McAfee ePolicy Orchestrator :

A single console for all your security management

McAfee ePolicy Orchestrator (McAfee ePO) is the most advanced, extensible, and scalable centralized security management software in the industry.

§ Get a unified view of your security posture with drag-and-drop dashboards that provide security intelligence across endpoints, data, mobile and networks.

§ Simplify security operations with streamlined workflows for proven efficiencies.

§ Flexible security management options allow you to select either a traditional premises-based or a cloud-based management version of McAfee ePO.

§ Leverage your existing third-party IT infrastructure from a single security management console with our extensible architecture.

EPO Description

McAfee ePolicy Orchestrator is a server based application that monitors and controls McAfee end-point-protection packages. It uses a Microsoft SQL database for its backend data storage. The two prominent managed packages are McAfee VirusScan Enterprise and Groupshield. McAfee VirusScan Enterprise or VSE is the current server and workstation anti-virus client used on Windows and Linux systems. Groupshield is the current anti-virus solution for our Exchange email servers.

McAfee ePolicy Orchestrator server, "EPO" for short, enables enterprise-level control and monitoring for our McAfee security clients. It has a user friendly web interface console that has a lot of flexibility. Some examples are Active Directory synchronization, pushing clients, upgrading clients, sorting based on IP, global policy control for all systems, automated notifications, event correlation, report generation and a very customizable Dashboard section for easy daily monitoring of all 6,500+ systems.

An agent installation is required for the EPO server to manage Windows and Linux hosts. The installation is small and doesn't require a reboot. The agent install file is compiled by the EPO server with specific security keys and connection information pertaining to the EPO server.

McAfee EPO Server Port List

Introduction

This article lists all the network ports used by the McAfee ePolicy Orchestrator 4.5 server.

Network Port List

Source	Target	Port	Protocol	Description
EPO Client	EPO Server	8080	TCP	Agent to Server Communication
EPO Client	EPO Server	4443	TCP	Agent to Server Communication Secure
EPO Server	EPO Client	8081	TCP	Agent Wake-up Communication
EPO Server	EPO Client	8082	UDP	Agent Broadcast Communication (Client Listening)
Admin PC	EPO Server	4443	TCP	Web Console to Application Server Communication
Admin PC	EPO Server	8444	TCP	Client to Server Authenticated Communication

McAfee EPO Agent Supported Operating Systems List

Summary

As Microsoft releases new operating systems or Service Packs, the original McAfee product guides might not reflect the current McAfee support policy for those platforms.

Most of the information below is available in the product installation guides and Readme.txt files, however some of the information is available only in Product Management Statements published in the McAfee KnowledgeBase.

Microsoft Windows supported operating systems

The following tables detail the McAfee products supported for use on Windows workstation and server operating systems. Only the most current versions are included as most customers upgrade to the latest Service Packs shortly after they are released.

Supported ePolicy Orchestrator versions

Version	CMA 3.5.5	CMA 3.6.0	MA 4.0	MA 4.5	MA 4.6
ePolicy Orchestrator 4.6	No	No	Yes	Yes	Yes
ePolicy Orchestrator 4.5	No	Yes*	Yes	Yes	Yes
ePolicy Orchestrator 4.0	Yes*	Yes*	Yes	Yes	No

* CMA 3.5.5 and 3.6.0 reached End of Life (EOL) on March 31, 2010. See KB60789 for details. CMA 3.6.0 Patch 4 wasthe minimum supported version with ePO 4.5. CMA = Common Management Agent

MA = McAfee Agent

For EOL and EOS lifecycle details, see: McAfee Product and Technology Support Lifecycle

For EOL and EOS policy details, see: Enterprise Products End of Life Policy

Definitions

End of Support (EOS) Notification	The notification that establishes when the discontinued product will no longer have General Availability. EOS Notification begins the EOL process.
End of Life (EOL) Period	The EOL Period refers to the timeframe beginning with the day that McAfee notifies its intentions to discontinue a product until the last date that the product is formally supported. In general, after the EOL Period is announced, product enhancements are not made.
End of Support	The last day that the product is supported according the terms of McAfee’s standard support offering.

McAfee EPO Web Console

1. Browse to https://eposerver:8443/

2. Username should be your Best domain administrator account usually prefaced with "X"

3. The password is authenticated against Active Directory

Example

Login Screen
Enter your assigned username and password. Usually it's your normal Best domain account. Don't enter the domain name.

Figure A

McAfee EPO Server Dashboards

Purpose

This article covers some of the basic usage of the Dashboards in our McAfee ePolicy Orchestrator 4.5 web console interface.

EPO Dashboard Description

The McAfee ePolicy Orchestrator web console Dashboards are designed primarily for instant up-to-date report data of the McAfee managed environments. Dashboards are completely customizable by the web console user. It does not take a McAfee EPO expert or administrators to create your own Dashboards that suit you’re needed. The way Dashboards are created is through the EPO Queries section. Basically reporting queries can be created fairly quickly through and intuitive wizard. These can be used standalone or linked into a Dashboard.

So, all the Dashboards besides the default ePO Summary Dashboard have been created by making queries and linking them into the different Dashboards.

There are several already created which can be used as examples to create your own custom Dashboard if desired.

Basically, the purpose of the Dashboards it for the support personnel that help keep the McAfee environments healthy can frequently login, look over their Dashboards and know the status of their environment.

This is also McAfee solution to spamming reports out via email. Which you could do if needed, but the preferred method is to simply login and check your Dashboards. From the Dashboards you can easily export data to many common formats such as CSV and PDF as needed.

McAfee EPO web console

When you login for the first time you will have a single default Dashboard named ePO Summary

Go to again login figure A

Select and Arrange Existing Dashboards

You can add or remove Public or private (My) Dashboards that are all ready created to your user profile active Dashboard list through one of these solutions. These selections will be saved to your user profile and remain for the following logins.

Solution 1

1. Select Options\Manage Dashboards

2. Select the Dashboard you wish to add on the left under Public Dashboards

3. Select Make Active

4. OK

Figure B

Adding Dashboards

Solution 2

1. Select Options\Select Active Dashboards

2. Click the grey circle with white chevron next to existing Dashboard on left that you wish to add

3. Either use the arrows on the Active Dashboards to sort or drag and drop to rearrange order on right blue bar

4. Click the X on an Active Dashboard to remove it

1. This does not delete the Dashboard.

Figure 3

Select and Arrange Dashboards

Repeat solution steps to add as many Dashboards as you want.

Recommended Dashboards

IS Operations

· Client Overview

· Problem Systems

· Servers

· Threat Overview

IS Desktop and Service Desk

· Client Overview

· Problem Systems

· Workstations

· Threat Overview

Figure 4

Added Dashboards

Tip: The far left Dashboard will be the default Dashboard viewed upon login. Also, Dashboards can be activated or deactivated in this management section as well.

Note: Threat Overview is slow to load because of all the data it pulls. The three Threats (Timeframe) Dashboards were partial created to address that issue. These three can be used instead because they load faster and have threats broke down by site (EPO Groups sorted by IP).

McAfee EPO Server Queries

Description

The EPO server queries have several purposes. The top three are for building Dashboards, automated server tasks, and generating reports. Dashboards basically are user interfaces to view live reports that built queries pull. This is where most time will be spent by administrators to monitor the status of the McAfee environments through the EPO web console. Automated server tasks use queries to execute actions. Such as, a query to list all unmanaged systems is built and then a server task uses that list to remove them daily before repopulating from and Active Directory sync. Lastly, queries can be used to pull data from the EPO database and generate reports. These reports can be exported in several formats including CSV, XML, HTML and PDF. They can also be setup to automatically be emailed. The queries are very customizable and fairly simple to create. Meaning you don’t need to know a scripting language to create them, because it’s all done through a web wizard interface from the EPO web console.

Queries

Queries are configurable objects that retrieve and display data from the database. The results of queries are displayed in charts and tables. Any query’s results can be exported to a variety of formats, any of which can be downloaded or sent as an attachment to an email message. Most queries can be used as dashboard monitors.

Query results are actionable

Query results are now actionable. Query results displayed in tables (and drill-down tables) have a variety of actions available for selected items in the table. For example, you can deploy agents to systems in a table of query results. Actions are available at the bottom of the results page.

Queries as dashboard monitors

Most queries can be used as a dashboard monitor (except those using a table to display the initial results). Dashboard monitors are refreshed automatically on a user-configured interval (five minutes by default).

Exported results

Query results can be exported to four different formats. Exported results are historical data and are not refreshed like other monitors when used as dashboard monitors. Like query results and query-based monitors displayed in the console, you can drill down into the HTML exports for more detailed information. Unlike query results in the console, data in exported reports is not actionable.

Reports are available in several formats:

· CSV — Use the data in a spreadsheet application (for example, Microsoft Excel).

· XML — Transform the data for other purposes.

· HTML — View the exported results as a web page.

· PDF — Print the results.

Sharing queries between servers

Any query can be imported and exported, allowing you to share queries between servers. In a multi-server environment, any query needs to be created only once.

