicated upload-only FTPS account. --insecure disables certificate validation; replace it
REM with --cacert <server-cert.pem> packaged next to this script once the server certificate is known.
pushd "%~dp0"
set SRCDIR=%CD%
REM Work goes here
REM ################################################
if "%~1"=="" goto EOF
if "%~4"=="" goto EOF
set localdir=%~1
set ftphost=%~2
set ftpuser=%~3
set ftppass=%~4
if "%~5"=="" (set dir_group=GetSusp) else (set dir_group=%~5)
set ZIPPATH=%localdir%\%COMPUTERNAME%
echo ------------------
REM Finalize target FTPS dir (forward slashes: it is part of a URL)
set ftpdir=%COMPUTERNAME%/%dir_group%
setlocal enableDelayedExpansion
REM Run GetSusp first; --ZIPPATH is where GetSusp leaves its report and the Logs folder
echo Run GetSusp and save result in %ZIPPATH%
"%SRCDIR%\getsusp.exe" --SILENT --EPO --ZIPPATH="%ZIPPATH%"
echo GetSusp returned %ERRORLEVEL%
if not exist "%ZIPPATH%\*" (
    echo Nothing collected
    goto EOF
)
:upload_result
REM ************* COPY Results ********************
REM Create Directory on FTPS server (--ssl-reqd refuses to fall back to clear-text FTP)
echo Create Directory on FTPS server
curl --ssl-reqd --insecure "ftps://%ftphost%/%ftpdir%/" --user %ftpuser%:%ftppass% --ftp-create-dirs
echo Localdir = %ZIPPATH%
echo Copy files
for /F "delims=" %%x in ('dir /B /A-D "%ZIPPATH%"') do (
    set "FILENAME=%ZIPPATH%\%%x"
    echo !FILENAME!
    curl -T "!FILENAME!" --ssl-reqd --insecure "ftps://%ftphost%/%ftpdir%/" --user %ftpuser%:%ftppass%
)
REM ****** COPY Logs directory *********
set ZIPPATH=%ZIPPATH%\Logs
set ftpdir=%ftpdir%/Logs
curl --ssl-reqd --insecure "ftps://%ftphost%/%ftpdir%/" --user %ftpuser%:%ftppass% --ftp-create-dirs
for /F "delims=" %%x in ('dir /B /A-D "%ZIPPATH%"') do (
    set "FILENAME=%ZIPPATH%\%%x"
    echo !FILENAME!
    curl -T "!FILENAME!" --ssl-reqd --insecure "ftps://%ftphost%/%ftpdir%/" --user %ftpuser%:%ftppass%
)
:EOF
REM Exit with proper exit code for McAfee Agent
REM ################################################
popd
exit /B 0
8 Examples for Linux
A few simple examples for Linux.

8.1 Generate an EICAR test file on Linux
A very simple example of creating an EICAR test file on a Linux system which can generate a virus alert for test purposes. The test file will be dropped in /tmp/eicar.com. The EICAR string is stored ROT13-encoded in the script and decoded with tr at run time, so the script file itself is not detected by the scanner before it runs.

#!/bin/sh
# Intel Security - Steen Pedersen - Write test eicar to /tmp/eicar.com
# Information about eicar: go to www.eicar.org
# The EICAR string is ROT13-encoded here; tr decodes it on the endpoint.
# printf is used instead of echo so the backslash in the string is never interpreted.
printf '%s\n' 'K5B!C%@NC[4\CMK54(C^)7PP)7}$RVPNE-FGNAQNEQ-NAGVIVEHF-GRFG-SVYR!$U+U*' | tr '[A-Za-z]' '[N-ZA-Mn-za-m]' > /tmp/eicar.com
# Second, harmless marker file showing the script ran (not part of the EICAR test)
echo test2 > /tmp/test2.txt
exit 0
9 Share for central collection point
A share must be available to collect the reports centrally. The security permissions on this share must allow the SYSTEM account to create, write and modify files in the share. The scripts are launched as SYSTEM, as this is the account the McAfee Agent uses for ePO Client Task execution on the endpoint. On the network, SYSTEM authenticates as the computer account, which is why the permissions below are granted to Domain Computers rather than to a user account. Note that this gives every domain-joined computer write and delete rights on the collected reports, so keep the share dedicated to this purpose and limit who can read it.
The following steps provide information about how to configure a shared folder with the permissions needed for this to work (Windows 2008 R2).
1. Create a Report folder for the share on the file server
2. Right-click the Report folder and select Properties.
3. Select the Sharing tab and then click Advanced Sharing. Select the Share this folder option.
4. Add the share name report$ and click Apply. The $ ensures that the share is hidden.
5. Click Permissions and allow Full Control to Everyone. Click OK twice.
6. Click the Security tab and then click Advanced.
7. On the Permissions tab, click Change Permissions and deselect the Include inheritable
permissions from the object’s parent option.
A confirmation message explains the effect this change will have on the folder.
8. Click Remove. The Permissions tab on the Advanced Security Settings dialog box shows all
permissions eliminated.
9. Click Add to select an object type.
10. In the Enter the object name to select text box, type Domain Computers,
(Click Check Names to verify the name of the object)
then click OK to display the Permission Entry dialog box.
In the Allow column, select List folder/Read data, Read attributes, Read extended
attributes, Create files/Write data, Write attributes, Write extended attributes,
Create folders/Append data, Delete subfolders and files and Delete.
Verify that the Apply to option says This folder, subfolders and files, then click OK.
The Advanced Security Settings dialog box now includes Domain Computers.
11. Click Add to select an object type.
12. In the Enter the object name to select text box, type Administrators, then click OK to display
the Permission Entry dialog box. Set the Full control permissions.
13. Click OK twice to close the dialog box and then Close to close the File/Folder Properties.
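The same configuration can be scripted. The following PowerShell is an added example, not part of the guide, assuming the folder D:\Report, the domain CORP and a file server with the SmbShare module (Windows Server 2012 or later; the 2008 R2 equivalent for the share step is noted in a comment). It reproduces steps 1 to 13: a hidden share with share-level Full Control for Everyone, inheritance removed, Domain Computers limited to exactly the rights listed in step 10, and Administrators with Full Control.

```powershell
# Added example, not part of the EEDK guide: steps 1 to 13 above as a script.
# Assumptions (hypothetical): folder D:\Report, domain CORP, and the SmbShare module
# (Windows Server 2012 or later; on 2008 R2 replace New-SmbShare with
#   net share report$=D:\Report /GRANT:Everyone,FULL ).
$folder = 'D:\Report'
$domain = 'CORP'

# Step 1: the folder that backs the share
New-Item -ItemType Directory -Path $folder -Force | Out-Null

# Steps 3 to 5: hidden share (trailing $), share-level Full Control for Everyone;
# the NTFS permissions below are what actually limit access.
if (-not (Get-SmbShare -Name 'report$' -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name 'report$' -Path $folder -FullAccess 'Everyone' | Out-Null
}

# Steps 6 to 8: stop inheriting from the parent and clear the remaining explicit entries.
$acl = Get-Acl -Path $folder
$acl.SetAccessRuleProtection($true, $false)   # $true = protected, $false = do not copy the inherited ACEs
foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    $acl.RemoveAccessRule($ace) | Out-Null
}

$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'  # "This folder, subfolders and files"
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$allow     = [System.Security.AccessControl.AccessControlType]::Allow

# Step 10: Domain Computers (the SYSTEM account of every domain-joined endpoint) get exactly the
# rights listed above and nothing more: no ReadPermissions, ChangePermissions or TakeOwnership.
$computerRights = [System.Security.AccessControl.FileSystemRights]'ReadData, ReadAttributes, ReadExtendedAttributes, WriteData, WriteAttributes, WriteExtendedAttributes, AppendData, DeleteSubdirectoriesAndFiles, Delete'
$computerRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList "$domain\Domain Computers", $computerRights, $inherit, $propagate, $allow
$acl.AddAccessRule($computerRule)

# Step 12: Administrators keep Full Control.
$adminRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList 'BUILTIN\Administrators', ([System.Security.AccessControl.FileSystemRights]::FullControl), $inherit, $propagate, $allow
$acl.AddAccessRule($adminRule)

# Step 13: apply, then show the resulting DACL for the change record.
Set-Acl -Path $folder -AclObject $acl
(Get-Acl -Path $folder).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, IsInherited -AutoSize
```

After running it, perform the SYSTEM write test from section 9.1 on a domain-joined endpoint; the Format-Table output is also what to compare against if the share permissions are ever changed.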
Another option is creating a Null Session Share, which allows unauthenticated (anonymous) access to the share. Prefer the computer-account permissions above and use a null session share only where domain membership is not available. For information read:
http://support.microsoft.com/kb/124184
https://www.ibm.com/developerworks/community/wikis/home?lang=en#/wiki/Tivoli%20Endpoint%20Manager/page/Creating%20a%20Null%20Session%20Share
9.1 Test share with System Account
The ability of the SYSTEM account to write to the share can be tested using PSEXEC.
PSEXEC can be downloaded from: http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
Run this command line: psexec.exe /s /i cmd.exe
From this new command prompt running as SYSTEM it is possible to verify the write permission to the network share. Use the command line: echo test >\\win-srv001\report$\t0.txt
Then verify that the t0.txt file is created on the share. Run the test from a domain-joined endpoint, since the access is granted to the computer account.
10 Tools
Important tools with notes and links.

10.1 Tools for Hash MD5, SHA1, SHA256
• GetSusp (download): http://www.mcafee.com/us/downloads/free-tools/getsusp.aspx
• FAQs for GetSusp: https://kc.mcafee.com/corporate/index?page=content&id=KB69385
• Introduction to GetClean 1.0: https://kc.mcafee.com/corporate/index?page=content&id=KB73044
• GetClean Product Guide: https://kc.mcafee.com/corporate/index?page=content&id=PD23191
• Sysinternals Sigcheck (use -h to get MD5, SHA1 and SHA256): https://technet.microsoft.com/en-us/sysinternals/bb897441.aspx
• File Checksum Integrity Verifier (FCIV), Microsoft tool to collect MD5 and SHA1: https://support.microsoft.com/en-us/kb/841290
10.2 GetSusp
GetSusp is a free tool that helps you find and log undetected malware, and allows you to automatically
submit samples to McAfee Labs. To find suspicious files, GetSusp uses heuristics and compares samples
against the Global Threat Intelligence (GTI) database of known clean files. When you analyze a suspect
computer, use GetSusp first.
Download GetSusp
The build below is for McAfee ePO administrators.
Download GetSusp-ePO
10.2.1 How to use GetSusp
http://www.mcafee.com/us/downloads/free-tools/how-to-use-getsusp.aspx
For a list of Frequently Asked Questions on GetSusp, see article KB69385.
Features
Delivered as a single executable file with no installation required.
Option to run in different modes: GUI and command line.
Can submit samples, or only an MD5 list of the files, to McAfee Labs for analysis.
Leverages GTI File Reputation to determine if the sample is suspicious.
Records system and installed McAfee product information, date of execution and details of suspected
files.
GetSusp supports Windows XP SP2, 2003 SP2, Vista SP1, 2008, 7 and 8.
How to use McAfee GetSusp
1. Download the latest version of GetSusp. When prompted, choose to save the executable file to a
convenient location on your hard disk. We recommend creating a folder specifically for GetSusp.
2. Once downloaded, launch the GetSusp.exe file.
3. The McAfee GetSusp Interface will be displayed.
4. If necessary, click Preferences to specify the email address at which you want to receive an
acknowledgement from McAfee Labs for sample submissions. By default, suspicious files are submitted to
McAfee Labs in online mode.
5. Click the Scan Now button to begin scanning the system. A EULA prompt appears for user acceptance every
time a scan is initiated; the license agreement must be accepted in order to proceed.
6. A typical GetSusp system scan takes around three to five minutes. A summary is provided at the end of
the scan, and the scan report is launched.
7. Visit the McAfee malware community site or contact McAfee technical support for help in
troubleshooting your machine or removing malware.
10.3 GetClean
GetClean is a McAfee Labs initiative to minimize false-positive detections in the field. The GetClean
program aims to prevent false positives on your COE (Common Operating Environment) image files. To
achieve this, a tool with the same name is executed on COE computers or known clean software
repositories to harvest clean files.
GetClean uses Global Threat Intelligence (GTI) for file reputation lookup and reports only files that are
unknown to McAfee Labs, or falsely classified. You can also submit metadata, or samples and metadata,
to McAfee Labs. This greatly reduces the number of files you need to submit and eliminates duplicate
submissions. The average GetClean scan time on a computer is 60-90 minutes, and the average .zip file
size of samples collected is 200-350 MB. The McAfee Labs dedicated Whitelisting team analyzes,
validates, and processes the files you submit before adding them to the GTI whitelist and to the McAfee
Labs test systems, where they are scanned before each new DAT release.
Introduction to GetClean 1.0: https://kc.mcafee.com/corporate/index?page=content&id=KB73044
GetClean Product Guide: https://kc.mcafee.com/corporate/index?page=content&id=PD23191
10.4 Sigcheck – Sysinternals/Microsoft
Download SigCheck 2.x:
http://technet.microsoft.com/en-gb/sysinternals/bb897441.aspx
http://www.ghacks.net/2013/10/28/use-microsofts-sigcheck-2-0-check-files-folder-virustotal/
Introduction
Sigcheck is a command-line utility that shows file version number, timestamp information, and
digital signature details, including certificate chains. It also includes an option to check a file’s
status on VirusTotal, a site that performs automated file scanning against over 40 antivirus
engines, and an option to upload a file for scanning.
usage: sigcheck [-a][-h][-i][-e][-n][[-s]|[-c|-ct]|[-m]][-q][-r][-u][-vt][-v[r][n]][-f catalog file]
<file or directory>
-a Show extended version information
-c CSV output with comma delimiter
-ct CSV output with tab delimiter
-e Scan executable images only (regardless of their extension)
-f Look for signature in the specified catalog file
-h Show file hashes
-i Show catalog name and image signers
-m Dump manifest
-n Only show file version number
-q Quiet (no banner)
-r Disable check for certificate revocation
-s Recurse subdirectories
-u If VirusTotal check is enabled, show files that are unknown by VirusTotal or have
non-zero detection, otherwise show only unsigned files.
-v[rn] Query VirusTotal (www.virustotal.com) for malware based on file hash. Add 'r'
to open reports for files with non-zero detection. Files reported as not previously
scanned will be uploaded to VirusTotal unless the 'n' option is specified. Note
scan results may not be available for five or more minutes.
-vt Before using VirusTotal features, you must accept VirusTotal terms of service.
See: https://www.virustotal.com/en/about/terms-of-service/. If you haven't
accepted the terms and you omit this option, you will be interactively prompted.
One way to use the tool is to check for unsigned files in your \Windows\System32 directories
with this command:
sigcheck -u -e c:\windows\system32
You should investigate the purpose of any files that are not signed.
Pasted from <http://technet.microsoft.com/en-gb/sysinternals/bb897441.aspx>
Skip the EULA license message when running SysInternal tools
-accepteula
Pasted from <http://forum.sysinternals.com/eula-prompt-when-running-pstools_topic8783_page7.html>
Example for checking the Windows System32 folder, listing hashes and VirusTotal results:
sigcheck -accepteula -h -u -s -e -vt -ct c:\windows\system32 >sig1.csv
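The command above leaves a tab-delimited report in sig1.csv that still has to be read. The PowerShell function below is an added example, not part of the EEDK guide or of Sigcheck: it skips any banner text before the header row (the command does not pass -q), parses the tab-delimited rows and lists each file that is not signed, has a non-zero VirusTotal detection count, or is unknown to VirusTotal. The column names "Path", "Verified", "SHA256", "VT detection" and "VT link" are assumed to match the Sigcheck 2.x -ct output; compare them with the header row of your own file.

```powershell
# Added example, not from the EEDK guide: triage the sig1.csv written by the sigcheck command above.
# Assumed column names: Path, Verified, SHA256, "VT detection", "VT link" (check your header row).
function Get-SigcheckFindings {
    param([Parameter(Mandatory)][string[]]$Lines)
    # Skip any banner text that precedes the header row (the command above does not pass -q).
    $start = 0
    while ($start -lt $Lines.Count -and $Lines[$start] -notmatch '^Path\t') { $start++ }
    if ($start -ge $Lines.Count) { throw 'No Sigcheck header row found' }
    $rows = $Lines[$start..($Lines.Count - 1)] | ConvertFrom-Csv -Delimiter "`t"
    foreach ($r in $rows) {
        $why = @()
        if ($r.Verified -ne 'Signed') { $why += "not signed ($($r.Verified))" }
        # "VT detection" is reported as hits/engines, e.g. 3/57, or as Unknown for unseen files.
        if ($r.'VT detection' -match '^\s*(\d+)\s*/\s*(\d+)') {
            if ([int]$Matches[1] -gt 0) { $why += "VT $($Matches[1])/$($Matches[2])" }
        } elseif ($r.'VT detection' -match 'Unknown') {
            $why += 'VT unknown'
        }
        if ($why.Count -gt 0) {
            [pscustomobject]@{ Path = $r.Path; SHA256 = $r.SHA256; Reason = ($why -join '; '); Link = $r.'VT link' }
        }
    }
}

# Constructed sample standing in for sig1.csv content (not real scan output); hashes are placeholders.
$sample = @(
    (('Path', 'Verified', 'SHA256', 'VT detection', 'VT link') -join "`t"),
    (('c:\windows\system32\kernel32.dll', 'Signed', 'sha256-placeholder-1', '0/57', 'https://www.virustotal.com/file/placeholder-1') -join "`t"),
    (('c:\windows\system32\oddtool.exe', 'Unsigned', 'sha256-placeholder-2', '3/57', 'https://www.virustotal.com/file/placeholder-2') -join "`t"),
    (('c:\windows\system32\helper.dll', 'Unsigned', 'sha256-placeholder-3', 'Unknown', '') -join "`t")
)
Get-SigcheckFindings -Lines $sample | Format-Table -AutoSize
# Real run: Get-SigcheckFindings -Lines (Get-Content .\sig1.csv) | Export-Csv .\findings.csv -NoTypeInformation
```

With the constructed sample, kernel32.dll is dropped and the two unsigned files are reported, one with "VT 3/57" and one with "VT unknown"; the SHA256 column lets you match findings against the GetSusp and GetClean submissions described above.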
11 Acronyms and Terms
ePO ePolicy Orchestrator
AH Agent Handler: Component of ePO used to communicate with agents installed on endpoints
MA McAfee Agent
SA McAfee SuperAgent
VSE McAfee VirusScan Enterprise
HIPS Host Intrusion Prevention
EEDK ePO Endpoint Deployment Kit
FIM File Integrity Monitor
MAC McAfee Application Control
MCC McAfee Change Control
MDE McAfee Device Encryption (previously known as EEPC)
EEPC Endpoint Encryption for PC (now named MDE)
MOVE Management for Optimized Virtual Environments
MVM McAfee Vulnerability Manager
DLPE Data Loss Prevention for Endpoints (previously known as HDLP)
HDLP Host Data Loss Prevention (now named DLPE)
NDLP Network Data Loss Prevention
FRP McAfee File and Removable Media Protection (previously known as EEFF)
EEFF McAfee Endpoint Encryption for Files and Folders (now named FRP)
EERM Endpoint Encryption for Removable Media (now named FRP)
NSP Network Security Platform
PA Policy Auditor
RA Risk Advisor
SIEM Security Information and Event Management (Nitro)
Admin: ePO administrator or network administrator (previously Global Admin)
ASCI: Agent-server communication interval
ASSC: Agent-to-server secure communication
Agent: McAfee software used to manage point products on endpoint machines
GUID: Globally Unique Identifier; random 64-bit value used specifically by ePO
Policy: Settings and configurations applied to point-products on endpoint machines
Repository: Collection of the software used to deploy and update point-products on endpoint machines
RSD Rogue System Detection Sensor
CEE Complete Protection Enterprise Suite
PBA Pre-Boot Authentication – Small OS loaded before the Windows OS
AD Active Directory
ALDU Add Local Domain User
BIOS Basic Input/Output System
DN Domain Name
DE Drive Encryption
DEAgent Drive Encryption Agent
EFI Extensible Firmware Interface
GPT GUID Partition Table
LDAP Lightweight Directory Access Protocol
MBR Master Boot Record
NIST National Institute of Standards and Technology
OS Operating System
OU Organizational Unit
SSO Single Sign On
UBP User-Based Policy
UEFI Unified Extensible Firmware Interface