McAfee Total Protection For Endpoint Evaluator Manual

McAfee Total Protection for Endpoint
Lab Evaluation Guide
COPYRIGHT
Copyright © 2009 McAfee, Inc. All Rights Reserved.
No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form
or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.
TRADEMARK ATTRIBUTIONS
AVERT, EPO, EPOLICY ORCHESTRATOR, FOUNDSTONE, GROUPSHIELD, INTRUSHIELD, LINUXSHIELD, MAX (MCAFEE SECURITYALLIANCE
EXCHANGE), MCAFEE, NETSHIELD, PORTALSHIELD, PREVENTSYS, SECURITYALLIANCE, SITEADVISOR, TOTAL PROTECTION, VIRUSSCAN,
WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in
connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property
of their respective owners.
LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED,
WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH
TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS
THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET,
A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU
DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN
THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.
License Attributions
Refer to the product Release Notes.
Contents
Welcome
System requirements
  Server requirements
  Database requirements
  Operating systems language support
Setting up McAfee Total Protection for Endpoint suite
Logging on to ePolicy Orchestrator
Set Up the ePolicy Orchestrator Server
Add Systems to Manage
Setting Policies for Endpoints
Setting Policies for Email Servers
Set Tasks for Endpoints
Deploy the McAfee Agent
Using Dashboards and Queries
Summary
References
Welcome
Welcome to McAfee® Total Protection® for Endpoint. This solution incorporates the best and
most comprehensive McAfee security for endpoints, email, web, and data. Compared to
purchasing and maintaining multiple security components from multiple vendors, McAfee Total
Protection for Endpoint saves time, saves money, and provides a more powerful, integrated
defense against the threats that businesses know about, and the threats they can't see coming.
This guide is organized so you can evaluate McAfee Total Protection for Endpoint in a pilot
environment consisting of one ePolicy Orchestrator® (ePO) server and a number of client
computers. The guide covers the basic steps required to install ePolicy Orchestrator quickly,
configure basic policies and tasks, and deploy these McAfee products for client protection:
VirusScan® Enterprise 8.7i
AntiSpyware Enterprise 8.7
Host Intrusion Prevention 7.0
SiteAdvisor® Enterprise Plus 3.0
GroupShield® 7.0.1 for Microsoft Exchange
McAfee Security for Lotus Domino, v7.5 on Windows
This guide provides real examples of steps you take during a live deployment. It does not cover
every possible deployment scenario, nor examine every feature. For complete information on
all aspects of the products included in Total Protection for Endpoint, see their respective product
guides.
Full product documentation is available on the McAfee KnowledgeBase.
Under Self Service, click Product Documentation, choose a product and version, then
choose a document.
Product descriptions
The products in Total Protection for Endpoint are grouped into these categories:
Management solution
Endpoint protection
Email server protection
Management solution
Total Protection for Endpoint provides these products for a management solution.
Product: McAfee ePolicy Orchestrator 4.5
Description: ePolicy Orchestrator is the industry-leading system security management
solution for the enterprise. It delivers a coordinated, proactive defense
against malicious threats and attacks. ePolicy Orchestrator combines
unmatched global policy control with a single agent and a central console
with custom reporting to easily manage your system security
environment.
Product: McAfee Agent 4.5
Description: McAfee Agent is the client-side framework that supports the McAfee
security management infrastructure. It provides secure communication
between point-products and ePolicy Orchestrator, and local services to
point-products. As a framework, the McAfee Agent enables
point-products to focus on enforcing their policies, while delivering an
expanding set of services that includes logging, communication, and
policy storage.
Endpoint protection
Total Protection for Endpoint provides these products for endpoint protection.
Product: McAfee VirusScan® Enterprise 8.7i
Description: VirusScan Enterprise, a trusted name in security, is a leader in the
advanced, proactive protection for PCs and servers. Businesses rely on
the key features of VirusScan Enterprise during an outbreak, including:
cleaning memory, rootkits, the registry and files, as well as preventing
propagation of malicious code to other systems. VirusScan Enterprise
also contains functionality from anti-virus, intrusion prevention, and
firewalls for protection from known and unknown attacks.
Product: McAfee AntiSpyware Enterprise 8.7
Description: AntiSpyware Enterprise Module, the leading enterprise anti-spyware
software solution, uses true on-access scanning to identify, proactively
block, and safely eliminate potentially unwanted programs (PUPs) for
optimal business availability. Centrally managed with ePolicy
Orchestrator, McAfee AntiSpyware Enterprise Module seamlessly
integrates with VirusScan Enterprise, reducing disruptions due to threats
and PUPs.
Product: McAfee Host Intrusion Prevention 7.0
Description: Host Intrusion Prevention monitors and blocks intrusions by combining
signature and behavioral protection with a system firewall. Shielding
your assets improves the availability, confidentiality, and integrity of
your business processes. A single agent makes it easy to deploy,
configure, and manage, and patching becomes less frequent and less
urgent.
Product: McAfee SiteAdvisor® Enterprise Plus 3.0
Description: SiteAdvisor Enterprise Plus allows your employees to surf and search
the web safely as threats like spyware, adware, phishing scams, and
more are blocked. Integrated into McAfee solutions, SiteAdvisor
Enterprise technology adds web security to your comprehensive
protection, guiding and shielding users from online threats.
Email server protection
Total Protection for Endpoint provides these products for email server protection.
Product: McAfee GroupShield® 7.0.1 for Microsoft Exchange
Description: GroupShield protects your email and other documents as they enter
and leave your Microsoft Exchange server. GroupShield proactively
scans for viruses, automatically manages outbreaks, and prevents
malicious code from disrupting your systems. The GroupShield content
filter blocks or quarantines messages that contain specific words and
phrases that violate content rules.
Product: McAfee Security for Lotus Domino, v7.5 on Windows
Description: McAfee Security for Lotus Domino protects your email and other
documents as they enter and leave your Domino server. McAfee
Security for Lotus Domino proactively scans for viruses, automatically
manages outbreaks, and prevents malicious code from disrupting your
systems. The McAfee Security for Lotus Domino content filter blocks
or quarantines messages that contain specific words and phrases that
violate content rules.
Product: McAfee Anti-Spam add-on
Description: Anti-Spam blocks spam from your Microsoft Exchange and Lotus Domino
mail servers. This increases employee productivity, while also stopping
phishing scams to protect confidential data from being disclosed by
employees. Anti-Spam integrates with McAfee GroupShield and McAfee
Security for Lotus Domino to reduce resource usage on your busy mail
servers.
When you are ready to deploy products to your environment, like VirusScan Enterprise or Host
Intrusion Prevention, you will use ePolicy Orchestrator and the McAfee Agent to handle the
deployment and updates. McAfee recommends that you use the workflow in the following
sections to get started with the solution.
System requirements
Before setting up McAfee Total Protection for Endpoint software, verify that each component
meets the minimum system requirements that are listed below:
Server
Database
Server requirements
Free disk space: 1 GB minimum (first-time installation); 2 GB recommended.
Memory: 1 GB available RAM; 2–4 GB recommended.
Processor: Intel Pentium III-class or higher; 1 GHz or higher.
Monitor: 1024x768, 256-color, VGA monitor.
NIC: Network interface card; 100 MB or higher.
NOTE: If using a server with more than one IP address, ePolicy Orchestrator uses the first
identified IP address.
Dedicated server: If managing more than 250 computers, McAfee recommends using a
dedicated server.
File system: NTFS (NT file system) partition recommended.
IP address: McAfee recommends using static IP addresses for ePO servers.
Server-class operating system: 32-bit or 64-bit
Windows Server 2003 Enterprise with Service Pack 2 or later
Windows Server 2003 Standard with Service Pack 2 or later
Windows Server 2003 Web with Service Pack 2 or later
Windows Server 2003 R2 Enterprise with Service Pack 2 or later
Windows Server 2003 R2 Standard with Service Pack 2 or later
Windows Server 2008
NOTE: Installation is blocked if you attempt to install on a version of Windows earlier than
Server 2003. In addition, ePolicy Orchestrator stops functioning if, after having been installed
on Windows Server 2003, the server is upgraded to Windows Server 2008.
Browser
Firefox 3.0
Microsoft Internet Explorer 7.0 or 8.0
If using Internet Explorer and a proxy, follow these steps to bypass the proxy server.
1 From the Tools menu in Internet Explorer, select Internet Options.
2 Select the Connections tab and click LAN Settings.
3 Select Use a proxy server for your LAN, then select Bypass proxy server for local
addresses.
4 Click OK as needed to close Internet Options.
Domain controllers: The ePolicy Orchestrator server can manage systems in a Workgroup
or Windows Domain. In the installation instructions below, we will use the latter, which requires
the server to be a member of your Windows domain. For instructions, see the Microsoft product
documentation.
Security software
Install and/or update the anti-virus software on the ePolicy Orchestrator server and scan
for viruses.
CAUTION: If running VirusScan Enterprise 8.5i or 8.7i on the system where you are installing
ePolicy Orchestrator, you must ensure that the VSE Access Protection rules are disabled
during the installation process, or the installation fails.
Install and/or update firewall software on the ePolicy Orchestrator server.
Ports
McAfee recommends avoiding the use of Port 8443 for HTTPS communication. Although this
is the default port, it is also the primary port used by many web-based activities, is a popular
target for malicious exploitation, and it is likely to be disabled by the system administrator
in response to a security violation or outbreak.
NOTE: Ensure that the ports you choose are not already in use on the ePolicy Orchestrator
server computer.
Notify the network staff of the ports you intend to use for HTTP and HTTPS communication
via ePolicy Orchestrator.
NOTE: Installing the software on a Primary Domain Controller (PDC) is supported, but not
recommended.
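The port check called for in the Ports notes above can be scripted. The following is an added example, not part of the McAfee guide: it parses `netstat -ano` output from the server and flags chosen ports that are already listening, plus a chosen HTTPS port that equals the 8443 default. The sample output, the chosen port numbers, and the function names are constructed for illustration, and English-language netstat output is assumed.

```python
"""Pre-install check: are the ports chosen for ePolicy Orchestrator in use?

Parses Windows `netstat -ano` output. SAMPLE_NETSTAT is constructed for
illustration; on the server, pass the output of live_netstat() instead.
Assumes English-language output (the LISTENING state text is localized).
"""
import subprocess

# Default console HTTPS port named in this guide; McAfee recommends avoiding it.
DEFAULT_HTTPS_PORT = 8443

# Constructed sample of `netstat -ano` output (not captured from a real server).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:8081           0.0.0.0:0              LISTENING       2312
  TCP    10.0.0.5:139           0.0.0.0:0              LISTENING       4
  TCP    10.0.0.5:3389          10.0.0.9:50211         ESTABLISHED     1120
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:500            *:*                                    700
"""


def listening_tcp_ports(netstat_text):
    """Return {port: set of PIDs} for every TCP socket in LISTENING state."""
    ports = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP rows have five fields: proto, local, foreign, state, pid.
        if len(fields) != 5 or fields[0].upper() != "TCP":
            continue
        _, local, _, state, pid = fields
        if state.upper() != "LISTENING" or not pid.isdigit():
            continue
        # rsplit copes with IPv6 local addresses such as [::]:445.
        port_text = local.rsplit(":", 1)[-1]
        if port_text.isdigit():
            ports.setdefault(int(port_text), set()).add(int(pid))
    return ports


def check_candidate_ports(candidates, netstat_text):
    """Map each candidate name to a list of findings (empty list = no issue)."""
    in_use = listening_tcp_ports(netstat_text)
    report = {}
    for name, port in candidates.items():
        findings = []
        if not 1 <= port <= 65535:
            findings.append("not a valid TCP port")
        if port in in_use:
            pids = ", ".join(str(p) for p in sorted(in_use[port]))
            findings.append("already in use by PID " + pids)
        if name == "https" and port == DEFAULT_HTTPS_PORT:
            findings.append(
                "default HTTPS port; the guide recommends choosing another")
        report[name] = findings
    return report


def live_netstat():
    """Run `netstat -ano` on the local Windows server and return its output."""
    return subprocess.run(["netstat", "-ano"], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    # Hypothetical choices for the HTTPS and HTTP ports.
    chosen = {"https": 8443, "http": 8081}
    result = check_candidate_ports(chosen, SAMPLE_NETSTAT)
    for name, findings in result.items():
        print(name, chosen[name], "; ".join(findings) if findings else "OK")
```

The PID in each finding can be matched against Task Manager to identify the process that holds the port.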
Supported virtual infrastructure software
VMware ESX 3.5.x
Microsoft Virtual Server 2005 R2 with Service Pack 1
Windows Server 2008 Hyper-V
Database requirements
A database must be installed before ePolicy Orchestrator can be installed. Any of the following
databases, if previously installed, meets this requirement.
SQL Server 2005
SQL Server 2005 Express
SQL Server 2008
SQL Server 2008 Express
NOTE: SQL Server 2000 is not supported.
If none of those databases was previously installed, the ePO installation wizard detects that no
database is present and offers you the opportunity to install SQL Server 2005 Express.
Database installation documented in this Guide
The only database installation scenario described in detail is a first-time installation of SQL
Server 2005 Express. In this scenario, the ePO Setup installs both the ePolicy Orchestrator
software and the database on the same server. If the database is to be installed on a different
server from the ePolicy Orchestrator, manual installation is required on the remote servers.
SQL Server
Local database server: If using SQL Server on the same system as the ePO server,
McAfee recommends using a fixed memory size in Enterprise Manager that is approximately
two-thirds of the total memory for SQL Server. For example, if the computer has 1 GB of
RAM, set 660 MB as the fixed memory size for SQL Server.
SQL Server licenses: If using SQL Server, a SQL Server license is required for each
processor on the computer where SQL Server is installed.
CAUTION: If the minimum number of SQL Server licenses is not available after you install
the SQL Server software, you may have issues installing or starting the ePolicy Orchestrator
software.
Other relevant database installations and upgrades
See the documentation provided by the database manufacturer for information about the
following installation scenarios:
Maintenance settings: McAfee recommends making specific maintenance settings to
ePO databases. For instructions, see Maintaining ePO databases in the ePolicy Orchestrator
Help.
NOTE: For detailed system requirements information about Agent Handlers, Database and
Distributed Repositories, refer to the ePolicy Orchestrator 4.5 Installation Guide.
Other software requirements
The following table provides additional information about the other software requirements.
Software: MSXML 6.0
Note: You must acquire and install.
1 From the Internet Explorer Tools menu, select Windows Update.
2 Click Custom, then select Software.
3 Select MSXML6.
4 Select Review and install updates, then click Install Updates.
Software: Internet Explorer 7 or 8, or Firefox 3.0
Note: You must acquire and install.
Software: .NET Framework 2.0
Note: You must acquire and install if using SQL Server 2005 Express.
Software: Microsoft Visual C++ Redistributable
Note: If not previously installed, the installation wizard installs automatically.
Software: Microsoft Visual C++ Redistributable - x86 9.0.21022
Note: If not previously installed, the installation wizard installs automatically.
Software: MDAC 2.8
Note: If not previously installed, the installation wizard installs automatically.
Software: SQL Server 2005 Backward Compatibility
Note: If not previously installed, the installation wizard installs automatically.
Software: SQL Server 2005 Express
Note: If no other database has been previously installed, this database can be installed
automatically at user's selection.
Software: Microsoft updates
Note: Update the ePolicy Orchestrator server and the database server with the most
current updates and patches.
Software: MSI 3.1
Note: The installation fails if using a version of MSI previous to MSI 3.1.
Microsoft updates and patches
Update both the ePO server and the database server with the latest Microsoft security updates.
If you are upgrading from MSDE 2000 or SQL 2000, be sure to follow Microsoft's required
upgrade scenarios.
Operating systems language support
This version of the ePolicy Orchestrator runs on any supported operating system irrespective
of the language of the operating system.
Following is a list of languages into which the ePolicy Orchestrator has been translated. When
the software is installed on an operating system using a language that is not on this list, the
ePolicy Orchestrator interface attempts to display in English.
Japanese Chinese (Simplified)
Chinese (Traditional) Korean
Russian English
French (Standard) Spanish
German (Standard)
Setting up McAfee Total Protection for Endpoint suite
This section guides you through installing the McAfee Total Protection for Endpoint suite with
the default options. The suite installer sets up the ePO server and checks in the endpoint
software to the ePO repository in one pass.
Task
1 From the official McAfee site, download and extract the contents of McAfee Total Protection
for Endpoint software to a temporary directory on your ePO server or your intended
management server.
2 Double-click Setup.exe. The Welcome to the McAfee ePolicy Orchestrator setup
for Total Protection for Endpoint suite page appears.
3 Click Next. The Type License Key page appears.
4 Select Evaluation, then click Next. The McAfee Licensing Evaluation page appears.
5 Click OK. The McAfee End User License Agreement page appears.
6 Select I accept the terms in the license agreement, then click OK. The Choose
Software to Evaluate page appears with the following options, enabled by default:
Base Installation
Host Intrusion Prevention
McAfee Security for Lotus Domino and MS Exchange (GroupShield)
7 Click Next. The Set Administrator Information page appears.
8 Type the username and password to use for the ePolicy Orchestrator administrative account
and click Next. The Choose Setup Type page appears.
NOTE: You will use the same credentials later, to log on to ePolicy Orchestrator.
9 Select Default to install ePolicy Orchestrator and Microsoft SQL 2005 Express using the
default location and settings, then click Next. A confirmation dialog box appears.
10 Click OK to install Microsoft SQL 2005 Express. The Set Database Information page
appears.
11 Identify the type of account and authentication details that the ePolicy Orchestrator server
uses to access the database.
From the Database Server credentials field, select the windows domain from the
drop-down, type the domain user name and password, then click Next. The Start
Copying Files page appears.
NOTE: Windows authentication is enabled, as SQL Express does not allow SA authentication
by default.
12 Click Next to begin installation. The InstallShield Wizard Complete page appears with
the following options, enabled by default:
Select Yes, I want to view the ReadMe file to view the Readme.
Select Yes, I want to launch McAfee ePolicy Orchestrator now to launch the
ePolicy Orchestrator user interface.
NOTE: During installation, you may be prompted to change one or more of the default port
numbers in case of a conflict.
13 Click Finish.
Logging on to ePolicy Orchestrator
Use this task to log on to the ePolicy Orchestrator. You must have valid credentials to do this.
Task
1 To launch the ePolicy Orchestrator software, open an Internet browser and go to the URL
of the server (for example: https://<servername>:8443). The Log On to ePolicy
Orchestrator dialog box appears.
NOTE: You can also double-click the Launch McAfee ePolicy Orchestrator 4.5 console
icon on the desktop to launch ePolicy Orchestrator.
2 Type the User name and Password of a valid account, created in Step 7 under the
"Setting up McAfee Total Protection for Endpoint suite" section.
NOTE: Passwords are case-sensitive.
3 Select the Language you want the software to display.
4 Click Log On.
Set Up the ePolicy Orchestrator Server
The ePolicy Orchestrator repository is the central location for all McAfee product installations,
updates, and signature packages. The modular design of ePolicy Orchestrator allows new
products to be added as extensions. This includes new or updated versions of McAfee products,
such as VirusScan Enterprise, and non-McAfee products from McAfee partners. Packages are
components that are checked in to the master repository, then deployed to client systems.
For information about extensions and packages, see these topics in the ePolicy Orchestrator
Product Guide:
Extensions and what they do
Deployment packages for products and updates
According to your selections during installation, the Total Protection for Endpoint client software
was added to your ePO master repository. To verify the installation, go to the Master
Repository.
Configure a repository pull task
For ePolicy Orchestrator to keep your client systems up-to-date, you must configure a
repository pull task that retrieves updates from a McAfee site (HTTP or FTP) at specified
intervals.
NOTE: A repository pull task was created for you automatically during installation.
Task
Use this task to create a repository pull task that adds and updates the client software.
1 Click Menu | Automation | Server Tasks.
2 In the list, find the task named Update Master Repository and, under the Actions
column, click Edit to open the Server Task Builder.
3 On the Description page, set Schedule status to Enabled, then click Next.
4 On the Actions page, there is a gray bar just below the page description labeled 1. Select
Repository Pull from the drop-down list.
5 Select Move existing packages to Previous branch, then click Next.
NOTE: Checking this option allows ePolicy Orchestrator to maintain more than one day's
signature files. When the next pull task runs, today's updates are moved to a directory on
the server called Previous. This allows you to roll back updates, if necessary.
6 On the Schedule page, choose when you want ePolicy Orchestrator to check the McAfee
site for updates.
Schedule the task to run Daily, with No End Date.
Set Schedule to between 9:00am and 11:00pm.
Set every to two or three hours.
TIP: McAfee recommends checking for updates several times each day to ensure you have
the latest content.
7 Click Next.
8 On the Summary page, click Save. The console returns to the Server Tasks page.
9 Find the Update Master Repository task and, under the Actions column, click Run. This
immediately retrieves the current updates, and opens the Server Task Log.
Checking the status of the pull task
The Server Task Log is useful to show the status of the McAfee Pull task. Use this task to verify
that the Update Master Repository task has finished pulling updates from the McAfee site.
Task
1 Click Menu | Automation | Server Task Log.
2 In the list of tasks, find the Update Master Repository task.
3 The task is finished when the Status column reports Completed.
Add Systems to Manage
The ePolicy Orchestrator System Tree organizes managed systems in units for monitoring,
assigning policies, scheduling tasks, and taking actions. These units are called groups, which
are created and administered by global administrators or users with the appropriate permissions,
and can include both systems and other groups. Before you start managing endpoint policies
for client systems on your network, you must add those systems to your System Tree.
There are several methods of organizing and populating the System Tree:
Manually structure your System Tree by creating your own groups and adding individual
systems.
Synchronize with Active Directory or NT domain as a source for systems. In the case of using
Active Directory, synchronization also provides System Tree structure.
Create your own groups based on IP ranges or subnets. This is called criteria-based sorting.
Import groups and systems from a text file.
The workflow in this section uses the manual approach to create a simple structure for evaluation.
While this method can be too slow when deploying ePolicy Orchestrator in a live network, it is
a useful way to add a small number of systems in your test network. You can try the other
approaches once you become familiar with ePolicy Orchestrator.
Creating your System Tree groups
Use this task to add groups to your System Tree. For this exercise, we are creating two groups,
Servers and Workstations.
1 Click Menu | Systems | System Tree, then click Group Details on the menu bar.
2 Highlight My Organization, then click New Subgroup.
3 Type Test Group, then click OK. The new group appears in the System Tree.
4 Highlight Test Group, click New Subgroup, type Servers, and click OK.
5 Repeat Step 4, but type Workstations for the group name. Once you return to the Group
page, highlight Test Group. Your Servers and Workstations groups are listed on the Group
page. The groups are alphabetically arranged.
Adding systems to your System Tree groups
Use this task to manually add a few test systems to your ePO System Tree.
1 In the System Tree, highlight the Workstations group and click System Tree Actions
| New Systems.
2 For How to Add Systems, select Add systems to the current group, but do not
deploy agents.
3 For Systems to Add, type the NetBIOS name for each system in the text box, separated
by commas, spaces, or line breaks. You can also click Browse to select systems.
4 Verify that System Tree sorting is disabled.
5 Click OK.
6 As needed, repeat these steps to add systems to your Servers group.
Organizing new systems into your groups
By performing the tasks in the previous sections, you now have several groups and systems in
your System Tree. In a live production environment, new systems contact the ePolicy
Orchestrator server, and need to be placed in the System Tree. This occurs if you installed the
McAfee Agent on new systems, through use of Rogue System Detection, or through another
method. In these cases, systems are placed in the Lost&Found group.
ePolicy Orchestrator has a powerful group sorting function that allows you to set up rules about
how systems sort themselves into your System Tree when they first contact the ePO server.
For details on this feature, refer to Criteria-based sorting in the ePolicy Orchestrator 4.5
Product Guide.
In this exercise, you will create a system sorting rule based on tags. ePolicy Orchestrator creates
two default tags, Server and Workstation, which you can use. The sorting rule does not function
until a system that is not in the System Tree calls in to the ePO server. You can also schedule
the sorting rule, or run it manually.
Task
Use this task to create a sorting rule based on the default tags.
1 Click Menu | Systems | System Tree, then click Group Details on the menu bar.
2 Highlight Test Group.
3 At the top of the Group page, locate the label Sorting Criteria and click Edit.
4 Select Systems that match any of the criteria below (IP addresses and/or tags).
The page expands with additional options.
5 Click Add Tag.
6 From the drop-down menu, select Server, click the plus sign (+), then select Workstation.
7 Click Save.
8 In the System Tree, highlight My Organization.
9 In the Sorting Order list, find the entry for Test Group. In the Actions column, click
Move Up until the group is at the top of the list. Now this group is the first to be evaluated
when new systems are put into the System Tree.
More on working with the System Tree
You can use many types of groupings to organize your System Tree.
Along with groups, you can add tags to your systems to further identify them, using a trait
based on the system's properties.
Setting Policies for Endpoints
Policies are used to set the configuration for the various Total Protection for Endpoint products
that run on client systems, such as the McAfee Agent and VirusScan Enterprise.
To have your policies reflect the configuration settings and exclusions you require, McAfee
recommends creating the policies before making policy assignments. It is helpful to name a
policy so it describes its function. Creating your own "named policies" makes it easy to apply
policies based on the role or function of systems.
This section steps you through a few policy changes, which might be useful in a production
environment, for the McAfee Agent, VirusScan Enterprise, Host Intrusion Prevention, and
SiteAdvisor Enterprise. Use the following real examples to learn how to set policies, so that
you know how to make policies specific to your environment.
If you install all products in Total Protection for Endpoint, McAfee recommends that you perform
all the tasks in this section.
Creating policies for the McAfee Agent
When evaluating McAfee Total Protection for Endpoint, it is helpful to have access to the McAfee
Agent system tray icon on client systems. This policy option is enabled by default. It allows you
to view the local Agent Status Monitor on the client, to see the communication of the client with
the ePO Server. It is also possible to remotely see a client’s Agent log through your browser.
Another reason to change the McAfee Agent policy might be slow WAN connections to remote
offices, or a very large number of managed nodes.
For example, you might determine that systems communicating over slower links should contact
ePolicy Orchestrator every 180 minutes, which is eight times a day rather than the default of
24. For this case, you might create a policy called "Low bandwidth" or "3 hour polling" and
change the Agent to Server Connection Interval option to 180 minutes from the default
of 60.
Use the following task to create a policy that enables remote access to the McAfee Agent log
on client systems:
Task
1 Click Menu | Policy | Policy Catalog.
2 From the Product drop-down menu, select McAfee Agent.
3 On the line that lists McAfee Default, click Duplicate.
4 For Name, type Remote Log Access, then click OK.
5 On the line that lists your new policy, click Edit Settings.
6 Click the Logging tab and select Enable remote access to log.
7 Click Save.
ePolicy Orchestrator provides you with the option to access the McAfee Agent log on each
system remotely.
NOTE: To view the Agent Log on a remote system, type the following in a web browser:
http://<computer name or IP address>:8081 (where 8081 is the default port for the Agent
Wake Up call). If you changed this port number, use the port you specified.
Creating policies for VirusScan Enterprise
This section covers three examples of VirusScan Enterprise policies. The first is designed to
prevent users from making changes to VirusScan settings on their managed systems. The
second establishes database exclusions on servers. The third temporarily modifies the Unwanted
Programs Policy.
Locking the local VirusScan console
Use this task to modify the default VirusScan Enterprise User Interface Policy to prevent users
from tampering with the local VirusScan interface. VirusScan Enterprise runs on both
workstations and servers; therefore, the VirusScan policies have separate settings for each
platform. In this case, you want to make changes only to the workstation settings.
1 Click Menu | Policy | Policy Catalog.
2 From the Product drop-down menu, select VirusScan Enterprise 8.7.0.
3 From the Category drop-down menu, select User Interface Policies.
4 On the line that lists McAfee Default, click Duplicate.
5 For Name, type Lock VSE Console, then click OK.
6 On the line that lists your new Lock VSE Console policy, click Edit Settings.
7 On the menu bar, click Password Options.
8 Make sure the Settings for option is set to Workstation.
9 For User interface password, select Password protection for all items listed.
10 Type a password in the boxes provided, then click Save.
Creating file exclusions on a server
NOTE: In the above examples, you created your new policies in Policy Catalog. In this example
you will create the new policy from the System Tree, achieving the same results through a
different workflow. In addition, this second method applies your new policy to a specific group
upon creation.
Use this task to create a VirusScan policy that excludes two hypothetical database files on a
server. Creating these types of scanning exclusions is a typical practice on many database and
mail servers.
We will follow the second method of creating a policy, that is, from the System Tree as opposed
to the Policy Catalog. The result is the same; it's just another way of achieving it.
1 Click Menu | Systems | System Tree, then click Assigned Policies on the menu bar.
2 From the Product drop-down menu, select VirusScan Enterprise 8.7.0.
3 Expand Test Group, then click your Servers group. This policy can be configured prior
to adding systems to this group.
4 To the right of On-Access Default Processes Policies, click Edit Assignment.
5 For Inherit from, select Break inheritance and assign the policy and settings
below.
6 For Assigned policy, click New Policy.
7 In the Create a new policy dialog box, type Database AV Exclusions, then click OK. This
opens the policy editor.
8 From the Settings for drop-down menu, select Server.
9 On the menu bar, click Exclusions.
10 For What not to scan, click Add.
11 In the dialog box, select By pattern and type data.mdf, then click OK. Click Add again,
and type data.ldf as another exclusion, then click OK.
Only the file name is specified in this task. In a real environment, you might want to specify
a full path to narrow your exclusions.
12 Once both exclusions are listed, click Save.
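The remark in step 11 about narrowing exclusions with a full path, as an added Python sketch (not part of the McAfee guide and not VirusScan's matching code): it compares the two name-only exclusions with the same files excluded by full path. The directory D:\SQLData, the sample file list and the matching semantics (a name-only pattern matches in any folder, ignoring case) are assumptions made for illustration.

```python
import fnmatch
from pathlib import PureWindowsPath

def is_excluded(file_path, exclusions):
    """True if file_path matches any exclusion pattern.

    Assumed semantics (illustrative, not the product's code): a pattern with
    no directory part is compared to the file name only; a pattern with a
    directory part is compared to the whole path. Case is ignored.
    """
    path = PureWindowsPath(file_path)
    for pattern in exclusions:
        target = str(path) if "\\" in pattern else path.name
        if fnmatch.fnmatchcase(target.lower(), pattern.lower()):
            return True
    return False

def unscanned(files, exclusions):
    """Files that would be skipped by scanning under these exclusions."""
    return [f for f in files if is_excluded(f, exclusions)]

def outside_intended(files, exclusions, intended_dir):
    """Skipped files that are not in the directory the exclusion was meant for."""
    intended = PureWindowsPath(intended_dir)
    return [f for f in unscanned(files, exclusions)
            if PureWindowsPath(f).parent != intended]

# Constructed sample data; D:\SQLData is a hypothetical database directory.
FILES = [
    r"D:\SQLData\data.mdf",
    r"D:\SQLData\data.ldf",
    r"C:\Temp\data.mdf",
    r"E:\Shares\Public\DATA.LDF",
    r"D:\SQLData\other.mdf",
]
NAME_ONLY = ["data.mdf", "data.ldf"]  # as typed in step 11
FULL_PATH = [r"D:\SQLData\data.mdf", r"D:\SQLData\data.ldf"]  # narrowed variant

if __name__ == "__main__":
    for label, excl in (("name only", NAME_ONLY), ("full path", FULL_PATH)):
        print(label, "->", outside_intended(FILES, excl, r"D:\SQLData"))
```

With the name-only patterns, two files outside the database directory are also left unscanned; with full paths, none are.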
Take Microsoft Exchange Server as an example. The following link lists Microsoft's recommended
exclusions when running file-level antivirus on Exchange 2007:
http://technet.microsoft.com/en-us/library/bb332342.aspx
Although a bit more extensive in terms of the number of exclusions, a VirusScan policy for the
Microsoft Exchange Server scenario would be configured in the same manner as in this example.
Allowing email servers to send emails using Port 25
By default, VirusScan Enterprise blocks outbound traffic on Port 25, except for an editable list
of excluded applications. This prevents any new mass mailing worms from propagating even
before an anti-virus definition is available. While the list of excluded processes covers many
client email applications, you can either disable the rule or modify its exclusions to allow mail
to be sent by email servers or other systems that send alerts via SMTP. Both options are
described below.
Use either of the following tasks to create a VirusScan policy that allows email servers to send
emails using Port 25.
Option 1: Turning OFF the Port block rule
1 Click Menu | Policy | Policy Catalog.
2 From the Product drop-down menu, select VirusScan Enterprise 8.7.0.
3 From the Category drop-down menu, select Access Protection Policies.
4 On the line that lists McAfee Default, click Duplicate.
5 For Name, type Allow Outbound Email, then click OK.
6 On the line that lists your new Allow Outbound Email policy, click Edit Settings.
7 Make sure the Settings for option is set to Server.
8 For Categories under Access protection rules, select Anti-virus Standard Protection.
9 Deselect the Block option for Prevent mass mailing worms from sending email.
NOTE: Deselecting the Report option will prevent events from being sent to the ePO
server. There will be no reporting of additional processes using Port 25.
10 Click Save.
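How disabling the rule (Option 1 above) differs from adding a process exclusion (Option 2, which follows), as an added Python sketch of the rule as this guide describes it; it is not McAfee code. The process names and the sample connection attempts are constructed, and the assumption is that excluded processes neither trigger the block nor generate a report event.

```python
from collections import namedtuple

# Simplified model of "Prevent mass mailing worms from sending email".
Rule = namedtuple("Rule", "block report excluded")

def evaluate(rule, attempts):
    """Return (allowed, blocked, reported) process lists for port 25 attempts."""
    allowed, blocked, reported = [], [], []
    for process, port in attempts:
        if port != 25:
            continue                      # the rule only concerns port 25
        if process.lower() in rule.excluded:
            allowed.append(process)       # excluded: rule does not apply
            continue
        if rule.report:
            reported.append(process)      # event sent to the ePO server
        (blocked if rule.block else allowed).append(process)
    return allowed, blocked, reported

# Constructed sample: hypothetical process names, not the product's default list.
DEFAULT_EXCLUDED = frozenset({"mailclient.exe"})
ATTEMPTS = [
    ("mailclient.exe", 25),   # client application already on the exclusion list
    ("mailsrv.exe", 25),      # the email server you want to allow
    ("unlisted.exe", 25),     # any other process using port 25
    ("unlisted.exe", 443),    # unrelated traffic
]

DEFAULT = Rule(True, True, DEFAULT_EXCLUDED)
OPTION_1 = Rule(False, True, DEFAULT_EXCLUDED)            # Block deselected
OPTION_1_NO_REPORT = Rule(False, False, DEFAULT_EXCLUDED)  # Report deselected too
OPTION_2 = Rule(True, True, DEFAULT_EXCLUDED | {"mailsrv.exe"})

if __name__ == "__main__":
    for name, rule in (("default", DEFAULT), ("option 1", OPTION_1),
                       ("option 1, no report", OPTION_1_NO_REPORT),
                       ("option 2", OPTION_2)):
        print(name, evaluate(rule, ATTEMPTS))
```

In this model, Option 1 lets every process send on Port 25 and only reports the unlisted ones, while Option 2 allows the mail server and still blocks and reports everything else.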
Option 2: Excluding the process name
1 Click Menu | Policy | Policy Catalog.
2 From the Product drop-down menu, select VirusScan Enterprise 8.7.0.
3 From the Category drop-down menu, select Access Protection Policies.
4 On the line that lists McAfee Default, click Duplicate.
5 For Name, type Allow Outbound Email, then click OK.