Public and personal queries

Queries can be personal (private) or public. Private queries exist in the user’s My Groups list, and are available only to their creator. Public queries exist in the Shared Groups list, and are available to everyone who has permissions to use public queries. By default, all of ePolicy Orchestrator default queries are public. However, not all users have permission to view queries automatically. Additionally, users must have permissions to view queries to be able to view all of the default dashboards, because some of the monitors on these dashboards are created by queries. Only users with appropriate permissions can make their personal queries public ones.

NOTE: If migrating from ePolicy Orchestrator 4.5, any queries that were private in version 4.0 remain private in this version. These private queries are located in the Migrated Queries group inside the My Groups list. Public queries that are migrated are located in the Shared Groups list in the Migrated Queries group.

Query permissions

Use query permissions to assign specific levels of query functionality to permission sets, which are assigned to individual users. To run most queries, you also need permissions to the feature sets associated with their result types. In a query’s results pages, the available actions to take on the resulting items depend on the feature sets a user has permission to.

Available permissions include:

· No permissions — The Query tab is unavailable to a user with no permissions.

· Use public queries — Grants permission to use any queries that have been made public.

· Use public queries; create and edit personal queries — Grants permission to use any queries that have been made public, as well as the ability to use the Query Builder wizard to create and edit personal queries.

· Edit public queries; create and edit personal queries; make personal queries public

· Grants permission to use and edit any public queries, create and edit any personal queries, as well as the ability to make any personal query available to anyone with access to public queries.

Query Builder

ePolicy Orchestrator provides an easy, four-step wizard that is used to create and edit custom queries. With the wizard you can configure which data is retrieved and displayed, and how it is displayed.

Result types

The first selection you make in the Query Builder wizard is a result type from a feature group. This selection identifies what type of data the query retrieves, and determines the available selections in the rest of the wizard.

Chart types

ePolicy Orchestrator provides a number of charts and tables to display the data it retrieves. These and their drill-down tables are highly configurable.
NOTE: Tables do not include drill-down tables.

Chart Type Groups

Pie:

· Boolean Pie Chart

· Pie Chart

Bar:

· Grouped Bar Chart

· Singe Group Bar Chart

· Stacked Bar Chart

Summary:

· Multi-group Summary Table

· Single Group Summary Table

Line:

· Multi-line Chart

· Single Line Chart

List:

· Table

Table columns

Specify columns for the table. If you select Table as the primary display of the data, this

configures that table. If you select a type of chart as the primary display of data, this configures

the drill-down table.

Query results displayed in a table are actionable. For example, if the table is populated with

systems, you can deploy or wake up agents on those systems directly from the table.

Filters

Specify criteria by selecting properties and operators to limit the data retrieved by the query.

Creating custom queries

Use this task to create custom queries with the Query Builder wizard. You can query on system

properties, product properties, many of the log files, repositories, and more.

1. Click Menu | Reporting | Queries, then click Actions | New Query. The Query Builder wizard opens.

2. On the Result Type page, select the Feature Group and Result Type for this query, then click Next. The Chart page appears.
NOTE: This choice determines the options available on subsequent pages of the wizard.

3. Select the type of chart or table to display the primary results of the query, then click Next. The Columns page appears.
NOTE: If you select Boolean Pie Chart, you must configure the criteria to include in the query.

4. Select the columns to be included in the query, then click Next. The Filter page appears.
NOTE: If you selected Table on the Chart page, the columns you select here are the columns of that table. Otherwise, these are the columns that make up the query details table.

5. Select properties to narrow the search results, then click Run. The Unsaved Query page displays the results of the query, which is actionable, so you can take any available actions on items in any tables or drill-down tables.
NOTE: Selected properties appear in the content pane with operators that can specify criteria used to narrow the data that is returned for that property.

1. If the query didn’t appear to return the expected results, click Edit Query to go back to the Query Builder and edit the details of this query.

2. If you don’t need to save the query, click Close.

3. If this is a query you want to use again, click Save and continue to the next step.

6. The Save Query page appears. Type a name for the query, add any notes, and select one of the following:

1. New Group — Type the new group name and select either:

1. Private group (My Groups)

2. Public group (Shared Groups)

2. Existing Group — Select the group from the list of Shared Groups.

7. Click Save.

Running an existing query

Use this task to run an existing query from the Queries page.

1. Click Menu | Reporting | Queries, then select a query from the Queries list.

2. Click Actions | Run. The query results appear. Drill down into the report and take actions on items as necessary. Available actions depend on the permissions of the user.

3. Click Close when finished.

Running a query on a schedule

Use this task to create and schedule a server task that runs a table-based (list chart type) query

and takes actions on the query results.

1. Click Menu | Automation | Server Tasks, then click Actions | New Task. The Server Task Builder wizard opens.

2. On the Description page, name and describe the task, then click Next. The Actions page appears.

3. From the Actions drop-down menu, select Run Query.

4. In the Query field, browse to the table-based query you want to run.

5. Select the language in which to display the results.

6. From the Sub-Actions list, select an action to take based on the results. Available actions depend on the permissions of the user, and include:

1. Add to System Tree — Specifies the systems selected from the query to be added to the System Tree.

2. Apply Tag — Applies a specified tag to all systems (that are not excluded from the tag) in the query results. This option is valid only for queries that result in a table of systems.

3. Assign Policy — Assigns a specified policy to all systems in the query results. This option is valid only for queries that result in a table of systems.

4. Change Sorting Status — Enables or disables System Tree sorting on all systems in the query results. This option is valid only for queries that result in a table of systems.

5. Clear Agent GUID Sequence Error Count — Clears the agent GUID sequence count found by the query.

6. Clear Tag — Removes a specified tag from all systems in the query results. This option is valid only for queries that result in a table of systems.

7. Delete Sensor — Specifies the sensor selected from the query to be deleted.

8. Delete Systems — Specifies the systems selected from the query to be deleted.

9. Detected System Exceptions — Specifies what to do with the system exceptions detected by the query.

10. Email File — Sends the results of the query to a specified recipient, in a user-configured format (PDF, XML, CSV, or HTML).

11. Exclude Tag — Excludes a specified tag from all systems in the query results. This option is valid only for queries that result in a table of systems.

12. Export to File — Exports the query results to a specified format. The exported file is placed in a location specified in the Printing and Exporting server settings.

13. Generate Compliance Event — Generates an event based on a percentage or actual number threshold of systems that do not match the criteria in the query. This action is intended for compliance-based Boolean pie chart queries that retrieve data on managed systems (for example, the McAfee Agent and VirusScan Enterprise Compliance Summary default queries).

14. Install Rogue Sensor — Specifies when to install a Rogue System Sensor when the query detects the system.

15. Move Agent GUID to Duplicate List — Moves an agent GUID to the duplicate list when it is discovered by the query.

16. Move System to Another Group — Moves all systems in the query results to a group in the System Tree. This option is valid only for queries that result in a table of systems.

17. Push Agents for Windows — Uses push technology to move agents for Windows that are detected by the query.

18. Remove Rogue Sensor — Removes the Rogue System Sensor detected by the query.

19. Repository Replication — Replicates master repository contents to the distributed repositories in the query results. This is valuable for queries that return a list of out-of-date repositories (for example, the Distributed Repository Status default query). This option is valid only for queries that result in a table of distributed repositories.

20. Resort Systems — Resorts the systems found by the query.

21. Sensor Blacklist Management — Allows editing of the sensor blacklist systems detected by the query.

22. Set System Description — Allows adding a description and four custom fields.

23. Transfer Systems — Allows moving systems detected by the query within the System Tree.

24. Update Agents — Distributes and updates agents detected by the query.

25. Wake Up Agents — Sends a wake-up call to specified systems.
NOTE:<span style="color: #0000ff" /> You are not limited to selecting one action for the query results. Click the + button to add additional actions to take on the query results. Be careful to ensure you place the actions in the order you want them to be taken on the query results.

7. Click Next. The Schedule page appears.

8. Schedule the task as desired, then click Next. The Summary page appears.

9. Verify the configuration of the task, then click Save.

The task is added to the list on the Server Tasks page. If the task is enabled (by default), it runs at the next scheduled time. If the task is disabled, it only runs by clicking Run next to the task on the Server Tasks page.

Making a personal query group

Use this task to make personal query groups that allow you to save personal queries that you

create.

NOTE: You can also create personal query groups during the process to save a custom query.

Before you begin

You must have appropriate permissions to perform this task.

1. Click Menu | Reporting | Queries, then click Group Actions | New Group. The New Group page appears.

2. Type a group name.

3. From Group Visibility, select one of the following:

1. Private group — Adds the new group under My Groups.

2. Public group — Adds the new group under Shared Groups.

3. By permission — Adds the new group under Shared Groups. Users with the following default permissions can view the results:

1. Executive Reviewer — Only users designated as an Executive Reviewer can view the results.

2. Global Reviewer — Only users designated as a Global Reviewer can view the results.

3. Group Admin — Only users designated as a Group Admin can view the results.

4. Group Reviewer — Only users designated as a Group Reviewer can view the results.NOTE: Global Administrators have full access to all By permission queries.TIP: You can also specify any custom user permission sets in your environment.

