Epo 450 Evaluation Guide en-us

McAfee ePolicy Orchestrator 4.5Evaluation Guide

COPYRIGHT

Copyright 2009 McAfee, Inc. All Rights Reserved.

No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any formor by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

TRADEMARK ATTRIBUTIONS

AVERT, EPO, EPOLICY ORCHESTRATOR, FOUNDSTONE, GROUPSHIELD, INTRUSHIELD, LINUXSHIELD, MAX (MCAFEE SECURITYALLIANCEEXCHANGE), MCAFEE, NETSHIELD, PORTALSHIELD, PREVENTSYS, SECURITYALLIANCE, SITEADVISOR, TOTAL PROTECTION, VIRUSSCAN,WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red inconnection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole propertyof their respective owners.

LICENSE INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED,WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICHTYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTSTHAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET,A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOUDO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURNTHE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

License Attributions

Refer to the product Release Notes.

McAfee ePolicy Orchestrator 4.52

ContentsIntroducing ePolicy Orchestrator 4.5. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5

Components of ePolicy Orchestrator. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

What's new in this release. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Pre-Installation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9

System requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Server and Agent Handler requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Database requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Database considerations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

Distributed repositories. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Supported products and components. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Operating systems language support. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Installing ePolicy Orchestrator 4.5 Software. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16

Installing the server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Installing an Agent Handler. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

Logging on to ePolicy Orchestrator. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

How to navigate the ePO interface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

The Menu. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

The navigation bar. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Set Up the ePolicy Orchestrator Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22

Configuring a repository pull task. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

Checking the status of the pull task. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Checking in the VirusScan Enterprise package manually. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Add Systems to Manage. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25

Creating your System Tree groups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Adding systems to your System Tree groups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

Organizing new systems into your groups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

Deploying the McAfee Agent. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Verifying agent communication with ePolicy Orchestrator. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

More on working with the System Tree. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

3McAfee ePolicy Orchestrator 4.5

Deployment Tasks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .29

Creating a product deployment task. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

Creating a product update task. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

Verifying client software installation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

Revisiting the PUP audit VirusScan policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Resetting the On-Access Scan policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

Verifying the On-Demand Scan task. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

Setting Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .33

Creating policies for the McAfee Agent. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

Creating policies for VirusScan Enterprise. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

Locking the local VirusScan console. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

Creating file exclusions on a server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

Creating policies for the AntiSpyware Enterprise module. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

Assigning policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

Assigning McAfee Agent policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

Assigning VirusScan Enterprise policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

Using Dashboards and Queries. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .38

Activating a dashboard. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

Changing a dashboard monitor. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .40

References. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .41


Contents

Introducing ePolicy Orchestrator 4.5ePolicy Orchestrator 4.5 provides a scalable platform for centralized policy management andenforcement of your security products and the systems on which they reside. It also providescomprehensive reporting and product deployment capabilities, all through a single point ofcontrol.

Contents

Components of ePolicy Orchestrator

What's new in this release

Components of ePolicy OrchestratorePolicy Orchestrator comprises several components that reside on systems across your network.

The ePolicy Orchestrator software is comprised of these components:

ePO server The center of your managed environment. The server delivers securitypolicies and tasks, controls updates, and processes events for all managed systems. TheePO server includes these subcomponents:

Application server Auto Response, Registered Servers, and user interface

Agent Handler Policies, tasks, and properties

Event parser Threat events and client events

RSD server and data channel listener

Registered servers Used to register the ePO server with other servers. Registeredserver types include:

LDAP server Used for Policy Assignment Rules and to enable automatic user accountcreation.

SNMP server Used to receive an SNMP trap. You must add the SNMP serversinformation so that ePolicy Orchestrator knows where to send the trap.

Ticketing server Before tickets can be associated with issues, you must have a registeredTicketing server configured. The system running the ticketing extension must be able toresolve the address of the Service Desk system.

Database The central storage component for all data created and used by ePolicyOrchestrator. You can choose whether to house the database on your ePO server or on aseparate system, depending on the specific needs of your organization.

Master repository The central location for all McAfee updates and signatures, residingon the ePO server. The Master repository retrieves user-specified updates and signaturesfrom McAfee or from user-defined source sites.


Distributed repositories Placed strategically throughout your environment to providemanaged systems access to receive signatures, product updates, and product installationswith minimal bandwidth impact. Depending on how your network is configured, you can setup SuperAgent, HTTP, FTP, or UNC share distributed repositories.

McAfee Agent A vehicle of information and enforcement between the ePO server andeach managed system. The agent retrieves updates, ensures task implementation, enforcespolicies, and forwards events for each managed system. McAfee Agent 4.5 and higher canuse a separate secure data channel to transfer data to the ePO server. A McAfee Agent canalso be configured as a SuperAgent with the addition of a repository.

Remote Agent Handlers A server that you can install in various network locations tohelp manage agent communication, load balancing, and product updates. Remote AgentHandlers can help you manage the needs of large or complex network infrastructures byallowing you more control over agent-server communication.

NOTE: Depending on the needs of your organization and the complexity of your network, youmight not need to use all of these components.

What's new in this releaseThis release of McAfee ePolicy Orchestrator includes several new and enhanced features.

Scalability

The ePolicy Orchestrator 4.5 software supports enhanced scalability through the use of remoteAgent Handlers. Agent Handlers can be installed on the servers where agents connect to retrievepolicies, client actions, and updates. Agents can also use Agent Handlers to send propertiesand events to your primary ePO server.

Support of multiple Agent Handlers enables one ePO server to manage a larger set of installedproducts on a larger set of managed systems. Agent Handlers can be deployed to strategicpoints in your network environment, enabling management of systems that cannot access themain ePO server directly. They can also be used in locations where the ePO server can beaccessed directly.

Agent data channel

The Agent data channel is a bi-directional channel for sending product-specific data betweenePolicy Orchestrator and the products on your managed systems. This feature allows McAfeeto provide user interface actions, which are used when troubleshooting with real-time feedback.These actions operate on a single system, providing real-time status to your ePO administrators.The Update Now command, which allows you to update a managed system on demand, is anexample of this feature.

Improved security for agent-server communication

Agent communication with the ePO server now uses the TLS (Transport Layer Security) protocolfor improved security.

Transfer systems

You can now move systems from one ePO server to another with the Transfer Systems feature.

Introducing ePolicy Orchestrator 4.5What's new in this release


Navigation redesign

Navigation for the ePO console has been redesigned for the 4.5 release. Now you can accessany of the first-level ePolicy Orchestrator tabs from the new ePO Menu.

Drag-and-drop

You can use drag-and-drop functionality to move certain objects in the interface. You can:

Add Menu items to the favorites bar.

In tables, add commonly used actions from the Actions menu to the Action bar.

Using the Systems table, move selected systems or groups of systems to a different groupin the System Tree.

In the System Tree, move groups and subgroups into other groups.

Policy Assignment Rules

ePolicy Orchestrator 4.5 allows you to assign policies to unique groups or to individual usersthrough the use of Policy Assignment Rules. This feature enables policy assignment based onthe Active Directory groups that users belong to, instead of the system they are using. You caninclude individual users, groups, and Organizational Units (OUs) in a rule. You can also excludespecific users from a rule. McAfee SiteAdvisor Enterprise 3.0 is the first managed product toleverage this feature.

