Product guide

When the GTI capability is enabled on the NTBA appliance, McAfee EIA sends a GTI request consisting
of the MD5. The NTBA communicates with the GTI server and sends a response to McAfee EIA
consisting of the MD5 and the corresponding GTI value. Based on this response (the GTI value), the
confidence score in the reputation cache is refreshed.
Endpoint Intelligence Agent works with enterprise point-product installations on the host computers.
Consumer point-product installations are not supported.
Endpoint Baseline Generator tool
The Endpoint Baseline Generator tool is used to implement a standard for endpoint hosts. The tool
scans a computer, calculates the reputation for all the executable files on the system, and generates
the baseline computer profile (an XML file) with the reputation details of each executable. This profile
is uploaded from the computer to the NTBA and Firewall Enterprise, which use it to evaluate the
confidence level of the executables on the network. This secures network connections made by
similar hosts and enables Endpoint Intelligence Agent to report any deviations from that standard. The
XML file generated by the tool associates the MD5 hash value, confidence level, and heuristic bitmap
with each executable. The network device uses this reputation information to define a
classification list consisting of whitelisted, blacklisted, or unclassified (new or unknown
executables) entries and to monitor endpoint executable files.
You can import the baseline computer profile as generated by the tool, or add or delete
executable entries in this list. You can also mark executable entries as whitelisted or blacklisted.
Using the classification list, you can configure responses for these scenarios:
A new executable file is detected
Unknown executable files are captured in the audit. You can set up an attack response to send an
alert or strikeback.
A blacklisted executable file is detected
You can identify vulnerable application versions as blacklisted on the classification list. You can set
up an attack response to send an alert or strikeback.
You can edit the generated list of MD5 hashes through the import and export operations supported on the
Firewall and on NTBA. For more information, see the McAfee NTBA Administration Guide and the
Firewall Enterprise Product Guide.
Task
For option definitions, click Help in the interface.
1. Go to the Endpoint Baseline Generator tool. To scan specific directories, click Include/Exclude Directories and
   select the directories to be scanned.
2. Click Scan.
3. When the scan is complete, click View Report.
The XML report is displayed. The following is a sample of the MD5 associated with an application.
</MD5>
<MD5 value ='dadd090c2972d26f071f0ea0498fd6be' name="UWAKEON.EXE" version='7.0.711'>
<ProductName>Workflow</ProductName>
<ConfidenceLevel>2</ConfidenceLevel>
<StaticBitmap>04aaaaaaaa0200000000000000000000</StaticBitmap>
</MD5>
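The following is an added example, not part of the product or of the original guide. It shows how a profile in the format above can be parsed and used to sort executables seen on a host into blacklisted, baseline, and unclassified (new or unknown) entries. The <Baseline> root element, the blacklist set, and all function names are assumptions made for illustration; the guide shows only the <MD5> entry.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed input: the <MD5> entry is the sample from the report above; the
# <Baseline> root element is an assumption (the page shows only a fragment).
SAMPLE_PROFILE = """<Baseline>
<MD5 value ='dadd090c2972d26f071f0ea0498fd6be' name="UWAKEON.EXE" version='7.0.711'>
<ProductName>Workflow</ProductName>
<ConfidenceLevel>2</ConfidenceLevel>
<StaticBitmap>04aaaaaaaa0200000000000000000000</StaticBitmap>
</MD5>
</Baseline>"""

def load_baseline(xml_text):
    """Return {md5: details} for every well-formed <MD5> entry in a profile."""
    baseline = {}
    for node in ET.fromstring(xml_text).iter("MD5"):
        md5 = (node.get("value") or "").strip().lower()
        if len(md5) != 32 or not set(md5) <= set("0123456789abcdef"):
            continue  # ignore malformed hashes instead of trusting them
        baseline[md5] = {
            "name": node.get("name"),
            "version": node.get("version"),
            "product": node.findtext("ProductName"),
            "confidence": int(node.findtext("ConfidenceLevel") or 0),
            "bitmap": node.findtext("StaticBitmap"),
        }
    return baseline

def md5_file(path, chunk=1 << 20):
    """MD5 of a file, read in chunks so large executables are not loaded whole."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def classify(observed, baseline, blacklist):
    """Label each observed {name: md5}: blacklisted, in_baseline or unclassified."""
    labels = {}
    for name, md5 in observed.items():
        md5 = md5.lower()
        if md5 in blacklist:  # hypothetical operator-maintained set of MD5s
            labels[name] = "blacklisted"
        else:
            labels[name] = "in_baseline" if md5 in baseline else "unclassified"
    return labels

if __name__ == "__main__":
    seen = {"UWAKEON.EXE": "dadd090c2972d26f071f0ea0498fd6be", "new.exe": "0" * 32}
    print(classify(seen, load_baseline(SAMPLE_PROFILE), blacklist=set()))
```

Entries labelled unclassified correspond to the "new executable file is detected" scenario; the blacklist check runs first, so an entry that is both in the baseline and blacklisted is reported as blacklisted.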
Endpoint Intelligence Agent 2.1.0 Product Guide