Architecture
ePO Cloud 5.5 Essentials
Copyright
Copyright © 2015 McAfee LLC. All rights reserved
The training information in this document is provided in connection with McAfee products. No license,
express or implied, by estoppel or otherwise, to any intellectual property rights is granted by this document.
Except as provided in McAfee's terms and conditions of sale for such products, McAfee assumes no liability
whatsoever and McAfee disclaims any express or implied warranty, relating to sale and/or use of McAfee
products including liability or warranties relating to fitness for a particular purpose, merchantability, or
infringement of any patent, copyright or other intellectual property right.
McAfee may make changes to specifications and product descriptions at any time, without notice. McAfee
reserves these for future definition and shall have no responsibility whatsoever for conflicts or
incompatibilities arising from future changes to them. The information here is subject to change without
notice. The products described in this document may contain design defects or errors known as errata which
may cause the product to deviate from published specifications. Effort has been made to ensure the accuracy
of information presented as factual; however, errors may exist.
The statements, comments or opinions expressed by users through the use of McAfee technology resources
are those of their respective authors, who are solely responsible for them, and do not necessarily represent
the views of McAfee and/or its affiliates.
About This Learning Material
Intended Audience for this material: Channel Partners, McAfee Support Agent (new to
the product), Support Partners
Purpose
Key ePO Terminology
What is ePolicy Orchestrator?
• McAfee released the first version of ePolicy
Orchestrator (ePO) to meet a growing
demand from customers: a way to better
manage their anti-virus software.
ePO is designed to:
On-Premise vs In-the-Cloud
Our working list of features in and out of ePO Cloud is:
Features only available in Cloud 5.5:
– Multi-tenancy (5.2)
– Tomcat Farm (5.2)
– Partner Branding (5.2)
– Provisioning (5.2)
– Centralized Authentication (5.2)
– Server Tasks (5.4)
Features not supported in Cloud 5.5:
– Contacts (Address Book)
– Issues
– Certificate Based Authentication
– Registered Servers
– Ticketing
– User Editable Queries
– Automatic Responses
– LDAP/AD Integration/ Policy Assignment Rules
– User based policy
– Notifications
– Server Initiated Communication
– External access to Remote commands
– Multiple ePO servers
– Custom dashboards
ePO Cloud – Customer Needs
The market is embracing “the Cloud”, with more and more services, applications,
infrastructure, and solutions moving outside the perimeter
Goals for the Cloud Release
• Protect 1 to 10K systems in minutes with the
world’s leading security for business
• Stay ahead of the latest threats with McAfee’s
newest Anti-Malware with Proactive Detection,
industry-leading Host IPS Firewall and web
protection
• Experience better performance
– Signatures/DATs are 40% of the size of a traditional DAT
– Page refresh and reload times
• Install protection with one click with Getting
Started and McAfee Smart Installer for
Windows & Mac
• Easily keep tabs on your PC security with our
all-new, touch enabled end user experience
• Never upgrade your ePO server again – we do it
for you in our Cloud platform
• Use advanced management features including
tags, policies, client tasks and scheduled
reports
Current SaaS Landscape @ McAfee
[Figure: current SaaS landscape at McAfee, showing customers and partners (direct, retail and partner channels) with insight, support and provisioning]
One Place to Manage Everything
• McAfee Agent: 62+ million deployed (plus 4M migrated SaaS endpoint agents)
• 50+ McAfee products
• 50+ partner products
• Partner Portal, Online Store
Supported Products
Client endpoint: McAfee Endpoint Security modules, McAfee Agent
Architecture Overview
ePO Cloud 5.5 Architecture
• Simplified User Experience for SMB
• Designed to support the full range of McAfee commercial products
– Not just SaaS product line
– Subject to availability of extensions
• ePolicy Orchestrator – provided in McAfee's managed data centers (“the cloud”)
• Managed and maintained by McAfee – customer no longer needs a server
• Multi-tenancy
[Diagram labels: McAfee Partners; Ordering & Management; Partner APIs; Business Center; Business Platform Services; McAfee Back Office Systems; ePO Cloud with Simplified (SMB) UX and Product Extensions (Endpoint, Web, Email, …); Customers]
Business Platform Services (BPS)
ePO Cloud Components
ePO Cloud — The center of your managed environment. ePO Cloud
delivers security policies and tasks, controls updates, and processes
events for all managed systems.
Database — The central storage component for all data created and
used by ePO Cloud.
Master Repository — The central location for all McAfee updates and
signatures, residing on ePO Cloud. The Master repository retrieves
user-specified updates and signatures from McAfee.
How it Works - Process
How it Works - Flow
How it Works – Backend Architecture
[Diagram labels: Target Total End Points Count = 1M; Customers, Partners, McAfee Staff (~50,000 users); DAT via CDN; login.epocloud.mcafee.com; GTM; pod1.epocloud.mcafee.com and pod2.epocloud.mcafee.com (End Point ePO Agents); Denver DC; Miami DC; AUTH; BPS; Trusted]
Summary
• McAfee provides full security management
capabilities from our worldwide data centers.
– Fast, secure policy management
– Automatic updates to stay ahead of the latest threats
– Simple yet powerful user experience
• Beta Signup: https://beta.manage.mcafee.com (ePO Cloud 5.4 loaded in environment as of 10/1/15)
Performance Improvements
[Chart: Policy Catalog – Performance Graph, comparing Before and After Fix for Log On, Endpoint Security Firewall, Endpoint Security Web Control, Endpoint Security Common, McAfee Agent and Log Off]
Summary
Initial Configuration
Purpose
In this module, you will learn to …….
Getting Started with ePO Cloud
Getting Started with ePO Cloud 5.5
Major setup and steps for ePO Cloud
1. Activate the ePO Cloud server account - Once the customer has purchased
ePO Cloud software, they can activate their account through an email that
the provider sends them.
2. Log on to the ePO Cloud console – Once the account has been activated,
customers should open an internet browser, navigate to the following URL
and enter their ePO Cloud login information: https://manage.mcafee.com
3. Begin initial deployment - The Customize Installation action is run after the user
logs in for the first time, to help get ePO up and running as quickly as possible.
4. Manage the account - Set up and manage the basic features of the account.
6. Dashboards, queries and reports - Dashboards and reports help you keep
constant watch on the environment. The Queries & Reports page gives you
access to the robust reporting features of ePolicy Orchestrator.
Activation Email
ePO Cloud Login
Guided Configuration
Cloud UI – ePO Console
Begin Initial Deployment
• The system users run the deployment URL installer and the McAfee
Agent is then downloaded to the system.
McAfee Smart Installer
Deployment Validation
ePO Cloud Console
ePO Console
ePO uses a menu-based navigation model with a favorites bar you can
customize to get where you need to go quickly.
– Menu sections represent the top-level features of your ePO server.
– As you add new managed products to your server, the associated
interface pages are either added to an existing category, or a new
category is created in the Menu.
– Key navigational controls are the navigation bar and the navigation
Menu, which is accessed by clicking Menu on the navigation bar.
Navigation bar:
Customizable User Interface
Menu Options
Software
Product Deployment
Uninstallation of Product Software
Master Repository
Automation
Server Tasks
• Purge Audit Log
• Purge Server Task Log
• Run Query
• Run Report
• Run Tag Criteria
• System Search by Tag or Group
Server Task Log
Configuration
Server Settings
Personal Settings
Summary
ePO User Accounts and Permission Sets
Purpose
In this module, you will learn to …….
User Accounts
My Account
My Account – My Profile
My Account – Customer Profile
My Account - Users
My Account - Subscriptions
My Account - Support
User Management
Account Permissions
Owner users (or owners), who have full administrative rights.
– NOTE: There is only one owner for each customer account.
Create User Accounts
Creating a New User
1. To open the New User page, click New User.
2. Type the email address of the person you want to invite to be a user.
3. Click Invite.
Audit Log
Summary
Managing the System Tree
Purpose
In this module, you will learn to …….
The ePO Cloud System Tree
• Contains all of the systems that
ePO manages.
o A system is a managed machine, a
server, workstation, laptop or
appliance.
o Represented in System Tree by its
NetBIOS name.
System Tree Hierarchical Structure
My Organization:
• Top level of tree.
• Contains all managed systems.
Groups:
• Created by owners.
• Let you manage policies for several systems at once, and schedule
tasks at any level of System Tree.
• Can contain systems or other groups, which you can move
between groups.
Lost&Found:
• Contains systems with undetermined locations.
[Diagram labels: Top level: My Organization; Logical groups of systems; Lost&Found]
Lost and Found Group Characteristics
• Characteristics:
o Always appears last in the list (not
alphabetized).
Inheritance
• Can be broken by
applying new policies.
• An efficient and
well-organized System Tree
can simplify maintenance
Planning the System Tree
Considerations:
• Grouping systems
• Policy and task management
• Inheritance
Grouping options shown on the slide:
• Department or group (for example Sales, Marketing, Production)
• Physical location
• IP Address (for example 172.16.0.0, 192.168.100.0)
• System type or role
Scenario
• Customer has five offices — How should they organize
computers within the System Tree?
Paris
Dallas
Sydney
Creating Groups
Group Details Tab
Tagging
Tags
Tags are labels that can be applied to one or
more systems.
You can organize the System Tree using
tags.
Tagging has several benefits:
• Machines can now be sorted into groups by their tag,
if desired.
• Assign a task according to a tag.
• Tagging provides virtual grouping by associating
related systems.
• Provides an easy way to identify systems for later
action.
• Systems can have more than one tag assigned.
• Tags can be applied as a result of a query.
• Action can then be taken on the systems based on
tag criteria.
Working with Tags
Tag Catalog
Tag Grouping
Creating Tags
Tag Builder Evaluation Page
Defines when tags are applied to matching systems:
o Only when Run Tag Criteria action is taken.
o On each agent-to-server communication and when Run Tag
Criteria action is taken.
Tag Builder Preview Page
View Summary Information
Some Powerful Uses of Tags
Automatic System Tree sorting
o Example: place all systems with OS Type = “Windows 7”, System Name
starting with “DSKTP”, and IP Address between
“192.168.1.1 – 192.168.1.200” into the group “Chicago Office
Desktops”.
System identification
o Example: Tag virtual systems that are
running under VMware ESX
Tag is applied if the MAC address of a
machine begins with “000C29”.
Viewing Systems with the Tag Applied
• Use this page to view all systems with the selected tag applied.
• From this page, you can take actions on one or more systems listed.
Excluding Systems from Automatic Tagging
Manually Applying Tags
Clearing Tags
Applying Criteria-based Tags
• Run Tag Criteria.
• Schedule to run periodically.
Using Tags with Server Tasks
Example:
• Run Query with sub-action of Move Systems and Apply Tag
Sorting Systems in the ePO System Tree
Sort Settings for Systems
Criteria-based Sorting
• Systems only need to match one criterion of a group's
sorting criteria to be placed in the group.
• Move Systems
• Sort Now
• Test Sort
Tags as Sorting Criteria
IP Address as Sorting Criteria
• You can sort systems into groups based on their IP
address information:
o Subnet mask: 192.168.1.0/24
o IP address range: From 192.168.2.1 – 192.168.2.255
o Single IP: 172.16.1.199
o IPv6 format is supported
Using IP Address Filtering
ePO uses a search algorithm to place systems in the
System Tree.
Example group ranges from the slide, nested by containment:
• 192.168.101.1 - 192.168.103.254
o 192.168.101.1 - 192.168.101.254
– 192.168.101.1 - 192.168.101.240
– 192.168.101.241 - 192.168.101.254
o 192.168.102.1 - 192.168.102.254
Check IP Integrity
Resolve Sorting Conflicts
• Resolve IP address sorting conflicts between a group and
a subgroup
How Systems are First Placed in System Tree
If the sorting is disabled on the system, the system is left where it is.
If sorting is enabled, the system is moved based on the sorting criteria in the System
Tree groups.
How ePO Cloud Determines Placement
Starting at the top of the subgroup list:
Changing the Sort Order on Groups
• The system is placed in the first group with matching criteria or a catch-all
group it considers.
• When sorted into a group, each of its subgroups is considered for matching
criteria according to their sorting order on the Group Details tab.
• This continues until there is no subgroup with matching criteria for the system,
and the system is placed in the last group found with matching criteria.
Sort Order
Subgroups of groups with un-matching criteria are not considered. A group must
have matching criteria or have no criteria in order for its subgroups to be
considered for a system.
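The placement rules above, together with the nested IP ranges from the IP filtering slide, can be modelled in a few lines. This is an added example, not ePO code: the group names, the deliberately misconfigured "Lab" range, the fall-through to Lost&Found when nothing matches, and the treatment of a no-criteria group as a pass-through are all assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

ip = ipaddress.ip_address


@dataclass
class Group:
    name: str
    ranges: list = field(default_factory=list)     # [(first, last)]; empty = no criteria
    catch_all: bool = False
    subgroups: list = field(default_factory=list)  # list order = sort order

    def matches(self, addr):
        return any(ip(lo) <= ip(addr) <= ip(hi) for lo, hi in self.ranges)


def _descend(group, addr):
    for sub in group.subgroups:                    # start at the top of the subgroup list
        if sub.matches(addr) or sub.catch_all:
            # First match wins; keep descending until no subgroup matches.
            return [sub.name] + (_descend(sub, addr) or [])
        if not sub.ranges:                         # no criteria: look inside, do not stop here
            deeper = _descend(sub, addr)
            if deeper:
                return [sub.name] + deeper
        # Criteria present but not matching: its subgroups are never considered.
    return None


def place(root, addr):
    """Return the System Tree path a system with this IP is sorted into."""
    path = _descend(root, addr)
    return "/".join([root.name] + path) if path else "Lost&Found"


def integrity_conflicts(group, inherited=None):
    """List subgroup ranges that fall outside the nearest ancestor's ranges."""
    bounds = group.ranges or inherited
    found = []
    for sub in group.subgroups:
        for lo, hi in sub.ranges:
            inside = bounds is None or any(
                ip(a) <= ip(lo) and ip(hi) <= ip(b) for a, b in bounds)
            if not inside:
                found.append((sub.name, f"{lo}-{hi}"))
        found += integrity_conflicts(sub, bounds)
    return found


# Ranges are the ones on the slide; names and the "Lab" group are constructed.
TREE = Group("My Organization", subgroups=[
    Group("Campus", [("192.168.101.1", "192.168.103.254")], subgroups=[
        Group("Building-101", [("192.168.101.1", "192.168.101.254")], subgroups=[
            Group("Desktops", [("192.168.101.1", "192.168.101.240")]),
            Group("Servers", [("192.168.101.241", "192.168.101.254")]),
        ]),
        Group("Building-102", [("192.168.102.1", "192.168.102.254")], subgroups=[
            Group("Lab", [("192.168.104.1", "192.168.104.50")]),  # outside its parent
        ]),
    ]),
])

if __name__ == "__main__":
    for address in ("192.168.101.245", "192.168.103.7", "192.168.104.10"):
        print(address, "->", place(TREE, address))
    print("conflicts:", integrity_conflicts(TREE))
```

The "Lab" range can never receive a system because its parent's criteria reject the address first, which is the kind of group/subgroup conflict an IP integrity check is meant to surface.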
Adding Sorting Criteria to Groups
Test Sorting Systems
• Displays preview of System Tree structure using the current sort
criteria.
• Lets you test your sorting criteria before committing.
1. Select system.
2. Click Actions.
3. Select Directory Management.
4. Select Test Sort.
Manually Moving Systems
Two methods move systems from one group to another:
1. From the group System tab:
Select the system(s) to move and click the Actions button. Choose Directory
Management > Move Systems.
Select sorting options and the group to which the system is to move.
2. Drag and drop the system onto any group in the System Tree.
The system inherits the new parent group's sorting criteria and policies.
Sequencing Errors and Duplicate GUIDs
• ePO has a feature called sequence checking. This basically enables
the server to keep track of the number of connections the client
makes and detect whether or not the connection falls out of
sequence.
About Sequence Errors
Common Causes:
o Virtual Machines Snapshot
Resolution:
o Identify machine(s) with problem – Add a sequence
errors column
o From Actions menu, select Directory Management > Move GUID to Duplicate List and Delete System
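To see why a snapshot or cloned image produces sequence errors, the following added example (not ePO code) models sequence checking over a constructed connection log. The log format, the per-agent counter semantics, the "server keeps the highest value seen" rule and the threshold of 3 are assumptions for illustration only.

```python
import re
from collections import defaultdict

# Constructed sample: one line per agent-to-server connection.
# This is NOT a real ePO log format. VDI-CLONE7 was restored from a
# snapshot of VDI-GOLD, so both report the same GUID with overlapping counters.
SAMPLE = """\
2015-10-01T08:00 guid=A1 host=WS-01 seq=101
2015-10-01T08:00 guid=B2 host=VDI-GOLD seq=40
2015-10-01T09:00 guid=A1 host=WS-01 seq=102
2015-10-01T09:00 guid=B2 host=VDI-GOLD seq=41
2015-10-01T09:05 guid=B2 host=VDI-CLONE7 seq=40
2015-10-01T10:00 guid=B2 host=VDI-GOLD seq=42
2015-10-01T10:05 guid=B2 host=VDI-CLONE7 seq=41
2015-10-01T11:00 guid=A1 host=WS-01 seq=103
2015-10-01T11:05 guid=B2 host=VDI-CLONE7 seq=42
"""

LINE = re.compile(r"^(\S+) guid=(\S+) host=(\S+) seq=(\d+)$")


def parse(text):
    """Yield (timestamp, guid, host, seq) for every well-formed line."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts, guid, host, seq = m.groups()
            yield ts, guid, host, int(seq)


def sequence_report(text):
    """Count out-of-sequence connections per GUID and record the hosts seen."""
    last_seen = {}                                   # guid -> highest counter accepted
    report = defaultdict(lambda: {"errors": 0, "hosts": set()})
    for _ts, guid, host, seq in parse(text):
        entry = report[guid]
        entry["hosts"].add(host)
        if guid in last_seen and seq <= last_seen[guid]:
            entry["errors"] += 1                     # connection fell out of sequence
        else:
            last_seen[guid] = seq
    return dict(report)


def duplicate_guid_candidates(text, threshold=3):
    """GUIDs whose sequence-error count suggests more than one machine shares them."""
    return sorted(g for g, e in sequence_report(text).items()
                  if e["errors"] >= threshold)


if __name__ == "__main__":
    for guid, entry in sequence_report(SAMPLE).items():
        print(guid, entry["errors"], sorted(entry["hosts"]))
    print("candidates:", duplicate_guid_candidates(SAMPLE))
```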
Summary
Managing Policies
Purpose
In this module, you will learn to …….
• Describe the purpose of policies
• Create and edit policy objects in the policy
catalog
• Manage policy configuration and assignment
• Enforce policy changes on client machines
Policies
Policy Management
• A policy is a collection of settings that you create,
configure, then enforce. Policies ensure that the
managed security software products are
configured and perform accordingly.
Policy Catalog
Policies and the Policy Catalog
• Displays policies for managed products (extensions in
Repository).
o McAfee Default: Cannot be renamed, edited, or deleted but can be duplicated.
Creating a New Policy
• Policy Catalog > New Policy
o Can be based on existing policy
Duplicating a Policy
• From Policy Catalog, click Duplicate link on any policy.
• Provide a new name for the copy.
• Edit policy configuration to meet your needs.
Editing a Policy
• Policies can be edited in two locations:
o Policy Catalog, Edit settings by clicking hyperlink name of the policy.
o Policies can be edited from the System Tree by clicking the hyperlink
name of the policy on the Assigned Policies tab of any given group.
Renaming or Deleting a Policy
Policy Assignments
Policy Assignment and Inheritance
[Diagram: System Tree showing the McAfee Default policy, Policy A and Policy B, each either assigned at a node or inherited from its parent]
Viewing Policy Assignments
• Select System Tree > Assigned Policies
• Select the group in System Tree, then click Assigned
Policies tab
• Inherited by subgroups by default
Assigning a Policy to a Group Node
Assigning a Policy to a Managed System
Select the desired system, then click Actions > Agent >
Modify Policies on a Single System.
Assigning Policy to Multiple Managed Systems
Select the desired systems, then click Actions > Agent >
Set Policy & Inheritance.
Policy Assignment Rules
Can be based on:
o System-based policies — Policies that include only system
based criteria. For example, you can create a policy
assignment rule that is enforced for all servers on your network
based on the tags you've applied, or all systems in a specific
location in your System Tree. System based
policies cannot include user based criteria.
Creating Policy Assignment Rules
Select Menu > Policy > Policy Assignment Rules > New
Assignment Rule.
- Assignment can be based on tags.
o System criteria required for all rules
- Select policies to assign.
Policy Assignment Rule Priority
• Default Enforcement
Status is Enforcing
Product Enforcement Status
• Product enforcement status indicates how many groups
have enforcement disabled.
• Click the link to see group(s) where enforcement of this
policy is disabled.
Locking Assignment and Enforcement
• Can be locked at any location within the System Tree.
• Locking does not prevent a policy from being modified, it
simply prevents policy assignments from being modified
in subgroups.
Resetting Broken Inheritance
Copying and Pasting Assignments
Copy and paste policy assignments from one group or
system to another.
Policy Comparison
• Compare like policies using Policy Comparison.
• This allows you to determine which settings are different
and which are the same.
When Policies are Enforced
• At the Policy Enforcement Interval
• At the next agent-server communication interval
• Check New Policies button (client)
Policy History
New Feature in ePO Cloud 5.4
Policy History - Overview
Click the Policy History entry under Policy to view detailed
historical information.
Policy History - Details
The Policy History section logs the following information:
• Date Saved
• User
• Comment
• Product Version
DEMO – Policy History
http://bcove.me/gsrac20r
Affected Systems Information
New Feature in ePO Cloud 5.4
Affected Systems Information - Tag
[Screenshots: Cloud 5.2 compared with Cloud 5.4 (and later)]
Affected Systems Information - Policy
[Screenshots: Cloud 5.2 compared with Cloud 5.4 (and later)]
DEMO – Affected Systems Information - Tags
http://bcove.me/4j7uzx5r
Summary
McAfee Agent Deployment and Policy Configuration
Purpose
In this module, you will learn to …….
McAfee Agent Overview
McAfee Agent 5.0
Objectives
– To architect a new McAfee Agent as a secure modular framework technology
enabling consistent and efficient management for a broad range of mobile,
embedded, traditional system, appliance, M2M, cloud and virtual environments.
– To provide an extensible open services architecture.
– To enable a flexible secure network friendly delivery mechanism for content,
policy, events, and products.
Next Gen Agent Deliverables
– New Service-based Architecture
– VDI support
– Data channel improvements
– Bandwidth controls
– Hierarchical super agents
– Relay capabilities
– Peer to peer
– New deployment mechanisms, especially for cloud
Requirements for McAfee Agent 5.0
Message Bus
McAfee Agent Services
– Property, Policy, Event
– Scheduler/Task
– Licensing
Common Libraries – Logger, Dispatcher
Agent Mesh: P2P, Relay
McAfee Agent ePO Extension
McAfee Agent Integration SDK
Backward Compatibility / Legacy Support
– LPC and Plug-In based Integration (will be phased out in future versions)
– Feature parity with MA 4.8 (e.g. Deployment and Updating, UI, Crypto, UBP)
Native 64 bit support for latest OS releases on supported OS distributions
Standardization across platforms
– Focus on best implementation, when in doubt use Windows implementation
OS Support Matrix to be defined through the OS Support Matrix Process
Languages supported is the superset of VSE/Harvey and ePO languages.
– Extensions, help and documentation will only be in ePO languages.
MA 5.0 Architecture
Agent-to-Server Communication
Agent-to-Server Communication (ASC) information is transferred
using our proprietary network protocol (SPIPE).
The default agent-to-server communication interval (ASCI) is 60 minutes.
At each ASCI:
o Agent collects and sends properties to server and/or Agent Handler.
o Agent sends events occurring since last ASCI.
o Server sends new policies/tasks.
o Agent enforces policies.
ASC Interruption Handling
The agent-to-server connection algorithm is designed to reattempt
communication if its first attempt fails.
o IP address
o Fully qualified domain name (FQDN)
o NetBIOS
ASC Interruption Handling (cont’d)
The agent stops this cycle if a connection attempt results in
any of the following:
• No error
• Download failed
• Upload failed
• Agent is shutting down
• Transfer aborted
• Server busy (status code from ePO)
• Upload success (status code from ePO)
• No package to receive (status code from ePO)
• Agent needs to regenerate GUID (status code from ePO)
Installing the McAfee Agent
Agent System Requirements
Component | Minimum Requirements
• Windows 8.1
• Windows 8
• Windows 2012
• Windows 2008
• Windows 7
• Windows Vista
• Windows 2003
• Windows XP
The article KB51573 contains all the details about the latest supported versions of
ePO, Windows workstation and server and Non-Windows Operating Systems.
Supported Non-Windows Operating Systems
• Mac OS X
• Oracle Linux
• Red Hat Enterprise Linux
• CentOS
• SUSE Linux
• openSUSE
• McAfee Linux Operating
System (MLOS)
• Ubuntu
• Debian
• iOS
Additional Supported Platforms
Supported Languages
Agent Installation Options
Agent installation is only available through the Deployment URL.
Creating the Agent Deployment URL
You must send the Agent Deployment URL to all system users whose systems you want to
manage with ePO Cloud.
When you send the Agent Deployment URL to the users of the systems in your network, the
endpoint users navigate to the Agent Deployment URL, open it and the installer starts this process:
• The system communicates back to ePO and adds the system in the System Tree group you created. For
example, the system is added to the group "AllWindowsSystems."
• The McAfee Agent, configured in the URL, is downloaded to the system and a Product Deployment task is
automatically assigned to the system during the first communication.
• After the McAfee Agent is installed it starts downloading the product software you selected when you
created the Agent Deployment URL.
• After these communications the system appears in the selected group of the System Tree as managed.
McAfee Smart Installer
Post Installation - Files and Services
Agent Installation Directory
• Windows
o <System_Drive>:\Program Files (Program Files (x86))\McAfee\Agent
• Non-Windows
o /opt/McAfee/agent/
McAfee Agent Windows Install Logs
• On Windows client systems, the install logs are saved in: %TEMP%\McAfeeLogs.
o Frminst_<System_Name>_Error.log: Agent install error log. Contains details about recorded errors.
o MFEAgent.msi.<date.time>.log: MSI Install log. Contains details about the MSI installation of the agent.
o Ma_vscore_install_<date.time>.log: It records installation of VSCORE, and the ACC details for MA 5.0.
o Ma_vscore_uninstall_<date.time>.log: It records uninstallation of VSCORE, and the ACC details for MA 5.0.
o UpdaterUI_<hostname>.log: This file contains details of the updates to managed products on the client system.
McAfee Agent Data Files
\ProgramData\McAfee\Agent
Data: Explanation
o Keystore: Stores the Agent and Server keys which are used by MA & ePO for ASC.
o Logs: Stores the logs for each service of MA 5.0 and also the logs of Mue.exe.
McAfee Agent Activity Logs
• The agent logs are saved in these locations
o Windows client systems: \ProgramData\McAfee\Agent\logs
o Non-Windows client systems: /var/McAfee/agent/logs
o McScript_backup.log: When the McScript.log reaches its size limit, a backup copy is made. If a
backup copy of a log file already exists, it is overwritten.
McAfee Agent Log Files
Agent Files and Services
Filename: Explanation
• Masvc.exe (running): This is the service which performs major functionality of Agent (like
Property collection, policy enforcement, scheduling of tasks, ASC,
triggering update session, etc.)
• Macmnsvc.exe: McAfee Agent Common Services. This service hosts multiple services of
McAfee Agent like SuperAgent, P2P Server, Wake-up, RelayServer.
• Macompatsvc.exe: McAfee Agent Backwards Compatibility service. This executable is the
compatibility service for the McAfee Agent Service. It is started by the McAfee Agent
service and communicates to the various point product plugins.
• Ma_mirror_task.exe: McAfee Agent Mirror Task. Manages McAfee Agent mirror tasks.
• Maconfig.exe: McAfee Agent Configurator – Command line interface to configure MA in
managed and unmanaged mode, configure language, custom props, etc.
• McScanCheck.exe: McAfee Agent McScanCheck – Tool used by VSE for data updates
• McScript_InUse.exe: McAfee Agent Script Engine – This interprets the scripts of all PPs to
perform updates and deployments
• McTray.exe (running): Single tray icon management tool that runs under same user session and
is started by UpdaterUI.exe
Using the System Tray Icon Options
• Update Security: Triggers immediate updating of all
installed McAfee software products.
McAfee Agent Status Monitor
• Displays information on the collection and transmission of
properties
• Sends events
• Downloads and enforces policies
McAfee Agent Policy Overview
Agent Policies Overview
• General: Basic agent policy configuration.
• Repository: Configure agents to use proxy server settings.
• Troubleshooting: Select language.
McAfee Agent Policy Options
McAfee Agent Policy General
• Default policies:
o Large Organization Default: Read-only
o McAfee Default: Read-only
General Policies – General Tab
• Contains settings for basic agent functionality
General Policies – Super Agent Tab
• Contains settings to enable and customize SuperAgent, as
required.
Agent Relay Capability – Super Agent
• Enabling relay capability in the network converts a McAfee
Agent to a RelayServer.
McAfee Agent requires the User Datagram Protocol (UDP) to discover each
RelayServer in the network.
A RelayServer connects only with the servers that are listed in its policy database.
General Policies – Events Tab
• Configure how and when the agent sends priority events to
the ePO server. Event priority is predefined by the installed
product.
General Policies – Logging Tab
• Controls creation of, and access to, the agent activity log
on managed systems.
General Policies – Updates Tab
• Configure options for updating signatures, engines,
patches, and service packs
General Policies – Peer-to-Peer Tab
• Enable Peer-to-Peer Communication
Agent Peer-to-Peer Service
Repository Policies – Proxy Tab
Troubleshooting Policies
• McAfee Agent user interface and log language
Uninstalling the McAfee Agent
• Manually from within the ePO console:
– Delete the machine node(s) from the ePO System Tree. When a node is
deleted from System Tree:
• System entry in DB is flagged for agent uninstall.
• At next ASCI, Agent receives uninstall flag.
• Agent responds back to the server for confirmation.
• Server sends final uninstall command.
• Agent uninstall begins.
Summary
Point Product Deployment and Policy Configuration
Purpose
In this module, you will learn to …….
Choosing a Product Deployment Method
There are two processes you
can follow to deploy products
using ePolicy Orchestrator:
Product Deployment Projects
Benefits of Product Deployment Projects
Run a deployment continuously — This allows you to
configure your deployment project so that when new
systems matching your criteria are added, products are
deployed automatically
Client Tasks
Go to: Menu > Policy > Client Task Catalog.
– Product deployment
– Product functionality (Example: The Endpoint Security Threat Prevention On-
Demand Scan task.)
– Upgrades and updates
Deploying Point Products (MES)
Deploy Products Using a Deployment Project
6. Select Group or Systems
7. Pick a start time or schedule
8. Click Save.
Troubleshooting Product Deployment
b. If task was not received, validate that the agent is communicating with ePO. If
failing to communicate, investigate as an agent-to-server communication problem
(check the ma.log file).
2. On the ePO Server side, review the client task to validate the scheduling and
settings.
3. Validate that the agents executed the task at the scheduled time. Check the
cma.log and McScript.log files.
Policy Application
Policies are applied to any system by one of two methods,
inheritance or assignment.
Inheritance
– Inheritance determines whether the policy settings and client tasks for a
group or system are taken from its parent. By default, inheritance is
enabled throughout the System Tree.
– When inheritance is broken by assigning a new policy anywhere in the
System Tree, all subgroups and systems that are set to inherit the policy
from this assignment point do so.
Assignment
– You can assign any policy in the Policy Catalog to any group or system,
provided you have the appropriate permissions. Assignment allows you to
define policy settings once for a specific need, and then apply the policy to
multiple locations.
– When you assign a new policy to a particular group of the System Tree, all
subgroups and systems that are set to inherit the policy from this
assignment point do so.
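The inheritance and assignment rules above, modelled as an added example (not McAfee code and not how ePO stores policies): each node takes its policy from the nearest ancestor with a direct assignment. The tree, group names, system names and policy names are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

PRODUCT = "Threat Prevention"  # product name as used on this page


@dataclass
class Node:
    """A group or system in a simplified System Tree (hypothetical model)."""
    name: str
    parent: Optional["Node"] = None
    # product -> policy assigned directly here, i.e. inheritance is broken at this node
    assigned: dict = field(default_factory=dict)

    def child(self, name):
        return Node(name, parent=self)


def effective_policy(node, product=PRODUCT):
    """Return (policy, assignment point) by walking up to the nearest assignment."""
    current = node
    while current is not None:
        if product in current.assigned:
            return current.assigned[product], current.name
        current = current.parent
    raise LookupError(f"no {product} policy assigned at or above {node.name}")


def assignment_points(nodes, product=PRODUCT):
    """Names of nodes where inheritance is broken; useful when auditing exceptions."""
    return [n.name for n in nodes if product in n.assigned]


def build_sample_tree():
    """Constructed tree: My Organization > Servers > WEB01, and > Laptops > LAP07."""
    root = Node("My Organization", assigned={PRODUCT: "Baseline"})
    servers, laptops = root.child("Servers"), root.child("Laptops")
    return root, servers, servers.child("WEB01"), laptops, laptops.child("LAP07")


if __name__ == "__main__":
    root, servers, web01, laptops, lap07 = build_sample_tree()
    print(effective_policy(web01))                 # inherited from the root
    servers.assigned[PRODUCT] = "Server Hardened"  # assignment breaks inheritance at Servers
    print(effective_policy(web01))                 # now taken from Servers
    print(effective_policy(lap07))                 # Laptops branch is unaffected
    print(assignment_points([root, servers, web01, laptops, lap07]))
```

Listing the assignment points is a quick way to review where a group or system has been moved off the policy it would otherwise inherit.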
Configuring Point Product Policies and Tasks (MES Threat Prevention)
Creating a New Policy
When Policies are Enforced
Policy settings for McAfee products are enforced
immediately at the policy enforcement interval, and at each
agent-to-server communication if policy settings have
changed.
Point Product Policy Enforcement Issues
Troubleshooting Point Product Policy Enforcement
• Policy enforcement
• Agent service logs are located in: C:\Windows\Temp.
Collect masvc.log and ma_brokersvc.log
Summary
ePolicy Orchestrator simplifies the process of
deploying security products to the managed
systems in the network by providing a user
interface to configure and schedule deployments.
Dashboards, Queries and Reports
• Dashboards Overview
• Reporting/Queries
Purpose
In this module, you will learn to …….
Dashboards
Dashboard Overview
Default Dashboards and their Monitors
• Audit – User activity in past 30 days
• Queries
o Essentially questions you ask ePO, with the answers
shown in charts, tables, etc.
o Can be included in reports or dashboard monitors
o Actionable
• Reports
o Combine query results and other elements into PDF
documents
o Enable focused, offline analysis
o Used to identify vulnerabilities, usage, events, etc.
o Most recent result for each report is stored within the
system for quick access
Additional Logging Activity
• Additional Logging Activity:
o Audit log
o Server Task log
o Threat Event log
About Queries
• Objects that retrieve and display data from ePO database.
– Displayed in charts/tables.
– Are actionable.
– Exportable, via email, to four formats:
• CSV: Use with spreadsheets.
• XML: Transform data.
• HTML: View as a web page.
• PDF: Obtain printable results.
Queries and Reports
Working with Queries
• Run a Query
Exporting Query Results
Reports
About Reports
Troubleshooting Report/Query Generation Issues
Troubleshooting Report/Query Generation
• Default content will not be displayed if a user does not have
permissions for that content. In most cases, permissions are granted
through licensing. For example, if a user has not been granted a
license for Threat Prevention (or the license has been revoked), the
user will not see dashboards, queries, or reports related to the Threat
Prevention extension. Licensing can be verified by navigating to the
user's My Account page.
Summary
General Troubleshooting
Purpose
In this module, you will learn to …….
Documentation
ServicePortal - (https://support.mcafee.com/)
Product Guides and Release Notes
• Product Guides
o Installation Guide
o User Guide
o Release Notes
o Etc.
Knowledge Center
• Troubleshooting Articles
• Product Documentation
• Procedure Documents
Support Engineering Operations (SEO)
• Supportability Documents
– The ePO Cloud 5.x and the McAfee Agent 5.0 Supportability Documents are
located on the ePolicy Orchestrator page on the Planet McAfee site.
NoHold – Troubleshooting Trees
ePO Community Forums
ePO Community Forums (cont’d)
Other Guidelines:
o Do not refer back to the case. All pertinent information should be contained in the
post including MERS or logs.
o Be sure all relevant files are linked to the post before posting. Please do not post
and indicate MERS will be included later; rather, wait until you have valid MERS to
post.
o Please do not post security vulnerabilities in this forum group; rather, follow the
process outlined in KB61029 for all security vulnerabilities related to ePO.
o Select the appropriate category when starting a new discussion. Only select one
category. The region for the category is based on the customer's region and the tier
is based on the tier of the person posting the question. These are the only
categories you should use when posting a question:
Top Call Generators
ePO Cloud
o Server Configuration - Server Settings
o Agent-to-Server communication failure
o Console login failure
o Product deployment issues
o Product policy enforcement issues
McAfee Agent
o General ASCI failure troubleshooting
o General Updating (content) failure
o Specific content updating failure
o Specific MA installation issue (file locking)
McAfee Agent:
http://thezone.corp.mcafee.com/sites/tieriii/CMA/TTree/MATree_02282013.htm
Troubleshooting Basics for ePO Cloud
Troubleshooting Basics
Asking questions
• Search Inquira
• Review Troubleshooting Tree
• Follow Escalation Process
Support Tools
• McAfee Virtual Technician (MVT) -
http://mvt.mcafee.com
MERTool and MER Analyzer
Information Collected by the MERTool
• What information is collected by the MERTool?
– Registry details
– File version details
– Files
– Event logs
– Process details
Downloading the WebMER Tool
https://support.mcafee.com/ServicePortal/faces/tools
Installing the MERTool
Collecting Data for Review
Information Collected by the MERTool
Log Files Collected by the MERTool
• Extracted MERTool Capture
Using the MER Analyzer
Virtual Technician
McAfee Virtual Technician (MVT)
BPS and Support Portal
TPS to BPS Support Portal
BPS Support Portal
BPS to Cloud ePO
McAfee Agent Logs
Agent Log Files for Troubleshooting
• Agent installation:
– Frminst_<System_Name>.log
– Frminst_<System_Name>_Error.log
– MFEAgent.msi.<date.time>.log
– McAfeeSmartInstall_<date.time>.log
• Agent uninstallation:
– Frminst_<System_Name>.log
– Frminst_<System_Name>_Error.log
• Client Updating:
– UpdaterUI_<hostname>.log
– UpdaterUI_<hostname>_error.log
Files to Collect When Issues are Observed
Agent log files:
• Log file path for Windows “C:\ProgramData\McAfee\Agent\Logs”.
NOTE: Collect all the log files under this folder.
Messages Reported
Message Type Description
E (error) Debug error message
W (warning) Debug warning message
I (information) or none Debug information message
X (extended data) Debug extended information message
Troubleshooting McAfee Agent Deployment
• On Windows client systems, the install logs are saved in
%TEMP%\McAfeeLogs.
Windows Install Log: Description
• Frminst_<System_Name>.log: Install log. It records installation of the McAfee Agent. This file
contains: Informational messages, Progress messages, and Failure messages if the installation fails.
• Frminst_<System_Name>_Error.log: Agent install error log. Contains details about recorded errors.
• MFEAgent.msi.<date.time>.log: MSI Install log. Contains details about the MSI installation of the
agent.
• Ma_vscore_install_<date.time>.log: It records installation of VSCORE, and the ACC details for MA
5.0.
• Ma_vscore_uninstall_<date.time>.log: It records uninstallation of VSCORE, and the ACC details for
MA 5.0.
• McAfeeSmartInstall_<date.time>.log: Agent installation from the Deployment URL Smart Installer is
recorded in this file.
• UpdaterUI_<hostname>.log: This file contains details of the updates to managed products on
the client system.
Known issue with downloading the bootstrap agent. It does not work with IE8 (due to a security
issue). There is a link for the workaround (Microsoft KB) on the download page.
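One way to gather the agent log locations named in this module into a single archive with a SHA-256 manifest, so the files attached to a case can be checked for completeness and integrity. This is an added example, not a McAfee tool and not a replacement for the MERTool; the function names and the archive name agent_logs.zip are assumptions, and the paths are the ones given on this page.

```python
import hashlib
import os
import zipfile
from pathlib import Path

# Locations and file names as given on this page; adjust for your environment.
LOG_DIRS = [
    Path(r"C:\ProgramData\McAfee\Agent\Logs"),       # agent logs (collect all files)
    Path(os.path.expandvars(r"%TEMP%\McAfeeLogs")),  # install logs
]
SERVICE_LOGS = [Path(r"C:\Windows\Temp") / name
                for name in ("masvc.log", "ma_brokersvc.log")]


def find_logs(dirs, files):
    """Every file under each existing directory, plus the named files that exist."""
    found = []
    for d in dirs:
        if d.is_dir():
            found.extend(p for p in sorted(d.rglob("*")) if p.is_file())
    found.extend(f for f in files if f.is_file())
    return found


def bundle(paths, archive):
    """Zip the logs with MANIFEST.txt ('sha256  name' per file); return the manifest."""
    manifest = []
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
        for index, path in enumerate(paths):
            data = path.read_bytes()  # read once so hash and archived copy match
            arcname = f"{index:03d}_{path.name}"  # prefix avoids name clashes
            zf.writestr(arcname, data)
            manifest.append(f"{hashlib.sha256(data).hexdigest()}  {arcname}")
        zf.writestr("MANIFEST.txt", "\n".join(manifest) + "\n")
    return manifest


if __name__ == "__main__":
    for line in bundle(find_logs(LOG_DIRS, SERVICE_LOGS), "agent_logs.zip"):
        print(line)
```

Missing directories and files are skipped rather than treated as errors, so an empty manifest is itself a finding: the agent may not be installed where expected.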
Agent Log Files to be Collected
List of files to be collected when reporting issues observed:
Troubleshooting Agent Communication with ePO Cloud
McAfee Agent Communication Issues
Steps to Troubleshoot Agent-to-Server Communication Issues
[HKLM\Software\Wow6432Node\Network Associates\ePolicy Orchestrator\Agent]
2. Perform an Agent-to-Server
Communication (ASC) and wait for the
communication to fail.
3. Grab a copy of the Agent log (ma.db) and
look for the failure.
4. Search the KB (http://agent.mcafee.com)
for the errors and apply any relevant
articles.
McAfee Agent Ports and Traffic Flows
Forcing Agent Activity from the Client
CmdAgent usage:
• “<Agent_Install_Directory>/cmdAgent.exe”
General Troubleshooting
ePO Ports and Traffic Flows
• Agent to server communication port (default: 80)
– Description: TCP port opened by the ePO Server service to receive requests from agents.
– Traffic direction: Bi-directional between the Agent Handler and the ePO server and inbound
to the Agent Handler from the McAfee Agent.
• Client-to-server authenticated communication port (default: 8444)
– Description: HTTPS port opened by the ePO Application Server service to receive RSD
connections.
– Traffic direction: Inbound connection to the ePO server from the Rogue System Sensor.
Outbound connection from remote Agent Handlers to the ePO server.
Policy Update/Enforcement Issues
Product Deployment/Client Task Issues
1. Validate that the agent(s) received the task.
a. Validate that the task is present on the client.
o Check for its presence in the ma_task.db file.
b. If task was not received, validate that the agent is communicating with ePO. If
failing to communicate, investigate as an agent-to-server communication problem
(check the ma.db file).
2. On the ePO Server side, review the client task to validate the scheduling and
settings.
3. Validate that the agents executed the task at the scheduled time. Check the
ma_scheduler.db and McScript.log files.
Trusted Sites
• When accessing the ePO console
using Internet Explorer 8 (and
later), the log on dialog might not
appear.
Helpful Support Articles
ePO Cloud Known Issues:
KB79063 – ePolicy Orchestrator 5.x Known Issues
FAQs:
KB78045 – FAQs for ePolicy Orchestrator Cloud
Documentation:
PD26163 – ePolicy Orchestrator Cloud 5.5.0 Product Guide
PD25493 – McAfee Agent 5.0.0 (Cloud) Product Guide
PD26157 – ePO Cloud 5.5.0 Release Notes
PD25961 – ePO Cloud 5.4.0 Release Notes
PD25497 – ePO Cloud 5.2.0 Release Notes
General:
KB83024 – Initial setup steps for ePO Cloud
KB81829 – How to create an installation URL from ePO Cloud
KB84630 – How to deploy products using ePO Cloud
KB84197 – How to create and assign Endpoint Security policies within ePO Cloud
KB85135 – How to remove Endpoint Security from client computers managed by ePO Cloud
KB84629 – How to schedule an On-Demand scan from ePO Cloud
KB82760 – Installation fails for Endpoint Security products managed by ePO Cloud
Escalation Guidelines
Minimum Escalation Guidelines
• Article KB78187 outlines the basic escalation guidelines
for all products.
Escalation Guidelines
The Minimum Escalation Guidelines are stored in the KnowledgeBase as
procedure documents, for example:
– ePO – PR500014
– McAfee Agent – PR500033
– Endpoint Security Threat Prevention – PR500104 Multiple Articles
– Endpoint Security Web Control – PR500104 Multiple Articles
– Endpoint Security Firewall – PR500104 Multiple Articles
These articles contain the Minimum Escalation Guidelines for the product, links
to the Issue Specific Escalation Guidelines, and all currently identified KB
articles that are relevant to the product or issue.
It provides a guideline that lists the tasks that one needs to perform before
escalating a case to the next Tier for all issue types with ePO.
Escalation Checklist
Make sure that the relevant log files are included in the MER results and attach them to the
case.
Search MAX to find related cases or KB articles that address the issue.
If you cannot reproduce the issue, provide the steps that the customer uses to reproduce it.
Documenting Cases Clearly and Accurately
To ensure our documentation is clear and gives the necessary information to the next tier,
McAfee requires you to use the ART/CS format for all cases and on every product.
When populating the Description field in Insight, the ART format is to be used as follows:
A – Action - Document the action taken by the customer that resulted in the issue they are
currently having.
R – Result - Document the result of the customer’s action, including any error messages,
symptoms, or issues seen.
T – Troubleshooting - Document a summary of all the steps taken so far and NOT all of
the activities.
When closing the SR, the Resolution field should be populated with the Cause and
Solution:
C – Cause - Document the cause of the issue, when it is clear (from a McAfee
perspective) what caused it.
S – Solution - Document the solution steps, when the issue has been resolved, so that it
is clear what steps actually resolved it and they can be referred to if the issue re-occurs in
the future.
Summary