Mcafee Epo 4.0 Documentation


  • 8/3/2019 Mcafee Epo 4.0 Documentation

    1/36

    Confidential Taarak India Pvt. Ltd

    A-22 Green Park New Delhi 110016

    Phone:- 01146105555 Fax 011-26561953 5/14/2009

    McAfee ePolicy Orchestrator 4.0 Documentation

    Customer: Honda Motors and Scooters India Ltd

    Title: McAfee ePolicy Orchestrator 4.0

    Document Name: McAfee EPO 4.0 Document

    Preparation

    Prepared by: Deepak Chauhan

    Reviewed by: Gurvinder Singh


    Table of Contents

    1. Overview of EPO 4.0

    2. Installation Process

    3. Login Process

    4. How to add software Packages

    5. Create schedule Update Task

    6. Create and modify Policy

    7. Configuring the Deployment task to install products on a managed system

    8. Modify policy on a Single System

    9. Modify Tasks on a Single System

    10. Disaster Recovery


    Overview of EPO 4.0

    ePolicy Orchestrator 4.0 components and what they do

    The ePolicy Orchestrator software is comprised of these components:

    ePO server: The center of your managed environment. The server delivers security policy and tasks, controls updates, and processes events for all managed systems.

    Master repository: The central location for all McAfee updates and signatures, residing on the ePO server. The master repository retrieves user-specified updates and signatures from McAfee or user-defined source sites.

    Distributed repositories: Placed strategically throughout your environment to provide access for managed systems to receive signatures, product updates, and product installations with minimal bandwidth impact. Depending on how your network is set up, you can set up Super Agent, HTTP, FTP, or UNC share distributed repositories.

    McAfee Agent: A vehicle of information and enforcement between the ePO server and each managed system. The agent retrieves updates, ensures task implementation, enforces policies and forwards events for each managed system.

    The ePO server

    The ePO server provides management, reporting, and enforcement capabilities and includes:

    A robust database that accrues information about product operation on the client systems in your network.

    A querying system that lets you monitor the security status in your company, and quickly act on gathered data.

    A software repository that stores the products and product updates (for example, DAT files) that you deploy to your network.

    The ePolicy Orchestrator server can segment the user population into discrete groups for customized policy management. Each server can manage up to 250,000 systems.

    The McAfee Agent

    The agent is installed on the systems you intend to manage with ePolicy Orchestrator. While running silently in the background, the agent:

    Gathers information and events from managed systems and sends them to the ePolicy Orchestrator server.


    Installs products and updates on managed systems.

    Enforces policies and tasks on managed systems and sends events back to the ePO server.

    You can deploy the agent from the console (to Windows systems) or copy the agent installation package onto removable media or into a network share for manual or login script installation on your systems. Agents must be installed manually on UNIX systems.

    2. Installation Process

    NOTE: The installation process may require you to restart the system.

    Task

    i. Log on to the desired computer using an account with local administrator permissions.

    ii. If you are using Microsoft SQL Server 2000 as the ePolicy Orchestrator database, verify that the SQL Server 2000 service is running.

    iii. Run SETUP.EXE.

    From the product CD, select the desired language in the ePolicy Orchestrator autorun window, then select Install ePolicy Orchestrator 4.0.

    From software downloaded from the McAfee website, go to the location containing the extracted files and double-click SETUP.EXE.


    NOTE: If any prerequisite software is missing from the installation target computer, a list of those items appears. Click Install. The installation process for each software item not listed as Optional begins automatically. For optional items, a dialog box appears where you can allow installation or reject it.

    NOTE: You must install the SQL 2005 Backwards Compatibility package before upgrading an ePolicy Orchestrator installation if you are using a remote database server or a local SQL 2005 server that does not already have it installed.

    iv. After completing prerequisite installations, the Welcome window of the ePolicy Orchestrator Installation wizard appears. Click Next to review the license.


    v. In the End User License Agreement dialog box, select the appropriate license type and the location where you purchased the software. The license type you select must match the license you purchased. If you are unsure which license you purchased, contact your account manager.

    vi. Accept the agreement and click OK to continue. A warning message notifies you which products are no longer supported with this version of the software. These products are not migrated to the ePolicy Orchestrator 4.0 Repository when you click Next.


    vii. In the Choose Destination Location dialog box, accept the default installation path or click Browse to select a different location, then click Next.

    viii. If installing on a cluster server, the Set Database and Virtual Server Settings dialog box appears. Otherwise the Set Administrator Information dialog box appears.

    ix. In the Set Administrator Information dialog box, type and verify the password for logging on to this ePolicy Orchestrator server for the first time, then click Next. For security reasons, ePolicy Orchestrator does not allow accounts with blank passwords.


    x. In the Set Database Information dialog box, identify the type of account and authentication details that the ePolicy Orchestrator server will use to access the database. Indicate whether ePolicy Orchestrator will use a Windows NT user account or a SQL Server user account. McAfee recommends using Windows NT authentication.

    xi. Click Next to display the HTTP Configuration dialog box. The values that were set during the original installation cannot be changed here.

    Configure the port.


    xii. Click Next. In the Default Notification Email Address dialog box, type the email address for the recipient of messages from ePolicy Orchestrator Notifications, or keep the default address. Changing the address is not required at this time.

    xiii. In the Start Copying Files dialog box, click Install to begin the installation.


    xiv. In the Installation Complete dialog box, click Finish to complete the installation.

    3. Login Process

    Logging on to ePO servers

    Use this task to log on to the ePO server. You must have valid credentials to do this. You can log on to multiple ePO servers by opening a new browser session for each ePO server.

    Task

    i. Open an Internet browser and go to the URL of the server. The Log On to ePolicy Orchestrator dialog box appears.

    ii. Type the User name and Password of a valid account.

    NOTE: Passwords are case-sensitive.

    iii. Select the Language you want the software to display.

    iv. Click Log On.


    4. How to add software Packages

    Checking in packages manually

    Use this task to manually check in the deployment packages to the master repository so that ePolicy Orchestrator can deploy them.

    Before you begin

    You must have the appropriate permissions to perform this task.

    NOTE: You cannot check in packages while pull or replication tasks are running.

    Task

    i. Go to Software | Master Repository, then click Check In Package.


    The Check In Package wizard appears.

    ii. Select the package type, then browse to and select the desired package file.

    iii. Click Next. The Package Options page appears.


    iv. Click Save to begin checking in the package. Wait while the package checks in.

    The new package appears in the Packages in Master Repository list on the Master Repository tab.

    5. Create schedule Update Task


    i. Click Edit

    ii. Select Enable and click Next


    iii. Select the HTTP and FTP McAfee site and click Next

    iv. Set the time and save the configuration


    6. Create and modify Policy

    i. Go to Systems > Policy and select the product

    ii. Click Edit Assignment


    iii. Click New Policy

    iv. Enter the policy name


    v. Now you can modify the policy

    7. Configuring the Deployment task to install products on a managed system

    i. Go to System > Client Task > click New Task


    ii. Enter the task name > select the product

    iii. Choose the products and components which you need to deploy > click Next


    iv. Select schedule type and time > click next

    v. Now click to save


    8. Modify policy on a Single System

    i. On quick Systems search > enter the system name > click Go

    ii. Click on the system name


    iii. Click More action and select > modify policy on single system

    iv. Select the product


    v. Click on edit

    vi. Choose the second option in Inherit from: > select the policy


    vii. Click Save

    The policy has been modified.


    9. Modify Tasks on a Single System

    i. On quick Systems search > enter the system name > click Go

    ii. Click on the system name


    iii. Click More action and select > modify policy on single system

    iv. Click on edit


    v. Uncheck the task and schedule setting

    vi. Select the product and click Next if you want to change the time schedule, or click to save


    Introducing Host Intrusion Prevention

    McAfee Host Intrusion Prevention is a host-based intrusion detection and prevention system that protects system resources and applications from external and internal attacks.

    Host Intrusion Prevention protects against unauthorized viewing, copying, modifying, and deleting of information and the compromising of system and network resources and applications that store and deliver information. It accomplishes this through an innovative combination of host intrusion prevention system signatures (HIPS), network intrusion prevention system signatures (NIPS), behavioral rules, and firewall rules.

    Host Intrusion Prevention is fully integrated with ePolicy Orchestrator and uses the ePolicy Orchestrator framework for delivering and enforcing policies. The division of Host Intrusion Prevention functionality into IPS, Firewall, Application Blocking, and General features provides greater control in delivering policy protections and protection levels to the users.

    Protection is provided as soon as Host Intrusion Prevention is installed. The default protection settings require little or no tuning and allow for a rapid, large-scale deployment. For greater protection, edit and add policies to tune the deployment.

    IPS feature


    The IPS (Intrusion Prevention System) feature monitors all system and API calls and blocks those that might result in malicious activity. Host Intrusion Prevention determines which process is using a call, the security context in which the process runs, and the resource being accessed. A kernel-level driver, which receives redirected entries in the user-mode system call table, monitors the system call chain. When calls are made, the driver compares the call request against a database of combined signatures and behavioral rules to determine whether to allow, block, or log an action.

    Signature rules

    Signature rules are patterns of characters that can be matched against a traffic stream. For example, a signature rule might look for a specific string in an HTTP request. If the string matches one in a known attack, action is taken. These rules provide protection against known attacks.


    A reaction is what a client does when it recognizes a signature of a specific severity. A client reacts in one of three ways:

    Ignore: No reaction; the event is not logged and the process is not prevented.

    Log: The event is logged but the process is not prevented.

    Prevent: The event is logged and the process is prevented.

    A security policy may state, for example, that when a client recognizes an Information level signature, it logs the occurrence of that signature and allows the process to be handled by the operating system; and when it recognizes a High level signature, it prevents the process.


    Exception rules

    An exception is a rule for overriding blocked activity. In some cases, behavior that a signature defines as an attack may be part of a user's normal work routine or an activity that is legal for a protected application. To override the signature, you can create an exception that allows legitimate activity. For example, an exception might state that for a particular client, a process is ignored. You can create these exceptions manually, or place clients in Adaptive mode and allow them to create client exception rules. To ensure that some signatures are never overridden, edit the signature and disable the Allow Client Rules options. You can track the client exceptions in the ePolicy Orchestrator console, viewing them in a regular and aggregated view. Use these client rules to create new policies or add them to existing policies that you can apply to other clients.
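How the reactions and exception rules described above combine, modelled as an added Python example (not McAfee code and not part of the original document). The signature IDs, client and process names are constructed, and the model assumes that disabling Allow Client Rules blocks only client-created exceptions.

```python
from dataclasses import dataclass
from enum import Enum


class Reaction(Enum):
    IGNORE = "ignore"    # event not logged, process not prevented
    LOG = "log"          # event logged, process not prevented
    PREVENT = "prevent"  # event logged, process prevented


@dataclass(frozen=True)
class Signature:
    sig_id: int                      # constructed identifier
    severity: str                    # "information" or "high" in this sample
    allow_client_rules: bool = True  # models the "Allow Client Rules" option


@dataclass(frozen=True)
class ExceptionRule:
    sig_id: int
    client: str
    process: str
    client_created: bool = False     # True when learned in Adaptive mode


# Sample policy from the text: Information -> log, High -> prevent.
SEVERITY_POLICY = {"information": Reaction.LOG, "high": Reaction.PREVENT}


def resolve(sig, client, process, exceptions, policy=SEVERITY_POLICY):
    """Return (reaction, reason) for one signature hit on one client."""
    for exc in exceptions:
        if (exc.sig_id, exc.client, exc.process) != (sig.sig_id, client, process):
            continue
        if exc.client_created and not sig.allow_client_rules:
            # Assumption: the option blocks only client-created rules.
            continue
        return Reaction.IGNORE, "exception"
    # Design choice of this example: unknown severities fail closed.
    return policy.get(sig.severity, Reaction.PREVENT), "severity policy"


def audit_client_rules(signatures, exceptions):
    """List client-created exceptions that target protected signatures."""
    protected = {s.sig_id for s in signatures if not s.allow_client_rules}
    return [e for e in exceptions if e.client_created and e.sig_id in protected]


# Constructed sample data.
SIGS = {
    1001: Signature(1001, "information"),
    2002: Signature(2002, "high"),
    3003: Signature(3003, "high", allow_client_rules=False),
}
EXCEPTIONS = [
    ExceptionRule(2002, "build-01", "compiler.exe"),                      # admin-created
    ExceptionRule(3003, "build-01", "updater.exe", client_created=True),  # Adaptive mode
]
```

Running `audit_client_rules` over exported client rules before promoting them into a shared policy shows which learned exceptions would have no effect on protected signatures.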

    Firewall feature

    The Host Intrusion Prevention Firewall feature acts as a filter between a computer and the network or Internet it is connected to. The Firewall Rules policy uses static packet filtering with top-down rule matching. When a packet is analyzed and matched to a firewall rule, with criteria such as IP address, port number, and packet type, the packet is allowed or blocked. If no matching rule is found, the packet is dropped. The current version of the Firewall Rules policy uses both stateful packet filtering and stateful packet inspection.

    Other features include:

    A Quarantine Mode into which client computers can be placed and to which you can apply a strict set of firewall rules that defines with whom quarantined clients can and cannot communicate.

    Connection Aware Groups that let you create specialized rule groups based on a specific connection type for each network adapter.


    Firewall rules

    You can create firewall rules as simple or complex as you need. Host Intrusion Prevention supports rules based on:

    Connection type (network or wireless).

    IP and non-IP protocols.

    Direction of the network traffic (incoming, outgoing, or both).

    Applications that generated the traffic.

    Service or port used by a computer (as the recipient or the sender).

    Service or port used by a remote computer (as the sender or the recipient).

    Source and destination IP addresses.

    Time of day or week that the packet was sent or received.


    10. Disaster Recovery

    -------------------------------------------------------------------------------------------------------------------------------

    Backup Procedure

    The standard backup / restore method is commonly used as a simple method of allowing for disaster recovery of ePolicy Orchestrator and database files.

    1 Stop the McAfee ePolicy Orchestrator 4.0 Server service and ensure that the SQL Server (MSSQLSERVER) service is running.

    2 Close all ePolicy Orchestrator consoles and remote consoles.

    NOTE: This tool cannot change the database location.

    3 Double-click DBBAK.EXE. If you are upgrading from version 4.0.x,

    4 Type the Database Server Name.

    5 Select NT Authentications or SQL Account.


    If you select SQL Account, type a user Name and Password for this database.

    6 Type the Backup File path, then click Backup.

    7 Click OK when the backup process is done.

    8 Start the McAfee ePolicy Orchestrator 4.0 Server service and ensure that the MSSQLSERVER

    service is running.

    Restore Procedure

    1 Stop the McAfee ePolicy Orchestrator 4.0 Server service and ensure that the SQL Server

    (MSSQLSERVER) service is running.

    2 Close all ePolicy Orchestrator consoles and remote consoles.

    NOTE: This tool cannot change the database location.

    3 Double-click DBBAK.EXE. If you are upgrading from version 3.0.x, the default location is:

    C:\PROGRAM FILES\NETWORK ASSOCIATES\EPO\3.0.X

    4 Type the Database Server Name.

    5 Select NT Authentications or SQL Account.

    If you select SQL Account, type a user Name and Password for this database.

    6 Type the Restore File path, and then click Restore.

    7 Click OK when the backup process is done.

    8 Start the McAfee ePolicy Orchestrator 4.0 Server service and ensure that the MSSQLSERVER

    service is running.


    Common Tasks

    Some of the common task information is available at below given URLs.

    McAfee Support Center: http://www.mcafee.com/us/enterprise/support/index.html

    Query about McAfee Products: http://knowledge.mcafee.com/

    McAfee online Support can be accessed at: http://mysupport.mcafee.com/eservice_enu

    McAfee Super-Dat can be downloaded from http://www.mcafee.com/us/enterprise/downloads/index.html