4. Click Save.

Making existing personal queries public

Use this task to make personal queries public. All users with permissions to public queries have

access to any personal queries you make public.

Before you begin

You must have appropriate permissions to perform this task.

1. Click Menu | Reporting | Queries. In the Queries list, select the query you want to make public and click Actionsand select either:

2. Move to Different Group — Select the desired shared group from the Select target group menu.

3. Duplicate — Specify a new name and select the desired share group from the Group to receive copy menu. NOTE: The public group must be created before performing this task.

4. Click OK.

Duplicating queries

Use this task to create a query based on an existing query.

1. Click Menu | Reporting | Queries. From the list, select a query to duplicate and click Actions |Duplicate. The Duplicate dialog box appears.

2. Type a name for the duplicate and select a group to receive a copy of the query, then click OK.

Exporting query results to other formats

Use this task to export query results for other purposes. You can export to HTML and PDF files

for viewing formats, or to CSV or XML files for using and transforming the data in other

applications.

1. Click Menu | Reporting | Queries then select the query or multiple queries to export.NOTE: You can also, run the query from the Queries page and click Options | Export Data from the query results page to access the Export page.

2. Click Actions | Export Data. The Export page appears.

3. Select what to export. For chart-based queries, select either Chart data only or Chart data and drill-down tables.

4. Select whether the data files are exported individually or in a single archive (zip) file.

5. Select the format of the exported file. If exporting to a PDF file, configure the following:

1. Select the Page size and Page orientation.
Optionally select:

2. Show filter criteria.

3. Include a cover page with these text and include the needed text. Select whether the files are emailed as attachments to selected recipients, or they are saved to a location on the server to which a link is provided. You can open or save the file to another location by right-clicking it. NOTE: When typing multiple email addresses for recipients, you must separate entries with a comma or semicolon.

1. Click Export.

The files are created and either emailed as attachments to the recipients, or you are taken to

a page where you can access the files from links.

Creating a query to define compliance

Use this task to specify the properties to be included in a query to define compliance for

Compliance History reporting.

1. Click Menu | Reporting | Queries , then click Actions | New Query. The Query Builder wizard opens.

2. On the Result Type page, select System Management as Feature Group, and select Managed Systems as Result Types, then click Next. The Chart page appears.

3. Select Boolean Pie Chart from the Display Result As list, then click Configure Criteria. The Configure Criteria page appears.

4. Select the properties to include in the query, then set the operators and values for each property. Click OK. When the Chart page appears, click Next. The Columns page appears.
NOTE: These properties define what is compliant for systems managed by this ePO server.

5. Select the columns to be included in the query, then click Next.

6. Select any filters to be applied to the query, click Run, then click Save.

Generating compliance events

Use this task to create a Run Query server task using the information that defines compliance.

1. Click Menu | Automation | Server Tasks , then click Actions | New Task. The Server Task Builder wizard opens.

2. On the Description page, type a name for the new task, then click Next. The Actions page appears.

3. From the Actions drop-down menu, select Run Query.

4. Click browse (...) next to the Query field and select a query. The Select a query from the list dialog box appears with the My Groups tab active.

5. Select the compliance-defining query. This could be a default query, such as McAfee Agent and VirusScan Enterprise (for Windows) Compliance Summary in the Shared Groups section, or a user-created query, such as one described in Creating a query to define compliance.

6. From the Sub-Actions drop-down menu, select Generate Compliance Event and specify the percentage or number of target systems, then click Next. The Schedule page appears.
NOTE: Events can be generated by the generate compliance event task if noncompliance rises above a set percentage or set number of systems.

7. Schedule the task for the time interval needed for Compliance History reporting. For example, if compliance must be collected on a weekly basis, schedule the task to run weekly. Click Next. The Summary page appears.

8. Review the details, then click Save.

Figure 1

Query Display Page This page displays all the queries you have access to.

Figure 2

New Query Result Type

Managed Systems is used for the majority of the query builds.

Figure 3

New Query Chart Options

Select the type of chart you wish to be displayed when the query is ran.

Tip: You must select table chart if the task is going to be used for an automated task.

Figure 4

New Query Columns Selection

Here you select the items for the query to pull that would be included in the export or if you drilled down in a Dashboard chart using this query.

Figure 5

New Query Filter Selections

Here you select query options to narrow down the listed that is pulled from the EPO database to exactly what systems you wish to be included in the chart. When done select run.

Figure 6

Run Query

When a query is run the chart is displayed. To make changes to the query select Edit Query. When saticfied with the results or to change the name of an existing query; select save and enter the name and description for the query.

McAfee EPO Server Threat Event Log

Description

Use the Threat Event Log to quickly view and sort through events in the database. The log can be purged only by age. You can choose which columns are displayed in the sortable table. You can choose from a variety of event data to use as columns. Depending on which products you are managing, you can also take certain actions on the events. Actions are available in the Actions menu at the bottom of the page.

Common event format

Most managed products now use a common event format. The fields of this format can be used as columns in the Threat Event Log. These include:

· Action Taken — Action that was taken by the product in response to the threat.

· Agent GUID — Unique identifier of the agent that forwarded the event.

· DAT Version — DAT version on the system that sent the event.

· Detecting Product Host Name — Name of the system hosting the detecting product.

· Detecting Product ID — ID of the detecting product.

· Detecting Product IPv4 Address — IPv4 address of the system hosting the detecting product (if applicable).

· Detecting Product IPv6 Address — IPv6 address of the system hosting the detecting product (if applicable).

· Detecting Product MAC Address — MAC address of the system hosting the detecting product.

· Detecting Product Name — Name of the detecting managed product.

· Detecting Product Version — Version number of the detecting product.

· Engine Version — Version number of the detecting product’s engine (if applicable).

· Event Category — Category of the event. Possible categories depend on the product.

· Event Generated Time (UTC) — Time in Coordinated Universal Time that the event was detected.

· Event ID — Unique identifier of the event.

· Event Received Time (UTC) — Time in Coordinated Universal Time that the event was received by the ePO server.

· File Path — File path of the system which sent the event.

· Host Name — Name of the system which sent the event.

· IPv4 Address — IPv4 address of the system which sent the event. Reporting On System Status

· IPv6 Address — IPv6 address of the system which sent the event.

· MAC Address — MAC address of the system which sent the event.

· Network Protocol — Threat target protocol for network-homed threat classes.

· Port Number — Threat target port for network-homed threat classes.

· Process Name — Target process name (if applicable).

· Server ID — Server ID which sent the event.

· Threat Name — Name of the threat.

· Threat Source Host Name — System name from which the threat originated.

· Threat Source IPv4 Address — IPv4 address of the system from which the threat originated.

· Threat Source IPv6 Address — IPv6 address of the system from which the threat originated.

· Threat Source MAC Address — MAC address of the system from which the threat originated.

· Threat Source URL — URL from which the threat originated.

· Threat Source User Name — User name from which the threat originated.

· Threat Type — Class of the threat.

· User Name — Threat source user name or email address.

Working with the Threat Event Log

Use these tasks to view and purge the Threat Event Log

Viewing the Threat Event Log

Use this task to view the Threat Event Log.

Before you begin

You must have appropriate permissions to perform this task.

1. Click Menu | Reporting | Threat Event Log.

2. Click any of the column titles to sort the events. You can also click Actions | Choose Columns and the Select Columns to Display page appears.

3. From the Available Columns list, select different table columns that meet your needs, then click Save.

4. Select events in the table, then click Actions and select Show Related Systems to see the details of the systems that sent the selected events.

Purging Threat Events

Use this task to purge Threat Event records from the database. Purging Threat Event records deletes them permanently.

Before you begin

You must have appropriate permissions to perform this task.

1. Click Menu | Reporting | Threat Event Log.

2. Click Actions | Purge.

3. In the Purge dialog box, next to Purge records older than, type a number and select a time unit.

4. Click OK.

Records older than the specified age are deleted permanently.

Purging the Threat Event Log on a schedule

Use this task to purge the Threat Event Log with a scheduled server task.

Before you begin

You must have appropriate permissions to perform this task.

1. Click Menu | Automation | Server Tasks, then click Actions | New Task. The Server Task Builder wizard opens to the Description page.

2. Name, describe the task, and click Enabled after Schedule Status.

3. Click Next. The Actions page appears.

4. Select Purge Threat Event Log from the drop-down list.

5. Select whether to purge by age or from a queries results. If you purge by query, you must pick a query that results in a table of events.

6. Click Next. The Schedule page appears.

7. Schedule the task as needed, then click Next. The Summary page appears.

8. Review the task’s details, then click Save.

Figure 1

Threat Event Log

This page displays all the known threats reported from the clients to the EPO server. It defaults to displaying the last day of data. From the Filter dropdown box Hour, Day, Week, Month, Quarter and Year can be selected. Custom queries can be created to pull this information with different filters. Also, the list can be filtered by selecting the Advanced Filter hyperlink in the upper left of the screen.

