McAfee ePolicy Orchestrator 4.0
COPYRIGHT Copyright © 2007 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.
Introducing ePolicy Orchestrator 4.0

ePolicy Orchestrator 4.0 provides a scalable platform for centralized policy management and enforcement of your security products and the systems on which they reside. It also provides comprehensive reporting and product deployment capabilities, all through a single point of control.

Contents
ePolicy Orchestrator 4.0 components and what they do
Using this guide
Where to find McAfee enterprise product information

ePolicy Orchestrator 4.0 components and what they do
The ePolicy Orchestrator server can segment the user population into discrete groups for customized policy management. Each server can manage up to 250,000 systems.

The McAfee Agent
The agent is installed on the systems you intend to manage with ePolicy Orchestrator. While running silently in the background, the agent:
• Gathers information and events from managed systems and sends them to the ePolicy Orchestrator server.
6 Deploy software and updates — Once your update repositories and policy settings are created and configured, deploy the products, components, and updates to the desired systems with ePolicy Orchestrator.
7 Configure advanced features — Once your managed environment is up and running, you can configure and implement ePolicy Orchestrator’s advanced features, like Notifications, queries and dashboards.
Configuring ePolicy Orchestrator Servers

The ePO server is the center of your managed environment, providing a single location from which to administer system security throughout your network. If your organization is very large or divided into multiple large sites, consider installing a separate server at each site. This can reduce network traffic when managing agents, sending updates, and replicating to distributed repositories within a local LAN.
Contents
ePO user accounts
Working with the Event Log
Working with MyAvert Security Threats
Exporting tables and charts to other formats
Allowed Cron syntax when scheduling a server task

ePO user accounts
User accounts provide a means for users to access and use the software. They are associated with permission sets, which define what users are allowed to do with the software.
What happens when I install new products?
When a new product extension is installed, it may add one or more groups of permissions to the permission sets. For example, when you install a VirusScan Enterprise extension, a VirusScan Enterprise section is added to each permission set. Initially, the newly added section is listed in each permission set with no permissions yet granted.
• Repository Packages — Specifies whether any package can be checked in to any branch. Only agents later than version 3.6 can retrieve packages other than updates from branches other than Current.
• Security Keys — Specifies and manages the agent-server secure communication keys and repository keys.
• System Tree Sorting — Specifies whether and how System Tree sorting is enabled in your environment.
The Audit Log
Use the Audit Log to maintain and access a record of all ePO user actions. The Audit Log entries display in a sortable table. For added flexibility, you can also filter the log so that it only displays failed actions, or only entries that are within a certain age.

The Audit Log displays seven columns:
• Action — The name of the action the ePO user attempted.
• Completion Time — The time the action finished.
• Engine Version — Version number of the detecting product’s engine (if applicable).
• Event Category — Category of the event. Possible categories depend on the product.
• Event Generated Time (UTC) — Time in Coordinated Universal Time that the event was detected.
• Event ID — Unique identifier of the event.
• Event Received Time (UTC) — Time in Coordinated Universal Time that the event was received by the ePO server.
MyAvert Security Threats
The MyAvert Security Threats page informs you of the top ten medium-to-high-risk threats for corporate users. You no longer need to manually search for this information from the press (TV, radio, newspapers), informational web sites, mailing lists, or your peers. You are automatically notified of these threats from McAfee Avert.
2 Type the User name and Password of a valid account.
NOTE: Passwords are case-sensitive.
3 Select the Language you want the software to display.
4 Click Log On.

Logging off of ePO servers
Use this task to log off of ePO servers. Log off from the ePO server whenever you finish using the software.

Task
• To log off from the server, click Log Off at the top of any page, or close the browser.
4 Select whether to enable or disable the logon status of this account. If this account is for someone who is not yet a part of the organization, you may want to disable it.
5 Select whether the new account uses ePO authentication or Windows authentication, and provide the required credentials.
6 Optionally, provide the user’s full name, email address, phone number, and a description in the Notes text box.
Editing permission sets
Deleting permission sets

Creating permission sets for user accounts
Use this task to create a permission set.

Before you begin
You must be a global administrator to perform this task.

Task
For option definitions, click ? on the page displaying the options.
1 Go to Configuration | Permission Sets, then click New Permission Set.
Editing permission sets
Use this task to edit a permission set. Only global administrators can edit permission sets.

Task
For option definitions, click ? on the page displaying the options.
1 Go to Configuration | Permission Sets, then select the permission set you want to edit in the Permission Sets list. Its details appear to the right.
2 Click Edit next to any section from which you want to grant permissions.
1 Go to Configuration | Contacts, then click New Contact.
Figure 2: New Contact page
2 Type a first name, last name, and email address for the contact.
3 Click Save. The new contact appears on the Contacts page.

Editing contacts
Use this task to edit information in an existing entry on the Contacts page.

Task
For option definitions, click ? on the page displaying the options.
Specifying an email server
Use this task to specify an email server that ePolicy Orchestrator uses to send email messages.

Task
For option definitions, click ? on the page displaying the options.
1 Go to Configuration | Server Settings, then click Email Server in the Settings list.
2 Click Edit. The Edit Email Server page appears.
3 Type the SMTP server name and SMTP server port.
Before you begin
You must be a global administrator to perform this task.

Task
For option definitions, click ? on the page displaying the options.
1 Go to Configuration | Server Settings, select Event Filtering, then click Edit at the bottom of the page. The Edit Event Filtering page appears.
Figure 3: Edit Event Filtering page
2 Select the events you want the agent to forward to the server, then click Save.
Filtering the Server Task Log
Purging the Server Task Log

Viewing the Server Task Log
Use this task to review the status of server tasks and long-running actions. The status of each server task appears in the Status column:
• Completed — Task completed successfully.
• Failed — Task was started but did not complete successfully.
• In progress — Task has started but not finished.
2 Select the desired filter from the Filter drop-down list.

Purging the Server Task Log
As the Server Task Log grows, you can purge items older than a user-configurable number of days, weeks, months, or years.

Task
For option definitions, click ? on the page displaying the options.
1 Go to Reporting | Server Task Log, then click Purge.
2 In the Action panel, type a number of days, weeks, months, or years.
2 Click any of the column titles to sort the table by that column (alphabetically).
3 From the Filter drop-down list, select an option to narrow the amount of visible data. You can remove all but the failed actions, or only show actions that occurred within a selected amount of time.
4 Click any entry to view its details.
Figure 6: Audit Log Entry Details page

Purging the Audit Log
Use this task to purge the Audit Log.
3 Select Purge Audit Log from the drop-down list.
4 Select whether to purge by age or from a query’s results. If you purge by query, you must pick a query that results in a table of Audit Log entries.
5 Click Next. The Schedule page appears.
6 Schedule the task as needed, then click Next. The Summary page appears.
7 Review the task’s details, then click Save.
4 Click OK. Records older than the specified age are deleted permanently.

Purging the Event Log on a schedule
Use this task to purge the Event Log with a scheduled server task.

Before you begin
You must have appropriate permissions to perform this task.

Task
For option definitions, click ? on the page displaying the options.
1 Go to Automation | Server Tasks, then click New Task.
Configuring MyAvert update frequency and proxy settings
Use this task to configure proxy settings and the update frequency for MyAvert Security Threats.

Task
1 Go to Configuration | Server Settings, select MyAvert Security Threats, then click Edit.
2 Choose how often you want the MyAvert threat notifications updated.
3 Choose whether to use a proxy to access this service.
Exporting tables and charts to other formats
Use this task to export data for other purposes. You can export to HTML and PDF files for viewing, or to CSV or XML files for using and transforming the data in other applications.

Task
For option definitions, click ? on the page displaying the options.
1 From the page displaying the data (tables or charts), select Export Table or Export Data from the Options menu.
Allowed Cron syntax when scheduling a server task

Field Name         Allowed Values            Allowed Special Characters
Hours              0 - 23                    , - * /
Day of Month       1 - 31                    , - * ? / L W C
Month              1 - 12, or JAN - DEC      , - * /
Day of Week        1 - 7, or SUN - SAT       , - * ? / L C #
Year (optional)    Empty, or 1970 - 2099     , - * /

Notes on allowed special characters
• Commas (,) are allowed to specify additional values. For example, “5,10,30” or “MON,WED,FRI”.
• Asterisks (*) are used for “every”.
Organizing Systems for Management

ePolicy Orchestrator 4.0 provides some new features and improvements to existing features to organize and manage your systems.
• The Directory has been replaced by the System Tree — The System Tree allows for easy management of policies and tasks, and organization of systems and groups.
• Tags — This new feature allows you to create labels that can be applied to systems manually or automatically, based on criteria assigned to the tag.
Contents
The System Tree
Considerations when planning your System Tree
Tags and how they work
Active Directory and NT domain synchronization
Criteria-based sorting
How a system is first placed in the System Tree
Working with tags
Creating and populating groups
Moving systems manually within the System Tree

The System Tree
The System Tree organizes managed systems in units for monitoring, assigning policies, scheduling tasks, and taking actions.
• When a system is sorted into Lost&Found, it is placed in a subgroup named for the system’s domain. If no such group exists, one is created.
NOTE: If you delete systems from the System Tree, you also need to remove their agents. Otherwise, these systems continue to appear in the Lost&Found group because the agent continues to communicate with the server.
These questions impact both the System Tree organization and the permission sets you create and apply to user accounts.

Environmental borders and their impact on system organization
How you organize the systems for management depends on the borders that exist in your network. These borders influence the organization of the System Tree differently than the organization of your network topology.
If possible, consider using sorting criteria based on IP address information to automate System Tree creation and maintenance. Set IP subnet masks or IP address range criteria for applicable groups within the System Tree. These filters automatically populate locations with the appropriate systems.

Tags and systems with similar characteristics
You can use tags for automated sorting into groups. Tags identify systems with similar characteristics.
• Apply and remove existing tags to systems in the groups to which they have access.
• Exclude systems from receiving specific tags.
• Use queries to view and take actions on systems with certain tags.
• Use scheduled queries with chained tag actions to maintain tags on specific systems within the parts of the System Tree to which they have access.
• Delete systems from the System Tree when they are deleted from Active Directory.
• Allow or disallow duplicate entries of systems that already exist elsewhere in the System Tree.
3 Use the Synchronize Now action to import Active Directory systems (and possibly structure) into the System Tree according to the synchronization settings.
When to use this synchronization type
Use this synchronization type when you use Active Directory as a regular source of systems for ePolicy Orchestrator, but the organizational needs for security management do not coincide with the organization of containers and systems in Active Directory.

NT domain synchronization
Use your NT domains as a source for populating your System Tree.
(even ones with sorting disabled), clicking Move Systems places those systems in the location identified.

How settings affect sorting
You can choose three server settings that determine whether and when systems are sorted. Also, you can choose whether any system can be sorted by enabling or disabling System Tree sorting on selected systems in the System Tree.
Tag-based sorting criteria
In addition to using IP address information to sort systems into the appropriate group, you can define sorting criteria based on the tags assigned to systems. Tag-based criteria can be used with IP address-based criteria for sorting.
4 The server applies all criteria-based tags to the system if the server is configured to run sorting criteria at each agent-server communication.
5 What happens next depends on whether System Tree sorting is enabled on both the server and the system.
• If System Tree sorting is disabled on either the server or the system, the system is left where it is.
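To tie the sorting rules above together, here is an added Python model (not McAfee code) of what happens to one system at an agent-server communication: criteria-based tags are applied, sorting is skipped when it is disabled on the server or the system, the first group whose IP subnet, IP range or tag criteria match wins, and anything left over lands in a Lost&Found subgroup named for the system's domain. The group order, the rule that every criterion a group defines must match, and all names and addresses are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Tag:
    """A tag from the Tag Catalog; `criterion` is a function of the system,
    or None for a tag that can only be applied manually."""
    name: str
    criterion: object = None


@dataclass
class Group:
    """A System Tree group with optional IP subnet, IP range and tag criteria."""
    name: str
    subnets: tuple = ()          # e.g. ("10.1.0.0/16",)
    ip_ranges: tuple = ()        # e.g. (("192.168.5.10", "192.168.5.50"),)
    required_tags: frozenset = frozenset()


@dataclass
class System:
    name: str
    domain: str
    ip: str
    tags: set = field(default_factory=set)
    excluded_tags: set = field(default_factory=set)   # systems excluded from specific tags
    sorting_enabled: bool = True
    group: str = "Lost&Found"


def apply_criteria_tags(system, tags):
    """Step 4: every tag with criteria is evaluated against the system, except
    tags the system has been excluded from. Returns the tags now on the system."""
    for tag in tags:
        if tag.criterion is None or tag.name in system.excluded_tags:
            continue
        if tag.criterion(system):
            system.tags.add(tag.name)
    return system.tags


def ip_matches(group, ip):
    """True if the address falls in one of the group's subnets or address ranges."""
    addr = ipaddress.ip_address(ip)
    if any(addr in ipaddress.ip_network(net) for net in group.subnets):
        return True
    return any(ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi)
               for lo, hi in group.ip_ranges)


def group_matches(group, system):
    """Assumption: each kind of criterion the group defines must match, and a
    group with no criteria never captures systems by sorting."""
    has_ip = bool(group.subnets or group.ip_ranges)
    has_tags = bool(group.required_tags)
    if not (has_ip or has_tags):
        return False
    if has_ip and not ip_matches(group, system.ip):
        return False
    if has_tags and not group.required_tags <= system.tags:
        return False
    return True


def sort_system(system, groups, tags, server_sorting_enabled, run_criteria_at_asci=True):
    """Return the group the system is in after one agent-server communication."""
    if run_criteria_at_asci:
        apply_criteria_tags(system, tags)
    # Step 5: sorting happens only if it is enabled on both the server and the system.
    if not (server_sorting_enabled and system.sorting_enabled):
        return system.group
    for group in groups:                      # assumption: tried in the order given
        if group_matches(group, system):
            system.group = group.name
            return system.group
    # Nothing matched: Lost&Found, in a subgroup named for the system's domain
    # (the product creates that subgroup on demand).
    system.group = f"Lost&Found/{system.domain}"
    return system.group


# Constructed sample data (not from the guide).
TAGS = [Tag("Server", lambda s: s.name.upper().startswith("SRV"))]
GROUPS = [
    Group("Sites/Paris", subnets=("10.1.0.0/16",)),
    Group("Servers", required_tags=frozenset({"Server"})),
    Group("Sites/Lab", ip_ranges=(("192.168.5.10", "192.168.5.50"),)),
]

if __name__ == "__main__":
    for sys_ in (System("ws01", "CORP", "10.1.2.3"),
                 System("srv01", "CORP", "172.16.0.5"),
                 System("ws99", "CORP", "172.16.9.9")):
        print(sys_.name, "->", sort_system(sys_, GROUPS, TAGS, server_sorting_enabled=True))
```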
Creating tags with the Tag Builder
Use this task to create a tag with the Tag Builder wizard. Tags can use criteria that are evaluated against every system:
• Automatically at agent-server communication.
• When the Run Tag Criteria action is taken.
• Manually on selected systems, regardless of criteria, with the Apply Tag action.
Tags without criteria can only be applied manually to selected systems.
b Next to Systems with tag in the details pane, click the link for the number of systems excluded from automatic tagging. The Systems Excluded from the Tag page appears.
c Verify the desired systems are in the list.

Applying tags to selected systems
Use this task to apply a tag manually to selected systems in the System Tree.

Task
For option definitions, click ? on the page displaying the options.
a Go to Systems | Tag Catalog, then select the desired tag in the list of tags.
b Next to Systems with tag in the details pane, click the link for the number of systems with tag applied by criteria. The Systems with Tag Applied by Criteria page appears.
c Verify the desired systems are in the list. The tag is applied to all systems that match its criteria.
does not make sense for security management, you can create your System Tree in a text file and import it into your System Tree. If you have a smaller network, you can create your System Tree by hand and import each system manually.

Best practices
While you won’t use all of the System Tree creation methods, you also probably won’t use just one.
Task
For option definitions, click ? on the page displaying the options.
1 Go to Systems | System Tree | Group, then select the desired group in the System Tree under which to create another group.
2 Click New Subgroup at the bottom of the page. The New Subgroup dialog box appears.
3 Type the desired name, then click OK. The new group appears in the System Tree.
a Select the agent version to deploy.
b Select whether to suppress the agent installation user interface on the system. Select this if you do not want the end-user to see the installation interface.
c Configure the agent installation path or accept the default.
d Type valid credentials to install the agent.
6 Click OK.
Task
For option definitions, click ? on the page displaying the options.
1 Go to Systems | System Tree, then click New Systems. The New Systems page appears.
2 Select Import systems from a text file into the selected group, but do not deploy agents.
3 Click Browse, then select the text file.
4 Select what to do with systems that already exist elsewhere in the System Tree.
5 Click OK.
Enabling System Tree sorting on the server
Use this task to enable System Tree sorting on the server. System Tree sorting must be enabled on the server and the desired systems for systems to be sorted.

Task
For option definitions, click ? on the page displaying the options.
1 Go to Configuration | Server Settings, select System Tree Sorting in the Setting Categories list, then click Edit.
Task
For option definitions, click ? on the page displaying the options.
1 Go to Systems | System Tree | Systems, then select the group that contains the desired systems.
2 Select the systems, then click Sort Now. You may have to click More Actions to access this option. The Sort Now dialog box appears.
NOTE: If you want to preview the results of the sort before sorting, click Test Sort instead.
1 Go to Systems | System Tree | Group, then select the desired group in the System Tree. This should be the group to which you want to map an Active Directory container.
NOTE: You cannot synchronize the My Organization or Lost&Found groups of the System Tree.
Figure 13: Synchronization Settings page
2 Next to Synchronization type, click Edit. The Synchronization Settings page for the selected group appears.
10 Select whether to deploy agents automatically to new systems. If you do, be sure to configure the deployment settings.
TIP: McAfee recommends that you do not deploy the agent during the initial import if the container is large. Deploying the 3.62 MB agent package to many systems at once may cause network traffic issues. Instead, import the container, then deploy the agent to groups of systems at a time, rather than all at once.
Task
For option definitions, click ? on the page displaying the options.
1 Go to Systems | System Tree | Group, then select or create a group in the System Tree.
2 Next to Synchronization type, click Edit. The Synchronization Settings page for the selected group appears.
Figure 14: Synchronization Settings page
3 Next to Synchronization type, select NT Domain. The domain synchronization settings appear.
8 To synchronize the group with the domain immediately, click Synchronize Now, then wait while the systems in the domain are added to the group.
NOTE: Clicking Synchronize Now saves changes to the synchronization settings before synchronizing the group. If you have an NT domain synchronization notification rule enabled, an event is generated for each system added or removed. (These events appear in the Notifications Log and are queryable.)
2 Name the task and choose whether it is enabled once it is created, then click Next. The Actions page appears.
3 From the drop-down list, select NT Domain/Active Directory Synchronization.
4 Select whether to synchronize all groups or selected groups. If you are synchronizing only some synchronized groups, click Select Synchronized Groups and select specific ones.
5 Click Next. The Schedule page appears.
2 Click Move Systems. The Select New Group page appears.
NOTE: You may need to click More Actions to access this action.
3 Select whether to enable or disable System Tree sorting on the selected systems when they are moved.
4 Select the group in which to place the systems, then click OK.
Distributing Agents to Manage Systems

Managing your network systems effectively is dependent on each system running an active, up-to-date agent. There are several methods to distribute the agent. The ones you use depend on:
• The realities of your environment.
• Whether you are upgrading agents or distributing them for the first time.
Agents and SuperAgents
The agent is the distributed component of ePolicy Orchestrator that must be installed on each system in your network that you want to manage. A SuperAgent is an agent that is enabled to broadcast wake-up calls by network broadcast segment. SuperAgents can also be used as a repository from which to distribute products and updates.
The agent installation package
The FRAMEPKG.EXE file is created when you install the server. It is a customized installation package for agents that report to your server. The package contains the server name, its IP address, ASCI port number, and other information that allows the agent to communicate with the server.
Network Size      Recommended ASCI
Wireless LAN      150 minutes

NOTE: For complete information on balancing bandwidth, server hardware, and ASCI determination, see the ePolicy Orchestrator 4.0 Hardware Sizing and Bandwidth Usage Guide.

Agent-initiated after agent startup
After the installation, and after the agent service is stopped and restarted, the agent calls into the server at a randomized interval within ten minutes.
networks where ePolicy Orchestrator may manage agents in remote sites over lower-speed WAN or VPN connections.
Figure 15: SuperAgent and Broadcast Wake-Up Calls
1 Server sends a wake-up call to all SuperAgents.
2 SuperAgents send a broadcast wake-up call to all agents in the same broadcast segment.
3 All agents (regular agents and SuperAgents) exchange data with the server.
Agent activity logs
The agent log files are useful for determining agent status or troubleshooting. Two log files record agent activity; both are located in the agent installation folders on the managed system.

Agent activity log
The agent activity log is an XML file named agent_<system>.xml, where <system> is the NetBIOS name of the system on which the agent is installed.
use Notifications, enabling immediate uploading of higher severity events is necessary for those features to function as intended. You can enable immediate uploading of events on the Events tab of the McAfee Agent policy pages.

Full and minimal properties
The agent sends information from the managed system to the server at each agent-server communication, allowing you to view the properties of individual systems from ePolicy Orchestrator.
Agent policy and distributed repositories
By default, the agent can update from any repository in its repository list file (SITELIST.XML). The agent can use a network ICMP ping command or the repository’s subnet address to determine the distributed repository with the fastest response time out of the top five repositories in the list. Usually, this is the distributed repository that is closest to the system on the network.
Master repository key pair
The master repository private key signs all unsigned content in the master repository. These keys are in anticipation of the McAfee Agent 4.0. Agents version 4.0 or later use the public key to verify the repository content originating from the master repository on this ePO server.
Distributing Agents to Manage Systems Creating custom agent installation packages Method Advantages Disadvantages Including the agent on an Prevents the bandwidth impact that other If you do not use images consistently, this image forms of distribution can cause. Reduces method would not be efficient to ensure the overhead by integrating the task into coverage. another. Enabling the agent on unmanaged McAfee products Saves significant bandwidth and time.
Distributing Agents to Manage Systems Distributing agents Including the agent on an image Using other deployment products Distributing the agent to WebShield appliances and Novell NetWare servers Deploying the agent with ePolicy Orchestrator Use this task to deploy agents to your systems with ePolicy Orchestrator. This method uses Windows NT push technology. This method is recommended if large segments of your System Tree are already populated.
Distributing Agents to Manage Systems Distributing agents • Ensure network access is enabled on Windows XP Home systems. Deploy the agent from ePolicy Orchestrator or install a custom agent installation package on systems running Windows XP Home, you must enable network access.
Distributing Agents to Manage Systems Distributing agents Installing the agent with login scripts Use this task to set up and use network login scripts to install the agent on systems logging on to the network. Using network login scripts is a reliable method to make sure that every system logging on to your network is running an agent. You can create a login script to call a batch file that checks if the agent is installed on systems attempting to log onto the network.
Distributing Agents to Manage Systems Distributing agents Below is a sample batch file that checks whether the agent is installed and, if it is not, runs the FRAMEPKG.EXE to install the agent. IF EXIST “C:\Windows\System32\ePOAgent\NAIMAS32.EXE” \\\\UPDATE$\FRAMEPKG.EXE /FORCEINSTALL /INSTALL=AGENT IF EXIST “C:\ePOAgent\FRAMEWORKSERVICE.EXE” GOTO END_BATCH \\MyServer\Agent\UPDATE$\FRAMEPKG.
Enabling the agent on unmanaged McAfee products
Use this task to enable agents on existing McAfee products in your environment. Before purchasing ePolicy Orchestrator, you may already have been using McAfee Enterprise products in your network. Some of the more recent McAfee products that use the AutoUpdate updater, such as VirusScan Enterprise, install with the agent in a disabled state.
Forcing the agent to call in to the server
For instructions, see the documentation for your preferred image-creation product.
Using other deployment products
You may already use other network deployment products to deploy software. You can use many of these tools, such as Microsoft Systems Management Server (SMS), IBM Tivoli, or Novell ZENworks, to deploy agents. Configure your deployment tool of choice to distribute the FRAMEPKG.
Upgrading existing agents
If you have been using an older version of ePolicy Orchestrator and have previous agent versions in your environment, you can upgrade those agents once you have installed your ePO server. The procedure for upgrading the agent depends on which previous agent version is running on your managed systems. NOTE: Some previous agent versions are not fully functional in ePolicy Orchestrator 4.0. For full agent functionality, upgrade to agent version 3.
Removing the agent
5 Select the agent version from the drop-down list. 6 Select Install from the Action drop-down list. 7 Add any command-line options. 8 Select whether to run the task at each policy enforcement interval. 9 Select whether to run an update task after successful deployments, then click Next. 10 Schedule the task as needed, then click Next. The Summary page appears. 11 Verify the task's details, then click Save.
Maintaining the agent
Removing agents when deleting groups from the System Tree
Use this task to remove agents from all systems in a group that you are deleting from the System Tree. CAUTION: When you delete a group, all child groups and systems are also deleted. If you select the Remove agents from all systems checkbox when deleting systems, ePolicy Orchestrator removes the agents from all child systems.
Sending manual wake-up calls to systems
Use this task to manually send an agent or SuperAgent wake-up call to systems in the System Tree. This is useful when you make policy changes and you want agents to call in for an update. Before you begin Before sending the agent wake-up call to systems, make sure that wake-up support for the systems' groups is enabled and applied on the General tab of the McAfee Agent policy pages (enabled by default).
Before you begin Before sending the agent wake-up call to such a group, make sure that wake-up support for the group is enabled and applied on the General tab of the McAfee Agent policy pages (enabled by default). Task For option definitions, click ? on the page displaying the options. 1 Go to Systems | System Tree | Groups, then select the group under System Tree. 2 Click Wake Up Agents. The Wake Up McAfee Agent page appears.
Viewing the agent activity log
Use these tasks to view the agent activity log. The agent activity log records an agent's activity. The amount of detail depends on the policy settings you selected on the Logging tab of the McAfee Agent policy pages. These log files can be viewed from the managed system or from the console.
Task For option definitions, click ? on the page displaying the options. 1 Go to Systems | System Tree | Systems, then select the system. 2 Click the system in the list. Properties for the system, installed products, and the agent appear.
Running agent tasks from the managed system
Use these tasks to perform selected tasks from the system where the agent is installed.
Task 1 Right-click the McAfee tray icon at the managed system, then select McAfee Agent | Status Monitor. The Agent Status Monitor appears. 2 Click Collect and Send Props.
Sending events to the ePO server immediately
Use this task to send events to the server immediately from the managed system. Task 1 Right-click the McAfee tray icon at the managed system, then select McAfee Agent | Status Monitor. The Agent Status Monitor appears.
Viewing agent and product version numbers
Use this procedure to look up the agent and product version numbers from the managed system. This is useful for troubleshooting when installing new agent versions, or for confirming that the installed agent is the same version as the one displayed in the agent properties on the server. Task 1 Right-click the McAfee tray icon. 2 Select McAfee Agent | About.
1 Export the desired ASSC keys from the desired ePO server. 2 Import the ASSC keys to all other servers. 3 Make the imported key the master on all servers. 4 Run an agent update task so that all agents begin using the keys immediately. 5 When all agents are using the new keys, delete any unused keys. 6 Back up all keys.
1 Go to Configuration | Server Settings, then select Security Keys in the Setting Categories list. 2 In the details pane, click Edit. 3 In the Agent-server secure communication keys list, select the desired key, then click Export. The Export Agent-Server Communication Keys dialog box appears. 4 Click OK. The File Download dialog box appears. 5 Click Save, then browse to a location to save the ZIP file.
4 Back up all keys.
Deleting ASSC keys
Use this task to delete unused ASSC keys in the Agent-server secure communication keys list. CAUTION: Do not delete any keys that are currently in use by any agents; otherwise those agents are not able to communicate with the server. Task For option definitions, click ? on the page displaying the options.
2 Next to Local master repository key pair, click Export Key Pair. The Export Master Repository Key Pair dialog box appears. 3 Click OK. The File Download dialog box appears. 4 Click Save. The Save As dialog box appears. 5 Browse to the location to which to save the ZIP file containing the SC key files; this should be a location accessible by the other servers. Then click Save.
Backing up and restoring security keys
Use these tasks to back up and restore the security keys. McAfee recommends periodically backing up all of the security keys and storing them in a secure network location so that they can be restored easily in the unexpected event that any are lost from the ePO server. NOTE: McAfee recommends backing up all keys before making any changes to the key management settings.
Agent command-line options
Use the Command Agent (CMDAGENT.EXE) tool to perform selected agent tasks from the managed system. CMDAGENT.EXE is installed on the managed system at the time of agent installation. Perform this task locally on managed systems using this program or the McAfee tray icon. The CMDAGENT.EXE file is located in the agent installation folder.
Agent installation command-line options
Sample (from the preceding table row): FRAMEPKG /INSTALL=AGENT /FORCEINSTALL /INSTDIR=c:\newagentdirectory
Command: /INSTALL=AGENT. Description: Installs and enables the agent. Sample: FRAMEPKG /INSTALL=AGENT
Command: /INSTALL=UPDATER. Description: Enables the AutoUpdate 7.0 component if it has already been installed, and does NOT change whether the agent is enabled.
This command-line option upgrades the agent.
Creating Repositories Security software is only as effective as the latest installed updates. For example, if your DAT files are out-of-date, even the best anti-virus software cannot detect new threats. It is critical that you develop a robust updating strategy to keep your security software as current as possible. ePolicy Orchestrator software’s repository architecture offers flexibility to ensure deploying and updating software is as easy and automated as your environment allows.
Repository types and what they do
The master repository is configured when installed. However, you must ensure that proxy server settings are configured correctly. By default, ePolicy Orchestrator uses Microsoft Internet Explorer proxy settings.
Distributed repositories
Distributed repositories host copies of your master repository's contents.
If managed systems use a proxy server to access the Internet, you must configure agent policy settings for those systems to use proxy servers when accessing this fallback site.
Types of distributed repositories
ePolicy Orchestrator supports four types of distributed repositories. Consider your environment and needs when determining which type of distributed repository to use.
Once the distributed repository is created, use ePolicy Orchestrator to configure managed systems of a specific System Tree group to update from it. TIP: McAfee recommends that you manage all distributed repositories through ePolicy Orchestrator. This, combined with global updating or frequently scheduled replication tasks, ensures your managed environment is up-to-date.
How repositories work together
If needed, you can export the repository list to external files (SITELIST.XML or SITEMGR.XML). Use an exported SITELIST.XML file to: • Import to an agent at installation. • Import the repository list from a previous installation of ePolicy Orchestrator or from another McAfee product. Use an exported SITEMGR.XML file to: • Back up and restore your distributed repositories and source sites if you need to reinstall the server.
Ensuring access to the source site
Use these tasks to ensure the master repository and managed systems can access the Internet when using the McAfeeHttp and McAfeeFtp sites as source and fallback sites. McAfee recommends using the Internet Explorer proxy server settings. You can also configure proxy server settings from the console.
6 Type proxy information into the appropriate fields. To use the default source and fallback sites, enter the information for HTTP and FTP. 7 Select Use the same proxy for all protocols so that both FTP and HTTP correctly use the proxy. 8 Click OK to close the Proxy Settings dialog box. 9 Select the Bypass proxy for local addresses option. 10 Click OK to close the LAN Settings dialog box. 11 Click OK to close the Internet Options dialog box.
Working with source and fallback sites
If your server does not need a proxy to access the Internet, select Don't use proxy settings, then click OK. 3 Next to Proxy authentication, configure the settings as appropriate, depending on whether you pull updates from HTTP repositories, FTP repositories, or both. 4 Next to Proxy server, select whether to use one proxy server for all communication, or different proxy servers for HTTP and FTP.
1 Go to Software | Source sites. A list of all sites that can be used as the source or fallback appears. Figure 20: Source Sites tab 2 Locate the site in the list that you want to be the fallback, then click Enable Fallback next to it.
Creating source sites
Use this task to create a new source site. Before you begin You must have appropriate permissions to perform this task.
Using SuperAgents as distributed repositories
Editing source and fallback sites
Use this task to edit the settings of source or fallback sites, such as URL address, port number, and download authentication credentials. Before you begin You must have appropriate permissions to perform this task. Task For option definitions, click ? on the page displaying the options. 1 Go to Software | Source Sites. A list of all sites that can be used as the source or fallback appears.
Deleting SuperAgent distributed repositories
Creating SuperAgent repositories
Use this task to create a SuperAgent repository. The desired system must have an ePO agent installed and running. McAfee recommends using SuperAgent repositories with global updating. This task assumes that you know where the desired systems are located in the System Tree.
Creating and configuring FTP, HTTP, and UNC repositories
1 Go to Software | Distributed Repositories. A list of all distributed repositories appears. 2 Locate the desired SuperAgent repository, then click Edit Package Types under Actions. 3 Select package types as needed. NOTE: Ensure that all packages required by any managed system using this repository are selected.
Creating a folder location on an FTP, HTTP server or UNC share
Use this task to create the folder that hosts repository contents on the distributed repository system. Task • For UNC share repositories, create the folder on the system and enable sharing. • For FTP or HTTP repositories, use your existing FTP or HTTP server software, such as Microsoft Internet Information Services (IIS), to create a new folder and site location.
If credentials are incorrect, check: • The user name and password. • The URL or path on the previous panel of the wizard. • The HTTP, FTP or UNC site on the system. 6 Enter Replication credentials. The server uses these credentials when it replicates DAT files, engine files, or other product updates from the master repository to the distributed repository.
Working with the repository list files
Editing distributed repositories
Use this task to edit a distributed repository. Task For option definitions, click ? on the page displaying the options. 1 Go to Software | Distributed Repositories, then select Edit Settings next to the desired repository. The Distributed Repository Builder wizard opens with the details of the distributed repository. 2 Change configuration, authentication, and package selection options as needed.
Before you begin You must have appropriate permissions to perform this task. Task For option definitions, click ? on the page displaying the options. 1 Go to Software | Master Repository, then click Export Sitelist. The File Download dialog box appears. 2 Click Save. The Save As dialog box appears. 3 Browse to the location to save the SITELIST.XML file, then click Save.
Changing credentials on multiple distributed repositories
Before you begin You must have appropriate permissions to perform this task. Task For option definitions, click ? on the page displaying the options. 1 Go to Software | Distributed Repositories, then click Import Repositories. The Import Repositories dialog box appears. 2 Browse to and select the exported SITEMGR.XML file. The Import Repositories page appears.
2 Select the type of distributed repository for which you want to change credentials, then click Next. The Repository Selection page appears. 3 Select the desired distributed repositories, then click Next. The Credentials page appears. 4 Edit the credentials as needed, then click Next. The Summary page appears. 5 Review the information, then click Save.
Managing Products with Policies and Client Tasks Managing products from a single location is a central feature of ePolicy Orchestrator and is accomplished through the combination of product policies and client tasks. Policies ensure a product’s features are configured correctly, while client tasks are the scheduled actions that run on the managed systems hosting any client-side software.
Policy management
• Policy pages. • Server tasks. • Client tasks. • Default queries. • New result types, chart types, and properties to select with the Query Builder wizard. • Default Dashboards and dashboard monitors. • Feature permissions that can be assigned to user accounts. • Additional product-specific functionalities.
Where extension files are located
Some extensions are installed automatically when ePolicy Orchestrator is installed.
Policy application
Setting policy enforcement
For each managed product or component, choose whether the agent enforces all or none of its policy selections for that product or component. From the Policies page, choose whether to enforce policies for products or components on the selected group. In the Policy Catalog page, you can view assignments, per policy, where the policy is applied but not enforced.
Client tasks and what they do
When you assign a new policy to a particular group of the System Tree, all child groups and systems that are set to inherit the policy from this assignment point do so.
Assignment locking
You can lock the assignment of a policy on any group or system (provided you have the appropriate permissions).
Bringing products under management
Use this task to install an extension (ZIP) file. A product's extension must be installed before ePolicy Orchestrator can manage the product. Before you begin You must have appropriate permissions to perform this task. Task For option definitions, click ? on the page displaying the options. 1 Ensure the extension file is in an accessible location on the network.
Viewing policy information
1 Go to Systems | Policy Catalog, then select the desired Product and Category. All created policies for that category appear in the details pane. Figure 22: Policy Catalog page 2 Under Assignments on the row of the desired policy, click the blue text that indicates the number of groups or systems where the policy is assigned (for example, 6 assignments).
2 Click the blue text next to Product enforcement status, which indicates the number of assignments where enforcement is disabled, if any. The Enforcement page appears. 3 Click any item in the list to go to its Policies page.
Viewing policies assigned to a group
Use this task to view the policies assigned to a group. Task For option definitions, click ? on the page displaying the options.
Working with the Policy Catalog
1 Go to Systems | System Tree | Policies. All assigned policies, organized by product, appear in the details pane. 2 The desired policy row, under Broken Inheritance, displays the number of groups and systems where this policy's inheritance is broken. NOTE: This is the number of groups or systems where the policy inheritance is broken, not the number of systems that do not inherit the policy.
2 Click New Policy at the bottom of the page. The Create New Policy dialog box appears. 3 Select the policy you want to duplicate from the Create a policy based on this existing policy drop-down list. 4 Type a name for the new policy in the New policy name field, then click OK. The Policy Settings dialog box appears for the new policy. 5 Edit the policy settings on each tab as needed. 6 Click Save.
Working with policies
1 Go to Systems | Policy Catalog, then select the Product and Category from the drop-down lists. All created policies for that category appear in the details pane. 2 Locate the desired policy, then click Rename in the desired policy's row. The Rename Policy dialog box appears. 3 Type a new name for the existing policy, then click OK.
1 Go to Systems | Policy Catalog, then select the Product and Category. All created policies for that category appear in the details pane. 2 Locate the desired policy, then click the Owner of the policy. The Assign Policy Owner dialog box appears. 3 Select the desired owners of the policy from the list, then click OK.
Sharing policies between ePO servers
Use these tasks to share policies between servers.
Importing policies
Use this task to import a policy XML file. Regardless of whether you exported a single policy or all named policies, the import procedure is the same. Task For option definitions, click ? on the page displaying the options. 1 Go to Systems | Policy Catalog, then click Import next to Product policies at the top of the page. 2 Browse to and select the desired policy XML file, then click OK.
4 Locate the desired policy category, then click Edit Assignment. 5 If the policy is inherited, select Break inheritance and assign the policy and settings below next to Inherited from. 6 Select the desired policy from the Assigned policy drop-down list. NOTE: From this location, you can also edit the selected policy's settings, or create a new policy. 7 Choose whether to lock policy inheritance. 8 Click Save.
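The assignment rules spelled out above (a policy assigned to a group applies to every child set to inherit it, a child can break inheritance, an assignment can be locked, and the Broken Inheritance figure counts groups or systems with their own assignment rather than the systems affected) are easier to reason about with a small model. The following is an added example and not ePolicy Orchestrator code: the tree, the policy names and the lock semantics (a locked assignment refuses any break of inheritance below it) are assumptions made here for illustration.

```python
"""Effective-policy resolution in a System Tree (added example, not ePO code).

Constructed model: a Node is a group or a system for one policy category.
A node with its own assignment is an assignment point; nodes without one
inherit from the nearest assignment point above them. The lock rule below
(a locked assignment cannot be overridden beneath it) is an assumption.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional


@dataclass
class Node:
    name: str
    is_system: bool = False
    assigned: Optional[str] = None      # own assignment, or None to inherit
    locked: bool = False                # assumed: children may not break inheritance
    parent: Optional["Node"] = None
    children: List["Node"] = field(default_factory=list)

    def add(self, child: "Node") -> "Node":
        child.parent = self
        self.children.append(child)
        return child


def effective_policy(node: Node) -> str:
    """Walk upward to the nearest assignment point."""
    cur: Optional[Node] = node
    while cur is not None:
        if cur.assigned is not None:
            return cur.assigned
        cur = cur.parent
    raise ValueError(f"no assignment above {node.name}")


def locked_above(node: Node) -> bool:
    """True when an ancestor carries a locked assignment."""
    cur = node.parent
    while cur is not None:
        if cur.assigned is not None and cur.locked:
            return True
        cur = cur.parent
    return False


def break_inheritance(node: Node, policy: str, lock: bool = False) -> bool:
    """Give the node its own assignment unless a locked assignment above forbids it."""
    if locked_above(node):
        return False
    node.assigned = policy
    node.locked = lock
    return True


def _descendants(node: Node) -> Iterator[Node]:
    stack = list(node.children)
    while stack:
        n = stack.pop()
        yield n
        stack.extend(n.children)


def broken_inheritance_count(assignment_point: Node) -> int:
    """The Broken Inheritance column: descendants that carry their own assignment."""
    return sum(1 for n in _descendants(assignment_point) if n.assigned is not None)


def systems_not_inheriting(assignment_point: Node) -> List[str]:
    """Systems whose effective policy differs from the assignment point's policy."""
    top = effective_policy(assignment_point)
    return sorted(n.name for n in _descendants(assignment_point)
                  if n.is_system and effective_policy(n) != top)


def build_sample_tree() -> Dict[str, Node]:
    """Constructed tree: My Organization > Sales, Lab; Lab has broken inheritance."""
    root = Node("My Organization", assigned="My Default")
    sales = root.add(Node("Sales"))
    lab = root.add(Node("Lab", assigned="Lab Policy"))
    nodes = {"root": root, "sales": sales, "lab": lab}
    nodes["sales-01"] = sales.add(Node("sales-01", is_system=True))
    nodes["lab-01"] = lab.add(Node("lab-01", is_system=True))
    nodes["lab-02"] = lab.add(Node("lab-02", is_system=True))
    return nodes


if __name__ == "__main__":
    t = build_sample_tree()
    print(effective_policy(t["sales-01"]), effective_policy(t["lab-02"]))
    print(broken_inheritance_count(t["root"]), systems_not_inheriting(t["root"]))
```

In the sample tree the root policy shows one broken inheritance (the Lab group) while two systems end up outside it, which is the distinction the NOTE above makes.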
Task For option definitions, click ? on the page displaying the options. 1 Go to Systems | System Tree | Systems, then select the group under System Tree to which the system belongs. The list of systems belonging to this group appears in the details pane. 2 Select the desired system, then click Modify Policies on a Single System. The Policy Assignment page appears.
Working with client tasks
2 Select the desired system, then click Modify Policies on a Single System. 3 Click Copy Assignments, select the desired products or features for which you want to copy policy assignments, then click OK.
Pasting policy assignments to a group
Use this task to paste policy assignments to a group. You must have already copied policy assignments from a group or system.
Creating and scheduling client tasks
Use this task to create and schedule a client task. The process is similar for all client tasks. Task For option definitions, click ? on the page displaying the options. 1 Go to Systems | System Tree | Client Tasks, select the desired group in the System Tree, then click New Task.
Frequently asked questions
What is a policy? A policy is a customized subset of product settings corresponding to a policy category. You can create, modify, or delete as many named policies as needed for each policy category. What are the McAfee Default and My Default policies? Upon installation, each policy category contains at least two policies. These are named McAfee Default and My Default.
Deploying Software and Updates In addition to managing security products, ePolicy Orchestrator can deploy products to your network systems. Use ePolicy Orchestrator to deploy products and their updates. If you plan to deploy security products and updates with a tool other than ePolicy Orchestrator, skip this section. Are you deploying packages for the first time? When deploying packages for the first time: 1 Understand product deployment and the types of packages that ePolicy Orchestrator can deploy.
Deployment packages for products and updates
Each McAfee product that ePolicy Orchestrator can deploy provides a product deployment package ZIP file. ePolicy Orchestrator can deploy these packages to any of your managed systems once they are checked in to the master repository. The ZIP file contains the product installation files, which are compressed in a secure format. ZIP files are used for both detection definition (DAT) and engine update packages.
Product and update deployment
Package type / Description / Origination
packages into the master repository manually.
Package signing and security
All packages created and distributed by McAfee are signed with a key pair using the DSA (Digital Signature Algorithm) signature verification system, and are encrypted using 168-bit 3DES encryption. A key is used to encrypt or decrypt sensitive data. You are notified when you check in packages that are not signed by McAfee.
Product deployment packages: If not implementing global updating for product deployment, a deployment task must be configured and scheduled for managed systems to retrieve the package.
Update packages: If not implementing global updating for product updating, an update client task must be configured and scheduled for managed systems to retrieve the package.
If you are using global updating, this task is unnecessary, although you can create a daily task for redundancy.
Considerations when creating update client tasks
Consider the following when scheduling client update tasks: • Create an Update client task to update DAT and engine files daily at the highest level of the System Tree that is inherited by all systems.
Requirements
These requirements must be met to implement global updating: • A SuperAgent must use the same agent-server secure communication key as the agents that receive its wake-up call. • A SuperAgent is installed on each broadcast segment. Managed systems cannot receive a SuperAgent wake-up call if there is no SuperAgent on the same broadcast segment.
Replication tasks
Use replication tasks to copy the contents of the master repository to distributed repositories. Unless you have replicated master repository contents to all your distributed repositories, some systems do not receive them. Ensure all your distributed repositories are up-to-date.
Checking in packages manually
How agents select repositories
By default, agents can attempt to update from any repository in the repository list file. The agent can use a network ICMP ping or subnet address compare algorithm to find the distributed repository with the quickest response time. Usually, this is the distributed repository closest to the system on the network.
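Both this passage and the earlier "Agent policy and distributed repositories" passage describe the same selection rule: only the top five entries of the agent's repository list are candidates, and the fastest is chosen by subnet comparison or by ICMP ping time. The following is an added example, not McAfee Agent code. The repository list shape, the subnet rule (a repository on the agent's own subnet wins, otherwise list order is kept), and the table of round-trip times that stands in for real ICMP replies are all constructed here; the SITELIST.XML schema is not reproduced.

```python
"""Agent repository selection, modelled on the text (added example, not McAfee code).

Assumptions: a repository list is an ordered list of (name, IPv4 address)
tuples; only the first five are considered; the subnet method prefers a
repository inside the agent's own subnet and otherwise keeps list order;
the ping method takes the lowest round-trip time and skips repositories
that did not answer.
"""
from ipaddress import IPv4Address, IPv4Network
from typing import Callable, Dict, List, Optional, Tuple

Repository = Tuple[str, str]   # (repository name, IPv4 address) -- constructed shape
TOP_N = 5                      # the agent only considers the top five list entries


def candidates(repo_list: List[Repository]) -> List[Repository]:
    return repo_list[:TOP_N]


def select_by_subnet(repo_list: List[Repository], agent_ip: str, prefix_len: int) -> Optional[str]:
    """Prefer a candidate on the agent's subnet; otherwise fall back to list order."""
    subnet = IPv4Network(f"{agent_ip}/{prefix_len}", strict=False)
    cands = candidates(repo_list)
    for name, addr in cands:
        if IPv4Address(addr) in subnet:
            return name
    return cands[0][0] if cands else None


def select_by_ping(repo_list: List[Repository],
                   ping: Callable[[str], Optional[float]]) -> Optional[str]:
    """Pick the candidate with the lowest round-trip time; None means nothing answered."""
    best: Optional[Tuple[float, str]] = None
    for name, addr in candidates(repo_list):
        rtt = ping(addr)
        if rtt is None:            # no ICMP reply: not a usable repository
            continue
        if best is None or rtt < best[0]:
            best = (rtt, name)
    return best[1] if best else None


# Constructed repository list in list order: master first, then distributed repositories.
SAMPLE_LIST: List[Repository] = [
    ("ePO master", "10.0.0.5"),
    ("Dist-HQ", "10.1.2.20"),
    ("Dist-Branch-A", "10.1.3.7"),
    ("Dist-Branch-B", "10.1.4.9"),
    ("Dist-DR", "10.9.0.2"),
    ("Dist-Extra", "10.1.2.99"),   # sixth entry: outside the top five, never considered
]

# Constructed round-trip times in milliseconds; None stands for no ICMP reply.
SAMPLE_RTT: Dict[str, Optional[float]] = {
    "10.0.0.5": 80.0, "10.1.2.20": 2.5, "10.1.3.7": 6.0,
    "10.1.4.9": None, "10.9.0.2": 45.0, "10.1.2.99": 0.5,
}


def fake_ping(addr: str) -> Optional[float]:
    """Stand-in for an ICMP echo; a real agent would measure this on the wire."""
    return SAMPLE_RTT.get(addr)


if __name__ == "__main__":
    print(select_by_subnet(SAMPLE_LIST, "10.1.2.50", 24))   # Dist-HQ
    print(select_by_ping(SAMPLE_LIST, fake_ping))            # Dist-HQ
```

Note that Dist-Extra answers fastest of all in the constructed table but is never chosen, because it sits sixth in the list; ordering the repository list so that the right candidates land in the top five matters as much as their network placement.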
Deploying Software and Updates Using the Product Deployment task to deploy products to managed systems 1 Go to Software | Master Repository, then click Check In Package. The Check In Package wizard appears. Figure 24: Master Repository tab 2 Select the package type, then browse to and select the desired package file. 3 Click Next. The Package Options page appears. 4 Next to Check in package to this branch, select the desired branch.
Deploying Software and Updates Using the Product Deployment task to deploy products to managed systems Tasks Configuring the Deployment task for groups of managed systems Configuring the Deployment task to install products on a managed system Configuring the Deployment task for groups of managed systems Use this task to configure the Product Deployment task to deploy products to groups of managed systems in the System Tree. Task For option definitions, click ? on the page displaying the options.
Deploying Software and Updates Deploying update packages automatically with global updating 1 Go to Systems | System Tree | Systems, then select the group in the System Tree which contains the desired system. 2 Select the checkbox next to the desired system. 3 Click Modify Tasks on a Single System. The list of tasks assigned to this system appears. NOTE: You may need to click More Actions to access Modify Tasks on a Single System. 4 Click New Task .
Deploying Software and Updates Deploying update packages with pull and replication tasks Task For option definitions, click ? on the page displaying the options. 1 Go to Configuration | Server Settings, select Global Updating, then click Edit at the bottom of the page. Figure 25: Edit Global Updating page 2 On the Edit Global Updating page, select Enabled next to Status. 3 Edit the Randomization interval, if desired. The default is 20 minutes.
Deploying update packages with pull and replication tasks

Tasks
Using pull tasks to update the master repository
Replicating packages from the master repository to distributed repositories

Using pull tasks to update the master repository
Use either of these tasks to update the contents of the master repository from the McAfee update site or a user-configured source site. You can schedule pull tasks or run them immediately.

Select Evaluation to test the packages in a lab environment first. Select Current to use the packages without testing them first.
7 Select whether to pull:
• All packages
• Selected packages — If you select this option, you must click Select Packages and choose the packages to pull from the source site when this task runs.

3 Select the repository branch that receives the packages. Select Evaluation to test the packages in a lab environment first. Select Current to use the packages without testing them first.
4 Select Support NetShield for NetWare if you have NetShield for NetWare in your environment.
4 Select Repository Replication from the drop-down list.
Figure 28: Repository Replication server task action
5 Select Incremental or Full from the Replication type drop-down list. Incremental replicates only the differences between the master and distributed repositories. Full replicates all contents of the master repository to the distributed repositories.

3 Select Incremental replication or Full replication, then click Next.
NOTE: If this is the first time you are replicating to a distributed repository, it is a full replication even if you select incremental replication.
4 Click Start Replication to begin the task. The Server Task Log page appears, displaying the status of the task until it completes.

2 Paste the copied files and subfolders in your repository folder on the distributed repository system.
3 Configure an agent policy for managed systems to use the new unmanaged distributed repository:
a Create a new agent policy or open an existing one for editing.
CAUTION: Policy inheritance cannot be broken for tabs of a policy.
4 Next to Branch, select the desired branch. If your environment requires testing new packages before deploying them, McAfee recommends using the Evaluation branch. Once you finish testing the packages, you can move them to the Current branch on the Software | Master Repository tab.

Task
For option definitions, click ? on the page displaying the options.
• Go to Reporting | Queries, select VSE: DAT Deployment in the Queries list, then click Run Query.
NOTE: See the VirusScan Enterprise documentation for more information on this query.

Evaluating new DATs and engines before distribution
Use this task to test update packages using the Evaluation branch.

Task
For option definitions, click ? on the page displaying the options.
1 Go to Software | Master Repository. The Packages in Master Repository table appears.
2 In the row of the desired package, click Change Branch. The Change Branch page appears.
3 Select whether to move or copy the package to another branch.
4 Select which branch receives the package.
Sending Notifications

The ePolicy Orchestrator Notifications feature alerts you to events that occur on your managed systems or on the ePolicy Orchestrator server. You can configure notification rules in ePolicy Orchestrator to send email messages or SNMP traps, as well as run external commands, when specific events are received and processed by the ePolicy Orchestrator server.

Notifications and how it works
Before you plan the implementation of Notifications, you should understand how this feature works with ePolicy Orchestrator and the System Tree.
NOTE: This feature does not follow the inheritance model of policy enforcement.

rule is named VirusDetected_<group name>, where <group name> is the name of the group as it appears in the System Tree (for example, VirusDetected_Subgroup2c).
Figure 29: System Tree for Notification Scenarios

Scenario one
For this scenario, 100 virus detections occur in Subgroup2C within 60 minutes in a single day.
Default rules
ePolicy Orchestrator provides six default rules that you can enable for immediate use while you learn more about the feature.
NOTE: Once enabled, the default rules send notification messages to the email address you provided in the ePO installation wizard.
Before enabling any of the default rules:
• Specify the email server (at Configuration | Server Settings) from which the notification messages are sent.

• The types of events (product and server) that trigger notification messages in your environment.
• Who should receive which notification messages. For example, it may not be necessary to notify the administrator of group B about a failed replication in group A, but you may want all administrators to know that an infected file was discovered in group A.
• Which types and levels of thresholds you want to set for each rule.

5 To regulate traffic size, type the Maximum number of events per upload.
6 Click Save.

Determining which events are forwarded
Use this task to determine which events are forwarded to the server.

Task
For option definitions, click ? on the page displaying the options.
1 Go to Configuration | Server Settings, select Event Filtering, then click Edit at the bottom of the page.
2 Select the desired events, then click Save.
3 Next to Notifications, click Edit.
4 Select the desired Notifications permission:
• No permissions
• View notification rules and Notification Log
NOTE: This permission also grants the ability to view SNMP servers, registered executables, and external commands.
• Create and edit notification rules; view Notification Log
NOTE: This permission also grants the ability to view SNMP servers, registered servers, and external commands.

2 Provide the name and address of the SNMP server, then click Save. The added SNMP server appears in the SNMP Servers list.

Duplicating SNMP servers
Use this task to duplicate an existing SNMP server.

Task
For option definitions, click ? on the page displaying the options.
1 Go to Automation | SNMP Servers, then click Duplicate next to the SNMP server on which you want to base the new entry.
2 Provide a new name, then click Save.

Working with registered executables and external commands
Use these tasks to configure external commands by adding registered executables and assigning them to commands. You can configure notification rules to execute an external command when the rule is triggered.

Before you begin
Before configuring the list of external commands, place the registered executables at a location on the server where the rules can point to them.
Editing registered executables
Use this task to edit an existing registered executable entry.

Before you begin
You must have appropriate permissions to perform this task.
You must use a browser session from the ePO server system.

Task
1 Go to Automation | Registered Executables, then select Edit next to the desired executable in the list. The Edit Registered Executable page appears.

Task
For option definitions, click ? on the page displaying the options.
1 Go to Automation | External Commands, then click New External Command at the bottom of the page. The New External Command page appears.
2 Type the name of the command.
3 Select the Registered Executable to which you want to assign the command.
4 Type the desired Arguments for the command, insert any variables as needed, then click Save.

Creating and editing Notification rules
Use these tasks to create and edit Notification rules. These allow you to define when, how, and to whom notifications are sent.
NOTE: Notification rules do not have a dependency order.

Tasks
Describing the rule
Setting filters for the rule
Setting thresholds of the rule
Configuring the notifications for the rule

Describing the rule
Use this task to begin creating a rule.
5 Set the priority of the rule to High, Medium, or Low.
NOTE: The priority of the rule is used to set a flag on an email message in the recipient’s Inbox. For example, selecting High places a red exclamation mark next to the notification email message, and selecting Low places a blue, down-facing arrow next to it. The priority does not affect the rule or event processing in any way.

2 If you selected Send a notification if multiple events occur within, you can choose to send a notification when the specified conditions are met. These conditions are:
• When the number of affected systems is at least a defined number of systems.
• When the number of events is at least a defined number of events.
• Either (by selecting both options).
NOTE: You can select one or both options.

• Selected categories
• Selected threat or rule name
• First event time
• Event IDs
• Event descriptions
• Actual number of systems
• Actual number of events
• Actual products
• Actual categories
• Actual threat or rule names
• Source systems
• Affected system IP addresses
• Affected system names
• Time notification sent
• Affected objects
• Additional information
NOTE: Some events do not include this information.
Task
For option definitions, click ? on the page displaying the options.
1 Go to Reporting | Notification Log.
2 From the Time filter drop-down list, select the period of time for which you want to view notification history.
3 Click ... next to the System Tree filter text box. The Select group to filter by dialog box appears.
4 Select the group of the System Tree whose notification history you want to view.

Task
For option definitions, click ? on the page displaying the options.
1 Go to Reporting | Notification Log, then click Purge at the bottom of the page. The Purge Notification Log dialog box appears.
2 Select the number of days, weeks, months, or years; all items of that age or older are purged. Alternatively, select a query that you have created for this purpose. The Notification Log entries that meet these criteria are permanently deleted.

Frequently asked questions
• Any external tool installed on the ePolicy Orchestrator server.
Querying the Database

ePolicy Orchestrator 4.0 ships with its own querying and reporting capabilities. These are highly customizable and provide flexibility and ease of use. Included is the Query Builder wizard, which creates and runs queries that present user-configured data in user-configured charts and tables. To get you started, McAfee includes a set of default queries that provide the same information as the default reports of previous versions.

Queries as dashboard monitors
Almost any query (except those that use a table to display the initial results) can be used as a dashboard monitor. Dashboard monitors refresh automatically on a user-configured interval (five minutes by default).

Exported results
Query results can be exported to four different formats. Exported results are historical data and are not refreshed, unlike queries used as dashboard monitors.

as well as the ability to make any personal query available to anyone with access to public queries.
NOTE: To run some queries, you also need permissions to the feature sets associated with their result types. Also, in a query’s results pages, the actions available on the resulting items depend on the feature sets the user has permissions for.

Query Builder
ePolicy Orchestrator provides an easy, four-step wizard with which to create and edit custom queries.
• Grouped summary table
• Line chart
• Pie chart
• Summary table
• Table

Table columns
Specify columns for the table. If you select Table as the primary display of the data, this configures that table. If you selected a type of chart as the primary display of data, this configures the drill-down table. Query results displayed in a table are actionable.

Preparing for roll-up querying
Use these tasks to ensure the eporollup_ tables on the reporting server are populated and ready for use by queries based on the Rolled Up query result types. Perform these tasks for each server whose data will be included in the query results.
NOTE: Using the Rolled-Up Compliance History result type additionally requires that a Boolean pie chart-based query on managed systems be created on each server.

3 Select the desired Data Roll Up actions, and select the registered server to which they apply.
NOTE: McAfee recommends creating one server task per registered server, and configuring it to run both Roll Up Data actions.
4 Click Next. The Schedule page appears.
5 Schedule the task as needed, then click Next. The Summary page appears.
7 Click Next. The Filter page appears.
8 Select properties to narrow the search results. Selected properties appear in the content pane with operators for specifying the criteria that narrow the data returned for each property. Ensure your choices provide the data to display in the table columns configured in the previous step.
9 Click Run.

5 Select the language in which to display the results.
Figure 31: Run Query server task actions
6 Select an action to take on the results. Available actions depend on the permissions of the user, and include:
• Email File — Sends the results of the query to a specified recipient, in a user-configured format (PDF, XML, CSV, or HTML).
• Move To — Moves all systems in the query results to a group in the System Tree.
• Deploy Agents — Deploys agents, according to the configuration on this page, to the systems in the query results. This option is only valid for queries that result in a table of systems.
• Wake Up Agents — Sends an agent wake-up call, according to the configuration on this page, to all systems in the query results. This option is only valid for queries that result in a table of systems.
NOTE: You are not limited to selecting one action for the query results.
Sharing a query between ePO servers
Use these tasks to export and import a query for use among multiple servers.

Tasks
Exporting queries for use by another ePO server
Importing queries

Exporting queries for use by another ePO server
Use this task to export a query to an XML file, which can then be imported to another ePO server.

Task
For option definitions, click ? on the page displaying the options.

4 Select the format of the exported file. If exporting to a PDF file, select the page size and orientation.
5 Select whether the files are emailed as attachments to selected recipients, or saved to a location on the server to which a link is provided. You can open the file, or save it to another location, by right-clicking it.

ePO: Compliance History query
Use this query, with its default settings, to view the percentage of systems (over time) in your environment that are non-compliant.

Before you begin
This query and its results depend on the Generate Compliance Event server task. Schedule this server task to run at a regular interval. This query also depends on a Boolean pie chart query based on managed systems (for example, the default ePO: Compliance Summary query).
Comparable report in ePolicy Orchestrator 3.6
This query replaces all or part of:
• DAT-Definition Deployment Summary
• DAT Engine Coverage

ePO: Distributed Repository Status query
Use this query, with its default settings, to view a Boolean pie chart of your distributed repositories, divided according to whether their last replication was successful.

Comparable report in ePolicy Orchestrator 3.6
This query replaces all or part of:
• DAT-Definition Deployment Summary
• DAT Engine Coverage

ePO: Systems per Top-Level Group query
Use this query, with its default settings, to view a bar chart of your managed systems organized by top-level System Tree group.

Query results
The results of the query are displayed in a bar chart, which you can use to drill down into the systems that make up each bar.
Assessing Your Environment With Dashboards

Dashboards allow you to keep a constant eye on your environment. Dashboards are collections of monitors. Monitors can be anything from a chart-based query to a small web application, like the MyAvert Security Threats monitor, that is refreshed at a user-configured interval. Users must have the appropriate permissions to use and create dashboards.

• McAfee Links — Hyperlinks to McAfee sites, including ePolicy Orchestrator Support, Avert Labs WebImmune, and Avert Labs Threat Library.

Setting up dashboard access and behavior
Use these tasks to ensure users have the appropriate access to dashboards and to set how often dashboards are refreshed.

Working with Dashboards
Use these tasks to create and manage dashboards.

Tasks
Creating dashboards
Making a dashboard active
Selecting all active dashboards
Making a dashboard public

Creating dashboards
Use this task to create a dashboard.

Task
For option definitions, click ? on the page displaying the options.
1 Go to Dashboards, then select Manage Dashboards from the Options drop-down list. The Manage Dashboards page appears.
Task
For option definitions, click ? on the page displaying them.
1 Go to Dashboards, click Options, then select Manage Dashboards. The Manage Dashboards page appears.
2 Select a dashboard from the Dashboards list, then click Make Active.
3 Click OK when prompted.
4 Click Close. The selected dashboard is now on the tab bar.

Selecting all active dashboards
Use this task to select all dashboards that make up your active set.

Task
For option definitions, click ? on the page displaying the options.
1 Go to Dashboards, then select Manage Dashboards from the Options drop-down list.
2 Select the desired dashboard from the Available Dashboards list, then click Make Public.
3 Click OK when prompted. The dashboard appears in the Public Dashboards list on the Manage Dashboards page.
Appendix: Maintaining ePolicy Orchestrator databases

Regardless of whether you use an MSDE or SQL database with ePolicy Orchestrator, your databases require regular maintenance over time. This ensures optimal performance and that the data in them is protected. Depending on your deployment of ePolicy Orchestrator, plan on spending a few hours each week on regular database backups and maintenance. Many of the tasks in this section should be done on a regular basis, either weekly or daily.

Performing daily or weekly database maintenance
Run this utility at least once a week. You can use the SQLMAINT.EXE command-prompt utility to perform routine database maintenance activities. It can be used to run DBCC checks, to dump a database and its transaction log, to update statistics, and to rebuild indexes.

Backing up ePolicy Orchestrator databases regularly
McAfee recommends that you back up ePolicy Orchestrator databases regularly to protect your data and guard against hardware and software failure. You may need to restore from a backup, for example if you ever need to reinstall the server. How often you back up depends on how much of your data you are willing to lose.
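The two sections above name four routine operations (DBCC consistency checks, dumping the database and its transaction log, updating statistics, rebuilding indexes) plus regular backups. The following T-SQL script is an added example, not McAfee's SQLMAINT.EXE or the guide's backup utility; it performs the same operations directly against SQL Server so that each step is visible and can be scheduled as a SQL Server Agent job. The database name ePO4_EPOSERVER and the backup path D:\Backups\ are placeholders for this example, not values from the guide, and the script assumes SQL Server 2005 or later syntax.

```sql
-- Added example: weekly maintenance for an ePO database, written in T-SQL.
-- Not McAfee's SQLMAINT.EXE; it performs the same four operations the appendix
-- names, followed by a backup verification.
-- Placeholders (not from the guide): database ePO4_EPOSERVER, folder D:\Backups\.
USE master;
GO

-- 1. Consistency check (the "DBCC checks" the appendix refers to).
--    Any error here means the backup taken below may be of a corrupt database,
--    so review the output before moving on.
DBCC CHECKDB ('ePO4_EPOSERVER') WITH NO_INFOMSGS;
GO

-- 2. Full backup of the database, then its transaction log (the "dump").
--    INIT overwrites the previous file; CHECKSUM makes the backup self-verifying.
BACKUP DATABASE ePO4_EPOSERVER
    TO DISK = 'D:\Backups\ePO4_EPOSERVER_full.bak'
    WITH INIT, CHECKSUM;
GO
-- The log backup is only valid when the database uses the FULL or BULK_LOGGED
-- recovery model; under the SIMPLE model, skip this statement.
BACKUP LOG ePO4_EPOSERVER
    TO DISK = 'D:\Backups\ePO4_EPOSERVER_log.trn'
    WITH INIT, CHECKSUM;
GO

-- 3. Refresh optimizer statistics for every table in the database.
USE ePO4_EPOSERVER;
GO
EXEC sp_updatestats;
GO

-- 4. Rebuild every index on every user table.
--    sp_MSforeachtable substitutes each table name for the ? placeholder.
EXEC sp_MSforeachtable 'ALTER INDEX ALL ON ? REBUILD';
GO

-- Confirm the full backup is readable before relying on it for a restore.
RESTORE VERIFYONLY
    FROM DISK = 'D:\Backups\ePO4_EPOSERVER_full.bak'
    WITH CHECKSUM;
GO
```

Run the script while the ePolicy Orchestrator server service is stopped, as the guide's own backup steps imply by restarting that service afterwards, and keep the backup folder on storage that is separate from the database files so a single disk failure does not take both.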
8 Click Backup.
9 Click OK when the backup process is done.
10 Start the McAfee ePolicy Orchestrator 4.0 Server service and ensure that the MSSQLSERVER service is running. For instructions, see the operating system product documentation.

Changing SQL Server information
Use this task to edit the SQL Server connection configuration details.

Restoring a SQL database (see your SQL documentation)
If you are using Microsoft SQL Server or SQL 2005 Express as the database, see the SQL Server product documentation.

Restoring an MSDE database from a backup
You can back up and restore MSDE databases to the same path on the same database server using this utility. You cannot use it to change the location of the database.