ePO Endpoint Deployment Kit – EEDK
Getting started guide
Revision Draft 001, Date 20161101
By Steen Pedersen, Principal Architect, Intel Security
[email protected]



Notices

Copyright

Copyright © 2016 Intel Security - All rights reserved. This document contains proprietary information of Intel Security and is subject to a license agreement or nondisclosure agreement. No part of this document may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into another language, in any form or by any means, without the prior written consent of Intel Security. For information, please contact:

Intel Security
Steen Pedersen, Principal Architect, [email protected]

Trademarks

This document may make reference to other software and hardware products by name. In most if not all cases, the companies that manufacture these other products claim these product names as trademarks. It is not the intention of Intel Security to claim these names or trademarks as its own.

Disclaimer

The information contained in this document is subject to change without notice. INTEL SECURITY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Intel Security shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material. Intel Security reserves the right to add, subtract or modify features or functionality, or modify the product, at its sole discretion, without notice. Intel Security makes no commitment, implied or otherwise, to support any functionality or technology discussed or referenced in this document.


Contents

Notices
Disclaimer
Contents
1 Introduction
1.1 WARNING
1.2 Additional information about Intel Security products
2 What is EEDK
3 Common Use Cases
4 Build an ePO package
4.1 Understand the EEDK GUI
5 EEDK - ePO Endpoint Deployment Kit
5.1 Download EEDK
5.2 McAfee Profiler ePO Package
5.3 GetSusp ePO package
5.4 Consolidate and migrate to other ePO server
6 Important points and common issues
6.1 Verify the content placed in the ePO package
6.2 Missing Build directory
6.3 Make sure new packages are replicated
6.4 Check the content of the ePO package
6.5 Windows 10 - EEDK missing some DLL files for performing build
7 Examples for Windows
7.1 Example of simple Batch script for EEDK
7.2 Example of Batch script with parameters for EEDK
7.3 Example of VBScript
7.4 Using AutoIT script and CustomProps
7.5 Generate an EICAR test file on Windows
7.6 Access Protection rule test
7.7 Copy VSE log files to collection point
7.8 GetSusp with encrypted upload to FTPS server
8 Examples for Linux
8.1 Generate an EICAR test file on Linux
9 Share for central collection point
9.1 Test share with System Account
10 Tools
10.1 Tools for Hash MD5, SHA1, SHA256
10.2 GetSusp
10.3 GetClean
10.4 Sigcheck – Sysinternals/Microsoft
11 Acronyms and Terms


1 Introduction

This document contains getting started information and tips for using ePO Endpoint Deployment Kit – EEDK. The focus is on Windows, with a few examples for Linux and MacOS.

The EEDK tool, shared EEDK packages, additional EEDK information and tools can be found at the McAfee Tool Exchange community: https://community.mcafee.com/community/archives/toolexchange

1.1 WARNING

EEDK is a very powerful tool, and packages must be created and deployed with care. Deployment to 1 or 100.000 systems can be done with very few clicks.

1.2 Additional information about Intel Security products

Please use the Intel Security Expert Center and Communities as the source of technical information.

https://community.mcafee.com/community/business/expertcenter

Community: https://community.mcafee.com/community/business


2 What is EEDK

The EEDK - ePO Endpoint Deployment Kit is a tool which can build ePO Packages, which makes it possible to deploy tools or applications to any system managed by ePO: Windows, Mac OS and Linux. The package can be a single file or a collection of files from a “source” folder.

Flow of use:

1. Start EEDK
2. Choose a single file or a folder with files
3. Command line to execute + option for parameters
4. Set software package properties
5. Select OS Support
6. Specify "Build Folder" in Tools -> Options
7. Build Package
8. Result in build folder: <Product Name>.ZIP
9. Check package into ePO Master Repository
10. Create McAfee Agent Deployment Task for the package
11. Now the task can be deployed to all managed systems


3 Common Use Cases

Common Use Cases:

• Special removal of 3rd party antivirus
• Collection of additional information on the endpoint, sent back to ePO in Agent CustomProps, which is searchable in the ePO SQL database
• ePO migration or consolidation – Deploy McAfee Agent from a new/other ePO server
• Forensic tool
• GetSusp
  o Collection on a normal file server
  o Upload results and samples to an FTPS server
• Deployment of 3rd party agents


4 Build an ePO package

4.1 Understand the EEDK GUI

1. A source file or a directory containing files. All files from the directory will be included in the package.
2. Product Name: Must be an 8 character product name which can include letters, numbers and underscores.
3. Product ID: This is a 4 digit number that will be unique to this version of your product.
4. Product Version: This will be displayed in the ePO console Master Repository as the product version number, both major and minor.
5. Product Description: This is the text that will be displayed in the ePO console Master Repository as the product name.
6. Command to Run: This is the command that will be executed by the agent once the file(s) have been downloaded. This command should contain the script/executable to be run along with any command line options. Command line options can also be provided in the McAfee Agent Deployment Task built in the ePO console.
7. Product Detection Key: This is the registry key used by the agent to determine if a product is installed. It is combined with the key value.
8. Product Detection Value: This is the registry value used by the agent to determine if a product is installed. It is combined with the key. Note: Leaving these at the default, or pointing them at a key and value which do not exist, will make the package execute every time it is scheduled by the Assignment.
9. The OS Support specifies which OS the package will be accepted and executed on.


10. Before “Build Package” can be executed the Build (Target) Directory must be specified in the


5 EEDK - ePO Endpoint Deployment Kit

How to get access to EEDK and different tools.

5.1 Download EEDK

EEDK is a great tool to create your own ePO deployable packages: https://community.mcafee.com/docs/DOC-3401#/

Very useful for packing and deploying McAfee Agents to a new ePO server from an old ePO server.

5.2 McAfee Profiler ePO Package

Deploy McAfee Profiler using ePO: https://community.mcafee.com/docs/DOC-3891 (only relevant for VirusScan Enterprise 8.8 (VSE)).

Now it is easy to deploy and run McAfee Profiler on a few selected systems without being in front of the system or using Remote Desktop.

5.3 GetSusp ePO package

It is also good to be aware of the GetSusp ePO package: http://downloadcenter.mcafee.com/products/mcafee-avert/getsusp/getsusp-ePO.zip

It can be deployed to place the reports and samples on a UNC share using the --zippath=<drive and path> parameter in the Deploy task.

5.4 Consolidate and migrate to other ePO server

Deploy a specific McAfee Agent from another ePO server. This is often used for migration to another ePO server and consolidation to a central ePO server.

Command line: FramePkg.exe /INSTALL=AGENT /FORCEINSTALL /SILENT


6 Important points and common issues

There are several things which can go wrong when working with ePO deployable content. This section covers some of the common issues and how to address them.

6.1 Verify the content placed in the ePO package

It is critical to be able to verify and test the content (scripts and executables) before building the ePO package. It is rather difficult to test the ePO package during deployment, so it is important to test and verify it before building the ePO package.

6.1.1 Test the scripts for EEDK with SYSTEM account

The McAfee Agent runs as the SYSTEM account and will execute the ePO deployment tasks with the local SYSTEM account. This means that all scripts and executables packed by EEDK will be executed on the endpoint as the local SYSTEM account. Therefore it is recommended that any scripts and executables are tested running as the SYSTEM account before they are built into an ePO package by EEDK.

Test the script running it as local SYSTEM account:

• Use PSEXEC.exe from Microsoft Sysinternals to open a system prompt (requires local administrator privileges)
  – Start CMD.EXE with “Run as Administrator”
  – From this command line run: psexec.exe /s /i cmd.exe
  – The command prompt that opens runs as local system
  – Verify with the whoami command
  – The script can now be tested in this new command prompt
• SYSTEM account has several limitations
  – Cannot interact with the user interface
  – It does not have the same User space in the registry

6.2 Missing Build directory

The error: Setting Not Validated – Build: “” does not exist.

This is a common mistake where the Build Folder has not been specified or points to a directory which does not exist. Choose Tools and then Options in the EEDK GUI and specify a directory where the package can be built.


6.3 Make sure new packages are replicated

When the new ePO package is checked into the Master Repository on the ePO Server, it is only available in the repository on the ePO server and on the Agent Handlers.

A common mistake is to start McAfee Agent Deployment tasks right away on some pilot endpoints to verify that the package deployed using ePO is working. Often this deployment does not work and nothing happens on the endpoints, because these endpoints are using other repositories where the new ePO package is not available yet.

To address this, it is important that the Master Repository is replicated to all repositories except SuperAgent Lazy Cache, where replication is not recommended as the Lazy Cache function will automatically pick up the new content when it is requested by an endpoint. (Note: it can take up to 30 min for the SuperAgent lazy cache to flush before the repository contains the information about the updated content in the Master Repository.) For all non-Lazy Cache repositories, make sure to start a repository replication from ePO so the new ePO package is distributed and available on all repositories.

6.4 Check the content of the ePO package

Before checking the new ePO package into the Master Repository, it is recommended to verify the content of the package - the .ZIP file generated in the Build directory by EEDK.

There have been situations where the ZIP package was created but did not contain the files selected in the EEDK tool.

The ePO package .ZIP file should contain all the files selected in the EEDK tool and a few control files.

Example of a simple ePO package named EICARTES1000.ZIP with a CMD script. The ZIP file contains 3 files:

drop_test_file.cmd (the script)
EICARTES1000-det.mcs (added by EEDK for detection if “your application” is installed)
PkgCatalog.z (details about the files in the package for integrity verification)


The PkgCatalog.z and the <package name>-det.mcs file are created by the EEDK tool. These two files are always added to the ePO package generated by EEDK.

PkgCatalog.z is an encrypted file which contains information about all the files in the package.

<package name>-det.mcs contains information about the registry key which can be used to verify if the application deployed in the package is installed. IMPORTANT: This is very useful if your package contains an application installation and you only want the McAfee Agent to download and attempt the installation if the application is not already installed.
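The check-before-check-in step described above can be scripted. The following Python script is an added example, not part of EEDK or of the original guide: it opens the built .ZIP and reports whether the two control files (<package name>-det.mcs and PkgCatalog.z) and every source file selected in the EEDK GUI are present and non-empty. The sample package it builds in memory is constructed placeholder data, not real EEDK output, and it does not decrypt or validate the contents of PkgCatalog.z.

```python
"""Pre-check-in verification of an EEDK-built ePO package (.ZIP).

Added example, not part of the EEDK tool or the original guide.  It checks what
section 6.4 asks for: the two control files EEDK always adds and every source
file selected in the EEDK GUI.  Sample data in build_sample_package() is
constructed for demonstration only.
"""
import io
import zipfile
from pathlib import PurePosixPath


def verify_epo_package(zip_bytes, package_name, expected_files):
    """Return a dict describing what is present and what is missing.

    zip_bytes      -- raw bytes of the .ZIP produced in the EEDK Build directory
    package_name   -- EEDK product name + product ID, e.g. "EICARTES1000"
    expected_files -- names of the files selected as source in the EEDK GUI
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        # Skip directory entries; compare on the bare file name.
        infos = [i for i in zf.infolist() if not i.filename.endswith("/")]
    names = {PurePosixPath(i.filename).name for i in infos}
    # A zero-byte entry is as bad as a missing one: the agent would run nothing.
    empty = sorted(PurePosixPath(i.filename).name for i in infos if i.file_size == 0)

    # The control files EEDK adds to every package (section 6.4).
    control_files = [f"{package_name}-det.mcs", "PkgCatalog.z"]
    missing_control = [f for f in control_files if f not in names]
    missing_source = [f for f in expected_files if f not in names]
    # Files neither selected nor added by EEDK: worth a look, but not a failure
    # by itself, since a source directory may legitimately hold more files.
    unexpected = sorted(names - set(control_files) - set(expected_files))

    return {
        "ok": not missing_control and not missing_source and not empty,
        "missing_control_files": missing_control,
        "missing_source_files": missing_source,
        "empty_files": empty,
        "unexpected_files": unexpected,
    }


def build_sample_package(include_script=True, extra_files=(),
                         catalog_bytes=b"\x00placeholder catalog"):
    """Construct a stand-in for EICARTES1000.ZIP in memory (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        if include_script:
            zf.writestr("drop_test_file.cmd", "@echo off\r\nREM placeholder script\r\n")
        zf.writestr("EICARTES1000-det.mcs", "placeholder detection file")
        zf.writestr("PkgCatalog.z", catalog_bytes)
        for name in extra_files:
            zf.writestr(name, "placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    import sys

    # Usage: verify_epo_package.py <package.zip> <package_name> [source_file ...]
    if len(sys.argv) < 3:
        sys.exit("usage: verify_epo_package.py <package.zip> <package_name> [source_file ...]")
    with open(sys.argv[1], "rb") as fh:
        result = verify_epo_package(fh.read(), sys.argv[2], sys.argv[3:])
    for key, value in result.items():
        print(f"{key}: {value}")
    sys.exit(0 if result["ok"] else 1)
```

Run it against the real .ZIP from the Build directory, giving the product name and ID from the EEDK GUI and the names of the files you selected; a non-zero exit means the package should not be checked in.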

6.5 Windows 10 - EEDK missing some DLL files for performing build

This issue has been seen on Windows 10. When the EEDK tool is set to build the package, it fails with a missing DLL file error for a DLL needed by ePOSign.exe.

Windows 10: add the two runtime files msvcp71.dll and msvcr71.dll to the directory where EEDK.EXE and ePOSign.EXE are located. These files can be found in the McAfee Agent 4.8 folder or the HIPS 8.0 folder.


7 Examples for Windows

7.1 Example of simple Batch script for EEDK

Simple batch script:

@echo off
:: Get number of input parameters
set argC=0
for %%x in (%*) do Set /A argC+=1
:: ################################################
:: Set environment to current product folder
pushd "%~dp0"
:: Get software package source directory and set as variable SRCDIR
SET SRCDIR=
for /f "delims=" %%a in ('cd') do @set SRCDIR=%%a
if %argC%==0 GOTO INSTALL
if /I "%1"=="uninstall" GOTO UNINSTALL
:INSTALL
%comspec% /c %systemroot%\system32\msiexec.exe /i "%SRCDIR%\McProfilerSetup.msi" /quiet
GOTO END
:UNINSTALL
:: msiexec /X takes the product code or the path to the .msi, so point it at the packaged file
%comspec% /c %systemroot%\system32\MsiExec.exe /X "%SRCDIR%\McProfilerSetup.msi" /quiet
:END
goto EOF
:: Exit and pass proper exit to agent
:: ################################################
:EOF
popd
Exit /B 0

7.2 Example of Batch script with parameters for EEDK

Usage of parameters passed via the command line option in the ePO Client Task.

@echo off
REM McAfee
REM Sets our environment to the current product folder
REM ################################################
pushd "%~dp0"
SET SRCDIR=
for /f "delims=" %%a in ('cd') do @set SRCDIR=%%a
REM Get number of input parameters
set argC=0
for %%x in (%*) do Set /A argC+=1
REM Work goes here
REM ################################################
if %argC%==0 GOTO RUN_DEFAULT
GOTO RUN_WITH_PARAM
:RUN_DEFAULT
REM %COMSPEC% /C ""%ProgramFiles%\McAfee\McAfee Profiler\McProfiler.exe" /Save "C:\Profiler.mpr" /Time 5 /Silent"
%COMSPEC% /C ""%ProgramFiles%\McAfee\McAfee Profiler\McProfiler.exe" /Silent /Time 10 /Save "C:\Profiler_%COMPUTERNAME%.mpr""
GOTO END
:RUN_WITH_PARAM
REM Everything given as parameter in the Client Task is passed on to McProfiler.exe
set cmdstr=%*
%COMSPEC% /C ""%ProgramFiles%\McAfee\McAfee Profiler\McProfiler.exe" /Silent %cmdstr%"
GOTO END
REM Example: %ProgramFiles%\McAfee\McAfee Profiler\McProfiler.exe /Silent /Time 5 /Save "C:\Profiler.mpr"
REM Exit with proper exit code for McAfee Agent
REM ################################################
:END
popd
Exit /B 0

7.3 Example of VBScript

Finally managed to create a package using this wonderful tool which will run an executable that will make a port exception for the ePO agent wake-up call.

Basically, the Visual Basic script called run_invisible is shown below.

Set WshShell = CreateObject("WScript.Shell")
WshShell.RUN "cmd /c netsh firewall add portopening protocol=TCP port=8081 name=McAfeeAgentWake-UpCalls scope=custom addresses=10.1.2.32", 0

This script creates the firewall exception using cmd running silently.

7.4 Using AutoIT script and CustomProps

AutoIt v3 is a freeware BASIC-like scripting language designed for automating the Windows GUI and general scripting. It uses a combination of simulated keystrokes, mouse movement and window/control manipulation in order to automate tasks in a way not possible or reliable with other languages.

https://www.autoitscript.com/site/

Example of an AutoIt script:

;=============================================================================
; Author: Steen Pedersen
; AutoIt script written 20150816
; Intel Security Professional Services
; Identify Systems Install Date and write to CustomProps3
;=============================================================================
;#include <StringConstants.au3>
;#include <MsgBoxConstants.au3>
#include <Date.au3>

; Pick the registry view matching the OS architecture
Func DetectInfrastructure()
    If @ProcessorArch = "X86" Then
        $HKLM = "HKEY_LOCAL_MACHINE"
    EndIf
    If @ProcessorArch = "X64" Then
        $HKLM = "HKEY_LOCAL_MACHINE64"
    EndIf
EndFunc

;Temp Strings
Local $HKLM, $CustomProps, $McAfee_reg, $install_date_value, $install_date
DetectInfrastructure()
$CustomProps=$HKLM&"\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent\CustomProps"
If @ProcessorArch = "X86" Then
    $CustomProps=$HKLM&"\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent\CustomProps"
    $McAfee_reg=$HKLM&"\SOFTWARE\Network Associates\ePolicy Orchestrator"
EndIf
If @ProcessorArch = "X64" Then
    $CustomProps=$HKLM&"\SOFTWARE\Wow6432Node\Network Associates\ePolicy Orchestrator\Agent\CustomProps"
    $McAfee_reg=$HKLM&"\SOFTWARE\Wow6432Node\Network Associates\ePolicy Orchestrator"
EndIf
;MsgBox(4096, "CustomProps", $CustomProps) ;DEBUG

; InstallDate is seconds since 1970-01-01 (Unix epoch); convert it to a readable date
$install_date_value= RegRead($HKLM&"\SOFTWARE\Microsoft\Windows NT\CurrentVersion" , "InstallDate")
$install_date = _DateAdd( 's',$install_date_value, "1970/01/01 00:00:00")
;MsgBox(4096, "CustomProps", $install_date) ;DEBUG
;MsgBox($MB_SYSTEMMODAL, "Read", $CustomProps+$TRDLPS)
;MsgBox($MB_SYSTEMMODAL, "Customprops", $CustomProps)

;Clear CustomProps
;RegWrite($CustomProps, "CustomProps1", "REG_SZ", "")
;RegWrite($CustomProps, "CustomProps2", "REG_SZ", "")
RegWrite($CustomProps, "CustomProps3", "REG_SZ", $install_date_value&" - "&$install_date)
;RegWrite($CustomProps, "CustomProps4", "REG_SZ", "")

;Send Communication to ePO
$MAAGENT_PATH = RegRead($McAfee_reg&"\Agent", "Installed Path")
$MAAGENT_CMDAGENT = $MAAGENT_PATH & "\CMDAGENT.EXE"
;MsgBox(4096, "CMDAGENT", $MAAGENT_CMDAGENT) ;DEBUG
; CMDAGENT /P sends the updated properties (including CustomProps) to ePO
Run($MAAGENT_CMDAGENT & " /P")
;if @error then
;    MsgBox(4096, "Run CMDAGENT", @error)
;EndIf

7.5 Generate an EICAR test file on Windows

A very simple example of creating an EICAR test file on a Windows system for test purposes. It will drop an eicar.com in the %TEMP% folder, or create the EICAR test file at the path and filename specified as a command line parameter in the McAfee Agent Deployment Task.

@echo off
REM ####################################################################
REM Intel Security - Write eicar test file to specified location
REM Sets our environment to the current product folder
REM Information about EICAR http://www.eicar.org/86-0-Intended-use.html
REM ####################################################################
pushd "%~dp0"
SET SRCDIR=
for /f "delims=" %%a in ('cd') do @set SRCDIR=%%a
if %*!==! GOTO RUN_DEFAULT
GOTO RUN_WITH_PARAM
:RUN_DEFAULT
SET Target_file=%TEMP%\eicar.com
GOTO WRITE_TARGET_FILE
:RUN_WITH_PARAM
SET Target_file=%*
GOTO WRITE_TARGET_FILE
:WRITE_TARGET_FILE
REM Write the Eicar test file to specified folder
REM %% and ^^ are batch escapes for the literal % and ^ in the EICAR string
echo X5O!P%%@AP[4\PZX54(P^^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*>"%target_file%"
REM Exit with proper exit code for McAfee Agent
REM ####################################################################
:END
popd
Exit /B 0

7.6 Access Protection rule test

The script will attempt to write %ProgramFiles(x86)%\McAfee\VirusScan Enterprise\testfile.txt, which will create an Access Protection event. If a path and filename is added as a parameter in the McAfee Deployment Task, it will drop a file at the path and filename specified. This can be used for other tests.

@echo off
REM ####################################################################
REM Intel Security - Write test file to VSE file location
REM Sets our environment to the current product folder
REM ####################################################################
pushd "%~dp0"
SET SRCDIR=
for /f "delims=" %%a in ('cd') do @set SRCDIR=%%a
if %*!==! GOTO RUN_DEFAULT
GOTO RUN_WITH_PARAM
:RUN_DEFAULT
SET Target_file=%ProgramFiles(x86)%\McAfee\VirusScan Enterprise\testfile.txt
GOTO WRITE_TARGET_FILE
:RUN_WITH_PARAM
SET Target_file=%*
GOTO WRITE_TARGET_FILE
:WRITE_TARGET_FILE
REM Write the test file to folder
echo Just some text >"%target_file%"
REM Exit with proper exit code for McAfee Agent
REM ####################################################################
:END
popd
Exit /B 0

7.7 Copy VSE log files to collection point

Simple script which will collect VSE log files to a central collection point, in this example a UNC share. Later there are examples with FTPS collection points.

@echo off
:: Get number of input parameters
set argC=0
for %%x in (%*) do Set /A argC+=1
:: Set environment to current product folder
pushd "%~dp0"
:: Get software package source directory and set as variable SRCDIR
::SET SRCDIR=
::for /f "delims=" %%a in ('cd') do @set SRCDIR=%%a
:: The UNC share for the collection point is given as parameter in the Deployment Task;
:: without it there is nowhere to copy to, so exit instead of creating a folder in the root
if %argC%==0 goto EOF
set cmdstr=%*
MD "%cmdstr%\%COMPUTERNAME%"
%comspec% /c COPY "%PROGRAMDATA%\McAfee\DesktopProtection\*.*" "%cmdstr%\%COMPUTERNAME%"
:END
goto EOF
:: Exit and pass proper exit to agent
:EOF
popd
Exit /B 0

7.8 GetSusp with encrypted upload to FTPS server

Script which will collect VSE log files and upload these over FTPS to a central collection point FTPS server. This script would therefore be able to cover multiple domains and external systems (if these are communicating with an Internet facing Agent Handler and the FTPS server is available on the Internet). McAfee Tool Exchange will contain a ZIP package with the ePO Package FTPS_GET100x.zip and information about how to set up an FTPS server using FileZilla.

@echo off
REM Intel Security 2016 – Steen Pedersen
REM Sets our environment to the current product folder
REM ################################################
REM 1. Parameter = local dir
REM 2. Parameter = IP and port for FTPS server
REM 3. Parameter = FTPS username
REM 4. Parameter = FTPS password
REM 5. Parameter = Folder name for the Files on the FTPS Server
REM
REM Example FTPS_GETSUSP %TEMP% 172.16.214.212:990 ftp_username ftp_password GetSusp_Collector
REM
REM Note: the FTPS password is passed as a task parameter and is visible on the command line
REM of the running script, so use an upload-only account dedicated to this collection point.
pushd "%~dp0"
SET SRCDIR=
for /f "delims=" %%a in ('cd') do @set SRCDIR=%%a
REM Work goes here
REM ################################################
if "%*" == "" (EXIT /B 0) Else (set cmdstr=%*)
if "%5" == "" (set dir_group=GetSusp) Else (set dir_group=%5)
if "%4" == "" (EXIT /B 0)
set ftppass=%4
set ftpuser=%3
set ftphost=%2
set localdir=%1
set ZIPPATH=%localdir%\%COMPUTERNAME%
echo ------------------
REM Finalize target FTPS dir
REM set ftpdir=%COMPUTERNAME%/%dir_group%/%current_date_time%
set ftpdir=%COMPUTERNAME%/%dir_group%
setlocal enableDelayedExpansion
REM GOTO EOF
REM Run GetSusp first
ECHO Run GetSusp and save result in %ZIPPATH%
%COMSPEC% /C "%SRCDIR%\getsusp.exe" --SILENT --EPO --ZIPPATH=%ZIPPATH%
ECHO Result = %ERRORLEVEL%
REM The unconditional goto below uploads whatever was collected regardless of the return code;
REM remove it to upload only when GetSusp returns 3
goto upload_result
IF %ERRORLEVEL%==3 (
    Echo Got returncode 3 from GetSusp
    goto upload_result
)
ECHO Nothing collected
GOTO EOF
:upload_result
REM *************COPY Results********************
REM Create Directory
REM --insecure skips TLS certificate validation: the upload is encrypted but the server is not
REM authenticated. For production, replace --insecure with --cacert <path to the server CA .pem>.
ECHO Create Directory on FTPS server
curl --ftp-ssl --insecure ftps://%ftphost%/%ftpdir%/ --user %ftpuser%:%ftppass% --ftp-create-dirs
echo Localdir = %ZIPPATH%
Echo Copy files
for /F "delims=" %%x in ('dir /B /A-D "%ZIPPATH%"') do (
    set FILENAME="%ZIPPATH%\%%x"
    echo !FILENAME!
    curl -T !FILENAME! --ftp-ssl --insecure ftps://%ftphost%/%ftpdir%/ --user %ftpuser%:%ftppass%
)
REM ****** COPY Logs directory *********
Set ZIPPATH=%ZIPPATH%\Logs
REM FTP URL paths use forward slashes
set ftpdir=%ftpdir%/Logs
curl --ftp-ssl --insecure ftps://%ftphost%/%ftpdir%/ --user %ftpuser%:%ftppass% --ftp-create-dirs
for /F "delims=" %%x in ('dir /B /A-D "%ZIPPATH%"') do (
    set FILENAME="%ZIPPATH%\%%x"
    echo !FILENAME!
    curl -T !FILENAME! --ftp-ssl --insecure ftps://%ftphost%/%ftpdir%/ --user %ftpuser%:%ftppass%
)
:EOF
REM Exit with proper exit code for McAfee Agent
REM ################################################
popd
Exit /B 0


8 Examples for Linux

A few simple examples for Linux.

8.1 Generate an EICAR test file on Linux

A very simple example of creating an EICAR test file on a Linux system, which can generate a virus alert for test purposes. The test file will be dropped in /tmp/eicar.com.

#!/bin/sh
# Intel Security - Steen Pedersen - Write test eicar to /tmp/eicar.com
# Information about EICAR: go to www.eicar.org
# The test string is stored ROT13-encoded and decoded with tr on the way out.
# printf is used instead of echo because the echo built-in of some /bin/sh
# implementations (for example dash) interprets backslash sequences.
printf '%s\n' 'K5B!C%@NC[4\CMK54(C^)7PP)7}$RVPNE-FGNAQNEQ-NAGVIVEHF-GRFG-SVYR!$U+U*' | tr 'A-Za-z' 'N-ZA-Mn-za-m' > /tmp/eicar.com
# Marker file showing the script ran
echo test2 > /tmp/test2.txt
exit 0


9 Share for central collection point

A share must be available to collect the reports centrally. The security permissions on this share must be set so that the SYSTEM account can create, write and modify files in the share. The scripts are launched as the SYSTEM account, because it is the McAfee Agent that handles ePO Client Task execution on the endpoint.

The following steps describe how to configure a shared folder with the permissions needed for this to work (Windows 2008 R2):

1. Create a Report folder for the share on the file server

2. Right-click the Report folder and select Properties.

3. Select the Sharing tab and then click Advanced sharing. Select the Sharing this folder option.

4. Add the share name report$ and click Apply. The $ ensures that the share is hidden.

5. Click Permissions and allow Full Control to Everyone. Click OK twice.

6. Click the Security tab and then click Advanced.

7. On the Permissions tab, click Change Permissions and deselect the Include inheritable permissions from the object's parent option. A confirmation message explains the effect this change will have on the folder.

8. Click Remove. The Permissions tab on the Advanced Security Settings dialog box shows all permissions eliminated.

9. Click Add to select an object type.

10. In the Enter the object name to select text box, type Domain Computers (click Check Names to verify the name of the object), then click OK to display the Permission Entry dialog box. In the Allow column, select List folder/Read data, Read attributes, Read extended attributes, Create files/Write data, Write attributes, Write extended attributes, Create folders/Append data, Delete subfolders and files and Delete. Verify that the Apply to option says This folder, subfolders and files, then click OK. The Advanced Security Settings dialog box now includes Domain Computers.

11. Click Add to select an object type.

12. In the Enter the object name to select text box, type Administrators, then click OK to display the Permission Entry dialog box. Set the Full control permissions.

13. Click OK twice to close the dialog box and then Close to close the File/Folder Properties.
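The GUI procedure above can also be scripted. The following PowerShell is an added example, not part of the EEDK guide; it assumes an elevated session on the file server (Windows Server 2012 or later, for the SmbShare cmdlets), the placeholder folder D:\Report and the placeholder domain CONTOSO. Domain Computers is the group to grant because the SYSTEM account of a domain-joined endpoint authenticates to a network share as that endpoint's computer account.

```powershell
# Added example (not from the EEDK guide): create the hidden report$ share and apply
# the NTFS permissions from the procedure above. Placeholders: D:\Report, CONTOSO.
# Requires an elevated session; New-SmbShare needs Windows Server 2012 / Windows 8 or later.

$Path      = 'D:\Report'   # placeholder: the Report folder on the file server (step 1)
$ShareName = 'report$'     # the trailing $ hides the share from browse lists (step 4)
$Domain    = 'CONTOSO'     # placeholder NetBIOS domain name

New-Item -ItemType Directory -Path $Path -Force | Out-Null

# Share-level permission: Full Control for Everyone (step 5). Effective access is the
# more restrictive of share and NTFS permissions, so the NTFS ACL below governs.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $Path -FullAccess 'Everyone' | Out-Null
}

# The exact rights listed in step 10, applied to "This folder, subfolders and files".
$computerRights = [System.Security.AccessControl.FileSystemRights]::ListDirectory -bor
                  [System.Security.AccessControl.FileSystemRights]::ReadAttributes -bor
                  [System.Security.AccessControl.FileSystemRights]::ReadExtendedAttributes -bor
                  [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
                  [System.Security.AccessControl.FileSystemRights]::WriteAttributes -bor
                  [System.Security.AccessControl.FileSystemRights]::WriteExtendedAttributes -bor
                  [System.Security.AccessControl.FileSystemRights]::CreateDirectories -bor
                  [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
                  [System.Security.AccessControl.FileSystemRights]::Delete
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

$computers = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$Domain\Domain Computers", $computerRights, $inherit, $propagate, 'Allow')
$admins = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Administrators', 'FullControl', $inherit, $propagate, 'Allow')

$acl = Get-Acl -Path $Path
# Steps 7-8: stop inheriting from the parent and discard the inherited entries
# ($false = do not keep copies of them as explicit entries).
$acl.SetAccessRuleProtection($true, $false)
$acl.AddAccessRule($computers)   # step 10
$acl.AddAccessRule($admins)      # step 12
Set-Acl -Path $Path -AclObject $acl

# Verify: only the two explicit entries should remain, none of them inherited.
(Get-Acl -Path $Path).Access |
    Select-Object IdentityReference, FileSystemRights, IsInherited, InheritanceFlags |
    Format-Table -AutoSize
```

Afterwards run the check in 9.1 (psexec /s) from an endpoint to confirm the write succeeds; if it fails, verify that the endpoint's computer account is a member of Domain Computers and that no deny entry exists on the share or folder.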


Another option is creating a Null Session Share. Note that a null session share allows unauthenticated (anonymous) access to the share, so prefer the Domain Computers permissions described above where possible. For information read:

http://support.microsoft.com/kb/124184

https://www.ibm.com/developerworks/community/wikis/home?lang=en#/wiki/Tivoli%20Endpoint%20Manager/page/Creating%20a%20Null%20Session%20Share

9.1 Test share with System Account

The ability of the SYSTEM account to write to the share can be tested with PSEXEC. PSEXEC can be downloaded from this site: http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx

Run this command line: psexec.exe /s /i cmd.exe

From this new command line, running as SYSTEM, it is possible to verify the write permission to the network share. Use the command line: echo test >\\win-srv001\report$\t0.txt

Then verify that the t0.txt file is created on the share.


10 Tools

Important tools with notes and links.

10.1 Tools for Hash MD5, SHA1, SHA256

Download GetSusp: http://www.mcafee.com/us/downloads/free-tools/getsusp.aspx

FAQs for GetSusp: https://kc.mcafee.com/corporate/index?page=content&id=KB69385

Introduction to GetClean 1.0: https://kc.mcafee.com/corporate/index?page=content&id=KB73044

GetClean Product Guide: https://kc.mcafee.com/corporate/index?page=content&id=PD23191

SysInternals Sigcheck (use -h to show file hashes): https://technet.microsoft.com/en-us/sysinternals/bb897441.aspx

File Checksum Integrity Verifier (FCIV), a Microsoft tool to collect MD5 and SHA hashes: https://support.microsoft.com/en-us/kb/841290

10.2 GetSusp

GetSusp is a free tool that helps you find and log undetected malware, and allows you to automatically submit samples to McAfee Labs. To find suspicious files, GetSusp uses heuristics and compares samples against the Global Threat Intelligence (GTI) database of known clean files. When you analyze a suspect computer, use GetSusp first.

Download GetSusp

The build below is for McAfee ePO administrators.

Download GetSusp-ePO

10.2.1 How to use GetSusp

http://www.mcafee.com/us/downloads/free-tools/how-to-use-getsusp.aspx

For a list of Frequently Asked Questions on GetSusp, see article KB69385.

Features

Delivered as a single executable file with no installation required.


Option to run in different modes: GUI and command line.

Can submit samples, or only an MD5 list of the files, to McAfee Labs for analysis.

Leverages GTI File Reputation to determine if the sample is suspicious.

Records system and installed McAfee product information, date of execution and details of suspected files.

GetSusp supports Windows XP SP2, 2003 SP2, Vista SP1, 2008, 7 and 8.

How to use McAfee GetSusp

1. Download the latest version of GetSusp. When prompted, choose to save the executable file to a convenient location on your hard disk. We recommend creating a folder specifically for GetSusp.

2. Once downloaded, launch the GetSusp.exe file.

3. The McAfee GetSusp interface will be displayed.

4. If necessary, click Preferences to specify your email address to receive an acknowledgement from McAfee Labs for sample submissions. By default, suspicious files are submitted to McAfee Labs in online mode.


5. Click the Scan Now button to begin scanning the system. A EULA prompt asks for user acceptance every time a scan is initiated; the license agreement must be accepted in order to proceed.

6. A typical GetSusp system scan takes around three to five minutes. A summary is provided at the end of the scan, and the scan report is launched.


7. Visit the McAfee malware community site or contact McAfee technical support for help in troubleshooting your machine or removing malware.

10.3 GetClean

GetClean is a McAfee Labs initiative to minimize false-positive detections in the field. The GetClean program aims to prevent false positives on your COE (Common Operating Environment) image files. To achieve this, a tool with the same name is executed on COE computers or known clean software repositories to harvest clean files.

GetClean uses Global Threat Intelligence (GTI) for file reputation lookup and reports only files that are unknown to McAfee Labs, or falsely classified. You can also submit metadata, or samples and metadata, to McAfee Labs. This greatly reduces the number of files you need to submit and eliminates duplicate submissions. The average GetClean scan time on a computer is 60-90 minutes, and the average .zip file size of samples collected is 200-350 MB. The McAfee Labs dedicated Whitelisting team analyzes, validates, and processes the files you submit before adding them to the GTI whitelist and to the McAfee Labs test systems, where they are scanned before each new DAT release.

Introduction to GetClean 1.0: https://kc.mcafee.com/corporate/index?page=content&id=KB73044

GetClean Product Guide: https://kc.mcafee.com/corporate/index?page=content&id=PD23191

10.4 Sigcheck – Sysinternals/Microsoft

Download SigCheck 2.x

http://technet.microsoft.com/en-gb/sysinternals/bb897441.aspx

http://www.ghacks.net/2013/10/28/use-microsofts-sigcheck-2-0-check-files-folder-virustotal/


Introduction

Sigcheck is a command-line utility that shows file version number, timestamp information, and digital signature details, including certificate chains. It also includes an option to check a file's status on VirusTotal, a site that performs automated file scanning against over 40 antivirus engines, and an option to upload a file for scanning.

usage: sigcheck [-a][-h][-i][-e][-n][[-s]|[-c|-ct]|[-m]][-q][-r][-u][-vt][-v[r][n]][-f catalog file] <file or directory>

-a Show extended version information
-c CSV output with comma delimiter
-ct CSV output with tab delimiter
-e Scan executable images only (regardless of their extension)
-f Look for signature in the specified catalog file
-h Show file hashes
-i Show catalog name and image signers
-m Dump manifest
-n Only show file version number
-q Quiet (no banner)
-r Disable check for certificate revocation
-s Recurse subdirectories
-u If VirusTotal check is enabled, show files that are unknown by VirusTotal or have non-zero detection, otherwise show only unsigned files.
-v[rn] Query VirusTotal (www.virustotal.com) for malware based on file hash. Add 'r' to open reports for files with non-zero detection. Files reported as not previously scanned will be uploaded to VirusTotal unless the 'n' option is specified. Note scan results may not be available for five or more minutes.
-vt Before using VirusTotal features, you must accept VirusTotal terms of service. See: https://www.virustotal.com/en/about/terms-of-service/. If you haven't accepted the terms and you omit this option, you will be interactively prompted.

One way to use the tool is to check for unsigned files in your \Windows\System32 directories with this command:

sigcheck -u -e c:\windows\system32

You should investigate the purpose of any files that are not signed.

Pasted from <http://technet.microsoft.com/en-gb/sysinternals/bb897441.aspx>

Skip the EULA license message when running SysInternals tools:

-accepteula


Pasted from <http://forum.sysinternals.com/eula-prompt-when-running-pstools_topic8783_page7.html>

Example for checking the Windows System32 folder, listing hashes and VirusTotal results (-v enables the VirusTotal hash lookup, -vt accepts the VirusTotal terms of service, -ct writes tab-delimited CSV):

sigcheck -accepteula -h -u -s -e -v -vt -ct c:\windows\system32 >sig1.csv
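Reviewing that CSV by hand is slow on a full System32 listing. The PowerShell function below is an added example, not from the EEDK guide or from Sysinternals; it assumes sigcheck 2.x column names (Path, Verified, Publisher, SHA256, VT detection, VT link) and that the redirected report is UTF-16 (hence Import-Csv -Encoding Unicode), and it runs against constructed sample rows with placeholder hash values so it can be tried without a real report.

```powershell
# Added example (not from the EEDK guide or from Sysinternals): triage the tab-delimited
# report written by the sigcheck command above.
# Assumptions: column names are those of sigcheck 2.x ("Path", "Verified", "Publisher",
# "SHA256", "VT detection", "VT link"), the redirected output is UTF-16 (Unicode), and
# the sample rows below are constructed, with placeholder hash values.

function Get-SigcheckFindings {
    [CmdletBinding(DefaultParameterSetName = 'File')]
    param(
        [Parameter(Mandatory, ParameterSetName = 'File')] [string]$Path,
        [Parameter(Mandatory, ParameterSetName = 'Text')] [string]$Text,
        [string]$Encoding = 'Unicode'   # assumption: sigcheck writes UTF-16 when redirected
    )
    $rows = if ($PSCmdlet.ParameterSetName -eq 'File') {
        Import-Csv -Path $Path -Delimiter "`t" -Encoding $Encoding
    } else {
        ConvertFrom-Csv -InputObject $Text -Delimiter "`t"
    }

    foreach ($row in $rows) {
        # "VT detection" is "hits/engines", e.g. "3/57"; anything else means no result yet.
        $hits = 0; $engines = 0
        if ($row.'VT detection' -match '^(\d+)/(\d+)$') {
            $hits    = [int]$Matches[1]
            $engines = [int]$Matches[2]
        }
        $unsigned = ($row.Verified -ne 'Signed')
        if (-not $unsigned -and $hits -eq 0) { continue }   # signed and clean: nothing to review

        $reasons = @()
        if ($unsigned)   { $reasons += 'unsigned' }
        if ($hits -gt 0) { $reasons += 'vt-detection' }

        [pscustomobject]@{
            Path       = $row.Path
            Verified   = $row.Verified
            Publisher  = $row.Publisher
            Detections = $hits
            Engines    = $engines
            SHA256     = $row.SHA256     # pivot value for GetSusp / GetClean submissions
            Reason     = ($reasons -join ',')
        }
    }
}

# Constructed sample in the layout of the real file: header plus three rows covering
# a signed clean file, an unsigned file, and a signed file with VirusTotal detections.
$header = 'Path','Verified','Date','Publisher','Company','Description','Product',
          'Product Version','File Version','Machine Type','MD5','SHA1','PESHA1',
          'PESHA256','SHA256','IMP','VT detection','VT link'
$sampleRows = @(
    @('c:\windows\system32\kernel32.dll','Signed','1:00 AM 1/1/2016','Microsoft Windows','Microsoft Corporation','Windows NT BASE API Client DLL','Microsoft Windows Operating System','6.1.7601.23418','6.1.7601.23418','64-bit','<md5-1>','<sha1-1>','<pesha1-1>','<pesha256-1>','<sha256-1>','<imp-1>','0/57','https://www.virustotal.com/file/<sha256-1>/analysis/'),
    @('c:\windows\system32\vendor_helper.exe','Unsigned','2:00 AM 1/1/2016','n/a','Example Vendor','Helper service','Example Suite','1.0.0.0','1.0.0.0','32-bit','<md5-2>','<sha1-2>','<pesha1-2>','<pesha256-2>','<sha256-2>','<imp-2>','0/57','https://www.virustotal.com/file/<sha256-2>/analysis/'),
    @('c:\windows\system32\updater.exe','Signed','3:00 AM 1/1/2016','Example Signer','Example Co','Updater','Example Updater','2.3.0.0','2.3.0.0','32-bit','<md5-3>','<sha1-3>','<pesha1-3>','<pesha256-3>','<sha256-3>','<imp-3>','4/57','https://www.virustotal.com/file/<sha256-3>/analysis/')
)
$sampleText = ((,$header) + $sampleRows | ForEach-Object { $_ -join "`t" }) -join "`n"

# Expected: updater.exe (4 detections) and vendor_helper.exe (unsigned); kernel32.dll is skipped.
Get-SigcheckFindings -Text $sampleText | Sort-Object Detections -Descending | Format-Table -AutoSize
```

Against a real report call Get-SigcheckFindings -Path .\sig1.csv and export the result for review. Because -v uploads files VirusTotal has not seen unless the n option is added (-vn), run with -vn first on systems that may hold internal or licensed binaries, and submit only after reviewing what is unknown.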


11 Acronyms and Terms

ePO ePolicy Orchestrator

AH Agent Handler: Component of ePO used to communicate with agents installed on endpoints

MA McAfee Agent

SA McAfee SuperAgent

VSE McAfee VirusScan Enterprise

HIPS Host Intrusion Prevention

EEDK ePO Endpoint Deployment Kit

FIM File Integrity Monitor

MAC McAfee Application Control

MCC McAfee Change Control

MDE McAfee Device Encryption (previously known as EEPC)

EEPC Endpoint Encryption for PC (now named MDE)

MOVE Management for Optimized Virtual Environments

MVM McAfee Vulnerability Manager

DLPE Data Loss Prevention for Endpoints (previously known as HDLP)

HDLP Host Data Loss Prevention (now named DLPE)

NDLP Network Data Loss Prevention

FRP McAfee File and Removable Media Protection (previously known as EEFF)

EEFF McAfee Endpoint Encryption for Files and Folders (now named FRP)

EERM Endpoint Encryption for Removable Media (now named FRP)

NSP Network Security Platform

PA Policy Auditor

RA Risk Advisor

SIEM Security Information and Event Management (Nitro)

Admin: ePO administrator or network administrator (previously Global Admin)

ASCI: Agent-server communication interval

ASSC: Agent-to-server secure communication

Agent: McAfee software used to manage point products on endpoint machines


GUID: Globally Unique Identifier; random 64-bit value used specifically by ePO

Policy: Settings and configurations applied to point-products on endpoint machines

Repository: Collection of the software used to deploy and update point-products on endpoint machines

RSD Rogue System Detection Sensor

CEE Complete Protection Enterprise Suite

PBA Pre-Boot Authentication – Small OS loaded before the Windows OS

AD Active Directory

ALDU Add Local Domain User

BIOS Basic Input/Output System

DN Domain Name

DE Drive Encryption

DEAgent Drive Encryption Agent

EFI Extensible Firmware Interface

GPT GUID Partition Table

LDAP Lightweight Directory Access Protocol

MBR Master Boot Record

NIST National Institute of Standards and Technology

OS Operating System

OU Organizational Unit

SSO Single Sign On

UBP User-Based Policy

UEFI Unified Extensible Firmware Interface