McAfee EPO Server Policies and Client Tasks

Description

The McAfee EPO server manages all the settings for the McAfee clients on our systems. This includes things like exclusions, client update intervals, log settings, protection settings and so forth. These policies and client tasks are how these settings for one or many of the managed systems are changed.

Policies and Client Tasks

Managing products from a single location is a central feature of ePolicy Orchestrator and is accomplished through the combination of product policies and client tasks. Policies ensure a product’s features are configured correctly, while client tasks are the scheduled actions that run on the managed systems hosting any client-side software.

Configuring Policies for the First Time

When configuring policies and tasks for the first time:

1. Plan product policies and client tasks for the segments of your System Tree.

2. Create and assign policies to groups and systems.

3. Create and assign client tasks to groups and systems.

Product Extensions

Extensions are zip files you install on the ePO server to manage another security product in your environment. The extensions contain the files, components, and information necessary to manage such a product. Extensions replace the NAP files of previous releases.

Functionality that extensions add

When a managed product extension is installed, added functionality can include:

· Policy pages

· Server tasks

· Client tasks

· Default queries

· New result types, chart types, and properties to select with the Query Builder wizard

· Default Dashboards and dashboard monitors

· Feature permissions that can be assigned to user accounts

· Additional product-specific functionality

Where extension files are located

Some product extensions are installed automatically when ePolicy Orchestrator is installed. For products whose extensions are not installed by default, see the product documentation for the extension name and location on the product CD or in the product download.

Policy management

A policy is a collection of settings that you create, configure, then enforce. Policies ensure that the managed security software products are configured and perform accordingly.

Some policy settings are the same as the settings you configure in the interface of the product installed on the managed system. Other policy settings are the primary interface for configuring the product or component. The ePolicy Orchestrator console allows you to configure policy settings for all products and systems from a central location.

Policy categories

Policy settings for most products are grouped by category. Each policy category refers to a specific subset of policy settings. Policies are created by category. In the Policy Catalog page, policies are displayed by product and category. When you open an existing policy or create a new policy, the policy settings are organized across tabs.

Where policies are displayed

To see all of the policies that have been created per policy category, click Menu | Policy | Policy Catalog, then select aProduct and Category from the drop-down lists. On the Policy Catalog page, users can see only policies of the products to which they have permissions. To see which policies, per product, are applied to a specific group of the System Tree, clickMenu | Systems | System Tree | Assigned Policies page, select a group, then select a Product from the drop-down list.

NOTE: A McAfee Default policy exists for each category. You cannot delete, edit, export or rename these policies, but you can copy them and edit the copy.

How policy enforcement is set

For each managed product or component, choose whether the agent enforces all or none of its policy selections for that product or component. From the Assigned Policies page, choose whether to enforce policies for products or components on the selected group. In the Policy Catalog page, you can view policy assignments, where they are applied, and if

they are enforced. You can also lock policy enforcement to prevent changes to enforcement below the locked node.
If policy enforcement is turned off, systems in the specified group do not receive updated sitelists during an agent-server communication. As a result, managed systems in the group might not function as expected. For example, you might configure managed systems to communicate with Agent Handler A, but with policy enforcement turned off, the managed systems won't receive the new sitelist with this information, so they report to a different Agent Handler listed in an expired sitelist.

When policies are enforced

When you reconfigure policy settings, the new settings are delivered to, and enforced on, the managed systems at the next agent-server communication. The frequency of this communication is determined by the Agent-to-server-communication interval (ASCI) settings on the General tab of the McAfee Agent policy pages, or the McAfee Agent Wakeup client task schedule (depending on how you implement agent-server communication). This interval is set to occur once every 60 minutes by default.

Once the policy settings are in effect on the managed system, the agent continues to enforce policy settings locally at a regular interval. This enforcement interval is determined by the Policy enforcement interval setting on the General tab of the McAfee Agent policy pages. This interval is set to occur every five minutes by default. Policy settings for McAfee products are enforced immediately at the policy enforcement interval, and at each agent-server communication if policy settings have changed.

For Symantec AntiVirus products, there is a delay of up to three minutes after the interval before policies are enforced. The agent first updates the GRC.DAT file with policy information, then the Symantec AntiVirus product reads the policy information from the GRC.DAT file, which occurs approximately every three minutes.

Exporting and importing policies

If you have multiple servers, you can export and import policies between them via XML files. In such an environment, you only need to create a policy once. You can export and import individual policies, or all policies for a given product. This feature can also be used to back up policies if you need to reinstall the server.

Policy sharing

Policy sharing is another way to transfer policies between servers. Sharing policies allows you to manage policies on one server, and use them on many additional servers all through the ePO console. For more information, see Sharing policies among ePO servers.

Policy Application

Policies are applied to any system by one of two methods, inheritance or assignment.

Inheritance

Inheritance determines whether the policy settings and client tasks for a group or system are taken from its parent. By default, inheritance is enabled throughout the System Tree.

When you break this inheritance by assigning a new policy anywhere in the System Tree, all child groups and systems that are set to inherit the policy from this assignment point do so.

Assignment

You can assign any policy in the Policy Catalog to any group or system, provided you have the appropriate permissions. Assignment allows you to define policy settings once for a specific need, then apply the policy to multiple locations. When you assign a new policy to a particular group of the System Tree, all child groups and systems that are set to inherit the policy from this assignment point do so.

Assignment locking

You can lock the assignment of a policy on any group or system, provided you have the appropriate permissions. Assignment locking prevents other users:

· With appropriate permissions at the same level of the System Tree from inadvertently replacing a policy.

· With lesser permissions (or the same permissions but at a lower level of the System Tree) from replacing the policy.

Assignment locking is inherited with the policy settings.

Assignment locking is valuable when you want to assign a certain policy at the top of the System Tree and ensure that no other users replace it anywhere in the System Tree.

Assignment locking only locks the assignment of the policy, but does not prevent the policy owner from making changes to its settings. Therefore, if you intend to lock a policy
assignment, make sure that you are the owner of the policy.

Policy ownership

All policies for products and features to which you have permissions are available from the Policy Catalog page. To prevent any user from editing other users’ policies, each policy is assigned an owner — the user who created it. Ownership provides that no one can modify or delete a policy except its creator or a global administrator. Any user with appropriate permissions can assign any policy in the Policy Catalog page, but only the owner or a global administrator can edit it. If you assign a policy that you do not own to managed systems, be aware that if the owner of the named policy modifies it, all systems where this policy is assigned receive these modifications. Therefore, if you wish to use a policy owned by a different user, McAfee recommends that you first duplicate the policy, then assign the duplicate to the desired locations. This provides you ownership of the assigned policy. You can specify multiple non-global administrator users as owners of a single policy.

Creating Policy Management Queries

Use this task to create either of the following Policy Management queries:

· Applied Policies query — Retrieves policies assigned to a specified managed systems.

· Broken Inheritance query — Retrieves information on policies that are broken in the system hierarchy.

Before you begin

You must have appropriate permissions to perform this task.

1. Click Menu | Reporting | Queries, then click Actions | New Query. The Query Wizard opens.

2. On the Result Type page, select Policy Management from the Feature Group list.

3. Under Result Types, select one of these options, then click Next and the Chart page appears:
• Applied Policies
• Broken Inheritance

4. Select the type of chart or table to display the primary results of the query, then click Next. The Columns page appears.
NOTE: If you select Boolean Pie Chart, you must configure the criteria you want to include in the query.

5. Select the columns to be included in the query, then click Next. The Filter page appears.

6. Select properties to narrow the search results, then click Run. The Unsaved Query page displays the results of the query, which is actionable. You can take any available actions on items in any tables or drill-down tables.
NOTE: Selected properties appear in the content pane with operators that can specify criteria, which narrows the data that is returned for that property.
• If the query didn’t return the expected results, click Edit Query to go back to the Query Builder and edit the details of this query.
• If you don’t need to save the query, click Close.
• If you want to use again this query again, click Save and continue to the next step.

7.   In Save Query page, type a name for the query, add any notes, and select one of the following:
• New Group — Type the new group name and select either:
     • Private group (My Groups)
     • Public group (Shared Groups)
• Existing Group — Select the group from the list of Shared Groups.

8. Click Save.

Client Tasks

ePolicy Orchestrator allows you to create and schedule client tasks that run on managed systems. You can define tasks for the entire System Tree, for a specific group, or for an individual system. Like policy settings, client tasks are inherited from parent groups in the System Tree. Which extension files are installed on your ePO server determines which client tasks are available. Client tasks are commonly used for:

· Product deployment

· Product functionality (for example, the VirusScan Enterprise On-Demand Scan task)

· Upgrades and updates

See the product documentation for your managed products for information and instructions.

Product Extensions

Use this task to install an extension (zip) file. A product’s extension must be installed before ePolicy Orchestrator can manage the product.

Before you begin

You must have appropriate permissions to perform this task.

1. Ensure that the extension file is in an accessible location on the network.

2. Click Menu | Software | Extensions | Install Extension. The Install Extension dialog box appears.

3. Browse to and select the desired extension (zip) file, then click OK.

4. Verify that the product name appears in the Extensions list.

Viewing policy information

Use these tasks to view detailed information about the policies, their assignments, inheritance, and their owners.

