Product Guide Revision A Endpoint Intelligence Agent 2.1.
COPYRIGHT Copyright © 2013 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, Foundscore, Foundstone, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee Total Protection, TrustedSource, VirusScan, WaveSecure are trademarks or registered trademarks of McAfee, Inc.
Preface
This guide provides the information you need to configure, use, and maintain your McAfee product.
About this guide
This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.
Audience
McAfee documentation is carefully researched and written for the target audience.
Find product documentation
McAfee provides the information you need during each phase of product implementation, from installation to daily use and troubleshooting. After a product is released, information about the product is entered into the McAfee online KnowledgeBase.
Task
1 Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com.
2 Under Self Service, access the type of information you need: To access... Do this...
1 Introduction McAfee® Endpoint Intelligence Agent is an endpoint solution that provides per-connection information to the supported network devices, namely, the McAfee® Firewall Enterprise (Firewall Enterprise) and the McAfee® Network Threat Behavior Analysis Appliance.
How Endpoint Intelligence Agent works
• The executable file name on the disk (full path) and hash of the process that generated the connection. This is an optional field and is sent only when file reputation is available.
When network traffic is generated, the reputation of the executable file that generated it is what the network device uses to select response actions and keep malicious files off the network. McAfee EIA monitors the executable files that send traffic from endpoints to the network device, and analyzes them and their associated libraries to calculate the file reputation.
• ePolicy Orchestrator installs and configures the Endpoint Intelligence Agent settings on managed hosts.
• Firewall Enterprise is configured for Endpoint Intelligence Agent using the Admin Console. If your firewall is managed by Control Center, the firewall is configured on the Control Center Management Server.
• Endpoint Intelligence Agent sends metadata to Firewall Enterprise. User information and other metadata are used for auditing.
When the GTI capability is enabled on the NTBA appliance, McAfee EIA sends a GTI request consisting of the MD5 of the executable. The NTBA communicates with the GTI server and sends a response to McAfee EIA consisting of the MD5 and the corresponding GTI value. Based on this response (the GTI value), the confidence score in the reputation cache is refreshed. Endpoint Intelligence Agent works with enterprise point-product installations on the host computers.
Determining your discovery method
The confidence levels associated with an executable are specified as numeric values. Each value corresponds to one of the following confidence levels:
• 0 - Unknown
• 2 - Very Low Risk
• 3 - Low Risk
• 4 - Medium Risk
• 5 - High Risk
• 6 - Very High Risk
The confidence levels can't be modified and are imported as part of the baseline computer profile.
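The following Python example, added here for illustration and not part of the McAfee product, models the reputation cache described above: executables are keyed by their MD5, each digest seen for the first time becomes a pending GTI request, and a GTI response refreshes the cached confidence score using the numeric levels listed above. The pending-request bookkeeping, the rejection of responses for digests that were never requested, and the sample file bytes are assumptions made for the demo.

```python
"""Reputation cache keyed by executable MD5, refreshed from GTI responses.

Added example, not McAfee code.  The guide states that EIA sends a GTI request
consisting of the MD5, receives the MD5 plus a GTI value back, and refreshes the
confidence score in its reputation cache.  The pending-request bookkeeping and
the rejection of unsolicited replies are assumptions for this demo.
"""
import hashlib
from dataclasses import dataclass

# Numeric confidence levels exactly as the guide lists them (1 is not defined).
CONFIDENCE_LEVELS = {
    0: "Unknown",
    2: "Very Low Risk",
    3: "Low Risk",
    4: "Medium Risk",
    5: "High Risk",
    6: "Very High Risk",
}


@dataclass
class CacheEntry:
    path: str            # full path of the executable on disk
    md5: str             # hex digest: the cache key and the GTI request body
    confidence: int = 0  # Unknown until a GTI value arrives


class ReputationCache:
    def __init__(self) -> None:
        self._entries: dict[str, CacheEntry] = {}
        self._pending: set[str] = set()  # digests sent to GTI, no reply yet

    def observe(self, path: str, file_bytes: bytes) -> CacheEntry:
        """Record a connection-generating executable; queue a GTI lookup on first sight."""
        digest = hashlib.md5(file_bytes).hexdigest()
        entry = self._entries.get(digest)
        if entry is None:
            entry = CacheEntry(path=path, md5=digest)
            self._entries[digest] = entry
            self._pending.add(digest)
        return entry

    def gti_requests(self) -> list[str]:
        """Digests that still need a GTI value (what would be sent via the NTBA)."""
        return sorted(self._pending)

    def apply_gti_response(self, md5: str, gti_value: int) -> bool:
        """Refresh the confidence score from a GTI response.

        Returns False and changes nothing for a digest that was never requested,
        so an unsolicited or replayed reply cannot plant a score.  Raises on a
        value outside the documented table.
        """
        if gti_value not in CONFIDENCE_LEVELS:
            raise ValueError(f"undefined GTI confidence value: {gti_value}")
        if md5 not in self._pending:
            return False
        self._pending.discard(md5)
        self._entries[md5].confidence = gti_value
        return True

    def label(self, md5: str) -> str:
        """Human-readable confidence level for a cached digest."""
        return CONFIDENCE_LEVELS[self._entries[md5].confidence]


# Constructed sample: two "executables" whose bytes are invented for the demo.
SAMPLE_FILES = {
    r"C:\Program Files\App\app.exe": b"MZ-demo-app-bytes",
    r"C:\Users\alice\Downloads\tool.exe": b"MZ-demo-tool-bytes",
}


def demo() -> dict[str, str]:
    """Observe the sample files, answer their GTI requests, and return path -> level."""
    cache = ReputationCache()
    for path, data in SAMPLE_FILES.items():
        cache.observe(path, data)
    requests = cache.gti_requests()
    # Pretend the NTBA relayed GTI's verdicts: one Low Risk, one High Risk.
    cache.apply_gti_response(requests[0], 3)
    cache.apply_gti_response(requests[1], 5)
    return {path: cache.label(hashlib.md5(data).hexdigest())
            for path, data in SAMPLE_FILES.items()}


if __name__ == "__main__":
    for path, level in demo().items():
        print(f"{level:15} {path}")
```

Because the key is the digest rather than the path, a second copy of the same executable reuses the existing entry and does not trigger another GTI request; two different files that share an MD5 would likewise share one entry, which is why the hash, not the file name, should be treated as the identity the network device sees.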
2 Setting up Endpoint Intelligence Agent with ePolicy Orchestrator Install the Endpoint Intelligence Management Extension, check in the Endpoint Intelligence Agent package, and deploy Endpoint Intelligence Agent to managed systems.
Download Endpoint Intelligence Management extension and Endpoint Intelligence Agent package
Product: Firewall Enterprise Control Center. Supported version: 5.3.1 or later.
Product: Firewall Enterprise. Supported version: 8.3.1 with the latest P-patch, or 8.3.2 or later.
• Version 8.3.1 with the latest P-patch: McAfee EIA works only with the Network Integrity Agent 1.0.0 features.
• Version 8.3.
Upload the Endpoint Intelligence Agent package
Upload the Endpoint Intelligence Agent package to the ePolicy Orchestrator server. This package contains the files necessary to install Endpoint Intelligence Agent on managed systems.
Task
For option definitions, click ? in the interface.
1 From the ePolicy Orchestrator console, select Menu | Software | Master Repository.
Upgrade the Endpoint Intelligence Agent
3 In the Task Types list, select Product Deployment.
4 Click OK. The Client Task Catalog: New Task - McAfee Agent: Product Deployment window appears.
5 In the Task Name field, enter a name for the task.
6 From the Products and components menu, select Endpoint Intelligence Agent 2.1.0.
7 Click Save.
8 Run the task.
a Click the System Tree icon. The Systems tab appears.
3 Configure Endpoint Intelligence Agent on Firewall Enterprise To configure Endpoint Intelligence Agent on Firewall Enterprise, follow the procedures in this section. Contents Configure certificates Configure policy Firewall Enterprise setup Configure certificates Certificate configuration is necessary for the encrypted communication between Firewall Enterprise and McAfee EIA. The certificate configuration is not required for NTBA.
• Public key lengths must be 4096 bits or lower.
• The host certificate used by McAfee EIA must be signed by the same certificate authority that generated the CA certificate.
Tasks
• Generate the firewall certificate: Create and export a firewall certificate to be signed by ePolicy Orchestrator.
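The following Python script, added here as an example and not McAfee tooling, checks a host certificate against the two constraints above using the openssl command-line tool: it reads the public key size from the output of openssl x509 -text and confirms the certificate chains to the expected CA with openssl verify. The demo PKI it builds (a CA named Demo-EIA-CA, a second unrelated CA named Other-CA, 2048-bit keys, one-day validity) is constructed for the demonstration only; point check_host_cert at your own host certificate and the CA certificate you configured on the firewall.

```python
"""Check an EIA host certificate against the two constraints in this guide:
the public key is at most 4096 bits, and the certificate is signed by the
configured CA.  Added example using the openssl CLI, not McAfee tooling.
The demo PKI below is constructed for illustration only.
"""
import re
import shutil
import subprocess
import tempfile
from pathlib import Path

MAX_KEY_BITS = 4096  # "Public key lengths must be 4096 bits or lower."


def openssl_available() -> bool:
    return shutil.which("openssl") is not None


def openssl(*args: str) -> subprocess.CompletedProcess:
    return subprocess.run(["openssl", *args], capture_output=True, text=True)


def parse_key_bits(x509_text: str) -> int:
    """Pull the key size out of `openssl x509 -text` output, e.g. 'Public-Key: (2048 bit)'.

    Matches both the 1.1.1 form ('RSA Public-Key:') and the 3.x form ('Public-Key:').
    """
    match = re.search(r"Public-Key:\s*\((\d+) bit\)", x509_text)
    if match is None:
        raise ValueError("no Public-Key line found; is this a PEM certificate?")
    return int(match.group(1))


def key_length_ok(bits: int) -> bool:
    return bits <= MAX_KEY_BITS


def check_host_cert(cert_pem: Path, ca_pem: Path) -> dict:
    """Return the key size, the key-length verdict and whether ca_pem verifies the cert."""
    text = openssl("x509", "-in", str(cert_pem), "-noout", "-text")
    if text.returncode != 0:
        raise RuntimeError(text.stderr.strip())
    bits = parse_key_bits(text.stdout)
    verify = openssl("verify", "-CAfile", str(ca_pem), str(cert_pem))
    return {"key_bits": bits, "key_ok": key_length_ok(bits), "chain_ok": verify.returncode == 0}


def make_demo_pki(workdir: Path, key_bits: int = 2048) -> dict[str, Path]:
    """Constructed PKI: Demo-EIA-CA signs host.pem; Other-CA is unrelated to it."""
    paths: dict[str, Path] = {}
    for name, cn in (("ca", "Demo-EIA-CA"), ("other_ca", "Other-CA")):
        key, pem = workdir / f"{name}.key", workdir / f"{name}.pem"
        run = openssl("req", "-x509", "-newkey", f"rsa:{key_bits}", "-nodes", "-days", "1",
                      "-subj", f"/CN={cn}", "-keyout", str(key), "-out", str(pem))
        if run.returncode != 0:
            raise RuntimeError(run.stderr.strip())
        paths[name] = pem
    csr, host_key, host_pem = workdir / "host.csr", workdir / "host.key", workdir / "host.pem"
    steps = (
        ("req", "-new", "-newkey", f"rsa:{key_bits}", "-nodes", "-subj", "/CN=eia-host",
         "-keyout", str(host_key), "-out", str(csr)),
        ("x509", "-req", "-in", str(csr), "-CA", str(paths["ca"]), "-CAkey", str(workdir / "ca.key"),
         "-CAcreateserial", "-days", "1", "-out", str(host_pem)),
    )
    for args in steps:
        run = openssl(*args)
        if run.returncode != 0:
            raise RuntimeError(run.stderr.strip())
    paths["host"] = host_pem
    return paths


def demo() -> tuple[dict, dict]:
    """Check the demo host cert against its real CA and against an unrelated CA."""
    with tempfile.TemporaryDirectory() as tmp:
        p = make_demo_pki(Path(tmp))
        return check_host_cert(p["host"], p["ca"]), check_host_cert(p["host"], p["other_ca"])


if __name__ == "__main__":
    good, wrong_ca = demo()
    print("signed by the configured CA:", good)
    print("signed by a different CA:   ", wrong_ca)
```

A certificate that fails the chain check against the CA certificate loaded on the firewall will also fail the firewall's own validation of the agent, so run this before deploying the policy rather than after hosts start showing up in the Gateway Status report.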
Option: Retention Interval. Definition: Specifies the number of days ePolicy Orchestrator keeps the Gateway Status reports sent from the McAfee EIA.
Option: 'Time to Live' for Data channel packets. Definition: Specifies the amount of time to live for data channel packets. The time range is 1 to 1440 minutes. By default, this is set to 10 minutes.
Task
For option definitions, click Help in the interface.
1 From the Firewall Enterprise Admin Console, select Maintenance | Certificate/Key Management.
2 Load the signed certificate.
a Click the Firewall Certificates tab.
b In the Certificates list, select the certificate, then click Load. The Firewall Certificates: Load Certificate for PKCS#10 Request window appears.
c For Certificate Source, select File.
Configure policy
d Enter the information for the CA certificate.
e Click Add.
f Click Get CA Cert to get the Distinguished Name details.
3 Configure the firewall certificate.
a Click the Firewall Authorities tab.
b Click New. The Firewall Certificates: Create New Certificate window appears.
c From the Submit to CA drop-down list, select the name of the CA certificate you configured on the firewall.
d Click Add.
3 Click New Policy. The New Policy window appears.
4 Choose a policy in the Create a policy based on this existing policy list.
5 Enter a name in the Policy Name field.
6 [Optional] Enter a description in the Notes field.
7 Click OK. The new policy appears in the Name column in the Policy Catalog area.
Configure discovery options
Edit a policy to specify optional route and discovery information for managed systems.
Example: You have a subnet configured for route discovery, but you don't want to send metadata for a particular host in that network.
9 To exempt the host:
a Enter the network address and subnet mask as you did in steps 4 and 5, but leave the Device IP and Port fields empty.
b Select Exempt Route.
c Click Add Route.
When you are done entering discovery options, click Save.
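The following Python example, added here for illustration and not part of the product, shows how the route and exempt-route entries above would be applied when the agent decides where to send metadata for a host. The field model follows the policy form (network address, subnet mask, Device IP, Port, Exempt Route); the rule that the most specific matching route wins, and the device address and port in the sample policy, are assumptions made for the demo.

```python
"""Resolve which network device, if any, receives metadata for a host, following
the route / exempt-route model of the discovery options.  Added example, not
McAfee code.  Longest-prefix matching and the sample device IP/port are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    device_ip: Optional[str] = None  # left empty for an exempt route
    port: Optional[int] = None
    exempt: bool = False

    def __post_init__(self) -> None:
        # Mirror the form: an exempt route has no device; a normal route needs both fields.
        if self.exempt and (self.device_ip or self.port):
            raise ValueError(f"exempt route {self.network} must leave Device IP and Port empty")
        if not self.exempt and not (self.device_ip and self.port):
            raise ValueError(f"route {self.network} needs both Device IP and Port")


def make_route(network: str, mask: str, device_ip: str = "", port: str = "",
               exempt: bool = False) -> Route:
    """Build a Route from the policy fields; blank fields are passed as ''."""
    net = ipaddress.IPv4Network(f"{network}/{mask}", strict=True)
    return Route(net, device_ip or None, int(port) if port else None, exempt)


def resolve(routes: list[Route], host_ip: str) -> Optional[tuple[str, int]]:
    """Return (device_ip, port) for the host, or None if no route matches or it is exempt."""
    addr = ipaddress.IPv4Address(host_ip)
    matches = [r for r in routes if addr in r.network]
    if not matches:
        return None
    best = max(matches, key=lambda r: r.network.prefixlen)  # assumption: most specific wins
    if best.exempt:
        return None
    return best.device_ip, best.port


# Constructed policy: a /16 routed to a firewall (assumed address and port),
# one /24 exempted, and one single host exempted as in the example above.
DEMO_ROUTES = [
    make_route("10.1.0.0", "255.255.0.0", "10.1.0.1", "8443"),
    make_route("10.1.5.0", "255.255.255.0", exempt=True),
    make_route("10.1.2.99", "255.255.255.255", exempt=True),
]


if __name__ == "__main__":
    for host in ("10.1.2.3", "10.1.5.7", "10.1.2.99", "192.168.1.1"):
        print(host, "->", resolve(DEMO_ROUTES, host) or "no metadata sent")
```

Note that the single-host exemption uses a /32 mask, which is what "a particular host in that network" amounts to on the policy form, and that a host outside every configured network gets no device at all rather than falling back to a default.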
Option: Log Level. Definition: Specifies the logging level for the Endpoint Intelligence Agent. The default is Error; you can select Fatal, Error, Warn, or Debug as needed.
Option: Log Numbers. Definition: Specifies how many rotated log files are kept on the system. Once this limit is reached, the oldest log files are removed. For example, if the log number is 0, no old versions are kept.
Firewall Enterprise setup
Option: Thread Count. Definition: Configures the number of worker threads used by McAfee EIA to compute reputation. Reducing the thread count reduces the performance of McAfee EIA (used for debugging purposes). The default value is 4.
Option: Show Configuration GUI. Definition: Specifies whether configuration information is displayed on the endpoint interface. By default, this checkbox is deselected.
4 Configure Endpoint Intelligence Agent on NTBA
To configure Endpoint Intelligence Agent on the NTBA appliance, follow the procedures in this section.
Contents
Configure policy
NTBA setup
Configure policy
Configure the shared key and route discovery information. You can edit or duplicate an existing policy, or create a new policy. Two preconfigured policies are generated for Endpoint Intelligence Agent:
• McAfee Default is read-only and cannot be deleted. It can be duplicated.
5 Maintenance and troubleshooting You can use a variety of reports and logs to monitor the status of host agents and troubleshoot communication or operational problems.
View the Gateway Status report
The Gateway Status report lists agent hosts that have problems communicating with the Firewall Enterprise gateway.
Task
For option definitions, click ? in the interface.
1 From the ePolicy Orchestrator console, select Menu | Network | Gateway Status report. The Enterprise Firewalls area appears.
2 When you are finished viewing the report, click Close.
Log Collector tool
You can collect logs using LogCollector.exe in the Endpoint Intelligence Agent install folder, C:\Program Files\McAfee\Endpoint Intelligence Agent\x86. The logs are written to an EiaDiagnosisLogs.CAB file. The location of this file depends on the operating system: it is created in the x86 folder on a 32-bit operating system and in the x64 folder on a 64-bit operating system.
Troubleshooting tips
Problem: The McAfee EIA Service does not start.
Solution:
• Check whether the Firecore service is running, and start it if it is not.
• If VSE is present, disable Access Protection so that the Firecore service can start; re-enable Access Protection once the service is running.
• Check whether the McAfee EIA service is running, and start it if it is not.
• Verify the status of the Firecore installation.
Problem: Issues with the EIM extension.
Solution:
• Provide the policy configuration.
• Provide the browser version details.
• In case of certificate issues, provide the ePO Audit logs.
• Collect the ePO MER logs. For more information, see KB59385.
6 Frequently asked questions
This section answers some of the frequently asked questions about Endpoint Intelligence Agent.
Question 1: When McAfee EIA switches the DTLS connection from one network device to another, the older connection continues to be displayed in the status screen as connected. Why?
Answer 1: When a route is added, McAfee EIA connects to a network device and starts sending metadata. The status screen displays that the connection is up.