Automatic Responses

The new Automatic Responses feature replaces the Notifications feature. This new featureallows you to create rules for responding to events that are specific to your business environment.Available actions include:

Sending email notifications

Sending SNMP traps

Creating issues for use with integrated third-party ticketing systems

Running a registered executable or server task

IPv6 support

ePolicy Orchestrator 4.5 is fully compatible with IPv6 in both native and mixed environments,including:

Native IPv4

Native IPv6

Mixed IPv4 and IPv6

LDAP support

ePolicy Orchestrator 4.5 supports LDAP (Lightweight Directory Access Protocol) through theuse of Active Directory servers. This version of ePolicy Orchestrator allows closer integrationwith Active Directory servers so that you can:

Assign permission sets to users based on their Active Directory group

Browse your Active Directory server for users or groups when creating Policy AssignmentRules

Automatically assign administrator rights to users when they log on with their Active Directorydomain credentials



Issues and ticketing

ePolicy Orchestrator 4.5 provides basic issues management and bi-directional integration withthese third-party ticketing systems:

Service Desk

Remedy

Multi-server rollup reporting improvements

The multi-server rollup reporting feature has been enhanced. You can now filter out unwanteditems before performing a data rollup. New rollup reporting targets have been added, includingapplied policies, client events, and specific policy use across your network.

Queries system improvements

The Queries system has been enhanced in several ways. A redesigned Queries page now allowspersonal and shared query groups that contian queries organized by feature group, and includesmore preconfigured queries. Query targets are now grouped in the Query Builder. Additionally,a stacked bar chart has been added to the available chart types, and the variables andparameters for configuring charts have been improved.

Rogue System Detection improvements

Rogue System Detection has been improved to fully leverage the power of the ePolicyOrchestrator. Now you can categorize exceptions, update your OUI (Organizationally UniqueIdentifier) list, and optionally employ OS finger printing.

Searchable Help

When you install the ePO Help extension for products that are managed by ePolicy Orchestrator,you can now search the context-sensitive Help and product guides for those products.



Pre-InstallationBefore installing ePolicy Orchestrator 4.5, review these requirements and recommendations.

Contents

System requirements

Supported products and components

Operating systems language support

System requirementsVerify that your environment meets the minimum requirements listed here:

Server and Agent Handler

Database

Distributed repositories

Server and Agent Handler requirementsFree disk space 1 GB minimum (first-time installation); 1.5 GB minimum (upgrade); 2 GBrecommended.

Memory 1 GB available RAM; 24 GB recommended.

Processor Intel Pentium III-class or higher; 1 GHz or higher.

Monitor 1024x768, 256-color, VGA monitor.

NIC Network interface card; 100 MB or higher.

NOTE: If using a server with more than one IP address, ePolicy Orchestrator uses the firstidentified IP address. If you want to use additional IP addresses for agent-server communication,see Installing an Agent Handler.

Dedicated server If managing more than 250 computers, McAfee recommends using adedicated server.

File system NTFS (NT file system) partition recommended.

IP address McAfee recommends using static IP addresses for ePO servers.

Server-class operating system 32bit or 64bit

Windows Server 2003 Enterprise with Service Pack 2 or later

Windows Server 2003 Standard with Service Pack 2 or later

Windows Server 2003 Web with Service Pack 2 or later

Windows Server 2003 R2 Enterprise with Service Pack 2 or later


Windows Server 2003 R2 Standard with Service Pack 2 or later

Windows Server 2008

NOTE: Installation is blocked if you attempt to install on a version of Windows earlier thanServer 2003. In addition, ePolicy Orchestrator stops functioning if, after having been installedon Windows Server 2003, the server is upgraded to Windows Server 2008.

Browser

Firefox 3.0

Microsoft Internet Explorer 7.0 or 8.0

If using Internet Explorer and a proxy, follow these steps to bypass the proxy server.

1 From the Tools menu in Internet Explorer, select Internet Options.

2 Select the Connections tab and click LAN Settings.

3 Select Use a proxy server for your LAN, then select Bypass proxy server for localaddresses.

4 Click OK as needed to close Internet Options.

Domain controllers The server must have a trust relationship with the Primary DomainController (PDC) on the network. For instructions, see the Microsoft product documentation.

Security software

Install and/or update the anti-virus software on the ePolicy Orchestrator server and scanfor viruses.

CAUTION: If running VirusScan Enterprise 8.5i or 8.7i on the system where you are installingePolicy Orchestrator, you must ensure that the VSE Access Protection rules are disabledduring the installation process, or the installation fails.

Install and/or update firewall software on the ePolicy Orchestrator server.

Ports

McAfee recommends avoiding the use of Port 8443 for HTTPS communication. Although thisis the default port, it is also the primary port used by many web-based activities, is a populartarget for malicious exploitation, and it is likely to be disabled by the system administratorin response to a security violation or outbreak.

NOTE: Ensure that the ports you choose are not already in use on the ePolicy Orchestratorserver computer.

Notify the network staff of the ports you intend to use for HTTP and HTTPS communicationvia ePolicy Orchestrator.

NOTE: Installing the software on a Primary Domain Controller (PDC) is supported, but notrecommended.

Supported virtual infrastructure software

VMware ESX 3.5.x

Microsoft Virtual Server 2005 R2 with Service Pack 1

Windows Server 2008 Hyper-V

Pre-InstallationSystem requirements


Database requirements

Microsoft updates and patches

Update both the ePO server and the database server with the latest Microsoft security updates.If you are upgrading from MSDE 2000 or SQL 2000, be sure to follow Microsoft's requiredupgrade scenarios.

Databases supported for use with ePolicy Orchestrator

SQL Server 2005 Express. This database is included with ePolicy Orchestrator for use inenvironments where there is no supported database available.

SQL Server 2005.

SQL Server 2008 Express.

SQL Server 2008.

NOTE: Use of ePolicy Orchestrator with MSDE 2000 or SQL 2000 (or earlier) is not supported.

Database installation documented in this Guide

The only database installation scenario described in detail is a first-time installation of SQLServer 2005 Express. In this scenario, the ePOSetup installs both the ePolicy Orchestratorsoftware and the database on the same server. If the database is to be installed on a differentserver from the ePolicy Orchestrator software, manual installation is required on the remoteservers.

Other relevant database installations and upgrades

See the documentation provided by the database manufacturer for information about thefollowing installation scenarios:

Installing SQL Server 2005.

Installing SQL Server 2008.

Upgrading from MSDE 2000.

Upgrading from SQL 2000.

Upgrading from SQL 2005.

Upgrading from SQL 2005 Express.

Maintenance settings McAfee recommends making specific maintenance settings toePO databases. For instructions, see Maintaining ePO databases in the ePolicy OrchestratorHelp.

SQL Server

Dedicated server and network connection Use a dedicated server and networkconnection if managing more than 5,000 client computers.

Local database server If using SQL Server on the same system as the ePOserver,McAfee recommends using a fixed memory size in Enterprise Manager that is approximatelytwo-thirds of the total memory for SQL Server. For example, if the computer has 1GB ofRAM set 660MB as the fixed memory size for SQL Server.



SQL Server licenses If using SQL Server, a SQL Server license is required for eachprocessor on the computer where SQL Server is installed.

CAUTION: If the minimum number of SQL Server licenses is not available after you installthe SQL Server software, you may have issues installing or starting the ePolicy Orchestratorsoftware.

Database considerations

Using ePolicy Orchestrator with a database

A database must be installed before ePolicy Orchestrator can be installed. Any of the followingdatabases, if previously installed, meets this requirement.

SQL Server 2005

SQL Server 2005 Express

SQL Server 2008


NOTE: SQL Server 2000 is not supported.

If none of those databases was previously installed, the ePO installation wizard detects that nodatabase is present and offers you the opportunity to install SQL Server 2005 Express.

The following tables provide additional information about the database choices and othersoftware requirements.

NoteRequirementsDatabase

Needed if managing more than 5,000 computers.Dedicated server and networkconnection

SQL Server 2005or SQL Server2008

If the database and ePO server are on the same system,McAfee recommends using a fixed memory size in Enterprise

Local database server

Manager or SQL Server Management Studio that isapproximately two-thirds of the total memory for SQL Server.For example, if the computer has 1 GB of RAM, set 660 MBas the fixed memory size for SQL Server.

A license is required for each processor on the computerwhere SQL Server is installed. If the minimum number of SQL

Licenses

Server licenses is not available, you might have difficultyinstalling or starting the ePolicy Orchestrator software.