Viewing groups and systems where a policy is assigned

Use this task to view the groups and systems where a policy is assigned. This list shows the assignment points only, not each group or system that inherits the policy.

1. Click Menu | Policy | Policy Catalog, then select the desired Product and Category. All created policies for the selected category appear in the details pane.

2. Under Assignments on the row of the desired policy, click the link that indicates the number of groups or systems the policy is assigned to (for example, 6 assignments).

On the Assignments page, each group or system where the policy is assigned appears with its Node Name and Node Type.

Viewing the settings of a policy

Use this task to view the specific settings of a policy.

1. Click Menu | Policy | Policy Catalog, then select the desired Product and Category. All created policies for the selected category appear in the details pane.

2. Click Edit Settings next to the desired policy. The policy pages and their settings appear.
NOTE: You can also view this information when accessing the assigned policies of a specific group. To access this information click Menu | Systems | System Tree | Assigned Policies, then click the link for the selected policy in the Policy column.

Viewing policy ownership

Use this task to view the owners of a policy.

1. Click Menu | Policy | Policy Catalog, then select the desired Product and Category. All created policies for the selected category appear in the details pane.

2. The owners of the policy are displayed under Owner.

Viewing assignments where policy enforcement is disabled

Use this task to view assignments where policy enforcement, per policy category, is disabled.

1. Click Menu | Policy | Policy Catalog, then select the desired Product and Category. All created policies for the selected category appear in the details pane.

2. Click the link next to Product enforcement status, which indicates the number of assignments where enforcement is disabled, if any. The page appears.

3. Click any item in the list to go to its Assigned Policies page.

Viewing policies assigned to a group

Use this task to view the policies assigned to a group.

1. Click Menu | Systems | System Tree | Assigned Policies, then select a group in the System Tree. All assigned policies, organized by product, appear in the details pane.

2. Click any policy to view its settings.

Viewing policies assigned to a specific system

Use this task to view the policies assigned to a specific system.

1. Click Menu | Systems | System Tree | Systems, then select the desired group in the System Tree. All systems belonging to the group appear in the details pane.

2. Select the system, then click Actions | Agent | Modify Policies on a Single System.

3. Select the product. The product’s policies assigned to this system appear.

4. Click any policy to view its settings.

Viewing a group’s policy inheritance

Use this task to view the policy inheritance of a specific group.

1. Click Menu | Systems | System Tree | Assigned Policies. All assigned policies, organized by product, appear in the details pane.

2. The desired policy row, under Inherit from, displays the name of the group from which the policy is inherited.

Viewing and resetting broken inheritance

Use this task to view where policy inheritance is broken.

1. Click Menu | Systems | System Tree | Assigned Policies. All assigned policies, organized by product, appear in the details pane.

2. The desired policy row, under Broken Inheritance, displays the number of groups and systems where this policy’s inheritance is broken.
NOTE: This is the number of groups or systems where the policy inheritance is broken, not the number of systems that do not inherit the policy. For example, if only one group does not inherit the policy, this is represented by 1 doesn’t inherit, regardless of the number of systems within the group.

3. Click the link indicating the number of child groups or systems that have broken inheritance. The View broken inheritance page displays a list of the names of these groups and systems.

4. To reset the inheritance of any of these, select the checkbox next to the name, then click Actions and select Reset Inheritance.

Working with the Policy Catalog

Use these tasks to create and maintain policies from the Policy Catalog page.

Creating a policy from the Policy Catalog page

Use this task to create a new policy from the Policy Catalog. By default, policies created here are not assigned to any groups or systems. When you create a policy here, you are adding a custom policy to the Policy Catalog. You can create policies before or after a product is deployed.

1. Click Menu | Policy | Policy Catalog, then select the Product and Category from the drop-down lists. All created policies for the selected category appear in the details pane.

2. Click Actions | New Policy. The Create New Policy dialog box appears.

3. Select the policy you want to duplicate from the Create a policy based on this existing policy drop-down list.

4. Type a name for the new policy and click OK. The Policy Settings wizard opens.

5. Edit the policy settings on each tab as needed.

6. Click Save.

Duplicating a policy on the Policy Catalog page

Use this task to create a new policy based on an existing one. For example, if you already have a policy that is similar to one you want to create, you can duplicate the existing one, then make the desired changes.

1. Click Menu | Policy | Policy Catalog, then select the Product and Category from the drop-down lists. All created policies for the selected category appear in the details pane.

2. Locate the policy to duplicate, then click Duplicate in that policy’s row. The Duplicate Existing Policy dialog box appears.

3. Type the name of the new policy in the field (for example, Sales Europe), then click OK. The new policy appears on the Policy Catalog page.

4. Click Edit Settings next to the new policy’s name in the list.

5. Edit the settings as needed, then click Save.

Editing a policy’s settings from the Policy Catalog

Use this task to modify the settings of a policy. Your user account must have appropriate permissions to edit policy settings for the desired product.

1. Click Menu | Policy | Policy Catalog, then select the Product and Category from the drop-down lists. All created policies for the selected category appear in the details pane.

2. Locate the desired policy, then click Edit Settings next to it.

3. Edit the settings as needed, then click Save.

Renaming a policy from the Policy Catalog

Use this task to rename a policy. Your user account must have appropriate permissions to edit policy settings for the desired product.

1. Click Menu | Policy | Policy Catalog, then select the Product and Category from the drop-down lists. All created policies for the selected category appear in the details pane.

2. Locate the desired policy, then click Rename/Modify in the desired policy’s row. The Rename/Modify Policy dialog box appears.

3. Type a new name for the existing policy, then click OK.

Deleting a policy from the Policy Catalog

Use this task to delete a policy from the Policy Catalog. When you delete a policy, all groups and systems where it is currently applied inherit the policy of their parent group. Before deleting a policy, review the groups and systems where it is assigned. If you don’t want the group or system to inherit the policy from the parent group, assign a different policy . If you delete a policy that is applied to the My Organization group, the McAfee Default policy of this category is assigned.

1. Click Menu | Policy | Policy Catalog, then select the Product and Category from the drop-down lists. All created policies for the selected category appear in the details pane.

2. Locate the desired policy, then click Delete in the policy’s row.

3. Click OK when prompted.

Working with Policies

Use these tasks to assign and manage the policies in your environment.

Changing the owners of a policy

Use this task to change the owners of a policy. By default, ownership is assigned to the user that created the policy. This task can only be performed by global administrators.

1. Click Menu | Policy | Policy Catalog, then select the Product and Category. All created policies for the selected category appear in the details pane.

2. Locate the desired policy, then click on the Owner of the policy. The Policy Ownership page appears.

3. Select the desired owners of the policy from the list, then click OK.

Moving policies between ePO servers

Use these tasks to move policies between servers. To do this, you must export the policy to an XML file from the Policy Catalog page of the source server, then import it to the Policy Catalog page on the target server.

Exporting a single policy

Use this task to export a policy to an XML file. Use this file to import the policy to another ePO server, or to keep as a backup of the policy.

1. Click Menu | Policy | Policy Catalog, then select the Product and Category from the drop-down lists. All created policies for the selected category appear in the details pane.

2. Locate the desired policy, then click Export next to the policy. The Download File page appears.

3. Right-click the link to download and save the file.

4. Name the policy XML file and save it. If you plan to import this file into a different ePO server, ensure that this location is accessible to the target ePolicy Orchestrator server.

Exporting all policies of a product

Use this task to export all policies of a product to an XML file. Use this file to import the policy to another ePO server, or to keep as a backup of the policies.

1. Click Menu | Policy | Policy Catalog, then select the Product and Category . All created policies for the selected category appear in the details pane.

2. Click Export next to Product policies. The Download File page appears.

3. Right-click the link to download and save the file.

4. Name the policy XML file and save it. If you plan to import this file into a different ePO server, ensure that this location is accessible to the target ePolicy Orchestrator server.

Importing policies

Use this task to import a policy XML file. Regardless of whether you exported a single policy or all named policies, the import procedure is the same.

1. Click Menu | Policy | Policy Catalog, then click Import next to Product policies.

2. Browse to and select the desired policy XML file, then click OK.

3. Select the policies you want to import and click OK. The policies are added to the policy catalog.

Assigning a Policy to a Group of the System Tree

Use this task to assign a policy to a specific group of the System Tree. You can assign policies before or after a product is deployed.

1. Click Menu | Systems | System Tree | Assigned Policies, then select the desired Product. Each assigned policy per category appears in the details pane.

2. Locate the desired policy category, then click Edit Assignment. The Policy Assignment page appears.

3. If the policy is inherited, select Break inheritance and assign the policy and settings below next to Inherited from.

4. Select the desired policy from the Assigned policy drop-down list.
NOTE: From this location, you can also edit the selected policy’s settings, or create a new policy.

5. Choose whether to lock policy inheritance. Locking policy inheritance prevents any systems that inherit this policy from having another one assigned in its place.

