Product guide

1 Introduction
McAfee® Endpoint Intelligence Agent is an endpoint solution that provides per-connection information
to the supported network devices, namely, the McAfee® Firewall Enterprise (Firewall Enterprise) and
the McAfee® Network Threat Behavior Analysis Appliance.
Contents
How Endpoint Intelligence Agent works
Endpoint Baseline Generator tool
Determining your discovery method
How Endpoint Intelligence Agent works
Endpoint Intelligence Agent sends connection information, called metadata, that Firewall Enterprise
uses for auditing and the NTBA appliance uses for enhanced malware detection capability.
Metadata
When Endpoint Intelligence Agent is installed on a host system, it monitors the system for any
outgoing connections. When a connection attempt is made, McAfee EIA sends metadata information to
Firewall Enterprise or to the NTBA appliance over an encrypted channel. This gives the network device
enough time to process the metadata and make it available at policy decision points before the
connection request packet is received.
Many network environments contain computers or servers that have multiple users logged on at the
same time. The user information in the metadata allows the supported network devices to determine
what users are associated with what connections, even if those connections are coming from the same
IP address.
While using Firewall Enterprise or the NTBA appliance, you can view the information collected by
Endpoint Intelligence Agent, which provides better visibility into which users and applications are
initiating connections on your network.
The executable file reputation in the metadata allows you to calculate the overall confidence level for
an executable file connection. This enables the network device to configure response actions when
malicious and unknown executables are detected on the network.
The metadata consists of the following information:
Source and destination address
Protocol
Source and destination port
Endpoint Intelligence Agent 2.1.0 Product Guide