You must acquire and install..NET FrameworkSQL Server 2005Express

NoteSoftware

You must acquire and install.MSXML 6.0

1 From the Internet Explorer Tools menu, select WindowsUpdate.

2 Click Custom, then select Software.3 Select MSXML6.4 Select Review and install updates, then click Install Updates.



NoteSoftware

You must acquire and install.Internet Explorer 7 or 8, orFirefox 3.0

You must acquire and install if using SQL Server 2005 Express..NET Framework 2.0

If not previously installed, the installation wizard installs automatically.Microsoft Visual C++Redistributable

If not previously installed, the installation wizard installs automatically.Microsoft Visual C++Redistributable - x86 9.0.21022

If not previously installed, the installation wizard installs automatically.MDAC 2.8

If not previously installed, the installation wizard installs automatically.SQL Server 2005 BackwardCompatibility

If no other database has been previously installed, this database can be installedautomatically at users selection.


Update the ePolicy Orchestrator server and the database server with the mostcurrent updates and patches.

Microsoft updates

The installation fails if using a version of MSI previous to MSI 3.1.MSI 3.1

Distributed repositoriesFree disk space 400 MB on the drive where the repository is stored.

NOTE: The disk space requirement for the distributed repositories on agents that are designatedas SuperAgents is equal to the disk space available for the master repository.

Memory 256 MB minimum.

Possible hosts:

HTTP-compliant servers on Microsoft Windows, Linux, or Novell NetWare operating systems

Windows, Linux, or NetWare FTP servers

Windows, Linux, or UNIX Samba UNC shares

Computer with a SuperAgent installed on it

Supported products and components McAfee Agent 4.0 for Email and Web Security

McAfee Agent 4.0 for HP-UX

McAfee Agent 4.0 for Linux

McAfee Agent 4.0 for Macintosh

McAfee Agent 4.0 for Solaris

McAfee Agent 4.5

McAfee Agent for Windows Patch 1 and Patch 2

McAfee Common Management Agent 3.7 Patch 1

McAfee Common Management Agent MA 3.6 Patch 4

McAfee Data Loss Prevention 3.0

Pre-InstallationSupported products and components


McAfee Email and Web Security 5.1 Appliance

McAfee Endpoint Encryption 5.2.1

McAfee Endpoint Encryption 5.3

McAfee Endpoint Encryption Files/Folders 3.1

McAfee Endpoint Encryption Files/Folders 4.x

McAfee EndPoint Encryption for Mobile 3.0

McAfee Foundstone 6.5.3

McAfee GroupShield for Domino 7.0 Patch 2

McAfee GroupShield for Exchange 7.0

McAfee GroupShield for Exchange 7.0 SP 1

McAfee Host Intrusion Prevention 6.1 Patch 3

McAfee Host Intrusion Prevention 7.0 Patch 3

McAfee Host Intrusion Prevention 7.1

McAfee IntruShield 4.1

McAfee IntruShield 5.1

McAfee LinuxShield 1.5.1

McAfee Network Access Control 3.1

McAfee Policy Auditor 5.1

McAfee PortalShield 2.0 Patch 1

McAfee Quarantine Manager 6.0

McAfee Rogue System Detection 2.0 Patch 2

McAfee Security for Lotus Domino Linux 7.5

McAfee Security for Macintosh v1.0

McAfee SiteAdvisor Enterprise 1.6

McAfee SiteAdvisor Enterprise 2.0+

McAfee SiteAdvisor Enterprise 3.0

McAfee VirusScan 8.5i with McAfee AntiSpyware Enterprise

McAfee VirusScan 8.7 with McAfee AntiSpyware Enterprise

McAfee VirusScan Enterprise for Storage

McAfee VirusScan Enterprise for use with the SAP Netweaver platform

McAfee VirusScan Enterprise for Offline Virtual Images

McAfee VirusScan for Macintosh 8.6.1

Symantec SAV 10.x

Symantec SAV 9.x

USB Device 1.0 (EEV)

Vdisk 4.1 (EEV)

vDisk for Macintosh 1.0

Pre-InstallationSupported products and components


Operating systems language supportThis version of the ePolicy Orchestrator software runs on any supported operating systemirrespective of the language of the operating system.

Following is a list of languages into which the ePolicy Orchestrator has been translated. Whenthe software is installed on an operating system using a language that is not on this list, theePolicy Orchestrator interface attempts to display in English.

Japanese Chinese (Simplified)

Chinese (Traditional) Korean

Russian English

French (Standard) Spanish

German (Standard)

Pre-InstallationOperating systems language support


Installing ePolicy Orchestrator 4.5 SoftwareThis chapter provides instructions for installing ePolicy Orchestrator 4.5 in an environmentwhere no previous version of ePolicy Orchestrator software has been installed.

CAUTION: If you are upgrading from a prior version of ePolicy Orchestrator, see ePolicyOrchestrator 4.5 Installation Guide.

Be sure that you have read, understood, and complied with the requirements andrecommendations in Pre-Installation.

Contents

Installing the server

Installing an Agent Handler

Logging on to ePolicy Orchestrator

How to navigate the ePO interface

Installing the serverThe installation depends, in part, upon the presence of MSXML 6.0 on the server. If it is notpresent, an error message appears during the installation, advising you that it must be installedbefore proceeding. To avoid the inconvenience of interfering with the installation in order todownload and install MSXML, we strongly recommend that you obtain and install MSXML beforestarting the installation.

We also recommend that you monitor the entire installation process. It might require you torestart the system.

Use this task to install the ePolicy Orchestrator server.

Task

1 Using an account with local administrator permissions, log on to the Windows servercomputer to be used as the ePO server.

2 Run the Setup program.

From the product CD: select a language in the ePolicy Orchestrator autorun window,then select Install ePolicy Orchestrator 4.5.

From software downloaded from the McAfee website: go to the location containing theextracted files and double-click Setup.exe. The executable is located in the file EPO4.5.0 .zip. Be certain to extract the contents of the zip fileto a temporary location. Do not attempt to run Setup.exe without first extracting thecontents of the zip file.

NOTE: If any prerequisite software is missing from the installation target computer, a listof those items appears.


3 Click Next. The installation process for each software item not listed as Optional beginsautomatically.If you intend to use an existing instance of SQL Server 2005, or SQL 2008, you can continuewithout selecting the checkbox for installation of SQL Server 2005 Express.If you do not have a supported version of SQL or MSDE, take one of the following actions:

Install SQL 2005 or 2008 on a server.

If you are installing ePolicy Orchestrator with SQL 2005, the SQL Browser must beenabled or you cannot complete the installation wizard.

Install SQL Server 2005 Express on the same computer where you are installing ePolicyOrchestrator. If you selected the checkbox for installation of SQL Server 2005 Express,ePolicy Orchestrator installs the database automatically.

If you are installing SQL Server 2005 Express, you might be prompted to install SQLServer 2005 Backward Compatibility. You must install it.

4 In the Welcome page of the installation wizard, click Next. The License Key page appears.

NOTE: License Keys are distributed from the same McAfee website from which the ePolicyOrchestrator software is downloaded.

5 Select whether you are installing based on a license key or installing an evaluation version.

If you have a License Key, type its number here.

If you select License Key but do not type its number, you are asked if you want toinstall an evaluation version. Click OK to proceed with installation of the evaluationversion, or Cancel to return to the previous page.

6 If you are installing a beta version of the software, the Beta test information box appears.Click OK.

7 Accept the End User License Agreement, then click OK to continue. The ChooseDestination Location dialog box appears. Click Next.

8 Accept the default installation path or click Browse to select or create a different location,then click Next.If installing on a cluster server, the Set Database and Virtual Server Settings dialog boxappears. Otherwise the Set Administrator Information dialog box appears.

9 Type and verify the password for logging on to this ePolicy Orchestrator server, then clickNext.If your environment employs Microsoft Cluster Server (MSCS) for a high availability systemthat ensures failover support, the Set Database and Virtual Server Settings dialog boxappears.