6. Click Save.

Assigning a policy to a managed system

Use this task to assign a policy to a specific managed system. You can assign policies before or after a product is deployed.

1. Click Menu | Systems | System Tree | Systems, then select the desired group under System Tree. All the systems within this group (but not its subgroups) appear in the details pane.

2. Select the desired system, then click Actions | Agent | Modify Policies on a Single System. The Policy Assignment page for that system appears.

3. Select the desired Product. The categories of selected product are listed with the system’s assigned policy.

4. Locate the desired policy category, then click Edit Assignments.

5. If the policy is inherited, select Break inheritance and assign the policy and settings below next to Inherited from.

6. Select the desired policy from the Assigned policy drop-down list.
NOTE: From this location, you can also edit settings of the selected policy, or create a new policy.

7. Choose whether to lock policy inheritance. Locking policy inheritance prevents any systems that inherit this policy from having another one assigned in its place.

8. Click Save.

Assigning a policy to multiple managed systems within a group

Use this task to assign a policy to multiple managed systems within a group. You can assign policies before or after a product is deployed.

1. Click Menu | Systems | System Tree | Systems, then select the desired group in the System Tree. All the systems within this group (but not its subgroups) appear in the details pane.

2. Select the desired systems, then click Actions | Agent | Set Policy & Inheritance.

3. Select the Product, Category, and Policy from the drop-down lists, then click Save.

Enforcing policies for a product on a group

Use this task to enable or disable policy enforcement for a product on a System Tree group. Policy enforcement is enabled by default, and is inherited in the System Tree.

1. Click Menu | Systems | System Tree | Assigned Policies, then select the desired group in the System Tree.

2. Select the desired Product, then click the link next to Enforcement Status. The Enforcement page appears.

3. To change the enforcement status you must first select Break inheritance and assign the policy and settings below.

4. Next to Enforcement status, select Enforcing or Not enforcing accordingly.

5. Choose whether to lock policy inheritance. Locking inheritance for policy enforcement prevents breaking enforcement for groups and systems that inherit this policy.

6. Click Save.

Enforcing policies for a product on a system

Use this task to enable or disable policy enforcement for a product on a system. Policy enforcement is enabled by default, and is inherited in the System Tree.

1. Click Menu | Systems | System Tree | Systems, then select the group under System Tree where the system belongs. The list of systems belonging to this group appears in the details pane.

2. Select the desired system, then click Actions | Modify Policies on a Single System.

3. Select the desired Product, then click Enforcing next to Enforcement status.

4. If you want to change the enforcement status you must first select Break inheritance and assign the policy and settings below.

5. Next to Enforcement status, select Enforcing or Not enforcing accordingly.

6. Click Save.

Copying and pasting assignments

Use these tasks to copy and paste policy assignments from one group or system to another. This is an easy way to share multiple assignments between groups and systems from different portions of the System Tree.

Copying policy assignments from a group

Use this task to copy policy assignments from a group in the System Tree.

1. Click Menu | Systems | System Tree | Assigned Policies, then select the desired group in the System Tree.

2. Click Actions | Copy Assignments.

3. Select the products or features for which you want to copy policy assignments, then click OK.

Copying policy assignments from a system

Use this task to copy policy assignments from a specific system.

1. Click Menu | Systems | System Tree | Systems, then select the desired group in the System Tree. The systems belonging to the selected group appear in the details pane.

2. Select the desired system, then click Actions | Agent | Modify Policies on a Single System.

3. Click Actions | Copy Assignments, select the desired products or features for which you want to copy policy assignments, then click OK.

Pasting policy assignments to a group

Use this task to paste policy assignments to a group. You must have already copied policy assignments from a group or system.

1. Click Menu | Systems | System Tree | Assigned Policies, then select the desired group in the System Tree.

2. In the details pane, click Actions and select Paste Assignments. If the group already has policies assigned for some categories, the Override Policy Assignments page appears.
NOTE: When pasting policy assignments, an extra policy appears in the list (Enforce Policies and Tasks). This policy controls the enforcement status of other policies.

3. Select the policy categories you want to replace with the copied policies, then click OK.

Pasting policy assignments to a specific system

Use this task to paste policy assignments to a specific system. You must have already copied policy assignments from a group or system.

1. Click Menu | Systems | System Tree | Systems, then select the desired group in the System Tree. All of the systems belonging to the selected group appear in the details pane.

2. Select the system where you want to paste policy assignments, then click Actions | Agent | Modify Policies on a Single System.

3. In the details pane, click Actions | Paste Assignment. If the system already has policies assigned for some categories, the Override Policy Assignments page appears.
NOTE: When pasting policy assignments, an extra policy appears in the list (Enforce Policies and Tasks). This policy controls the enforcement status of other policies.

4. Confirm the replacement of assignments.

Working with Client Tasks

Use these tasks to create and maintain client tasks.

Creating and scheduling client tasks

Use this task to create and schedule a client task. The process is similar for all client tasks.

1. Click Menu | Systems | System Tree | Client Tasks, select the desired group in the System Tree, then clickActions | New Task. The Client Task Builder wizard opens.

2. Type a name for the task you are creating, add any notes, then select the product task type from the drop-down lists, for example, Product Update.

3. Specify any tags to use with this task and click Next.

Configure the settings, then click Next. The Schedule page appears.

1. Configure the schedule details as needed, then click Next.

2. Review the task settings, then click Save. The task is added to the list of client tasks for the selected group and any group that inherits the task.

Editing client tasks

Use this task to edit a client task’s settings or to schedule information for any existing task.

1. Click Menu | Systems | System Tree | Client Tasks, then select the group where the desired client task was in the System Tree.

2. Click Edit Settings next to the task. The Client Task Builder wizard opens.

3. Edit the task settings as needed, then click Save.

The managed systems receive these changes the next time the agents communicate with the server.

Deleting client tasks

Use this task to delete unneeded client tasks. You can delete any client task you have created.

1. Click Menu | Systems | System Tree | Client Tasks, then select the group where the desired client task was created in the System Tree.

2. Click Delete next to the desired client task.

3. Click OK.

Figure 1

Policy Catalog
This page displays all of the current product policies. This is where settings for VirusScan Enterprise and Groupshield are configured. Select the product and category for the policies specific to those clients.

Figure 2

VSE 8.7 On-Access Exclusions
This page is where VirusScan Enterprise 8.7 managed clients On-Access exclusions are configured. This policy affects all managed systems. Select Workstation or Server from the Settings dropdown box, Exclusions and then add or edit to change these settings

Figure 3

Client Tasks
This page is where you can view or edit client tasks. Client tasks only work on managed systems. Meaning systems that already have the McAfee EPO Agent installed and working. It can be an older version, but it must be functioning. Thus, fresh installations of the McAfee EPO Agent CAN NOT be done with a client task. Also, client tasks can only be created for McAfee software that the EPO server has product extensions added. Also only software packages that have been added to the repository can be deployed with a client task.

Add an Exclusion for McAfee VSE Policy on EPO Server

Steps

Research Need

Frequently the requester doesn't know exactly what they need. Communicate with the requester to discover the need. Then apply common since to formulate a solid solution that can be applied to all systems for ease of administration.

Example

Request: Customer asks to have control to disable the VSE client because it's slowing their software builds down.

Possible Solution: Ask them to use a uniquely named directory to do the builds and apply and exclusion to that folder.

Check Current Exclusions

At times an matching exclusion is already in place. Check the SharePoint document first to know if it's already in place.

Exclusions Syntax

* = wildcard

*\ = root of any partition or device

**\ = any directory level on any partition or device

Examples

*\Program Files\ = C:\Program Files, D:\Program Files etc.

*\Program Files*\ = C:\Program Files, D:\Program Files, C:\Program Files (x86) etc.

**\source\ = C:\source, C:\Program Files\source, H:\dev\testing\code\temp\source etc.

**\*visual studio*\ = C:\Program Files (x86)\Microsoft Visual Studio 8 etc.

Apply Exclusions

If there is not an exclusion in place already then follow these steps to add one:

1. Login to McAfee EPO web console

2. Select Menu | Policy | Policy Catalog

3. Select Product: VirusScan Enterprise 8.7.0

4. Select Category: On-Access Default Processes Policies

5. Select My Default | Edit Settings

6. Chose Settings for | Workstation or Server

7. Select Exclusions tab

8. Select Add...

9. Enter Exclusion Syntax

10. OK

11. Select Save

1. Bottom Right

Tips

· To speed up the process of getting the exclusion to the client do the following:

1. Search for the client in the Search Dashboard by hostname or IP address

2. Select the host or hosts with the checkbox

3. Select Actions \ Agent \ Wake Up Agents

4. Select OK

· To watch the update status of the client do the following:

1. Search for the client in the Search Dashboard by hostname or IP address

2. Select the host or hosts with the checkbox

3. Select Actions \ Agent \ Show Agent Log

4. Refresh the web browse page to see updates

· Be sure to have a trailing backslash when excluding a directory.