10 In the Set Database Information dialog box, identify the type of account andauthentication details that the ePO server will use to access the database:

a Use the drop-down list to select a database server. If SQL Express was installed, thename of the database is \EPOSERVER.

b Select the type of authentication, then click Next. The available options are:

Windows authentication (recommended) Specify the NetBIOS name of theDomain associated with the desired domain administrator user account. Then, provideand verify a password.

NOTE: If the database identification fails, type 1433 or 1434 in the SQL server TCPport field.

SQL authentication Provide the User name that the ePolicy Orchestrator softwarewill use to access the database, then provide a password. If the installer cannot identify

Installing ePolicy Orchestrator 4.5 SoftwareInstalling the server


the port used for communication to and from the server, you might be prompted toprovide that information.

NOTE: The ePolicy Orchestrator account must have DB ownership to the database.

11 Set the HTTP Configuration. Designate the port to be used by each function, then clickNext.

PortFunction

Configurable. McAfee recommends using a port otherthan 80.

Agent-to-Server communication port

Configurable port that the agent uses for securecommunication with the server. The default port is 443.

Agent-to-Server communication secure port

Configurable.Agent Wake-Up communication port

Configurable port used to send SuperAgent wake-upcalls.

Agent Broadcast communication port

Configurable.Console-to-Application Server communicationport

Configurable port used by the Rogue System sensor toreport host-detected messages to the Rogue SystemDetection server using SSL.

Sensor-to-Server communication port

Port 8801. Nonconfigurable port used by McAfee Avertto provide information on security threats and the

Security Threats communication port

required DAT and engine versions to protect againstthem.

See SQL documentation for configuration information.SQL server TCP port

NOTE: Client firewalls block communication from the ePO server. Ensure that the portsrequired for communication from the ePO server are available on the client.

12 Optional step (can be performed after ePolicy Orchestrator is up-and-running). In theDefault Notification Email Address dialog box, type the email address of the recipient ofmessages from ePolicy Orchestrator notification or leave the default. For a new recipient,complete these options, then click Next.

a Provide a default destination for messages.

b Select Setup email server settings now. However, if you choose Setup emailserver settings later, leave the default address.

c Type the Fully Qualified Domain Name (FQDN) of the mail server and specify the Portto use for email.

d Select This server requires authentication if needed, then type the User nameand Password required to access the server.

For more information, see Automatic Responses in the ePolicy Orchestrator 4.5 ProductGuide.

13 In the Start Copying Files dialog box, click Next to begin the installation.

14 In the Installation Complete dialog box, you can view the Release Notes, launch ePolicyOrchestrator, or click Finish to complete the installation.

Installing ePolicy Orchestrator 4.5 SoftwareInstalling the server


Installing an Agent HandlerUse this task to set up an Agent Handler.

Before you begin

You must first install the ePO server with which the Agent Handler is to communicate.

Task

1 Open the folder where you extracted the contents of the ePolicy Orchestrator installationpackage.

2 Copy the AgentHandler folder to the intended Agent Handler server system.

3 Double-click and run Setup.exe. Installation activities take place in the background. Whenthey are completed, the InstallShield Wizard for McAfee Agent Handler opens. Click Next.

4 Accept the default destination or click Browse to change the destination, then click Next.The Server Information page opens.

5 Type the machine name of the ePO Server with which the Agent Handler is to communicate.

6 Type the port to be used for server-handler communication. Port 8433 is the default. McAfeerecommends that you change the port designation. See the discussion of Ports in the Serverand Agent Handler requirements section.

7 Type the ePO Admin User name and password of a user with global administratorprivileges. If these credentials are to be used for the database as well, click Next to startthe installation.

8 If you want to use different database credentials than those mentioned in step 7, followthese additional steps:

a Deselect Use ePO Server's database credentials, then click Next.

b Type the name of the SQL database server.

c SelectWindows Authentication or SQL Authentication, then type the credentials.

NOTE: These credentials must be previously defined in SQL Server.

9 Click Next. The installation process begins.

Logging on to ePolicy OrchestratorUse this task to log on to the ePolicy Orchestrator. You must have valid credentials to do this.

Task

1 To launch the ePolicy Orchestrator software, open an Internet browser and go to the URLof the server (For example: https://:8443). The Log On to ePolicyOrchestrator dialog box appears.

NOTE: You can also double-click the McAfee ePolicy Orchestrator icon on the desktop tolaunch ePolicy Orchestrator.

2 Type the User name and Password of a valid account, created during the installation ofthe software.

NOTE: Passwords are case-sensitive.

Installing ePolicy Orchestrator 4.5 SoftwareInstalling an Agent Handler


3 Select the Language you want the software to display.

4 Click Log On.

How to navigate the ePO interfaceNavigation in ePolicy Orchestrator 4.5 has been redesigned to make it faster and easier to findthe features and functionality you need. The interface now uses a single menu for all top-levelfeatures of ePolicy Orchestrator, and a customizable navigation bar. Top-level features werepreviously displayed as tabs when selecting a section.

For example, in ePolicy Orchestrator 4.0, when the Reporting section was selected, the top-levelfeatures that were displayed included: Queries, Server Task Log, Audit Log, Event Log, andMyAvert.

In version 4.5, all of these top-level features are accessed from the Menu. The following tableprovides some examples of the change in navigation steps to arrive at a desired page.

in version 4.5in version 4.0To get to...

Click Menu and select User Management |Audit Log.

Click Reporting | Audit Log tab.The Audit Log

ClickMenu and select Policy | Policy Catalog.Click Systems | Policy Catalog page.The Policy Catalog

The Menu

The Menu is new in version 4.5 of ePolicy Orchestrator software. The Menu uses categoriesthat comprise the various ePO features and functionalities. Each category contains a list ofprimary feature pages associated with a unique icon. The Menu and its categories replace staticgroup of section icons used to navigate the 4.0 version of the interface. For example, in the4.5 version, the Reporting category includes all of the pages included in the 4.0 version Reporting

Installing ePolicy Orchestrator 4.5 SoftwareHow to navigate the ePO interface


section, plus other commonly used reporting tools such as the Dashboards page. When an itemin the Menu is highlighted, its choices appear in the details pane of the interface.

The navigation bar

In ePolicy Orchestrator 4.5, the navigation bar is customizable. In the 4.0 version of the interface,the navigation bar was comprised of a fixed group of section icons that organized functionalityinto categories. Now you can decide which icons are displayed on the navigation bar by draggingany Menu item on or off the navigation bar. When you navigate to a page in the Menu, or clickan icon in the navigation bar, the name of that page is displayed in the blue box next to theMenu.

On systems with 1024x768 screen resolution, the navigation bar can display six icons. Whenyou place more than six icons on the navigation bar, an overflow menu is created on the rightside of the bar. Click > to access the Menu items not displayed in the navigation bar. The iconsdisplayed in the navigation bar are stored as user preferences, so each user's customizednavigation bar is displayed regardless of which console they log on to.

Installing ePolicy Orchestrator 4.5 SoftwareHow to navigate the ePO interface


Set Up the ePolicy Orchestrator ServerThe ePolicy Orchestrator repository is the central location for all McAfee product installations,updates, and signature packages. The modular design of ePolicy Orchestrator allows newproducts to be added as extensions. This includes new or updated versions of McAfee products,such as VirusScan Enterprise, and non-McAfee products from McAfee partners. Packages arecomponents that are checked in to the master repository, then deployed to client systems.

For information about extensions and packages, see these topics in the ePolicy Orchestrator4.5 Product Guide:

Extensions and what they do

Deployment packages for products and updates

Contents

Configuring a repository pull task

Checking the status of the pull task

Checking in the VirusScan Enterprise package manually

Configuring a repository pull taskFor ePolicy Orchestrator to keep your client systems up-to-date, you must configure a repositorypull task that retrieves updates from a McAfee site (HTTP or FTP) at specified intervals. Usethis task to create a repository pull task that adds and updates the client software.

NOTE: A repository pull task was created for you automatically during installation.

Task

For option definitions, click ? in the interface.

1 Click Menu | Automation | Server Tasks.

2 In the list, find the task named Update Master Repository and, under the Actionscolumn, click Edit to open the Server Task Builder.

3 On the Description page, set Schedule status to Enabled, then click Next.

4 On the Actions page, there is a gray bar just below the page description labeled 1. SelectRespository Pull from the drop-down list.

5 Select Move existing packages to Previous branch, then click Next.

NOTE: This option allows ePolicy Orchestrator to maintain more than one day's signaturefiles, so you can rollback updates, if necessary. When the next pull task runs, today'supdates are moved to a directory on the server called Previous.

6 On the Schedule page, choose when you want ePolicy Orchestrator to check the McAfeesite for updates.


Schedule the task to run Daily, with No End Date.

Set Schedule to between 9:00am and 11:00pm.

Set every to two or three hours.

TIP: McAfee recommends checking for updates several times each day to ensure you havethe latest content.

7 Click Next.

8 On the Summary page, click Save. The console returns to the Server Tasks page.

9 Find the Update Master Repository task and, under the Actions column, click Run. Thisimmediately retrieves the current updates, and opens the Server Task Log.

Checking the status of the pull taskThe Server Task Log is useful to show the status of the McAfee Pull task. Use this task toverify that the Update Master Repository task has finished pulling updates from the McAfeesite.

Task


1 Click Menu | Automation | Server Task Log.

2 In the list of tasks, find the Update Master Repository task.

3 The task is finished when the Status column reports Completed.

Checking in the VirusScan Enterprise packagemanually

Use this task to manually check in the VirusScan Enterprise deployment package to the masterrepository so that ePolicy Orchestrator can deploy them.

Before you begin

You must have the VirusScan Enterprise 8.7i deployment package available in a temporarydirectory. If you do not have the deployment package, you can download the McAfeeVirusScan Enterprise 8.7i Repost Patch 1 Evaluation version from:https://secure.nai.com/apps/downloads/free_evaluations/default.asp.

You must have the appropriate permissions to perform this task.

NOTE: You cannot check in packages while pull or replication tasks are running.

Task

For option definitions, click ? in the page interface.

1 ClickMenu | Software |Master Repository, then click Actions | Check In Package.The Check In Package wizard opens.

Set Up the ePolicy Orchestrator ServerChecking the status of the pull task


2 Select the package type, then browse to and select the VirusScan Enterprise 8.7i deploymentpackage file.

NOTE: If you had downloaded the evaluation version of McAfee VirusScan Enterprise 8.7iRepost Patch 1, then browse for the file VSE870MLRP1.ZIP.

3 Click Next. The Package Options page appears.

4 Confirm or configure the following:

Package info Confirm this is the correct package.

Branch Select the desired branch. If there are requirements in your environment totest new packages before deploying them throughout the production environment,McAfee recommends using the Evaluation branch whenever checking in packages. Onceyou finish testing the packages, you can move them to the Current branch by clickingMenu | Software | Master Repository.

Options Select whether to:

Move the existing package to the Previous branch When selected, movespackages in the master repository from the Current branch to the Previous branchwhen a newer package of the same type is checked in. Available only when youselect Current in Branch.

Add this package to the global update list Adds the package to the Distributedrepository. A SuperAgent call also occurs, forcing the package to be installed on allthe managed systems.

Package signing Specifies if the package is signed by McAfee or is third-partypackage.

5 Click Save to begin checking in the package. Wait while the package is checked in.

The new package appears in the Packages in Master Repository list on the Master Repositorytab.

Set Up the ePolicy Orchestrator ServerChecking in the VirusScan Enterprise package manually


Add Systems to ManageThe ePolicy Orchestrator System Tree organizes managed systems in units for monitoring,assigning policies, scheduling tasks, and taking actions. These units are called groups, whichare created and administered by global administrators or users with the appropriate permissions,and can include both systems and other groups. Before you start managing endpoint policiesfor client systems on your network, you must add those systems to your System Tree.

There are several methods of organizing and populating the System Tree:

Manually structure your System Tree by creating your own groups and adding individualsystems.

Synchronize with Active Directory or NT domain as a source for systems. In the case of usingActive Directory, synchronization also provides System Tree structure.

Create your own groups based on IP ranges or subnets. This is called criteria-based sorting.

Import groups and systems from a text file.

The workflow in this section uses the manual approach to create a simple structure for evaluation.While this method can be too slow when deploying ePolicy Orchestrator in a live network, it isa useful way to add a small number of systems in your test network. You can try the otherapproaches once you become familiar with ePolicy Orchestrator.

Contents

Creating your System Tree groups

Adding systems to your System Tree groups

Organizing new systems into your groups

Deploying the McAfee Agent

Verifying agent communication with ePolicy Orchestrator

More on working with the System Tree

Creating your System Tree groupsUse this task to add groups to your System Tree. For this exercise, we are creating two groups,Servers and Workstations.

Task


1 Click Menu | Systems | System Tree, then click Group on the menu bar.

2 Highlight My Organization, then click System Tree Actions | New Subgroup.

3 Type Test Group, then click OK. The new group appears in the System Tree.


4 Highlight Test Group, click System Tree Actions | New Subgroup, type Servers, andclick OK.

5 Repeat Step 4, but type Workstations for the group name. Once you return to the Grouppage, highlight Test Group. Your Servers and Workstations groups are listed on the Grouppage. The sorting order should be the same as the order in which you created the groups.

Adding systems to your System Tree groupsUse this task to manually add a few test systems to your ePO System Tree.

Task


1 In the System Tree, highlight the Workstation group and click System Tree Actions| New Systems.

2 For How to Add Systems, select Add systems to the current group, but do notdeploy agents.

3 For Systems to Add, type the NetBIOS name for each system in the text box, separatedby commas, spaces, or line breaks. You can also click Browse to select systems.

4 Verify that System Tree sorting is disabled.

5 Click OK.

6 As needed, repeat these steps to add systems to your Servers group.

Organizing new systems into your groupsBy performing the tasks in the previous sections, you now have several groups and systems inyour System Tree. In a live production environment, new systems contact the ePolicyOrchestrator server, and need to be placed in the System Tree. This occurs if you installed theMcAfee Agent on new systems, through use of Rogue System Detection, or through anothermethod. In these cases, systems are placed in the Lost&Found group.

ePolicy Orchestrator has a powerful group sorting function that allows you to set up rules abouthow systems sort themselves into your System Tree when they first contact the ePO server.For details on this feature, refer to Criteria-based sorting in the McAfee ePolicy Orchestrator4.5 Product Guide.

In this exercise, you will create a system sorting rule based on tags. ePolicy Orchestrator createstwo default tags, Server and Workstation, which you can use. The sorting rule does not functionuntil a system that is not in the System Tree calls in to the ePO server. You can also schedulethe sorting rule, or run it manually.

Use this task to create a sorting rule based on the default tags.

Task


1 Click Menu | Systems | System Tree, then click Group Details on the menu bar.

2 Highlight Test Group.

3 At the top of the Group page, locate the label Sorting Criteria and click Edit.

Add Systems to ManageAdding systems to your System Tree groups


4 Select Systems that match any of the criteria below (IP addresses and/or tags).The page expands with additional options.

5 Click Add Tag(s).

6 From the drop-down menu, select Server, click the plus sign (+), then selectWorkstation.

7 Click Save.

8 In the System Tree, highlight My Organization.

9 In the Sorting Order list, find the entry for Test Group. In the Actions column, clickMove Up until the group is at the top of the list. Now this group is the first to be evaluatedwhen new systems are put into the System Tree.

Deploying the McAfee AgentThe McAfee Agent is the distributed component of ePolicy Orchestrator that must be installedon each system in your network that you want to manage. The agent collects and sendsinformation to the ePO server. It also installs and updates the endpoint products, and appliesyour endpoint policies. Systems cannot be managed by ePolicy Orchestrator unless the McAfeeAgent is installed.