Figure 1

Add Exclusion
To exclude a directory named "someprogram" and all it's sub-directories: C:\Program Files (x86)\Someprogram The syntax to include any partition (drive letter) would be: *\Program Files*\Someprogram\Plus check the box to exclude sub folders

McAfee EPO Server Tasks

Description

EPO Server Tasks accomplish several actions. There are a lot of prebuilt task actions including purging old data from the database and Active Directory synchronization. Custom tasks for system management can be created by using built queries. This includes the creation of audit reports that are emailed based on the set schedule.

The most frequent uses for Server Task include software repository updates, client system management, EPO server database maintainance, domain synchronizations, unique tag management, emailing reports and can be used to deploy the McAfee Agent.

Creating a New Task

The three configuration pages for creating a new server task are the following:

· Description

· Actions

· Schedule

See Figure 2

Steps

Note: If you plan to create a server task based on a custom query it will need to be created before making the server task.

1. Login to the EPO web console

2. Select Menu\Automation\Server Tasks
Server Tasks
This page displays all the currently created automated tasks. This is where you can edit tasks or create new.

3. Select New Task

Enter a Name and Description for the Task
Figure 2

New Task
This is the first of three pages of the for creating a New Task

4. Next

5. Select Actions

1. For a lot of the server tasks the default "Run Query" will be what you want to select.

6. Select Query browse button

7. Select My Groups (Private) or Shared Groups (Public)

Select the appropriate query from the list
Figure 3

Select Query
Select the appropriate query from the list. There is a My Groups (private) and Shared Groups (public) tab at the top of the poppup window.

8. Select the Sub-Actions and associated settings

9. Next

10. Set Schedule

Figure 4

11. Actions
Set the actions or what to do with the list of systems pulled by the query.

Figure 5

Schedule
Set the frequency and time to run the server task.

McAfee EPO Server Repositories

Description

Security software is only as effective as the latest installed updates. For example, if your DAT files are out-of-date, even the best anti-virus software cannot detect new threats. It is critical that you develop a robust updating strategy to keep your security software as current as possible.

ePolicy Orchestrator repository architecture offers flexibility to ensure that deploying and updating software is as easy and automated as your environment allows. Once your repository infrastructure is in place, create update tasks that determine how, where, and when your software is updated.

Repository types and what they do

To deliver products and updates throughout your network, ePolicy Orchestrator offers several types of repositories that create a robust update infrastructure when used together. These provide the flexibility to develop an updating strategy to ensure your systems stay up-to-date.

Master repository

The master repository maintains the latest versions of security software and updates for your environment. This repository is the source for the rest of your environment.

The master repository is configured when ePolicy Orchestrator is installed. However, you must ensure that proxy server settings are configured correctly. By default, ePolicy Orchestrator uses Microsoft Internet Explorer proxy settings.

Distributed repositories

Distributed repositories host copies of your master repository’s contents. Consider using distributed repositories and placing them throughout your network strategically to ensure

managed systems are updated while network traffic is minimized, especially across slow connections.

As you update your master repository, ePolicy Orchestrator replicates the contents to the distributed repositories.

Replication can occur:

· Automatically when specified package types are checked in to the master repository, as long as global updating is enabled.

· On a recurring schedule with Replication tasks.

· Manually, by running a Replicate Now task.

A large organization can have multiple locations with limited bandwidth connections between them. Distributed repositories help reduce updating traffic across low bandwidth connections, or at remote sites with a large number of client systems. If you create a distributed repository in the remote location and configure the systems within that location to update from this distributed repository, the updates are copied across the slow connection only once — to the distributed repository — instead of once to each system in the remote location.

If global updating is enabled, distributed repositories update managed systems automatically, as soon as selected updates and packages are checked in to the master repository. Update tasks are not necessary. However, you do need to be running SuperAgents in your environment if you want automatic updating. You must still create and configure repositories and the update tasks.

CAUTION: If distributed repositories are set up to replicate only selected packages, your newly checked-in package is replicated by default. To avoid replicating a newly checked-in package, deselect it from each distributed repository or disable the replication task before checking in the package. For additional information, see Avoiding replication of selected packages and Disabling replication of selected packages.

Source site

The source site provides all updates for your master repository. The default source site is the McAfeeHttp update site, but you can change the source site or create multiple source sites if you require. McAfee recommends using the McAfeeHttp or McAfeeFtp update sites as your source site.

NOTE: Source sites are not required. You can download updates manually and check them in to your master repository. However, using a source site automates this process.

McAfee posts software updates to these sites regularly. For example, DAT files are posted daily. Update your master repository with updates as they are available.

Use pull tasks to copy source site contents to the master repository. McAfee update sites provide updates to detection definition (DAT) and scanning engine files,

as well as some language packs. You must check in all other packages and updates, including service packs and patches, to the master repository manually.

Fallback site

The fallback site is a source site that’s been enabled as the backup site, from which managed systems can retrieve updates when their usual repositories are inaccessible. For example, when network outages or virus outbreaks occur, accessing the established location might be difficult.

Therefore, managed systems can remain up-to-date in such situations. The default fallback site is the McAfeeHttp update site. You can enable only one fallback site.

If managed systems use a proxy server to access the Internet, you must configure agent policy settings for those systems to use proxy servers when accessing this fallback site.

Types of distributed repositories

ePolicy Orchestrator supports four types of distributed repositories. Consider your environment and needs when determining which type of distributed repository to use. You are not limited to using one type, and might need several, depending on your network.

SuperAgent repositories

Use systems hosting SuperAgents as distributed repositories. SuperAgent repositories have several advantages over other types of distributed repositories:

· Folder locations are created automatically on the host system before adding the repository to the repository list.

· File sharing is enabled automatically on the SuperAgent repository folder.

· SuperAgent repositories don’t require additional replication or updating credentials — account permissions are created when the agent is converted to a SuperAgent.

Although functionality of SuperAgent broadcast wake-up calls requires a SuperAgent in each broadcast segment, this is not a requirement for functionality of the SuperAgent

repository. Managed systems only need to “see” the system hosting the repository.

FTP repositories

You can use an FTP server to host a distributed repository. Use FTP server software, such as Microsoft Internet Information Services (IIS), to create a new folder and site location for the distributed repository. See your web server documentation for details.

HTTP repositories

You can use an HTTP server to host a distributed repository. Use HTTP server software, such as Microsoft IIS, to create a new folder and site location for the distributed repository. See your web server documentation for details.

UNC share repositories

You can create a UNC shared folder to host a distributed repository on an existing server. Be sure to enable sharing across the network for the folder, so that the ePO server can copy files to it and agents can access it for updates.

Unmanaged repositories

If you are unable to use managed distributed repositories, ePolicy Orchestrator administrators can create and maintain distributed repositories that are not managed by ePolicy Orchestrator. If a distributed repository is not managed, a local administrator must keep it up-to-date manually.

Once the distributed repository is created, use ePolicy Orchestrator to configure managed systems of a specific System Tree group to update from it.

<span style="color: #ff0000" />Refer to Enabling the agent on unmanaged McAfee products so that they work with ePolicy Orchestrator for configuration of unmanaged systems.

TIP: McAfee recommends that you manage all distributed repositories through ePolicy Orchestrator. This and using global updating, or scheduled replication tasks frequently, ensures your managed environment is up-to-date. Use unmanaged distributed repositories only if your network or organizational policy do not allow managed distributed repositories.

Repository branches and their purposes

ePolicy Orchestrator provides three repository branches, allowing you to maintain three versions of all packages in your master and distributed repositories. The repository branches are Current, Previous, and Evaluation. By default, ePolicy Orchestrator uses only the Current branch. You can specify branches when adding packages to your master repository. You can also specify branches when running or scheduling update and deployment tasks, to distribute different versions to different parts of your network.

Update tasks can retrieve updates from any branch of the repository, but you must select a branch other than the Current branch when checking in packages to the master repository. If a non-Current branch is not configured, the option to select a branch other than Current does not appear.

To use the Evaluation and Previous branches for packages other than updates, you must configure this in the Repository Packages server settings. Agent versions 3.6 and earlier can retrieve update packages only from the Evaluation and Previous branches.

Current branch

The Current branch is the main repository branch for the latest packages and updates. Product deployment packages can be added only to the Current branch, unless support for the other branches has been enabled.

Evaluation branch

You might want to test new DAT and engine updates with a small number of network segments or systems before deploying them to your entire organization. Specify the Evaluation branch when checking in new DATs and engines to the master repository, then deploy them to a small number of test systems. After monitoring the test systems for several hours, you can add the new DATs to your Current branch and deploy them to your entire organization.

Previous branch

Use the Previous branch to save and store prior DAT and engine files before adding the new ones to the Current branch. In the event that you experience an issue with new DAT or engine files in your environment, you have a copy of a previous version that you can redeploy to your systems if necessary. ePolicy Orchestrator saves only the most immediate previous version of each file type. You can populate the Previous branch by selecting Move existing packages to Previous branchwhen you add new packages to your master repository. The option is available when you pull updates from a source site and, when you manually check in packages to the Current branch.