Use this task to deploy the McAfee Agent to your client systems.

Before deploying the McAfee Agent, it is useful to verify communication between the serverand systems, and access to the default administrator share directory. Also, you might need tocreate firewall exceptions.

Before you begin

Check that you can ping client systems by name. This demonstrates that the server canresolve client names to an IP address.

Check for access to the default Admin$ share on the client systems: in the Windows interface,click Start | Run, then type \\computer-name\admin$. If the systems are properly connectedover the network, your credentials have sufficient rights, and the Admin$ shared folder ispresent, a Windows Explorer dialog box opens.

If an active firewall is running on any client systems, create an exception for Framepkg.exe.This is the file ePolicy Orchestrator copies to the systems you want to manage.

Task


1 Click Menu | Systems | System Tree, then click Systems on the menu bar.

2 Highlight Test Group. If this group has no systems, but has subgroups with systems, clickthe Level Filter drop-down list and select This Group and All Subgroups.

3 Select one or more systems from the list, and click Actions | Agent | Deploy Agents.

4 Type credentials that have rights to install software on client systems, such as a DomainAdministrator, and click OK.

It will take a few minutes for the McAfee Agent to install and for client systems to retrieveand execute the installation packages for the endpoint products. When first installed, theagent determines a random time within 10 minutes for connecting to the ePO server toretrieve policies and tasks.

Add Systems to ManageDeploying the McAfee Agent


There are many other ways to deploy the McAfee Agent (see the ePolicy OrchestratorProduct Guide or Help).

Verifying agent communication with ePolicyOrchestrator

Once the initial agent-server communication has occurred, the agent polls the server once every60 minutes by default. This is known as the Agent to Server Communication Interval or ASCI.Every time this occurs, the agent retrieves policy changes and enforces the policies locally.

With the default ASCI, an agent that polled the server 15 minutes ago will not pick up any newpolicies for another 45 minutes. However, you can force systems to poll the server with anagent wake-up call. The wake-up call is useful when you need to force a policy change soonerthan the next communication would occur. It also allows you to force clients to run tasks, suchas an immediate update.

Use this task to verify whether your client systems are communicating with ePolicy Orchestrator.

Task



2 Highlight your Servers or Workstations group.

3 If an IP address and user name are listed, the agent on the client system is communicatingwith the server.

4 If five to ten minutes pass and systems do not have an IP address and user name, selectActions | Agent | Wake Up Agents.

If sending a wake-up call fails to retrieve an IP address and user name, other environmentalfactors might be preventing the initial agent deployment. If this happens, you can copythe agent installer, Framepkg.exe, from the ePO server and run it on the client systems.

More on working with the System TreeYou can use many types of groupings to organize your System Tree.

Along with groups, you can add tags to your systems to further identify them, using a traitbased on the system's properties. For details on this feature, refer to Organizing the SystemTree in the McAfee ePolicy Orchestrator 4.5 Product Guide.

Add Systems to ManageVerifying agent communication with ePolicy Orchestrator


Deployment TasksYou have now created a System Tree, added some client systems, checked in the software,and configured your policies. Next, you will schedule the deployment of VirusScan Enterprise.Product deployment is accomplished using a client task that the McAfee Agent retrieves andexecutes. You also use client tasks for scheduling scans and updating.

After creating the deployment and update tasks in this section, create a VirusScan EnterpriseOn-Demand Scan task.

Contents

Creating a product deployment task

Creating a product update task

Verifying client software installation

Revisiting the PUP audit VirusScan policy

Resetting the On-Access Scan policy

Verifying the On-Demand Scan task

Creating a product deployment taskUse this task to create a client task that deploys VirusScan Enterprise 8.7 to a group of systems.

Task


1 Click Menu | Systems | System Tree, then click Client Tasks on the menu bar.

2 Highlight My Organization, then click New Task.

3 For Name, type McAfee Deployment.

4 For Type, select Product Deployment from the drop-down menu, then click Next.

5 On the Configuration page under Products and components, select VirusScanEnterprise 8.7.0.xxx, set Action to Install and set Language to the language usedon your client systems.

6 Select Run at Every Policy Enforcement (Windows only), then click Next.

7 On the Schedule page, set these options, then click Next:

EnabledSchedule status

Run ImmediatelySchedule type

8 On the Summary page, click Save.


When deploying to a large number of systems in a production environment, McAfeerecommends using the Randomization option on the Schedule page. Task randomizationhelps avoid client systems sending numerous simultaneous requests to the server. Typicallyin a live environment, you might want to schedule deployments at specific times of theday. Setting the schedule to Run Immediately speeds up the deployment process forevaluation purposes.

Creating a product update taskUse this section to create a client task that updates the VirusScan engine and DATs.

Task



2 Highlight Test Group, then click New Task.

3 For Name, type Daily Update.

4 For Type, select Product Update from the drop-down menu, then click Next.

5 On the Configuration page under Products and components, select McAfee AgentforWindows 4.x.x.xxx, set Action to Install, select Engine and DAT, then click Next.

6 On the Schedule page, set Schedule type to Daily.

NOTE: If you are updating a large number of systems, McAfee recommends specifyingsome randomization to stagger the client requests.

7 For Options, select Run missed task.

8 Set Schedule to Repeat Between, and set the time values to 7:00am, 6:59am, andevery 4 hours.

9 On the Summary page, click Save.

The time span for the schedule is an example only. Typically in a live environment, youwant to schedule client systems to check for updates throughout the day. The schedulingoptions allow you to set up any schedule you require.

Systems that temporarily disconnect from your network (for example, laptops) continue torun their assigned update tasks. In such a case, the laptop retrieves updates from theMcAfee site (rather than the ePO server) while in a hotel or anywhere there is an Internetconnection.

Verifying client software installationDepending on how many products you deployed, the client installation process might take sometime to complete. You can verify client installations from the ePO server, or on the client systemsby right-clicking the McAfee system tray icon.

Use this task to verify client installations from the ePO server.

Task


Deployment TasksCreating a product update task



2 Highlight your Servers or Workstations group.

3 Select individual systems using the checkboxes, or use Select All in this Page or SelectAll in all Pages.

4 Click Actions | Agent | Wake Up Agents.

5 If you were waking up a large number of systems, adding a few minutes of randomizationis useful. Click OK.

6 After a few minutes, click individual systems. The SystemDetails page provides informationabout the system, including the installed McAfee software.

Revisiting the PUP audit VirusScan policyAt this point, the software installation client tasks have run, or are running, and all the policiesyou created in previous tasks are downloaded. If your test systems have clean, newly installedoperating systems, you might not have any PUP detections. For the purpose of this exercise,assume that these items were detected on your clients:

The remote administration tool Tight VNC.

A port scanner called SuperScan.

Most PUPs are detected with both the family and name of the application. For instance, theport scanner called SuperScan is detected as PortScan-SuperScan, and TightVNC is detectedas RemAdm-TightVNC. This is the basic nomenclature for the "detection names" as providedin ePO reports and local client log files.

After completing your audit of PUPs, use this task to create a new policy, based on your existingUnwanted Programs Policies, and add any required exclusions. This task uses SuperScanand Tight VNC as examples. You do not need to enter these exclusions now; you can refer backto this example if and when you need to make any actual exclusions.

Task


1 Click Menu | Systems | System Tree, then click Assigned Policies on the menu bar.

2 From the Product drop-down menu, select VirusScan Enterprise 8.7.0.


4 To the right of Unwanted Programs Policies, click Edit Assignment.

5 Select Break inheritance and assign the policy and settings below.

6 Click New Policy.

7 Type a name for the policy, such as PUP exclusions for IT staff, and click OK. The Policy editoropens.

8 In the Unwanted Program Exclusions area, type PortScan-SuperScan and click the plus symbol(+) on the right.

9 Type RemAdm-TightVNC, click + again, and type Reg-TightVNC.TightVNC also requires a "Reg" exclusion for the Windows Registry entries for thisapplication. This instructs the scanner not to clean the associated Registry entries for thisprogram. SuperScan does not require a Reg exclusion because it is a standalone executable.

10 Click Save.

Deployment TasksRevisiting the PUP audit VirusScan policy


11 From the Assigned policy drop-down menu, select the policy PUP exclusions for ITstaff, then click Save.

It is safer to exclude only the tools you use, rather than deselecting an entire category.For example, considering remote administration tools, you might need to exclude a fewtools for normal operations, but you might also want to know if the McAfee AntiSpywaremodule finds any non-approved, rogue tools of this nature on your network.

After completing the PUP audit, it is important that you change the VirusScan setting backto Clean, and create a policy with exclusions. If you don't, you won't remove spyware.

Resetting the On-Access Scan policyPreviously, you created a new policy that instructed the on-access scanner to detect PUPs butnot clean them. Use this task to reapply the default scanner policy, which enables cleaning.

Task





4 To the right of On-Access Default Processes Policies, click Edit Assignment.

5 From the Assigned policy drop-down menu, select My Default.

6 Select the radio button for the policy Audit for PUPs, which is either Global Root or MyOrganization, depending on your previous settings.

7 Click Save.

Verifying the On-Demand Scan taskIn a previous exercise, you scheduled a recurring scan for the client system. As part of thatconfiguration, we instructed the scanner to temporarily only detect PUPs, and not to clean them.Use this task to reset the option that enables cleaning during a scheduled scan.

Task




3 Locate the scan task you created, then under the Actions column click Edit Settings.

4 On the first page of the task wizard, click Next.

5 On the Configuration page, click Actions, then in the When an Unwanted Programis Found drop-down menu, select Clean Files.

6 Click Save.

VirusScan will now clean any PUPs that you have not explicitly excluded. The next timeclient systems communicate with the server, they will download your configuration changes.

Deployment TasksResetting the On-Access Scan policy


Setting PoliciesA policy is a collection of settings that you create, configure, then enforce. Policies ensure thatthe managed security software products are configured and perform accordingly.

Some policy settings are the same as the settings you configure in the interface of the productinstalled on the managed system. Other policy settings are the primary interface for configuringthe product or component. The ePolicy Orchestrator console allows you to configure policysettings for all products and systems from a central location.

Policy categories

Policy settings for most products are grouped by category. Each policy category refers to aspecific subset of policy settings. Policies are created by category. In the Policy Catalog page,policies are displayed by product and category. When you open an existing policy or create anew policy, the policy settings are organized across tabs.

Where policies are displayed

To see all of the policies that have been created per policy category, click Menu | Policy |Policy Catalog, then select a Product and Category from the drop-down lists. On the PolicyCatalog page, users can see only policies of the products to which they have permissions.

To see which policies, per product, are applied to a specific group of the System Tree, clickMenu | Systems | System Tree | Assigned Policies page, select a group, then select aProduct from the drop-down list.

NOTE: A McAfee Default policy exists for each category. You cannot delete, edit, export orrename these policies, but you can copy them and edit the copy.

Contents

Creating policies for the McAfee Agent

Creating policies for VirusScan Enterprise

Assigning policies

Creating policies for the McAfee AgentWhen evaluating McAfee ePolicy Orchestrator, it is useful to change the McAfee Agent policyto display the system tray icon on client systems. This allows you to view the Agent StatusMonitor.

Another reason to change the McAfee Agent policy might be slow WAN connections to remoteoffices, or a very large number of managed nodes.

For example, you might determine that systems communicating over slower links should contactePolicy Orchestrator every 180 minutes, which is eight times a day rather than the default of24. For this case, you might create a policy called "Low bandwidth" or "3 hour polling" and


change the Agent to Server Connection Interval option to 180 minutes from the defaultof 60.

NOTE: This functionality is enabled by McAfee Agent 4.0 latest patch, which is included in theePolicy Orchestrator 4.5 evaluation software.

Use this task to create a policy that displays the McAfee Agent on client systems:

Task


1 Click Menu | Policy | Policy Catalog.

2 From the Product drop-down menu, select McAfee Agent.

3 On the line that lists McAfee Default, click Duplicate.

4 For Name, type Show Agent Icon, then click OK.

5 On the line that lists your new policy, click Edit.

6 Select the box next to Show the McAfee system tray icon, and click Save.ePolicy Orchestrator provides you with the option to access the McAfee Agent log on eachsystem remotely. See the ePolicy Orchestrator Product Guide for details on this usefultroubleshooting tool.

Creating policies for VirusScan EnterpriseThis section covers three examples of VirusScan Enterprise policies. The first is designed toprevent users from making changes to VirusScan settings on their managed systems. Thesecond establishes database exclusions on servers. The third temporarily modifies the UnwantedPrograms Policy.

Tasks

Locking the local VirusScan console

Creating file exclusions on a server

Creating policies for the AntiSpyware Enterprise module

Locking the local VirusScan consoleUse this task to modify the default VirusScan Enterprise User Interface Policy to prevent usersfrom tampering with the local VirusScan interface. VirusScan Enterprise runs on both workstationsand servers; therefore, the VirusScan policies have separate settings for each platform. In thiscase, you want to make changes only to the workstation settings.

Task




3 From the Category drop-down menu, select User Interface Policies.


5 For Name, type Lock VSE Console, then click OK.

Setting PoliciesCreating policies for VirusScan Enterprise


6 On the line that lists your new Lock VSE Console policy, click Edit.

7 On the menu bar, click Password Options.

8 Make sure the Settings for option is set to Workstation.

9 For User interface password, select Password protection for all items listed.

10 Type a password in the boxes provided, then click Save.

Creating file exclusions on a serverUse this task to create a VirusScan policy that excludes two hypothetical database files on aserver. Creating these types of scanning exclusions is a typical practice on many database andemail servers.

Task




3 Expand Test Group, then click your Servers group. This policy can be configured priorto adding systems to this group.

4 To the right of On-Access Default Processes Policies, click Edit Assignment.

5 For Inherit from, select Break inheritance and assign the policy and settingsbelow.

6 For Assigned policy, click New Policy.

7 In the Create a new policy dialog box, for Policy Name, type Database AV Exclusions,then click OK. This opens the policy editor.

8 From the Settings for drop-down menu, select Server.

9 On the menu bar, click Exclusions.

10 For What not to scan, click Add.

11 In the dialog box, select By pattern and type data.mdf, then click OK. Click Add again,and type data.ldf as another exclusion, then click OK.

NOTE: Only the file name is specified in this task. In a real environment, you might wantto specify a full path to narrow your exclusions.

12 Once both exclusions are listed, click Save.

13 From the Assigned policy drop-down menu, select Database AV Exclusions, then clickSave.

Creating policies for the AntiSpyware Enterprise moduleWhen the AntiSpyware module is installed, it is immediately active and cleans or deletes anypotentially unwanted programs (PUPs) it finds. While it detects and cleans spyware and adware,there are other PUPs that you might not want it to clean, such as your IT department'sadministrative tools. For example, you might have remote administrative tools, port scanners,or password cracking utilities that your IT staff uses. Many of these tools have legitimate useson the network by administrators.

Setting PoliciesCreating policies for VirusScan Enterprise


This section presents a methodology for detecting the PUPs on your network to discover whatexists, create exclusions for any with legitimate purposes, then configure the scanner to blockthe remainder.

The task modifies the VirusScan On-Access Scan settings to log PUPs that it finds, but not deletethem. VirusScan continues to detect and clean viruses, worms, Trojan horses, and other threats.The intent is to check for PUPs in "audit mode" for a few days or a week, check the PUP detectionreports in ePolicy Orchestrator, and identify your required exclusions. Later, you will changethe policy assignment so it once again cleans PUPs.

Use this task to modify the default VirusScan On-Access Scan policy so that PUPs are auditedon your managed systems.