Repository list file and its uses

The repository list (SiteList.xml and SiteMgr.xml) file contains the names of all the repositories you are managing. The repository list includes the location and encrypted network credentials that managed systems use to select the repository and retrieve updates. The server sends the repository list to the agent during agent-server communication.

If needed, you can export the repository list to external files (SiteList.xml or SiteMgr.xml).

Use an exported SiteList.xml file to:

· Import to an agent during installation.

Use an exported SiteMgr.xml file to:

· Backup and restore your distributed repositories and source sites if you need to reinstall the server.

· Import the distributed repositories and source sites from a previous installation of ePolicy Orchestrator.

Master Repository

McAfee EPO Server System Tree

Description

The EPO console System Tree is where all the host objects reside for managed and unmanaged systems. The source of the unmanaged systems generally is from automated Active Directory synchronizations or systems that at one time in the last two weeks were managed and communicating with the EPO server.

The System Tree

The System Tree organizes managed systems in units for monitoring, assigning policies, scheduling tasks, and taking actions.

Groups

The System Tree is a hierarchical structure that allows you to combine your systems within units called groups.

Groups have these characteristics:

· Groups can be created by global administrators or users with the appropriate permissions.

· A group can include both systems and other groups.

· Groups are administered by a global administrator or a user with appropriate permissions.

Grouping systems with similar properties or requirements into these units allows you to manage policies for systems in one place, rather than setting policies for each system individually. As part of the planning process, consider the best way to organize systems into groups prior to building the System Tree.

Lost&Found group

The System Tree root (My Organization) includes a Lost&Found group. Depending on the methods for creating and maintaining the System Tree, the server uses different characteristics to determine where to place systems. The Lost&Found group stores systems whose locations could not be determined.

The Lost&Found group has these characteristics:

· It can't be deleted.

· It can't be renamed.

· Its sorting criteria can't be changed from being a catch-all group (although you can provide sorting criteria for the subgroups you create within it.)

· It always appears last in the list and is not alphabetized among its peers.

· Users must be granted permissions to the Lost&Found group to see the contents of Lost&Found.

· When a system is sorted into Lost&Found, it is placed in a subgroup named for the system’s domain. If no such group exists, one is created.
CAUTION: If you delete systems from the System Tree, be sure you select the option to remove their agents. If the agent is not removed, deleted systems reappear in the Lost&Found group because the agent continues to communicate to the server.

Inheritance

Inheritance is an important property that simplifies policy and task administration. Because of inheritance, child groups in the System Tree hierarchy inherit policies set at their parent groups.

For example:

· Policies set at the My Organization level of the System Tree are inherited by groups below it.

· Group policies are inherited by subgroups or individual systems within that group.

Inheritance is enabled by default for all groups and individual systems that you add to the System Tree. This allows you to set policies and schedule client tasks in fewer places.

To allow for customization, however, inheritance can be broken by applying a new policy at any location of the System Tree (provided a user has appropriate permissions). You can lock policy assignments to preserve inheritance.

Add a Workstation the Allow Outbound TCP Port 25 in McAfee EPO

Purpose

This article describes the steps to add a single workstation to allow outbound TCP port 25 (SMTP). This is done by adding a EPO tag to the system in the EPO console that then assigns a special Access Protection policy that does not block the traffic.

Steps

1. Login the the EPO Web Console

2. Search for the workstation

3. Select Actions\Tags\Apply Tag

4. Select NO BLOCK 25

5. Ok

6. Select Wake Up Agents

7. Leave defaults and select OK

8. Trigger Server Task to Apply Specific Policy OR wait an hour for the task to automatically run

1. Browse to Server Tasks

2. Select run for either the 32-bit or 64-bit OS task

1. Apply Specific Policy to 32-Bit + No Block 25 Systems

2. Apply Specific Policy to 64-Bit + No Block 25 Systems

9. Test from workstation

10. Done

Tips

1. All Server class operating systems allow outbound TCP port 25 by default.

1. So it's not neccessary to tag server class operating systems with the above process.

Manually Add a System to McAfee EPO Server

Purpose

This article explains how to add a single system that is missing in the McAfee EPO Server System tree. The purpose could be for such things as pushing the agent from the EPO Server to a system for the first time. Once any system has the McAfee agent installed and communicating correctly to the EPO server; it will automatically show up in the System Tree.

Steps

1. Login to the McAfee EPO Web Console

2. Select System Tree \ Systems

3. Select a System Tree Group

1. Example: Lost&Found

4. Select System Tree Actions \ New Systems

5. Select How to add systems

6. Either type/paste the systems into the Systems to add field or Select Browse...to connect to a domain and pick the systems

7. Uncheck "Disable System Tree sorting..."

8. Enter Credentails for agent installation if desired.

9. Select OK

10. Watch progress in Server Task Log

Monitor Virus Threats in McAfee EPO Console

Purpose

This article describes some basic ways to monitor virus threats through the McAfee EPO web console.

View Dashboards

1. Login to the McAfee EPO web console

2. Select Dashboards with the default icon at the top or Menu\Reporting\Dashboards

3. You may have to add the Dashboards published by Levon

1. Select Options in the upper right

2. Select Manage Dashboards

3. Select each Dashboard you'd like to add to your Dashboard section

4. For each Select Make Active in the lower right

Threat Overview Dashboard

· Select Threat Overview Dashboard from the submenu bar

Columns:

1. Past 24 hours

2. Past 7 days

3. Past 30 days

Rows:

1. Top 10 Detected Threats for all systems

2. Detected Threats for Workstations

3. Detected Threats for Servers

Day, Week, Month Breakout Threat Dashboards

Three Dashboarded were created for Detected Threat monitoring. They are named "Threats (Today), Threats (Past Week), and Threats (Past Month). Each of these are have identical monitors, but the queries for each select the three different timeframes to pull from the database.

Monitors:

1. Row 1 - Column 1

1. Detected threats per site (EPO Group)

2. Row 1 - Column 2

1. Top 10 Detected Threats

3. Row 2 - Column 1

1. Detected Threats per Workstation

4. Row 2 - Column 2

1. Detected Threats per Server

Item Drill Down in Monitors

For all the monitors including these threat monitors you can browse items by clicking on them in the monitor window.

Tips

The Day, Week, Month Dashboards have less to load so they load faster than the Threat Overview Dashboard.

So Detections are false and it is best to research them and determine if we need an exclusion to eliminate the issue.

Each monitor can be expanded to fill the console screen by clicking on the upper right square icon on the monitor.

· (HowTo) Search for a System in the McAfee EPO Console
McAfee EPO Agent

· (HowTo) Install and Uninstall the McAfee Clients on Windows

· (HowTo) Install and Uninstall the McAfee Clients on Linux

· (HowTo) Prepare a VM Template or System Image with McAfee Clients

· (HowTo) Reinstall McAfee Clients with McAfee-Clients Batch Script

· (HowTo) Identify Unmanaged Systems in McAfee EPO Console

Monday, 18 April 2016

epo

EPO Description

McAfee EPO Server Port List

Introduction

Network Port List

McAfee EPO Agent Supported Operating Systems List

McAfee EPO Web Console

Example

McAfee EPO Server Dashboards

Purpose

EPO Dashboard Description

Select and Arrange Existing Dashboards

Figure B

Figure 3

Figure 4

McAfee EPO Server Queries

Description

Queries

Public and personal queries

Query permissions

Query Builder

Creating custom queries

Running an existing query

Running a query on a schedule

Making a personal query group

Making existing personal queries public

Duplicating queries

Exporting query results to other formats

Creating a query to define compliance

Generating compliance events

Figure 1

McAfee EPO Server Threat Event Log

Description

Common event format

Working with the Threat Event Log

Purging the Threat Event Log on a schedule

McAfee EPO Server Policies and Client Tasks

Description

Policies and Client Tasks

Product Extensions

Policy management

Policy Application

Creating Policy Management Queries

Client Tasks

Product Extensions

Viewing policy information

Viewing groups and systems where a policy is assigned

Viewing the settings of a policy

Viewing policy ownership

Viewing assignments where policy enforcement is disabled

Viewing policies assigned to a group

Viewing policies assigned to a specific system

Viewing a group’s policy inheritance

Viewing and resetting broken inheritance

Working with the Policy Catalog

Creating a policy from the Policy Catalog page

Duplicating a policy on the Policy Catalog page

Editing a policy’s settings from the Policy Catalog

Renaming a policy from the Policy Catalog

Deleting a policy from the Policy Catalog

Working with Policies

Changing the owners of a policy

Moving policies between ePO servers

Exporting a single policy

Exporting all policies of a product

Importing policies

Assigning a Policy to a Group of the System Tree

Assigning a policy to a managed system

Assigning a policy to multiple managed systems within a group

Enforcing policies for a product on a group

Enforcing policies for a product on a system

Copying and pasting assignments

Copying policy assignments from a group

Copying policy assignments from a system

Pasting policy assignments to a group

Pasting policy assignments to a specific system

Working with Client Tasks

Creating and scheduling client tasks

Editing client tasks

Enter a Name and Description for the Task
Figure 2

Select the appropriate query from the list
Figure 3