Task




3 In the Category column, select On-Access Default Processes Policies.


5 For Name, type Audit for PUPs, then click OK.

6 On the line that lists your new policy, click Edit.

7 From the Settings for drop-down menu, select Workstation.

8 On the menu bar, click Actions.

9 For When an unwanted program is found, select Allow access to files from thedrop-down menu for the first action to perform. This disables the secondary action.

10 Click Save.

Assigning policiesUse these tasks to assign policies from the System Tree interface and assign the VirusScanEnterprise policies.

Tasks

Assigning McAfee Agent policy

Assigning VirusScan Enterprise policies

Assigning McAfee Agent policyYou now have several policies to assign to the systems in your System Tree. For this part, youwill assign all the policies from the System Tree interface.

Task




3 From the Product drop-down menu, select McAfee Agent.

Setting PoliciesAssigning policies


4 On the line that lists My Default, click Edit Assignment.


6 From the Assigned Policy drop-down menu, select Show Agent Icon.

7 Click Save.

Assigning VirusScan Enterprise policiesUse this task to assign the VirusScan Enterprise policies.

NOTE: When you created the Database AV Exclusions policy, you also assigned it to the Serversgroup.

Task



2 On the line that lists User Interface Policies, click Edit Assignment.


4 From the Assigned Policy drop-down menu, select Lock VSE Console.

5 Click Save.

6 Click Save. When you return to the Policies page, you will see that On-Access DefaultProcesses Policies has an entry in the Broken Inheritence column. This is becauseyou already assigned the Database AV Exclusions policy to the Servers group.

Setting PoliciesAssigning policies


Using Dashboards and QueriesDashboards and queries provide various types of status information about your environment.You can also create custom dashboards and queries.

By default, the only active dashboard after installation is the ePO Summary for 4.5 dashboard.In this section, you will activate a second dashboard, change one of the monitors, run apredefined query, and create a custom query.

NOTE: Default dashboards and queries are displayed only for the user that installs ePolicyOrchestrator and ePO managed products. Before other users will be able to view these defaultdashboards and queries, the installing user must make them public or shared.

Contents

Activating a dashboard

Changing a dashboard monitor

Activating a dashboardTo make a dashboard part of your active set on the tab bar of the Dashboards page, youneed to activate it.

Task


1 ClickMenu | Reporting | Dashboards, clickOptions, then selectManage Dashboards.The Manage Dashboards page appears.

2 From the Dashboards list, highlight VSE: Current Detections, then clickMake Active.The Make Active dialog box appears.

3 Click OK, then Close.

The VSE: Current Detections dashboard now appears on the tab bar. Take a momentto examine this dashboard and the information it provides.

NOTE: When first installed, Virus Scan Enterprise will not have any detections to reporton. As a result, the VSE: Current Detections dashboard will display a message statingthat Query did not return any results. Overtime, VirusScan Enterprise will makedetections (based on your policy configuration) and display them in this dashboard.

Changing a dashboard monitorMost default dashboards contain six monitors. If the default monitors do not give you theinformation you want, you can change the set of monitors rather than create a new dashboard.


To view some information about VirusScan Enterprise and Potentially Unwanted Programs, youwill duplicate, then modify the VSE: Current Detections dashboard.

Task


1 ClickMenu | Reporting | Dashboards, clickOptions, then selectManage Dashboards.The Manage Dashboards page appears.

2 From the Dashboards list, highlight VSE: Current Detections then click Duplicate.

3 For Name, type VSE: Detections (custom), and click OK.

4 Click Edit.

5 Find the monitor named VSE: Threats Detected in the Last 24 Hours and click Delete.

6 Click New Monitor.

7 From the Category list, select Queries.

8 From the Monitor list, select VSE: DAT Deployment, then click OK.

9 Find the monitor named VSE: Threats Detected in the Last 7 Days and click Delete.

10 Click New Monitor.

11 From the Category list, select Queries.

12 From theMonitor list, select VSE: Top 10 Access Protection Rules Broken, then clickOK.

13 Click Save.

14 ClickMake Active, then when prompted, click OK.

15 Click Close.

16 On the Dashboards tab bar, click VSE: Detections (custom).

The two monitors you added display a pie chart (DAT Deployment), and a summary table(Top 10 Access Protection Rules Broken). When creating your own queries, consider thetype of data you want to view, and how to display it.

Using Dashboards and QueriesChanging a dashboard monitor


SummaryCongratulations. By completing this guide, you have performed many of the common tasksused in creating and maintaining a secure network environment.

Here is what you have accomplished:

1 Installed the McAfee ePolicy Orchestrator 4.5 software.

2 Enabled and run a task that updates the ePO master repository from the McAfee site.

3 Created a System Tree structure, and added test systems into groups.

4 Created and applied a new McAfee Agent policy that displays the system tray icon onmanaged systems.

5 Created and applied new policies for endpoint products, consisting of several VirusScanpolicies, including a policy to audit PUPs.

6 Created a deployment task to install VirusScan Enterprise on the client systems.

7 Created a client update task to keep the clients current.

8 Deployed the McAfee Agent.

9 Verified agent-server communication, and sent agent wake-up calls to ensure that yourmanaged systems retrieved the new policies.

10 Modified the PUP audit policy with exclusions.

11 Reapplied the default on-access scan policy, and reset the on-demand scan task to cleanPUPs.

12 Activated a dashboard and changed monitors on a dashboard.


References

Use the links in this section to access more information.

Support by Reading

Search McAfee's award-winning KnowledgeBase to find answers to questions.

Search the Knowledge base

For more information on ePolicy Orchestrator 4.5, refer to the following product documentation:

ePolicy Orchestrator 4.5

ePolicy Orchestrator 4.5 Product Guide

ePolicy Orchestrator 4.5 Installation Guide

License Management in ePolicy Orchestrator 4.5 FAQ

ePolicy Orchestrator 4.5 - Master list of release Support articles

VirusScan Enterprise 8.7i

VirusScan Enterprise 8.7i Installation Guide

VirusScan Enterprise 8.7i Product Guide

Access Protection in McAfee VirusScan Enterprise and Host Intrusion Prevention - Whitepaper

Support by Seeing

View tutorials

View video tutorials that address common issues and questions.

Support by Doing

Download Software Updates

Obtain the latest anti-virus definitions, product security updates and product versions. To getproduct patches and maintenance releases you must be logged on to the ServicePortal.

Global Support Lab

Configure and walk through common issues in a live test environment.


ContentsIntroducing ePolicy Orchestrator 4.5Components of ePolicy OrchestratorWhat's new in this release

Pre-InstallationSystem requirementsServer and Agent Handler requirementsDatabase requirementsDatabase considerationsDistributed repositories

Supported products and componentsOperating systems language support

Installing ePolicy Orchestrator 4.5 SoftwareInstalling the serverInstalling an Agent HandlerLogging on to ePolicy OrchestratorHow to navigate the ePO interfaceThe MenuThe navigation bar

Set Up the ePolicy Orchestrator ServerConfiguring a repository pull taskChecking the status of the pull taskChecking in the VirusScan Enterprise package manually

Add Systems to ManageCreating your System Tree groupsAdding systems to your System Tree groupsOrganizing new systems into your groupsDeploying the McAfee AgentVerifying agent communication with ePolicy OrchestratorMore on working with the System Tree

Deployment TasksCreating a product deployment taskCreating a product update taskVerifying client software installationRevisiting the PUP audit VirusScan policyResetting the On-Access Scan policyVerifying the On-Demand Scan task

Setting PoliciesCreating policies for the McAfee AgentCreating policies for VirusScan EnterpriseLocking the local VirusScan consoleCreating file exclusions on a serverCreating policies for the AntiSpyware Enterprise module

Assigning policiesAssigning McAfee Agent policyAssigning VirusScan Enterprise policies

Using Dashboards and QueriesActivating a dashboardChanging a dashboard monitor

SummaryReferences

Documents

Epo 450 Evaluation Guide en-us